DPA for Nayax Suppliers

NAYAX DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) dated _______________ (“Addendum Effective Date”) forms part of the _______________________________ (“Agreement”) between _______________ (“Supplier”) and NAYAX Ltd. (“NAYAX”).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms used herein and not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

  1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 “Applicable Laws” means any laws applicable to this Addendum in light of its scope and subject matter;

1.1.2 “Authorised Subprocessors” means (a) those Subprocessors set out in Annex 3 (Authorised Subprocessors); and (b) any additional Subprocessors consented to in writing by NAYAX in accordance with Section 7.1;

1.1.3 “Process/Processing”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Special Categories of Personal Data” shall have the same meaning as in the GDPR, and “Data Controller” and “Data Processor” shall be interpreted in accordance with the terms “Controller” and “Processor”;

1.1.4 “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sale” shall have the meaning ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer” as such term is defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information” as such term is defined in the CCPA;

1.1.5 “NAYAX Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with NAYAX, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

1.1.6 “Data Protection Laws” shall mean: (i) Directive 95/46/EC and Directive 2002/58/EC, in each case as transposed into domestic legislation of each Member State of the European Economic Area and in each case as amended, replaced or superseded from time to time, including without limitation by the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR” and collectively with the foregoing “EU Data Protection Laws”) and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom from the European Union; (ii) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); or (iii) to the extent applicable, the data protection or privacy laws of any other country including, without limitation, Israel;

1.1.7 “Delete” means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed;

1.1.8 “EEA” means the European Economic Area;

1.1.9 “NAYAX Personal Data” means the data described in Annex 1 and any other Personal Data Processed by Supplier or an Authorized Subprocessor on behalf of NAYAX or any NAYAX Affiliate pursuant to or in connection with the Agreement;

1.1.10 “Mandated Auditor” has the meaning given to it in Section 12;

1.1.11 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, NAYAX Personal Data transmitted, stored or otherwise Processed, as well as any breach of Section 6 of this Addendum, or of the data protection, confidentiality or security provisions of the Agreement;

1.1.12 “Relevant Date” means the date falling on the earlier of (i) the cessation of Processing of NAYAX Personal Data by Supplier or an Authorized Subprocessor; or (ii) termination of the Agreement;

1.1.13 “Restricted Transfer” means either (i) a transfer of Personal Data from NAYAX or any NAYAX Affiliate (“Transferor”) to Supplier (“Transferee”); or (ii) an onward transfer from a Supplier to a Subprocessor (also a “Transferee”), in each case where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses to be established under Section 13 below. For the avoidance of doubt where a transfer of Personal Data from one country to another country is of a type authorised by Data Protection Laws in the exporting country for example in the case of transfers from within the European Union to a country or scheme which is approved by the European Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer for the purposes of this Addendum;

1.1.14 “Services” means the services to be supplied by Supplier and/or an Authorized Subprocessor to NAYAX and/or NAYAX Affiliates pursuant to the Agreement;

1.1.15 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, as adopted by European Commission Decision 2021/914 on June 4, 2021, which are attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN;

1.1.16 “Subprocessor” means any Data Processor (including any third party) appointed by Supplier to Process NAYAX Personal Data on behalf of NAYAX or any NAYAX Affiliate;

1.1.17 “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;

1.1.18 “Third Country” means a country which is not a Member State of the European Union.

  2. Data Processing Terms

In the course of providing the Services to NAYAX and NAYAX Affiliates pursuant to the Agreement, Supplier and any Authorized Subprocessor may Process NAYAX Personal Data on behalf of NAYAX or any NAYAX Affiliate. The parties acknowledge that in relation to all NAYAX Personal Data, NAYAX is the Controller of the NAYAX Personal Data and the Supplier is acting as the Processor on behalf of NAYAX (i.e., the Controller). Supplier shall only process NAYAX Personal Data on behalf and upon the reasonable instructions of NAYAX (including the instructions herein) and as communicated by NAYAX in writing from time to time, for the purposes of providing the Services to NAYAX. Supplier agrees to comply with the provisions set out in this Addendum with respect to any NAYAX Personal Data submitted by or for NAYAX or any NAYAX Affiliate to the Services or otherwise collected and Processed by or for NAYAX or any NAYAX Affiliate by Supplier or an Authorized Subprocessor.

