Legal Privacy revised draft 26 April 2018

PayPal Contractor Privacy Statement (Other than EU)

Name of Standard: PayPal Contractor Privacy Statement
Standard Identification: PPPriv-STD-1.2.0
Name of Policy: Data Binding Corporate Rules
Policy Identification: PPPriv-POL-NONEUAWF-1.0.0

I. Policy
PayPal Group (the “Company” or “we”) are committed to protecting the data privacy of its
Contractors/AWF in accordance with Applicable Law. This PayPal Contractor/AWF Privacy Statement
(“Privacy Statement”) describes how the Company collects, uses, transfers, stores and safeguards the
Personal Data of non-PayPal personnel working on the Company’s premises. You will find all of the
definitions for the capitalized terms in Section IV below.
II. Purpose and Scope
This Privacy Statement documents the Company’s privacy and data protection practices for the
Personal Data of non-PayPal personnel working on the Company’s premises. This Privacy Statement
applies to all of non-PayPal personnel working on the Company’s premises worldwide, except for
Personnel based in the EU, where a separate Statement applies. We may not be able to protect any
information and data that you use on our Company Devices in your personal capacity as opposed to in
your employment capacity. For instance, any of the personal photos, emails, and SMS or text messages
that you store on a corporate-issued device may not be protected and may be accessed by the
Company. While this Privacy Statement explains how the Company treats Personal Data, we may also
share or use your Personal Data in accordance with your separate instructions or consent, and to the
extent allowed under Applicable Law.

Content of this Statement in questions (click to jump to desired answer)

• What is Personal Data?
• How long does PayPal keep my Personal Data?
• Why does PayPal collect my Personal Data?
• How does PayPal use my Personal Data?
• What is the legal basis for processing my Personal Data?
• How does PayPal use my Personal Data?
• Is PayPal monitoring my professional activities?
• Are my data transferred and shared?
• What are my rights?
• Who can I contact if I want to know more about this Statement, the processing of Personal
Data or about my rights?
• Is there a Glossary?

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 1
Legal Privacy revised draft 26 April 2018

1. Personal Data
What is Personal Data?
As defined in the Glossary (view here), “Personal Data” means any information relating to an identified or
identifiable natural person. An identifiable person is one who can be identified either directly or indirectly.
We describe below what this means and what categories of Personal Data PayPal collects about Personnel
in the course of their engagement or employment with the Company. In a nutshell, your Personal Data
concerns your contact address, your identity details, your bank details, your national identity numbers, and
social insurance details.
Does the format of the Personal Data matter?
This Privacy Statement applies to Personal Data in any medium or format that we obtain about you as a
Contingent worker, whether we obtained it directly or indirectly, manually or automatically, or otherwise
through websites, applications, computers, permitted monitoring tools, tablets and other mobile devices,
and any other information from any of these sources to the extent it is combined with, or associated with
Personal Data about you.
How long does PayPal keep my Personal Data?
We use your Personal Data for as long as you remain a contracted work force at the Company premises
and where the retention of your Personal Data is necessary to meet legal requirements in accordance with
Applicable Law, for example, as established by labor, fiscal, health and safety, tax and social security laws.

2. Collection & Use

Why does PayPal collect my Personal Data?
As a client of a work force service provider (the Service Provider), we collect and verify Personal Data that
is provided by this service provider or by you directly.
How does PayPal use my Personal Data?
a. The verification of your temporary placement at the Company premises, by way of example:
• To carry out all pre-employment checks and checks to confirm the right to work;
• When applicable to your role, in accordance with Applicable Law, we will request your consent to
allow the Company to obtain additional information from third parties to verify your credit, criminal,
or related background information

b. The performance of a Contractor/AWF contract to which you are a party, by way of example:
• To carry out sanctions checks as required by Applicable Law
• To resolve disciplinary or grievance issues, or any other related investigation;
• To enable us to contact you in an emergency (through information you provided to us or as
needed through social media addresses), photographs

c. The compliance with a legal obligation to which PayPal is subject, by way of example:
• To comply with statutory, financial, regulatory and legal obligations including audits, reports and
statistics;
• To comply with legal obligations to which PayPal is subject and cooperate with regulators and law
enforcement bodies, including carrying out sanction checks under OFAC or other Applicable
Laws;
• To ensure compliance with working time obligations;
• To adhere to health and safety good practice and legislation.

