Data Protection Addendum.

This Data Protection Addendum, referred to as the “Addendum”, forms part of the agreement you've engaged in with the relevant BEEM group entity as specified in the table below (referred to as “BEEM”, “PayBEEM”, “we”, “us”, and “our”) (each individually a “party”, collectively the “parties”) (referred to as the “Agreement”). Should any conflict arise between the terms of this Addendum and other provisions within the Agreement or the Privacy Policy, the terms of this Addendum shall take precedence. The subsequent table delineates the various BEEM group entities subject to this Addendum, along with their respective roles in each applicable Agreement:

Entity: Aspera Payments PTY Ltd.

Agreement: Master Service Agreement

Role: Controller; or Joint Controller or processor, only when so determined by a Supervisory Authority or a court of law


1. Definitions and Interpretation

1.1. Unless specified otherwise in context, capitalised terms utilised in this Addendum shall bear the definitions as provided below or as otherwise outlined in the Agreement:

“Agreement”

Refers to the agreement between you and the corresponding BEEM group entity listed in the table above, which includes this Addendum by reference.

“Applicable Laws”

Refers to any laws, regulations, regulatory constraints, obligations, or rules in Australia or any other pertinent jurisdiction which are applicable to the respective Agreement and this Addendum. This includes binding codes of conduct and statements of principle incorporated and encompassed in such rules from time to time. Interpretation, where applicable, aligns with any guidance, code of conduct, or similar document issued by a relevant regulatory authority.

“Appropriate Safeguards”

Refers to legally enforceable mechanisms for the transfer of personal data permitted under the GDPR, including those delineated in Article 46 GDPR and the establishment of binding corporate rules as outlined in Article 47 GDPR.

“Commencement Date”

This means the date on which the Agreement becomes effective.

“Controller Data”

Has the definition provided in Part 3 of this Addendum.

“Data Complaint”

Refers to any complaint or request pertaining to the obligations of either party under the Data Protection Laws relevant to the Agreement. This includes complaints from data subjects or any notices, investigations, or actions initiated by a Supervisory Authority.

“Data Processing Term”

Has the definition ascribed to it in Schedule 1 of this Addendum.

“Data Protection Laws”

Refers to the entirety of relevant data protection legislation (including any subsequent enactments or modifications) in any jurisdiction where our operations extend to the extent they pertain to the services rendered to you under the pertinent Agreement. This encompasses statutes such as the EU GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Australian Privacy Act 1988, and any additional directly applicable local or national privacy regulations (or directives).

“Data Subject Request”

Refers to a data subject's request to exercise any rights granted to them under the Data Protection Laws concerning the Protected Data.

“Joint Data”

Has the definition provided in Part 3 of this Addendum.

“Permitted Purposes”

Has the definition ascribed to it in paragraph 2.1.3 of Part 2 of this Addendum.

“Personal Data Breach”

Refers to a breach of personal data concerning, involving, or affecting the Protected Data.

“Processing Instructions”

Has the definition ascribed to it in paragraph 5.1.2 of Part 5 of this Addendum.

“Protected Data”

Refers to any personal data processed by us, whether in our capacity as a joint or independent controller or as a processor, in connection with the fulfilment of our obligations under the Agreement.

“Records”

Has the definition ascribed to it in paragraph 2.5.1 of Part 2 of this Addendum.

“Services”

Refers to the services we provide to you from time to time in accordance with the terms outlined in the relevant Agreement.

“Sub-Processor”

Refers to another processor engaged by us (while acting as a processor) to conduct processing activities regarding the Protected Data under or in connection with the Agreement.

“Supervisory Authority”

Refers to any local, national, or multinational agency, department, official, parliament, public or statutory person, government or professional body, regulatory or supervisory authority, board, or other entity tasked with administering the Data Protection Laws. 


1.2. Terms, acronyms, phrases, and abbreviations employed in the financial services industry or other relevant business context will be construed in accordance with their commonly understood meanings in such industry or business context. Lowercase terms used but not defined in this Addendum, such as "personal data," "personal data breach," "processing," "processor," "controller," "joint controller," and "data subject," carry the definitions as outlined in the Data Protection Laws.

