DATA PROCESSING AGREEMENT (DPA)

1. PREAMBLE

1.1. This DPA is an addition to E-Service Agreement between Yango (Contractor) and the other party of such contract, agreement or document concluded with Contractor (“Customer”), in which this DPA is stipulated as a part of such contract, agreement or document (“Agreement”). In the event of a contradiction between this DPA and the provisions of Agreement, this DPA shall prevail.

1.2. This DPA is deemed to be concluded by using opt-in check-box or by entering into Agreement, including by electronic means (scan, email, etc.).

1.3. This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Data Protection Legislation.

2. DEFINITIONS AND INTERPRETATION

2.1. In this DPA:

“Customer” means legal entity or individual entrepreneur, who provides passenger transportation and related services which accepted the terms and conditions of the Agreement.

“E-Service” means various informational services provided by the Agreement, which, without limitation, include enabling and (or) assist the Customer with accessing the Service, receiving relevant information on Requests, performing Requests, and communicating with Contractor and (or) Yango Users and other Services provided by the Agreement.

“Personal Data” means any personal data that is received from one party and processed by the other party under the Agreement in connection with provision or use (as applicable) of the Services to Customer.

“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the UAE Federal Decree-Law 45/2021; and/or (c) any other applicable law, statute regulation, directive or legislative act of another form, applicable to the processing of Personal Data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02016R0679-20160504).

“Driver(s)” shall mean an individual who (a) has signed or otherwise became a party to either an employment or other contract with Customer or any third party, or Contractor has grounds to believe that such contractual relations exist, and (b) has all licenses and (or) permissions as required by the Country Law to drive the Vehicle and perform the Transfer and/or delivery services, and (c) actually capable of driving the Vehicle at the relevant time and registered in the Partner Web Interface by Customer.

2.2. Other capitalized terms when used herein shall have the same meaning as is given such terms in the Agreement.

2.3. The terms “controller” or “data controller”, “data subject”, “personal data”, “processing” and “processor” or “data processor” as used in this DPA have the meanings given in Data Protection Legislation.

2.4. Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. CATEGORIES OF PERSONAL DATA

3.1. For the purposes of providing the E-Service and fulfilling the obligations under the Agreement Contractor processes Personal Data:

3.1.1. full name, social security number, national ID details, date of birth, place of birth, gender, citizenship, photo, mobile number, official residential address, chats, calls, geolocation, information related to activities during the services;

3.1.2. driving license details: forename and surname, date and place of birth, expiry date, official body that has issued the license, license number, place where the license has been issued, car category or categories to which the license extend;

3.1.3. scanned copies of the documents containing the data listed in 4.1.1 (i) – (ii);

3.2. Personal Data listed above can be provided by Customer or collected by the Contractor on behalf of the Contractor.

4. PURPOSES OF DATA PROCESSING AND ROLES OF THE PARTIES

4.1. When processing personal data for the following purposes, the Contractor acts as the data controller:

4.1.1. Registration of drivers in Contractor’s application, authorization and identification;

4.1.2. Where applicable, verifying Drivers’ identity;

4.1.3. Monitoring driving style, including speed, acceleration, and deceleration, to prevent accidents, duration of work;

4.1.4. Monitoring driving time and route for safety concerns and regulatory compliance.

4.2. Contractor acts as the Data Processor where Contractor processes Personal Data for the following purposes:

4.2.1. Assisting Customer and Drivers to access the E-Service, enabling Drivers to receive the Requests of Yango users and to perform the Requests;

4.2.2. Providing support to Drivers.

4.3. For other purposes of Personal Data processing not listed in this section 4 Customer acts as Data Controller.

4.4. Customer shall ensure legal basis of Personal Data processing, including legal basis of transfer Drivers’ Personal Data to Contractor.

4.5. Where required by applicable law, the Customer shall obtain drivers’ consent to collect and process Personal Data by the Contractor and transfer Personal Data to Contractor, and, at Contractor’s request, shall provide supporting evidence thereof. Customer shall promptly notify the Contractor if it becomes aware that any such consent is withdrawn.

