GDPR - Data Protection
Last Updated : 12 Oct 2022
It is the intention of the Parties that this Appendix no. 3 to the Agreement constitutes a written contract (the “Addendum”), binding on the Data Processor in accordance with Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”).
This Agreement will be deemed to have entered into force at the latest on the Effective Date, namely the moment at which the Brand opens an account on the Platform and thereby accepts this document.
The individual who signs up in the name of the Brand represents and warrants that they have the authority to agree to this Agreement on behalf of the Brand and the right to bind the Brand thereto.
Any Brand wishing to obtain an executable copy of this Addendum can contact GuidefAI at the email address email@example.com and request a PDF version of this Addendum. The email must include: the name of the entity, the name and title of the authorised representative, and their email address for account confirmation.
Data Processing Addendum
By and between:
[…], having its headquarters located in the city of […], […] Street, registered with the Trade Registry under no. […], sole registration no. […], having as contact email address […], hereinafter referred to as the “Brand” and/or “Data Controller”,
GUIDEFAI S.R.L., having its headquarters located in Timişoara, Dr. Iosif Nemoianu Street, Nr. 9, Rooms 1, 2 and 4, apartment 2, Timiş county, Romania, registered with the Trade Registry under no. J35/3534/2020, sole registration no. 43373410, having as contact email address firstname.lastname@example.org, hereinafter referred to as the “Provider” and/or “Data Processor”,
Data Controller and Data Processor are hereinafter jointly referred to as the “Parties” and individually as the “Party” throughout this Addendum.
1. The Data Controller uses the services of the Data Processor in order to digitalise Brand Documentation, create and display the Brand Platform and allow the Brand to obtain customer insights, as per the Agreement between the Parties, available here (the “Agreement”).
2. The Agreement enables the Data Controller’s Brand Users and final Users to upload and/or make available information within the Platform without the Data Processor’s participation or involvement, and also allows the Data Controller to add additional controls as to what data is collected and processed;
3. The Data Processor assumes no responsibility for the Personal Data processed by the Data Controller through the GuidefAI Platform,
4. The Parties agree to enter into this Addendum to ensure compliance with EU Data Protection Laws and Regulations (as defined below) in relation to all such Processing (as defined below),
5. This Addendum forms an integral part of the Agreement,
6. The terms of this Agreement apply to all Processing (as defined below) carried out for the Data Controller by the Data Processor and to all Personal Data (as defined below) held by the Data Processor in relation to all such Processing, whether such Personal Data is held at the date of this Agreement or received afterwards,
In consideration of the above (the preamble forming an integral part of this Addendum), the Parties have mutually agreed to conclude this Addendum with the following provisions:
Where applicable, terms defined in the Agreement shall have the same meaning when used in this Addendum. In addition, the definitions below apply in this Data Processing Addendum:
a) Affiliate – any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of the majority of the voting interests of the subject entity.
b) Data Controller – the entity which determines the purposes and means of the Processing of Personal Data.
c) EU Data Protection Laws and Regulations – all laws and regulations applicable in Romania, regardless of whether they are primary legislation (such as national laws and/or the GDPR, defined below) or secondary legislation (such as the Working Party / European Data Protection Board guidelines or other guidelines issued by the Supervisory Authority), applicable to the Processing of Personal Data under the Agreement.
d) Data Subject – the identified or identifiable person to whom Personal Data relates.
e) GDPR – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
f) Personal Data – any information relating to an identified or identifiable natural person, where such information is protected under applicable EU Data Protection Laws and Regulations. For the purpose of this Agreement, Personal Data includes Personal Data relating to criminal convictions and offences and special categories of Personal Data (as defined by the GDPR).
g) Processing – any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
h) Data Processor – the entity which performs the Processing of Personal Data on behalf of the Data Controller.
i) Sub-processor – any person appointed by or on behalf of the Data Processor, or by an Affiliate, to Process Personal Data in connection with the Agreement;
j) Supervisory Authority – the National Authority for Supervision and Protection of Personal Data, or any other authority to which data protection responsibilities were attributed pursuant to the EU Data Protection Laws and Regulations of any Member State.
k) Transfer – to disclose or otherwise make Personal Data available to a third party (including any Affiliate or Sub-processor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means. For the sake of clarity, storage and back-up shall qualify as a Transfer for the purpose of this Agreement.
1. The purpose of this Addendum is to describe the Processing to be carried out by the Data Processor in relation with the Agreement.
2. The Data Processor processes the Personal Data on behalf of Data Controller. The Processing of the Personal Data by the Data Processor shall take place within the framework of the Agreement and this Addendum and only to the extent:
2.1 needed to provide the services under the Agreement, or
2.2 that Data Controller has instructed the Data Processor to do so in relation with the Agreement, or
2.3 needed to comply with law.
