Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject: means an individual who is the subject of personal data.
Process or Processing: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
Controller/Data Controller: means the Company which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor/Data Processor: means a Supplier or authorized Sub-Processor, which processes Personal Data under instruction from the Data Controller.
Data Protection Authority: shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction where data processing is performed.
Service or Services: The specific services or set of services that Controller has procured from Processor for which Processing of Personal Data is necessary.
The Data Processor and all its employees undertake to:
a. Use all Personal Data provided by Data Controller or as may be collected by Data Processor pursuant to the Service, only for the purpose of the Service. In no case shall Data Processor use Personal Data for a purpose other than the Purpose stated in Section 2.
b. Process Personal Data according to the instructions of the Data Controller. If the Data Processor believes that any of the instructions violate the GDPR, the Data Processor shall immediately inform the Data Controller.
c. Keep a written record of all categories of the Processing operations carried out under instruction from the Data Controller.
d. When performing the Services requires transfer of Personal Data outside the European Economic Area or to a territory that does not guarantee an adequate level of data protection as recognized by the European Commission, the transfer will be made in accordance with the Model Clauses included in the European Commission Decision of February 5th 2010 n.2010/87/UE or by taking any other legally approved measures that guarantee the appropriate level of protection.
e. Maintain written security policies for the security, integrity and protection of Personal Data against unauthorized disclosure, theft or loss. Data Processor’s security policies shall include administrative, technical and physical safeguards appropriate for Processor’s size, resources and the types of Personal Data that it processes.
f. Not disclose Personal Data to third parties, unless with express authorization from Data Controller, when legally permissible. The Data Processor may disclose Personal Data to third parties only pursuant to the Data Controller’s express instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity to whom Personal Data will be disclosed, the Personal Data to be disclosed, and the security measures to be applied to the disclosure. If the Data Processor is obligated to transfer Personal Data to a third country or organization outside the EEA, it shall inform the Data Controller of that legal requirement beforehand, unless otherwise prohibited by law.
g. Provide Data Controller with reasonable assistance in conducting data protection impact assessments, when appropriate.
h. Provide Data Controller with reasonable assistance in sending prior consultations to control authorities, when appropriate.
i. Provide Data Controller with all the information necessary to demonstrate compliance with their obligations. Permit audits and inspections to be carried out by the Controller or another auditor authorized by them, at Controller’s cost, during business hours, and no more than once annually. Notwithstanding the aforementioned, such audits and inspections will only be conducted when there is a reasonable basis to do so, at the sole discretion of the Data Processor. Competitors of the Data Processor are explicitly excluded from acting as auditors. The Data Processor and Controller will discuss and agree in advance on the reasonable start date, scope, duration and confidentiality controls applicable to any audit, and Data Processor reserves the right to charge a fee (based on Data Processor’s reasonable cost) for any such audit.
j. Maintain the confidentiality of all Personal Data Processed under this Agreement, even after its termination.
k. Provide relevant employees and representatives with appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Personal Data.
l. Collaborate with the Data Controller, in the scope of the Services, in responding to requests of a Data Subject to exercise their rights of:
- Access, rectification, erasure and opposition
- Restriction of Processing
- Data portability
- To not be subject to automated individual decisions (including profiling)
and further inform the Data Controller when it receives a request from a Data Subject asking to exercise their rights as described above. Notification must be made no later than 5 working days following receipt of the request, and must be accompanied, where appropriate, by any other information that may be relevant to resolving the request.
m. Sub-processors
Processor is authorized to use subcontractors (“Sub-processors”) to perform the Services described under Section 2 herein. The list of approved Sub-processors is attached as Schedule 2. To subcontract with other companies, Data Processor must notify Controller in writing, clearly and unequivocally identifying the subcontractor and their contact details. Processing may be subcontracted if the Controller does not indicate their opposition within a period of 5 working days. Sub-processor(s) will be considered a Data Processor for the purposes of this Agreement and equally obliged to comply with the obligations of Data Processor as set forth in this Agreement, as well as any instructions issued by the Data Controller as to the Processing of Personal Data. Data Processor undertakes to ensure that Sub-processor(s) will enter into a separate Data Processor Agreement on the same conditions (instructions, obligations, security measures, etc.) as set out herein and with the same formal requirements regarding adequate Processing of Personal Data and guaranteeing the rights of Data Subjects as set out under GDPR.
n. Data security breach notifications
Data Processor shall notify Data Controller, without undue delay, and in any case within a maximum period of 72 hours, via e-mail with phone confirmation, of any breach of the security of the Personal Data it holds of which it becomes aware, together with all relevant information to document and report the incident. This notification shall not be necessary when the data security breach is unlikely to entail a risk to the rights and freedoms of individuals.
The following minimum information shall be provided, if available:
- Description of the nature of the Personal Data security breach including, when possible, the categories and approximate number of Data Subjects affected, and the categories and approximate number of Personal Data records affected.
- The name and contact details of the individual responsible for data security or another point of contact from whom more information can be obtained.
- Description of the possible consequences of the Personal Data security breach.
- Description of the measures adopted or proposed to remedy the Personal Data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If information cannot be provided simultaneously, and to the extent that it is not, the information will be gradually provided without undue delay.
Data Processor shall also report data security breaches to the appropriate Data Protection Authority in accordance with the relevant provisions of the GDPR.
o. Deletion or Return of the Personal Data:
Upon expiry or termination of a Service, or if the Processing of Personal Data is no longer required for the purposes of the Services, unless Data Controller provides express direction, Data Processor shall, at its option, securely delete or return the Personal Data to Data Controller in accordance with applicable law and Spider AF policies, and promptly inform Data Controller in writing that it has done so.