Data Protection Agreement

IDEMIA understands the importance of, and is committed to, protecting data subjects' personal data. IDEMIA herein after “IDEMIA” is part of the IDEMIA Group of Companies ("IDEMIA Group") which is a global organization.

This policy sets out how IDEMIA aims to protect the privacy of personal data, users’ rights in relation to their personal data handled by IDEMIA and the way IDEMIA collects, holds, uses and share personal data. This policy explains how IDEMIA use the personal data we collect about user when accessing the Service. This policy may be updated from time to time.

The processing of data collected is carried out with Your consent and/or in accordance with our legitimate interest.

Definitions

“Customer” means You and Your company.

"Personal data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by local law, the controller or the specific criteria for its nomination may be provided for by local law.

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Supervisory Authority" means an independent public authority which is established by a state to be responsible for monitoring the application of the data privacy Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data between countries in secured way.

" Data Transfers" means any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.
Purpose

The purpose of this Agreement is to define the conditions under which IDEMIA will process personal data defined in Appendix 1 below provided to IDEMIA by the Customer when accessing IDEMIA’s Services. For the provision of the services, it is understood that IDEMIA is the Processor, and Customer is the Controller.
Compliance with applicable regulation regarding data protection

The Parties undertake to comply with all obligations arising from any applicable data protection law. The Parties shall refrain from any action, which could result in the other Party's failure to comply with its obligations under the applicable Data Protection Law.
Obligations of the customer

The Customer represents and warrants that it collects and processes Personal Data in a lawful manner, including:
- Ensure that it has a proper legal basis under applicable law for the processing;
- Provide the data subjects with all necessary information at the time of collection of their personal data;
- Has obtained all necessary permissions, rights and authority to the collect, process, transfer, use and store all Personal Data as contemplated herein,
- Implement all necessary measures to ensure that data subjects can exercise their rights;
- Provide IDEMIA with the data referred to in Appendix 1;
- Specify in writing and in a clear manner the instructions to be followed by IDEMIA while ensuring that these instructions comply with Data Protection Law and other applicable regulations.
Processing carried out by IDEMIA

IDEMIA processes personal data to the extent strictly necessary for the provision of the service. Service means Identity Proofing platform to help the Customer in its anti-money laundering, terrorism and its financing activities, in accordance with the written instructions of the Customer.

Accordingly, IDEMIA shall:
- Refrain from any use, including personal or commercial use, of the personal data processed which differs from the purpose of the present Agreement;
- Authorize access to the data only to its duly authorized employees and contractors for the purposes of the performance of the Agreement;
- Inform its employees and any person acting on its behalf or under its authority of the confidential nature of the data being processed under the Agreement;
- Train its employees so that they strictly respect their legal and contractual obligations regarding the protection of personal data;
- Provide the Customer with all the information necessary to help him to demonstrate the compliance of the processing operations with the Data Protection Law and this Agreement ;
- Appoint a Data Protection Officer who can be contacted at dpo@idemia.com
Sub-processing

Customer acknowledges and agrees that:
- (a) IDEMIA’s Affiliates may be retained as Subprocessors; and (b) IDEMIA and IDEMIA’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
- IDEMIA or IDEMIA’s Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor
List of current Sub-processors are available in the Privacy Policy, this list may be updated from time to time. The Agreement with the subcontractor shall contain terms substantially equivalent to those contained in this Addendum.
Security measures

IDEMIA implements, or ensures that its subcontractors implement, appropriate technical and organizational measures of security appropriate to the risk.

