Privacy Policy

This appendix details all the obligations that apply to any processing by Myriad of personal data received from the Customer, in accordance with the GDPR or any other legislation applicable in the Territory.

The Parties acknowledge that, for the processing of personal data carried out in the context of the Services, the Customer acts as the data controller and Myriad acts as the Customer's subcontractor.

In this context, the processing of the Customer's personal data by Myriad is described below:

- Nature of processing: messaging and/or authentication service described in the Services appendix.
- Purpose(s) of processing:

o Associate the MSISDN with information collected by the MNO such as the IMSI and provide it to the Customer
o Use the MSISDN to exchange messages via the USSD channel
o MSISDN, IMSI and messages are not stored after processing.

- Categories of data subjects: End User
- Categories of personal data: End User's MSISDN (telephone number).
- Duration of processing: for the duration of the Contract and the relevant Service Annexes.

Myriad undertakes to:

- Process the Customer's personal data solely for the purposes of performing the Contract and the relevant Service Annexes and, as a general rule, process the Customer's personal data only in accordance with the documented instructions received from the Customer;
- Ensure that personnel authorized to process the Customer's personal data are subject to an obligation of confidentiality;
- Implement the appropriate technical and organizational measures to comply with the GDPR or any other legislation applicable in the Territory and ensure the protection of the rights of the persons concerned, and more particularly to protect the Customer's personal data against accidental or illicit destruction, accidental loss, modification, disclosure or unauthorized access;
- Notify the Customer of the existence of a data breach in writing as soon as possible, and no later than seventy-two (72) hours after becoming aware of it, and provide the Customer with the assistance and cooperation reasonably necessary to stop the breach, repair the damage caused, notify the breach to the competent authorities and communicate the breach to the persons concerned if necessary;
- Maintain a precise list of subcontractors involved in the provision of the Services and notify the Customer of any planned change, in particular the addition or replacement of a subcontractor, prior to the implementation of such change, it being specified that the Customer may object to the involvement of such new subcontractors and that the subcontracting operation may only take place in the absence of opposition from the Customer within a period of fifteen (15) days following notification of the change by Myriad. The current list of subcontractors authorized to operate on the date of signature of the Agreement is shown below:

o Amazon Web Services (AWS),
o MNOs,

- Respond, as soon as possible and at the latest within fifteen (15) working days, to any request from the Customer concerning processed personal data of the Customer in order to enable the Customer to take into consideration, in a timely manner, any request or claim from the data subject or from third parties (including a supervisory authority);
- Notify, as soon as possible and at the latest within fifteen (15) working days, the Customer of any request or claim from the data subject or from third parties concerning the processing of personal data that the subsequent processor directly receives;
- Return to the Customer all the Customer's personal data as well as any media provided by the Customer containing such data at the end of the Contract services and relevant Service Annexes; Myriad will not retain any part, copy or duplicate of the personal data, except for retention purposes pursuant to any applicable regulations;
- Inform the Customer of any transfer of the Customer's personal data outside the European Union, the Customer expressly consenting to Myriad and/or any of its subcontractors transferring personal data outside the European Union. Myriad further undertakes to take all appropriate safeguards aimed at ensuring the protection of the Customer's personal data pursuant to the GDPR or any other legislation applicable in the Territory, including by means of the signing of binding agreements incorporating the European Commission's standard contractual clauses;
- Make available to the Customer the information necessary to demonstrate compliance with its obligations and allow audits to be carried out by the Customer. The Customer reserves the right to carry out, at its own expense, an audit concerning Myriad's compliance with its obligations with respect to the protection of personal data, subject to one (1) month's prior written notice and subject to a limit of one (1) audit per year. This audit will be carried out by a team of the Customer's internal auditors. Myriad undertakes to cooperate in good faith with the Customer. The audit will be conducted in such a way as not to interfere, as far as possible, with Myriad's normal business.
- Cooperate with and assist the Customer in the event that the Customer is required to demonstrate compliance with the GDPR or any other legislation applicable in the Territory, and in carrying out a data protection impact assessment, and inform the Customer if, in Myriad's opinion, an instruction given by the Customer infringes the GDPR or any other legislation applicable in the Territory.