BACKGROUND
- The parties have agreed that it may be necessary for Supplier to Process certain Personal Data on behalf of Company as the Controller of certain Personal Data.
- In light of this Processing, the parties have agreed to enter into this Agreement to address the compliance obligations imposed upon Company pursuant to the Regulation (EU) 2016/679 (hereinafter “GDPR”) .
- carry out any relevant prior consultations with any applicable Data Protection Authority
- The Supplier is appointed by Company as a Processor to Process such Personal Data under instruction from Company solely to the extent necessary to provide the Services in accordance with the terms of this Agreement.
1. (Definitions)
In this Agreement:
Personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data subject: means an individual who is the subject of personal data.
Process or Processing: means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
Controller/Data Controller: means the Company which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor/Data Processor: means a Supplier or authorized Sub-Processor, which processes Personal Data under instruction from the Data Controller.
Data Protection Authority: shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction where data processing is performed.
Service or Services: The specific services or set of services that Controller has procured from Processor for which Processing of Personal Data is necessary.
2. (OBLIGATIONS OF THE DATA PROCESSOR)
a. Use all Personal Data provided by Data Controller or as may be collected by Data Processor pursuant to the Service, only for the purpose of the Service. In no case shall Data Processor use Personal Data for a purpose other than the Purpose stated in Section 2.
b. Process Personal Data according to the instructions of the Data Controller. If the Data Processor believes that any of the instructions violate the GDPR, the Data Processor shall immediately inform the Data Controller.
c. Keep a written record of all categories of the Processing operations carried under instruction from the Data Controller.
d. When performing the services requires transfer of Personal Data outside the European Economic Area or in a territory that does not guarantee an adequate level of data protection recognized by the European Commission, transfer will be made according with Model Clauses included in the European Commission Decision of February 5th 2010 n.2010/87/UE or taking any other legal approved measures that guarantee the appropriate protection level.
e. Maintain written security policies for the security, integrity and protection of Personal Data against unauthorized disclosure, theft or loss. Data Processor’s security policies including administrative, technical and physical safeguards appropriate for Processor’s size, resources and types of Personal Data that it processes.
f. Not disclose Personal Data to third parties, unless with express authorization from Data Controller, when legally permissible.The Data Processor may disclose Personal Data to third parties only pursuant to the Data Controller’s express instructions. In this case, the Data Controller shall identify, in writing and in advance, the entity whom Personal Data will be disclosed to, the Personal Data to be disclosed, and the security measures to be applied for disclosure.If the Data Processor is obligated to transfer Personal Data to a third country or organization outside the EEA, they shall inform the Data Controller of that legal requirement beforehand, unless otherwise prohibited by law.
g. Provide Data Controller with reasonable assistance in conducting data protection impact assessments, when appropriate.
h. Provide Data Controller with reasonable assistance in sending prior consultations to control authorities, when appropriate.
i. Provide Data Controller with all the information necessary to demonstrate compliance with their obligations. Permit audits and inspections to be carried out by the Controller or another auditor authorized by them, at Controller’s cost, during business hours, and no more than once annually. Notwithstanding the aforementioned, such audits and inspections will only be conducted when there is a reasonable basis to do so, at the sole discretion of the Data Processor. Competitors of the Data Processor are explicitly excluded from acting as auditors. The Data Processor and Controller will discuss and agree in advance on the reasonable start date, scope, duration and confidentially controls applicable to any audit and Data Processor reserves the right to charge a fee (based on Data Processor reasonable cost) for any such audit.
j. Maintain the confidentiality of all Personal Data Processed under this Agreement, even after its termination.
- Access, rectification, erasure and opposition
- Restriction of Processing
- Data portability
- To not be subject to automated individual decisions (including profiling)
m. Subcontracting
Processor is authorized to use subcontractors (“Sub-processors”) to perform the Services described under Section 2 herein. List of approved sub processors is attached as Schedule 2.To subcontract with other companies, Data Processor must notify Controller in writing, clearly and unequivocally identifying the subcontractor and their contact details. Processing may be subcontracted if the Controller does not indicate their opposition in the period of 5 working days. Sub-processor(s) will be considered a Data Processor for the purposes of this Agreement and equally obliged to comply with the obligations of Data Processor as set forth in this Agreement, as well as any instructions issued by the Data Controller as to the Processing of Personal Data. Data Processor undertakes to ensure that Sub-processor(s) will enter into a separate Data Processor Agreement on the same conditions (instructions, obligations, security measures, etc.) as set out herein and with the same formal requirements regarding adequate Processing of Personal Data and guaranteeing the rights of Data Subjects as set out under GDPR.
