Privacy at Nayax

NAYAX USER RIGHTS POLICY

NAYAX group values the privacy rights of our Users. Thus, we have designed this user right policy (“User Rights Policy”) as an overview of individuals’ rights the EU General Data Protection Regulation (“GDPR”), which shall apply to you in the event you are a resident of the European Economic Area, the California Consumer Privacy Act of 2018 (“CCPA“) which shall apply to you in the event you are in California for other than a temporary or transitory purpose or is domiciled in California; and the Federal Law on Protection of Personal Data Held by Private Parties (“LFPDPPP”), its regulations and other applicable secondary provisions, which shall apply to you in the event your personal data is processed in Mexico. If you wish to submit a request to exercise any of your rights, please fill in the Data Subject Request (DSR). Terms used herein and not defined shall have the meaning ascribed to them in the Privacy Policy.

Under the GDPR

Personal data” is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, email address, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags. Personal data also covers publicly available data.

Your Right to Be Informed

You have the right to be informed with the Company’s details (e.g. name, address, etc.), as well as why and how we process personal data. This right includes, among others, the right to be informed with the identity of the business, the reasons and lawful basis for processing personal data, and additional information necessary to ensure the fair and transparent processing of personal data (for specific information that must be provided to you please see Exhibit A).

Access

You have a right to request us to confirm whether we process certain personal data related you, as well as a right to obtain a copy of such personal data, with additional information regarding how and why we use this personal data. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the personal data or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by you. Our response detailed above will be provided within the period required by law (please see below). Please note, we may ask you to provide us with certain information to authenticate your identity.

Rectification

If personal data held by us is not accurate or up to date, you may require us to update such data so it is accurate. Further, in the event we have passed on incorrect information about you to a third party, you also have a right to ask us to inform those third parties of the applicable information should be updated.

Erasure (“Right To Be Forgotten”)

You have the right to require us to erase certain personal data, subject to fulfillment of specific conditions. We are required to comply with a request to exercise the right to be forgotten, and delete the requested personal data if:

  • the applicable personal data is no longer needed for the original purpose for which it was collected and in addition, there is no new lawful basis for continued processing;
  • the lawful basis for processing is consent and you request to withdrew such consent;
  • you have exercised your right to object to the processing of your personal data by us, and we have no overriding grounds for the processing of such personal data;
  • the personal data is processed by us unlawfully; or otherwise, the erasure of your personal data is necessary to comply with applicable laws.

In addition, in the event we have passed on your personal data to a third party, you have the right to instruct us to request those third parties to erase such information. Please note that, this right to erasure is not absolute. We are entitled to reject your request to erase the data in the event that we find it (subject to applicable laws):

  • necessary to comply with legal obligations;
  • necessary to establish, exercise or defend legal claims; or
  • necessary for scientific purposes, etc.

Object

With regards to personal data processed by us under the lawful basis of our legitimate interests, you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the personal data in the event that (subject to applicable laws and regulations):

  • our legitimate interests for processing override your rights, interests and freedoms;
  • the processing of such personal data is necessary to establish, exercise or defend a legal claim or right, etc.

Restriction

You may request to limit the purposes for which we process your personal data in the event that:

  • the accuracy of the data is contested;
  • restriction is requested instead of erasure where the processing is considered to be unlawful;
  • we no longer need the personal data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or
  • consideration of overriding grounds in the context of an erasure request.

Data Portability

You may request us to send or “port” your personal data held by us to a third-party entity, however, solely when:

  • you have provided us the personal data;
  • it is processed automatically;
  • it is processed on the legal bases of either consent or fulfilment of a contract.

Response Timing and Format

We endeavor to respond to a verifiable request within 30 days. If we require more time, up to 60 days, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request justify a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Deletion rights described above, please submit a request by either:

By Toll-Free Telephone:  

Direct Dial  

  • English-speaking USA and Canada: 833-204-4684 
  • Spanish-speaking USA and Canada: 800-216-1288  
  • French-speaking Canada: 855-725-0002   
  • Spanish-speaking Mexico: 01-800-681-5340  

AT&T USADirect  

 

Emailing us at: privacy@nayax.com or support@nayax.com

Site Address: https://www.nayax.com/

All of the User Rights Policy sections under the GDPR also apply to individuals under the CCPA (including as amended, replaced or superseded) except for the following exceptions:

Personal Information

Personal Information” is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The categories of information become personal information if that information identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. It does not cover publicly available information.

