Business Terms and conditions of the operation of payment gateway
1. Introductory provisions
1.1. ComGate Payments, a.s. (hereinafter referred to as the "Operator") issues these Business Terms and Conditions, which establish the rules of business relations between them and their Clients regarding the establishment and operation of the payment gateway for acceptance of card payments and bank payment buttons.
1.2. Business Terms and Conditions of operation of the payment gateway are an integral part of the contract between the Operator and the Client.
2.1. The Client is the entity with which the Operator has entered into a Contract for the provision of Payment Services or Payment Terminals Services, is the seller of goods or services to Customers and is also the recipient of payments.
2.2. The operator is the company ComGate Payments, a.s., which provides payment services and processes transactions under the Czech National Bank license, Payment Institution.
2.3. Acquirer is a card transaction processor that is an intermediary between the Operator and the Card Association (BS PAYONE GmbH, ČSOB, a.s.)
2.4. The Card issuer is a bank or other institution that is entitled to issue credit cards.
2.5. The Payment Card Holder (Payer or Customer) is the consumer purchasing goods or services.
2.6. Card Association, in particular Visa, MasterCard, Diners Club, Discover, JCB, is an organization providing banks with the right to issue payment cards and to process card transactions.
2.7. Online Card payment is a transaction made by a Customer in favor of the Client to pay for purchased goods or services, using a payment card in the internet environment.
2.8. Bank payment buttons are a tool for realizing an interbank transfer with immediate payment confirmation.
2.9. POS Terminal is a device that allows payment of goods or services by payment card at the point of sale.
2.10. One Click Payments (Repeated payments) is the functionality available with Online Card Payments that allows to make regular payments from a card. For these payments, the Client enters into the system at the required intervals a payment order, which allows the cardholder to withdraw the variable amounts in the selected period determined by the Client.
2.11. Recurring payments is the functionality available for Online Card payments, which allows for regular payments from the card. For these payments, the Client enters a payment order only with the first payment, which subsequently withdraw the same amount at regular, predetermined time intervals.
2.12. Pre-authorization is the functionality available with Online Card Payments or POS Terminals, which allows for a certain amount of time to book an amount on the Payer's Payment Card without the funds being withdrawn. Reservation time varies by Acquirer.
2.13. Chargeback is the refund of cash withdrawn during a card transaction back to the Payer and is executed whenever the Payer denies having issued a card payment instruction.
2.14. PCI DSS (Payment Card Industry Data Security Standard) is an international standard that sets security standards for processing and collecting card data. The standard description is available at www.pcistandard.cz. The original version of the documents in English is available at https://www.pcisecuritystandards.org/.
2.15. AML (Anti-Money Laundering) is a regulation that prevents the legalization of proceeds from crime (money laundering) and terrorism financing.
3. Establishment of a payment gateway
3.1. The establishment of a payment gateway is subject to the conclusion of a contract between the Provider and the Client.
3.2. Starting the payment gateway process is preceded by an activation process that includes in particular:
a) assessing the compliance of the Client and the Client's business with the requirements of the Card Association
b) assessing the compliance of the data on the Client's Internet presentation with the requirements of the card associations
c) registration of the Client with card associations
d) technical connection of the payment gateway
e) test operation
f) activation of the payment gateway operation
3.3. In the event that Acquier designates the Client as a risk and does not approve the business, the Operator is entitled not to make a payment by card for the Client.
3.4. The Client is obligated to provide the following information clearly and unambiguously on their website:
a) full name of the Client and address of the registered office, company identification number, same as registered in the Commercial Register, the name of the Commercial Register
b) the delivery and return conditions, the pre-authorization rules and subsequent payments
c) all fees for the Client's services, including shipping, packaging and taxes
d) if the Client delivers goods abroad, all possible destinations and special delivery terms and fees
e) the currency in which the services will be invoiced, at the latest at the time of confirmation of the order
f) customer service contact with a complete address
g) Client's Customer Data Use Policy
3.5. The Client is required:
a) to express prices only in currencies announced to the Operator
b) in the case of Recurring Payments, to allow the Customers to easily terminate service online and thereby to terminate further payments
c) in the case of trial operation, the Client is obliged to inform the Provider about the end of the trial period
(d) to offer for sale goods and services which are not on the list of prohibited areas. The list of prohibited areas is available on the Operator's website.
3.6. In case of violation of any of the above obligations, the Operator is entitled to immediately terminate the operation of the payment gateway or the payment terminal and to terminate the contract with the Client.
3.7. The client undertakes to permanently display logos of accepted payment cards on their Internet presentation. Logos must always be presented in the form provided by the Operator. In the event of a termination of the contractual relationship, the Client undertakes to immediately remove all the above mentioned data from his Internet presentation.
