2.1 Concerned data processing

This Appendix is intended to address the respective responsibilities of Lemonway and the Partner related to the data processing activities carried out for the following purposes:

2.1.1 The management of the Payment Transactions and the Payment Accounts of the Account Holders opened in the books of Lemonway;

2.1.2 The management of KYC;

2.1.3 The management of AML-CFT

2.2 Categories of personal data

The personal data processed in this context by the Parties, with regard to the Partner's natural person users, are the following:

2.2.1 Identity / civil-status data;

2.2.2 Connection data;

2.2.3 Economic and financial information data.

2.3 Qualifications of the Parties in the scope of the data processing

The data processing is carried out by Lemonway on its own behalf, and as the data controller (i) in the context of its regulatory obligations regarding anti-money laundering and combating the financing of terrorism (article L. 561-2 of the French Monetary and Financial Code), in order to fulfil regulatory obligations that are not imposed by its Partner and (ii) in the context of the management of Payment Transactions and Payment Accounts, as a Payment services provider.

The Partner manages the direct contact with the data subjects. The Partner transmits to Lemonway the personal data necessary to carry out the data processing and informs the data subjects of the existence of the data processing. The Partner acts as a data processor of Lemonway for these data processings.

4.1 Lemonway’s instructions

Lemonway acts as data controller and the Partner as data processor for the purposes defined in article 2.1 above and subject of this Appendix. As a data processor of Lemonway, the Partner undertakes to process personal data only in strict compliance with the documented instructions of Lemonway and only for the purposes described above, expressly defined and authorized by Lemonway.

In particular, any transfer of personal data to a country outside the European Economic Area or to the United Kingdom is subject to instructions from Lemonway.

The Partner may only take initiatives in relation to Lemonway's instructions concerning the data processing, for obligations requested by a regulation of the European Union or one of the Member States to which the Partner is subject, in which case the Partner, insofar as the law allows it, will notify Lemonway before any modification of the data processing.

Failure to comply with the obligations set out in this Appendix shall be a breach of contract allowing Lemonway to terminate the Agreement for breach on ten days written notice if the breach is not remedied, unless Lemonway failed to communicate or express its instructions.

The Partner shall immediately inform Lemonway in the event that:

4.1.1 the Partner is no longer able to perform the Agreement in accordance with Lemonway's instructions or the Applicable Data Protection Laws;

4.1.2 an instruction from Lemonway does not seem to be compliant with the Applicable Data Protection Laws for the Partner.

4.2 Support, alert and duty to advise

The Partner must support Lemonway in handling requests from a data protection supervisory authority (a “Supervisory Authority”).

The Partner shall make available to Lemonway the documentation necessary to prove compliance with its obligations and to facilitate audits and inspections by the data controller or an authorized representative.

The Partner shall use its reasonable efforts to provide Lemonway all necessary support to:

4.2.1 Help Lemonway in carrying out data protection impact assessments and, if necessary, in carrying out prior consultation with the Supervisory Authority;

4.2.2 Help Lemonway in ensuring compliance with its obligations under the Applicable Data Protection Laws with respect to security, including notifying the Supervisory Authority and data subjects of a personal data breach, conducting personal data protection impact assessments with or without prior consultation, and generally, as necessary, in connection with exchanges and requests from a Supervisory Authority;

Respond to requests from the data subjects, exercising their rights under the Applicable Data Protection Laws.

If the Partner receives requests from the data subjects to exercise their rights, the Partner shall in no case respond directly to them. In this case, the Partner must immediately forward the request to the data controller using the email of Lemonway's DPO: dpo@lemonway.com.

4.3 Security of the transfer

With regard to the personal data of the users of the Partner's services that Lemonway must process within the framework of its legal and regulatory obligations, due to the sensitive nature of the data the Partner will have access according to this Agreement, the Partner undertakes to take all necessary and appropriate measures to protect and transmit the aforementioned personal data in complete security.

The Partner undertakes to ensure the confidentiality, integrity, backup and archiving of the personal data it collects and transmits to Lemonway according to this Agreement.

The Partner is required to:

4.3.1 warranty the security of the information it processes, collects and transfers and of its information system by all necessary and appropriate measures guaranteeing secure access to its information system, limiting the access to the sole persons authorized for the purpose of the strict execution of this Agreement and, in general, guaranteeing the confidentiality, integrity and control of the disclosure of the concerned personal data;

4.3.2 Ensure the integrity of its information system, in particular by safeguarding the personal data it processes in its information system, in such a way as to enable the service to be restored in the event of any incident whatsoever, and by archiving personal data under the conditions defined in the Agreement, as well as the availability of the data, the traceability of access at all times, and include, in particular:

4.3.2.1 Encryption of personal data in accordance with the requirements of established professional practices in the field;

4.3.2.2 Identification and security of premises (locked access, restricted access requiring authorization and authentication, etc.);

4.3.2.3 The identification and strict control of access by staff to personal data and to the environments supporting the services delivered (registered accounts, password policy, traceability of access and actions, review of accounts, etc.);