  3. Processing of NAYAX Personal Data

3.1 Supplier shall only Process the NAYAX Personal Data on behalf of NAYAX in accordance with the applicable Data Protection Laws (including Article 28(3) of the GDPR), for the purposes of the Agreement, the Services and for the specific purposes as set out in Annex 1 to this Addendum for each category of Data Subjects listed therein. Supplier shall not Process, transfer, modify, amend or alter the NAYAX Personal Data or disclose or permit the disclosure of the NAYAX Personal Data to any third party other than in accordance with NAYAX’s documented instructions (whether in the Agreement, this Addendum or otherwise) unless such Processing is required by Applicable Laws to which Supplier is subject, in which case Supplier shall to the extent permitted by Applicable Laws inform NAYAX of that legal requirement before Processing such NAYAX Personal Data.

3.2 Supplier agrees to be included in public disclosures by Nayax as a Processor of Personal Data, Processing Personal Data on behalf of Nayax.

  4. No Sale of Personal Data

4.1 It is hereby agreed that any sharing of NAYAX Personal Data between the parties is done solely in order to fulfil a Business Purpose and Supplier does not receive or process any NAYAX Personal Data in consideration for the Services. Therefore, such Processing of NAYAX Personal Data shall not be considered a Sale.

4.2 Supplier undertakes not to receive, process or share any Personal Data in a manner that would be considered a Sale under the CCPA.

  5. Supplier Personnel

5.1 Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the NAYAX Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant NAYAX Personal Data, as strictly necessary for the purposes set out in Section 3.1 above in the context of that individual’s duties to Supplier. Supplier shall ensure that all such individuals:

5.1.1 are informed of the confidential nature of the NAYAX Personal Data, are aware of Supplier’s obligations under this Addendum and the Agreement in relation to the NAYAX Personal Data and agree to abide by such obligations;

5.1.2 have undertaken appropriate training in relation to the Data Protection Laws;

5.1.3 are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and

5.1.4 are subject to user authentication and log‑on processes when accessing the NAYAX Personal Data.

  6. Security

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall implement appropriate technical and organizational measures as described in Annex 2 to ensure a level of security appropriate to the risk to such NAYAX Personal Data, including, inter alia, as appropriate the measures referred to in Article 32(1) of the GDPR and Nayax’s security questionnaire and assessment.

6.2 In assessing the appropriate level of security, Supplier shall take into account the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to NAYAX Personal Data transmitted, stored or otherwise Processed.

6.3 Supplier confirms that it meets the requirements of PCI DSS, as further specified in the link below, as applicable to Supplier: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1629621025722

  7. Subprocessing

7.1 Subject to Section 7.3, Supplier shall not engage any Data Processors to Process NAYAX Personal Data other than with the prior written consent of NAYAX, which NAYAX may refuse in its sole and absolute discretion, for any reason or no reason.

7.2 With respect to each Subprocessor, Supplier shall:

7.2.1 provide NAYAX with full details of the Processing to be undertaken by each Subprocessor;

7.2.2 carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for NAYAX Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will abide by the requirements of the Data Protection Laws and this Addendum, and provide evidence of such due diligence to NAYAX where requested by NAYAX or a Supervisory Authority;

7.2.3 include terms in the contract between Supplier and each Subprocessor which are the same as those set out in this Addendum. Upon request, Supplier shall provide a copy of its agreements with Subprocessors to NAYAX for its review;

7.2.4 insofar as the contract with such Subprocessor involves a Restricted Transfer, require that each Transferee enter into such a contract with NAYAX (or such other arrangement as may be agreed with NAYAX), in each case in order to ensure the adequate protection of the transferred NAYAX Personal Data; and remain fully liable to NAYAX for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of any NAYAX Personal Data.

7.3 As of the Addendum Effective Date, NAYAX hereby authorises Supplier to engage those Subprocessors set out in Annex 3 (Authorised Subprocessors).