3.8. The Client is obliged to make available to the Provider all sections of the site in which the payment gateway is displayed prior to the start of operation.
3.9. The Client may not offer goods or services at increased prices or under less favorable terms to payers who pay using a payment card than to payers in cash or other means. The client may not charge additional fees for accepting a credit card. Client's right to offer discounts by using a specific payment card or other authentication method remains unaffected.
3.10. The Client undertakes to become acquainted with and comply with the PCI DSS rules at the latest on the effective date of the Contract. The Client is obliged to fill in the SAQ form and deliver it to the Provider before starting the operation of the service.
3.11. If the Client carries out a business which according to the law requires a special authorisation or license, for example but not only lotteries, bets, pharmacies, etc., the Client is obliged to provide the Operator with a valid authorization.
3.12. In the event that the Client, the Client's business or the Client's website does not comply with the above requirements, the payment gateway will not be made operational. Should there be any changes after the payment gateway has been activated on the part of the Client, its business activities or in the Internet presentation, which will cause a conflict with the above requirements, the payment gateway function be suspended.
4. Payment gateway operation
4.1. In accordance with EU Regulation No. 2015/751, the Operator provides Clients with Interchange ++ charges (interchange fee, Scheme Fee and Processing Fee) or the cumulative fee model.
4.2. The Client acknowledges that the Operator may change the method of charging from the cumulative rate to Interchange ++ at any time from the beginning of the next calendar month following the Operator's announcement.
4. 3. The bill shall be made on the 15th day of the following month for the perion of the preceding month. The statement of accounts contains fees and commissions on which the Client and the Operator agreed in the Contract. The Operator's fees do not include value added tax.
4. 4. In the event of a claim regarding the card payment made by the Payer, the Client is obliged to resolve such complaint through the Operator. The Operator will credit the amount to the Payer’s card if the transaction has been processed online. If the transaction was processed at the POS terminal, the transaction refund is processed by the Client at the same POS terminal. The Operator recommends that the Client to refund the transaction to the Payer's card, which was the subject of the transaction being claimed.
4.5. If the Acquier, the Card Association or the Operator suspects that any of the Client's payments are fraudulent or is the subject of a claim on the part of the Payer, the Client is obliged to provide the Operator with the necessary documents for such payment, in particular, but not limited to, the billing and delivery address of the payer, document evidencing the delivery of goods by the carrier.
4.6. The Operator is entitled to withhold payments for transactions suspected of fraud for as long as necessary. The Operator is obliged to inform the Client about each individual case of suspention.
4.7. If the Customer's payment is acknowledged to be fraudulent and there is a Chargeback executed at the side of the Acquirer, the Client is obliged to return the payment to the Operator's account. If the Client fails to do so within 5 business days of receiving the call, the Operator may reduce the Chargeback amount from the transferred funds for the transactions executed.
4.8. The Client acknowledges that fees may be charged when the transaction is disrupted or when the Chargeback is executed.
4.9. The Operator reserves the right to deduct the transferred funds for the transactions effected by monthly fees, as follows: In the first ten days of the month, the Operator subtracts the monthly fee for the previous month. If the total amount can not be charged at that time, the remaining amount will be invoiced on the 15th day of the month. The operator will not mitigate transactions by monthly fee unless expressly agreed in the Agreement.
4.10. The Client is obliged to notify the Operator of possible discrepancies and errors in billing and invoicing without undue delay. The Client is required to submit any claim related to the transactions within 20 calendar days after receipt of the payment statement from the Operator.
4.11. In the event that the Association or the Acquirer impose a fine on the Operator and / or the Provider suffered a damage in connection with the Client's business, the Client shall be obliged to pay this fine or damage not later than 5 calendar days from the date of delivery of the written request. The operator is entitled to claim damages at court. In the event that the Client does not pay the required amount within the stipulated period and does not agree otherwise with the Operator, the Operator is entitled to demand a contractual penalty of 0.05% of the amount due for each individual day of delay with the payment of the fine.
4.12. If the Client fails to pay his obligations to the Operator in a timely and proper manner, the Operator may at any time offset any of its outstanding cash receivables from the Client against any Client's receivables from the Operator, regardless of whether these receivables are payable or not and irrespective of their currency and the legal relationship that results from them. Set-off is also possible against an undue claim.
4.13. In case of delay of the Client with payment of its due obligations to the Operator arising from the Contract, the Operator shall be entitled to interest for late payment in the amount of 0,05% of the amount due for each day of delay.
4.14. The Client acknowledges that access to the payment gateway service may be restricted or blocked by the Operator for the time necessary. The reason for limiting the use of the system may be, but not limited to, the request of the Bank, the Acquirer or the Card Association, in case of violation of legal obligations, moral or security rules by the Client. The Operator is not responsible for planned or accidental outages or shutdowns by banks or Acquirer.
