YANDEX.TAXI DATA PROCESSING AGREEMENT (DPA)

Agreement on Contracted Data Processing for customers by and between Yandex.Taxi B.V. - Schiphol Boulevard 165, 1118 BG Schiphol, the Netherlands (“Yandex.Taxi”)

By using the opt-in check-box or by signing a contract or agreement in which this data processing agreement is stipulated as a part of such contract or agreement, you declare that you agree to the following regulations. By proceeding, you confirm that you have a business established in the territory of a member state of the European Economic Area or Switzerland, or that, for other reasons, you are subject to the territorial scope of the national implementations of the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation). You further agree that if the aforementioned is not the case, this DPA between you and Yandex.Taxi shall be void.

This DPA is an addition to any contract or agreement between Yandex.Taxi and you (“Customer”), in which this DPA is stipulated as a part of such contract or agreement (“Contract”). In the event of a contradiction between these clauses and such contract and agreement, the terms and conditions under this DPA shall prevail.

1. INTRODUCTION

This DPA reflects the parties’ agreement on the processing of Controller Personal Data in connection with the Data Protection Legislation.

2. DEFINITIONS AND INTERPRETATION

2.1 In this DPA:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Controller Data Subject” means a data subject to whom Controller Personal Data relates.

“Controller Personal Data” means any personal data that is processed by a party under the Contract in connection with provision or use (as applicable) of the Services to the Customer.

“Services” means the services provided to the Customer subject to the respective Contract.

“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) any other applicable law, statute, regulation, directive or legislative act of another form, applicable to the Processing of Controller Personal Data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in this DPA have the meanings given in the GDPR.

2.3 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. APPLICATION OF THIS DPA

3.1 Application of Data Protection Legislation. This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Controller Personal Data.

3.2 Application to Controller Services. This DPA will only apply to the Services that the parties agreed to in the Contract. The Customer may accept this DPA either (a) by clicking the special check-box in the Customer Interface, or (b) where the Contract incorporates this DPA by reference.

4. PROCESSING OF PERSONAL DATA

4.1 Subject matter, nature, purpose of the data processing and types of personal data.

(a) For the purposes of providing the Services and fulfillment of the obligations under the Contract, Yandex.Taxi processes Controller Personal Data of the drivers provided by the Customer, such as:

(i) full name, social security number, identification number, date of birth, place of birth, gender, citizenship, photo, mobile number, official residential address;

(ii) driving license details: forename and surname, date and place of birth, expiry date, official body that has issued the license, license number, place where the license has been issued, car category or categories to which the license extends;

(iii) scanned copies of the documents containing the data listed in 2.4.1 (i) – (ii);

(b) For the purposes of rendering the transportation services on the sole discretion of the Customer, it processes Controller Personal Data of the end-users of Yandex.Taxi web-services and mobile applications, to which it has access through the Services, such as:

(i) (geo)location, end-users transportation requests details;

(ii) other information available for Customer, as well as for its representatives and drivers through the relevant interfaces of the Services.

4.2 Independent Controllers. Each party:

(a) is an independent controller of Controller Personal Data under the Data Protection Legislation;

(b) will individually determine the purposes and means of its processing of Controller Personal Data; and

(c) will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Controller Personal Data.

4.3 Restrictions on Processing. Section 4.2 (Independent Controllers) will not affect any restrictions on either party’s rights to use or otherwise process Controller Personal Data under the Contract (if any).

4.4 Transfers of Data Out of the European Economic Area and Switzerland. Either party may transfer Controller Personal Data outside the European Economic Area and Switzerland if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Legislation.

Yandex.Taxi performs the contractually agreed Processing of Controller Personal Data on servers in Member States of the European Union or other signatories to the agreement on the European Economic Area, or by a data processor for which Yandex.Taxi ensures a reasonable level of protection of Controller Personal Data, including through the conclusion of standard contractual clauses for processors adopted by the Commission of the European Union.

5. COLLECTION OF PERSONAL DATA

5.1 Warranties. The Customer represents and warrants, and, at Yandex.Taxi’s request, will provide supporting evidence, to demonstrate that: (i) the Customer collects, obtains and processes Controller Personal Data, provided by the Customer to Yandex.Taxi under this DPA, lawfully, without violating any third parties’ rights, contractual obligations or Data Protection Legislation; (ii) the Customer has all rights, consents, authorization and title to grant the rights and permissions to collect such Controller Personal Data by Yandex.Taxi according to the Contract and the terms of this DPA; (iii) the Customer has implemented and will maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing the use and Processing of such Controller Personal Data; (iv) Processing and use of such Controller Personal Data by Yandex.Taxi will not violate the Controller Data Subject’s rights and rights of the other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights.