1.3. This Addendum has the following parts:

1.3.1. Part 1. Definitions and Interpretations.

1.3.2. Part 2. General Terms: These terms apply regardless of the parties' roles.

1.3.3. Part 3. Joint Controller Terms: These terms apply only when the parties function as joint controllers.

1.3.4. Part 4. Controller Terms: These terms apply when we function as an independent controller.

1.3.5. Part 5. Processor Terms: These terms apply when we function as a processor.

1.4. In the event of a conflict between this Addendum and the Agreement, this Addendum shall take precedence.

1.5. If there is any conflict between:

1.5.1. The provisions in Part 2. General Terms; and

1.5.2. The provisions in any of Part 3. Joint Controller Terms, Part 4. Controller Terms, or Part 5. Processor Terms,

1.5.3. the provisions in Part 3. Joint Controller Terms, Part 4. Controller Terms, or Part 5. Processor Terms (as applicable) shall prevail.

1.6. We retain the right to periodically update this Addendum in accordance with the terms outlined in the Agreement. This includes updates to ensure compliance with our obligations under the Data Protection Laws, to address changes to the Services (such as new functionality or features), and/or to encompass any additional services that may be provided to you over time. The prevailing terms will be those of the most recent version of this Addendum accessible on the BEEM Website, with notice deemed given on the date of publication on the BEEM Website.

2. General Terms

2.1. Scope and Purpose

2.1.1. This Addendum delineates the principles, procedures, and additional terms under which we shall handle the Protected Data. While delivering the Services and fulfilling our rights and obligations pursuant to the Agreement, we may operate as a joint controller, independent controller, or processor of the Protected Data.

2.1.2. The provisions in this Addendum do not diminish or substitute the parties' responsibilities under the Data Protection Laws concerning the safeguarding of personal data.

2.1.3. Except as provided in paragraph 2.1.4 of this Part 2, we commit to processing the Protected Data solely for the provision of the Services, or in anticipation thereof, for the execution and implementation of our rights and duties under the Agreement, for our legitimate business interests (inclusive of compliance with legal and regulatory mandates, IT security, and administrative purposes) ("Permitted Purposes"). The Protected Data shall not be processed in a manner inconsistent with the Permitted Purposes.

2.1.4. Each party shall process the Protected Data in accordance with:

2.1.4.1. The Data Protection Laws; and

2.1.4.2. The provisions of this Addendum.

2.1.5. Any inquiries regarding this Addendum and/or our processing of personal data should be directed to [email protected]. We will maintain any valid registrations and/or pay any necessary fees mandated by our Supervisory Authorities, covering the intended data processing as outlined in this Addendum where applicable.

2.2. Technical and Organisational Measures

2.2.1. We will transmit the Protected Data to any third party using secure methods outlined in Schedule 2 of this Addendum.

2.2.2. We will establish and uphold suitable technical and organisational measures to:

2.2.2.1. Ensure that processing of the Protected Data adheres to the requirements of Data Protection Laws, safeguarding the rights of data subjects; and

2.2.2.2. Safeguard the security, integrity, availability, and confidentiality of the Protected Data and prevent unauthorised or unlawful processing, accidental loss, destruction, or damage to the Protected Data. These measures will be commensurate with the potential harm resulting from unauthorised or unlawful processing or from accidental loss, destruction, or damage, considering the nature of the data to be protected.

2.2.3. The level of technical and organisational measures at the Commencement Date, in line with the matters mentioned in paragraph 2.2.2 of this Part 2, is detailed in Schedule 2 of this Addendum. These measures will be routinely tested, assessed, and evaluated to ascertain their efficacy in ensuring processing security. We will maintain records of such testing, regularly review these measures, and make updates as deemed necessary throughout the Data Processing Term.

2.2.4. We will ensure that our personnel engaged in processing Protected Data receive appropriate training to handle and process the Protected Data in accordance with the technical and organisational security measures specified in Schedule 2 of this Addendum, alongside any pertinent Data Protection Laws and guidance from a relevant Supervisory Authority.

2.2.5. The level, content, and frequency of training mentioned in paragraph 2.2.4 will be proportionate to the personnel's role, responsibilities, and frequency in handling and processing the Protected Data.

