GDPR Agreement

GDPR Agreement on the Processing of Personal Data

As of May 25, 2018, Directive 95/46/EC has been repealed and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, is applicable.

The general rights and obligations are stipulated in this Agreement. Specific information regarding the individual processing of personal data is defined in accordance with Annex No. 1 for each data processing activity.

To better understand the terms used in this Agreement, the following definitions shall apply:
a. “Personal data” means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
b. “Processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
c. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Article 1
Subject Matter of the Agreement
The subject of this Agreement is the processing of categories of personal data, in compliance with the terms and conditions of this Agreement.

Article 2
Obligations of the Parties

Each Party is responsible for the lawfulness of data processing and for responding to requests from data subjects exercising their rights under data protection legislation.

The Parties have the following obligations:
a. To use the personal data provided by the other Party solely for the purpose for which the agreement was concluded and in compliance with the other obligations set forth in this Agreement;
b. To comply with the applicable rules, provisions, and regulations regarding data protection as stipulated in Regulation (EU) No. 679/2016;
c. To cooperate in cases where (i) a data subject wishes to exercise their rights as provided by Regulation (EU) No. 679/2016, and (ii) to demonstrate compliance with legal obligations regarding personal data processing; in this regard, the Parties agree to provide each other with prompt and reasonable assistance (within 5 working days from the request) to review the data subject’s request and respond within the legal timeframe, including by taking appropriate technical and organizational measures;
d. Each Party shall maintain a record of (i) requests/notifications submitted by the data subject as mentioned above, (ii) decisions and information exchanged; these records shall include a copy of the submitted requests and details regarding the personal data accessed and disclosed between the Parties;
e. To cooperate in conducting a data protection impact assessment, if and to the extent such an assessment is required;
f. To notify each other without undue delay and no later than 24 hours after becoming aware of any personal data security breach, providing all reasonably available details, and to cooperate and provide reasonable information upon request of the affected Party regarding the data breach and its consequences; furthermore, each Party shall comply with all obligations imposed by Regulation (EU) No. 679/2016 regarding the management, notification, documentation, and resolution of any security incident;
g. Each Party shall comply with legal provisions regarding data retention periods, and with obligations concerning the deletion/anonymization of personal data processed under the Contract and this Agreement;
h. To cooperate and provide the other Party and any competent supervisory authority with all necessary information regarding data processing activities under the Contract and this Agreement;
i. Not to transfer personal data to any country or territory outside the European Union, except where an adequate level of protection is ensured for that country or territory, in accordance with Regulation (EU) No. 679/2016; the Party intending to transfer the data shall enter into a data transfer agreement with the relevant entity outside the European Union, which shall include standard contractual clauses approved by the competent bodies of the European Commission or equivalent measures provided by Regulation (EU) No. 679/2016, to ensure compliance with regulatory obligations under Regulation (EU) No. 679/2016; the Parties shall inform each other in writing, providing appropriate evidence, about how the adequate level of protection is ensured for such transfers in each case;
j. To respond within the legal timeframe, either jointly if applicable or individually, to any requests made by the National Supervisory Authority for Personal Data Processing in relation to the processing of personal data.
3. Each Party, when acting as a Data Controller, has the following obligations:

a. It shall properly and fully fulfill all obligations related to informing data subjects and obtaining their consent (if applicable) regarding the processing of personal data;
b. It is designated as the point of contact for data subjects; in the event of receiving any request/notification, the Party acting as Controller shall inform the other Party within a maximum of 5 working days from receipt of such requests, as well as whether they should be resolved/managed by the Party acting as the Processor.

4. Each Party, when acting as a Data Processor, has the following obligations:

a. Personal data shall be processed by the Processor only upon documented written instruction from the Controller, in physical or electronic format, including with respect to any transfer of personal data to a third country or international organization. The Controller retains full rights to issue instructions regarding the type, subject, and procedures of data processing, which may be specified in detail in individual instructions. The Processor shall document and retain the instructions received and any other permissions in a clear and reasonable manner and shall make the records available to the Controller upon request;
b. The Controller’s instructions shall be issued exclusively by the person mentioned in the relevant annex. The recipients of the instructions under the Processor’s control are the persons listed in Annex 1 of this Agreement;
c. The Processor shall immediately notify the Controller if it considers that an instruction from the Controller violates any applicable data protection regulations;
d. The Processor shall regularly monitor compliance with the data confidentiality parameters under this Agreement and the Controller’s instructions, as well as any other approvals from the Controller, throughout the contractual term;
e. The Processor guarantees that all persons entrusted with processing tasks (employees, subcontractors, etc.) fully comply with the legal data protection regulations, shall implement and maintain technical and organizational measures to adequately protect the personal data of the data subjects in accordance with Article 32 of Regulation (EU) No. 679/2016, and shall observe those measures;
f. Upon the Controller’s request, if applicable, the Processor shall provide all necessary information for the Controller to prepare the record of processing activities as defined by Article 30 of Regulation (EU) No. 679/2016, solely for the purposes of processing as defined in Annex 1 of this Agreement;
g. The Processor shall assist the Controller, upon request, in ensuring compliance with the Controller’s obligation to carry out a data protection impact assessment in accordance with Article 35 of Regulation (EU) No. 679/2016, by providing the relevant information requested by the Controller;
h. The Processor shall ensure that any employee or person acting under its authority and entrusted with the processing of personal data is contractually bound to respect the principle of data confidentiality in accordance with Article 28(3)(b) of Regulation (EU) No. 679/2016 and has been appropriately trained on the data protection provisions outlined in this Agreement;
i. The Processor shall ensure that the designated contact person responsible for data protection complies with the obligations under Article 38 of Regulation (EU) No. 679/2016;
j. Upon request by the Controller, the Processor shall provide all necessary information to demonstrate compliance with its obligations under this Agreement;
k. The Processor shall guarantee the implementation of appropriate technical and organizational security measures to ensure the protection and security of personal data processed and used on behalf of the Controller;
l. The Processor shall implement at least the following control measures as part of its standard security practices:

Prevention of unauthorized persons from accessing data processing systems or using personal data;

Prevention of unauthorized use of data processing systems;

Assurance that authorized users have access only to the data for which they have received authorization and that personal data cannot be read, copied, modified, or deleted without authorization during processing, use, and after recording;

Capability to retrospectively verify and evaluate whether personal data was recorded, modified, or deleted from processing systems and, if so, to identify the responsible person;

Assurance that data is protected against accidental destruction or loss.

In the event of a change in contact persons or if a contact person is prevented from acting for an extended period, the contracting partner shall notify the successor or representative accordingly in writing, either in physical format or electronically.