Meet Nium at Sibos 2025! • Book a meeting →

Nium logo
Nium logo

Legal

Table of Contents

Terms of Use

Direct Services Agreement

Platform Services Agreement

End Customer Terms

Financial Partner Terms

Direct Debit Terms

Verify Terms of Service

Privacy

Customer Protection Principles

Licenses and Registrations

Prohibited and Restricted Businesses

Cookie Declaration Table

Data Protection Agreement

Last updated: March 13, 2025

THIS DATA PROTECTION AGREEMENT (“DPA”) is subject to and forms part of the Services Agreement and/or Outsourcing Agreement (as applicable) entered into between the applicable Nium entity (“Nium”) and the applicable client entity (“Client”) that is a party to that agreement. Nium and Client shall be collectively referred to herein as “Parties” and individually as a “Party”.

1. DEFINITIONS 

  1. "Business” means the term as defined under the US CCPA.
  2. Business Purpose” means performance of the Nium Services by Nium pursuant to any applicable Services Agreement or performance of the Client Services by the Client pursuant to any applicable Outsourcing Agreement.
  3. “Client Services” means any services provided by Client to Nium under the terms of any applicable Outsourcing Agreement.
  4. Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
  5. "Data Complaint” means a complaint or request relating to either Party’s obligations under the Data Protection Laws relevant to this DPA, including any complaint by a Data Subject or any notice, investigation, or other action by a supervisory authority.
  6. Data Incident” means any act or omission that compromises the security, confidentiality or integrity of Personal Data or the physical, technical, administrative or organisational safeguards put in place to protect it that rises to the level of a security breach or incident under the applicable Data Protection Laws. Data Incidents include accidental or unlawful acquisition, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  7. Data Protection Laws means all applicable laws, regulations, and other legally-binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data under this DPA, including without limitation, solely to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“EU GDPR”); the United Kingdom Data Protection Act of 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the Personal Data Protection and Electronic Documents Act, S.C. 2000, c. 5 of Canada along with any successor laws and regulations that have the same general intent and effect (Canada PIPEDA), the Singapore Personal Data Protection Act of 2012 (“Singapore PDPA”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (as amended and together with its regulations, the “US CCPA”), and Indonesian Law Number 27 of 2022 on Personal Data Protection along with any successor and implementing laws and regulations that have the same general intent and effect. For the avoidance of doubt, if a Party’s activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
  8. Data Subject means the identified or identifiable person to whom Personal Data relates.
  9. Data Subject Request” means a request from a Data Subject relating to Processing of Personal Data in connection with a Services Agreement or the Nium Services to exercise the Data Subject's right of access, right to rectification, right to restrict Processing, right of erasure (i.e. “right to be forgotten”), right to data portability, right to object to the Processing, right not to be subject to automated individual decision making, or another applicable data subject right available to such Data Subject under applicable Data Protection Laws.
  10. GDPR” means the EU GDPR or the UK GDPR (as applicable).
  11. EU Standard Contractual Clauses” means (i) the Standard Contractual Clauses based on the Commission Decision C(2010)593 on standard contractual clauses, as set out in the Annex to Commission Decision (EU) 2021/914, on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein, as amended and modified, and (ii) any successor standard contractual clauses that have the same general intent and effect.
  12. "Outsourcing Agreement” means the outsourcing agreement entered into between the Parties, under the term of which Nium receives certain outsourced services from Client.
  13. Nium Services” means any services provided by Nium to the Client under the terms of the applicable Services Agreement.
  14. Personal Data” means any information that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in a Party’s possession or control or that such Party is likely to have access to, or (b) any other information that is defined as “personal information” or “personal data” under any applicable Data Protection Laws, which is Processed by a Party in connection with the Services Agreement or Outsourcing Agreement (as applicable) and this DPA.
  15. Process” or “Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction, or any other activity that the relevant Data Protection Laws may otherwise include in the definition of processing.
  16. Processor means the entity which Processes Personal Data on behalf of the Controller.
  17. Services Agreement” means a services agreement executed between the Parties, under the terms of which the Client receives Nium Services from Nium or its affiliates, including, but not limited to, the Nium Direct Services Agreement or the Nium Platform Services Agreement. 
  18. Service Provider” means a Processor Processing Personal Data for the Business Purpose and any other entity that is defined as a “service provider” or “contractor” under applicable Data Protection Laws.
  19. Standard Contractual Clauses” means (i) the EU Standard Contractual Clauses (where applicable) and (ii) the UK Standard Contractual Clauses (where applicable).
  20. Sub-Processor” means a third-party Processor engaged by a Processor.
  21. UK Standard Contractual Clauses” means (i) the UK Addendum to the European Union Standard Contractual Clauses, provided by the United Kingdom's Information Commissioner's Office, as amended and modified, and (ii) any successor standard contractual clauses that have the same general intent and effect. 