2.2.6. Our Personnel are bound by written confidentiality obligations covering their processing of any Protected Data.

2.3. International Data Transfer

2.3.1. For International Data Transfers between us, if your utilisation of the Services necessitates, under the Data Protection Laws, an onward transfer mechanism for us to legally transfer Protected Data from our jurisdiction (i.e., Australia, the EEA, or any other jurisdiction where we operate) to your jurisdiction (in case you are located outside of Australia and the EEA, and we are mandated to establish Appropriate Safeguards) (“Transfer Mechanism”), the provisions outlined in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum shall be applicable.

2.3.2. For International Data Transfers to other third parties, we will not transfer, access, or process Protected Data outside of Australia and the EEA, including to a Sub-Processor situated in such a country or territory, unless:

2.3.2.1. The European Union has determined the adequacy of that country or territory, as per Article 45 GDPR or as otherwise stipulated under the Data Protection Laws.

2.3.2.2. We have ensured that any such transfer adheres to the Data Protection Laws by implementing Appropriate Safeguards. We have also taken steps to ascertain:

2.3.2.2.1. The level of protection granted to the Protected Data in the destination country or territory is equivalent to that in Australia or EEA.

2.3.2.2.2. The data importer provides us with relevant sources and information concerning the destination country or territory and the applicable laws governing the transfer in that destination country to support the assertions outlined in 2.3.2.2.1.

2.3.2.2.3. The data importer is contractually obligated to keep us informed of any developments affecting or likely affecting the protection level that your transferred Protected Data receives in the importer’s country.

2.3.2.3. We are otherwise authorised to do so by virtue of a derogation in Article 49 of the GDPR or as otherwise specified under the Data Protection Laws.

2.3.3. If, for any reason, the transfer of Protected Data pursuant to paragraphs 2.3.2.1, 2.3.2.2, or 2.3.2.3 of this Part 2. General Terms becomes unlawful, we will promptly implement other Appropriate Safeguards. We will ensure that the level of protection afforded to the Protected Data in the destination country or territory is equivalent to that in the EEA and/or Australia. If unable to do so, we will discontinue any such transfer of Protected Data unless expressly authorised by you to continue.

2.4. Using Processors

2.4.1. When we enlist a Processor or Sub-Processor to conduct any processing tasks regarding Protected Data, we will:

2.4.1.1. Make sure a written contract exists with each Processor or Sub-Processor. This contract will mandate that the Processor or Sub-Processor only undertakes processing activities as required periodically for the purposes of their engagement by us concerning the Agreement. Additionally, they must adhere to terms and conditions that provide substantially the same level of protection for the Protected Data as outlined in this Part 2. General Terms.

2.4.1.2. Assume responsibility for the actions and oversights of any Processor or Sub-Processor regarding its data processing obligations under the Agreement, treating them as if they were our own actions and oversights.

2.4.2. We will guarantee that all individuals authorised by us (or by any Processor or Sub-Processor) to process Protected Data are bound by an obligation to maintain the confidentiality of the Protected Data. This obligation excludes cases where disclosure is mandated by Applicable Law. In such instances, where feasible and not prohibited by Applicable Law, we will inform you of such requirements before any disclosure occurs.

2.5. Records

2.5.1. We will maintain complete, accurate and up-to-date written records of all categories of processing activities carried out in accordance with the Data Protection Laws (the “Records”).

2.6. Reporting and General Obligations

2.6.1. We commit to fulfilling our obligations under the Data Protection Laws by promptly reporting any Personal Data Breach to the appropriate Supervisory Authority and, where applicable, to the affected data subjects.

2.6.2. Upon becoming aware of a Personal Data Breach, whether caused by us or otherwise related to the Services, we will promptly notify you within 48 hours and furnish you with comprehensive details of the breach. We will extend reasonable cooperation and assistance to facilitate the swift and compliant management of the breach, ensuring adherence to our obligations under the Data Protection Laws. Any release or publication of information regarding a Personal Data Breach will only occur if mandated by the Data Protection Laws and/or by a Supervisory Authority. In such cases, we will notify you beforehand of any such requirement.

2.6.3. We will promptly initiate an investigation into any Personal Data Breach involving Protected Data, taking necessary steps to identify, prevent, and mitigate its effects and subsequently remedy the breach.

2.6.4. We will keep you reasonably informed about the progress and developments concerning any ongoing Personal Data Breach.

2.7. Your Obligations

2.7.1. Regardless of whether we function as a joint controller, controller, or processor:

2.7.1.1. You hold sole responsibility for independently determining the adequacy of the technical and organisational measures implemented by you, ensuring they meet the standards mandated by the Data Protection Laws and any other obligations stipulated by Applicable Laws.

2.7.1.2. You commit to complying consistently with your obligations as a controller or joint controller (as applicable) and delivering services to clients in adherence to the Data Protection Laws.

2.7.1.3. You will maintain valid registrations and pay any required fees as mandated by your Supervisory Authority to cover your processing activities, including those outlined in the Agreement.

2.7.1.4. You will uphold sufficient data processing, privacy, and IT security policies concerning your handling of personal data and any cybersecurity incidents, aligning with the requirements of the Data Protection Laws. Compliance with these policies will be ensured by you and your personnel, who will be subject to written confidentiality obligations covering their handling of personal data. Where certain control requirements are deemed inapplicable to the Services, we may consider waiving or amending some requirements, upon notifying you of such changes in writing.

2.7.1.5. You will furnish all necessary, transparent information and notices to data subjects whose Protected Data are processed under this Addendum, ensuring lawful processing for the Permitted Purpose without requiring further consent, approval, or authorisation. Upon request, you will engage in consultations with us and comply with our reasonable requests concerning such information and notices. These communications should elucidate the purposes of processing, the legal basis, recipients of the data, and other pertinent information as mandated by the Data Protection Laws.

2.7.1.6. Upon our request, you will promptly provide reasonable evidence demonstrating compliance with your obligations regarding information provision, notices, and consent under the Data Protection Laws.

2.7.1.7. We may presume that any disclosure or transfer of personal data to us by you, directly or indirectly, is conducted in compliance with the Data Protection Laws.

2.7.1.8. You will ensure the accuracy of any personal data disclosed or transferred to us.

2.7.1.9. Excessive or irrelevant personal data not essential for the Services or the Permitted Purpose shall not be disclosed or transferred to us. Any such data contained in documents shared with us shall be promptly deleted.

2.7.1.10. Prompt notification within 48 hours is required if you become aware of a Personal Data Breach, whether by us or otherwise related to the Services. Full details of the breach must be provided, accompanied by reasonable cooperation and assistance to manage the breach in compliance with the Data Protection Laws. Any release or publication of information regarding a Personal Data Breach will only occur if mandated by the Data Protection Laws and/or by a Supervisory Authority, with prior notification to us.

2.7.1.11. Immediate notification, within no more than 2 business days where legally permissible, is required upon receiving or becoming aware of a Data Complaint. Reasonable cooperation and assistance must be provided to address the complaint.

2.7.1.12. You will offer us reasonable cooperation and assistance as needed to fulfil our obligations under the Data Protection Laws, including those concerning security, Data Subject Requests, data protection impact assessments, and consultations with a Supervisory Authority.

2.7.1.13. Any additional obligations imposed on you in other parts of this Addendum must be complied with accordingly.

2.8. Data Retention

2.8.1. We will not retain Protected Data beyond what is necessary to fulfil any Permitted Purpose.

2.8.2. We will uphold and adhere to our data retention policy, which we will furnish to you upon written request.

3. Joint Controller Terms

In instances where the parties process Protected Data as joint controllers under or in connection with the Agreement ("Joint Data"), the regulations outlined in this Part 3. Joint Controller Terms will govern the processing of Joint Data by these parties, alongside Part 2. General Terms.

3.1. Processing Joint Data

3.1.1. Each party will fulfil its controller obligations under the Data Protection Laws concerning its handling of Joint Data.

3.1.2. Each party agrees that:

3.1.2.1. Regarding the Joint Data, the parties collaborate to determine both the purpose and methods of processing.

3.1.2.2. It will process the Joint Data exclusively for the Permitted Purpose and in accordance with paragraph 2.1.3 of Part 2, subject to periodic updates.

3.1.2.3. It will ensure that the collection, processing, and transfer of Joint Data comply with the relevant Data Protection Laws.

3.1.2.4. It will be responsible for providing all necessary, transparent information and notices to data subjects, ensuring that such communications detail the processing of Joint Data required for the Permitted Purpose, including the legal basis, recipients, and other pertinent information mandated by the Data Protection Laws. These communications will transparently depict the arrangement between the parties in compliance with the Data Protection Laws.

