1.1.-The purpose of this Agreement is to regulate this contractual relationship with the SUPPLIER and to enable the SUPPLIER, the Data Processor, to process on behalf of the Client, the Data Controller, the personal data necessary to provide the personal data processing service (hereinafter, the “Service”), and also to establish the security and confidentiality requirements and conditions under which the SUPPLIER must process the personal data for which the Client is responsible, as the latter must decide on the purpose and use of such data.
1.2.-In particular, the processing of personal data which is the responsibility of the Client and which are the object of this Agreement are set out in Annex I (hereinafter referred to as “Personal Data”). The SUPPLIER will carry out the following steps in processing the Personal Data:
- Registration or capture: register or record the information onto some type of system or device, automated or non-automated, for subsequent processing.
- Structuring or organisation: order and structure the information to facilitate its processing.
- Modification or adaptation: alter or change the information.
- Retention: keep the information for a certain period of time.
- Extraction: obtain the information from an original system or device to send or transfer it to another system or device.
- Query: search for data on the system or device on which it is registered.
- Dissemination or any other means of enabling access, collation, or interconnection, limitation: make the information registered on a system or device available to other users or recipients.
- Deletion: delete, remove the information from the system or device on which it was originally recorded.
- Destruction: disable the physical medium to prevent access to the information.
- Communication: send the data to another recipient from a source system or device through electronic means.
1.3.-The Services will be analysed periodically, and the two parties may agree to introduce changes, inclusions or eliminations which may be deemed to be apt or necessary in order to properly carry out the Services so as to improve the relations and efficiency of the Parties.
1.4.-The SUPPLIER may alter, at any time, the personal and material means used to provide the Services, as long as (i) it has obtained the prior written consent of the Data Controller and (ii) this does not prevent it from complying with the obligations mentioned in this Agreement.
1.5.-None of the services arising from this Agreement is understood to be provided on an exclusive basis. Consequently, the SUPPLIER may offer the same type of services to third parties other than the Client, provided that this does not prevent it from properly fulfilling its obligations under this Agreement.
TWO. DURATION AND VALIDITY OF AGREEMENT.
2.1.-This Contract is fully effective and valid, coming into force from the day it is signed, and will terminate as soon as the SUPPLIER ceases to process the Personal Data on behalf of the Client.
2.2.-If the obligations set out in this Agreement are undetermined or simply last longer, they shall remain in force even if the validity of the Agreement has been terminated for other purposes.
THREE. OBLIGATIONS OF THE PARTIES.
3.1.-The Client shall properly comply, at all times, with the provisions set forth in the GDPR, as well as with any regulations (national or supranational) that may be applicable at any given time. In particular, the Data Controller undertakes to:
- Give the SUPPLIER the Personal Data and inform the SUPPLIER of any change in the data that may affect their processing;
- Inform in advance of the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing, prior to access by the SUPPLIER to the Personal Data;
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons for whom the Client is the data controller, the controller shall communicate the personal data breach to the data subject without undue delay.
3.2.-The SUPPLIER shall properly fulfil, at all times, the provisions set forth in the GDPR, as well as any regulations (national or supranational) that may be applicable at any given time. In particular, the SUPPLIER undertakes to:
- Use the Personal Data, or those it may collect on behalf of the Client, only for the purpose of this Agreement, and it may not in any event use such Personal Data for its own and/or different purposes;
- Process the Personal Data only following documented instructions from the Client and, if any instruction is considered not to be aligned with the GDPR, to immediately inform the Data Controller so that it may take the measures deemed appropriate;
- Where required by the GDPR, keep a documented record of all categories of processing activities carried out on behalf of the Client within the framework of this Agreement;
- Not disclose Personal Data to third parties or give third parties access to such data, except with the express written authorisation of the Client for those cases allowed by law;
- Ensure that persons authorised to process Personal Data have undertaken to respect confidentiality on terms equivalent to those set out in this Agreement;
- Take all appropriate technical and organisational measures to ensure a level of security adequate to the risk of the Personal Data in accordance with the provisions of Article 32 of the GDPR and, in particular but without limitation, the following measures:
  - Measures to pseudonymise and encrypt personal details;
  - Measures which may ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
  - Measures which may restore the availability of and access to the personal details in a timely manner in the event of a physical or technical incident; and
  - Measures required to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
  - Measures which may verify, evaluate and judge the effectiveness of the technical and organisational measures implemented to guarantee the security of the processing;
- Abide by the conditions indicated in clause 5 below in relation to subcontracting;
- Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that they may comply with their obligation to reply to requests regarding the exercise of the data subjects' rights, that is, the rights of transparency, information, access, correction and erasure (right to be forgotten), restriction of processing, portability, opposition or not to be the object of automated individualised decisions (including profiling), and others that are specified in Chapter III of the GDPR. If the SUPPLIER receives a request for the exercise of the rights specified in Chapter III of the GDPR relating to the processing of data under this Agreement, it must notify the Client in a term of two (2) days maximum;
- Collaborate, cooperate and actively assist the Client in fulfilling the obligations set out in Articles 32 (security of processing), 33 (notification of a breach of the security of personal data to the Supervisory Authority), 34 (communication of a breach of the security of personal data to the data subject), 35 (data protection impact assessment) and 36 (prior consultation) of the GDPR, all taking into account the nature of the processing and the information available to the SUPPLIER;
- Report data security breaches to the Data Controller, when the breach is likely to pose a high risk to the rights and freedoms of natural persons for whom the Client is the Data Controller; in which case, the following minimum content is required:
  - Description of the nature of the security breach.
