NAYAX DATA PROTECTION ADDENDUM
This Privacy and Data Protection Addendum (“DPA”), as well as the provisions of the agreement between Nayax and Customer, govern the transfer and Processing of Personal Data. Any capitalized terms not defined herein shall have the meaning ascribed to such terms in the agreement between the parties.
For more information on how we take precautions to ensure the protection of our Users’ personal data and to comply with applicable privacy and data protection legislation, please refer to our Privacy Policy.
- DEFINITIONS
- The terms “Personal Data”, “Processor”, “Controller”, “Processing”, and “Special Categories of Personal Data” shall have the meaning ascribed to such terms in the GDPR.
- “Customer Account” shall have the meaning ascribed to such term in Section 3.
- “Customer’s End-Users” means Customer’s end-users and consumers.
- “Data Subject” means a natural person regarding whom Personal Data is Processed.
- “GDPR” means Regulation (EU) 2016/679.
- “Payment Services” means the provision of the NAYAX Unit and/or services associated with vending machines’ operation, and/or cashless payment services, including services provided by NAYAX via its designated system.
- “Platform” shall have the meaning ascribed to such term in Section 3.
- “User” means an individual who is authorized by Customer to use the Payment Services, to whom Customer has provided a sub-account, and/or to whom Customer has provided user credentials - identification and password enabling access to the Customer Account. Users may include, for example, employees, consultants, contractors and agents of Customer.
- DATA PROCESSING
- NAYAX will Process Personal Data on behalf of Customer as specified in Appendix A attached hereto.
- NAYAX will Process Personal Data on behalf of Customer for the following purposes:
- To provide the Payment Services to Customer and Customer’s End-Users, including support and maintenance services.
- To contact Customer in connection with the Payment Services, notifications, programs or offerings.
- To comply with applicable law, including Anti-Money Laundering regulations. For this purpose, NAYAX may Process Personal Data regarding Customer and its shareholders with respect to KYC checks that NAYAX is obligated to perform in connection with the Payment Services.
- To send Customer updates, promotional materials and newsletters that Customer has registered for; Customer may choose to opt out and not receive these communications by clicking on the unsubscribe link.
- To identify and authenticate Customer's and Users' access to the Services that the Customer or the Users are authorized to access.
- To provide Customer’s End-Users support in connection with the Payment Services.
- To protect the security or integrity of NAYAX' databases or the Payment Services, to take precautions against legal liability, and to analyze and improve the Payment Services.
- As otherwise required and appropriate for the fulfilment of the agreement and exercising NAYAX' rights and obligations thereunder, provided such Processing is permitted under applicable laws.
- CUSTOMER ACCOUNT MANAGEMENT
- In order to use the Payment Services, including the DCS (“Platform”), a designated Customer account will be created by Nayax for the use of the Customer and its Users (the “Customer Account”). Customer will be required to select a username and password and use a two-factor authentication application in order to use the Platform. Customer may create sub-accounts and grant access authorizations to the Customer Account solely to its authorized Users. Each of the Users will be required to select a username and password in order to access and use their sub-account in the Customer Account. Customer is solely responsible for setting up applicable permissions and sub-accounts on the Platform for each of its authorized Users.
- Customer acknowledges that under applicable laws access authorizations to systems containing Personal Data, including the Platform, should only be granted on a need-to-know basis, and may require ongoing monitoring of access authorizations and their use by authorized Users only. Such monitoring may be associated with removal of Users no longer having a "need to know" in connection with the Platform, such as former employees of Customer. Customer undertakes to comply with applicable laws in this context.
- In order to create and use the User Account, Customer and any Users on its behalf must be at least 18 years old, and will be required to provide certain Personal Data, such as their name and contact information. All such information provided must be truthful, accurate and up-to-date. Customer undertakes that it and its Users will not, and will not enable others to, use any access authorizations in deviation from the specific authorization granted or by anyone who is not the authorized User, and will not share their authorizations with any other person or third party. If Customer’s or its Users’ information provided during registration to the Platform changes at any time, Customer undertakes that it will be responsible to update such information on the Customer Account or otherwise if instructed to do so by NAYAX.
