Data Protection Agreement

Last updated: October 20, 2023

THIS DATA PROTECTION AGREEMENT (“DPA”) is subject to and forms part of the Nium Direct Services Agreement or Nium Platform Services Agreement, as applicable, between the applicable Nium entity (“Nium”) and the applicable client entity (“Client”) party to that agreement. Nium and Client shall be collectively referred to herein as “Parties” and individually as a “Party”.

RECITALS

  1. Nium is performing certain services for Client and its end customers, as set forth in one or more Services Agreements (as defined in Clause 1), and the Parties may be obligated to comply with certain Data Protection Laws (as defined in Clause 1). 
  2. The Parties wish to, in accordance with requirements of the Data Protection Laws, set out the terms applicable to Personal Data in the Services Agreement. 

AGREEMENT

NOW, THEREFORE, in consideration of the foregoing recitals and the covenants and agreements set forth herein, the Parties hereby agree as follows:

1. DEFINITIONS 

  1. “Business Purpose” means performance of the Nium Services by Nium pursuant to any applicable Services Agreement.
  2. “Canada PIPEDA” means (i) the Personal Data Protection and Electronic Documents Act, S.C. 2000, c. 5 of Canada and (ii) any successor laws and regulations that have the same general intent and effect.
  3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
  4. “Data Incident” means any act or omission that compromises the security, confidentiality or integrity of Personal Data or the physical, technical, administrative or organisational safeguards put in place to protect it that rises to the level of a security breach or incident under the applicable Data Protection Laws.
  5. “Data Protection Laws” means all laws and regulations that are applicable to the Processing of Personal Data under this DPA, including, but not limited to, the Canada PIPEDA, the EU GDPR, the Singapore PDPA, the UK GDPR, and the US CCPA.
  6. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  7. “Data Subject Request” means a request from a Data Subject relating to Processing in connection with a Services Agreement or the Nium Services to exercise the Data Subject's right of access, right to rectification, right to restrict Processing, right of erasure (i.e. “right to be forgotten”), right to data portability, right to object to the Processing, right not to be subject to automated individual decision making, or another applicable data subject right available to such Data Subject under applicable Data Protection Laws.
  8. “EU GDPR” means (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and (ii) any successor laws and regulations that have the same general intent and effect.
  9. “EU Standard Contractual Clauses” means (i) the Standard Contractual Clauses based on the Commission Decision C(2010)593 on standard contractual clauses, as set out in the Annex to Commission Decision (EU) 2021/914, as amended and modified, and (ii) any successor standard contractual clauses that have the same general intent and effect.
  10. “Nium Services” means any services provided by Nium to the Client under the terms of any applicable Services Agreement.
  11. “Personal Data” means any information that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in a Party’s possession or control or that such Party is likely to have access to, or (b) any other information that is defined as “personal information” or “personal data” under any applicable Data Protection Laws.
  12. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other activity that the relevant Data Protection Laws may otherwise include in the definition of processing.
  13. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
  14. “Services Agreement” means a services agreement executed between the Parties, under the terms of which the Client receives Nium Services from Nium or its affiliates, including, but not limited to, the Nium Direct Services Agreement or the Nium Platform Services Agreement.
  15. “Service Provider” means a Processor Processing Personal Data for the Business Purpose and any other entity that is defined as a “service provider” or “contractor” under applicable Data Protection Laws.
  16. “Singapore PDPA” means (i) the Singapore Personal Data Protection Act of 2012 and (ii) any successor laws and regulations that have the same general intent and effect.
  17. “Standard Contractual Clauses” means (i) the EU Standard Contractual Clauses (where applicable) and (ii) the UK Standard Contractual Clauses (where applicable).
  18. “Sub-Processor” means a third-party Processor engaged by a Processor.
  19. “UK GDPR” means (i) the Data Protection Act 2018 of the United Kingdom and (ii) any successor laws and regulations that have the same general intent and effect.
  20. “UK Standard Contractual Clauses” means (i) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, provided by the United Kingdom's Information Commissioner's Office pursuant to Section 119A of the Data Protection Act 2018, as amended and modified, and (ii) any successor standard contractual clauses that have the same general intent and effect.
  21. “US CCPA” means (i) the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 and (ii) any successor laws and regulations that have the same general intent and effect.