  8. Data Subject Rights

8.1 Taking into account the nature of the Processing, Supplier shall assist NAYAX by implementing appropriate technical and organisational measures to facilitate the fulfilment of NAYAX’ and NAYAX Affiliates’ obligations in Supplier’s capacity as a Data Processor and/or in order to assist NAYAX and NAYAX Affiliates, in each of their capacities and responsibilities as a Data Controller or a Data Processor (as the case may be) to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws.

8.2 Supplier shall promptly notify NAYAX if it receives a request from a Data Subject with respect to any of his/her rights under any Data Protection Laws in respect of NAYAX Personal Data that the Supplier is Processing on behalf of NAYAX. Unless otherwise required under applicable laws, Supplier shall not respond or act upon such requests without receiving the prior written approval to do so from NAYAX.

8.3 Supplier shall co‑operate as requested by NAYAX to enable NAYAX to comply with any exercise of rights by a Data Subject under any Data Protection Laws in respect of NAYAX Personal Data and comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of NAYAX Personal Data or this Addendum, which shall include:

8.3.1 the provision of all data requested by NAYAX within any reasonable timescale specified by NAYAX in each case, including full details and copies of the complaint, communication or request and any NAYAX Personal Data it holds in relation to a Data Subject;

8.3.2 where applicable, providing such assistance as is reasonably requested by NAYAX to enable NAYAX to comply with the relevant request within the timescales prescribed by the Data Protection Laws; and

8.3.3 implementing any additional technical and organisational measures as may be reasonably required by NAYAX to allow NAYAX to assist the Data Controller to respond effectively to relevant complaints, communications or requests.

  9. Personal Data Breach

9.1 Supplier shall notify NAYAX promptly and without any undue delay, and in any case within twenty-four (24) hours, upon becoming aware of or reasonably suspecting a Personal Data Breach, providing NAYAX with sufficient information in its notification which will allow NAYAX to meet any obligations applicable to NAYAX in order to ensure the report of a Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum:

9.1.1 include the date or estimated date of the Personal Data Breach and the date the Supplier discovered the Personal Data Breach;

9.1.2 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

9.1.3 communicate the name and contact details of Supplier’s data protection officer or other relevant contact from whom more information may be obtained;

9.1.4 describe the likely consequences of the Personal Data Breach; and

9.1.5 describe the measures taken or proposed to be taken to address the Personal Data Breach.

9.2 Supplier shall co-operate with NAYAX and take such reasonable commercial steps as are directed by NAYAX to assist in the investigation, mitigation and remediation of each Personal Data Breach.

9.3 Supplier shall notify NAYAX in writing of any request, inspection, audit or investigation by a Supervisory Authority or other authority or any litigation arising out of or related to such Personal Data Breach and provide full cooperation to NAYAX in responding to such event. Supplier shall update NAYAX as necessary and provide sufficient information to allow NAYAX to meet its legal and contractual obligations, including pertaining to any proposed notification to a Supervisory Authority and/or Data Subject.

9.4 In the event of a Personal Data Breach, Supplier shall not inform any third party without first obtaining NAYAX’s prior written consent, unless notification is required by Data Protection Laws to which Supplier is subject, in which case Supplier shall to the extent permitted by such law inform NAYAX of that legal requirement, provide a copy of the proposed notification and consider any comments made by NAYAX before sending such notification.

  10. Data Protection Impact Assessment and Prior Consultation

10.1 Supplier shall provide reasonable assistance to NAYAX with any data protection impact assessments which are required under Article 35 of the GDPR and with any prior consultations to any Supervisory Authority of NAYAX or any NAYAX Affiliate which are required under Article 36 of the GDPR, in each case solely in relation to the Processing of NAYAX Personal Data by Supplier on behalf of NAYAX and taking into account the nature of the Processing and information available to Supplier.

  11. Deletion or return of NAYAX Personal Data

11.1 Subject to Sections 11.2 and 11.3, Supplier shall promptly and in any event within 30 calendar days of the Relevant Date: (a) return a complete copy of all NAYAX Personal Data to NAYAX by secure file transfer in such format as notified by NAYAX to Supplier; and (b) Delete and procure the Deletion of all other copies of NAYAX Personal Data Processed by Supplier or any Authorised Subprocessor. Supplier shall provide written certification to NAYAX that it has fully complied with this Section 11.1 within 30 days of the Relevant Date.

