This Data Processing Agreement (“DPA”), is incorporated into, and is subject to the terms and conditions of, the Agreement between the Customer (the “Customer” or the “Processor”), and Captio (“Captio” or the “Supplier”), regarding Chrome River invoices product.
All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the avoidance of doubt, all references to the Agreement shall include this DPA and the terms and conditions of Chrome River invoice product.
1.1.- The purpose of this DPA is to regulate this contractual relationship with the SUPPLIER and to enable the SUPPLIER, the Data Processor, to process on behalf of the Client, the Data Controller, the personal data necessary to provide the personal data processing service (hereinafter, the “Service”), and also to establish the security and confidentiality requirements and conditions under which the SUPPLIER must process the personal data for which the Client is responsible, as the latter must decide on the purpose and use of such data.
1.2.- In particular, the processing of personal data which is the responsibility of the Client and which are the object of this DPA are set out in this clause (hereinafter referred to as “Personal Data”).
- Financial information for examples of procurement of specific modules in this regard.
- Content of digitised invoices sent to the platform.
- Data and information from third parties, of which the customer or user is the controller, which they can upload to the software platform for the use thereof.
- User’s contact information ( name, surnames and/or DNI, company email address, position in the company).
- Registration or capture: register or record the information onto some type of system or device, automated or non-automated, for subsequent processing.
- Structuring or organisation: order and structure the information to facilitate its processing.
- Modification or adaptation: alter or change the information.
- Retention: keep the information for a certain period of time.
- Extraction: obtain the information from an original system or device to send or transfer it to another system or device.
- Query: search for data on the system or device on which it is registered.
- Dissemination or any other means of enabling access, collation, or interconnection, limitation: make the information registered on a system or device available to other users or recipients.
- Deletion: delete, remove the information from the system or device on which it was originally recorded.
- Destruction: disable the physical medium to prevent access to the information.
- Communication: send the data to another recipient from a source system or device through electronic means.
1.3.- The Services will be analysed periodically, and the two parties may agree to introduce changes, inclusions or eliminations which may be deemed to be apt or necessary in order to properly carry out the Services so as to improve the relations and efficiency of the Parties.
1.4.-The SUPPLIER may alter, at any time, the personal and material means used to provide the Services, as long as (i) it has obtained the prior written consent of the Data Controller and (ii) this does not prevent it from complying with the obligations mentioned in this document.
1.5.-None of the services arising from the Agreement is understood to be provided on an exclusive basis. Consequently, the SUPPLIER may offer the same type of services to third parties other than the Client, provided that this does not prevent it from properly fulfilling its obligations under the Agreement.
TWO. DURATION AND VALIDITY OF AGREEMENT.
2.1.- This DPA is fully effective and valid, coming into force from the day it is accepted, and will terminate as soon as the SUPPLIER ceases to process the Personal Data on behalf of the Client.
2.2.- If the obligations set out in this DPA are undetermined or simply last longer, they shall remain in force even if the validity of the Agreement has been terminated for other purposes.
THREE. OBLIGATIONS OF THE PARTIES.
3.1.- The Client shall properly comply, at all times, with the provisions set forth in the GDPR, as well as with any regulations (national or supranational) that may be applicable at any given time. In particular, the Data Controller undertakes to:
- Give the SUPPLIER the Personal Data and inform the SUPPLIER of any change in the data that may affect their processing;
- Previously inform the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, prior access by the SUPPLIER to the Personal Data;
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural personals which the Client is the data controller, the controller shall communicate the personal data breach to the data subject without undue delay.
3.2.-The SUPPLIER shall properly fulfil, at all times, the provisions set forth in the GDPR, as well as any regulations (national or supranational) that may be applicable at any given time. In particular, the SUPPLIER undertakes to:
- Use the Personal Data, or those it may collect on behalf of the Client, only for the purpose of the Agreement, and it may not in any event use such Personal Data for its own and/or different purposes;
- Process the Personal Data only following documented instructions from the Client and, if any instruction is considered not to be aligned with the GDPR, to immediately inform the Data Controller so that it may take the measures deemed appropriate;
- Where required by the GDPR, keep a documented record of all categories of processing activities carried out on behalf of the Client within the framework of the Agreement;
- Not disclose Personal Data to third parties or give third parties access to such data, except with the express written authorisation of the Client for those cases allowed by law;
- Ensure that persons authorised to process Personal Data have undertaken to respect confidentiality on terms equivalent to those set out in this DPA;
- Take all appropriate technical and organisational measures to ensure a level of security adequate to the risk of the Personal Data in accordance with the provisions of Article 32 of the GDPR and, in particular but without limitation, the following measures:
- Measures to pseudonymise and encrypt personal details;
- Measures which may ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
- Measures which may restore the availability of and access to the personal details in a timely manner in the event of a physical or technical incident; and
- Measures required to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
- Measures which may verify, evaluate and judge the effectiveness of the technical and organisational measures implemented to guarantee the security of the processing;
- Abide by the conditions indicated in clause 5 below in relation to subcontracting;
- Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that they may comply with their obligation to reply to requests regarding the exercise of the data subjects' rights, that is, the rights of transparency, information, access, correction and erasure (right to be forgotten), restriction of processing, portability, opposition or not to be the object of automated individualised decisions (including profiling), and others that are specified in Chapter III of the GDPR. If the SUPPLIER receives a request for the exercise of the rights specified in Chapter III of the GDPR relating to the processing of data under the Agreement, it must notify the Client in a term of twenty-four (24) working hours ;
- Collaborate, cooperate and actively assist the Client in fulfilling the obligations set out in Articles 32(security of processing), 33 (notification of a breach of the security of personal data to the Supervisory Authority), 34 (communication of a breach of the security of personal data to the data subject), 35 (data protection impact assessment) and 36 (prior consultation) of the GDPR, all taking into account the nature of the processing and the information available to the SUPPLIER;
- Report data security breaches to the data controller, regarding personal data breaches which the Supplier has knowledge;; in which case, the following minimum content is required:
- Description of the nature of the security breach.
- Name and contact details of the data protection officer or other contact point where more information can be obtained.
- Description of the possible consequences of the personal data breach;
- Description of the measures adopted or proposed to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
- Delete or return all personal data once the services referred to in the Recitals of this Agreement have been completed, deleting existing copies unless the personal data are required to be stored (invariably, applying the appropriate security measures in accordance with the GDPR and other applicable regulations) under the law of the Union or the Member States.
- Guarantee the necessary personal data protection training to the persons authorised to process the Personal Data.
In the event that the assistance obligations set out in this section, require the performance of external or internal audits, or require a dedication of resources superior to that used in compliance with this DPA, the SUPPLIER reserves the right to transfer the Client the reasonable and motivated extra costs that said increase involves.
FOUR. DUTY OF INFORMATION
4.1.- To ensure that the SUPPLIER may satisfactorily carry out the activity entrusted to it, Client shall make available to the former all the data, information and documentation necessary for the SUPPLIER to carry out the services covered by the Agreement with the quality and excellence required.
5.1.- Customer agrees that Supplier may engage Sub-processors to process Customer Data on Customer's behalf. The Sub-processors currently engaged by Captio and authorized by Customer are available here. Mailchimp shall notify Customer if it adds or removes Sub-processors at least 7 days prior to any such changes if Customer opts in to receive such notifications by clicking here.
5.2.- Captio shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Captio to breach any of its obligations under this DPA.
5.3- Invariably, the SUPPLIER shall be held liable before the Client for any actions and/or omissions of the subcontractor.
SIX. INTERNATIONAL TRANSFER
6.1.- Customer acknowledges that Captio may transfers and process Customer Data to and in the United States and anywhere else in the world where Captio, its Affiliates or its Sub-processors maintain data processing operations. Captio shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
In this case, the SUPPLIER will ensure that all data transfers offer an adequate level of protection, through the adoption of standard contractual clauses for data transfers approved by the European Commissions (art. 46 GDPR).
6.2.- Additionally in the same vein, Captio may report data to other entities in the international Group “Emburse” business group, in which case, please note that there are companies belonging to the same group in third countries that do not provide the same level of protection as European data protection standards. In such cases, the data shall be transferred ensuring that the processing is adapted by signing specific contractual clauses (art. 46 of the GDPR).
7.1.- The SUPPLIER has sole liability, and if necessary, will have to compensate the Client in full, for the correct performance of the services covered by the Agreement. Therefore, if the SUPPLIER fails to fulfil the terms of the Agreement, it admits full liability for all direct damages it may cause to the Client in the framework of the execution of the Agreement.