Right to be informed

The categories of personal information collected/sold/disclosed by us in the previous 12 months must be provided to you (for specific information that must be provided to you please see Exhibit A).

Right of Access

The right applies only to personal information collected in the 12 months prior to the request and we are not required to provide access to personal information more than twice in 12 months.

Right to deletion

Under the CCPA, there are no specific situations of deletion and no justifications needed for a deletion request.

In addition to the exceptions enumerated under the EU Law, we are not required to comply with the right to deletion in the following circumstances:

1) to perform a contract between you and us;

2) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;

3) debug to identify and repair errors that impair existing intended functionality;

4) to enable solely internal uses that are reasonably aligned with your expectations based on the our relationship with you;

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days. If we require more time, up to 90 days, we will inform you of the reason and extension period in writing. Under the CCPA the data request only applies to the 12 months prior to the request and not more than 2 requests in a 12 months period.

Right to Opt Out (instead of the Right to Object mentioned above)

Under the CCPA you have the right to opt out of the sale of personal information. In the event we will sell Personal Information, we will provide you with information on how to exercise your right to opt-out (by providing with applicable “DO NOT SELL MY DATA” feature.

Explicit Notice

Under the CCPA a third party is prohibited from selling information about you that has been sold by us unless you have received explicit notice and provided the opportunity to opt out.

Nondiscrimination

You must not be discriminated for exercising any of your rights, including by:

  • denied goods or services;
  • charged different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • provided a different level or quality of goods or services;
  • suggested they will receive a different price or rate for goods or services.

Under the CCPA we can set up incentive programs for providing financial incentives and you can opt-in to become part of them.

Data Portability

The CCPA’s right is limited to allowing you receive personal information, and it does not extend to having us transfer the information to another business.

 

Under the LFPDPPP, its Regulations and other applicable secondary provisions in Mexico.

 

Personal information

 

Personal Data” is defined as any information relating to an identified or identifiable natural person; an identifiable natural person is any whose identity can be determined, directly or indirectly, by any information, such as a name, email address,  an identification number, location data, an online identifier or to one or more factors specific to personal data that affect the most intimate sphere of that natural person, or whose improper use may give rise to discrimination or entail a serious risk for him/her, for example: his/her racial or ethnic origin; past, present and future state of health; genetic information; religious, philosophical and moral beliefs; union membership; political opinions; sexual preference of that natural person. Online identifiers may be considered as personal data, such as IP addresses, cookie identifiers, and radio frequency identification tags. Personal data also covers publicly available data.

 

Your Right to Be Informed

 

You have the right to be informed with the Company’s details (e.g. name, address, etc.), as well as why and how we process personal data. This right includes, among others, the right to be informed with the identity of the business, the reasons for processing personal data, and additional information necessary to ensure the fair and transparent processing of personal data (for specific information that must be provided to you please see Exhibit A).

 

Access

 

You have the right to request us to confirm whether we process certain personal data concerning you and that are held by us in order to know which are and the state in which they are, that is, if it is correct and updated, or to know for what purposes it is used as well as a right to obtain a copy of the Privacy Notice to which the processing of your personal data is subject with additional information regarding the general conditions and characteristics of such processing.  After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the Privacy Notice or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by you. Our response detailed above will be provided within the period required by law (please see below). Please note, we may ask you to provide us with certain information to authenticate your identity.

 

Rectification

 

If personal data held by us is not accurate or incomplete, you may require us to update such personal data so it is accurate. It is necessary to specify the data you wish to have rectified, as well as to provide the necessary supporting documents. Further, in the event we have passed on incorrect information about you to a third party, you also have a right to ask us to inform those third parties of the applicable information should be updated.