4.3.2.4 Logical security (network segmentation, reinforcement of configurations, anti-intrusion probes, firewalls, authentication and archiving of access to personal data, incident simulations, clock synchronization, etc.);

4.3.2.5 Protection of administration interfaces against unauthorized access (use of VPN, secure authentication, use of secure and encrypted protocols);

4.3.2.6 For systems exposed on public networks, the implementation of appropriate security measures (reverse proxy, WAF, anti-DDoS);

4.3.2.7 Securing the flow of personal data exchanges in such a way that they cannot be exploited by an unauthorised third party;

4.3.2.8 Keeping a historical log of activities on the computer system;

4.3.2.9 Protection of computer environments with up-to-date antivirus software (virus programs and list of viruses);

4.3.2.10 The secure destruction of personal data;

4.3.2.11 The implementation of control procedures to ensure the level of security (intrusion tests, vulnerability scans, security audits, etc.);

4.3.3 Guarantee the confidentiality of personal data and only rely on employees and representatives bound by confidentiality agreements or subject to an appropriate legal obligation of confidentiality

4.3.4 Ensure that processing tools and procedures comply with the principles of personal data protection from the design stage and by default ("Privacy by default" and "Privacy by design") and make them evolve to ensure this respect;

4.3.5 Regularly train its employees and representatives on personal data protection and security - in particular, train the employees who may access personal data on good practices to ensure the security of information and regulatory compliance practices;

4.3.6 In general, to implement, take, maintain and update all organisational, logical and technical measures necessary or appropriate in order to ensure an adequate level of security of the data processing entrusted with regard to (i) the state of known techniques, (ii) the modalities of the data processing entrusted as described herein (nature, scope, context, purpose of the data processing, probability and seriousness of the risks to the rights and freedoms of individuals in the event of destruction, loss, alteration, disclosure of personal data or unauthorised access) and/or in Lemonway's documented instructions, and in any event (iii) the security requirements provided for or arising from Applicable Data Protection Laws, the practice and documentation of Supervisory Authorities, as well as any national, European or international laws and regulations and standards laying down obligations or standards applicable to the security of personal data or information systems, in accordance with the highest of the following standards:

4.3.6.1 the state of the art and recommendations published by the Supervisory Authorities or the administrative authorities responsible for computer security;

4.3.6.2 industry standards, including ISO standards;

4.3.7 Maintain a record of processing activities carried out on behalf of Lemonway, in accordance with article 30.2 of the GDPR, and inform Lemonway of any request for information or investigation by a Supervisory Authority concerning the performance of the Agreement.

4.4 Notification of a data breach

The Partner sets up a system enabling it to detect, handle and notify any violation of the personal data processed according to this Agreement.

The Partner notifies Lemonway without delay of any data breach or suspected data breach by sending an e-mail to Lemonway's DPO: dpo@lemonway.com.

A first notification shall be provided by the Partner to Lemonway without delay as soon as the Partner becomes aware of the event. The Partner shall provide additional information no later than 48 hours following awareness of the event, including, at least, the information necessary for Lemonway to notify the data breach to the French Supervisory Authority (the CNIL).

This notification occurs when there is a data breach or suspected data breach, regardless of the associated risk. The assessment of the risk is Lemonway’s responsibility. The Partner undertakes to assist Lemonway promptly in assessing the risk.

The Partner provides Lemonway with any useful documentation to enable Lemonway, if necessary, to notify the CNIL of the data breach.

The Partner agrees to cooperate with Lemonway to:

4.4.1 Limit the consequences of the data breach and take steps to remedy the data breach, including, where appropriate, measures to mitigate any negative consequences;

4.4.2 Notify the competent Supervisory Authority (the CNIL) of any violation. The notification must include various elements:

4.4.2.1 a description of the nature of the personal data breach, listing by category the number of persons affected by the data breach and the number of personal data backups affected;

4.4.2.2 the name and contact details of the data protection officer, and if applicable, the competent person holding the necessary information;

4.4.2.3 a description of the consequences of a data breach;

4.4.2.4 a description of the measures to be taken, or proposals for measures to be taken, to remedy the data breach, including, where appropriate, measures to mitigate the negative consequences caused by the data breach.

The Partner undertakes to mobilize the appropriate human and technical means in order to take the necessary security measures, and not to make any notification to the data subjects concerned or Supervisory Authorities without instructions and approval from Lemonway.

4.5 Resort to sub-processing by the Partner

The Partner may resort to a subsequent sub-processor (the “Subsequent Sub-Processor”) to perform the data processing activities. In this case, the Partner notifies Lemonway in advance and in writing of any planned changes regarding the addition or replacement of any Subsequent Sub-Processors. This information must clearly indicate the processing activities being sub-processed, the identity and contact details of the Subsequent Sub-Processor and the dates of the sub-processing agreement. Lemonway will have a minimum of 72 hours from the date of receipt of this information to submit its objections. This sub-processing can only be carried out if Lemonway has not objected within the agreed time period.

