This data protection agreement (the “Agreement”) was concluded today [•] by and between:
Deltatel SRL, limited liability company, incorporated and functioning under Romanian law, with registered office at 11 Gh. Lazar street, zip code 300081, Timisoara, Romania, registered with the Trade Registry under no. J35/1133/2003, fiscal registration number RO 15434490, represented by Mr. Gelu Crasnic, in his capacity as Director, hereinafter referred to as “Deltatel” or the “Controller”
And
[•], [•] company, incorporated and functioning under [•], law, with registered office at [•], zip code [•], registered with [•], under no. [•], fiscal registration number [•], represented by [•], in his capacity as [•], hereinafter referred to as the "Processor"
Hereinafter individually referred to as the "Party" and collectively as the "Parties"
WHEREAS
- The Parties have concluded the Contract [•] [•], dated [•], (hereinafter referred to as the "Contract").
- In connection with the performance of its obligations under the Contract, the Processor will have access to Personal Data, as defined at Annex no. 1 to this Agreement;
- In order to secure the processing of this Personal Data in compliance with the Regulation (EU) 2016/679 dated April 27, 2016 (hereinafter referred to as the “GDPR”) and the relevant Romanian data protection legislation, as amended from time to time (hereinafter referred to as the “Relevant Data Protection Legislation”),
The Parties hereby agree as follows:
1. DEFINITIONS
The capitalized terms which are not otherwise defined in this Agreement shall have the meaning ascribed to them below:
- "Agreement" means this document and its appendices;
- "Controller" means the entity determining the purposes and means of the Personal Data processing (for the purposes of this Agreement - Deltatel SRL);
- "Processor" means the entity acting under the authority and instructions of the Controller (for the purposes of this Agreement - [•]);
- “Data Protection Authority” or “DPA” means a supervisory authority controlling the processing of Personal Data because: (a) the Controller or Processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that supervisory authority;
- "Data Protection Officer" or “DPO” shall mean the person designated by the Controller or the Processor in compliance with Article 37 of the GDPR;
- "Personal Data" means any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- “Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Purpose of Processing” shall mean the reasons for which the Personal Data are being processed or the goal to be achieved through the Processing;
- “Transfer of Personal Data” shall mean any transfer of Personal Data from an entity to another entity. A transfer can be carried out via any communication, copy, transfer or disclosure of Personal Data through a network, including remote access to a database or transfer from one medium to another, whatever the type of medium (for instance from a computer hard disk to a server).
2. PURPOSE OF THE AGREEMENT
The provisions of this Agreement shall serve as an amendment to the Contract, specifically with respect to the obligations of the Processor concerning the Processing operations as described in Appendix 1, the security and the confidentiality of the Personal Data in compliance with the GDPR and the Relevant Data Protection Legislation. The Processor shall inform the Controller of any change of the information provided in Appendix 1.
In the context of their contractual relationships, the Parties undertake to comply with the GDPR and, where necessary, with the Relevant Data Protection Legislation.
All provisions of the Contract which are not explicitly amended by this Agreement shall remain fully applicable between the Parties.
3. DURATION OF THE AGREEMENT
The Agreement shall enter into force from [•] and shall remain applicable for the entire duration of the Contract.
4. OBLIGATIONS OF THE PROCESSOR
4.1. General Obligations
The Processor shall:
- comply with all obligations incumbent upon the data processors, as provided by the GDPR and the Relevant Data Protection Legislation;
- comply with the Controller’s guidelines, in particular without limitation those guidelines which are necessary to ensure the Controller is in compliance with the GDPR and the Relevant Data Protection Legislation;
- process the Personal Data solely in order to perform its obligations under the Contract, only pursuant to the terms and conditions of this Agreement and/or in accordance with the instructions of the Controller, except where the Processor is required to have a specific conduct pursuant to GDPR or the Relevant Data Protection Legislation. In such a case, the Processor shall inform the Controller of the relevant legal requirement before Processing unless the relevant law prohibits such notification on important grounds of public interest;
- promptly inform the Controller i) of its inability to comply with the provisions of the Agreement and/or ii) if, in its opinion, an instruction of the Controller infringes the GDPR or any other Relevant Data Protection Legislation;
- provide the Controller with the contact details of the Processor’s Data Protection Officer, should such a Data Protection Officer be appointed in compliance with Article 37 of the GDPR; and
- comply with all requests for information and/or documents made by the Controller for the purpose of verifying compliance by the Processor with the legal obligations regarding the protection of personal data. The Processor shall also allow and actively contribute to any inspection carried out by the Controller in this respect, without this being overly burdensome or requiring disproportionate or unreasonable efforts on the part of the Processor. To the extent that the Controller does not identify breaches of data protection law, the Controller shall reimburse the reasonable expenses incurred by the Processor in connection with the inspection carried out by the Controller.