11.2 Subject to Section 11.3, NAYAX may in its absolute discretion notify Supplier in writing with 30 days prior notice to require Supplier to Delete and procure the Deletion of all or any copies of NAYAX Personal Data Processed by Supplier or any Authorised Subprocessor. Supplier shall provide written certification to NAYAX that it has fully complied with this Section 11.2 within 30 days of its receipt of the prior notice from NAYAX.

11.3 Supplier may retain NAYAX Personal Data to the extent required by Applicable Laws and only to the extent and for the period of time required by Applicable Laws, provided, that Supplier shall ensure the confidentiality of all such NAYAX Personal Data and shall ensure that such NAYAX Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws that require its retention.

  12. Audit rights

12.1 In addition to any audit rights granted pursuant to the Agreement, Supplier shall make available to NAYAX on request all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by NAYAX or an auditor mandated by NAYAX or any NAYAX Affiliate (“Mandated Auditor”) of any premises where the Processing of NAYAX Personal Data takes place in order to assess compliance with this Addendum. Supplier shall permit NAYAX or a Mandated Auditor to inspect, audit and copy any relevant records, processes and systems in order for NAYAX to feel satisfied that the provisions of this Addendum are being complied with. Supplier shall provide full co‑operation to NAYAX in respect of any such audit and shall at the request of NAYAX, provide NAYAX with evidence of compliance with its obligations under this Addendum. Supplier shall immediately inform NAYAX if, in its opinion, an instruction pursuant to this Section 12 (Audit Rights) infringes the GDPR or other Data Protection Laws.

  13. Restricted Transfers

13.1 To the extent that the Services include Restricted Transfers of NAYAX Personal Data, the following shall apply:

13.1.1 In order to maintain the integrity, security and confidentiality of the Personal Data, a Restricted Transfer shall be subject, in addition to the terms of this Addendum, to the terms and obligations of Module II of the Standard Contractual Clauses, in which event Supplier shall be deemed as the Data Importer and Nayax shall be deemed as the Data Exporter.

13.1.2 The purpose and description of the transfer shall be detailed in Annex 1.

13.1.3 If the Supplier engages a Subprocessor, in accordance with Section 7 above, for carrying out specific processing activities (on behalf of Nayax), the Supplier and the Subprocessor shall ensure compliance with Chapter V GDPR by using the Standard Contractual Clauses. In such event, the Supplier shall be deemed as the Data Exporter and the Subprocessor shall be deemed as the Data Importer. For the purposes of such engagement, the Supplier and the Subprocessor will enter into Module III of the Standard Contractual Clauses.

13.1.4 The Supplier agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Standard Contractual Clauses, all subject to Clause 13 of the Standard Contractual Clauses.

13.1.5 The parties agree that subject to Clauses 17 and 18 of the Standard Contractual Clauses, the Standard Contractual Clauses shall be governed by the laws of Lithuania and any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Lithuania without giving rise to any conflict of laws principles included therein. Notwithstanding the above, subject to Clause 18 of the Standard Contractual Clauses, a Data Subject may also bring legal proceedings against the parties before the courts of the Member State in which he/she has his/her habitual residence.

13.1.6 Specifically, EU-US Transfers: Following Schrems II, Case No. C-311/18, and related guidance from Supervisory Authorities, the parties acknowledge that supplemental measures may be needed with respect to EU-U.S. data transfers where Personal Data of Nayax may be Processed in the US. The parties acknowledge that Nayax’s EU operations involve merely ordinary commercial services, and any EU-U.S. transfers of Personal Data contemplated by this Addendum involve ordinary commercial information, which is not the type of data that is of interest to, or generally subject to, surveillance by U.S. intelligence agencies. Accordingly, Supplier acknowledges and warrants that it will not provide access to Nayax’s Personal Data to any US government or intelligence agency, except where it is obligated to do so under US law or a valid and binding order of a government authority (such as pursuant to a court order). In any such case, the Supplier will attempt to redirect the law enforcement agency to request the data directly from Nayax. Unless the Supplier is legally prohibited from doing so, in any such case the Supplier will: (1) give Nayax notice of the demand no later than 3 days after such demand is received to allow Nayax to seek recourse or other appropriate remedy to adequately protect the privacy of EEA Data Subjects; and (2) in any event, provide access only to such Nayax’s Personal Data as is strictly required by the relevant law or binding order (having used reasonable efforts to minimize and limit the scope of any such access).

