DATA PROCESSING AGREEMENT (DPA)
1. PREAMBLE
1.1. This DPA is an addition to E-Service Agreement (hereinafter – “Agreement”) between Yandex (hereinafter – “Yandex”) and the other party of such contract, agreement or document concluded with Yandex (hereinafter – “Customer”), in which this DPA is stipulated as a part of such contract, agreement or document (“Agreement”). In the event of a contradiction between this DPA and the provisions of Agreement, this DPA shall prevail.
1.2. This DPA is deemed to be concluded by using opt-in check-box or by entering into Agreement, including by electronic means (scan, email, etc.).
1.3. This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Data Protection Legislation.
2. DEFINITIONS AND INTERPRETATION
2.1. In this DPA:
“Customer” means a legal entity or individual entrepreneur that provides passenger transportation and related services and that has accepted the terms and conditions of the Agreement.
“E-Service” means various informational services provided by the Agreement, which, without limitation, include enabling and (or) assisting the Customer with accessing the Service, receiving relevant information on Requests, performing Requests, and communicating with Yandex and (or) Yandex Users and other Services provided by the Agreement.
“Personal Data” means any personal data that is received from one party and processed by the other party under the Agreement in connection with provision or use (as applicable) of the Services to Customer.
“Data Protection Legislation” means, as applicable: (a) the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data); and/or (b) any other applicable law, statute regulation, directive or legislative act of another form, applicable to the processing of Personal Data.
“Driver(s)”, “Couriers” shall mean an individual who (a) has signed or otherwise become a party to either an employment or other contract with Customer or any third party, or Yandex has grounds to believe that such contractual relations exist, and (b) has all licenses and (or) permissions as required by the Country Law to drive the Vehicle and perform the Transfer and/or delivery services, and (c) is actually capable of driving the Vehicle at the relevant time and registered in the Partner Web Interface by Customer.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
2.2. Other capitalized terms when used herein shall have the same meaning as is given such terms in the Agreement.
2.3. Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. CATEGORIES OF PERSONAL DATA
3.1. For the purposes of providing the E-Service and fulfilling the obligations under the Agreement Yandex processes Personal Data:
3.1.1. full name, social security number, national ID details, tax ID, date of birth, place of birth, gender, citizenship, photo, mobile number, official residential address, chats, calls, geolocation, information related to activities during the services;
3.1.2. driving license details: forename and surname, date and place of birth, expiry date, official body that has issued the license, license number, place where the license has been issued, car category or categories to which the license extends; license plate number;
3.1.3. scanned copies of the documents containing the data listed in 4.1.1 (i) – (ii);
3.2. Personal Data listed above can be provided by Customer or collected by the Yandex on behalf of the Yandex.
4. PURPOSES OF DATA PROCESSING AND ROLES OF THE PARTIES
4.1. When processing personal data for the following purposes, the Yandex acts as the data controller:
4.1.1. Registration of drivers in Yandex’s application, authorization and identification;
4.1.2. Where applicable, verifying Drivers’ identity;
4.1.3. Monitoring driving style, including speed, acceleration, and deceleration, to prevent accidents, duration of work;
4.1.4. Monitoring driving time and route for safety concerns and regulatory compliance.
4.2. Yandex acts as the Data Processor where Yandex processes Personal Data for the following purposes:
4.2.1. Assisting Customer and Drivers to access the E-Service, enabling Drivers to receive the Requests of Yandex users and to perform the Requests;
4.2.2. Providing support to Drivers.
4.3. For other purposes of Personal Data processing not listed in this section 4 Customer acts as Data Controller.
4.4. Customer shall ensure legal basis of Personal Data processing, including legal basis for the transfer of Drivers’ Personal Data to Yandex.
4.5. Where required by applicable law, the Customer shall obtain drivers’ consent to collect and process Personal Data by the Yandex and transfer Personal Data to Yandex, and, at Yandex’s request, shall provide supporting evidence thereof. Customer shall promptly notify the Yandex if it becomes aware that any such consent is withdrawn.
4.6. Customer shall implement and maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing processing of Drivers’ personal data. Customer shall duly inform the Driver that their data will be transferred to the Yandex.