4. 15. The Operator is responsible only for received and confirmed data by the Operator and is not responsible for any damages resulting from the incorrect processing of such data on the part of the Client. The Operator is not responsible for any errors in the implementation on the Client's side.
4. 16. The Client acknowledges that he is obliged to notify the Provider, in good time, at least 30 days, of the change the nature of the websites listed in the Contract, including the products and services offered and other mandatory parts.
4. 17. The Client is obliged to notify the Provider in good time of any change in the identification data and any other changes or circumstances that may affect the provision of services and the Client's ability to meet the obligations to the Operator as well as the change of the Authorized Person. The Client is obliged to communicate to the Operator without undue delay any facts that have a significant effect on his legal status (especially entry into liquidation, commencement of insolvency proceedings, bankruptcy, introduction of forced administration, etc.), in particular:
a) the sale or lease of the business or any other change of ownership
b) change of address or bank account
c) change of legal form or company name
d) changes in products or URLs
e) change of the owner
4. 18. The operator is not responsible for damages caused mainly due to situations and events that occurred independently of the will of the Operator and which the Operator can not influence, such as consequences of force majeure and consequences of third party actions (e.g. hacker attack, fraudulent behavior, etc., which is considered to be a force majeure). The Operator is not responsible for the interruption of operation due to the situations described in this provision. The scope of the Operator's liability is further limited by the Act No. 127/2005 Coll., On Electronic Communications.
5. Protection of personal data
5.1. In the performance of the obligations under the Contract, the Provider will or may be provided with personal data of the Client, employees and authorized representatives of the Client or third parties, in particular Payers or Customers. In this case, the Operator will proceed in accordance with the relevant provisions of the Act No. 101/2000 Coll., On Data Protection and from the moment of entry into force of the EU Data Protection Regulation 2016/679 / EU, the General Data Protection Regulation, they will proceeed also in accordance with this Regulation. The Operator will then be in the position of the Personal Data Processor (hereinafter referred to as the Processor) and the Client in the position of the Personal Data Controller (hereinafter referred to as Controller).
5.2. The Processor is responsible for the use of personal data in accordance with the relevant provisions of the above-mentioned law and the GDPR. The Processor is obliged to take technical measures to prevent the loss or misuse of personal data. The Processor is obliged to perform the duties provided by the above-mentioned law and GDPR.
5.3. In order to fulfill the obligations under GDPR, the Processor is obliged:
a) to process such personal data only for the purposes of the provision of services, as may subsequently be agreed by the parties in writing, acting only on the basis of documented instructions from the Controller; a written instruction from the Controller is considered any instruction made within the Operator's information systems for the provision of payment services;
b) not to carry out data control itself, transfer or intend to transfer such personal data to third parties, except where the Controller may specifically request it in a documented form;
c) not to process, use, or use personal data for any purpose other than that required, necessary and essential for the performance of the obligations under this Contract;
d) not to process personal data for its own purposes or include personal data in any product or service offered to third parties;
(e) to report all cases of personal data breach;
5.4. The Processor will process personal data to fulfill the obligations of the Contract between him and the Controller. The purpose of the processing is the provision of payment services within the scope of the concluded Contract and other services performed by the Processor for the Controller under the Contract.
5.5. The Controller shall pass on or may transmit to the Processor in particular the following personal data, or the Processor shall obtain the following personal data directly from the data subjects:
a) the name and surname;
b) date of birth;
c) birth number;
d) account number;
f) e-mail adress;
g) IP address;h) payment information;
i) sensitive payment information;
other personal data necessary for the fulfillment of the obligations of the Processor as a Payment Service Provider;
5.6. The Processor is entitled to transfer the personal data of the recipients to third parties in order to fulfill the obligations arising from the Contract or legal regulations, in particular:
a) the Acquier;
b) the Card issuers;
c) Card Association;
e) state administration and self-government bodies in fulfilling legal obligations;
5.7. The Processor is entitled to engage in the processing another Processor and the Controller in accordance with the EU Data Protection Regulation No. 2016/679 / EU, Article 28 (2) gives a general consensus. This additional Processor is obliged to comply with the obligations under this clause to the same extent as the Processor.
5.8. The Controller acknowledges that for the fulfillment of his / her duties, the Processor will or may be required to pass on personal data to the recipients and to act as another Controller to these recipients.
5.9. The Processor undertakes to observe confidentiality regarding the processing of personal data.
5.10. The Processor will not transmit personal data for processing outside of the European Union.
5.11. The Processor is bound to comply with the applicable Personal Data Protection Act oand the GDPR and will fulfill its obligations under this Contract in relation to personal data in such a way that the Controller does not breach any of its obligations under the applicable Personal Data Protection Act and the GDPR.
5.12. The Processor shall provide the Controller with such cooperation, assistance and information as the Controller may reasonably require to fulfill his obligations under the applicable Personal Data Protection Act and the GDPR, and will cooperate and follow the instructions or decisions of the relevant Personal Data Protection Authority and, in any case within a time limit that would allow the other party to meet any deadline set by the Office for Personal Data Protection.
5.13. Within 15 (fifteen) calendar days after receipt of the Controller's request, the Processor shall provide the Controller a written record of the processing of personal data by the Provider on behalf of the Controller.
5.14. The processor is obliged to take the necessary measures that the Controller will reasonably require based on the data subject's request for the exercise of rights arising from the GDPR (in particular the right to delete, the right to information, the right of access, the right to be forgotten, the right to repair, the right to limit the processing and other related rights of the data subject under GDPR). The processor is obliged to accept such measures within the deadlines of the GDPR.
5.15. The processor shall be entitled to reasonable compensation for costs arising from or in connection with adherence to the instructions of the Controller or any of its obligations under this Contract or the applicable Personal Data Protection Act.
5.16. The Controller is responsible for ensuring that personal data is processed in accordance with GDPR.
5.17. The parties note that in their cooperation, there may be situations where the Operator will be the Personal Data Controller and the Client will be the Personal Data Provider. In that case, the arrangement of this provision shall apply vice versa.
5.18. If the Controller appoints a Data Protection Officer within the meaning of Article 37 and the following GDPR, the Processor is required to provide the Officer with all the necessary co-operation to carry out his duties.
5.19. If the Controller undertakes to comply with the Code of Conduct issued under Article 40 of the GDPR, he will inform the Processor about this fact and he is obliged to abide by these Codes in an appropriate manner.
5.20. The processor appointed a Data Protection Officer. Contact details and other information according to the information obligation of the Processor in accordance with the GDPR is published on the Website of the Processor.
21. The Client gives the Operator the consent to use his trade name and logo for the marketing promotion of the Operator, especially but not limited to the presentation of the Client's logo on the Provider's Internet presentation.
6. Final Provisions
6.1. In connection with the development of the legal environment, the development of technologies and in view of the changes in the composition of the product portfolio and changes in the Operator's business policy, the Operator is entitled to amend these Business Terms and Conditions, Contract conditions, Tariff Charges and other contractual documents in accordance with Section 1752 (2) of the Civil Code. In this case, the Operator is entitled to propose to the Client a change in the Business Terms and Conditions, Tariff Fees or other contractual documents no later than two (2) months before the date on which the change in the Business Terms and Conditions, Tariff Fees or other contractual documents is effective. The Client and the Operator agree on an irrefutable presumption that the Client has accepted the proposal to change the Business Terms and Conditions and other contractual documents if the Operator has proposed such change to the Client within the above deadline, informing him about his right to terminate the contract according to the following sentence of this provisions and the consequences of refusing to reject the proposal below the above mentioned deadline and the Client has not rejected in writing the proposal to amend the Business Terms and Conditions and other contractual documents before the change became effective. If the Client has rejected the proposal to amend the Business Terms and Conditions and other contractual documents, the he has the right to terminate the relevant Contract by the effective date of the amendment free of charge and with immediate effect. In the event that, at the same time as the Contract is concluded, the Operator shall submit to the Client a proposal for amendment of the contractual documents, which shall become effective in the future, the amendment shall from the date of the effect of this amendment form part of the subject Contract. The Operator is entitled to make a unilateral change of the trade name of the product or service, which he / she is obliged to inform the Client in an appropriate manner and without undue delay. Changing the trade name of a product or service does not affect the rights and obligations of the parties resulting from the Contract so the parties do not consider such a change to be a change in the Contract for a given product or service.
6.2. The Contract may be terminated by agreement of the parties or by notice of termination by a contracting party with a notice period of two months and shall begin to run from the first day of the calendar month following the month in which the notice was served. The agreement or termination of this Contract must be in writing.
6.3. Both parties undertake, in performing the subject matter of the Contract, to ensure that there is no breach of commercial or banking secrecy, the protection of personal data within the meaning of the provisions of Act No. 101/2000 Coll., on the Protection of Personal Data and Amendments to Certain Acts, as amended (the "Personal Data Protection Act").
6.4. Legal relations between the Operator and the Client are governed by the Czech legal order, in particular by the Act No. 89/2012 Coll., the Civil Code. The parties agree that in the event of a dispute a general court of the Operator is competent to solve the dispute.
6.5. The Client declares that he is not in the position of a consumer within the meaning of Section 419 of the Civil Code and that the concluded contract is not covered by consumer protection legislation within the meaning of Section 1810 et seq. Of the Civil Code.
6. 6. These Business Terms and Conditions take effect on May 25, 2018 and can be downloaded here.