In the event that EU authorities or courts determine that the Restricted Transfer mechanism selected above is no longer an appropriate basis for Restricted Transfers, NAYAX and the Supplier shall promptly take all steps reasonably necessary to demonstrate adequate protection for the NAYAX Personal Data, using another approved mechanism. Supplier understands and agrees that NAYAX may terminate the Restricted Transfers as needed to comply with the Data Protection Laws.

  14. Processing Personal Data regarding Supplier’s Personnel

Nayax may Process certain Personal Data regarding Supplier’s personnel who are in contact with Nayax in relation to the Processing of Nayax’ Personal Data. Such Processing will be made in accordance with Nayax’ Privacy Policy and User Rights Policy. Supplier undertakes to inform its personnel of such Processing and refer them to the above mentioned policies.

  15. Indemnity

15.1 Supplier shall indemnify and hold harmless NAYAX and each NAYAX Affiliate against all losses, fines and sanctions arising from any claim by a third party or Supervisory Authority arising from any breach of this Addendum.

15.2 Supplier shall defend, indemnify, and hold harmless NAYAX and each NAYAX Affiliate from any and all claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses), arising out of or resulting from any claim, allegation, demand, suit, action, order or any other proceeding by the Data Controller, that arises out of or relates to a violation of Supplier’s representations and/or obligations under this Addendum, and any and all claims, damages, liabilities, assessments, losses, costs, administrative fines and other expenses (including, without limitation, reasonable attorneys’ fees and legal expenses), arising out of or resulting from any action of an Authorised Subprocessor.

  16. Liability

16.1 Notwithstanding anything to the contrary in the Agreement, Supplier’s liability for any breach of this Addendum shall be unlimited.

  17. Miscellaneous

Termination

17.1 Subject to Section 16.2, the parties agree that this Addendum and, if applicable, the Standard Contractual Clauses shall terminate automatically upon (i) termination of the Agreement; or (ii) expiry or termination of all service contracts, statements of work, work orders or similar contract documents entered into by Supplier with NAYAX and/or NAYAX Affiliates pursuant to the Agreement, whichever is later.

17.2 Any obligation imposed on Supplier under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum.

Governing law of this Addendum

17.3 Without, if applicable, prejudice to Clause 17 (Governing Law) of the Standard Contractual Clauses, the governing law of this Addendum shall be the choice of the governing law stipulated in the Agreement.

Choice of jurisdiction

17.4 Without, if applicable, prejudice to Clause 18 (Choice of forum and jurisdiction) of the Standard Contractual Clauses, and notwithstanding the choice of law under Section 17.3, the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this Addendum.

Cross-default

17.5 Any breach of this Addendum shall constitute a material breach of the Agreement.

Order of precedence

17.6 With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including but not limited to the Agreement, the provisions of this Addendum shall prevail with regard to the parties’ data protection obligations under applicable Data Protection Laws. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, if applicable, the Standard Contractual Clauses shall prevail.

Costs of compliance

17.7 Each side will bear its own costs and expenses in order to ensure compliance with this Addendum and the GDPR requirements.

Third party rights

17.8 Except to the extent set out in Section 17.9 and, if applicable, in Clause 3 of the Standard Contractual Clauses, a person who is not a party to this Addendum shall have no right to enforce any term of this Addendum.