3.1.2.5. It will collaborate with the other party to furnish any information reasonably needed for the other party to produce and disseminate its information and notices in accordance with paragraph 3.1.2.4 of this Part 3. Joint Controller Terms.

3.1.2.6. It will ensure that any data subject wishing to make a Data Subject Request has a readily accessible point of contact to do so.

3.1.2.7. It will reasonably aid the other party in ensuring compliance with the latter's obligations under the Data Protection Laws concerning security, Personal Data Breach notifications, data protection impact assessments, and consultations with Supervisory Authorities, insofar as they pertain to the processing of Joint Data.

3.2. Data Subject Requests and Data Complaint Handling

3.2.1. Upon receipt of a Data Subject Request and/or a Data Complaint concerning the processing of Joint Data, a party shall promptly notify the other party (within 48 hours of receiving the Data Subject Request, at the latest) and adhere to the stipulations outlined in this section.

3.2.2. Regarding compliance and response responsibilities:

3.2.2.1. The party initially receiving a Data Subject Request assumes responsibility for its handling.

3.2.2.2. The party receiving a Data Complaint concerning the processing of Joint Data bears responsibility for its resolution unless otherwise mutually agreed upon by the parties.

3.2.2.3. The parties commit to providing each other with reasonable assistance in managing Data Subject Requests and Data Complaints pertaining to the processing of Joint Data.

3.2.2.4. Each party shall address Data Subject Requests or Data Complaints related to Joint Data processing promptly and professionally, ensuring compliance with Data Protection Laws, including relevant timelines.

3.2.2.5. Both parties shall refrain from responding to a Data Subject Request or Data Complaint concerning the processing of Joint Data without consulting the other party, except in cases where failure to respond would result in a breach of Data Protection Laws and/or if a response is requested by a Supervisory Authority.

3.3. Personal Data Breaches

3.3.1. In the event of a Personal Data Breach concerning the Joint Data processed by either party:

3.3.1.1. The party discovering the breach shall promptly notify the other party (within 48 hours of becoming aware of the breach) and furnish a detailed description, including the type of data and the affected person(s)' identity, as soon as feasible, along with any additional information reasonably requested.

3.3.1.2. Both parties will cooperate to ascertain the breach's cause and determine the appropriate entity to inform the Supervisory Authority and/or affected data subject(s), if necessary. In the absence of an agreement, the notifying party retains the right to inform the Supervisory Authority and/or data subject(s).

3.3.1.3. The party experiencing the breach will promptly undertake necessary actions to rectify the breach and implement recovery measures, as mutually agreed upon by both parties.

3.3.2. Should you become aware of a Personal Data Breach pertaining to the Joint Data, kindly notify us via email at [email protected].

4. Controller Terms

For processing Protected Data as an independent controller under the Agreement or otherwise related to it ("Controller Data"), the regulations outlined in this Part 4. Controller Terms will govern our handling of Controller Data, alongside Part 2. General Terms.

4.1. Processing Controller Data

4.1.1. We will fulfil our obligations as a controller under the Data Protection Laws when processing Controller Data.

4.1.2. Specifically, we will:

4.1.2.1. Process Controller Data exclusively for the Permitted Purpose and in accordance with Schedule 1 of this Addendum, as updated periodically;

4.1.2.2. Provide all necessary, fair, and transparent information and notices to data subjects. We will ensure these details include the processing of Controller Data for the Permitted Purpose, the legal basis for such processing, the recipients of the Controller Data (including third parties or regulators), and any other information required by the Data Protection Laws;

4.1.2.3. Ensure that any data subject wishing to make a Data Subject Request related to Controller Data has an easily accessible point of contact.

4.2. Data Subject Request

4.2.1. If you receive a Data Subject Request or a Data Complaint regarding the processing of Controller Data, you will, to the extent legally permissible, promptly notify us by email at [email protected] within 48 hours of receipt. Unless otherwise required by Applicable Law or a Supervisory Authority, we, as the controller, will be responsible for handling such Data Subject Requests or Data Complaints in compliance with Data Protection Laws.

5. Processor Terms

When we process Protected Data as a processor on your behalf under or in connection with the Agreement, the provisions outlined in Part 5. Processor Terms will apply to our processing of Protected Data, in addition to the terms specified in Part 2. General Terms.