To this purpose, IDEMIA takes into account the state of the art, the costs of implementing the measures as well as the nature, scope, context and purposes of the processing. IDEMIA also takes into account the likelihood and severity of risks to the rights and freedoms of individuals, and the need to prevent the destruction, loss or alteration, unauthorized disclosure of data to or unauthorized access to such data, whether accidentally or unlawfully.
Data subjects’ rights

Upon Customer’s request IDEMIA will respond without undue delay in order to enable Customers to comply with the legal requirements and will provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request

In the event IDEMIA receive directly a request from a data subject it will promptly reply and inform the Customer.
Personal data breach notification

In case of a data breach of Customer Data, IDEMIA will notify the Customer without undue delay after becoming aware of it. The information notified, where appropriate in stages, shall describe the nature of the data breach, including where possible:
- The categories and approximate number of data subjects, as well as the categories and approximate number of personal data records concerned;
- The name and contact details of the Data Protection Officer or the contact point from which further information can be obtained;
- A description of the likely consequences of the data breach in question;
- A description of the measures taken or proposed to remedy the breach of personal data, including, where appropriate, measures to mitigate any negative effects.
IDEMIA undertakes to cooperate in good faith with the Customer for any notification to the Supervisory authority and for any information to the Data Subjects.
Transfer of personal data outside the customer country

Where relevant IDEMIA undertakes not to transfer personal data outside the EEA without putting into place the necessary legal instruments such as for EU Customers EU Commission Standard Contractual Clauses (Decision 2010/87/EC).

The Data Controller authorizes the Data Processor, to enter, on its behalf, into the EU Commission Standard contractual Clauses with Sub-processors in a third country provided that the conditions set in Article 6 above are met.
Opt-out and erasure of personal data

Users may opt-out of the collection of PII or Personal data by uninstalling all software from all devices and instructing IDEMIA in writing to cancel the services and destroying all user’s PII and personal data at https://portalidemia.atlassian.net/servicedesk/customer/portals.

In the event of termination for any reason whatsoever of the Agreement, IDEMIA undertakes to erase personal data it processes on behalf of the Controller, unless the regulations require their retention. In particular as regards the rules of prescription. By default IDEMIA will retain PII or Personal data up to 30 days to support the trial and improve the overall service performances.
Cooperation and assistance

IDEMIA undertakes to provide commercially reasonable efforts to assist its Customer in (1) the carrying out of Data Protection Impact Assessment and consultation with Supervisory Authorities; (2) responding to data subjects’ requests and complaints; (3) demonstrating compliance with data protection regulation.
Audit by the customer

Upon Customer’s written request at reasonable intervals, no more than once per calendar year, and subject to the confidentiality obligations, IDEMIA shall make available to Customer or to the designated independent third party auditor - that is not a competitor of and has no conflict of interests with IDEMIA - a copy of its most recent third-party audits or certifications, as applicable.

To the extent it is not possible to otherwise satisfy an audit obligation mandated by any relevant legal or regulatory requirements, including Data Protection Laws and Regulations, only a third party auditor mutually agreed by the Parties may conduct an onsite visit of the facilities used by IDEMIA to provide the Services. As per IDEMIA’s security policy, no access to IDEMIA’s systems and equipment is authorized.

The date of the audit, its duration and scope shall be defined by mutual agreement between the Parties. In any event, the audit may only be conducted 20 working days after these arrangements have been defined by mutual agreement. The audit can only be carried out during IDEMIA's business hours and in a manner that does not disrupt its activities.

The Customer shall bear all costs incurred by the audit, including but not limited to the auditor's fees. It shall reimburse IDEMIA for all expenses and costs incurred by this audit, including the time spent by its employees on the audit based on the average hourly rate of IDEMIA staff who contributed to this audit.
Liability

Data Processor’s liability towards the Data Controller is set forth at article 8 of the Terms and Conditions of trial.
Update of the Privacy Policy

IDEMIA will occasionally update the Privacy Policy contained in this Data Processing Agreement. The latest version of these Privacy Policy can be found at https://experience.idemia.com/ Downloading or use of the Services after any changes to the Privacy Policy, constitutes consent to the revised Privacy Policy.

Appendix 1

Processing subject to the agreement

The purpose of the processing,
The personal data collected and processed (including special categories of data),
The categories of data subjects,
The data retention period,
Data sharing with third parties and data transfer

Are described in the Privacy Policy available here