17.9 A NAYAX Affiliate may enforce any term of this Addendum which is expressly or implicitly intended to benefit it.

17.10 The rights of the parties to rescind or vary this Addendum are not subject to the consent of any other person.

Changes in Data Protection Laws

17.11 NAYAX may notify Supplier in writing from time to time of any variations to this Addendum which are required as a result of a change in Data Protection Laws including without limitation to the generality of the foregoing, any variations which are (i) required and to the extent required as a result of any changes to UK Data Protection Laws following any exit of the UK from the European Union; or (ii) required to take account of any new data transfer mechanisms for the purposes of Section 13.1. Any such variations shall take effect on the date falling 30 (thirty) calendar days after the date such written notice is sent by NAYAX and Supplier shall procure that where necessary the terms in each contract between Supplier and each Subprocessor are amended to incorporate such variations within the same time period.

Severance

17.12 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the Addendum Effective Date first set out above.

 

________________ (“NAYAX”)          ________________ (“Supplier”)

Signature: ____________________     Signature: ____________________

Name: ____________________          Name: ____________________

Title: ____________________         Title: ____________________

Date Signed: ____________________   Date Signed: ____________________

ANNEX 1: DETAILS OF PROCESSING AND TRANSFERRING OF NAYAX PERSONAL DATA

This Annex 1 includes certain details of the Processing of NAYAX Personal Data as required by Article 28(3) GDPR and the transferring of Personal Data subject to the Standard Contractual Clauses.

  1. LIST OF PARTIES

Data Exporter (s):

Name: Nayax’s contact details shall be the same as indicated in the Agreement.

Activities relevant to the data transferred under these Clauses: Personal Data Processing for the performance of the Agreement.

Signature and date: Signature of the Agreement and the Addendum incorporated therein, shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.

Role (controller/processor): Controller

Data importer(s): [To be completed by the Supplier]

Name: . . . . . . . . . . . . . . . . . . . . .

Address: . . . . . . . . . . . . . . . . . . . . .

DPO: . . . . . . . . . . . . . . . . . . . . .

Contact person’s name, position and contact details: . . . . . . . . . . . . . . . . . . . . .

Activities relevant to the data transferred under these Clauses: . . . . . . . . . . . . . . . . . . . . .

Signature and date: . . . . . . . . . . . . . . . . . . . . .

Role (controller/processor): Processor.

  2. DESCRIPTION OF TRANSFER

Subject matter and duration of the Processing of NAYAX Personal Data

The subject matter and duration of the Processing of the NAYAX Personal Data are set out in the Agreement and this Addendum.

The nature and purpose of the Processing and transferring of NAYAX Personal Data

Supplier will be providing Services to NAYAX which involve the Processing of NAYAX Personal Data. The scope of the Services is set out in the Agreement, and the NAYAX Personal Data will be Processed by the Supplier in order to provide those Services and to comply with the terms of the Agreement and this Addendum.

The types of NAYAX Personal Data to be Processed and transferred (insert description in accordance with the activities and services provided by each supplier which NAYAX engages with)

______________________________________________________________

The categories of Data Subject to whom the NAYAX Personal Data relates (insert description)

_______________________________________________________________

The obligations and rights of NAYAX and NAYAX Affiliates

The obligations and rights of NAYAX and NAYAX Affiliates are set out in the Agreement and this Addendum.

The processing operations carried out in relation to the NAYAX Personal Data (e.g. collecting and recording the data, hosting the data, organising the data, adapting or altering the data, consulting or retrieving the data, disclosing or transferring the data, etc.)

_______________________________________________________________

_______________________________________________________________

_______________________________________________________________

In each case for the purposes of providing services to NAYAX, the scope of which is set out in the Agreement.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

  • [Continuous/One-off basis]

For transfers to sub-processors, also specify subject matter, nature and duration of the processing

  • [fill in]

Competent Authority in accordance with Clause 13 of the Standard Contractual Clauses

  • The Competent Authority shall be in accordance with Clause 13 alternatives.

