Data processing agreement
May 24, 2023
Appendix No 3 under license agreement (the ”Agreement”) that is concluded between SIA ATOM Tech, registration number: 40203185808 (the ”Licensor”) and the ”Licensee”.
This Data Processing Agreement is concluded by and between SIA ATOM Tech, registration number: 40203185808, address: Aldaru iela 10-4, LV-1050, Riga, Latvia (the ”Licensor”) and User of the services of the Licensor (the “Licensee”) who has agreed to be bound by this Data Processing Agreement (“Data Processing Agreement”).
1.1. “Agreement” means the contractual relationship of the Licensor and Licensee governed by the agreement to which this Data Processing Agreement is annexed;
1.2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
1.3. “License subject” package of software developed and maintained by the Licensor and which is being licensed to the Licensee under the Agreement;
1.4. “Services” means services provided under the agreement concluded between Licensor and Licensee which are regulated by this Data Processing Ageement;
1.5. Other terms used in this Appendix shall have the same meaning as in the GDPR, including, such terms as “Data Controller”, “Data Processor”, “Personal data” and “Data subject”, “Processing” and other terms where the context requires so.
2. Scope and roles
2.1. Within the scope of Services provided under the Agreement, including licensing of the License subject, the Licensor will obtain access to the personal data of users of the License subject. Licensor is obliged to Process Personal data only as required for the fulfilment of the Agreement with the ultimate purpose of supporting the vehicle-sharing, digital rental and ride-hailing business of the Licensee through the use of the License subject.
2.2. For the purposes of this Agreement, the Licensor shall be deemed the Data Processor, whereas the Licensee shall be the Data Controller.
2.3. The Licensee, as the Data Controller, retains the sole responsibility and liability over the personal data processed using the License subject. As a Data Controller, the Licensee determines what Personal Data to gather about its clients, how it is used, and for what purposes.
2.4. Licensee as Data Controller is responsible for notifying respective Data subjects of the data processing as required under the applicable normative acts, including GDPR articles 13 and 14. Licensee may use the License subject to deliver respective privacy notices to clients using its service via the License subject.
3. Personal data
3.1. Personal data Processed is that of users of the License subject mobile app and include the following types of Personal data: personal identification data including name, surname, communications data (e.g., telephone, email address), ride history, the device used by users, language, and paid-up balance for rides. Other Personal data can be processed at the request of the Licensee.
3.2. Licensee has access to all Personal data generated and processed by the Licensor.
4. Personal data processing
4.1. Licensor may Process Personal data:
4.1.1. To maintain the functioning of the License subject that enables users to rent vehicles and request rides using mobile app;
4.1.2. Allow Licensee to monitor rides and ride history, manage clients, and obtain statistics;
4.1.3. Organize vehicle collection and servicing;
4.1.4. Monitor incoming payments, and detect debtors;
4.1.5. Identify and investigate any incidents, and improve functioning of the License subject.
4.2. Data Processed for the performance of the Agreement may be used by Licensor to calculate fees chargeable under the Agreement.
4.3. Taking into account the costs of implementation and the nature, scope, context and purposes of Personal Data Processing as well as the risk of varying likelihood and severity, the Licensor shall implement technical and organisational measures for the protection of Personal data, that include:
4.3.1. Physical security: Licensor protects Personal data against harm arising from access to Licensor’s facilities, hardware or network by protecting facilities from unauthorised access, restricting access to such facilities for authorised staff only;
4.3.2. Access: Licensor ensures that only authorised staff may have access to Personal data Processed under the Agreement and only to an extent required for the fulfilment of tasks under the Agreement;
4.3.3. Encryption: Licensor enables security measures provided by Amazon Web Services for the protection of Personal data, including, encryption of Personal data stored on Amazon Web Services;
4.3.4. Handling traffic: to ensure data and service availability, the load balancer is used to balance varying loads of incoming traffic.
4.4. Technical and organisational measures are subject to technical progress and further developments. In that regard, the Licensor is permitted to implement adequate alternative measures. The security level of the specified measures must be adequate.
4.5. The Licensor may not rectify, erase or restrict the Processing of the personal data that is Processed on behalf of the Licensee on its own authority, but only in accordance with documented instruction from Licensee. If a person concerned contacts the Licensor directly, the Licensor shall immediately forward this request to the Licensee.
4.6. Insofar as the scope of the Agreement includes, the deletion concept, the right to be forgotten, correction, data portability, and information shall be ensured directly by the Licensee, whereas Licensor may provide its assistance where necessary for execution of such request.
4.7. Licensor shall maintain the confidentiality of the Personal data. In carrying out work, the Licensor shall exclusively use employees who are bound to confidentiality, and have previously been familiarised with the relevant data protection provisions. The Licensor and any person under his/her control who has access to personal data may Process such data exclusively in accordance with the instructions of the Licensee, including the powers granted in this Agreement unless they are legally obliged to process it.
4.8. On request, the Licensee and the Licensor shall cooperate with the supervisory authority in the performance of their duties and shall inform each other thereof without delay about any requests or notifications concerning the License subject. This also applies to investigations within the scope of administrative offences as well as to liability claims of affected persons or third parties or other claims in connection with the License subject.
4.9. The Licensor shall regularly monitor internal processes and technical and organisational measures to ensure that Processing within its area of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.
4.10. Sub-contracting relationships within the meaning of this provision shall be understood to mean those services that relate directly to the provision of the Service and delivery of the License subject. The Licensor may sub-contract some Personal Data Processing to other sub-contractors. Data Controller hereby authorises the Licensor to use any sub-contractors at the discretion of the Licensor as far as necessary for the performance of the Agreement. Such sub-contractors may include sub-contractors out of EU/EEA, including, but not limited to, Amazon Web Services. Licensor will inform Licensee of any intended changes concerning the addition or replacement of other sub-contractors.
5. Rights and obligations
5.1. The Licensor shall support the Licensee in complying with the obligations specified in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data leaks, data protection impact assessments and prior consultations. These include, but are not limited to:
5.1.1. The obligation to report violations of personal data to the Licensee without delay;
5.1.2. The obligation to support the Licensee in the context of its duty to inform the Data subject and to make all relevant information available to him in this connection without delay;
5.1.3. The support of the Licensee in its data protection impact assessment;
5.1.4. Supporting the Licensee in prior consultations with the supervisory authority.
5.2. The Licensor is entitled to remuneration for support services not included in the Service specifications.
5.3. Licensee has the authority to issue instructions concerning Personal Data Processing.
6. Deletion and return of personal data
6.1. Copies or duplicates of Personal data may not be created without the Licensee's knowledge. This excludes backups as well as data that are required to comply with legal retention requirements.
6.2. During the validity of the Agreement as well as upon termination of the Agreement, the Licensee may copy or otherwise extract Personal data stored in the License subject and corresponding software. Upon the termination of the Agreement, the Licensee may require Licensor to delete Personal data stored or otherwise Processed using the License subject.
6.3. Documentation that serves as proof of order-compliant and proper Personal Data Processing may be kept by the Licensor in accordance with the respective retention periods beyond the term of the Agreement. However, for his own relief, the Licensor may also return them to the Licensee at the end of the Agreement.
6.4. Upon the request of the Licensee, the Licensor makes available to the Licensee all information necessary to demonstrate compliance with the obligations laid down in this Appendix and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
7. Changes to the Data Processing Agreement
7.1. This Data Processing Agreement may be subject to changes from time to time. Licensor shall inform Licensee of any material changes to this Data Processing Agreement prior to the changes taking place.