5.1. Instructions and Details of Processing

5.1.1. When we process Protected Data on your behalf, we will:

5.1.2. Process the Protected Data only as specified in the Agreement, Schedule 1 of this Addendum, and any other documented instructions from you ("Processing Instructions"), unless required to do otherwise by Applicable Laws. We will ensure that anyone acting under our authority also complies with these instructions; and

5.1.3. Notify you of any requirement to process Protected Data differently from the Processing Instructions, if such a requirement arises under Applicable Laws, unless those laws prohibit this disclosure on important public interest grounds.

5.2. Personnel and Other Processors

5.2.1. We will not engage a Sub-Processor to perform any processing activities concerning the Protected Data without notifying you. Compliance with paragraphs 5.2.2 and 5.2.3 of Part 5 and paragraph 2.3 of Part 2 above is required. You are deemed to have approved the new Sub-Processor if you do not object within thirty (30) calendar days from the date you received our notice.

5.2.2. We will:

5.2.2.1. Provide you with details of any Sub-Processor;

5.2.2.2. Notify you 30 days in advance of any change in a Sub-Processor (whether adding or replacing one) and provide sufficient information for you to decide whether to consent to the change. You are entitled to object to any change in the Sub-Processor and may, at your discretion (not unreasonably exercised), elect to terminate the Agreement or the part involving processing of the Protected Data by the Sub-Processor if we fail to address your objections or cease to use the relevant Sub-Processor;

5.2.2.3. Before any Sub-Processor performs processing activities regarding the Protected Data, appoint each Sub-Processor under a written contract containing obligations that provide a materially equivalent level of protection for the Protected Data as those set out in this Addendum. This includes an obligation on the Sub-Processor to offer sufficient guarantees to implement equivalent technical and organisational measures in accordance with paragraph 5.3 of this Part 5 and to delete or return the Protected Data in accordance with paragraph 5.7 of this Part 5. The contract with the Sub-Processor shall state that you may enforce compliance with the obligations if we cease to exist or become insolvent. Upon your request, we shall provide a copy of the contract with the Sub-Processor, redacting any confidential information or personal data as necessary; and

5.2.2.4. Notify you of any failure by a Sub-Processor to fulfil its contractual obligations as described in paragraph 5.2.2.3 of this Part 5.

5.2.3. We will ensure that all persons authorised by us (or by any Sub-Processor) to process Protected Data are obligated to keep the Protected Data confidential. Access to the Protected Data will be granted to personnel on a "need-to-know" basis for the Permitted Purposes only.

5.2.4. We will remain fully liable to you for any acts or omissions of any Sub-Processor and any persons authorised by us (or by any Sub-Processor) to process Protected Data as if they were our own.

5.3. Technical and Organisational Measures

5.3.1. We will implement and maintain appropriate technical and organisational measures in accordance with paragraph 3.2 of Part 2 above, to:

5.3.1.1. Ensure that the processing of Protected Data meets the minimum requirements of the Data Protection Laws (including those set out in Article 32 of the GDPR) and ensures the protection of the rights of data subjects; and

5.3.1.2. Provide reasonable assistance to you in responding to Data Subject Requests relating to Protected Data.

5.4. Information and Audit

5.4.1. Subject to paragraph 5.4.2 of this Part 5, we will, in accordance with Data Protection Laws, as reasonably necessary to demonstrate our compliance with our obligations under Part 2. General Terms, this Part 5. Processor Terms, and the Data Protection Laws (unless providing this information would breach Applicable Laws, in which case we will inform you to the extent we are permitted by Applicable Laws to do so):

5.4.1.1. Make available to you the Records as soon as reasonably practicable, unless doing so infringes Data Protection Laws or any Applicable Law (in which case, we will inform you to the extent we are permitted by law to do so); and

5.4.1.2. Allow for and contribute to audits, including inspections, by you (or an auditor mandated by you and agreed upon by us in writing).

5.4.2. You will:

5.4.2.1. Provide us with reasonable prior written notice (not less than 10 business days) of any information request, audit, and/or inspection that you require;

5.4.2.2. Ensure that the Records and all information obtained or generated by you or your auditor in connection with such information requests, inspections, and audits are kept strictly confidential and will not disclose them to a third party unless required to do so by a relevant regulator. In such a case, you will (to the extent legally permissible) provide us with not less than fourteen (14) days prior written notice of such requirement;

5.4.2.3. Ensure that any audit or inspection is undertaken during our normal business hours, with minimal disruption to our business and the business of our other customers;

5.4.2.4. Pay our reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits; and

5.4.2.5. Comply with any additional obligations regarding access by you or an auditor as set out in the Agreement.

5.4.3. Both parties are entitled to share any information referred to in this paragraph 5.4 of this Part 5, including the results of any audit, with a competent Supervisory Authority as may be necessary from time to time.