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 2
Legal Privacy revised draft 26 April 2018

d. The purposes of the legitimate interest (view Glossary) pursued by PayPal, by way of example:
• To conduct investigations which may include collaboration on a cross-border basis and involve
the Global Investigations Team;
• To deal with your inquiries and requests, including all communication in relation to inquiries and
requests;
• To monitor activities (to the extent permitted by Applicable Law and as informed in section 4
below) such as the use of Company resources, equipment, facilities and vehicles, all company
property and equipment and programs, communications with users and the access to, use of and
disclosure of customer, Employee and Company information;
• To ensure (to the extent permitted by Applicable Law) the processing, access, use and disclosure
of information are performed in accordance with workplace policies. This includes (including the
Company’s monitoring policies with regard to telephone, email, internet and other Company
resources, and all applications and/or programs used on company devices).
• To ensure that the PayPal Code of Business Conduct & Ethics is followed;
• To prevent unauthorised access to our computer and electronic communications systems and
prevent malicious software distribution;
• To deal with legal disputes involving you, or other employees, workers and contractors.

e. For Sensitive Personal Data: the Company also processes limited amounts of Sensitive Personal
Data but will do so only in accordance with Applicable Law. For example, health information may be
processed for the purposes of monitoring and managing sickness absences, and complying with legal
requirements.

3. Legal Basis
What is the legal basis for processing my Personal Data?
For Contracted workforce outside of the EU, your Personal Data is processed as per the local and
Applicable Laws on data protection of the country of your employment, in accordance with your contract or
other terms of employment (if applicable).
Please refer to section 2 which provides you with categories of data processing and illustrations.

4. Monitoring
Is PayPal monitoring my professional activities?
The Company may: (1) monitor Personnel use of Company Devices and Company Systems for the
purposes specified by applicable Company policies, and (2) investigate your use of Company Devices
and Company Systems, including, without limitation, third-party sites or applications you visit, download
or engagement through Company Systems or using Company Devices. By way of example, unless
prohibited by Applicable Law, the Company may also intercept, divert, discard, access and review the
contents of any e-mails or other electronic communications or file transfers. These actions are balanced
with Company policies and the necessity to protect and defend the interests of the Company.
The Company reserves the right to use, maintain or disclose the contents of your communications made
using Company Devices or through or over Company Systems with third parties, as listed for any of the
foregoing purposes, as well as to comply with requests from, or to otherwise assist, law enforcement
officials or other legal authorities.
Information on Information Security policies and procedures can be found on the relevant Confluence
page here or via InfoSec home page (https://infosec.paypalcorp.com/)
To the extent permitted by Applicable law, please be informed that the Company may:

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 3
Legal Privacy revised draft 26 April 2018

- copy the contents of your Company Devices and monitor your use of Company Devices. This
monitoring (e.g., via Airwatch) may include access or retention of all communications and content
produced on, over, or using Company Devices. By way of example, this includes systems,
programs or internet connectivity or programs supplied or maintained by the Company or its
service providers (“Company Systems”) and any non-Company System that you use or access
from your Company Device in your capacity as Personnel, and electronic voice communications
conducted on, through or using, Company Devices and Company Systems. As an example,
telephonic communications will be monitored only when there is a suspicion of misconduct,
illegality or breach of the Company’s policies or Code of Business Conduct and Ethics that
requires further investigation.
- use electronic surveillance (CCTV) at PayPal offices in the interests of safety and security. The
Company operates CCTV systems and uses data gathered through these systems in compliance
with applicable local law. As an example, the Company uses CCTV to monitor internal and
external access points as well as common areas.

- monitor your use of Company Devices and Company Systems and electronic communications
made over them when there is suspicion of misconduct, illegality or breach of the Company’s
policies or Code of Business Conduct and Ethics that requires further investigation.

Please visit PayPal corporate policies available on the Bridge (here), including notably the Code of
Business Conduct and Ethics (here).

5. Transfer and sharing

Contractor/AWF Personal Data may be stored in hard and electronic format in the United States and other
countries in which the Company, or Company affiliates, Service Providers or contractors have a physical
presence or do business.

Are my data transferred and shared?

- Transfer and sharing among PayPal Affiliates

Personal Data may be shared in the normal course and scope of business with other Company affiliates
and Personnel worldwide to the extent necessary and as permitted to facilitate the uses described in this
Privacy Statement, with the guarantees and safeguards as provided by the obligations and requirements
of Applicable Laws. The rules regulating the transfer of Personal Data of Personnel in the EU between a
Company affiliate in the European Economic Area (EEA) to Personnel of a Company affiliate located
outside of the EEA can be found on the Bridge along with this Privacy Statement in a document entitled
‘Binding Corporate Rules (BCRs)’. For Personal Data of Personnel outside of the EU, PayPal has entered
into an Intra Group Data Processing Agreement. As a general note, the Intra Group Agreement contains
variations based on local legislation for the following countries: Brazil, USA, India, Japan, Philippines,
Russia, Hong Kong, Singapore, China, Turkey, Costa Rica, Tunisia and Malaysia.

- Transfers and sharing with third-party Service Providers

Personal Data also may be shared with third-party Service Providers (e.g., medical benefit providers, stock
brokerages, retirement benefit providers, travel, Salesforce, etc.) working on behalf of the Company or with
whom or to which the Company has chosen to outsource work, to facilitate the uses described above. If
Personal Data is provided to a Service Provider, the Company will enter into contracts that ensure that the
Service Provider only processes the Personal Data as instructed, and in accordance with this Privacy
Statement and its obligations under Applicable Law, including but not limited to applicable privacy,
employment, information security and/or data protection law. In addition, all contracts with Service Providers
must contain minimum contractual safeguards, as defined or required by Applicable Law and PayPal
policies. The Company may also share Personal Data with law enforcement, regulatory authorities or other
third parties in cases where it is necessary to protect the Company’s legitimate purpose (including for

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 4
Legal Privacy revised draft 26 April 2018

example, to prevent imminent physical harm, financial loss, or to report suspected illegal activity) as
required and if permitted by Applicable Law.

6. Your Data Protection rights (Access, rectification, erasure, blocking)

What are my rights?

You have the right to obtain from PayPal confirmation as to whether Personal Data concerning you are
being processed, and, where that is the case, access to the Personal Data and the information relating to
such processing.

You have the right to obtain from PayPal without undue delay the rectification of inaccurate Personal Data
concerning you. Considering the purposes of the processing, you shall have the right to have incomplete
Personal Data completed, including by means of providing a supplementary statement. You also have the
right to obtain from the Data Controller the erasure of Personal Data concerning you without undue delay
and PayPal shall have the obligation to erase Personal Data without undue delay where, for instance, one
of the following grounds applies:

a) The Personal Data is no longer necessary in relation to the purposes for which it was collected
or otherwise processed;
b) You withdraw your consent.

You have the right to obtain from PayPal, restriction of processing where, for instance, the accuracy of the
Personal Data is contested by you. You have the right to receive your Personal Data in a structured,
commonly used and machine-readable format. You have the right to object at any time to processing of
Personal Data concerning you.
You have the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy
in cases where the Data controller does not take action on your request.

Note that you have the ability to directly access and modify much if not all of your Personal Data through
Company Systems such as Workday. You may also contact your People Organization representative for
additional access and to request modifications to your Personal Data. Upon your request, the Company will
try to accommodate requests to remove Personal Data unless retention of Personal Data is required by
Applicable Law or necessary to defend the Company against legal claims.

7. Protection
The Company uses physical, technical and organizational security controls commensurate with the amount
and sensitivity of the Personal Data to prevent unauthorized processing, including but not limited to,
unauthorized access to, acquisition and use of, loss, destruction, or damage to Personal Data, and to
protect the data’s integrity. Where appropriate, the Company uses encryption, firewalls, access controls,
standards and other procedures to protect Personal Data from unauthorized access. Physical and logical
access to electronic and hard copy files is further restricted based upon job responsibilities and business
needs, and only individuals with a legitimate business need to know the Personal Data are authorized to
access it for legitimate business purposes.