ANNEX 2:

TECHNICAL AND ORGANISATIONAL MEASURES

This Annex forms part of the Transfer Clauses and summarizes the technical, organisational and physical security measures implemented by the parties:

In addition to any data security requirements set forth in the DPA, the Data Importer shall comply with the following:

Data Importer undertakes to implement, maintain, and continuously control and update, appropriate technical and organizational security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. This includes:

  1. Preventing unauthorised persons from gaining access to data processing systems with which personal data are processed or used (physical access control); in particular, by taking the following measures:
    • Controlled access for critical or sensitive areas
    • Video monitoring in critical areas
    • Incident logs
    • Implementation of single entry access control systems
    • Automated systems of access control
    • Permanent door and windows locking mechanisms
    • Key management
    • Permanently manned reception
    • Code locks on doors
    • Monitoring facilities (e.g. alarm device, video surveillance)
    • Logging of visitors
    • Compulsory wearing of ID cards
    • Security awareness training
  2. Preventing data processing systems from being used without authorisation (logical access control); in particular, by taking the following measures:
    • Network devices such as intrusion detection systems, routers and firewalls
    • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).
    • Policy mandates locking of unattended workstations. Screensaver password is implemented such that if user forgets to lock the workstation, automatic locking is ensured.
    • Logging and analysis of system usage
    • Role-based access for critical systems containing personal data
    • Process for routine system updates for known vulnerabilities
    • Encryption of laptop hard drives
    • Monitoring for security vulnerabilities on critical systems
    • Deployment and updating of antivirus software
    • Individual allocation of user rights, authentication by password and username, use of smartcards for log in, minimum requirements for passwords, password management, password request after inactivity, password protection for BIOS, blocking of external ports (such as USB ports), encryption of data, virus protection and use of firewalls, intrusion detection systems.
  3. Ensuring that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that, in the course of processing or use and after storage, personal data cannot be read, copied, modified or deleted without authorisation (access control to data); in particular, by taking the following measures:
    • Network devices such as intrusion detection systems, routers and firewalls
    • Secure log-in with unique user-ID, password and a second factor for authentication (OTP, MFA, 2FA).
    • Logging and analysis of system usage
    • Role based access for critical systems containing personal data
    • Encryption of laptop hard drives
    • Deployment and updating of antivirus software
    • Compliance with Payment Card Industry Data Security Standard
    • Definition and management of role based authorization concept, access to personal data only on a need-to-know basis, general access rights only for a limited number of admins, access logging and controls, encryption of data, intrusion detection systems, secured storage of data carriers, secure data lines, distribution boxes and sockets.
  4. Ensuring that personal data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control); in particular, by taking the following measures:
    • Encryption of communication, tunneling (VPN = Virtual Private Network), firewall, secure transport containers in case of physical transport, encryption of laptops
  5. Ensuring that it is possible retrospectively to examine and establish whether and by whom personal data have been inserted into data processing systems, modified or removed (entry control); in particular, by taking the following measures:
    • Logging and analysis of system usage
    • Role based access for critical systems containing personal data
    • Logging and reporting systems, individual allocation of user rights to enter, modify or remove based on role based authorization concept.
  6. Ensuring that personal data processed on the basis of a commissioned processing of personal data are processed solely in accordance with the directions of the data exporter (job control); in particular, by taking the following measures:
    • Mandatory security and privacy awareness training for all employees
    • Employee hiring procedures which require the completion of a detailed application form for key employees with access to significant personal data and, where allowed by local law
    • Periodic audits are conducted
    • Implementation of processes that ensure that personal data is only processed as instructed by the data exporter, covering any sub-processors, including diligently selecting appropriate personnel and service providers and monitoring of contract performance, entering into appropriate data processing agreements with sub-processors, which include appropriate technical and organizational security measures.
  7. Ensuring that personal data are protected against accidental destruction or loss (availability control); in particular, by taking the following measures:
    • Backup procedures and recovery systems, redundant servers in separate location, mirroring of hard disks, uninterruptible power supply and auxiliary power unit, remote storage, climate monitoring and control for servers, fire resistant doors, fire and smoke detection, fire extinguishing system, anti-virus/firewall systems, malware protection, disaster recovery and emergency plan.
  8. Ensuring that data collected for different purposes or different principals can be processed separately (separation control); in particular, by taking the following measures:
    • Internal client concept and technical logical client data segregation, development of a role based authorization concept, separation of test data and live data.

ANNEX 3: AUTHORISED SUBPROCESSORS [To be completed by Supplier]

Name | Address | Server location | Description of the processing