5.4.4. Nothing in paragraph 5.4 of this Part 5 gives you the right to access any data of any other customer of ours or any information that could cause us to breach our obligations under Applicable Law (including the Data Protection Laws) and/or our confidentiality obligations owed to a third party.

5.5. Assistance and Data Subject Rights

5.5.1. We are responsible for maintaining a record of Data Subject Requests. Upon receipt of any Data Subject Request, we shall immediately (and no later than within 48 hours of receipt) refer such a request to you and shall, at our own expense, promptly assist you with the request to ensure you meet the response times under the Data Protection Laws. We will not respond to a Data Subject Request without providing prior written notice to you unless required by Applicable Laws, in which case we shall, to the extent permitted by Applicable Laws, inform you of that legal requirement before responding.

5.5.2. We will provide such assistance as reasonably required by you to ensure compliance with your obligations under the Data Protection Laws with respect to:

5.5.2.1. Security of processing;

5.5.2.2. Data protection impact assessments (as defined in the Data Protection Laws);

5.5.2.3. Prior consultation with a Supervisory Authority regarding high-risk processing;

5.5.2.4. Notifications to the Supervisory Authority and/or communications to data subjects by you in response to any Personal Data Breach; and

5.5.2.5. Any remedial action to be taken in response to a Personal Data Breach and/or a Data Complaint or request relating to your obligations under the Data Protection Laws relevant to the Agreement.

5.6. Breach Notification

5.6.1. In the event of any Personal Data Breach, we will notify you without undue delay but no later than 48 hours (or earlier where possible) after becoming aware of the breach. We will provide you with details of the breach, including its nature, the categories and approximate volume of data subjects affected, the Protected Data records involved, the likely consequences, and any measures taken or to be taken by us to mitigate the breach's effects. If we cannot provide all this information at once, the initial notification will include what is available, and we will furnish the rest as soon as possible, but no later than 24 hours after it becomes available.

5.6.2. We will promptly investigate the Personal Data Breach at our own expense and take necessary steps to identify, prevent, mitigate, and remedy its effects. We will not release or publish any information concerning the breach without your prior written approval.

5.6.3. If we receive or become aware of a Data Complaint, we will promptly inform you within 48 hours of becoming aware. We will not respond to the Data Complaint without your prior written approval.

5.7. Deletion or Return of Protected Data and Copies

5.7.1. We will only process the Protected Data for the duration of the Data Processing Term.

5.7.2. Upon termination of the Agreement and at your written request, we will ensure that any Protected Data (and all copies) are securely returned to you or destroyed (at your discretion and direction) to the extent reasonably practicable, unless storage is required by Applicable Laws. In such cases, we will inform you of any such requirement. This will occur in the following circumstances:

5.7.2.1. Termination of the Agreement;

5.7.2.2. Expiry of the Data Processing Term;

5.7.2.3. When processing of the Protected Data is no longer necessary for the Permitted Purposes.


Schedule 1 – Data Processing Details

Details of Processing

Description

Scope

The processing of personal data as required for the Permitted Purpose.

Nature and Purpose

The processing of personal data as required for the Permitted Purpose.

Duration

For the duration of the Agreement and for such time as required by Applicable Laws (the “Data Processing Term”).

Types of Personal Data

We will process the categories of personal data required to provide the Services, including the following:

General personal data

  • Name

  • Age

  • Nationality

  • Passport number

  • Driver's license details

  • National identity card details

  • Bank account details

  • Home address

  • Phone number

  • Date of birth

  • IP address

  • Email address

  • Personal finances

  • Transaction data

  • Tax-related matters

  • Work-related circumstances

  • Qualifications

Only when we process Protected Data under the BEEM Master Services Agreement will we also process the following categories of personal data:

  • Cryptocurrency wallet ID

  • Cryptocurrency transaction ID

Categories of Data Subjects

Data subjects encompass the following individuals associated with you:

  • Employees

  • Directors

  • Shareholders

  • Beneficial owners

  • Authorised Users

  • Partners

  • Trustees

  • Suppliers

  • Customers and End Users

  • Job applicants

  • Consultants

  • Contractors


Schedule 2 – Security Measures

1. The security measures include:

1.1. Ensuring access to the Protected Data is granted on an "as needed" basis, utilising user and logic-based segmentation and controls. This involves employing measures such as conditional access, two-factor authentication, and just-in-time access for privileged users.