5. DURATION OF PROCESSING
5.1. Yandex where acting as Data Controller shall process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
5.2. Personal Data shall be deleted upon the sooner of (i) request of the Customer; or (ii) when Personal Data is no longer needed to perform the Agreement.
6. SUB-PROCESSORS
6.1. Customer acknowledges and agrees that:
6.1.1. Yandex’s Affiliates may be retained as sub-processors;
6.1.2. Yandex and Yandex’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the E-Service.
6.2. Yandex and Yandex’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the E-Service.
6.3. Yandex verifies that its appointed Sub-Processors have provided sufficient guarantees to Yandex to implement appropriate technical and organizational measures in such a manner that the processing of Personal Data meets the requirements of the Data Protection Legislation. Yandex undertakes that all the Sub-Processors are subject to a written agreement with Yandex which imposes data protection obligations on the Sub-Processors that are no less onerous than those imposed on the Yandex under this DPA.
6.4. Yandex is not bound by any recommendations of the Customer in respect to choice of sub-processors and can follow or not follow such recommendations at its own discretion. Yandex can change Sub-processors from time to time and engage new sub-processors without any prior approval.
7. DATA SUBJECT RIGHTS
7.1. Customer’s obligations:
7.1.1. The Customer shall promptly notify the Yandex of any request it has received from a data subject, including access, rectification or erasure requests.
7.1.2. The Customer shall assist the Yandex in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Data Protection Legislation. In fulfilling its obligations under this section, the Yandex shall comply with the instructions from the Customer.
7.2. Yandex’s obligations:
7.2.1. The Yandex shall promptly notify the Customer of any request it has received from a data subject, provided that such request refers to Personal Data processing by the Yandex.
7.2.2. Where Yandex processes personal data as Data Processor, the Yandex shall assist the Customer in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Data Protection Legislation. In fulfilling its obligations under this section, the Data Processor shall comply with the instructions from the Data Controller.
8. REPRESENTATIONS AND WARRANTIES
8.1. Customer represents and warrants, and, at Yandex’s request, will provide supporting evidence, to demonstrate that:
8.1.1. Customer collects, obtains and processes Personal Data, provided by Customer to Yandex under this DPA, lawfully, without violating any third parties’ rights, contractual obligations or Data Protection Legislation;
8.1.2. Customer’s data processing activities are compliant with Data Protection Legislation, applicable e-commerce legislation, advertising legislation or consumer protection legislation.
8.1.3. Customer has all rights, consents, authorization and title to grant the rights and permissions to collect such Personal Data by Yandex according to the Agreement and the terms of this DPA;
8.1.4. where required by applicable Data Protection Legislation, Customer has obtained the consent of data subjects (including Drivers and Couriers) to collect, process and share such Personal Data and transfer (including cross-border transfer) such Personal Data to Yandex as well as transfer personal data collected by Yandex on behalf of Customer to Customer, and, at Yandex’s request, will provide supporting evidence thereof;
8.1.5. Customer has implemented and will maintain a privacy policy compatible with the requirements of Data Protection Legislation, governing processing of such Personal Data;
8.1.6. processing of such Personal Data by Yandex will not violate the Data Subject’s rights and rights of the other third parties, including without limitation privacy, data protection, good-will, good name, publicity, confidentiality and intellectual property rights.
8.2. Where applicable, Customer has obtained all mandatory licenses, authorizations and approvals provided by applicable law.
8.3. Disclosure Notification. Without limiting the aforesaid, Customer confirms, and at Yandex’s request will demonstrate that all data subjects whose Personal Data is processed by Yandex have received appropriate disclosures and notifications, as required under Data Protection Legislation. Where a third party provided the notices to the data subjects and (or) received their consent, Customer will bear sole responsibility to verify and will be able to demonstrate that the notices and (or) consents were sufficient for the purposes of use under the terms of the Agreement and this DPA and adequate pursuant to the Data Protection Legislation.
9. COOPERATION
9.1. Assistance in Compliance. Customer shall cooperate with Yandex and provide all necessary assistance to Yandex in connection with Data Protection Legislation.
