Annex 1 - Data Processing Agreement Between the Data Processor and the Data Controller Based on the GDPR
1. The Purpose of Data Processing
a) The purpose of the data processing by the Service Provider (Processor, Microsec) is to perform the services under the Terms. This Data Processing Agreement shall apply only to the data uploaded or shared by the Client or Users in PassBy[ME].
b) The Service Provider cannot, in the context of normal operation, access any documents and texts—i.e. personal data as defined in the GDPR (hereinafter: “Personal Data”)—uploaded or otherwise created by the Client (hereinafter: “Document”) or the Users in PassBy[ME]. Microsec will only have the right defined in the Terms to access the Document.
c) Pursuant to the above, data processing operations by the Processor are limited to the storage of the Personal Data; however, the Processor may check the Document in order to make sure that the Client (Controller) is using PassBy[ME] in accordance with the Terms. Accordingly, the Processor will not be aware of the kind of Personal Data that appear in the Document, nor of who the data subjects are or what the purpose of processing may be, unless it is necessary to satisfy any applicable law, regulation, legal process or governmental request. Concerning the Personal Data appearing in the Document, the Client shall represent that it has obtained the data subjects’ consent to data processing or that it has other legal grounds regarding data processing. The Client shall furthermore examine whether the data processing complies with the principles of purpose limitation and minimum data as laid down in the Data Protection Rules. The Client shall be obliged to act with particular diligence in the case of Personal Data constituting special data based on the Data Protection Rules. The Processor will not be subject to any liability whatsoever in case the Controller uploads or creates a document that contains unlawfully obtained or stored Personal Data. Should the Processor incur any damage despite that, the Client shall be obliged to fully indemnify the Processor.
2. The Client’s Rights and Obligations
a) The Client shall process Personal Data in line with the Data Protection Rules.
b) The Client acknowledges that the Service Provider will have no access to Personal Data while providing the PassBy[ME] service, unless it is necessary to satisfy any applicable law, regulation, legal process or governmental request. Accordingly, the Client will not have the right to give any data processing related instructions to the Service Provider that would require accessing the Personal Data. In particular, the Service Provider cannot correct, delete or block Personal Data, nor cancel data processing in respect of a data subject’s Personal Data.
c) While this Data Processing Agreement remains in effect, the Client shall be obliged to retain its authorisation to control the Personal Data (i.e. it must have an appropriate legal basis for processing the data subject natural persons’ data throughout the entire duration of the Service).
e) Client is solely responsible for the Document uploaded or created by the Users.
3. The Service Provider’s Rights and Obligations
a) The Service Provider may not use Personal Data for purposes other than those specified in the Terms and this Data Processing Agreement.
b) The Service Provider shall be obliged to process Personal Data in compliance with the applicable Data Protection Rules.
c) The Service Provider will make available all information to the Client that may be necessary to certify compliance with the data processor’s obligations specified in this Data Processing Agreement and the Data Protection Rules.
d) The Service Provider will consent to the Client conducting the data protection audit prescribed in the GDPR.
e) The Service Provider will process Personal Data during the term of the contractual relationship between the parties. The expiry of the Terms between the parties will result in the expiry of this Data Processing Agreement.
f) The Service Provider is entitled to transmit the Personal Data in the mandatory cases prescribed by the Data Protection Rules, upon being called to do so by a competent court or the Data Protection Authority. If the Data Protection Authority or the competent court discloses such a decision to the Service Provider, the Service Provider will inform the Client without undue delay, before taking any action requested in connection with the Personal Data, or—where the Data Protection Authority or the competent court expects a prompt response or one in a short time—as soon as reasonably possible, unless the applicable Data Protection Rule or decision explicitly prohibits informing the Client in this way.
g) The Service Provider shall ensure that individuals authorised to access files containing Personal Data commit to a non-disclosure obligation or that they will be subject to an appropriate non-disclosure obligation based on legislation.
Data security
h) The Service Provider will make any and all technical and organisational arrangements that may be required to preserve the confidential nature and integrity of the Personal Data, furthermore to ensure their accessibility (and will document such arrangements appropriately), moreover will be obliged to safeguard the Personal Data from unauthorised use.
i) The Service Provider shall regularly review the effectiveness of the technical and organisational arrangements it uses.
Managing personal data breaches
j) In the case of a personal data breach, including the breach of data security to a degree that may lead to the inadvertent or unauthorised destruction, loss, alteration, disclosure or the unauthorised accessing of Personal Data, the Processor shall be obliged to take all necessary steps required by the Data Protection Rules.
4. Returning or Destruction of Personal Data
a) In case the Service Agreement expires for any reason whatsoever, the Service Provider will delete Personal Data (or the documents containing Personal Data) in compliance with the Terms.
5. Transmission of Personal Data
a) The Service Provider will not transmit Personal Data to any country outside the European Economic Area (EEA). Having regard to the fact that the Service is also accessible—in case of internet connection—from countries outside the European Economic Area (EEA), the Processor will perform the transmission of requested Personal Data in such cases, however, the Client having requested the data transmission shall bear any and all liability associated with such data transmission (particularly establishing the secure IT environment required for data transmission).
6. Subprocessors (subcontractors)
b) The Service Provider shall be obliged to regularly audit the performance of its subprocessors, and will be liable for the conduct of its subprocessors as if it had acted on its own.
7. Data Protection Audit
a) During the term of this Data Processing Agreement the Client and/or a reputable independent third-party auditor the Client designates will have the right to examine the Service Provider and its subprocessors’ facilities, moreover to verify whether or not the Service Provider operates its data protection system in compliance with the provisions set out in this Data Processing Agreement, if it is suspected that the Processor fails to comply with any provision in this agreement.
b) Notwithstanding the above, this audit may not extend to the examination of data belonging to the Service Provider’s other Clients, furthermore will not grant access to information related to the Service Provider’s security systems/measures. The Processor must be notified about audits initiated by the Client at least 30 days in advance. The notification shall state the reasons for the necessity of the audit and shall describe its envisaged scope. Audits may not trigger the unreasonable interruption of the Processor’s workflows, and may not exceed a duration of 30 days, which may be extended once in justified cases. Auditing may not involve (i) direct access to the qualified trust service provider’s IT systems and premises, or (ii) disturbing the Processor’s employees and causing significant extra work for them. To avoid any misunderstanding, the Parties confirm that the Client will bear the costs related to data protection audits.