4.2. Security and Confidentiality Obligations
The Processor shall preserve the security and confidentiality of the Personal Data and implement all adequate measures to ensure that the level of security of the Controller’s Personal Data is appropriate. In this regard, the Processor shall obtain and maintain all licenses, authorizations and approvals required by applicable law to process Personal Data and any other data and information derived therefrom.
The Processor undertakes to implement all reasonably necessary and appropriate technical and organizational measures using generally accepted state-of-the-art technology to protect the Personal Data it processes under the Contract against unauthorized or accidental access, alteration, transmission, disclosure, deletion or destruction and in particular all the measures mentioned in Appendix 2.
The Processor shall review and adapt such measures regularly to comply with the state of the art and applicable regulations, including the physical security measures necessary to ensure the conservation and integrity of the Personal Data processed during the performance of the Contract (for instance securing access to computers, installing antivirus software, performing regular backups on removable media and increasing the employees’ and suppliers’ awareness of security measures).
Without limiting the generality of the foregoing, the Processor shall comply with the following obligations and shall ensure that its employees and/or its suppliers will also comply with them:
- The Processor shall process the Personal Data only in accordance with the Controller’s instructions and to the extent such processing is necessary to carry out the Processor’s obligations in connection with the performance of the Contract;
- The Processor will not use the Personal Data for any other purposes, nor will the Processor retain this data for any longer than required by the Controller;
- The Processor will only use personnel who: (i) have a need to process the Personal Data in order to fulfill the Processor’s obligations under the Contract, (ii) have entered into a confidentiality agreement; (iii) have received adequate training regarding the protection of Personal Data and (iv) have been informed of any special data protection requirements arising from this Agreement and of the limitation of the use of the Personal Data for specific purposes as instructed. The Processor also undertakes to communicate to the Controller, upon request, the list of persons so entitled;
- The Personal Data shall not be disclosed to any third party, whether individual or legal person, public or private entity, without the prior approval of the Controller (in such case the Processor shall maintain a record of any disclosure of Personal Data to a third party and make such record available to the Controller promptly upon request);
- The Processor shall not sell, assign, rent and more generally transfer the Personal Data for any reason without the prior written approval of the Controller;
- The Processor is not allowed to make copies or duplicates of the Personal Data without the prior written consent of the Controller, unless such copies or duplicates are necessary for the fulfillment of its obligations under the Contract.
4.3. Personal Data Breach Notification
The Processor shall notify the Controller in writing of any Personal Data Breach, without undue delay and no later than 24 hours after it becomes aware of such Personal Data Breach.
Such notification shall at least contain the following information:
- the nature of the Personal Data Breach including, where possible, the data categories and approximate number of Data Subjects concerned;
- the name and contact details of the Data Protection Officer or other contact point where additional information can be obtained;
- a description of the likely consequences of the Personal Data Breach;
- a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Processor also undertakes to provide the Controller with reasonable assistance and co-operation to notify the Personal Data Breach to the competent Data Protection Authority and to communicate such Personal Data Breach to the Data Subjects, in compliance with Articles 33 and 34 of the GDPR and any Relevant Data Protection Legislation.
The Processor shall design and implement procedures for managing and reporting such Personal Data Breaches to the Controller.
4.4. Exercise of Data Subjects’ rights
The Processor shall provide the Controller, taking into account the nature of the Processing, with reasonable assistance and co-operation, to allow the Controller to respond (i) to requests presented by Data Subjects for exercising their rights, or (ii) to requests of the competent Data Protection Authorities in relation with the Processing of Personal Data. In particular, the Processor shall implement appropriate technical and organisational measures in order to promptly satisfy in writing, within 5 working days, any request for information from the Controller.
The Processor may only grant access to, correct, delete, block, restrict the Processing of, or communicate to the Data Subject the Personal Data processed on behalf of the Controller in a structured, commonly used and machine-readable format, when instructed to do so by the Controller.