2. PROCESSING OF PERSONAL DATA.

  (a) Roles of the Parties as Independent Controllers. The Parties understand and agree that they are acting, and shall act, independently of one another in their respective processing of such Personal Data. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a Controller and a Processor (such as EU GDPR), Nium and Client shall both be considered independent Controllers, shall individually determine the purposes and means of its Processing of such Personal Data, and shall not be “joint controllers” of such Personal Data within the meaning of Article 26(1) of the EU GDPR. The Parties understand and agree that the applicable module of the Standard Contractual Clauses has been determined pursuant to the roles of the Parties as defined in this Clause 2(a) and the roles of the Parties as importer and exporter. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a business and a Service Provider (such as Canada PIPEDA and US CCPA), neither Party shall be considered a Service Provider and each Party shall be considered the business. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between an “organisation” and a “data intermediary” (such as Singapore PDPA), Nium and Client shall both be considered independent organisations. Nothing in this DPA or in the Services Agreement shall be construed as to state or imply that (i) Nium has a direct relationship with the individual customers or users of Client, unless such direct relationship is specifically established under the terms of the Services Agreement, or (ii) that Nium is acting as a Processor under Data Protection Laws.
  The Parties agree and acknowledge that neither Party is to be classified as a “third party” as such term is defined under US CCPA. The Parties further agree and acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws applicable to the other Party.
  (b) Responsibility of the Parties. Without limiting the roles identified in Clause 2(a) above, each Party agrees to: (i) maintain a publicly-accessible privacy policy on its sites that satisfies all applicable transparency and notice requirements as required by Data Protection Laws with respect to Processing of Personal Data, (ii) delete or destroy Personal Data, in accordance with the requirements of applicable Data Protection Laws, upon the conclusion of its purpose for Processing such Personal Data, and (iii) implement appropriate technical and organisational measures to protect the Personal Data.
  (c) Treatment of Personal Data. The Parties agree to treat Personal Data as Confidential Information in accordance with the terms of each Services Agreement. Each Party acknowledges and confirms that it will, only to the extent required under Data Protection Laws: (i) comply with applicable Data Protection Laws and this DPA in connection with its Processing of Personal Data; (ii) only give lawful instructions to any Processors and/or Sub-Processors; (iii) be responsible for determining the legal basis of its own Processing activities; and (iv) provide the other Party with reasonable assistance, information and cooperation as such Party may reasonably request to ensure compliance with the Parties’ respective obligations under Data Protection Laws. Nothing in this DPA shall be construed to convey any ownership interest or licence in the Personal Data that is contrary to the ownership interests and licences set forth in the Services Agreement.
  (d) Data Subject Requests. Each Party will, to the extent legally permitted, notify the other Party within a reasonable time period if the notifying Party receives a Data Subject Request. The notifying Party will use commercially reasonable efforts to assist the other Party in responding to such Data Subject Request, to the extent the notifying Party is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. The other Party shall be responsible for any costs arising from the notifying Party’s provision of such assistance.
  (e) Data Incident. In the event that either Party suffers a Data Incident in connection with any Nium Services, such Party shall notify the other Party without undue delay and the Parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected Data Subjects, comply with each Party’s obligations under Data Protection Laws, and to mitigate or remedy the effects of such Data Incident. Client agrees that, in the event of a Data Incident that is likely to result in a “risk to the rights and freedoms of natural persons” (as defined in Recital 75 of the EU GDPR, or any successor rules or guidance), Client shall notify Nium no later than twenty (24) hours after discovery of the Data Incident.

3. COOPERATION.

Each Party shall provide reasonable assistance to the other Party and cooperation with respect to any consultation or request by any regulatory or supervisory authority who has governance over such other Party, to the extent related to the Nium Services and required under Data Protection Laws.