4.6. Customer shall implement and maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing processing of Drivers’ personal data. Customer shall duly inform the Driver that their data will transferred to the Contractor.

5. DURATION OF PROCESSING

5.1. Contractor where acting as Data Controller shall process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

5.2. Personal Data shall be deleted upon the sooner of (i) request of the Customer; or (ii) when Personal Data is no longer needed to perform the Agreement.

6. SUB-PROCESSORS

6.1. Customer acknowledges and agrees that:

6.1.1. Contractor’s Affiliates may be retained as sub-processors;

6.1.2. Contractor and Contractor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the E-Service

6.2. Contractor and Contractor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the E-Service.

6.3. Contractor verifies that its appointed Sub-Processors have provided sufficient guarantees to Contractor to implement appropriate technical and organizational measures in such a manner that the processing of Personal Data meets the requirements of the Data Protection Legislation. Contractor undertakes that all the Sub-Processors are subject to a written agreement with Contractor which imposes data protection obligations on the Sub-Processors that are no less onerous than those imposed on the Contractor under this DPA.

6.4. Contractor is not bound by any recommendations of the Customer in respect to choice of sub-processors and can follow or not follow such recommendations at its own discretion. Contractor can change Sub-processors from time to time and engage new sub processors without any prior approval.

7. DATA SUBJECT RIGHTS

7.1. Customer’s obligations:

7.1.1. The Customer shall promptly notify the Contractor of any request it has received from a data subject, including access, rectification or erasure requests.

7.1.2. The Customer shall assist the Contractor in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Data Protection Legislation. In fulfilling its obligations under this section, the Contractor shall comply with the instructions from the Customer.

7.2. Contractor’s obligations:

7.2.1. The Contractor shall promptly notify the Customer of any request it has received from a data subject, provided that such request refers to Personal Data processing by the Contractor.

7.2.2. Where Contractor processes personal data as Data Processor, the Contractor shall assist the Customer in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Data Protection Legislation. In fulfilling its obligations under this section, the Data Processor shall comply with the instructions from the Data Controller.

7.3. Redress. In case of a dispute between a data subject and one of the Parties as regards compliance with the present DPA or the Agreement, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

7.4. Where the data subject invokes a third-party beneficiary right, the data processor shall accept the decision of the data subject to: lodge a complaint with the supervisory authority of his/her habitual residence or place of work; refer the dispute to the competent courts.

7.5. The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Data Protection Legislation. The data processor shall abide by a decision that is binding under the applicable Data Protection Legislation. The data processor agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

8. REPRESENTATIONS AND WARRANTIES

8.1. Customer represents and warrants, and, at Contractor’s request, will provide supporting evidence, to demonstrate that:

8.1.1. Customer collects, obtains and processes Personal Data, provided by Customer to Contractor under this DPA, lawfully, without violating any third parties’ rights, contractual obligations or Data Protection Legislation;

8.1.2. Customer’s data processing activities are compliant with Data Protection Legislation, applicable e-commerce legislation, advertising legislation or consumer protection legislation.

8.1.3. Customer has all rights, consents, authorization and title to grant the rights and permissions to collect such Personal Data by Contractor according to the Agreement and the terms of this DPA;

8.1.4. where required by applicable Data Protection Legislation, Customer has obtained the consent of data subjects (including Drivers and Couriers) to collect, process and share such Personal Data and transfer (including cross-border transfer) such Personal Data to Contractor as well as transfer personal data collected by Contractor on behalf of Customer to Customer, and, at Contractor’s request, will provide supporting evidence thereof;

8.1.5. Customer has implemented and will maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing processing of such Personal Data;

8.1.6. processing of such Personal Data by Contractor will not violate the Data Subject’s rights and rights of the other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights.

8.2. Where applicable, Customer has obtained all mandatory licenses, authorizations and approvals provided by applicable law.

8.3. Disclosure Notification. Without limiting the aforesaid, Customer confirms, and at Contractor’s request will demonstrate that all data subjects whose Personal Data processed by Contractor received appropriate disclosures and notifications, as required under Data Protection Legislation. Where a third party provided the notices to the data subjects and (or) received their consent, Customer will bear sole responsibility to verify and will be able to demonstrate that the notices and (or) consents were sufficient for the purposes of use under the terms of the Agreement and this DPA and adequate pursuant to the Data Protection Legislation.