If a Data Subject submits a request or a complaint directly to the Processor, the Processor shall forward this request or complaint to the Controller without undue delay, at
4.5. Subcontracting
The Processor is not allowed to disclose, assign, or otherwise communicate Personal Data to any subcontractor (whether located within the EU or outside the EU) without informing the Controller and obtaining its specific prior written consent in this respect, except where otherwise required by a mandatory legal or regulatory provision. In such a case, the Processor shall inform the Controller of that legal requirement before the processing, unless that mandatory legal provision prohibits such information on important grounds of public interest.
The Processor shall impose on its subcontractor by way of a contract or other legal act, the same legal requirements as the Processor itself undertakes in the Agreement, in particular the obligation to provide sufficient guarantees in relation with the Processing by implementing appropriate technical and organizational measures. Where the subcontractor fails to fulfil its data protection obligations, the Processor shall remain fully liable towards the Controller for the performance of that subcontractor’s obligations.
A list of subcontractors currently employed by the Processor in relation with the Processing of Personal Data is attached at Appendix 1. The Processor shall inform the Controller in case of change in such list.
4.6. Transfers of Personal Data outside the EEA
The Processor undertakes to:
- comply with the Controller’s instructions in relation to Transfers of Personal Data carried out outside the EEA;
- not carry out a Transfer of Personal Data outside the EEA without the prior written consent of the Controller, except where the Processor is required to transfer Personal Data outside the EEA pursuant to applicable legislation. In such a case, the Processor shall inform the Controller of the relevant legal requirement unless the relevant law prohibits such notification on important grounds of public interest;
- ensure that its own subcontractors and the persons acting under the authority or on behalf of the Processor do not carry out any Transfer of the Controller’s Personal Data outside the EEA without the prior written consent of the Controller;
- inform the Controller in case of change of the location of any Personal Data Processing sites, whatever the nature of the Processing operation (hosting, back-up, maintenance, administration, help-desk), as detailed in Appendix 1;
- if the Processor appoints a subcontractor located outside the EEA, the Processor shall also ensure, before any Transfer of Personal Data, that the transfer will be carried out in compliance with the GDPR and the Relevant Data Protection Legislation (for instance, by ensuring that the EU Standard Contractual Clauses approved by the EU Commission on February 10, 2010 (c2010/0593) will be signed between the Controller and the subcontractor, if the latter is located in a country which does not provide for an adequate level of protection of Personal Data).
4.7. Data Protection Impact Assessment
The Processor undertakes to provide the Controller with reasonable assistance and co-operation to carry out an assessment of the impact of the Personal Data Processing operations carried out under this Agreement on the protection of Personal Data and to consult the competent data protection authorities, where necessary.
5. RECORDS OF PROCESSING ACTIVITIES
The Processor undertakes to maintain a record of its Personal Data Processing activities carried out on behalf of the Controller, including the following information:
- the name and contact details of the Controller, the potential subcontractors and, where applicable, of the Data Protection Officer;
- the categories of Processing carried out on behalf of the Controller;
- where applicable, Transfers of Personal Data to a third country, including the documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures implemented to protect the Personal Data.
6. DOCUMENTATION AND AUDIT RIGHTS OF THE CONTROLLER
The Controller is entitled to audit or to have audited by a third party the technical and organizational measures implemented by the Processor, at regular intervals, in order to verify whether the Processor complies with the provisions of this Agreement.
The Processor shall cooperate for the purposes of such audit. In addition, upon prior written notice sent by the Controller to the Processor, the Processor shall without undue delay i) grant the Controller free access to premises, records and personnel and/or ii) provide the Controller (or the third party auditor) with all information, files and other documents requested in relation to the Processing of the Personal Data as necessary to perform the audit and/or to demonstrate compliance with the obligations laid down in the Agreement.
Any issues, errors or irregularities that are identified and brought to the Processor's attention will be promptly remedied by the Processor. The Processor will assist the Controller with any data protection audits or controls enforced by a Data Protection Authority or other competent public authority if these audits or controls concern data Processing within the scope of the Agreement.
The Controller undertakes to comply with any confidentiality provisions, policies and/or rules the Processor may notify to the Controller in the context of the audit.
7. RETENTION, RETURN OR DELETION OF DATA
During the execution of the Agreement, the Processor undertakes to implement adequate technical and organizational measures to comply with data retention periods applicable to Controller’s Personal Data processed under the Agreement where requested by the Controller.
Upon expiry or termination of the Contract, the Processor shall at the Controller’s request, either (i) return all Personal Data processed and the copies thereof to the Controller or (ii) destroy all the Personal Data and certify to the Controller, in writing that it has done so, subject however to any regulatory obligations concerning the retention of the Personal Data applicable to the Processor. In such a case the Processor shall inform the Controller, in writing about such obligations.
