Processor agreement Selva Digital 2022.01

Processor agreement

If Selva Digital processes personal data on behalf of the Client during the execution of the agreement, the conditions below shall apply in addition to the General Terms and Conditions. The applicability of processing agreements of the Client is explicitly rejected.

Selva Digital offers the client the possibility to purchase the subscription where Selva Digital processes Personal Data for and on behalf of the client during the execution of the service. With the Processing of Personal Data, the client is considered the Processor and Selva Digital, depending on the capacity of the client, is considered the Processor or Sub-Processor.

Taking into account that:

  • The Processing Agent has instructed the Processing Agent to process the personal data under the main agreement and the general terms and conditions attached to this agreement;
  • Processor accepts the assignment to process this personal data and does not process this data for his own purposes;
  • Controller is responsible for the processing of the data by the Processor within the meaning of the General Data Protection Regulation;
  • Parties wish to lay down their mutual rights and obligations for the Processing of Personal Data.

Have agreed:

Definitions

AVG: the General Data Protection Regulation (Regulation (EU) 2016/679) elaborated in the UAVG.

Data Subject: the person to whom the Personal Data relates, as referred to in Article 4(1) of the AVG.

Main Agreement: the main agreement(s) entered into between the Controller and the Processor, including annexes, to which this Processing Agreement relates.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as referred to in Article 4(12) of the AVG.

Employees: Persons employed by the Controller or the Processor.

Recipient: a natural or legal person, a government agency, a service or another body, whether or not a third party, to whom/which the Personal Data are provided as referred to in Article 4(9) of the AVG.

Parties: Controller and Processor.

Personal Data: any information in the broadest sense on an identified or identifiable natural person (the Data Subject) which is processed within the scope of the Main Agreement as referred to in Article 4(1) of the AVG; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the natural person’s physical, physiological, genetic, mental, economic, cultural or social identity.

Company data: all information in the broadest sense of the word about the company that is processed within the framework of the agreement.

UAVG: the law implementing the General Data Protection Regulation (Regulation (EU) 2016/679) of 16 May 2018.

Processor: the natural or legal person, a government organisation, a service or another body which processes Personal Data on behalf of the Controller as referred to in Article 4(8) of the AVG.

Sub-Processor: another processor engaged by the Processor to Process Personal Data on behalf of a Controller.

Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data within the meaning of Article 4 paragraph 7 of the AVG.

Processor Agreement: this Processor Agreement for the establishment of the agreements referred to in Article 28 (3) of the AVG.

Processing: an operation or set of operations relating to Personal Data, whether or not performed by automated means, such as recording, organising, collecting, structuring, storing, amending, retrieving, consulting, using, disclosure by transmission, dissemination or otherwise making available, aligning or combining, blocking, erasing or destroying data as referred to in Article 4(2) of the AVG.

 

Article 1 Purpose of the processing

1.1 The Processor undertakes to process personal data on the instructions of the Processing Party under the terms of this Processing Agreement. Processing will take place exclusively in the context of the performance of the assignment agreement and this Processing Agreement within the meaning of Article 28(3) of the AVG.

1.2 The Processor is prohibited from processing the personal data for any purpose other than the purpose connected with the performance of the contract, as well as the purposes reasonably related to the contract or determined with explicit consent during the term of the contract. To this end, Processor offers its Service(s).

1.3 The category of data subjects whose personal data are processed (on the instructions of the Controller) includes Client as well as its clients and/or other involved persons with whom Client has to deal including but not limited to: its (potential) clients, cooperation partners, relations, employees, visitors of the website, third parties who make personal data available to Controller, persons who are included in the webmail environment provided by Selva Digital, and other possible categories of data subjects whose personal data is processed through the services of Selva Digital.

1.4 The category of Personal Data that is processed is data including in any case, but not limited to, contact and name and address details, e-mail address, location and login data, IP addresses, and other categories of Personal Data including both non-personal and special personal data.

1.5 The Processor will not process the personal data for any purpose other than as laid down by the Processing Responsible Party. The Processing Responsible Party will inform the Processor of the processing purposes insofar as they are not already set out in this Processing Agreement.

1.6 The Processor has no control over the processing and use of the personal data. The Processing Responsible Party is responsible for the means and determining the purpose of the processing and must clearly set this out in writing. The Processing Entity must always inform the Processor of the processing purposes. The Processor shall never make independent decisions about the processing of the personal data, including the duration of storage, the use of the personal data and the disclosure to third parties.

1.7 The majority of processing will be (semi-)automated, but can also be done manually.

1.8 The personal data to be processed on the instructions of the Processing Agent will remain the property of the Processing Agent (insofar as this data does not already belong to third parties).

 

Article 2 Duration of the Agreement

2.1 This agreement commences after the agreement has been signed and is entered into for the duration of the assignment as agreed in the main agreement.

2.2 This agreement cannot be terminated prematurely.

2.3 Amendments to this agreement as a result of changes to the underlying commission contract, laws or regulations or other relevant circumstances are only valid if they are added to the processing agreement after consultation and with the explicit consent of the parties.

2.4 This Agreement shall terminate by operation of law if the Main Agreement ends.

2.5 Once the agreement is terminated, for whatever reason and in whatever way, the Processing Responsible Party is responsible for removing its data from the Processor’s system in a timely and correct manner. All consequences of deleting this data shall be entirely at the expense and risk of the Processing Responsible Party, unless explicitly agreed otherwise.

2.6 The provisions on confidentiality, liability and dispute resolution shall remain in full force and effect after termination of this Agreement.

 

Article 3 Obligations of Processor

3.1 The Processor is obliged to comply with the conditions imposed on the processing of personal data under applicable laws and regulations, in particular the AVG and the AVG Implementation Act.

3.2 The Processor is prohibited from enriching its database(s) and/or files with any personal or other data from the Controller’s database(s), except if the Processor needs to create temporary database(s) and/or files for the proper processing of the personal data. The temporary files will be deleted immediately from the moment that these temporary files are no longer necessary for processing.

3.3 The Processor will inform the Processing Party, at the latter’s request, of the measures it has taken with regard to its obligations under this Processing Agreement.

3.4 The Processor is not obliged to follow any instructions and/or directions given by the Processor.

3.5 All obligations that rest on the Processor also apply to the persons who process personal data under the authority of the Processor, including employees and third parties engaged by the Processor.

3.6 The Processing Entity will have access to the (personal) data stored by it at all times.

3.7 Processor has access to the stored (personal) data.

3.8 This agreement is not transferable, unless explicitly agreed otherwise.

 

Article 4 Transfer of personal data

4.1 If personal data is transferred, the Processor will inform the Accountable Party of the country or countries involved. The Processor guarantees that, in view of the circumstances which affect the transfer of the personal data or a category of data transfers, an adequate level of protection exists in the case of countries outside the European Union.

4.2 In particular, when determining an appropriate level of protection, the Processor will take into account the duration of the intended processing, the country of origin and the country of final destination, the general and sectoral rules of law applicable in the country concerned, as well as the rules of professional conduct and the security measures observed in those countries.

 

Article 5 Responsibility of Processor

5.1 The Processor will perform the work for the Processing Party under this agreement as agreed in the main agreement.

5.2 The Processor is only responsible for the processing of the personal data under this Processing Agreement in accordance with the instructions of the Processing Responsible Party and under the explicit (final) responsibility of the Processing Responsible Party. The Processor is explicitly not responsible for the other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Processing Responsible Party, processing for purposes not notified by the Processing Responsible Party to the Processor, processing by third parties and/or for other purposes.

5.3 The Controller warrants that the content, use and commissioning of the processing of the personal data referred to in this Processing Agreement are not unlawful and do not infringe any rights of third parties.

 

Article 6 Third parties

The activities of the Processor may be outsourced to third parties, the sub-processors. All obligations under this Agreement shall also apply to these third parties.

 

Article 7 Security measures

7.1 The Processor shall make an effort to take sufficient and appropriate organisational and technical measures against any form of unlawful processing in relation to the processing of personal data to be carried out by it, all this within the reasonable possibilities offered by the Processor’s (software) suppliers.

7.2 The security level of the measures must at least comply with a level that is not unreasonable in the context of the costs involved, the sensitivity of the personal data concerned and the state of the art and risks. Processor does not guarantee that the security measures taken will, at all times, be effective under all circumstances.

7.3 The controller is responsible for compliance with the agreements made by the parties.

7.4 The Processing Entity itself must take all (security) measures to ensure that any natural person acting under the authority of the Processing Entity and having access to the Services of the Processor only processes the relevant stored (personal) data on the instructions of the Processor.

7.5 If there is a leak in the security or data which may cause damage or have adverse effects on the protection of the personal data, the Processor must inform the Processing Responsible Party immediately, or at least without unreasonable delay, but within 24 hours of the time at which the Processor could reasonably have been expected to be aware of this. If the notification referred to in the previous sentence is not reasonably possible within 24 hours, the parties will consult with each other to determine a reasonable period within which the Processor will be able to inform the Processing Responsible Party. The Processing Responsible Party will then inform the Personal Data Authority within 72 hours and any parties involved as soon as possible about the breach.