9. COOPERATION

9.1. Assistance in Compliance. Customer shall cooperate with Contractor and provide all necessary assistance to Contractor in connection with Data Protection Legislation.

9.2. Contractor shall cooperate with Contractor and provide all necessary to Contractor in connection with requests to exercise data subjects’ rights, complaints and inquiries;

9.3. Customer Notices. Unless prohibited under applicable laws, Customer will notify Contractor of:

9.3.1. Any violation by Customer, or anyone on Customer’s behalf of any provision under this DPA;

9.3.2. Any official competent supervisory proceedings regarding the processing of the Personal Data;

9.3.3. Any legal or factual circumstances preventing Customer from performing any of its representations, warranties or obligations under the terms of this DPA; and

9.3.4. Any material changes impacting the technical and organizational security measures implemented by Customer which cause such measures to fall short of Customer’s data security obligations under the Data Protection Legislation.

9.4. Inquiries, requests and complaints. Customer will provide all reasonable and timely assistance to Contractor, to enable Contractor to respond to: (i) supervising authorities’ or data subjects’ requests under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from data subjects (or on data subjects’ behalf), supervising authority and other regulators, or competent authorities in connection with the processing of the Personal Data provided under this DPA.

9.5. If any such communication is made directly to Customer, Customer will promptly inform Contractor about such communication, provide Contractor with all related details and will not respond to the communication unless specifically required by Data Protection Legislation or authorized by Contractor.

10. LIABILITY

10.1. Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Customer and Customer agrees that it will be responsible for all costs associated with its compliance with such obligations. Customer is responsible and liable for its acts and omissions under this DPA.

10.2. Customer will defend, indemnify and hold Contractor, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by Customer to comply with the requirements under this DPA.

11. SECURITY INCIDENTS

11.1. Data Processor shall inform Data Controller within 72 hours after becoming aware of any security incident that affects Personal Data, including accidental or unlawful destruction, loss, alteration, theft, unauthorised disclosure of, processing, acquisition or access to Personal Data.

11.2. Data Processor shall immediately take remediation and containment measures to prevent or limit unauthorised access, alteration, loss of confidentiality and Processing of Controller Personal Data.

12. DATA SECURITY

12.1. Taking into account the state of the art, the costs of implementing technical and organizational measures that align with the nature, scope, context and purposes of the processing of Personal Data, Data Processor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful loss, destruction, damage, theft, alternation or disclosure and to ensure a level of security appropriate to the risk. Such measures may include, but are not limited to limitation of access, access control mechanisms, data encryption, data pseudonymization, malware protection, possessing the ability to restore the availability of and access to Controller Personal Data in a timely manner after a security incident and other relevant measures.

12.2. Data Processor shall regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures.

13. PRIORITY

13.1. Effect of this DPA. In the event of a contradiction between this DPA and the provisions of Agreement, this DPA shall prevail, unless otherwise is stipulated in the DPA.

13.2. Other Data Processing Agreements. This DPA will not affect any other separate data processing agreements between Contractor and Customer in respect of any data processing arising out of the agreements other than Agreement.

14. CHANGES TO THIS DPA

14.1. Contractor may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes are followed the factual Personal Data processing activities of the parties according to the Agreement, or (c) changes do not result in a degradation of the security of Personal Data. Depending on the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency, such changes will be effective in thirty (30) days after prior notice by Contractor via e-mail or any other means including web account using by Customer according to the Agreement (or shorter period as may legally be required).

14.2. If Customer objects to any such change, it must terminate the DPA and the Agreement (unless the Agreement could be performed in the remaining part without existence of this DPA) and stop providing (or using, as applicable) the E-Service under the Agreement. Contractor shall be entitled not to notify Customer about editorial changes.

15. DISCLOSURE OF THE DPA

15.1. Customer acknowledges that Contractor may disclose this DPA and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law.

Date of publication: 27.12.2024

Previous version of the document: https://yandex.ru/legal/dpa/06092021