- Customer hereby represents and warrants that it: (i) is solely responsible for Users’ compliance with this DPA, any applicable agreement with NAYAX, the Terms and Conditions, and any applicable laws and regulations; (ii) is solely responsible for the accuracy, quality and legality of any information provided by it or its Users and the Customer’s and Users’ use of the Payment Services and the Platform; (iii) will use appropriate efforts to prevent and detect unauthorized access to or use of the Payment Services and the Platform and notify Nayax of any such unauthorized access or use immediately upon discovery; and (iv) will use the Payment Services and the Platform only in accordance with this DPA, the Terms and Conditions and applicable laws.
- For the avoidance of doubt, Nayax does not and cannot control or monitor the management of the Customer Account and use of the Platform by Customer and its Users, and Customer is solely and fully responsible for such management and use.
- In the event Customer or its Users violate any of the terms of this DPA, NAYAX may suspend or terminate the Customer Account or suspend or terminate Customer or its Users' access to the Platform.
- REPRESENTATIONS AND UNDERTAKINGS OF THE PARTIES
- Customer shall be regarded as the Controller of Personal Data, and NAYAX shall be regarded as the Processor of Personal Data.
- The Parties shall each implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks to Personal Data.
- NAYAX represents and warrants that NAYAX' employees, authorized by NAYAX to Process Personal Data on behalf of Customer, are committed to customary confidentiality undertakings, or are otherwise under appropriate statutory obligations of confidentiality.
- NAYAX shall only Process Personal Data on behalf of Customer and pursuant to the instructions as set forth herein and pursuant to the agreement.
- Customer undertakes that Customer shall Process Personal Data only as lawful and compliant with applicable law.
- Customer acknowledges that NAYAX may not have any direct interaction with Customer's End-Users, and therefore, Customer agrees that it is solely responsible to inform Customer's End-Users of the Processing of their Personal Data, including by NAYAX. Customer further represents that Customer has all required authorizations to disclose Personal Data to NAYAX.
- Customer shall not disclose to NAYAX any Data included in Special Categories of Personal Data.
- NAYAX will delete or return to the Customer Personal Data after termination or expiration of the Agreement, unless permitted to retain it under applicable law.
- INSTRUCTIONS
- Customer hereby instructs NAYAX to Process, on behalf of Customer, Personal Data, in connection with the Payment Services to Customer, for the purposes and in accordance with the terms specified herein and in the agreement.
- Notwithstanding the above, NAYAX will not be obligated to perform any instruction which in NAYAX' determination, is in violation of applicable law.
- AUDITS
Upon Customer's reasonable request, NAYAX will provide Customer with relevant documentation or records (which may be redacted to remove confidential commercial information) which will enable it to verify NAYAX' compliance with its data protection and security obligations under the terms of the GDPR, not less than thirty (30) days of receipt of such request in writing.
- DATA SUBJECTS' RIGHTS
- Customer shall have sole liability to comply with obligations in connection with the rights and freedoms of Data Subjects pursuant to applicable laws.
- NAYAX shall make reasonable commercial efforts to assist the Customer in the fulfilment of the Customer's obligations to respond to requests for exercising the Data Subjects' rights.
- DATA REGARDING CUSTOMER AND NON-PERSONAL DATA
- Customer is not required by any law to provide NAYAX with any Personal Data regarding Customer or the Data Subjects, including Users and Customer’s End-Users. Please note that if Customer chooses not to provide such Personal Data, NAYAX may not be able to provide Customer, Users or Customer’s End-Users with some or all of the Services.
- Customer is entitled to review its Personal Data and may exercise such right by sending us a request to: support@nayax.com.
- In the event any Personal Data is incorrect or outdated, Customer may update and correct such data by providing us with the appropriate information.
- Customer may also be entitled to request the erasure or the restriction of Personal Data processed by NAYAX with respect to the Payment Services, and NAYAX will comply with such requests, to the extent required under applicable law.
- To the extent processing of Personal Data is conducted on the basis of Customer's consent, Customer may rescind such consent, by sending NAYAX an email to: support@nayax.com.
- To the extent applicable to Customer and the Payment Services, Customer may request the portability of its Personal Data.