n. Data security breach notifications
Data Processor shall notify Data Controller, without undue delay, and in any case, before the maximum period of 72 hours, and via e-mail and phone confirmation, of any breach they are aware of to the security of the Personal Data they hold, together with all relevant information to document and report the incident.This notification shall not be necessary when the data security breach is unlikely to entail a risk to the rights and freedoms of individuals.
The following minimum information shall be provided, if available:
- Description of the nature of the Personal Data security breach including, when possible, the categories and approximate number of Data Subjects affected, and the categories and approximate number of Personal Data records affected.
- The name and contact details of the individual responsible for data security or another point of contact to obtain more information. c) Description of the possible consequences of the Personal Data security breach.
- Description of the measures adopted or proposed to remedy the Personal Data security breach including, if appropriate, the measures adopted to mitigate possible negative effects.
If information cannot be provided simultaneously, and to the extent that it is not, the information will be gradually provided without undue delay.
Data Processor shall also report data security breaches to the appropriate Data Protection Authority in accordance with the relevant provisions of the GDPR.
Upon expiry or termination of a Service, or if the Processing of Personal Data is no longer required for the purposes of the Services, unless Data Controller provides express direction, at Data Processor’s option, securely delete or return the Personal Data to Data Controller according with applicable law and Spider AF policies and promptly inform in writing to Data Controller that it has done so.
3. (OBLIGATIONS OF THE DATA CONTROLLER)
- provide the Data Processor with the Personal Data referred to in Section 2 of this document, facilitate the right to have the information processed and have all the necessary consents from applicable Data Subjects at the time of data collection.
- conduct a data protection impact assessment for the processing operations to be carried out by the Data Processor.
- carry out any relevant prior consultations with any applicable Data Protection Authority
- provide direction and instruction to the Processor to ensure that they can comply with the GDPR prior to and during processing.
4. (LIMITATION OF LIABILITY)
Data Controller’s remedies, including those of its Affiliates, arising from any breach by Data Processor of the terms of this agreement will be subject to any aggregate limitation of liability already existing between the parties, as permitted by law.
5. (APPLICABLE LAW )
This Agreement shall be governed by and construed in accordance with the laws of Portugal and shall be subject to the exclusive jurisdiction of the Courts of Lisbon
6.(MISCELLANEOUS
)
- I. Clauses and other headings in this Agreement are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this Agreement. Schedules to this Agreement shall form an integral part thereof.
-
- II. Unless the context otherwise requires, in the Agreement:
- use of the singular includes the plural and vice versa;
- a reference to an Applicable Law shall be construed as referring to such Applicable Law as amended and in force from time to time and to any Applicable Laws which re-enact or consolidate;
- This Agreement, including the Schedules attached hereto and any subsequent properly executed Processing Appendices agreed between the parties, constitutes the entire agreement between the parties pertaining to the subject matter hereof and supersedes all prior agreements, understandings, negotiations and discussions of the parties.
- The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Agreement shall remain in full force and effect.
- Any notice, letter or other communication contemplated by this Agreement shall be communicated in writing via letter or facsimile to the addresses set out on the first page of this agreement.
(SCHEDULE 1)
Template Data Processing Appendix
This Appendix, including any relevant attachment, describes the types of Personal Data, and the purposes for which that Personal Data may be processed by the Processor.
Controller is:
[………………………………………………………………….]
The Processor is:
SPIDER LABS PORTUGAL, UNIPESSOAL, LDA, with Tax Registration Number 516011626, and registered office in Rua dos Eucaliptos, Lote 63, Loja 3B Alfragide Amadora, 2610-069 Alfragide, represented by Eurico Jose Teodoro Doirado
Special categories of data:
No categories of Sensitive Personal Data as defined by Article 8 (1) of European Directive 95/46 shall be processed for the purposes of this Processing Appendix.
Personal Data Processing Activities