PERSONAL DATA PROCESSING AGREEMENT
This ANNEX to Agreement (hereinafter – “Annex II”) is made and entered into ___ day of _____, _____ between Parties. Annex II shall determine applicable data processing terms and conditions. Annex II shall constitute an integral part of Agreement and shall continue to be in full force and effect in accordance with the provisions of Agreement.
For the provision of Subscription to Mindbox Service Contractor processes Personal Data on behalf of Customer. In this capacity Contractor is considered data processor (Processor) and Customer is considered data controller (Controller) as set out in the GDPR. This Annex.
DETAILS AND SIGNATURES OF THE PARTIES
- Obligations. Contractor processes Personal Data only to the extent necessary for the provision of Subscription to Mindbox Service and the execution of Agreement. The Processing of Personal Data by Contractor is fair and lawful, compliant with GDPR and in accordance with Customers’ request for services.
- Personal Data transfers. Where Contractor intends to disclose Personal Data to a third Party outside of the EU such third party will process Personal Data in a country which has been recognized by the European Commission or by a Member State of the European Economic Area to ensure an adequate level of protection, of which written proof will be provided to Customer upon request.
- When Customer transfers Personal Data to third countries outside the European Union by use of Mindbox’ Service Customer indemnifies Mindbox against all legal claims of third parties stating that Personal Data are transmitted outside EU territory in violation of the provisions of the GDPR.
- Security. Contractor has implemented technical and organisational security measures to protect Personal Data against unauthorised or unlawful Processing, accidental or unlawful destruction or accidental loss, alteration, damage, unauthorised disclosure or unauthorised access by any person.
- Contractor does not take knowledge of non-public information, including Personal Data, which is placed on Mindbox Service by Customer, unless this is necessary for the proper provision of Subscription to Mindbox Service under this Agreement or this inspection is based on a legal obligation.
- Data Breach notification. Contractor will immediately notify Customer of any actual or suspected security breach involving Personal Data which can foreseeably compromise the confidentiality and/or integrity of Personal Data. Such notice shall summarize in reasonable detail:
- the nature of the security breach;
- the contact details of the Contractor’s employee that can provide additional information about the incident;
- the recommended corrective actions taken or to be taken by Contractor to reduce the negative consequences of the security breach;
- the observed and the probable consequences of the security breach for the processing of Personal Data and the corrective actions taken or to be taken by Customer to reduce the negative consequences of the security breach;
- the nature of the Personal Data that are compromised;
- information regarding to the extent of the security breach, the number of records that were possibly compromised;
- the exact time and date of the security breach.
Contractor will provide Customer with all further information necessary for notifying the Data Protection Authority or the Data Subjects involved in the Data Breach.
- Data Subject requests. Customer always has access to Contractor’s systems where Personal Data of Data Subjects are processed on behalf of Customer. Should Customer for any reason has no independent access to the information necessary for complying to Data Subject requests for access, rectification, erasure and/ or restriction of processing of their Personal Data, Contractor will assist Customer by providing all necessary information to respond to the request.
- Confidentiality. Contractor treats Personal Data confidential. Contractor ensures that those members of staff and third parties that have access to Personal Data maintain the confidentiality and the security of Personal Data by signing a confidentiality agreement.
This obligation does not apply if and insofar as disclosure is required by law and / or court order, in which case the information to be disclosed will be kept as limited as possible. When Contractor receives a request from a public authority, including but not limited to the Data Protection or Telecom Authority, to disclose Personal Data belonging to Customer, Contractor shall immediately inform Customer.
- Scope of this Personal Data Processing Agreement and re-negotiation. Contractor’s obligations as set out in this Personal Data Processing Agreement will perpetuate after termination of Agreement for as long as Contractor still has access to Personal Data. Upon termination or receipt of notice terminating Agreement, Customer is responsible for the export of Personal Data from Mindbox Service. 30 (thirty) days after termination of this Agreement, Contractor will destroy all Personal Data processed on behalf of Customer. Contractor may deviate to the extent where a longer data retention period is necessary to demonstrate fulfilment of contractual obligations.
| CUSTOMER: ___________________
||CONTRACTOR: Mindbox.Cloud B.V.
Representative of the Customer:
Representative of the Contractor:
Managing director Ivan Borovikov
Managing director CIS Management B.V.
represented by Yulia Karpova
and Aharon Rabinovitz