- NAYAX retains Personal Data for the duration necessary in order to: (i) fulfil the purposes of Processing described herein, and (ii) defend or assert legal claims and liability, or as otherwise permitted under applicable law.
- SUBPROCESSING
- Customer hereby grants NAYAX express authorization to engage with Sub-Processors for the provision of the Payment Services, as determined by NAYAX in NAYAX' reasonable determination.
- NAYAX may share Personal Data with its subsidiaries, suppliers, Sub-Processors and/or their agents and/or contractors, and other non-affiliated entities that assist NAYAX in providing the Payment Services, including the following third parties who provide clearing services:
- Please note that the above list is not a final list, and may be subject to changes in our engagements with the acquirers.
- INTERNATIONAL TRANSFERS OF DATA
- Customer acknowledges that NAYAX is an international corporation, and that Personal Data may be transferred to a country other than the country where Data Subjects are located in connection with the provision of Payment Services to Customer and Customer's Users.
- In the event NAYAX transfers Personal Data across international borders, NAYAX will use appropriate safeguards to ensure a level of security appropriate to the risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transferred.
- Customer shall have sole responsibility to obtain and document all necessary consents from Data Subjects to the transfer of Personal Data if required under applicable law.
- NOTIFICATIONS
- NAYAX shall notify Customer in writing upon an event of data breach that affected Customer's Personal Data, and/or as otherwise required under applicable law.
- NAYAX may disclose Data to law enforcement, regulatory or other government agencies, or third parties, if NAYAX reasonably believes that such disclosure is necessary to comply with a judicial proceeding, court order, or a legal process.
- LIABILITY AND INDEMNIFICATION
Customer will indemnify, and hold harmless NAYAX, and its officers, directors, employees, successors, and agents, from all damages and liabilities (including, without limitation, reasonable attorneys' fees and legal expenses), resulting from any claim by a third party (including supervisory authorities) that arises out of a violation of the Customer's representations and/or obligations under this DPA or applicable laws.
- TERM
The term of this DPA shall continue until termination or expiration of the engagement between NAYAX and Customer.
- GENERAL TERMS
- Some of the above Sections shall be in force only in the event the GDPR applies to the Processing of Personal Data pursuant to this DPA.
- In the event of inconsistencies between the provisions of this DPA and the agreement, the provisions of this DPA shall prevail.
- NAYAX may amend this DPA from time to time, and make the amended DPA available to Customer.
- In the event this Agreement is translated to languages other than English, in case of any discrepancies between the English version of this Agreement and translated versions, the version in English shall prevail.
APPENDIX A: DETAILS OF PROCESSING OF PERSONAL DATA
This Appendix A includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
- Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in Section 2 of this DPA.
- The nature and purpose of the Processing of Personal Data
NAYAX is engaged to provide Customer with services which involve the processing of Personal Data. The scope of the Services is set out in the agreement between the Customer and NAYAX, and the Personal Data will be processed by NAYAX to deliver those Services to Customer and to comply with the terms of the agreement between Customer and NAYAX and this DPA.
- The types of Personal Data to be processed
- Customer's contact person full name and contact details;
- The following information will be collected in connection with KYC and AML checks regarding Customer, if he/she is an individual, or regarding Customer’s shareholders, if it is a legal entity: personal identification number, date of birth, residence country, citizenship country, confirmation if one is a politically engaged person, email address, phone and mobile number, snapshot of his/her face, 5-second video of his/her face, copy of identification document;
- Customer's and/or Customer’s Users’ IP addresses and device identifiers.
- Customer's Users’ contact information, such as name, email, phone number, etc.
- The categories of Data Subject to whom the Personal Data relates
- Customer (to the extent the Customer is an individual)
- Customer’s shareholders;
- Customer's Users;
- Customer’s End-Users
- The obligations and rights of Customer
The obligations and rights of Customer are set out in the agreement between NAYAX and Customer and this DPA.
- The processing operations carried out in relation to the Personal Data
Collection, recording, hosting, organizing, adapting, analyzing, retrieving, sharing with Sub-Processors, structuring, storing, deleting, in each case for the purposes of providing the Payment Services to Customer, the scope of which are set out in the agreement between NAYAX and Customer and this DPA.