1. Definitions and interpretations
Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:
1.2. “Agreement” means this Data Processing Agreement and all Annexes hereto;
1.3. “Company’s Personal Data” means any Personal Data Processed by a Processor and/or Sub-processor on behalf of Company pursuant to or in connection with the Services Agreement;
1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.5. “EEA” means the European Economic Area;
1.6. “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR;
1.7. “EU Standard Contractual Clauses” means the terms pursuant to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
1.8. “GDPR” means EU General Data Protection Regulation 2016/679;
1.9. “Data Transfer” means:
a) transfer of Company Personal Data from the Company to a Sub-processor; or
b) an onward transfer of Company Personal Data from a Sub-processor to another Sub-processor where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.10. “Services” means the services the Processor provides;
1.11. “Sub-processor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.
The terms, “Commission”, “Controller”, “(Data) Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Definitions and interpretations
Processor shall:
2.2. comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.3. process Company’s Personal Data for the purposes of the Services Agreement only. Processing of Company’s Personal Data shall be only in accordance with the written instructions of the Company in respect of such Personal Data, and not for any other purpose, or in any other manner, unless specifically instructed by the Company in writing to do so. The management and administration services provided by the Company under this Agreement reflect the processing instructions of the Company. In the event that Data Processor is required by the Data Protection Laws to process Personal Data for any other purpose or in any other manner, Data Processor shall inform the Company of that legal requirement before processing, unless the applicable law prohibits such information on grounds of public interest;
2.4. where applicable, assist the Company in connection with its obligations as regards (i) the security of processing, (ii) notification of Company’s Personal Data Breaches to the supervisory authority, (iii) communication of a breach to a Data Subject, (iv) the conduct of data protection impact assessments (and, where required by Data Protection Laws, consulting with the relevant Privacy Regulation in respect of any such data protection impact assessment).
3. Subprocessing, Reliability and Non-Disclosure
The Processor may appoint any Subprocessor to process Company’s Personal Data provided that:
Processor enters into a written contract with the Sub-processor on equivalent terms to those set out in this Agreement;
Processor keeps updated the list of its Sub-Processors available at https://corefy.com/list-of-sub-processors; agreements with Sub-Processors are published online on the websites of the respective Sub-Processors;
where a Sub-processor fails to fulfil its data protection obligations, Processor shall remain fully liable to the Company for the performance of the Sub-processor’s obligations;
Processor carries out adequate due diligence on each Sub-Processor to ensure that it can provide the level of protection for Company Personal Data, including without limitation, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR, this Agreement, the Services Agreement and the applicable Data Protection Laws; and
insofar as that contract involves the transfer of Company Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Company into the contract between the Processor and each Sub-Processor to ensure the adequate protection of the transferred Company Personal Data.
Processor shall take all the reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company’s Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties to the Sub-processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Processor must ensure that all individuals who have a duty to process Controller’s Personal Data:
are informed of the confidential nature of the Company’s Personal Data and are aware of Processor's obligations under this Agreement and the Services Agreement in relation to the Company’s Personal Data;
have taken appropriate training and/or certifications in relation to the Data Protection Laws or any other training and/or certifications requested by the Company;
are subject to confidentiality undertakings or professional or statutory obligations of confidentiality; and
are subject to user authentication and login processes when accessing the Company’s Personal Data in accordance with this Agreement, the Services Agreement and the applicable Data Protection Laws.
4. Personal Data Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
Such measures must ensure a level of security appropriate to the risk of processing the Company’s Personal Data, including as appropriate, measures which:
include pseudonymisation and encryption of Company’s Personal Data;
ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
enable the availability of, and access to, Company’s Personal Data to be restored in a timely manner in the event of a physical or technical incident or disaster; and
incorporate periodic risk assessments to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of records containing Company’s Personal Data and a process for regularly testing, assessing and evaluating the effectiveness of its security measures.
In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Data Subject Rights
The Company is primarily responsible for handling and responding to requests made by data subjects.
Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws (including the right of access, the right to rectification, restriction of processing, erasure, data portability, the right to object to the processing, and the right not to be subject to automated individual decision-making). With regard to the Data Subject rights, Processor shall:
promptly notify the Company if the Processor receives a request from a Data Subject under any Applicable Law with respect to Company’s Personal Data;
ensure that Processor does not respond to that request, except on the documented instructions of the Company, or as required by Data Protection Laws to which Processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform the Company of that legal requirement before the Processor responds to the request.
6. Personal Data Breach
Processor shall notify the Company without undue delay, but not later than twenty-four (24) hours, upon Processor becoming aware of the Company’s Personal Data Breach affecting Company’s Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Such notification shall as a minimum describe:
the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
the estimated risk and the likely consequences of the Personal Data Breach;
the measures taken or proposed to be taken to address the Personal Data Breach.
Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
In the event of a Personal Data Breach, the Processor shall not inform any third party without first obtaining the Company’s prior written consent, unless notification is required by Data Protection Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by such law, inform the Company of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Company before notifying the Personal Data Breach.
7. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Sub-processors.
8. Erasure or Return of Company Personal Data
Data Processor shall promptly and, in any event within ten (10) business days of the earlier of: (i) cessation of Processing of Company Personal Data by Processor; or (ii) termination of the Services Agreement, at the choice of Company (such choice to be notified to Processor in writing) either:
return a complete copy of all Company Personal Data to the Company by secure file transfer in such format as notified by the Company to the Processor and securely erase all other copies of Company Personal Data Processed by the Processor; or
securely wipe all copies of Company Personal Data Processed by Processor.
The Processor must provide a written certification to the Company that it has complied fully with the requirements of this section 8 of this Agreement.
9. Audit rights
Subject to this section 9, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data.
Information and audit rights of the Company only arise under section 9 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
10. Data Transfer
Data Processor may, in performing their obligations under this Agreement, transfer Personal Data to countries outside the EEA only to the extent that i) the Company has provided its prior written approval; or ii) such country provides an adequate level of protection as contemplated by Data Protection Laws; or iii) where Data Processor has put in place adequate safeguards to protect the Company’s Personal Data, as required by Data Protection Laws, such as by ensuring that any such transfer of Personal Data is governed by the EU Standard Contractual Clauses (as amended/restated and adopted from time to time by the European Commission).
The Company (as "data exporter") and the Data Processor (as "data importer") hereby enter into, as of the Effective Date, the EU Standard Contractual Clauses, as set out in Annex B, attached hereto and which are incorporated by reference and constitute an integral part of this Agreement. The Parties are deemed to have accepted and executed the EU Standard Contractual Clauses in their entirety, including the appendices.
11. Liability
Processor shall be fully liable to the Company for any breach of the Services Agreement or this Agreement, and the obligations set out therein, in accordance with the Data Protection Laws.
12. Indemnification
Processor agrees to indemnify and hold harmless Company and its officers, directors, employees, contractors, agents, affiliates, successors, and permitted assigns against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind which Company may sustain as a consequence of any breach by the Processor of the provisions of this Agreement and its appendices.
13. General Terms
13.1. Subject to this section, the Parties agree that this Agreement and the Standard Contractual Clauses shall terminate automatically upon termination of the Services Agreement or expiry or termination of all service contracts entered into by the Processor with the Company, pursuant to the Services Agreement, whichever is later.
13.2. This Agreement, excluding the Standard Contractual Clauses, shall be governed by the Laws of England and Wales.
13.3. Any breach of this Agreement shall constitute a material breach of the Services Agreement.
13.4. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the Parties, including but not limited to the Services Agreement, the provisions of this Agreement shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.
13.5. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
13.6. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that (i) disclosure is required by law; (ii) the relevant information is already in the public domain.
13.7. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the Services Agreement or at such other address as notified from time to time by the Parties changing address.
13.8. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, shall be resolved in a manner prescribed for the dispute resolution in the Service Agreement.
13.9. This Agreement forms an integral part of the Service Agreement and consists of the Agreement itself and the following Annexes being its integral part:
Annex A – Details of Company’s Personal Data Processing, incorporated into section 14 hereof;
Annex B – Data Transfer Agreement (incorporated into section 15 hereof) and Appendices thereto, namely, Appendix 1 (incorporated into section 16 hereof) and Appendix 2 (incorporated into section 17 hereof).
14. Annex A to the Data Processing Agreement
Further details of the Processing, in addition to the ones laid down in the Services Agreement and this Agreement, include:
1. The subject matter of the Processing of Company’s Personal Data pertains to the provision of Services, as requested by the Company.
2. The duration of the processing of Company’s Personal Data is generally determined by the terms of this Agreement and the Services Agreement, respectively, in the context of the contractual relationship between the Company and the Data Processor.
3. The nature and purpose of the Processing of Company’s Personal Data pertain to the provision of Services under the Services Agreement.
4. The categories of Data Subjects whose Personal Data will be Processed by the Processor include:
a. Clients of the Company;
b. Consumers (end-users of the Company’s Service);
c. Users of the Company’s account (Client’s employees).
5. The types of Data Subjects whose Personal Data will be Processed by the Processor:
a. Data provided by the client: full name, date of birth, email, phone number, position, company name, merchant ID.
b. Data provided by the user: full name, phone number, email, and company name.
c. Data provided by the consumer: full name, geolocation, address, device hash, email, phone number, tax number, payment information.
d. Technical data: IP address, UTM parameters, geolocation, device type, browser type, cookies, and session ID.
e. Data provided by the Company: full name, date of birth, address, e-mail, phone number, position or details on state registration (as an individual entrepreneur or alike) of the Company’s employees and contractors.
6. Full name includes name, parental name and surname.
7. Contact details include phone, address and email.
8. Payment information includes bank details, bank card details, bank ID.
9. Session ID includes interaction with the site, the name of the site from which the user went to Data Controller’s site, the functions used, the pages viewed on the site, the way the site was used, and the actions taken, if any.
10. Processing operations. The personal data transferred will be subject to the following basic processing activities (please specify – if none is ticked it is considered that all items below are chosen):
a. Personal data processing:
Collection of data via website and customer form;
Structuring data according to business objectives;
Database compilation;
Creating client’s account and sub-accounts;
Preparation of the necessary documentation;
Storage of personal data in the terms and conditions prescribed in the privacy policy;
b. Administration:
Setting up a client’s account;
Administration of participants in the client's account;
Training of client's employees, assistance in work tasks;
End user data monitoring (client’s users);
c. Technical support:
Solving technical problems from the client's account;
Answering questions, checking client account;
Elimination of deficiencies and problems.
15. Annex B to the Data Processing Agreement
Data Transfer Agreement
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the Company (also referred to as the “Data exporter”) and the Service Provider (also referred to as the “Data importer”) each also referred to as the “Party” and together as the “Parties”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1. Definitions
For the purposes of the Clauses:
1. "personal data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. the "data exporter" means the Controller who transfers the personal data;
3. the "data importer" means the Processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
4. the "sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
5. the "applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
6. "technical and organizational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2. Details of the transfer
1. The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3. Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The Parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4. Obligations of the data exporter
1. The data exporter agrees and warrants:
a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e) that it will ensure compliance with the security measures;
f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5. Obligations of the data importer
1. The data importer agrees and warrants:
a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
d) that it will promptly notify the data exporter about:
any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
any accidental or unauthorized access; and
any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6. Liability
1. The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter (controller) for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
3. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
4. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7. Mediation and jurisdiction
-
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
-
a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
-
b) to refer the dispute to the courts in the state in which the data exporter is established.
-
2. The Parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8. Cooperation with supervisory authorities
-
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
-
2. The Parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
-
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9. Governing law
-
1. The Clauses shall be governed by the English law.
Clause 10. Variation of the contract
-
1. The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11. Sub-processing
-
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3). Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
-
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
-
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the English law.
-
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12. Obligation after the termination of personal data-processing services
-
1. The Parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
-
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
16. Appendix 1 to the Data Transfer Agreement / Standard Contractual Clause being Annex A to the Data Processing Agreement
1. This Appendix forms part of the Clauses and is to be completed and signed by the Parties.
2. The Parties may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
3. Data exporter: the Company (full details are indicated on the first page of the Data Processing Agreement and its signature section at the very end).
4. Data importer: PAYCORE.IO LIMITED, a company incorporated in England and Wales with registered number 11654625.
5. Data subjects. The personal data transferred concern the following categories of data subjects:
-
a) Clients of the Company;
-
b) Consumers (end-users of the Company’s Service);
-
c) Users of the Company’s account (Client’s employees);
-
d) Employees and contractors of the Company.
6. The types of Data Subjects whose Personal Data will be Processed by the respective Processor:
-
a) Data provided by the client: full name, date of birth, email, phone number, position, company name, merchant ID;
-
b) Data provided by the user: name, phone number, email, and company name;
-
c) Data provided by the consumer: name, surname, geolocation, address, device hash, email, phone number, tax number, payment information;
-
d) Technical data: IP address, UTM parameters, geolocation, device type, browser type, cookies, and session ID;
-
e) Data provided by the Company: full name, date of birth, address, e-mail, phone number, position or details on state registration (as an individual entrepreneur or alike) of the Company’s employees and contractors.
7. Full name includes name, parental name and surname.
8. Contact details include phone, address and email.
9. Payment information includes bank details, bank card details, bank ID.
10. Session ID includes interaction with the site, the name of the site from which the user went to the Data Controller’s site, the functions that were used, the pages viewed on the site, the way of usage of the site, and the actions that were taken, if such actions are present.
11. Processing operations. The personal data transferred will be subject to the following basic processing activities (please specify – if none is ticked it is considered that all items below are chosen):
-
a. Personal data processing:
-
Collection of data via web-site and customer form;
-
Structuring data according to business objectives;
-
Database compilation;
-
Creating client’s account and sub-accounts;
-
Preparation of the necessary documentation;
-
Storage of personal data in the terms and conditions prescribed in the privacy policy;
-
b. Administration:
-
Setting up a client’s account;
-
Administration of participants in the client's account;
-
Training of client's employees, assistance in work tasks;
-
End user data monitoring (client’s users);
-
c. Technical support:
-
Solving technical problems from the client's account;
-
Answering questions, checking client account;
-
Elimination of deficiencies and problems.
17. Appendix 2 to the Data Transfer Agreement / Standard Contractual Clause being Annex A to the Data Processing Agreement
1. This Appendix forms part of the Clauses and is completed and signed by the Parties.
2. Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
-
a. Encryption of personal data
-
b. Limited access to data
-
c. Securing working device with a password
-
d. Signing of the NDA (or integrating NDA provisions into the Service Agreement)
3. Liability. The Parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.
4. Indemnification is contingent upon:
-
a. the data exporter promptly notifying the data importer of a claim; and
-
b. the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim.