DATA PROCESSING AGREEMENT (DPA)

This is an old version of the document, which expired on June 26, 2025. The current version is available at: https://yandex.com/legal/yandextaxi_dpa.

1. PREAMBLE

1.1. This DPA is an addition to any contract, agreement or other legal document between Ridetech International B.V. or any of the companies listed at https://yandex.com/legal/dpa_undertakings (“Yandex.Taxi”) and the other party of such contract, agreement or document concluded with Yandex.Taxi (“Customer”), in which this DPA is stipulated as a part of such contract, agreement or document (“Contract”). In the event of a contradiction between this DPA and the provisions of Contract, this DPA shall prevail.

1.2. This DPA is deemed to be concluded by using opt-in check-box or by entering into Contract, including by electronic means (scan, email, etc.).

1.3. This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Data Protection Legislation.

2. DEFINITIONS AND INTERPRETATION

2.1 In this DPA:

“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.

“Personal Data” means any personal data that is received from one party and processed by the other party under the Contract in connection with provision or use (as applicable) of the Services to the Customer.

“Services” means the services provided to the Customer subject to the respective Contract.

“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) any other applicable law, statute, regulation, directive or legislative act of another form, applicable to the processing of Personal Data.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.2 The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in this DPA have the meanings given in the GDPR.

2.3 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.

3. APPLICATION OF THIS DPA

3.1 This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Personal Data.

4. PROCESSING OF PERSONAL DATA

4.1. For the purposes of providing the Services and fulfilling the obligations under the Contract, Yandex.Taxi processes Personal Data provided by the Customer, such as:

4.1.1 Personal Data of individuals providing services to the end-users of Yandex.Taxi:

(i) full name, social security number, national id details, date of birth, place of birth, gender, citizenship, photo, mobile number, official residential address;

(ii) driving license details: forename and surname, date and place of birth, expiry date, official body that has issued the license, license number, place where the license has been issued, car category or categories to which the license extends;

(iii) scanned copies of the documents containing the data listed in 4.1 (i) – (ii);

(iv) other Personal Data indicated in the Contract.

4.1.2 Parties’ representatives:

(i) full name, signature, e-mail, phone number, contact details, address, position.

4.2. For the purposes of rendering the Services the Customer processes Personal Data of the end-users of Yandex.Taxi web-services and mobile applications, to which it has access through the Services, such as:

(i) (geo)location, orders details, mobile number;

(ii) Personal Data indicated in the Contract;

(iii) other Personal Data available for Customer, as well as for individuals providing services to the end-users of Yandex.Taxi through the relevant interfaces of the Services.

4.3. Regarding processing of Personal Data of individuals providing services to the end-users of Yandex.Taxi and parties’ representatives, each party:

(a) is an independent controller of Personal Data under the Data Protection Legislation;

(b) will individually determine the purposes and means of its processing of Personal Data for fulfilling the obligations according to the Contract;

(c) will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Personal Data;

(d) may cross-border transfer Personal Data if it complies with the provisions of Data Protection Legislation; and

(e) may engage processor or sub-processor of Personal Data according to the Data Protection Legislation.

4.4. Regarding processing of Personal Data of the end-users of Yandex.Taxi web-services and mobile applications the parties process Personal Data in accordance with the Annex “Standard Contractual Clauses” of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“SCC”), which forms an integral part of the DPA, as follows:

(a) The clauses of SCC shall be read as follows:

(i) Clause 7 (docking clause) is excluded.

(i) Option 1 in the Clause 9 (a) (Use of sub-processors), Module Two and Module Three, is selected. Time period specified as “14 days”.

(ii) Option in the Clause 11 (a) (redress) is excluded.

(iii) Option 1 in the Clause 17 (Governing law), Module One, Module Two and Module Three, is selected. Member State specified as the Netherlands.

(iv) Country in the Clause 17 (Governing law), Module Four, specified as the Netherlands.

(v) Member State in the Clause 18 (b) (Choice of forum and jurisdiction), Module One, Module Two and Module Three, specified as the Netherlands.

(vi) Country in the Clause 18 (Choice of forum and jurisdiction), Module Four, specified as the Netherlands.

(b) The Appendix to SCC is deemed to be filled in with the following:

(i) Personal Data exporter is Yandex.Taxi which acts as data controller providing services to Customers according to the Contract. The details of the contact person of Yandex.Taxi are indicated in the Contract.

(ii) Personal Data importer is the Customer which acts as data processor consuming services provided to the Customer by Yandex.Taxi according to the Contract. The details of the contact person of the Customer are indicated in the Contract.

(iii) Categories of data subjects whose Personal Data is transferred and of Personal Data transferred are indicated in Section 4.2 herein.

(iv) No sensitive Personal Data is transferred.

(v) Personal Data is transferred on a continuous basis.

(vi) The nature of the processing: set of operations which is performed on Personal Data by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, making available to the Customer and to the individuals providing services to the end-users of Yandex.Taxi, alignment or combination, restriction, erasure or destruction.

(vii) Purpose(s) of the Personal Data transfer and further processing are indicated in Section 4.2 herein.

(viii) The period for which the Personal Data will be retained is the same as the term of the Contract.

(ix) The transfers to (sub-) processors are not applicable.

(x) The competent supervisory authority is Dutch Data Protection Authority Autoriteit Persoonsgegevens (PO Box 93374, 2509 AJ DEN HAAG, Telephone number: (+31) - (0)70 - 888 85 00, Fax: (+31) - (0)70 - 888 85 01).

(xi) The following technical and organisational measures including technical and organisational measures to ensure the security of the Personal Data shall be applied by the Customer:

  • Measures of pseudonymisation and encryption of Personal Data
  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  • Measures for user identification and authorisation
  • Measures for the protection of Personal Data during storage
  • Measures for ensuring physical security of locations at which Personal Data are processed
  • Measures for ensuring events logging
  • Measures for ensuring system configuration, including default configuration
  • Measures for internal IT and IT security governance and management
  • Measures for ensuring Personal Data minimisation
  • Measures for ensuring limited Personal Data retention
  • Measures for allowing data portability and ensuring erasure.

5. COLLECTION OF PERSONAL DATA

5.1 Warranties. The Customer represents and warrants, and, at Yandex.Taxi’s request, will provide supporting evidence, to demonstrate that: (i) the Customer collects, obtains and processes Personal Data, provided by the Customer to Yandex.Taxi under this DPA, lawfully, without violating any third parties’ rights, contractual obligations or Data Protection Legislation; (ii) the Customer has all rights, consents, authorization and title to grant the rights and permissions to collect such Personal Data by Yandex.Taxi according to the Contract and the terms of this DPA; (iii) the Customer has implemented and will maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing processing of such Personal Data; (iv) processing of such Personal Data by Yandex.Taxi will not violate the Data Subject’s rights and rights of the other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights.

5.2 Disclosure Notification. Without limiting the aforesaid, the Customer confirms, and at Yandex.Taxi’s request will demonstrate, that all data subjects whose Personal Data is processed by Yandex.Taxi received appropriate disclosures and notifications, as required under Data Protection Legislation. Where a third party provided the notices to the data subjects and (or) received their consent, the Customer will bear sole responsibility to verify and will be able to demonstrate that the notices and (or) consents were sufficient for the purposes of use under the terms of the Contract and this DPA and adequate pursuant to the Data Protection Legislation.

6. COOPERATION

6.1 Assistance in Compliance. The Customer will cooperate with Yandex.Taxi and provide all necessary assistance to Yandex.Taxi in connection with:

(a) Data Protection Legislation;

(b) Requests to exercise data subjects’ rights, complaints and inquiries;

If the Customer cannot provide sufficient assistance, Yandex.Taxi may terminate this DPA and the Contract, or those parts of the Contract which cannot be performed without the requested assistance.

6.2 The Customer Notices. Unless prohibited under applicable laws, the Customer will notify Yandex.Taxi of:

(a) Any violation by the Customer, or anyone on the Customer’s behalf of any provision under this DPA;

(b) Any official competent supervisory proceedings regarding the processing of the Personal Data;

(c) Any legal or factual circumstances preventing the Customer from performing any of its representations, warranties or obligations under the terms of this DPA; and

(d) Any material changes impacting the technical and organizational security measures implemented by the Customer which cause such measures to fall short of the Customer’s data security obligations under the Data Protection Legislation.

6.3 Inquiries, requests and complaints. The Customer will provide all reasonable and timely assistance to Yandex.Taxi, to enable Yandex.Taxi to respond to: (i) supervising authorities’ or data subjects’ requests under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from data subjects (or on data subjects’ behalf), supervising authority and other regulators, or competent authorities in connection with the processing of the Personal Data provided under this DPA.

If any such communication is made directly to the Customer, the Customer will promptly inform Yandex.Taxi about such communication, provide Yandex.Taxi all related details and will not respond to the communication unless specifically required by Data Protection Legislation or authorized by Yandex.Taxi.

7. LIABILITY

7.1 The Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by the Customer and the Customer agrees that it will be responsible for all costs associated with its compliance with such obligations. The Customer is responsible and liable for its acts and omissions under this DPA.

7.2 The Customer will defend, indemnify and hold Yandex.Taxi, its Affiliates, their officers, directors, employees, contractors and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by the Customer to comply with the requirements under this DPA.

8. PRIORITY

8.1 Effect of this DPA. In the event of a contradiction between this DPA and the provisions of Contract, this DPA shall prevail, unless otherwise is stipulated in the DPA.

8.2 Other Data Processing Agreements. This DPA will not affect any other separate data processing agreements between Yandex.Taxi and the Customer in respect of any data processing arising out of the agreements other than Contract.

9. CHANGES TO THIS DPA

9.1 Yandex.Taxi may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes follow the factual Personal Data processing activities of the parties according to the Contract, or (c) changes do not result in a degradation of the security of Personal Data. Depending on the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency, such changes will be effective: (1) at the day of the publication at https://yandex.com/legal/yandextaxi_dpa, or (2) in thirty (30) days after such publication, or (3) in thirty (30) days after prior notice by Yandex.Taxi via e-mail or any other means including the web account used by the Customer according to the Contract (or shorter period as may legally be required).

If the Customer objects to any such change, it must terminate the DPA and the Contract (unless the Contract could be performed in the remaining part without existence of this DPA) and stop providing (or using, as applicable) the Services under the Contract. Yandex.Taxi shall be entitled not to notify Customer about editorial changes.

10. DISCLOSURE OF THE DPA

10.1 The Customer acknowledges that Yandex.Taxi may disclose this DPA and any relevant privacy provisions in the Contract to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law.

_____________________________

Date of publication: 04.07.2022

Previous version of the document: https://yandex.com/legal/yandextaxi_dpa/22032022

Previous version of the document: https://yandex.com/legal/yandextaxi_dpa/06112018