1.2. Pseudonymizing and/or encrypting the Protected Data stored or transmitted over public or wireless networks.

1.3. Implementing and maintaining business continuity, disaster recovery, and other relevant policies and procedures to safeguard the confidentiality, integrity, availability, and resilience of processing systems and services. These measures ensure the timely availability and access to Protected Data in the event of a physical or technical incident.

Schedule 3 – Cross Border Data Transfer Mechanisms

1. Definitions

Terms used in this Schedule 3 shall bear the meanings ascribed below, in the Addendum, or as otherwise defined in the EU Standard Contractual Clauses. If a term is defined in both this Schedule 3 and the EU Standard Contractual Clauses, the meaning of the term in the EU Standard Contractual Clauses shall prevail concerning the respective agreement.

“EU Standard Contractual Clauses”
Means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Cross Border Data Transfer Mechanisms

2.1. Order of Precedence. If the Services are covered by more than one Transfer Mechanism, the transfer of personal data will be governed by a single Transfer Mechanism in the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in paragraph 2.2 (EU Standard Contractual Clauses) of this Schedule 3; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Data Protection Laws.

2.2. EU Standard Contractual Clauses. The EU Standard Contractual Clauses will apply to personal data transferred via the Services from the EEA, Switzerland, Guernsey, or Jersey, either directly or via onward transfer, to any country or recipient outside these regions that is not recognised by the relevant competent authority as providing an adequate level of protection for personal data. For data transfers subject to the EU Standard Contractual Clauses, the clauses will be deemed entered into and incorporated into this Addendum by reference. The following modules may apply depending on our role as a controller, joint controller, or processor of personal data:

2.2.1. Module One (Controller to Controller) of the EU Standard Contractual Clauses;

2.2.2. Module Two (Controller to Processor) of the EU Standard Contractual Clauses;

2.2.3. Module Three (Processor to Processor) of the EU Standard Contractual Clauses;

2.2.4. Module Four (Processor to Controller) of the EU Standard Contractual Clauses;

2.2.5. For each module, where applicable, the modules will be completed as follows:

2.2.5.1. In Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;

2.2.5.2. In Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply, and the time period for prior written notice of sub-processor changes will be as set forth in paragraph 5.2.2.2 in Part 5 (Processor Terms) of this Addendum;

2.2.5.3. In Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;

2.2.5.4. In Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;

2.2.5.5. In Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;

2.2.5.6. In Annex I, Part A of the EU Standard Contractual Clauses:

Data Exporter:
BEEM

Contact Details:
[email protected]

Data Exporter Role:
The Data Exporter’s role is set forth in the table setting out the different BEEM groups on page 2 of this Addendum.

Signature and Date:
By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the Commencement Date of the Agreement.

Data Importer:
BEEM customer (based in third country outside EU)

Contact Details:
The email address(es) designated by Customer as provided to BEEM via the onboarding journey, or otherwise provided to BEEM from time to time.

Data Importer Role:
The Data Importer’s role is set forth in paragraph 2.1 in Part 2 of this Addendum.

Signature and Date:
By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Commencement Date of the Agreement.

2.2.5.7. In Annex I, Part B of the EU Standard Contractual Clauses:

2.2.5.7.1. The categories of data subjects are set forth in Schedule 1 (Data Processing Details) of this Addendum;

2.2.5.7.2. The frequency of the transfer is on a continuous basis for the duration of the Agreement;

2.2.5.7.3. The nature of the processing is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum;

2.2.5.7.4. The purpose of the processing is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum;

2.2.5.7.5. The period for which the personal data will be retained is set forth in the table in Schedule 1 (Data Processing Details) of this Addendum;

2.2.5.7.6. For transfers to sub-processors, the subject matter, nature, and duration of the processing can be requested from [email protected];

2.2.5.7.7. In Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority;

2.2.5.7.8. Schedule 2 (Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.