 

Erasure (“Right of Cancellation”)

 

You have the right to require us to erase (cancel) certain personal data from the databases of Nayax, that is, to have your personal data deleted when you consider that it is not being used or processed in accordance with the principles and duties established by the LFPDPPP and/or its Regulations.

 

This right implies the cessation of the processing of your personal data by us, after a period of blocking the data and its subsequent deletion.

 

The cancellation will proceed with respect to all of your personal data of the Data Subject contained in our databases, or only part of them, as you request. It also proceeds when your personal data are no longer necessary for the purposes for which it was obtained and will not be applicable when your data must be retained for the periods provided for in the applicable legal provisions or existing contractual relationships.

 

Object

 

With regards to personal data processed by us, you may object to our processing when:

 

·       There is legitimate cause and your specific situation requires it, which must justify that although the processing is lawful, it must cease in order to prevent its persistence from causing you harm.

·       You need to express your opposition to the processing of your personal data so that the processing is not carried out for specific purposes.

 

However, even if we receive your objection, we will be permitted to continue processing the personal data in the event that the processing is necessary for the fulfilment of a legal obligation for us.

 

Withdrawal of consent

 

At any time, you can withdraw your consent to the processing of your personal data for all the purposes for which you have consented (full withdrawal) or only for some of them (partial withdrawal), that is up to you, according to your own interests.

 

It is important to note that the total withdrawal would imply the termination of the relationship you have with us, because we can no longer use your personal data for any purpose.

 

The withdrawal of your consent does not apply in cases where the processing of your personal data is necessary for the fulfilment of a legal obligation.

 

 

Response Timing and Format

 

You may submit a Request for your ARCO Rights and/or Withdrawal of Consent by filling out the respective form and sending it by email to privacy@nayax.com.

 

We endeavor to respond to a verifiable request within 20 working days. If we require more time, up to 40 days, we will inform you of the reason and extension period in writing. The justification for the extension will be notified to you within the same time period from the day on which the request is received. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

 

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request justify a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. In the event that any of the rights are exercised again in a period of less than twelve months, the cost may not exceed the equivalent of three days of the general minimum salary in force in Mexico City.

 

If your request is admissible, your ARCO right and/or withdrawal of consent will be effective within 15 working days from the date of the response. This time period may be extended once for a justified cause. The justification for the extension will be notified to you within the same time period, from the date of response.

 

Request for additional information

 

If the information provided in the Request is incorrect, incomplete or unclear, within a time period of 5 working days we will require you to complete or clarify it; you will have 10 working days to respond to the additional information request, otherwise your request will be considered as not submitted and will be considered as inadmissible.

 

For the exercise of your ARCO rights, the time period for us to communicate the determination, will begin to apply from the day following that on which you attend to the request.

 

As regards the exercise of the right to withdraw consent, the time periods of the request will be considered within the time period for us to communicate the determination.

 

 

Exhibit A

Information on the following must be provided to you:

  • the categories of personal data processed;
  • the purposes of processing;
  • the existence of data subjects’ rights and the contact details of the data protection officer.

Under the EU Law:

  • contact details of the data protection officer (to the extent required);
  • the lawful basis of the data controller or the third party to process your personal data;
  • the recipients or categories of personal data;
  • transfer of data to third parties;
  • data retention period;
  • the right to withdraw consent at any time;
  • the right to lodge a complaint with a supervisory authority.
  • when data is necessary for the performance of a contract, the possible consequences of not doing so;
  • the existence of automated decision-making including profiling, including the logic involved and consequences of such processing.

Under the CCPA:

  • the categories of personal information collected;
  • the sources from which the information was collected;
  • the business or commercial purpose for collecting or selling the information;
  • categories of third parties with whom the business shares the information;
  • the specific pieces of personal information the business collected about the consumer.

Under the LFPDPPP, its Regulations and other applicable secondary provisions in Mexico.

 

·       who process your personal data.

·       the recipients and data purposes.

·       transfer of data to third parties.

·       the right to withdraw consent at any time.

·       the sources from which your personal data was obtained.

 

 

action / 9 - action, cancel, close, delete, exit, remove, x icon