Smile Data
Processing Terms
This Data Processing Agreement was last updated on May 16, 2024
1. SUMMARY
Data security, protection and privacy are mission critical to our business. Our data protection policy spells out what we do with the information we collect from you when you visit our website or sign up for our service, and how we manage that information.
2.1. “Applicable Law” means any national, supranational, regional or local government or governmental, administrative, statute, law (including common law), regulation, rule, ruling, order, writ, injunction, decree or guidelines issued by any authority in the Territory and any Data Protection Legislation applicable to Smile ID or the Customer;
2.2. “Business Purposes” mean the purposes described in this Terms and specifically identified in Schedule 1 of the Order Form;
2.3. “Consent” means agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear positive action, signify agreement to the Processing of their Personal Data;
2.4. “Controller” means the person or organisation that determines when, why and how to process Personal Data or as the Data Protection Legislation may otherwise define controller;
2.5. “Data Protection Legislation” means the legislation relating to Personal Data and the use thereof as well as all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the supervisory authority applicable to a Party;
2.6. “Data Subject” means an identifiable natural person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
2.7. “Explicit Consent” means consent which requires a very clear and specific statement (that is, not just action);
2.8. “Order Form” means each fully executed Smile ID order form that incorporates this Terms and the SaaS terms (together, the "Agreement") and describes the Services to be provided by Smile ID from time to time as agreed.
2.9. “Party” refers to either Smile ID or the Customer in this agreement; both are jointly referred to as the “Parties” in the Agreement.
2.10. “Personal Data” means any information identifying a Data Subject or information relating to a Data Subject. Personal Data specifically includes, but is not limited to: names, addresses or location data, photos, email addresses, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM and others;
2.11. “Processing and Process” mean either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties;
2.12. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
2.13. “Pseudonymisation” means replacing information that directly or indirectly identifies an individual with one or more artificial identifiers or pseudonyms so that the person, to whom the data relates, cannot be identified without the use of additional information which is meant to be kept separately and secure;
2.14. “Regulatory Authority” means the regulating and enforcing authority responsible for regulating data protection and privacy of Data Subjects in the territory and as specifically described in the relevant Data Protection Legislation;
2.15. “Services” means the data processing and verification services to be provided by Smile ID to the Customer under this Terms.
3.1. The Customer hereby appoints Smile ID to provide the Services.
3.2. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required Consents, and for the processing instructions it gives to Smile ID.
3.3. The “Agreement” and the “Order Form” describe the subject matter, duration, nature and purpose of processing, as well as the Personal Data categories and Data Subject types in respect of which Smile ID may process data in order to fulfill the Business Purposes of these Terms.
4.1. Smile ID will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes, in accordance with the Customer’s instructions.
4.2. Smile ID will promptly comply with any Customer’s request requiring Smile ID to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
4.3. Smile ID will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or this Terms specifically authorises the disclosure, or as required by law. If a law, a court of competent jurisdiction, regulator or supervisory authority requires Smile ID to process or disclose Personal Data, Smile ID must inform the Customer of the legal or regulatory requirement unless the law prohibits such notice.
4.4. Smile ID will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Smile ID’s processing functions and the information available to Smile ID, including in relation to Data Subject’s rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
5.1. Understanding that Smile ID shall be relying on the adequacy of the Consent obtained by the Customer from the Data Subject to perform the Services in this Terms, the Customer shall ensure that the requisite Consent (of the Data Subject) is obtained using a notice or method which contains:
- 5.1.1. an approved data processing notice informing the Data Subject of appointment of a data processor at the time of collecting the Personal Data;
- 5.1.2. the purpose or purposes for which their Personal Data will be Processed;
- 5.1.3. information that the Personal Data may be transferred outside the territory of collection for Processing;
- 5.1.4. information that the Personal Data may be Processed by a third-party processor; and
- 5.1.5. any other information that, having regard to the specific circumstances of the collection and expected Processing, is required to enable fair Processing and performance of the Services.
6.1. Smile ID will ensure that all employees are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data.
7.1. Smile ID shall at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
7.2. Smile ID shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- 7.2.1. the Pseudonymisation and encryption of Personal Data;
- 7.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- 7.2.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- 7.2.4. a process for regularly testing, assessing and evaluating the effectiveness of security measures.
8.1. Smile ID will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.
8.2. Smile ID will immediately and without undue delay notify the Customer if it becomes aware of:
- 8.2.1. any accidental, unauthorised or unlawful processing of the Personal Data; or
- 8.2.2. any Personal Data Breach.
8.3. Immediately following any unauthorised or unlawful Personal Data Processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. Smile will reasonably cooperate with the Customer in the Customer’s handling of the matter, including:
- 8.3.1. assisting with any investigation;
- 8.3.2. providing the Customer with physical access to any facilities and operations affected;
- 8.3.3. facilitating interviews with Smile’s employees, former employees and others involved in the matter;
- 8.3.4. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
- 8.3.5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data Processing.
