USER PRIVACY RIGHTS POLICY
Last Modified: November 15, 2020
NAYAX values the privacy rights of our Users. Thus, we have designed this User Privacy Rights Policy (“User Rights Policy” or “Policy”) as an overview of your rights regarding your personal data, under the following legislation:
(i) The EU General Data Protection Regulation (“GDPR”), which shall apply to you in the event you are a resident of the European Economic Area (“EEA”); and
(ii) The California Consumer Privacy Act of 2018 (“CCPA” or “Act”) which shall apply to you in the event you are a “California Resident”, as defined under the CCPA.
This Policy is an integral part of our Privacy Policy. Any terms used herein and not defined shall have the meaning ascribed to them in the Privacy Policy.
This Policy applies solely to your rights concerning Personal Data or Personal Information (as defined under the applicable law) processed by us. If you wish to submit a request to exercise any of your rights please fill in the form available at:https://s3.amazonaws.com/static.nayax.com/policy/DSR.html and send it to us at: privacy@nayax.com.
Your Right to be Informed
You have the right to be informed with respect to our details (e.g. name, address, etc.), as well as why and how we process Personal Data. This right includes, among others, the right to be informed of the identity of the business, the reasons and lawful basis for processing Personal Data, and additional information necessary to ensure the fair and transparent processing of Personal Data. Furthermore, you have the right to be informed of the categories of Personal Information collected, sold, disclosed by us in the previous 12 months, therefore we ensure our Privacy Notice discloses all of the above and is updated every 12 months.
Right to Access
You have a right to request us to confirm whether we process certain Personal Data related you, as well as a right to obtain a copy of such Personal Data, with additional information regarding how and why we use this Personal Data. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the Personal Data or a description of the Personal Data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the Personal Data if not provided by you. Our response detailed above will be provided within the period required by law (please see additional information under “Response Timing and Format” below). Notwithstanding the above, the GDPR and CCPA provide different protections, the GDPR enables access to all Personal Data processed by a controller, however the CCPA access right applies only to Personal Information collected in the 12 months prior to the request.
The Right of Rectification
If Personal Data held by us is not accurate, incomplete or out-of-date, you may require us to update such data so it will be correct. Furthermore, in the event we have passed on incorrect information about you to a third party, you also have a right to oblige us to inform those third parties that the applicable information should be updated.
Erasure Rights (“right to be forgotten” or “right of deletion”, as applicable)
We are legally obligated to comply with a request to delete Personal Data if: the data is no longer needed for the original purpose and no new lawful purpose exists for continued processing; the lawful basis for processing is consent of the data subject and such consent is withdrawn; the data subject exercises his or her right to object to our processing of his or her Personal Data, and we have no overriding grounds for processing the data; the Personal Data is processed unlawfully; or the erasure of the Personal Data is necessary to comply with applicable laws.
In addition, if we transferred Personal Data to a third party, a data subject also has a right to oblige us to tell those third parties that the information should be erased. The right to erasure is not absolute. Even if a data subject falls into one of the categories described above, we are entitled to reject the data subject’s request and continue processing data if such processing is (depending on the relevant law that applies to you): necessary to comply with legal or regulatory obligations; necessary to establish, exercise or defend legal claims; is necessary for scientific research etc.; necessary to perform a contract between you and us; necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; necessary to debug to identify and repair errors that impair existing intended functionality; or solely for our internal use that are reasonably aligned with your expectations based on our relationship with you – all subject to applicable laws.
Right to Object
With regards to Personal Data processed by us under the lawful basis of our legitimate interests (such as direct marketing), you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the Personal Data in the event that (subject to applicable laws and regulations):
(i) our legitimate interests for processing override your rights, interests and freedoms.
(ii) the processing of such Personal Data is necessary to establish, exercise or defend a legal claim or right, etc.
The Right of Restriction
A data subject may limit the purposes for which we may process his/her Personal Data. Our processing activities may be restricted if: the accuracy of the data is contested; processing is unlawful and data subject requests restriction instead of erasure; we no longer need the data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or consideration of overriding grounds in the context of an erasure request.
Data Portability
You may request us to send or “port” your Personal Data that is held by us to a third-party entity, however note, the GDPR and the CCPA apply differently to this right, thus, we will handle this according to your relevant jurisdiction.
Do Not Sell
You have the right to know what Personal Data is sold, to whom and for what purpose. You also have the right to request the data not to be sold. Note, “selling” data under the CCPA includes any transfer of data for the purpose of receiving valuable goods.
Nondiscrimination
Under the CCPA, you must not be discriminated against for exercising any of your rights, including: by being denied goods or services; being charged different fees for goods or services, including through the use of discounts or other benefits or imposing penalties; it being suggested that you will receive a different price or rate for goods or services if you exercise your rights. Notwithstanding the above, it is permitted to set up schemes for providing financial incentives and you can opt-in to become part of them.
Response Timing and Format
- Time. We endeavor to respond to a verifiable consumer request without undue delay and in any event within 30 days from the receipt of the request subject to GDPR, and between 10-45 days from receipt of a request subject to CCPA.
- Extension. If we require more time, we will inform you of the reason and extension period in writing. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
- Fees. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Furthermore, please note, that under the CCPA you are not entitled to submit more than 2 requests in a 12 month period.
Please submit a request by:
Emailing us at: privacy@nayax.com.