4. INTERNATIONAL TRANSFERS. 

If Data Protection Laws restrict cross-border Personal Data transfers between two independent Controllers, each Party will only transfer that Personal Data to the other Party under the following conditions: (a) the transferring Party, either through its location or participation in a valid cross-border transfer mechanism under Data Protection Laws, may legally receive that Personal Data, or (b) the transfer otherwise complies with Data Protection Laws. If any Personal Data transfer between the Parties, as two independent Controllers, requires execution of Standard Contractual Clauses in order to comply with Data Protection Laws, the Parties agree that the Standard Contractual Clauses, in their entirety and as applicable, are hereby incorporated into this DPA and shall govern. This DPA, including all Annexes hereto that are set forth in Appendix A, shall set forth all necessary information to properly execute the applicable Standard Contractual Clauses. Pursuant to any Personal Data transfer between Client and Nium that requires execution of Standard Contractual Clauses where this DPA fails to provide all necessary information to properly execute the applicable Standard Contractual Clauses, the Parties will take all actions required to legitimize the transfer, including, if necessary: (x) co-operating to register the Standard Contractual Clauses with any applicable supervisory authority; (y) procuring approval from any such supervisory authority; or (z) providing additional information about the transfer to such supervisory authority. As applicable, in the event of a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Clause 7 (Docking clause) of the EU Standard Contractual Clauses is hereby incorporated into this DPA.

5. SALE OF PERSONAL INFORMATION. 

To the extent the US CCPA governs Nium’s provision of the Nium Services to Client, (a) the Parties agree that neither Party shall: (i) sell Personal Data (including to the extent of the definition of “sell” as defined in the US CCPA); (ii) retain, use or disclose Personal Data for any purpose other than for the Business Purpose, in compliance with the Services Agreement, or as otherwise permitted by applicable Data Protection Laws; (iii) retain, use or disclose the Personal Data for a commercial purpose (including to the extent of the definition of “commercial purpose” as defined in the US CCPA) other than the agreed purposes set forth in the Services Agreement; and (iv) retain, use, or disclose Personal Data outside of the direct business relationship between Nium and Client, except as may otherwise be provided in this DPA or the Services Agreement; and (b) each Party hereby certifies that it understands and is willing to abide by the restrictions in this Clause 5.

6. GENERAL PROVISIONS.

  (a) Notice Requirements. Each Party agrees that it will notify the other Party if it determines that it cannot or will no longer meet the obligations set forth in this DPA or applicable Data Protection Laws with respect to the Business Purpose. All such notices shall be sent in accordance with the notice provision(s) set forth in the applicable Services Agreement.
  (b) Term. This DPA will remain in force and effect for the duration of the Services Agreement, unless otherwise agreed in writing.
  (c) Severability. If one or more provisions of this DPA are held to be unenforceable under applicable law, the Parties agree to renegotiate such provision in good faith. In the event that such provision was not required by the Data Protection Laws and the Parties cannot reach a mutually agreeable and enforceable replacement, then (a) such provision shall be excluded from this DPA, (b) the balance of this DPA shall be interpreted as if such provision were so excluded, and (c) the balance of this DPA shall be enforceable in accordance with its terms.
  (d) Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to those limitations of liability set forth in the Services Agreement and any reference in the Services Agreement limiting a Party’s liability means the aggregate liability of that Party under the Services Agreement and this DPA.
  (e) Independent Contractors. The Parties are independent contractors, and nothing contained in this DPA shall be construed to constitute the Parties as partners, joint venturers, co-owners or otherwise as participants in a joint or common undertaking.
  (f) Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws of the governing jurisdiction that is set forth in the applicable Services Agreement (the “Governing Jurisdiction”), and the parties shall submit to the exclusive jurisdiction of the courts of the Governing Jurisdiction for any dispute which may arise out of or in connection with this DPA; provided, however, that (i) any dispute arising from the EU Standard Contractual Clauses shall be governed by and construed in accordance with the laws of Malta and shall be subject to the jurisdiction of the courts of Malta and (ii) any dispute arising from the UK Standard Contractual Clauses shall be governed by and construed in accordance with the laws of England and Wales and shall be subject to the jurisdiction of the courts of England and Wales.
  (g) Remedies. Nium and Client each agree that the obligations set forth in this DPA are necessary and reasonable in order to ensure that Data Subjects continue to benefit from effective safeguards and protection as required by the Data Protection Laws. Nium and Client each expressly agree that due to the unique nature of the Personal Data covered hereunder, monetary damages would be inadequate to compensate either Party for any breach by the other Party of its covenants and agreements set forth in this DPA. Accordingly, Nium and Client each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to a Party and that, in addition to any other remedies that may be available, in law, in equity or otherwise, such Party shall be entitled to obtain injunctive relief against the threatened breach of this DPA or the continuation of any such breach by the other Party, without the necessity of proving actual damages. Except as expressly set out in this DPA, each Party’s rights and remedies under this DPA are cumulative and not exclusive of any other rights or remedies to which the Party may be lawfully entitled under this DPA or at law, and each Party may pursue all of the Party’s rights and remedies concurrently, consecutively and alternatively.
  (h) Headings. The headings and subheadings within this DPA are for convenience only and do not define, limit, or enlarge the scope or meaning of this DPA or any of its provisions.
  (i) Counterparts. This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument.
  (j) Amendment and Waiver. Nium may modify all or any part of this DPA at any time by posting a modified version of this DPA (including any terms incorporated by reference into this DPA) on the Nium Legal Page or by notifying the Client. The modified DPA is effective upon posting or, if Nium notified the Client, as stated in the notice. If the Client objects to any of the modified terms in the DPA, the Client may terminate this DPA together with the Services Agreement. By continuing to use the Services after the effective date of any modification to this DPA, the Client agrees to be bound by the modified DPA. It is the Company’s obligation to check the Nium Legal Page regularly for modifications to this DPA. Nium last modified this DPA on the date listed at the top of this DPA. Except as this DPA (including this clause) otherwise allows, this Agreement may not be modified except in writing by the parties. Without limiting the foregoing, the Parties acknowledge that the Data Protection Laws and Standard Contractual Clauses have been incorporated into this DPA as amended and modified and include all implementing regulations enacted thereunder, as applicable. The Parties acknowledge and agree that amendments and modifications to the Data Protection Laws and Standard Contractual Clauses shall be automatically incorporated into this DPA; such amendments and modifications to the Data Protection Laws and Standard Contractual Clauses may change the Parties’ obligations under this DPA, but shall not be considered an amendment or modification of this DPA necessitating notice by Nium. The Parties acknowledge and agree that the mere issuing of amendments and modifications to the Data Protection Laws and Standard Contractual Clauses shall not grant either Party the unilateral right to terminate any part of this DPA.
  (k) Entire Agreement. This DPA is the product of both of the Parties and constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all other prior agreements and understandings, both written and oral, between the Parties with respect to the subject matter hereof. In the case of conflict or ambiguity between any provision in this DPA and the Services Agreement, the provisions of this DPA will prevail.

APPENDIX A

ANNEXES I AND II TO EUROPEAN UNION STANDARD CONTRACTUAL CLAUSES

ANNEX I

A. LIST OF PARTIES

Data exporters and importers: 

NIUM
(Data Importer and Data Exporter)

Full Legal Name and Company Registration Number

The Nium entity party to the Services Agreement.

Address

Nium’s applicable address stated on https://www.nium.com

Contact details

Nium Legal Department, [email protected]

Activities relevant to data transferred under these Clauses

Services, under the terms of one or more agreements, being provided by Nium to Client. 

Role (controller/processor)

Independent controller. 

Signature and date: 

Each party shall be deemed to have signed this Annex I on the same date as the Effective Date of the applicable Services Agreement. 


CLIENT
(Data Importer and Data Exporter)

Full Legal Name and Company Registration Number

The Client entity party to the Services Agreement

Address

The address provided to Nium by the Client.

Contact details

The name, position and contact details provided to Nium by the Client.

Activities relevant to data transferred under these Clauses 

Services, under the terms of one or more executed Services Agreements, being provided by Nium to Client. 

Role (controller/processor)

Independent controller. 

Signature and date: 

Each party shall be deemed to have signed this Annex I on the same date as the Effective Date of the applicable Services Agreement. 


B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Client’s end customers, representatives, and any natural person who accesses Nium Services. 

Categories of personal data transferred

The categories of personal data required under the terms of the applicable Services Agreement, including account details, address, name, transaction details, device ID, email address, IP address/location, payment card details, tax ID/status, identity information including government issued documents (e.g., national IDs, driver’s licences and passports).

Categories of data subjects whose personal data is transferred

Client’s end users, representatives, and any natural person who accesses or uses Nium Services. 

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The categories of sensitive data transferred may include racial or ethnic origin data. The data is transferred as part of compliance with anti-money laundering laws, sanctions laws, and financial institution laws. Access is restricted and protected in accordance with applicable law.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Data will be transferred on a continuous basis for the term of any applicable Services Agreement.

Nature of the processing

Nium will process personal data as necessary to provide the Nium Services under each applicable Services Agreement.

Purpose(s) of the data transfer and further processing

The purposes of Nium’s Processing of Personal Data in its capacity as a Controller are:

(i) determining the Processing of Personal Data when providing Nium Services, including when Nium provides a payment method, and determining the third parties (banks and other service providers) to be utilized;

(ii) monitoring, preventing and detecting fraudulent transactions and other fraudulent activity in connection with Nium’s services;

(iii) complying with applicable law, including applicable anti-money laundering screening and know-your-customer obligations; and

(iv) analysing and developing Nium’s services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for as long as necessary for the purpose for which it is collected. However, Personal Data may be retained longer, as may be required by law.

For transfers to Processors and Sub-Processors, also specify subject matter, nature and duration of the processing

The Services Agreement has authorised the engagement of Sub-Processors by Nium. As applicable, any transfers to processors will be subject to the same subject matter, nature, and duration as otherwise set forth in this Annex I.


C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority in accordance with Clause 13 is (i) for purposes of the UK GDPR, the United Kingdom Information Commissioner's Office or (ii) for purposes of the EU GDPR, the Malta Information and Data Protection Commissioner.


ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING
TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The technical and organisational measures of Nium are as set forth below:

Annex II
Nium - Technical and Organisational Measures

Organisational Measures

  • Internal policies and procedures for data security for Nium’s employees. 
  • Employees are informed about the internal policies and procedures regulating Personal Data security.
  • The internal policies and procedures related to the Processing of Personal Data are periodically revised and updated.
  • The responsible employees are trained about Personal Data security and processing.

Management and Control of Access to Personal Data

  • The protection, management and control of access to Personal Data is ensured.
  • Access to Personal Data is granted only to persons who require it to perform their functions in connection with the Services.
  • The actions that can be taken while Processing Personal Data are limited by the scope of the rights granted to each person.
  • Password requirements for access to Personal Data are enforced: password confidentiality is ensured, passwords are unique, and passwords are changed periodically.
  • Where Personal Data is Processed on an internal computer network, it is protected against unauthorised connections by electronic means (e.g. a firewall).
  • Control of access to Personal Data.
  • Registration and access-right assignments are recorded and controlled.
  • The number of allowed failed login attempts is limited.
  • Logins to Personal Data are recorded: login ID, date, time, duration and connection result (successful or unsuccessful).
  • Logs for Personal Data are stored.
  • Login data and tools are assigned to each user personally; it is forbidden for other persons to use one login account.
  • When an employee of the Data Processor no longer needs access (e.g. the employment relationship is terminated or the nature of the work changes), the Data Controller is informed immediately, the access is cancelled, and any physical authentication tools that were provided are returned.

Physical Access

  • The security of premises, where Personal Data is stored, is ensured physically by limiting the access of unauthorised persons to appropriate premises.

Receiving and Providing Personal Data Over Internet

If Personal Data is received or provided over the Internet:

  • Data transmission channels are encrypted using cryptographic protocols (TLS, SSL).
  • Logging is allowed from any IP address. 
  • Users are identified by a unique name / password / certificate.

Security Measures While Receiving or Providing Personal Data by Email and External Data Networks

  • If Personal Data is received or provided via email, security controls on the Personal Data are ensured.
  • If Personal Data is received or provided over external data transmission networks, secure protocols (e.g. TLS, SSL) and/or passwords are used.

Use of Computers and Software

  • Computer hardware is protected against malicious software (e.g. by installing and keeping up to date anti-malware software and firewalls).
  • Back-up copies of Personal Data, if any, are stored in other premises or geographic location than the active (working) database.
  • Testing of information systems is not carried out with real Personal Data.
  • Security updates are installed automatically and regularly on computer systems.
  • Complex and secure passwords are used to log in to computers.
  • When a computer or data medium is reused by or transferred to other persons, it must be ensured that all information relating to Personal Data on it has been securely destroyed.

Protection of Servers and Databases

The following minimum security requirements apply to the protection of servers and databases used to access or store the Processor’s information:

  • Updated malware protection must be enabled and maintained.
  • Access (physical and logical) must be allowed only to authorised personnel.

Security of Data Networks

The use of Processor information systems and data is allowed only with the use of properly protected networks, including:

  • Direct connection of the computer to the internet is prohibited. The connection must be made through an intermediate network security device, such as a router with network address translation (NAT) or a firewall.
  • Connection from data networks whose security is unknown (e.g. public access points in cafes, hotels, etc.) is prohibited.
  • If a local wireless connection (e.g. Wi-Fi) is used to connect the computer, the security and confidentiality of the connection must be protected using secure authentication and encryption methods.
  • All devices on the network are managed so that only authorised devices can connect, and unauthorised or unmanaged devices are detected and blocked.


The technical and organisational measures of Client are as set forth below:

Annex II
Client - Technical and Organisational Measures

Organisational Measures

  • Internal policies and procedures for data security for Client’s employees. 
  • Employees are informed about the internal policies and procedures regulating Personal Data security.
  • The internal policies and procedures related to the Processing of Personal Data are periodically revised and updated.
  • The responsible employees are trained about Personal Data security and processing.

Management and Control of Access to Personal Data

  • The protection, management and control of access to Personal Data is ensured.
  • Access to Personal Data is granted only to persons who require it to perform their functions in connection with the Services.
  • The actions that can be taken while Processing Personal Data are limited by the scope of the rights granted to each person.
  • Password requirements for access to Personal Data are enforced: password confidentiality is ensured, passwords are unique, and passwords are changed periodically.
  • Where Personal Data is Processed on an internal computer network, it is protected against unauthorised connections by electronic means (e.g. a firewall).
  • Control of access to Personal Data.
  • Registration and access-right assignments are recorded and controlled.
  • The number of allowed failed login attempts is limited.
  • Logins to Personal Data are recorded: login ID, date, time, duration and connection result (successful or unsuccessful).
  • Logs for Personal Data are stored.
  • Login data and tools are assigned to each user personally; it is forbidden for other persons to use one login account.
  • When an employee of the Data Processor no longer needs access (e.g. the employment relationship is terminated or the nature of the work changes), the Data Controller is informed immediately, the access is cancelled, and any physical authentication tools that were provided are returned.

Physical Access

  • The security of premises where Personal Data is stored is ensured physically by limiting the access of unauthorised persons to those premises.

Receiving and Providing Personal Data Over Internet

If Personal Data is received or provided over the Internet:

  • Data transmission channels are encrypted using cryptographic protocols (TLS, SSL).
  • Logging in is allowed from any IP address.
  • Users are identified by a unique name / password / certificate.

Security Measures While Receiving or Providing Personal Data by Email and External Data Networks

  • If Personal Data is received or provided via email, security controls on Personal Data are ensured.
  • If Personal Data is received or provided over external data transmission networks, the use of secure protocols (e.g. TLS, SSL) and/or passwords is ensured.

Use of Computers and Software

  • Computer hardware is protected from malicious software (e.g. by installing and updating anti-malware software and firewalls).
  • Back-up copies of Personal Data, if any, are stored in other premises or geographic location than the active (working) database.
  • Testing of information systems is not carried out with real Personal Data.

  • Security updates are installed regularly and automatically on computer systems.
  • Complex and secure passwords are used to log in to the computer.
  • When a computer or data media is reused or transferred for use by other persons, it must be ensured that all information relating to Personal Data has been securely destroyed.

Protection of Servers and Databases

The following minimum-security requirements apply to the protection of servers and databases used to access or store the Processor’s information:

  • Updated malware protection must be enabled and maintained.
  • Access (physical and logical) must be allowed only to authorised personnel.

Security of Data Networks

The use of Processor information systems and data is allowed only with the use of properly protected networks, including:

  • Direct connection of the computer to the internet is prohibited. The connection must be made through an intermediate network security device, such as a router with network address translation (NAT) or a firewall.
  • Connection from data networks whose security is unknown (e.g. public access points in cafes, hotels, etc.) is prohibited.
  • If a local wireless connection (e.g. Wi-Fi) is used to connect the computer, the security and confidentiality of the connection must be ensured using secure authentication and encryption methods.
  • All devices on the network are managed so that only authorised devices are granted access, and unauthorised or unmanaged devices are detected and blocked.