The Partner is responsible for the Subsequent Sub-Processors. The Partner undertakes to enter into written contracts with the Subsequent Sub-Processors in accordance with article 28 of the GDPR and incorporate the commitments it made to Lemonway in this schedule. The Subsequent Sub-Processors shall furthermore:

4.5.1 Fulfil their obligations at all times;

4.5.2 Take all necessary measures to protect the security and confidentiality of the personal data, including in case of transfer of said data outside the European Economic Area;

4.5.3 Obtain prior and written authorisation from Lemonway, in order to carry out data transfers outside the European Economic Area;

4.5.4 They shall provide the following guarantees to ensure the implementation of confidentiality and security measures:

4.5.4.1 Independence;

4.5.4.2 Establishment and provision upon first request of documentation describing the confidentiality implemented within the solution to protect personal data;

4.5.4.3 Conclusion of standard contractual clauses governing a potential transfer of data to a Subsequent Sub-Processor that is not located in the European Economic Area, or any equivalent mechanism duly recognised by the Supervisory Authorities;

4.5.4.4 Regular internal controls and audits to verify that internal data protection systems and procedures remain in place for the entire period during which said data is stored;

4.5.4.5 Implementing and maintaining a procedure for reporting any violation or unauthorised access to data - proven or suspected - resulting in immediately warning the data controller and, where applicable, the Supervisory Authority and the person concerned;

4.5.4.6 Implementing and maintaining a procedure for receiving and executing requests made by individuals to exercise their rights.

4.6 Duty of the Partner as intermediary with the data subjects

The Parties undertake to:

4.6.1 Establish a contact person to liaise between the parties:

4.6.1.1 DPO Lemonway: dpo@lemonway.com

4.6.1.1 DPO Partner (cf. Appendix “Partner and UBO identification”);

4.6.2 Inform each other of any changes to the data processing carried out under this Agreement and in particular, without this list being exhaustive, in the event of changes in the purposes of the processing or in the technical and organisational security measures implemented.

5. OBLIGATIONS OF LEMONWAY

It is the responsibility of Lemonway, as data controller with respect to the Applicable Data Protection Laws, to carry out the data processing in strict compliance with the Applicable Data Protection Laws, both with respect to the purpose of the processing, the duration of storage of the personal data and the information to be provided to the data subjects.

5.1 Either to the definitive and irreversible deletion of all personal data still in its possession;

5.2 Either to return all of the personal data to Lemonway in an intact and reusable format, and to order all of its Subsequent Sub-Processors to proceed to this deletion or return.

In the absence of an express documented instruction from Lemonway, the Partner shall, accordingly with the preceding paragraph, operate the deletion of the personal data.

Deletion and return of personal data, in the meaning of the two preceding paragraphs mean the deletion and return of, in particular, any files, documents, media, or materials of any other nature which contain personal data entrusted under this Agreement.

In the event of the deletion of personal data, the Partner undertakes to keep all necessary and useful proof of the proper performance of this deletion, in any convenient form, including certifications or statements from professional third parties, and to communicate this proof to Lemonway upon first request.

It is understood, for the application of this article, that the deletion of personal data resulting from the end of the contractual relationship between the Parties does not compel the Partner to definitively and irreversibly delete personal data that it continues to process and / or to store in the context of data processing activities for which the Partner is itself data controller or for which the Partner is the processor for the account of a data controller other than Lemonway.

6. TRANSFERS OF PERSONAL DATA OUTSIDE OF THE EUROPEAN ECONOMIC AREA

If the Partner subscribes to the Faster Payment service, Account Holders’ personal data may be transferred to the subcontractors of Lemonway located outside the European Economic Area with an adequate level of protection in accordance with the Applicable Data Protection Laws. These transfers which comply with the provisions of the Framework Agreement for Payment Services entered into between Lemonway and the Account Holders, are made only to the extent necessary for the provision of the Payment Services.

The Partner undertakes to carry out transfers of personal data outside the European Economic Area only on condition that (i) it has previously informed Lemonway of the location of the recipients concerned, (ii) it has obtained Lemonway's prior written consent to proceed to the transfer of personal data outside the European Economic Area, and (iii) the implementation of appropriate safeguards for the security of such transfer outside the European Economic Area, namely the signature between each recipient and the Partner or Lemonway (at the choice of the latter) of standard contractual clauses "controller/ processor" adopted by the European Commission or adopted by a Supervisory Authority and approved by the European Commission in accordance with article 46.2. (c) and (d) of the GDPR.

In the event that the Partner considers that the transfer of the personal data outside the European Economic Area may benefit from one of the derogations referred to in article 49 of the GDPR, the Partner will inform Lemonway, which will in all circumstances remain the sole judge of the need to implement the above-mentioned appropriate safeguards.

In the event that the means chosen to provide the aforementioned appropriate safeguards should disappear, be invalidated or become null and void for any reason whatsoever, the Partner undertakes to immediately stop all affected or concerned transfers of personal data outside the European Economic Area, and to propose to Lemonway alternative transitory solutions including hosting the personal data entrusted to it in the European Economic Area. The Parties undertake in such a case to negotiate in good faith with a view to reaching a prompt solution to restore appropriate safeguards for the transfer of data outside the European Economic Area. Unless it presents the characteristics of a case of force majeure, this situation shall not justify the suspension of the performance of the Agreement or its termination by the Partner.