2. PROCESSING OF PERSONAL DATA

a. Independent Controller Terms under a Service Agreement. Where the Parties Process Personal Data under or otherwise in connection with a Service Agreement, the Parties understand and agree that they are acting, and shall act, independently of one another in their respective Processing of such Personal Data and that the following terms and the applicable parts of Appendix A as referenced shall apply with respect to the Processing of Personal Data under the Service Agreement:

  1. Roles of the Parties as Independent Controllers. Roles of the Parties as Independent Controllers. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a Controller and a Processor (such as the GDPR), Nium and Client shall both be considered independent Controllers, shall individually determine the purposes and means of their Processing of such Personal Data, and shall not be “joint controllers” of such Personal Data within the meaning of Article 26 (1) of the GDPR. The Parties understand and agree that the applicable module of the Standard Contractual Clauses has been determined pursuant to the roles of the Parties as defined in this Section 2(a) and the roles of the Parties as importer and exporter. The Parties agree that in regard to the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a Business and a Service Provider (such US CCPA), neither Party shall be considered a Service Provider, and each Party shall be considered the Business. The Parties agree that in respect of the Processing of Personal Data under Data Protection Laws that define the Parties’ relationship as one between a “organisation” and a “data intermediary” (such as the Singapore PDPA), Nium and Client shall both be considered independent organisations. Nothing in this DPA or in the Services Agreement or Outsourcing Agreement (as applicable) shall be construed as to state or imply that (A) Nium has a direct relationship with the individual customers or users of Client, unless such direct relationship is specifically established under the terms of the Services Agreement or Outsourcing Agreement (as applicable), or (B) that Nium is acting as a Processor under Data Protection Laws. The Parties further agree and acknowledge that neither Party is responsible for determining the requirements of Data Protection Laws applicable to the other Party.
  2. Responsibility of the Parties. Without limiting the roles identified in Section 2(a)(i) above, each Party agrees to: (A) maintain a publicly-accessible privacy policy on its website that satisfies all applicable transparency and notice requirements as required by Data Protection Laws with respect to Processing of Personal Data, (B) delete or destroy Personal Data, in accordance with the requirements of applicable Data Protection Laws, upon the conclusion of its purpose for Processing such Personal Data unless applicable law requires a longer retention period, and (C) implement appropriate technical and organisational measures to protect the Personal Data.
  3. Treatment of Personal Data. The parties agree to treat Personal Data as Confidential Information in accordance with the terms of each Services Agreement or Outsourcing Agreement (as applicable). Each Party acknowledges and confirms that it will, only to the extent required under Data Protection Laws: (A) comply with applicable Data Protection Laws and this DPA in connection with its Processing of Personal Data; (B) only give lawful instructions to any Processors and/or Service Providers; (C) be responsible for determining the legal basis of its own Processing activities; (D) not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without the other Party’s express written permission; and (E) provide the other Party with reasonable assistance, information and cooperation as such Party may reasonably request to ensure compliance with the Parties' respective obligations under Data Protection Laws. Nothing in this DPA shall be construed to convey any ownership interest or license in the Personal Data that is contrary to the ownership interests and licenses set forth in Services Agreement or Outsourcing Agreement.
  4. Data Subject Requests. Each Party will, to the extent legally permitted, notify the other Party within a reasonable time period if the notifying Party receives a Data Subject Request. The notifying Party will use commercially reasonable efforts to assist the other Party in responding to such Data Subject Request, to the extent the notifying Party is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. The other Party shall be responsible for any costs arising from the notifying Party’s provision of such assistance.
  5. Data Incident. In the event that either Party suffers a Data Incident in connection with any Nium Services, such Party shall notify the other Party without undue delay and the Parties shall reasonably cooperate with each other in taking such measures as may be necessary to notify affected Data Subjects, comply with each Party's obligations under Data Protection Laws, and to mitigate or remedy the effects of such Data Subjects, comply with each Party's obligations under Data Protection Laws, and to mitigate or remedy the effects of such Data Incident.

b. Processor Terms under an Outsourcing Agreement. Where the Client Processes Nium Personal Data under or otherwise in connection with an Outsourcing Agreement, the applicable parts of Appendix A as referenced, and the entirety of Appendix B applies.

3. COOPERATION

Each Party shall provide reasonable assistance to the other Party and cooperation with respect to any consultation or request by any regulatory or supervisory authority who has governance over such other Party related to the Processing of Personal Data, to the extent related to the Nium Services and required under Data Protection Laws.

4. INTERNATIONAL TRANSFERS

If Data Protection Laws restrict cross-border Personal Data transfers between two independent Controllers, each Party will only transfer Personal Data to the other Party under the following conditions: (a) the transferring Party, either through its location or participation in a valid cross-border transfer mechanism under Data Protection Laws, may legally receive that Personal Data, or (b) the transfer otherwise complies with Data Protection Laws. If any Personal Data transfer between the Parties, as two independent Controllers, requires execution of Standard Contractual Clauses in order to comply with Data Protection Laws, the Parties agree that the Standard Contractual Clauses, in their entirety and as applicable, are hereby incorporated into this DPA and shall govern. Pursuant to any Personal Data transfer between Client and Nium that requires execution of Standard Contractual Clauses where this DPA fails to provide all necessary information to properly execute the applicable Standard Contractual Clauses, the Parties will take all actions required to legitimize the transfer, including, if necessary: (x) co-operating to register the Standard Contractual Clauses with any applicable supervisory authority; (y) procuring approval from any such supervisory authority; or (z) providing additional information about the transfer to such supervisory authority. As applicable, in the event of a conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. 

For transfers of Personal Data that are subject to the FADP, the EU Standard Contractual Clauses form part of this DPA as set forth above, but with the following differences to the extent required by the FADP: (1) references to the EU GDPR in the EU Standard Contractual Clauses are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the EU GDPR; (2) the term “member state” in EU Standard Contractual Clauses shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses; and (3) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the EU GDPR), or both such Commissioner and the supervisory authority identified in the EU Standard Contractual Clauses (where the FADP and EU GDPR apply, respectively).

5. US CCPA

If a party discloses Personal Data ("Disclosing Party") to the other party ("Receiving Party"), the Parties agree that such disclosure shall not be considered a “Sale” or “Sharing” for purposes of “Cross-Context Behavioral Advertising” (as such terms in quotes are defined in the US CCPA), and that such disclosure will be solely for the parties' legitimate business purposes as detailed in the Services Agreement or Outsourcing Agreement (as applicable), and for purposes permitted by the US CPPA along with its legally binding amendments and regulations.  The Receiving Party represents and warrants that it will not retain, use, disclose, or process Personal Data obtained pursuant to the Agreement for any purpose other than for the specific purposes set forth herein, unless the Receiving Party has received appropriate consent under Data Protection Law from the individual about whom the Personal Data relates.  The Receiving Party represents and warrants that it will comply with all requirements of Data Protection Law, including but not limited to by:

  • providing the same level of privacy protection to Personal Data as required of the Disclosing Party under Data Protection Law, and in no event less than a reasonable standard of care;
  • providing any required disclosures, such as privacy policies, notices at collection, or opt out notices to individuals whose Personal Data it processes; and comply with any required opt out rights; and
  • implementing appropriate technical and organizational measures to ensure a level of security for the Personal Data appropriate to the risk. 
  • Not “Selling” or “Sharing” for purposes of Cross-Context Behavioral Advertising Personal Data (as such terms are defined in the US CCPA).

The Disclosing Party has the right to take reasonable and appropriate steps to ensure that the Receiving Party uses Personal Data provided by the Disclosing Party under the Agreement consistent with Data Protection Law, and, upon reasonable advance notice, to take reasonable steps to stop and remediate any use of Personal Data by the Receiving Party that is inconsistent with applicable Data Protection Laws or this provision.

6. GENERAL PROVISIONS

  1. Notice Requirements. Each Party agrees that it will notify the other Party if it determines that it cannot or will no longer meet the obligations set forth in this DPA or applicable Data Protection Laws with respect to the Business Purpose. All such notices shall be sent in accordance with the notice provision(s) set forth in the applicable Services Agreement or Outsourcing Agreement (as applicable).
  2. Term. This DPA will remain in force and effect for the duration of (i) the Services Agreement or (ii) the Outsourcing Agreement, unless otherwise agreed in writing between the Parties.
  3. Severability. If one or more provisions of this DPA are held to be unenforceable under applicable law, the Parties agree to renegotiate such provision in good faith. In the event that such provision was not required by the Data Protection Laws and the Parties cannot reach a mutually agreeable and enforceable replacement, then (a) such provision shall be excluded from this DPA, (b) the balance of this DPA shall be interpreted as if such provision were so excluded, and (c) the balance of this DPA shall be enforceable in accordance with its terms.
  4. Limitation of Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability set forth in the applicable Services Agreement or Outsourcing Agreement and any reference in the Services Agreement or Outsourcing Agreement limiting a Party’s liability means the aggregate liability of that Party under the such agreement and this DPA.
  5. Governing Law and Jurisdiction.  This DPA shall be governed by and construed in accordance with the laws of the governing jurisdiction that is set forth in the applicable Services Agreement or Outsourcing Agreement (the “Governing Jurisdiction”), and the parties shall submit to the exclusive jurisdiction of the courts of the Governing Jurisdiction for any dispute which may arise out of or in connection with this DPA; provided, however, that (i) any dispute arising from the EU Standard Contractual Clauses shall be governed by and construed in accordance with the laws of Malta or Switzerland (as provided in Section 4 above in accordance with the FADP) and shall be subject to the jurisdiction of the courts of Malta and (ii) any dispute arising from the UK Standard Contractual Clauses shall be governed by and construed in accordance with the laws of England and Wales and shall be subject to the jurisdiction of the courts of England and Wales.
  6. Remedies. Nium and Client each agree that the obligations set forth in this DPA are necessary and reasonable in order to ensure that Data Subjects continue to benefit from effective safeguards and protection as required by the Data Protection Laws. Nium and Client each expressly agree that due to the unique nature of the Personal Data covered hereunder, monetary damages would be inadequate to compensate either Party for any breach by the other Party of its covenants and agreements set forth in this DPA. Accordingly, Nium and Client each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to a Party and that, in addition to any other remedies that may be available, in law, in equity or otherwise, such Party shall be entitled to obtain injunctive relief against the threatened breach of this DPA or the continuation of any such breach by the other Party, without the necessity of proving actual damages. Except as expressly set out in this DPA, each Party’s rights and remedies under this DPA are cumulative and not exclusive of any other rights or remedies to which the Party may be lawfully entitled under this DPA or at law, and each Party may pursue all of the Party’s rights and remedies concurrently, consecutively and alternatively.
  7. Headings. The headings and subheadings within this DPA are for convenience only and do not define, limit, or enlarge the scope or meaning of this DPA or any of its provisions.
  8. Amendment and Waiver. Nium may modify all or any part of this DPA at any time by posting a modified version of this DPA (including any terms incorporated by reference into this DPA) on the Nium Legal Page or by notifying the Client. The modified DPA is effective upon posting or, if Nium notified the Client, as stated in the notice. If the Client objects to any of the modified terms in the DPA, the Client may terminate this DPA together with the Services Agreement.  By continuing to use the Services after the effective date of any modification to this DPA, the Client agrees to be bound by the modified DPA. It is the Company’s obligation to check the Nium Legal Page regularly for modifications to this DPA. Nium last modified this DPA on the date listed at the top of this DPA. Except as this DPA (including this clause) otherwise allows, this Agreement may not be modified except in writing by the parties. Without limiting the foregoing, the Parties acknowledge that the Data Protection Laws and Standard Contractual Clauses have been incorporated into this DPA as amended and modified and include all implementing regulations enacted thereunder, as applicable. The Parties acknowledge and agree that amendments and modifications to the Data Protection Laws and Standard Contractual Clauses shall be automatically incorporated into this DPA; such amendments and modifications to the Data Protection Laws and Standard Contractual Clauses may change the Parties’ obligations under this DPA, but shall not be considered an amendment or modification of this DPA necessitating notice by Nium. The Parties acknowledge and agree that the mere issuing of amendments and modifications to the Data Protection Laws and Standard Contractual Clauses shall not grant either Party the unilateral right to terminate any part of this DPA.
  9. Survival. The provisions of this DPA survive the termination or expiration of the applicable Services Agreement or Outsourcing Agreement for so long as the Parties Processes Personal Data.
  10. Entire Agreement. This DPA is the product of both of the Parties and constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all other prior agreements and understandings, both written and oral, between the Parties with respect to the subject matter hereof. In the case of conflict or ambiguity between any provision in this DPA and the Services Agreement or Outsourcing Agreement, the provisions of this DPA will prevail.

APPENDIX A


ANNEXES I AND II TO EUROPEAN UNION STANDARD CONTRACTUAL CLAUSES

ANNEX I

A. LIST OF PARTIES

Data exporters and importers: 

NIUM
(Data Importer and Data Exporter)

Full Legal Name and Company Registration Number

The Nium entity party to the Services Agreement or Outsourcing Agreement.

Address

Nium’s applicable address stated on https://www.nium.com

Contact details

Nium Legal Department, [email protected]

Activities relevant to data transferred under these Clauses

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement) of the DPA, Services, under the terms of one or more Services Agreements, being provided by Nium to Client.

When acting under Section 2(b) (Processor Terms under an Outsourcing Agreement) of the DPA, services being provided by the Client to Nium under an executed Outsourcing Agreement.

Role (controller/processor)

Independent controller. 

Signature and date: 

Each party shall be deemed to have signed this Annex I on the same date as the Effective Date of the applicable Services Agreement or Outsourcing Agreement

 

CLIENT
(Data Importer and Data Exporter)

Full Legal Name and Company Registration Number

The Client entity party to the Services Agreement or Outsourcing Agreement (as applicable).

Address

The address provided to Nium by the Client.

Contact details

The name, position and contact details provided to Nium by the Client.

Activities relevant to data transferred under these Clauses 

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), Services, under the terms of one or more Services Agreements, being provided by Nium to Client.

With regards to Section 2(b) of the DPA, services being provided by the Client to Nium under an executed Outsourcing Agreement.

Role (controller/processor)

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement) of the DPA: Independent controller.

When acting under Section 2(b) (Processor Terms under an Outsourcing Agreement) of the DPA: Processor.

Signature and date: 

Each party shall be deemed to have signed this Annex I on the same date as the Effective Date of the applicable Services Agreement or Outsourcing Agreement.

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

 

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), the Client’s end customers, representatives, and any natural person who accesses Nium Services.

With regard to Section 2(b) of the DPA, the categories of data subjects as set out in Appendix D of the Outsourcing Agreement between Nium and the Client.

Categories of personal data transferred

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), the categories of personal data required under the terms of the applicable Services Agreement, including account details, address, name, transaction details, device ID, email address, IP address/location, payment card details, tax ID/status, identity information including government issued documents (e.g., national IDs, driver’s licenses and passports).

With regard to Section 2(b) of the DPA, the categories of data as set out in Appendix D of the Outsourcing Agreement between Nium and the Client.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

 

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), the categories of sensitive data transferred may include racial or ethnic origin data. The data is transferred as part of compliance with anti-money laundering laws, sanctions laws, and financial institution laws. Access is restricted and protected in accordance with applicable law.

With regard to Section 2(b) of the DPA, the categories of any sensitive data as set out in Appendix D of the Outsourcing Agreement between Nium and the Client.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), data will be transferred on a continuous basis for the terms of any applicable Services Agreement.

With regard to Section 2(b) of the DPA, data will be transferred on a continuous basis for the term of any applicable Outsourcing Agreement.

Nature of the processing

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), Nium will process personal data as necessary to provide the Nium Services under each applicable Services Agreement.

With regard to Section 2(b) of the DPA, the nature of processing is set out in Appendix D of the Outsourcing Agreement between Nium and the Client.

Purpose(s) of the data transfer and further processing

When acting under Section 2(a) (Independent Controller Terms under a Service Agreement), the purposes of Nium’s Processing of Personal Data in its capacity as a Controller are:

(i)  determining the Processing of Personal Data when providing Nium Services, including when Nium provides a payment method, and determining the third parties (banks and other service providers) to be utilized 

(ii)  monitoring, preventing and detecting fraudulent transactions and other fraudulent activity in connection with Nium’s services;  

(iii)  complying with applicable law, including applicable anti-money laundering screening and know-your-customer obligations; and  

(iv)  analysing and developing Nium’s services.  

With regard to Section 2(b) of the DPA, the purpose of processing is set out in Appendix D of the Outsourcing Agreement between Nium and the Client.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained for as long as necessary for the purpose for which it is collected. However, Personal Data may be retained longer, as may be required by law.

For transfers to Processors and Sub-Processors, also specify subject matter, nature and duration of the processing

As applicable, any transfers to processors and Sub-Processors will be subject to the same subject matter, nature, and duration as otherwise set forth in this Annex I.

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority in accordance with Clause 13 is (i) for the purposes of the UK GDPR, the United Kingdom Information Commissioner Officer or (ii) for purposes of the EU GDPR, the Malta Information and Data Protection Commissioner or the Swiss Federal Data Protection and Information Commissioner as relevant in accordance with Section 4 of the Agreement.

 

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The technical and organizational measures of Nium are as set forth below:

Annex II
Nium - Technical and Organizational Measures

Organizational Measures
  • Internal policies and procedures for data security for Nium’s employees. 
  • Employees are informed about the internal policies and procedures regulating Personal Data security.
  • The internal policies and procedures related to the Processing of Personal Data are periodically revised and updated.
  • The responsible employees are trained about Personal Data security and processing.

Management and Control of Access to Personal Data
  • The protection, management and control of access to Personal Data is ensured.
  • Access to Personal Data is granted only to the person to whom the Personal Data is required to perform his / her functions in connection with the Services.
  • Actions which can be taken while Processing Personal Data is limited by the scope of right that have been granted to a person.
  • The requirements for the access to the Personal Data is ensured for the passwords: passwords’ confidentiality is ensured; passwords are unique; the passwords are changed periodically.
  • In case the Personal Data is Processed in the internal network of computers, the protection of Personal Data is ensured from the illegal connection by electronic connections measures (e. g. the use of the firewall).
  • Control of access to Personal Data.
  • Recording and controlling the registration and access rights efforts.
  • Determining the number of allowed failed connections.
  • Recordings of logins to personal data: login ID, date, time, duration, connection result (successful, unsuccessful).
  • Logs for personal data are stored.
  • Login data and tools are intended for each user personally - it is forbidden for other persons to use one login account. 
  • When the access to the employee of the Data Processer becomes the unnecessary (e. g. the employment relationship is terminated or the nature of work is changed), the Data Controller shall be informed immediately about that, the access is cancelled, physical authentication tools are returned if such tools were provided.   

Physical Access
  • The security of premises, where Personal Data is stored, is ensured physically by limiting the access of unauthorized persons to appropriate premises.

Receiving and Providing Personal Data Over Internet

 

 

    If Personal Data is received or provided over the Internet:

  • Data transmission channels are encrypted using cryptographic protocols (TLS, SSL).
  • Logging is allowed from any IP address. 
  • Users are identified by a unique name / password / certificate.

Security Measures While Receiving or Providing Personal Data by Email and External Data Networks
  • If Personal Data is received or provided via email, security controls on Personal Data are ensured.
  • If Personal Data is received or provided by external data transmission networks, secure protocols (e. g. TLS, SSL) / passwords are ensured.

Use of Computers and Software

  • The protection of computer hardware is ensured from malicious software (such as installing, upgrading, firewalls, and firewalls).
  • Back-up copies of Personal Data, if any, are stored in other premises or geographic location than the active (working) database.
  • Testing of information systems is not carried out with real Personal Data.

 

  • The security updates are regularly automatically installed for computer systems.
  • Complex and secure passwords are used to connect to the computer.
  • When utilizing of or transferring a computer or data media for use by other persons, it must be ensured that all information relating to the Personal Data has been destroyed in a secure manner.

Protection of Servers and Databases

The following minimum-security requirements apply to the protection of servers and databases used to access or store the Processor’s information:

  • Updated malware protection must be enabled and maintained.
  • Access (physical and logical) must be allowed only to authorized personnel.

Security of Data Networks

The use of Processor information systems and data is allowed only with the use of properly protected networks, including:

  • Direct connection of the computer to the internet is prohibited. The connection must be made by using an intermediate network security device - a router with address change (NAT) function or a firewall.
  • Connection from data networks which security is unknown (e. g. public access points in cafes, hotels, etc.) is prohibited.
  • If a local wireless connection (e. g. Wi-Fi) is used to connect the computer, the security and secrecy of the connection must be secured using secure authentication and encryption methods.
  • All devices on the network are managed so that only authorized devices are accessed and unauthorized and unmanaged devices are detected and blocked.

 

The technical and organizational measures of Client are as set forth below:

Annex II
Client - Technical and Organizational Measures

Organizational Measures
  • Internal policies and procedures for data security for Client’s employees. 
  • Employees are informed about the internal policies and procedures regulating Personal Data security.
  • The internal policies and procedures related to the Processing of Personal Data are periodically revised and updated.
  • The responsible employees are trained about Personal Data security and processing.

Management and Control of Access to Personal Data
  • The protection, management and control of access to Personal Data is ensured.
  • Access to Personal Data is granted only to the person to whom the Personal Data is required to perform his / her functions in connection with the Services.
  • Actions which can be taken while Processing Personal Data is limited by the scope of right that have been granted to a person.
  • The requirements for the access to the Personal Data is ensured for the passwords: passwords’ confidentiality is ensured; passwords are unique; the passwords are changed periodically.
  • In case the Personal Data is Processed in the internal network of computers, the protection of Personal Data is ensured from the illegal connection by electronic connections measures (e. g. the use of the firewall).
  • Control of access to Personal Data.
  • Recording and controlling the registration and access rights efforts.
  • Determining the number of allowed failed connections.
  • Recordings of logins to personal data: login ID, date, time, duration, connection result (successful, unsuccessful).
  • Logs for personal data are stored.
  • Login data and tools are intended for each user personally - it is forbidden for other persons to use one login account. 
  • When the access to the employee of the Data Processer becomes the unnecessary (e. g. the employment relationship is terminated or the nature of work is changed), the Data Controller shall be informed immediately about that, the access is cancelled, physical authentication tools are returned if such tools were provided.   

Physical Access
  • The security of premises, where Personal Data is stored, is ensured physically by limiting the access of unauthorized persons to appropriate premises.

Receiving and Providing Personal Data Over Internet

 

 

    If Personal Data is received or provided over the Internet:

  • Data transmission channels are encrypted using cryptographic protocols (TLS, SSL).
  • Logging is allowed from any IP address. 
  • Users are identified by a unique name / password / certificate.

Security Measures While Receiving or Providing Personal Data by Email and External Data Networks
  • If Personal Data is received or provided via email, security controls on Personal Data are ensured.
  • If Personal Data is received or provided by external data transmission networks, secure protocols (e. g. TLS, SSL) / passwords are ensured.

Use of Computers and Software

  • The protection of computer hardware is ensured from malicious software (such as installing, upgrading, firewalls, and firewalls).
  • Back-up copies of Personal Data, if any, are stored in other premises or geographic location than the active (working) database.
  • Testing of information systems is not carried out with real Personal Data.

 

  • The security updates are regularly automatically installed for computer systems.
  • Complex and secure passwords are used to connect to the computer.
  • When utilizing of or transferring a computer or data media for use by other persons, it must be ensured that all information relating to the Personal Data has been destroyed in a secure manner.

Protection of Servers and Databases

The following minimum-security requirements apply to the protection of servers and databases used to access or store the Processor’s information:

  • Updated malware protection must be enabled and maintained.
  • Access (physical and logical) must be allowed only to authorized personnel.

Security of Data Networks

The use of Processor information systems and data is allowed only with the use of properly protected networks, including:

  • Direct connection of the computer to the internet is prohibited. The connection must be made by using an intermediate network security device - a router with address change (NAT) function or a firewall.
  • Connection from data networks which security is unknown (e. g. public access points in cafes, hotels, etc.) is prohibited.
  • If a local wireless connection (e. g. Wi-Fi) is used to connect the computer, the security and secrecy of the connection must be secured using secure authentication and encryption methods.
  • All devices on the network are managed so that only authorized devices are accessed and unauthorized and unmanaged devices are detected and blocked.

 

APPENDIX B

Where the Client Processes Nium Personal Data under or otherwise in connection with an Outsourcing Agreement, the Parties understand and agree that Nium is the Controller and the Client is the Processor and that the Processing of Personal Data under the Outsourcing Agreement is subject to this Appendix B.

1. Role of the Client as a Processor. Nium is the Controller and the Client is the Processor.

2. Instructions and Details of Processing. When the Client processes Personal Data on behalf of Nium, the Client shall:

  1. unless required to do otherwise by applicable laws, (and shall take steps to ensure each person acting under its authority shall) process the Personal Data only on and in accordance with this Agreement  and Appendix D to the Outsourcing Agreement and any other documented instructions from Nium (including with regard to any transfers to a third country or an international organisation) all as updated from time to time upon written agreement between the Parties (“Processing Instructions”);
  2. if applicable laws require it to process Personal Data other than in accordance with the Processing Instructions, notify Nium of any such requirement before processing the Personal Data (unless applicable laws prohibit such information on important grounds of public interest).
  3. notify Nium if it becomes aware that any of the Personal Data is inaccurate or has become outdated.
  4. not share the Personal Data with any third party except as expressly authorised by Nium and pursuant to Section 3 below.
  5. not transfer, access or process Personal Data of Nium outside of the UK and the EEA without obtaining the Nium's explicit written consent and without having in place such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under the GDPR from time to time, including those set out in Article 46 of the GDPR and the implementation of binding corporate rules pursuant to Article 47 of the GDPR.

3. Personnel and Other Processors.

The Client shall not engage a Sub-Processor to carry out any processing activities in respect of the Personal Data without notifying Nium, seeking Nium’s prior written consent and subject to compliance by the Client with Section 3. Nium is deemed to have provided its approval where it has not objected to the new proposed Sub-Processor within thirty (30) calendar days from the date the Client’s notice was received.

a. The Client shall: 

  1. provide details to Nium of any Sub-Processor. Any Sub-Processor agreed by Nium as at the date of this Agreement is set out in Appendix D of the Outsourcing Agreement;
  2. notify Nium 30 days in advance of any change in a Sub-Processor (through the addition or replacement of a Sub-Processor) and shall provide such information as necessary to enable Nium to decide whether to consent to the change. Nium shall be entitled to object to any change in the Sub-Processor and at its discretion (not to be unreasonably exercised) may elect to terminate the Agreement or that part of the Agreement that involves processing of the Personal Data by the Sub-Processor in the event that the Client fails to take the steps suggested by Nium to address the objection and otherwise does not cease to use the relevant Sub-Processor;
  3. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data, appoint each Sub-Processor under a written contract containing obligations which offer materially the same level of protection for the Personal Data as those set out in this Agreement, including an obligation on the Sub-Processor to provide sufficient guarantees to implement equivalent technical and organizational measures in accordance with Section 4 and to delete or return the Personal Data in accordance with Section 8. The contract with the Sub-Processor shall state that compliance with the obligations may be enforced by Nium including if the Client ceases to exist or becomes insolvent. On request by Nium, the Client shall provide a copy of the contract with the Sub-Processor. The Client may redact the text of the contract to the extent necessary to protect confidential information including any personal data; and
  4. notify Nium of any failure by a Sub-Processor to fulfil its contractual obligations.  

b. The Client shall ensure that all persons authorised by it (or by any Sub-Processor) to process Personal Data are subject to an obligation to keep the Personal Data confidential. The Client shall grant access to the Personal Data to members of the personnel on an "as needed basis" and only for the purposes set out in Appendix D of the Outsourcing Agreement. 

c. The Client shall remain fully liable to Nium for any and all acts and omissions of any Sub- Processor, and any persons authorised by it (or by any Sub-Processor) to process Personal Data as if they were its own.

4. Technical and Organizational Measures. The Client shall implement and maintain appropriate technical and organizational measures in accordance with Appendix B, to:

a. ensure that the processing of Personal Data will meet the minimum requirements of the Data Protection Laws (including as set out in Article 32 GDPR) and ensure the protection of the rights of Data Subjects; and

b. provide reasonable assistance to Nium in responding to Data Subject Requests relating to Personal Data.

5. Information and Audit.

a. The Client shall maintain complete, accurate and up-to-date written records of all categories of Processing activities carried out in accordance with the Data Protection Laws (the “Records”). 

b. The Client shall, in accordance with the Data Protection Laws:

  1. as soon as reasonably practicable make available to Nium such information as requested by it from time to time, including any Records, that is necessary to demonstrate the Client's compliance with its obligations under this Agreement and the Data Protection Laws, and it shall immediately inform Nium if, in its reasonable opinion, an instruction infringes the Data Protection Laws or any applicable law; and
  2. allow Nium (either itself or mandate an independent auditor to) inspect, test and audit, all facilities, premises, equipment, systems, documents and electronic data relating to the processing of Nium’s Personal Data by the Client, including where required by a supervisory authority. Such inspections and audits shall be at reasonable times and with prior written notice, subject to any inspection or audit required by a supervisory authority where this is not possible.

c. The Client shall:

  1. provide full cooperation and assistance in relation to such inspection, test and audit (subject to any confidentiality obligations) and on request shall provide copies of the results of any penetration and security testing procedures and third-party audit reports such as SOC II type audit reports (if such reports are available); and
  2. in the event that Nium identifies any non-compliance with this Agreement as a result of an inspection, test or audit, the Client shall take such steps as Nium may reasonably request in order to promptly remedy the non-compliance, at no further cost to Nium.

d. All Parties shall be entitled to share any information referred to in this Section D including the results of any audit, with a competent supervisory authority as may be necessary from time to time.

6. Assistance and Data Subject Rights

a. The Client shall maintain a complete and accurate record of Data Subject Requests. Upon receipt of any Data Subject Request, the Client shall immediately (and no later than within 48 (forty-eight) hours of receipt) refer such Data Subject Request to Nium and shall, at its own expense, promptly assist Nium with such Data Subject Request to ensure that Nium meets the response times under the Data Protection Laws. The Client shall not respond to a Data Subject Request without providing prior written notice to Nium or as required by applicable laws, in which case the Client shall, to the extent permitted by applicable laws, inform Nium of that legal requirement prior to the Client responding to such Data Subject Request.

b. The Client shall provide such assistance as reasonably required by Nium to ensure compliance with Nium’s obligations under the Data Protection Laws with respect to:

  1. security of processing;
  2. data protection impact assessments (as such term is defined in the Data Protection Laws);
  3. prior consultation with a supervisory authority regarding high-risk processing;
  4. notifications to the supervisory authority and/or communications to data subjects by Nium in response to any Data Incident; and
  5. any remedial action to be taken in response to a Data Incident and/or a Data Complaint or request relating to either Party’s obligations under the Data Protection Laws relevant to the Agreement.

7. Breach Notification

a. In respect of any Data Incident, the Client shall, without undue delay but in no event later than 48 (forty-eight) hours (or earlier where possible) after becoming aware, notify Nium of the Data Incident and provide Nium with details of the Data Incident including the nature of the Data Incident, the categories and approximate volume of data subjects, the Personal Data records concerned, the likely consequences of the Data Incident and any measures taken or to be taken by the Client to mitigate the effects of the Data Incident. Where, and insofar as, it is not possible for the Client to provide all of this information at the same time, the initial notification will provide such information as available to the Client and the Client shall provide the further information as soon as it becomes available without undue delay (but in no event later than 24 (twenty-four) hours after it becomes available).

b. The Client shall immediately, at its own expense, investigate the Data Incident and take steps to identify, prevent and mitigate the effects of and to remedy any Data Incident. The Client shall not release or publish any filing, communication, notice, press release or report concerning any Data Incident without Nium’s prior written approval.

c. The Client shall promptly (but in no event later than 48 (forty-eight) hours after becoming aware) inform Nium if it receives or becomes aware of a Data Complaint and shall not respond to the Data Complaint without Nium’s prior written approval.

8. Deletion or Return of Personal Data and Copies

a. The Client only shall process the Personal Data for the duration of the Outsourcing Agreement.

b. The Client shall ensure that any Personal Data (and all copies) are securely returned to Nium or destroyed (at Nium's discretion and direction) in accordance with the instructions given by Nium (unless storage is required by Applicable Laws and, if so, the Client shall inform Nium of any such requirement) in the following circumstances:

  1. on termination of the Outsourcing Agreement or this DPA
  2. once processing of the Personal Data is no longer necessary for the purposes set out in Appendix D of the Outsourcing Agreement;

c. Following the destruction of the Personal Data in accordance with this Section 8, the Client shall certify to Nium that the Personal Data in question has been destroyed in accordance with Nium's instructions.