3. The Data Processor may perform other Processing of the Personal Data only for statistical purposes and/or if the data is anonymised.
This Addendum shall be deemed to take effect from the Effective Date of the Agreement and shall continue in full force and effect until the termination of the Agreement.
Scope of the Processing carried out by the Data Processor
Under this Addendum, the Data Controller has defined that the following categories of Personal Data will be the subject matter of the Processing:
– Personal Identification Number
– Company name
– Credentials (Password / PIN)
– Credentials (Username)
– Credit / debit card details
– Customer financial details
– Name and/or Surname
– Geolocation data
– IP Address
– Job position
– Phone number(s) (contact)
– Power of attorney
– Profiling results
– Signature (manual, electronic copies of signature)
– Social accounts (Facebook, LinkedIn, Instagram, Yahoo, etc.)
– Web cookies and similar technologies
The Data Controller has defined the following categories of data subjects from whom the Personal Data will be the subject matter of Processing under this Addendum:
– Brand Users
– Collaborators, sub-contractors
– Suppliers, service providers and communication partners
– Consultants and other partners
– Representatives of authorities
Under this Addendum, the Data Processor will not process:
a) special categories of Personal Data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation;
b) Personal Data relating to criminal convictions and offences.
Throughout the term of the Agreement, each at its own expense, both Parties are continuously responsible for monitoring, detecting and notifying the other Party of any change in the Processing in respect of either the Personal Data and/or the data subjects. Any change will be brought to the attention of the other Party in writing, as soon as feasible from the date the change was detected.
Obligations of the Data Processor:
1. Confidentiality. The Data Processor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed confidentiality agreements.
2. Limitation of Access. The Data Processor shall ensure that access to Personal Data is limited to those personnel performing the relevant services.
3. Minimum Appropriate Technical and Security Measures. The Data Processor agrees and, on a best-effort basis, guarantees that it has implemented security measures which are appropriate to protect the Personal Data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected, having regard to the state of the art and the cost of their implementation. The Data Processor documents the implementation of the technical measures in accordance with the requirements of the EU Data Protection Laws and Regulations and discloses such documentation to the Data Controller upon commencement of this Agreement. The Data Processor ensures that it has implemented the appropriate technical measures listed in Annex No. 1 hereto.
4. Duty to collaborate. The Data Controller and the Data Processor shall cooperate with each other and/or with the Supervisory Authority in relation to any administrative investigations or information requests concerning the Personal Data or this Agreement. More specifically:
4.1. Request from a data subject. Within a maximum of 7 (seven) working days of receipt, the Data Processor shall notify the Data Controller of any request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, right to object to the Processing, or right not to be subject to automated individual decision-making (a “Data Subject Request”). The Data Processor shall not respond to a Data Subject Request without the Data Controller’s prior written consent. The Data Processor shall, upon the Data Controller’s request, provide reasonable assistance to facilitate such Data Subject Request.
4.2. Request from the Supervisory Authority. Within a maximum of 2 (two) working days of notice, the Data Processor shall notify the Data Controller of any inspection, information request or any other act of the Supervisory Authority in respect of the Personal Data.
5. Duty to inform. Throughout the term of the Agreement, the Data Processor shall notify the Data Controller of any administrative offence proceedings, criminal proceedings or liability claim based on the EU Data Protection Laws and Regulations, if related to the Personal Data.
6. Duty to evaluate the lawfulness of instructions given by the Data Controller. The Data Processor undertakes to evaluate the lawfulness of the instructions given by the Data Controller against the provisions of the EU Data Protection Laws and Regulations and to promptly notify the Data Controller if it considers that it has been given instructions which do not comply with such EU Data Protection Laws and Regulations.
7. Personal Data Incident Management and Notification. The Data Processor maintains security incident management policies and procedures and shall notify the Data Controller without undue delay (and in any case within 24 hours) after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by the Data Processor and/or its Sub-processors (a “Personal Data Incident”). The Data Processor shall notify the Data Controller before notifying any Supervisory Authority. The Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps that the Data Processor deems necessary and reasonable in order to remediate the cause of such Personal Data Incident.
8. Data Protection Impact Assessment. The Data Processor shall make all reasonable efforts to assist the Data Controller with any data protection impact assessments.
9. Records of processing. The Data Processor will set up and keep up-to-date records of processing for the Processing performed under this Agreement. The Data Processor may select the most suitable manner of organising these records of processing, as per the applicable provisions of the EU Data Protection Laws and Regulations.
