ANNEX №2 to the MASTER SERVICE AGREEMENT №______ PERSONAL DATA PROCESSING AGREEMENT This ANNEX to Agreement (hereinafter — “Annex II”) is made and entered into ___ day of _________, _____ between Parties. Annex II shall determine applicable data processing terms and conditions. Annex II shall constitute an integral part of Agreement and shall continue to be in full force and effect in accordance with the provisions of Agreement. […]
to the MASTER SERVICE AGREEMENT №______
PERSONAL DATA PROCESSING AGREEMENT
This ANNEX to Agreement (hereinafter — “Annex II”) is made and entered into ___ day of _________, _____ between Parties. Annex II shall determine applicable data processing terms and conditions. Annex II shall constitute an integral part of Agreement and shall continue to be in full force and effect in accordance with the provisions of Agreement.
For the provision of Subscription to Mindbox Service Contractor processes Personal Data on behalf of Customer. In this capacity Contractor is considered as the data processor (Processor) and Customer is considered as the data controller (Controller) as set out in the GDPR.
1. Obligations. Contractor processes Personal Data only to the extent necessary for the provision of Subscription to Mindbox Service and the execution of Agreement. The Processing of Personal Data by Contractor is fair and lawful, compliant with GDPR and in accordance with Customers’ request for services.
Personal Data transfers. Contractor contracts an affiliated enterprise and services providers as subcontractors (Sub-processors) for the data processing according to the data sub-processor agreement. A Data Sub-processor Agreement provides that (a) the same data protection obligations as set herein are imposed on Sub-processors, in particular providing sufficient guarantees to implement appropriate technical and organisational measures (b) the Contractor remains fully liable to the Customer for the performance of Sub-processors’ obligations.
When the Sub-processors are located outside the European Economic Area, the Contractor enters into the EU Standard Contractual Clauses as required by Art. 46 GDPR to ensure the appropriate safeguards are provided prior to transferring Personal Data.
Customer generally authorises the engagement of Mindbox’ affiliated enterprise and Mindbox’ service providers as Sub-processors. The list of Sub-processors shall be provided to Customer upon request.
With respect to the transfer of Personal Data to a third country, any processing operation as described in this DPA shall also be subject to the Annex III (Standard Contractual Clauses) which shall prevail over any conflicting clauses in the Agreement and (or) Annex II.
Annex III shall constitute an integral part of Agreement and shall continue to be in full force and effect in accordance with the provisions of Agreement.
2. When Customer transfers Personal Data to third countries outside the European Union by use of Mindbox’ Service Customer indemnifies Mindbox against all legal claims of third parties stating that Personal Data are transmitted outside EU territory in violation of the provisions of the GDPR.
3. Security. Contractor has implemented technical and organisational security measures to protect Personal Data against unauthorised or unlawful Processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or unauthorised access by any person.
4. Contractor does not take knowledge of non-public information, including Personal Data, which is placed on Mindbox Service by Customer, unless this is necessary for the proper provision of Subscription to Mindbox Service under this Agreement or this inspection is based on a legal obligation.
5. Data Breach notification. Contractor will immediately notify Customer of any actual or suspected security breach involving Personal Data which can foreseeably compromise the confidentiality and/or integrity of Personal Data. Such notice shall summarize in reasonable detail:
a. the nature of the security breach;
b. the contact details of the Contractor’s employee that can provide additional information about the incident;
c. the recommended corrective actions taken or to be taken by Contractor to reduce the negative consequences of the security breach;
d. the observed and the probable consequences of the security breach for the processing of Personal Data and the corrective actions taken or to be taken by Customer to reduce the negative consequences of the security breach;
e. the nature of the Personal Data that are compromised;
f. information regarding to the extent of the security breach, the number of records that were possibly compromised;
g. the exact time and date of the security breach.
6. Contractor will provide Customer with all further information necessary for notifying the Data Protection Authority or the Data Subjects involved in the Data Breach.
7. Data Subject requests. Customer always has access to Contractor’s systems where Personal Data of Data Subjects are processed on behalf of Customer. Should Customer for any reason has no independent access to the information necessary for complying to Data Subject requests for access, rectification, erasure and/ or restriction of processing of their Personal Data, Contractor will assist Customer by providing all necessary information to respond to the request.
8. Confidentiality. Contractor treats Personal Data confidential. Contractor ensures that those members of staff and third parties that have access to Personal Data maintain the confidentiality and the security of Personal Data by signing a confidentiality agreement.
9. This obligation does not apply if and insofar as disclosure is required by law and / or court order, in which case the information to be disclosed will be kept as limited as possible. When Contractor receives a request from a public authority, including but not limited to the Data Protection or Telecom Authority, to disclose Personal Data belonging to Customer, Contractor shall immediately inform Customer.
10. Scope of this Personal Data Processing Agreement and re-negotiation. Contractor’s obligations as set out in this Personal Data Processing Agreement will perpetuate after termination of Agreement for as long as Contractor still has access to Personal Data. Upon termination or receipt of notice terminating Agreement, Customer is responsible for the export of Personal Data from Mindbox Service. 30 (thirty) days after termination of this Agreement, Contractor will destroy all Personal Data processed on behalf of Customer. Contractor may deviate to the extent where a longer data retention period is necessary to demonstrate fulfilment of contractual obligations.
DETAILS AND SIGNATURES OF THE PARTIES
|Representative of Customer:
|Representative of the Contractor:
Managing director Ivan Borovikov
and Managing director CIS Management B.V. represented by Maria Govorukhina
and Alhard Zwart