Data processing agreement 

Appendix No 3 under license agreement (the ”Agreement”) that is concluded between SIA ATOM Tech, registration number: 40203185808 (the ”Licensor”) and the ”Licensee”.

This Data Processing Agreement is concluded by and between SIA ATOM Tech, registration number: 40203185808, address: Aldaru iela 10-4, LV-1050, Riga, Latvia (the ”Licensor”) and User of the services of the Licensor (the “Licensee”) who has agreed to be bound by this Data Processing Agreement (“Data Processing Agreement”). 
1. Definitions1.1. “Agreement” means contractual relationship of the Licensor and Licensee governed by agreement to which this Data Processing Agreement is annexed;1.2. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;1.3. “License subject” package of software developed and maintained by the Licensor and which is being licensed to the Licensee under the Agreement;1.4. “Services” means services provided under the agreement concluded between Licensor and Licensee which are regulated by this Data Processing Agreement;1.5. Other terms used in this Appendix shall have the same meaning as in the GDPR, including, such terms as “Data Controller”, “Data Processor”, “Personal data” and “Data subject”, “Processing” and other terms where the context requires so. 
2. Scope and roles2.1. Within the scope of Services provided under the Agreement, including licensing of License subject, the Licensor will obtain access to personal data of users of the License subject. Licensor is obliged to Process Personal data only as far as required for fulfilment of the Agreement with the ultimate purpose of supporting the vehicle sharing business of Licensee through use of License subject. 2.2. For the purposes of this Agreement, the Licensor shall be deemed to be the Data Processor whereas the Licensee shall be the Data Controller. 2.3. The Licensee as the Data Controller retains the sole responsibility and liability over the personal data Processed using License subject. As a Data Controller the Licensee determines what Personal Data to gather about its clients, how such Personal data are used and for what purposes. 2.4. Licensee as Data Controller is responsible for notifying respective Data subjects of the data Processing as required under the applicable normative acts, including GDPR article 13 and 14. Licensee may use License subject to deliver respective privacy notices to its clients who will use its service via License subject. 
3. Personal data 3.1. Personal data Processed is that of users of License subject mobile app and include the following types of Personal data: personal identification data including name, surname, communications data (e.g., telephone, email address), ride history, device used by users, language, and paid-up balance for rides. Other Personal data can be processed at the request of the Licensee. 3.2. Licensee has access to all Personal data generated and processed by the Licensor. 
4. Personal data processing4.1. Licensor may Process Personal data:4.1.1. To maintain functioning of the License subject that enables users to rent vehicles using mobile app;4.1.2. Allow Licensee to monitor rides and ride history, manage clients, obtain statistics;4.1.3. Organize vehicle collection and servicing;4.1.4. Monitor incoming payments, detect debtors;4.1.5. Identify and investigate any incidents, improve functioning of the License subject.4.2. Data Processed for the performance of the Agreement may be used by Licensor to calculate fees chargeable under the Agreement.  4.3. Taking into account the costs of implementation and the nature, scope, context and purposes of Personal data Processing as well as the risk of varying likelihood and severity, the Licensor shall implement technical and organisational measures for protection of Personal data, that include:4.3.1. Physical security: Licensor protects Personal data against harm arising from access to Licensor’s facilities, hardware or network by protecting facilities from unauthorised access, restricting access to such facilities for authorised staff only;4.3.2. Access: Licensor ensures that only authorised staff may have access to Personal data Processed under the Agreement and only to an extent required for fulfilment of tasks under the Agreement;4.3.3. Encryption: Licensor enables security measures provided by Amazon Web Services for the protection of Personal data, including, encryption of Personal data stored on Amazon Web Services;4.3.4. Handling traffic: to ensure data and service availability, load balancer is used to balance varying load of incoming traffic.4.4. Technical and organisational measures are subject to technical progress and further developments. In that regard, the Licensor is permitted to implement alternative adequate measures. The security level of the specified measures must be adequate. 4.5. The Licensor may not rectify, erase or restrict the Processing of the personal data that is Processed on behalf of the Licensee on its own authority, but only in accordance with documented instruction from Licensee. If a person concerned contacts the Licensor directly in this regard, the Licensor shall immediately forward this request to the Licensee.4.6. Insofar as the scope of Agreement includes, the deletion concept, the right to be forgotten, correction, data portability and information shall be ensured directly by the Licensee, whereas Licensor may provide its assistance where necessary for execution of such request.  4.7. Licensor shall maintain confidentiality of the Personal data. In carrying out work, the Licensor shall exclusively use employees who are bound to confidentiality, and who have previously been familiarised with the relevant data protection provisions. The Licensor and any person under his/her control who has access to personal data may Process such data exclusively in accordance with the instructions of the Licensee, including the powers granted in this Agreement, unless they are legally obliged to Process it.4.8. On request, the Licensee and the Licensor shall cooperate with the supervisory authority in the performance of their duties and shall inform each other thereof without delay about any requests or notifications concerning License subject. This also applies to investigations within the scope of administrative offenses as well as to liability claims of affected persons or third parties or other claims in connection with License subject.4.9. The Licensor shall regularly monitor internal processes and technical and organisational measures to ensure that Processing within its area of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.4.10. Sub-contracting relationships within the meaning of this provision shall be understood to mean those services that relate directly to the provision of the Service and delivery of License subject. The Licensor may sub-contract some Personal data Processing to other sub-contractors. Data Controller hereby authorises the Licensor to use any sub-contractors at the discretion of the Licensor as far as necessary for the performance of the Agreement. Such sub-contractors may include sub-contractors out of EU/EEA, including, but not limited to, Amazon Web Services. Licensor will inform Licensee of any intended changes concerning the addition or replacement of other sub-contractors. 
5. Rights and obligations5.1. The Licensor shall support the Licensee in complying with the obligations specified in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data leaks, data protection impact assessments and prior consultations. These include, but are not limited to:5.1.1. The obligation to report violations of personal data to the Licensee without delay;5.1.2. The obligation to support the Licensee in the context of its duty to inform the Data subject and to make all relevant information available to him in this connection without delay;5.1.3. The support of the Licensee in its data protection impact assessment;5.1.4. Supporting the Licensee in prior consultations with the supervisory authority.5.2. The Licensor is entitled to remuneration for support services that are not included in the Service specifications. 5.3. Licensee has an authority to issue instructions concerning Personal data Processing.
6. Deletion and return of personal data 6.1. Copies or duplicates of Personal data may not be created without the Licensee's knowledge. This excludes backups as well as data that are required in order to comply with legal retention requirements.6.2. During the validity of the Agreement as well as upon termination of the Agreement the Licensee may copy or otherwise extract Personal data stored in the License subject and corresponding software. Upon the termination of the Agreement, the Licensee may require Licensor to delete Personal data stored or otherwise Processed using License subject. 6.3. Documentation that serves as proof of order-compliant and proper Personal data Processing may be kept by the Licensor in accordance with the respective retention periods beyond the term of the Agreement. However, for his own relief, the Licensor may also return them to the Licensee at the end of the Agreement.6.4. Upon the request of the Licensee, the Licensor makes available to the Licensee all information necessary to demonstrate compliance with the obligations laid down in this Appendix and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
7. Changes to the Data Processing Agreement7.1. This Data Processing Agreement may be subject to changes from time to time. Licensor shall inform Licensee of any material changes to this Data Processing Agreement prior to the changes taking place.