Privacy at Nayax

DATA PROCESSING ADDENDUM

This Data Processing Agreement (“DPA”) is entered into by and between Nayax Ltd. and its affiliates (collectively, “Company” or “Nayax”) and _____________ (“Distributor”), and forms an integral part of the Services Agreement signed by the parties, including its amendments and addendums (“Agreement”). Each is a “party” and collectively they are the “parties”.

1. DEFINITIONS

1.1.   “Data Protection Laws” shall mean: (i) Directive 95/46/EC and Directive 2002/58/EC, in each case as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR” and, collectively with the foregoing, “EU Data Protection Laws”) and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom from the European Union; (ii) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); or (iii) to the extent applicable, the data protection or privacy laws of any other country including, without limitation, Israel;

1.2.   “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall have the meanings given in EU Data Protection Law.

1.3.   “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sale” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information” as such term is defined in the CCPA.

1.4.   “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.

1.5.   “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.

1.6.   “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as adopted by European Commission Decision 2021/914 of June 4, 2021, which are incorporated herein by reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN

1. RELATIONSHIP OF THE PARTIES

1.1.   The parties acknowledge that they are each separate and independent Controllers of the Personal Data Processed under the Agreement. In no event will the parties Process the Personal Data as joint controllers. For the purposes of the CCPA (and to the extent applicable), the parties are considered Businesses.

1.2.   The parties shall ensure that they will Process Personal Data solely for the purposes contemplated in the Agreement. Each party shall Process Personal Data in compliance with applicable Data Protection Laws, industry standards and its obligations herein. Without derogating from the general or specific terms herein, each party hereby warrants and confirms that it is compliant with EU Data Protection Law and the CCPA, and each party shall be individually and separately responsible for complying with the applicable Data Protection Laws.

2. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAWS

2.1.   Each party shall identify and provide contact details for its contact point within its organization authorized to respond to enquiries concerning Processing of the Personal Data or its Data Protection Officer (“DPO”), as applicable and as indicated in ANNEX I attached herein. In the event of a change of the above contact person or DPO’s identity, each party shall provide updated contact details. Each party will cooperate in good faith with the other party, the Data Subject and the Supervisory Authority concerning all such enquiries within a reasonable time.

2.2.   Special Categories of Personal Data shall not be Processed or shared in connection with the performance of each party’s obligations under the Agreement.

2.3.   Unless otherwise agreed to in writing by the parties, a party shall not share any Personal Data with the other party that contains Personal Data relating to children under 16 years old.

2.4.   Each Party shall maintain a publicly accessible privacy policy, available via a prominent link, that satisfies the transparency disclosure requirements of Data Protection Laws, specifically in compliance with Article 13 and Article 14 of the GDPR. In addition, each party shall disclose within its own privacy policy the other party’s privacy policy and the purpose of sharing or transferring data between the parties.

2.5.   Distributor acknowledges that NAYAX may not have any direct interaction with Data Subjects, and therefore Distributor agrees that it is solely responsible for informing Data Subjects of the Processing of Personal Data, including by NAYAX. To that end, Distributor undertakes to notify Data Subjects that Nayax Processes their Personal Data, and to include in such disclosure a link to Nayax’s Privacy Policy.

3. RIGHTS OF DATA SUBJECT AND PARTIES’ COOPERATION OBLIGATIONS

3.1.   It is agreed that where either party receives a request from a Data Subject in respect of Personal Data Processed by the other party, the party receiving such request will, where relevant, direct the Data Subject to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request, to the extent permitted under Data Protection Laws.

3.2.   Notwithstanding the above, the parties shall cooperate reasonably and in good faith in order to respond to any correspondence or request by the Commission or Supervisory Authorities in accordance with any requirements under applicable Data Protection Laws.

4. TECHNICAL AND ORGANIZATIONAL MEASURES

4.1.   Each party shall implement appropriate technical and organizational measures to protect the Personal Data processed in connection with the performance of the Agreement. In the event either party suffers a confirmed Security Incident, it shall notify the other party without undue delay, and the parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Security Incident.