8. LIABILITY AND INDEMNIFICATION
Pursuant to the provisions of Article 82 of the GDPR, the Processor shall indemnify, defend and hold the Controller harmless from any and all claims asserted by any Data Subject, Data Protection Authority or any third party with respect to a breach of any of the Processor’s obligations under this Agreement, to the extent the Processor is responsible for the event giving rise to any such claim.
9. TERMINATION
This Agreement shall automatically terminate upon the termination of the Contract.
However, any obligation of the Processor under this Agreement which by its nature survives the termination of the Agreement shall continue to have effect after termination of the Agreement.
In the event the Processor is in breach of any of its obligations under this Agreement, the Controller may:
- suspend the transfer of Personal Data to the Processor until the breach is repaired to the Controller’s reasonable satisfaction or the Contract is terminated; or
- terminate the Contract, after first giving the Processor thirty (30) days prior written notice of its decision to terminate the Contract. If, during this thirty-day notice period, the Processor remedies the breach to the Controller’s reasonable satisfaction, the Contract will remain in effect.
10. FINAL PROVISIONS
In the event of any inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the Contract, the provisions of this Agreement shall prevail with respect to the Parties' obligations to protect Personal Data.
In the event of disputes, claims or the like arising out of this Agreement, the Parties shall attempt to reach an amicable settlement thereof. If an amicable settlement cannot be reached, the dispute shall be submitted to and settled by the competent Romanian court.
This Agreement does not imply the payment of any additional remuneration by either Party and does not derogate from the Contract with regard to the financial conditions set by the Parties.
If any provision of this Agreement is or becomes void or unenforceable, the remainder of this Agreement shall remain in full force and effect. In such a case, the Parties will negotiate in good faith to replace the invalid or unenforceable clause with a valid, legal and enforceable clause, preserving as far as possible the commercial effects of the original clause.
This Agreement, together with its annexes, and the Contract, insofar as it relates to any matter concerning the processing of Personal Data, represent the entire will of the Parties with respect to the processing of the Controller's Personal Data for the purpose of providing the Services and may only be amended with the written consent of both Parties.
This Agreement was concluded on [•], in 2 (two) copies, one for each Party.
CONTROLLER
Represented by:
[name and capacity]
PROCESSOR
Represented by:
[name and capacity]
APPENDIX 1
Personal Data Processing activities
| Object of the Contract/Services provided in accordance with the Contract | |
| Nature of the Processing operations | |
| Purpose(s) of Processing | |
| Category/ies of Personal Data | |
| Category/ies of Data Subjects | |
| Duration of Processing operations | |
| Identity of the sub-contractor(s) | |
APPENDIX 2
Technical and Organizational Security Measures in order to ensure the protection of Personal Data and/or adherence by the Processor to an approved code of conduct or to an approved certification mechanism
Taking into account the state of the art, the costs of implementation and the nature, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the Controller's Personal Data.
In this regard, the Processor shall have regard to the following:
- Having sufficient resources available to ensure the continued confidentiality, integrity and availability of processing systems and services;
- Execution of the preliminary risk analyses regarding the processed personal data, with the cooperation of the Controller;
- Ensuring that all personal data are collected, stored, or processed only for the specific purpose for which they were collected, and only for the time required to meet the purposes for which they were collected;
- Ensuring that only employees authorized to access the data have the technical possibility of accessing them;
- Overseeing the access of employees, collaborators and subcontractors to personal data received from the Controller or accessed in any way on the occasion of providing the services covered by the Contract;
- Documenting and adopting procedures for the allocation of access rights, roles in IT applications and systems accessed by employees, collaborators, subcontractors, etc.;
- Notifying the Controller without delay of any breach of security with respect to personal data;
- Having adequate resources available to ensure that availability and access to personal data are restored in a timely manner in the event of a technical or physical incident;
- Ensuring that it has implemented appropriate technical measures to detect a Personal Data security breach and has a Personal Data security breach/incident response procedure that ensures an effective response to incidents involving Personal Data;
- Ensuring a procedure for backup and restoration of Personal Data.
In assessing the appropriate level of security, the Processor shall take into account all risks that the processing poses, in particular through accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access to the Controller's Personal Data transmitted, stored or otherwise processed.
CONTROLLER
Represented by:
[name and capacity]
PROCESSOR
Represented by:
[name and capacity]