  - Name and contact details of the data protection officer or other contact point where more information can be obtained.
  - Description of the possible consequences of the personal data breach;
  - Description of the measures adopted or proposed to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects.
- Delete or return all personal data once the services referred to in the Recitals of this Agreement have been completed, deleting existing copies unless the personal data are required to be stored (invariably, applying the appropriate security measures in accordance with the GDPR and other applicable regulations) under the law of the Union or the Member States.
- The SUPPLIER guarantees: (a) that it will set up legal, organisational and technical measures aimed at generating evidence of compliance with Article 28 GDPR; (b) that it will make all information necessary to demonstrate compliance with the obligations set out in this Contract and in Article 28 of the GDPR available to the Client, and also allow and assist in the performance of audits, including inspections, by the Client to verify compliance with this Agreement, as well as all other provisions of the GDPR;
- Guarantee the necessary personal data protection training to the persons authorised to process the Personal Data.
In the event that the assistance obligations set out in this section require the performance of external or internal audits, or require a dedication of resources superior to that used in compliance with this contract, the SUPPLIER reserves the right to transfer to the Client the reasonable and justified extra costs that said increase involves.
FOUR. DUTY OF INFORMATION
4.1.-To ensure that the SUPPLIER may satisfactorily carry out the activity entrusted to it, the Client shall make available to the former all the data, information and documentation necessary for the SUPPLIER to carry out the services covered by this Agreement with the quality and excellence required.
5.1.-The SUPPLIER may not subcontract, whether totally or partially, any of the Services or Processing that is outlined by this Contract, except for any auxiliary services necessary for the normal operation of the Data Processor's Services. In this case, upon request by the Customer, the SUPPLIER will provide a list of said auxiliary services, together with a brief description thereof and of the third parties that provide them.
5.2.-If the SUPPLIER deems it necessary to subcontract, whether totally or partially, any of the Processing that is covered by this Contract, the SUPPLIER must communicate said circumstance beforehand, in writing, to the Customer and, as a minimum, seven (7) days in advance, indicating the processing it intends to subcontract, and it must clearly and unequivocally identify the subcontractor and its contact information. The SUPPLIER may carry out the subcontracting under the same terms expressed in the aforementioned communication in the event that the Data Controller has not expressed in writing its opposition thereto before the established deadline.
5.3.-Invariably, the SUPPLIER shall be held liable before the Client for any actions and/or omissions of the subcontractor.
SIX. INTERNATIONAL TRANSFER
The SUPPLIER, or any subcontractors, may transmit, store and process data outside the European Economic Area, as a result of the provision of the service. These subcontractors provide us with necessary auxiliary services for the normal operation of the services. In this case, the SUPPLIER will ensure that all data transfers offer an adequate level of protection, through the adoption of standard contractual clauses for data transfers approved by the European Commission (art. 46 GDPR), documenting all the guarantees in accordance with article 30, paragraph 2, of the GDPR.
7.1.-The SUPPLIER has sole liability, and if necessary will have to compensate the Client in full, for the correct performance of the services covered by this Agreement, except as provided in clause 6.2. Therefore, if the SUPPLIER fails to fulfil the terms of the Agreement, it admits full liability for all direct damages it may cause to the Client in the framework of the execution of this Agreement.
7.2.-The duties and obligations set out in this Agreement shall apply exclusively to the SUPPLIER, for those services performed directly by the SUPPLIER, by virtue of the Agreement. If the Client has signed the Software License Agreement with an Authorised Partner of Captio and that Agreement includes the provision of Services and/or additional functions to be provided by the Authorised Partner to the Client, if these additional Services require the customer's personal data to be processed, the Customer must sign an independent Data processing agreement with that Authorised Partner that includes the data processing activities of such additional Services. This Agreement shall not be valid or legally binding for the processing of such data.
EIGHT. PERSONAL DATA PROTECTION AND CONFIDENTIALITY.
8.1.-The SUPPLIER undertakes to comply with the obligation to keep the facts, personal data, information, knowledge, documents and other elements to which it has access in connection with the provision of the agreed service confidential and secret, and cannot keep a copy or use them for any purpose other than those expressly included in this Agreement.
8.2.-Furthermore, the SUPPLIER undertakes that confidential information will only be available to those natural or legal persons who need the information to carry out tasks for which the use of this information is strictly necessary. The SUPPLIER shall warn such natural or legal persons of their obligations with regard to confidentiality, ensuring compliance with them.
8.3.-These confidentiality obligations shall continue even after the termination of this Agreement.
NINE. APPLICABLE LAW AND JURISDICTION.
9.1.-This Agreement will be governed and interpreted in accordance with Spanish legislation. If any provision of this Agreement is held to be ineffective, whether this inefficacy is initial or supervening, the remainder of this Agreement shall be valid. The clause declared ineffective will be replaced by another one that the Parties decide by mutual agreement and in writing, and that from the point of view of the rights or obligations that it generates for them has a similar meaning to the one that it replaces.
9.2.-To resolve any dispute that may arise in the interpretation or fulfilment of this Agreement, the Parties agree to submit expressly and voluntarily to the Courts and Tribunals of the city of Barcelona, expressly waiving any other jurisdiction that may be applicable.