9.2. Yandex shall cooperate with Yandex and provide all necessary to Yandex in connection with requests to exercise data subjects’ rights, complaints and inquiries;
9.3. Customer Notices. Unless prohibited under applicable laws, Customer will notify Yandex of:
9.3.1. Any violation by Customer, or anyone on Customer’s behalf of any provision under this DPA;
9.3.2. Any official competent supervisory proceedings regarding the processing of the Personal Data;
9.3.3. Any legal or factual circumstances preventing Customer from performing any of its representations, warranties or obligations under the terms of this DPA; and
9.3.4. Any material changes impacting the technical and organizational security measures implemented by Customer which cause such measures to fall short of Customer’s data security obligations under the Data Protection Legislation.
9.4. Inquiries, requests and complaints. Customer will provide all reasonable and timely assistance to Yandex, to enable Yandex to respond to: (i) supervising authorities’ or data subjects’ requests under the Data Protection Legislation; and (ii) any other correspondence, inquiry or complaint received from data subjects (or on data subjects’ behalf), supervising authority and other regulators, or competent authorities in connection with the processing of the Personal Data provided under this DPA.
9.5. If any such communication is made directly to Customer, Customer will promptly inform Yandex about such communication, provide Yandex with all related details and will not respond to the communication unless specifically required by Data Protection Legislation or authorized by Yandex.
10. LIABILITY
10.1. Customer guarantees the prompt and satisfactory performance of its obligations and responsibilities under this DPA by Customer and Customer agrees that it will be responsible for all costs associated with its compliance with such obligations. Customer is responsible and liable for its acts and omissions under this DPA.
10.2. Customer will defend, indemnify and hold Yandex, its Affiliates, their officers, directors, employees, counterparties and agents harmless from and against any and all third-party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs, arising out of or in connection with any failure by Customer to comply with the requirements under this DPA.
11. SECURITY INCIDENTS
11.1. Data Processor shall inform Data Controller within 72 hours after becoming aware of any security incident that affects Personal Data, including accidental or unlawful destruction, loss, alteration, theft, unauthorized disclosure of, processing, acquisition or access to Personal Data.
11.2. Data Processor shall immediately take remediation and containment measures to prevent or limit unauthorized access, alteration, loss of confidentiality and Processing of Controller Personal Data.
12. DATA SECURITY
12.1. Taking into account the state of the art, the costs of implementing technical and organizational measures that align with the nature, scope, context and purposes of the processing of Personal Data, Data Processor shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful loss, destruction, damage, theft, alteration or disclosure and to ensure a level of security appropriate to the risk. Such measures may include, but are not limited to, limitation of access, access control mechanisms, data encryption, data pseudonymization, malware protection, possessing the ability to restore the availability of and access to Controller Personal Data in a timely manner after a security incident and other relevant measures.
12.2. Data Processor shall regularly test and monitor the effectiveness of its safeguards, controls, systems and procedures.
13. PRIORITY
13.1. Effect of this DPA. In the event of a contradiction between this DPA and the provisions of Agreement, this DPA shall prevail, unless otherwise stipulated in the DPA.
13.2. Other Data Processing Agreements. This DPA will not affect any other separate data processing agreements between Yandex and Customer in respect of any data processing arising out of the agreements other than Agreement.
14. CHANGES TO THIS DPA
14.1. Yandex may change the DPA at any moment in case: (a) changes are required to comply with the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) changes follow the factual Personal Data processing activities of the parties according to the Agreement, or (c) changes do not result in a degradation of the security of Personal Data. Depending on the applicable law, applicable regulation, a court order or guidance issued by a regulator or agency, such changes will be effective in thirty (30) days after prior notice by Yandex via e-mail or any other means including the web account used by Customer according to the Agreement (or shorter period as may legally be required).
14.2. If Customer objects to any such change, it must terminate the DPA and the Agreement (unless the Agreement could be performed in the remaining part without existence of this DPA) and stop providing (or using, as applicable) the E-Service under the Agreement. Yandex shall be entitled not to notify Customer about editorial changes.
15. DISCLOSURE OF THE DPA
15.1. Customer acknowledges that Yandex may disclose this DPA and any relevant privacy provisions in the Agreement to any supervisory authority, regulator or other competent authority, to the extent required under the applicable law.
_____________________________
Date of publication: 26.06.2025
Previous version of the document: https://yandex.com/legal/yandextaxi_dpa/04072022
Previous version of the document: https://yandex.com/legal/yandextaxi_dpa/22032022
Previous version of the document: https://yandex.com/legal/yandextaxi_dpa/06112018