Elavon Europe Service Providers/Sub-Processors

As a regulated credit institution operating in several geographies in Europe, Elavon takes its responsibilities of compliance extremely seriously. This includes a commitment to complying with all applicable Data Protection, Privacy and Security Laws and Regulations (collectively referred to as Requirements) in the locations in which it operates.
 

To comply with the relevant European Requirements, Elavon has established an EU Data Protection Framework that is constructed around the key Requirements and aligned to relevant internal policies, programs and controls as relevant. For example, Elavon has a range of security policies in place that document and outline the company approach and control environment in terms of the processing, transmission and storage of ‘Personal Data’ and ‘other Sensitive Information’.
 

The EU Data Protection Framework determines how Elavon will collect, process, store, share or disclose, protect and use the Personal Data of its customers, partners and others. It is reviewed regularly and updated as appropriate to reflect changing regulatory requirements or industry standards.

All Third Parties that Elavon engages will be obliged to understand and protect all rights from Elavon Customers and Elavon will generally be liable towards the Customers within the limitation of liability agreed between the parties for the services that the Third Parties provide.
 

Where Elavon engages a Third Party to assist in its Processing activities, it will choose a Data Processor who has in place sufficient technical and organisational security measures to protect Personal Data and takes reasonable steps to ensure compliance with those measures.

It is the Policy of Elavon to enter into a written contract, or equivalent, when engaging a Third Party to Process Personal Data on its behalf. The contract, or equivalent, will clearly set out the responsibilities of the respective parties and will be constructed in a manner to ensure compliance with relevant Data Protection requirements under European and local Member State legislation.

Elavon Business Lines and Support Functions are required to ensure that all Third-Party relationships are established and maintained in accordance with the Third-Party Risk Management Policy and the Contracting Policy.

Elavon operates in compliance with a comprehensive Third Party Risk Management Policy, which defines a risk-based framework that Elavon uses to manage its Third Party relationships (TPRs).

When engaging a Third Party, Elavon conducts appropriate risk management activities to manage the Company’s corresponding risks, including, but not limited to, operational, compliance, reputation, strategic, concentration, and credit risks as defined in its Risk Management Framework and applicable laws and regulations.

Accordingly, the decision by Elavon to engage a Third Party must be consistent with the Company’s business objectives and made only after robust due diligence and strong consideration of the risks involved.

Each prospective TPR is subject to due diligence, from which the Company will determine whether to proceed to the next risk management phase. A comprehensive risk assessment must be performed and subjected to requisite approvals before entering into a contract with the Third Party.

Elavon Business Lines manage the provision of products/services to the Company on an ongoing basis, regardless of whether performance is by a Third Party or through one or more Fourth Parties. After engaging a Third Party, each Business Line manages the performance of relationship activities (whether the performance is ultimately provided by the Third Party and/or through one or more Fourth Parties) on an ongoing basis for compliance with agreed-upon performance and risk standards. The TPRMConfidential Program incorporates a risk-based approach to guide the Business Lines in their decisions on content and frequency of ongoing management activities.