9.1. The Customer agrees that Smile ID may transfer the Personal Data outside the territory of collection for the purpose of Processing and performance of the Services.
9.2. Where the Processing to be carried out by Smile ID includes a transfer to a country which is not recognized by the relevant Regulatory Authority to have an adequate level of protection for the privacy rights of individuals in accordance with the Data Protection Legislation, the Customer hereby acknowledges that the provisions of this Terms shall continue to govern the protection of the Personal Data.
9.3. The Customer shall ensure that the Data Subject has provided Explicit Consent for the transfer of Personal Data outside the territory of collection, after having been informed:
- 9.3.1. of the possible risks of such transfers for the Data Subject due to the absence of an adequate level of data protection for the privacy rights of individuals;
- 9.3.2. that Smile ID shall remain bound by the Data Protection Legislation;
- 9.3.3. that there are no alternatives; and
- 9.3.4. that the transfer is necessary for the performance of a contract between the Data Subject and the Customer.
10.1. Smile ID may only authorise a third-party (subcontractor) to process the Personal Data if:
- 10.1.1. Smile ID enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Terms, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of such contracts;
- 10.1.2. Smile ID maintains control over all Personal Data it entrusts to the subcontractor; and
- 10.1.3. the subcontractor’s contract terminates automatically on termination of this Terms for any reason.
11.1. Smile ID must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- 11.1.1. the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
- 11.1.2. information or assessment notices served on the Customer by any supervisory authority under the Data Protection Legislation.
- 11.1.3. Smile ID must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.
- 11.1.4. Smile ID will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication or Data Subject request.
- 11.1.5. Smile ID must not disclose the Personal Data to any Data Subject or to a third-party other than at the Customer’s request or instruction, as provided for in this Terms or as required by law.
12.1. Unless otherwise required by law, Smile ID will retain and store securely Personal Data for a period of ninety (90) calendar days from the date the Personal Data was Processed. The Customer may however request deletion or retention of specific data at the time of signing this agreement.
12.2. Upon the expiration of the retention period, Smile ID shall not be under any further obligation to retain or store such Personal Data and shall immediately delete and destroy all such Personal Data.
13.1. Smile ID will from time to time, permit the Customer and its duly authorised third-party representatives to audit Smile ID’s compliance with its Terms obligations, on at least thirty (30) Business Days’ notice. Smile ID will give the Customer and its duly authorised third-party representatives all necessary assistance to conduct such audits.
14.1. The Customer shall indemnify and keep indemnified Smile ID in respect of costs, claims, damages or expenses arising from losses suffered or incurred by, awarded against or agreed to be paid by Smile ID or any of its sub-contractors arising from or in connection with any:
- 14.1.1. Non-compliance by the Customer with the relevant Data Protection Legislation;
- 14.1.2. Processing carried out by Smile ID or any of its sub-contractors pursuant to any Processing instruction from the Customer that infringes any provision of the relevant Data Protection Legislation; or
- 14.1.3. Breach by the Customer of its obligations under this Terms.
14.2. In the event that any act or omission of a Party or its employees, servants, agents, or representatives causes or results in (i) damage to or destruction of property and/or reputation of the other Party, then the first Party shall indemnify, defend, and hold the other Party harmless from and against any and all claims, actions, damages, demands, liabilities, costs, and expenses, including reasonable legal fees and expenses, resulting therefrom to the extent caused by the act or omission of the first Party.
15.1. This Agreement shall be governed by the Applicable Law of the territory where the Service is delivered; however, where the Service is delivered in multiple territories, the laws of England and Wales shall apply.
15.2. For questions or more information on our data protection and privacy policies, contact us at compliance@usesmileid.com with the subject line: Data Protection.
16.1. Any disputes arising under or in connection with the validity, interpretation and performance of this Agreement between Smile ID, Customer or/and any third parties that cannot be resolved amicably by the Parties through negotiation within 30 (thirty) calendar days shall be resolved by arbitration.
16.2. Any disputes arising under or in connection with the validity, interpretation and performance of this Agreement between Smile ID, User or/and any third parties that cannot be resolved amicably by the Parties through negotiation within 30 (thirty) days shall be resolved by arbitration.
16.3. Where the Services are delivered in only one territory, the forum shall be any arbitration panel/tribunal or centre established under applicable law (the “Domestic Tribunal”), and the rules of Domestic Tribunal shall apply. The seat of arbitration shall be the territory in which the services are delivered. The number of arbitrators shall be one. The arbitrator shall be appointed by the Domestic Tribunal.
16.4. Where the Services are delivered in multiple territories, the dispute shall be resolved by the London Court of International Arbitration (LCIA) in accordance with the LCIA Rules and the seat of arbitration shall be London. The number of arbitrators shall be one. The arbitrator shall be appointed by the LCIA.