7.6 Pursuant to the obligation of Processor to report a leak, the report of a leak must consist of at least the following components:

  • the nature of the personal data breach, where possible indicating the categories of data subjects and personal data concerned and, approximately, the number of data subjects and personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where further information can be obtained;
  • the likely consequences of the personal data breach;
  • the measures proposed or taken by the Processor to prevent the breach in relation to personal data, including, where appropriate, measures to mitigate their possible adverse effects.

7.7 The Controller and the Processor must each keep a register of Data Leaks in accordance with Article 33(5) of the AVG. The Processor must document all data breaches, including the facts relating to the personal data breach, the consequences thereof and the corrective measures taken. The Processor will allow the Processing Party to inspect this upon request.

7.8 If a security breach of the personal data has taken place at the Processor, the Processor is obliged to take appropriate measures at its own expense to prevent future incidents and/or breaches.

 

Article 8 Confidentiality

Processor and its employees as well as the third party/parties engaged by Processor are obliged to keep all personal data, sensitive information and/or company data acquired through this agreement confidential. The duty of confidentiality does not apply if Processor has given explicit, written consent to share these data and information with a third party, or there is a legal obligation to provide the data and information to a third party. After the end of this agreement, the parties will remain obliged to comply with this secrecy obligation.

 

Article 9 Rights of data subjects

9.1 If the Processor receives a request for inspection from a data subject or an authorised body and/or supervisory authority, it will pass this request on to the Processing Responsible Party as soon as possible and in any event within 7 working days. If so requested, Processor must cooperate in the execution of the request. The reasonable costs incurred by the Processor in providing its cooperation will be borne by the Processing Responsible Party.

9.2 The provisions of Article 9.1 shall apply accordingly if a data subject wishes to exercise other rights such as the right to rectification, data erasure, the right to restriction of processing, the right to data portability, the right to object and rights in the event of automated individual decision-making as laid down in Sections 3 and 4 of the General Data Protection Regulation.

 

Article 10 Audit

10.1 The Processor may have an expert verify compliance with this Processor Agreement, only after it has become apparent that the Processor’s audit reports are insufficient (no or insufficient clarity regarding the Processor’s compliance with the Processor Agreement) and the content of these reports justifies such an audit.

10.2 Processor is obliged to cooperate in the verification and shall provide all relevant information as soon as possible, but no later than within 14 calendar days after the request for information is received by Processor. Processor may be given up to one month extension to still provide the information. If there is an urgent interest, the parties may make alternative arrangements. If there is an urgent interest, the parties shall consult with each other to agree on a possibly shorter period.

10.3 The audit shall take place at most once a year, after at least six weeks have elapsed since the announcement of the audit. The findings of the audit shall be discussed by the parties and, if desired, implemented by one or both of them jointly.

10.4 The costs of the audit will be borne entirely by the Processor. If the audit reveals that adjustments are required to the security measures of the Processor, and the Processing Responsible is also responsible for this, the costs of the security measures (to be taken) will be borne proportionally by the Processor and the Processing Responsible, unless the responsibility is to be borne in full by the Processing Responsible, in which case the Processor itself will bear the costs in full.

 

Article 11 Liability

11.1 Controller is ultimately responsible for processing the personal data and guarantees that the processing is lawful and does not infringe the rights of those involved. The Processor is not liable for any damage resulting from acts and/or omissions, or non-compliance with laws and regulations by the Processor.

11.2 Processor is not liable for indirect damage, consequential damage, loss of profit, missed savings, reduced goodwill, business interruption and/or damage as a result of claims by the Processing Agent, involved parties and third parties.

11.3 Without prejudice to the provisions of this Article, the Processor is only liable for the damage caused by the processing if this processing does not comply with the obligations of the AVG specifically addressed to the Processor or if it contravenes the lawful instructions of the Processing Responsible. If and insofar as any damage is caused, the liability of Processor is limited to the invoice value excluding VAT of the past 12 months.

11.4 The Controller guarantees that the order to process the personal data complies with the applicable laws and regulations.

 

Article 12 Indemnification

12.1 The Processing Responsible Party will indemnify the Processor against claims, fines and/or penalty payments from or on behalf of the Personal Data Authority and/or other authorities, where it has been established that the breaches are the responsibility of the Processing Responsible Party and/or the Processor. Processor may recover the fines and/or periodic penalty payments imposed from the Processor if it cannot be held responsible for the breaches.

12.2 The Processor will indemnify the Controller against all claims by third parties, including the supervisor(s) and/or other authorities, arising from non-compliance with the applicable laws and regulations.

 

Article 13 Dispute settlement

13.1 This agreement shall be governed by Spanish law.

13.2 All disputes arising between the parties that arise from or relate to this Processor Agreement shall be settled by the competent court where the Processor has its registered office.