5.2 Disclosure Notification. Without limiting the aforesaid, the Customer confirms, and at Yandex.Taxi’s request will demonstrate that all Controller Data Subjects received appropriate disclosures and notifications, as required under Data Protection Legislation, including for the use, distribution and cross-border transfer of Controller Personal Data, provided by the Customer to Yandex.Taxi under this DPA, which is required for the use and Processing of such Controller Personal Data under the terms of the Contract and this DPA. Where a third party provided the notices to the Controller Data Subjects and received their consent, the Customer will bear sole responsibility to verify and will be able to demonstrate that the notices and consents were sufficient for the purposes of use under the terms of the Contract and this DPA and adequate pursuant to the Data Protection Legislation.

6. COOPERATION

6.1 Assistance in Compliance. The Customer will cooperate with Yandex.Taxi and provide all necessary assistance to Yandex in connection with:

(a) Yandex.Taxi’s GDPR (or other Data Protection Legislation)-related demonstration of compliance;

(b) Requests to exercise Controller Data Subjects’ rights, complaints and inquiries pursuant to section 6 of this DPA;

If at Yandex.Taxi’s discretion the Customer cannot provide sufficient assistance, Yandex.Taxi may terminate this DPA and the Contract, or those parts of the Contract which cannot be performed without the requested assistance.

6.2 The Customer Notices. Unless prohibited under applicable laws, the Customer will notify Yandex.Taxi of:

(a) Any violation by the Customer, or anyone on the Customer’s behalf of any provision under this DPA;

(b) Any official competent supervisory proceedings regarding the Processing of the Controller Personal Data;

(c) Any legal or factual circumstances preventing the Customer from performing any of its representations, warranties or obligations under the terms of this DPA; and

(d) Any material changes impacting the technical and organizational security measures implemented by the Customer which cause such measures to fall short of the Customer’s data security obligations under the Data Protection Legislation.

6.3 Inquiries, requests and complaints. The Customer will provide all reasonable and timely assistance to Yandex.Taxi, to enable Yandex.Taxi to respond to: (i) supervising authorities or Controller Data Subjects’ requests for assistance in relation to any request from the Controller Data Subject to exercise any of the Controller Data Subject’s rights under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from the Controller Data Subject (or on the Controller Data Subject’s behalf), supervising authority and other regulators, or competent authorities in connection with the Processing of the Controller Personal Data provided by the Customer to Yandex.Taxi under this DPA.

6.4 Information obligation. If any such communication, which is indicated in Section 6.3 (Inquiries, requests and complaints), related to the Processing of the Controller Personal Data of Yandex.Taxi, to which the Customer has access through the Services, is made directly to the Customer, the Customer will promptly inform Yandex.Taxi about such communication, provide Yandex.Taxi all related details and will not respond to the communication unless specifically required by applicable Data Protection Legislation or authorized by Yandex.Taxi.

7. LIABILITY

7.1 The Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by the Customer and the Customer agrees that it will be responsible for all costs associated with its compliance with such obligations. The Customer is responsible and liable for its acts and omissions under this DPA.

7.2 The Customer will defend, indemnify and hold Yandex.Taxi, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by the Customer to comply with the requirements under this DPA.

8. PRIORITY

8.1 Effect of this DPA. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Contract then, subject to Sections 4.3 (Restrictions on Processing) and 8.2 (Other Data Processing Agreements), the terms of this DPA will govern. Subject to the amendments in this DPA, the Contract remains in full force and effect.

8.2 Other Data Processing Agreements. This DPA will not affect any other separate Data Processing Agreement between Yandex and/or its Affiliate and the Customer in respect of any data processing arising out of the agreements other than the Contract.

9. CHANGES TO THIS DPA

9.1 Yandex.Taxi may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes do not: (i) result in a degradation of the security of Controller Personal Data; (ii) expand the scope of, or remove any restrictions on, Yandex.Taxi Processing of Controller Personal Data; and (iii) otherwise have a material adverse impact on your rights under this DPA, as reasonably determined by Yandex.Taxi. Before changes take effect, Yandex.Taxi informs you at least thirty (30) days in advance (or a shorter period as may be required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency) by either: (a) email; or (b) alerting you via the Customer Interface. If you object to any such change, you must terminate the DPA and the Contract (unless the Contract could be performed in the remaining part without existence of this DPA) and stop providing (or using, as applicable) the Services under the Contract. Yandex.Taxi shall be entitled not to notify you about editorial changes.

10. DISCLOSURE OF THE DPA

10.1 The Customer acknowledges that Yandex.Taxi may disclose this DPA and any relevant privacy provisions in the Contract to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law.

_____________________________

Date of publication: 06.11.2018