4.2.   Distributor confirms that it meets the requirements of PCI DSS, as further specified in the link below, as applicable to Distributor:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1629621025722

4.3.   Without derogating from the above, the technical and organisational security measures implemented by each party shall include, at a minimum, those listed in ANNEX II.

4.4.   Each party shall take all necessary steps to ensure the reliability of its staff (employees, personnel and service providers) who may Process, come into contact with, or otherwise have access to the Personal Data, and shall ensure that such members of staff have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5. THIRD PARTY PROCESSOR

Each Party acknowledges that in the performance of its engagement hereunder, it may transfer Personal Data to and otherwise interact with third-party data Processors. Each party agrees that if and to the extent such transfers occur, the transferring party is responsible for entering into separate contractual arrangements with such third-party Processors binding them to comply with obligations in accordance with Data Protection Laws and this DPA.

6. NO SALE OF PERSONAL DATA

It is hereby agreed that any sharing of Personal Data between the parties is done solely in order to fulfil a Business Purpose, and neither party receives, processes or shares any Personal Data in a manner that would be considered a Sale under the CCPA.

7. INTERNATIONAL TRANSFERS

7.1.   Each of the parties undertakes that it shall not transfer Personal Data internationally unless appropriate safeguards have been implemented and the transfer is compliant with applicable Data Protection Laws.

7.2.   Without derogating from the generality of the above, neither party shall process any Personal Data in a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law.

7.3.   In the event that either party needs to transfer Personal Data outside of the EEA to a country that has not received an adequacy decision from the European Commission, then by signing the Agreement and upon such an event the parties will be deemed to have signed the Standard Contractual Clauses; the party transferring such Personal Data or Special Categories of Personal Data outside of the EEA shall be considered the Data Exporter and the other party shall be considered the Data Importer (as such terms are defined in the Standard Contractual Clauses). For the purposes of this engagement, and subject to the occurrence of a transfer of Personal Data outside the EEA, the parties will be deemed to have entered into Module I of the Standard Contractual Clauses, and the purpose and description of the transfer shall be as detailed in ANNEX I. The governing law of the Standard Contractual Clauses set out in Clause 17 will be the laws of Lithuania, and any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Lithuania, without giving rise to any conflict of laws principles included therein. Additionally, in the event a data transfer needs to occur outside of the EEA between a party and one of its processors (including a third party contractor in accordance with Section 5 above), such party hereby agrees to execute Module III of the Standard Contractual Clauses with any such processor.

8. CONFLICT

In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of the Company’s Privacy Policy, the Company Privacy Policy shall prevail. In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail.

NAYAX LTD.
By: _____________
Position: _____________
Date: _____________
Signature: _____________

DISTRIBUTOR
By: _____________
Position: _____________
Date: _____________
Signature: _____________

ANNEX I: DETAILS OF PROCESSING AND TRANSFERRING OF PERSONAL DATA

This ANNEX I sets out certain details of the Processing of Personal Data as required by Article 28(3) GDPR and of the transfer of Personal Data subject to the Standard Contractual Clauses.

A.     LIST OF PARTIES

Data Exporter(s):

Name: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Address: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

DPO: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Contact person’s name, position and contact details: . . . . . . . . . . . . . . . . . . . . .

Activities relevant to the data transferred under these Clauses: . . . . . . . . . . . . .

Signature and date: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Role (controller/processor):


Data importer(s):

Name: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Address: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

DPO: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Contact person’s name, position and contact details: . . . . . . . . . . . . . . . . . . . . .

Activities relevant to the data transferred under these Clauses: . . . . . . . . . . . . .

Signature and date: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Role (controller/processor):


B.     DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is Processed/transferred:

  • Customers
  • Employees
  • [Note: Add as applicable.]

Categories of personal data Processed/transferred:

  • [Note: Add as applicable.]

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved (e.g. strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures):

  • [Note: Add as applicable.]

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

  • Continuous

Nature of the Processing and transferring:

  • [Recording, storage, retrieval, consultation, use, disclosure by transmission, making available, alignment or combination, restriction, erasure or destruction of data.]

Purpose(s) of the data transfer and further Processing:

  • Performance of the Agreement.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

  • [Note: Add as applicable.]

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing:

  • [Note: Add as applicable.]

C.     COMPETENT SUPERVISORY AUTHORITY

  • The Competent Supervisory Authority shall be determined in accordance with the alternatives set out in Clause 13 of the Standard Contractual Clauses.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES

This Annex forms part of the Standard Contractual Clauses and summarizes the technical, organisational and physical security measures implemented by the parties.

In addition to any data security requirements set forth in the DPA, the Data Importer shall comply with the following:

Data Importer undertakes to implement, maintain, and continuously control and update appropriate technical and organizational security measures to protect the personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. This includes:

1.      Preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used (physical access control); in particular, by taking the following measures:

  • Controlled access for critical or sensitive areas
  • Video monitoring in critical areas
  • Incident logs
  • Implementation of single entry access control systems
  • Automated systems of access control
  • Permanent door and windows locking mechanisms
  • Key management
  • Permanently manned reception
  • Code locks on doors
  • Monitoring facilities (e.g. alarm device, video surveillance)
  • Logging of visitors
  • Compulsory wearing of ID cards
  • Security awareness training

2.      Preventing data processing systems from being used without authorisation (logical access control); in particular, by taking the following measures:

  • Network devices such as intrusion detection systems, routers and firewalls
  • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).
  • Policy mandates locking of unattended workstations. Screensaver password is implemented such that if user forgets to lock the workstation, automatic locking is ensured.
  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Process for routine system updates for known vulnerabilities
  • Encryption of laptop hard drives
  • Monitoring for security vulnerabilities on critical systems
  • Deployment and updating of antivirus software
  • Individual allocation of user rights, authentication by password and username, use of smartcards for log-in, minimum requirements for passwords, password management, password request after inactivity, password protection for BIOS, blocking of external ports (such as USB ports), encryption of data, virus protection and use of firewalls, intrusion detection systems.

3.      Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorisation (access control to data); in particular, by taking the following measures:

  • Network devices such as intrusion detection systems, routers and firewalls
  • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).
  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Encryption of laptop hard drives
  • Deployment and updating of antivirus software
  • Compliance with Payment Card Industry Data Security Standard
  • Definition and management of a role-based authorization concept, access to personal data only on a need-to-know basis, general access rights only for a limited number of admins, access logging and controls, encryption of data, intrusion detection systems, secured storage of data carriers, secure data lines, distribution boxes and sockets.

4.      Ensuring that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control); in particular, by taking the following measures:

  • Encryption of communication, tunneling (VPN, Virtual Private Network), firewall, secure transport containers in case of physical transport, encryption of laptops

5.      Ensuring that it is possible retrospectively to examine and establish whether and by whom personal data have been inserted into data processing systems, modified or removed (entry control); in particular, by taking the following measures:

  • Logging and analysis of system usage
  • Role-based access for critical systems containing personal data
  • Logging and reporting systems; individual allocation of user rights to enter, modify or remove data based on the role-based authorization concept.

6.      Ensuring that personal data processed on the basis of a commissioned processing of personal data are processed solely in accordance with the directions of the data exporter (job control); in particular, by taking the following measures:

  • Mandatory security and privacy awareness training for all employees
  • Employee hiring procedures which require the completion of a detailed application form for key employees with access to significant personal data and, where allowed by local law
  • Periodic audits
  • Implementation of processes that ensure that personal data is only processed as instructed by the data exporter, covering any sub-processors, including diligently selecting appropriate personnel and service providers, monitoring contract performance, and entering into appropriate data processing agreements with sub-processors that include appropriate technical and organizational security measures.

7.      Ensuring that personal data are protected against accidental destruction or loss (availability control); in particular, by taking the following measures:

  • Backup procedures and recovery systems, redundant servers in a separate location, mirroring of hard disks, uninterruptible power supply and auxiliary power unit, remote storage, climate monitoring and control for servers, fire-resistant doors, fire and smoke detection, fire extinguishing system, anti-virus/firewall systems, malware protection, disaster recovery and emergency plan.

8.      Ensuring that data collected for different purposes or different principals can be processed separately (separation control); in particular, by taking the following measures:

  • Internal client concept and technical/logical client data segregation, development of a role-based authorization concept, separation of test data and live data.