8. Questions
Who can I contact if I want to know more about this Statement, the processing of Personal Data or my
rights?
For any data that was given to PayPal by the workforce service provider, since your personal data is
controlled and processed mainly by the workforce service provider, if you have any questions about the
collection, access, use, disclosure, sharing or your Personal Data we refer you to such Data Controller.

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 5
Legal Privacy revised draft 26 April 2018

Alternatively, if you have any questions about this Privacy Statement, or the collection, access, use,
disclosure, sharing or safeguarding of Contractor/AWF Personal Data, or your Personal Data, that is,
processing of data during your daily work at PayPal premises, you may contact PayPal’s Data Protection
Officer at DPO@paypal.com.

9. Notices and changes

All communications related to this Privacy Statement will be provided to you at your workplace email
address. If we are unable to reach you at your workplace email address, for instance, if you are on leave
of absence, we may need to send you an email at the personal email address that we have on file for you
to ask you if we can reach you at your personal email address. We will provide you with notice in accordance
with Applicable Law in the event we discover unauthorized access to or use of your Personal Data. We
also will notify you in the event that this Contractor/AWF Privacy Statement is materially revised. All material
revisions to this Contractor/AWF Privacy Statement shall be effective within thirty (30) days upon notice.
You may have the opportunity to reject revisions where permitted by Applicable Law.

By signing this document, you acknowledge the processing of your Personal Data relating to
you as a contracted workforce at the Company premises.

____________________________
Signature

______________________________
Signature Date

_____________________________
Print Name

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 6
Legal Privacy revised draft 26 April 2018

III. Glossary:
“Applicable Law” means applicable laws, rules and/or regulations.
“AWF or “alternative work force”/ Contractor” is a person under a contract with a work force
service provider, or also called temporary placement agency
“Binding Corporate Rules” means PayPal internal rules that define PayPal global policy with
regard to the international transfers of Personal Data within PayPal to Company affiliate located in
countries which do not provide an adequate level of protection.
“Contingent Worker” means any worker that is performing a duty on behalf of PayPal that is not a
PayPal employee. PayPal recognizes four types of contingent worker classifications: Consultants,
Independent Contractors (IC), Outsourced Workers, and Temporary Workers. Correct Worker
Classifications are necessary to support accurate headcount data, enforce various engagement
restrictions, and to ensure proper treatment of workers. The assignment being completed by the
worker will determine the applicable worker classification.
“Data controller “means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of Personal Data
“Data processor” means a natural or legal person, public authority, agency or other body which
processes Personal Data on behalf of the Data controller;
“Employee” means employees, workers, trainees and other personnel or staff members, including
contingent or temporary workers, alternate work force, or contractors of a Group Member, whether
employed or engaged on a full or part-time basis and irrespective of the type of employment or
engagement. When the context requires, “Employee” also means (a) former Employees and/or (b)
an Employee’s dependents and beneficiaries under Company benefit plans.
“Company Devices” means all electronic devices, systems and software applications provided to
you by the Company for business use.
“Employee Personal Data” means Personal Data relating to Employees.
“Legitimate interest” means the Company’s interests or the interests of third parties, and
commercial interests as well as wider societal benefits. Legitimate interest is analyzed through a) a
Purpose test: are you pursuing a legitimate interest?, b) a Necessity test: is the processing
necessary for that purpose and c) a Balancing test: do the individual’s interests override the
legitimate interest?
“Personal Data” means any information relating to an identified or identifiable natural person; an
identifiable person is one who can be identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity.
“PayPal Group” means PayPal Holdings, Inc. and any legal entity it controls directly or indirectly.
“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade-union membership, information relating to criminal offences,
or information concerning health or sex life.
“Service Provider” means any entity under contract with a PayPal Group Member which processes
Personal Data on behalf of a PayPal Group Member. In some jurisdictions, Service Providers also
may be referred to as Data Processors.
“Workforce service provider” means an agency specialized in the delivery of contingent workforce
to companies and businesses.

PPPriv-STD-1.2.0 10-5-2017
Proprietary & Confidential For PayPal Internal Use Only Page | 7