Obligations of the Data Controller:
1. Responsibility. The Data Controller warrants:
a) that it has a lawful legal basis for the Processing of the Personal Data;
b) that, where applicable, it has the required permissions / consent from the Data Subjects;
c) that it will not transfer to GuidefAI any special categories of Personal Data or Personal Data relating to criminal offences or convictions, and that the controls enabled within the GuidefAI Platform will not lead to the processing of such data;
d) that it will reference GuidefAI as a processor of the Personal Data.
2. Duty to inform. If the Data Controller discovers a failure to comply with the EU Data Protection Laws and Regulations with respect to any aspect of the Processing of Personal Data under this Addendum, it must notify the Data Processor within 72 (seventy-two) hours of such discovery and provide solutions and/or remedies.
Sub-processors and Affiliates:
1. The Data Processor shall not subcontract its obligations under this Agreement to a Sub-processor without first informing the Data Controller and allowing it to object. If the Data Controller does not object or respond within 15 (fifteen) days of the notice, the Sub-processor may be appointed.
2. For the sake of clarity, any Affiliates which are involved in the Processing of the Personal Data shall be considered Sub-processors.
3. The Data Processor shall ensure that Sub-processors undertake the same obligations as those imposed on the Data Processor in this Addendum and the Agreement, as amended and/or supplemented from time to time.
4. The list of subcontractors approved by the Data Controller is set out in Annex No. 2.
Audits and Inspections:
Upon the Data Controller’s request, the Data Processor shall make available to the Data Controller, or to a third party appointed by the Data Controller, information regarding the Data Processor’s compliance with the obligations set forth in this Agreement. The Data Controller may request an on-site audit of the Data Processor’s architecture, systems and procedures relevant to the protection of Personal Data at the locations where Personal Data is stored. Before the commencement of any such on-site audit, the Data Controller and the Data Processor shall mutually agree upon the scope, timing and duration of the audit.
Termination of this agreement and return or deletion of personal data:
1. This Addendum shall terminate on the date the Agreement is terminated regardless of cause for termination.
2. Upon termination of the Agreement, and no later than 30 (thirty) working days from such termination, the Personal Data will be deleted and/or anonymised by the Data Processor or, where this is not legally permitted, returned to the Data Controller.
1. The Parties hereby agree that they will cooperate fully in the case of any investigation or court litigation which concerns the Personal Data, this Addendum or the Agreement, so as to minimise any losses.
2. The provisions of this Addendum shall be read alongside the Agreement.
3. Financial arrangements between the Data Controller and the Data Processor are included in the Agreement and cover the assistance and/or the costs incurred by the Data Processor in performing this Addendum. However, should the Data Controller request the implementation of additional security measures and/or procedures or tasks that are not an obligation under this Addendum, these shall be implemented by the Data Processor at the expense of the Data Controller.
If the Data Controller does not agree to the costs, it shall be entitled to terminate the Agreement with 30 (thirty) days’ notice and the Data Processor will not be considered in breach of the Agreement.
The following Annexes are part of this Agreement:
Annex No. 1 – Appropriate Technical and Security Measures
Annex No. 2 – Approved Subcontractors
ANNEX NO. 1 – Appropriate technical and security measures
The Data Processor:
– shall employ its best efforts to take the necessary and reasonable measures for the processing of Personal Data as set out in this Annex;
– undertakes that the requirements established herein will be acknowledged by, contractually binding on and respected by its staff (regardless of the employment regime);
– shall keep the measures and controls under review. Additional security and technical requirements may be included in specific contracts, agreements, technical annexes, etc.;
– shall give the Data Controller 15 (fifteen) days’ notice of its intention to subcontract any of its obligations and allow the Data Controller to object. The Data Processor shall be liable only for the diligence with which it chooses its Sub-processors. The Data Processor shall ensure that its subcontractors comply with at least the same requirements as those imposed on the Data Processor in this Addendum. If the Data Controller does not object within 15 (fifteen) days of the notice, the Data Processor shall be allowed to contract the Sub-processor.
The users appointed by the Data Processor must access only the Personal Data required to perform their job assignments. For this purpose, the Data Processor shall take reasonable steps to implement an access policy and determine the types of access by functionality (such as administration, input, processing, saving, etc.).
Data input controls
The Data Processor shall take reasonable measures to ensure that the systems it employs allow it to establish whether, and by whom, Personal Data was entered, modified or deleted.
The Data Processor shall ensure that its staff are trained in the use of the information system and in the applicable data protection legal framework.
ANNEX NO. 2 – Approved Subcontractors
In order to provide the services according to the Agreement, the Data Controller approves the use by the Data Processor of the following Subcontractors: