Data Processing Agreement
for MEF LSO API OIT Service
All rights reserved by Amartus Ltd. | 1st October 2021.
- This data processing agreement concerns commissioned processing of personal data according to the following sections.
- The following regulations apply to all services of processing performed by Amartus for the Subscriber and to all activities in which employees of Amartus or third parties commissioned by Amartus may come into contact with personal data of the Subscriber.
In this data processing agreement, the terms “Process/Processing”, “Data Controller”, “Data Processor”, “Data Subject”, and “Personal Data Breach” shall have the same meaning as in the GDPR. Other definitions indicated in the Agreement shall apply.
2. Basic principles
- In the course of providing the services under the Agreement, Amartus may Process Subscriber Personal Data indicated in Annex 1 as Data Processor on behalf of the Subscriber. Amartus shall Process Subscriber Personal Data only for the performance of the Agreement.
- The Subscriber represents and warrants that it is the Data Controller or Data Processor of the Subscriber Personal Data and Processes them in accordance with the applicable law including GDPR.
- Amartus shall only Process the types of Subscriber Personal Data relating to the categories of Data Subjects as set out in Annex 1.
- Whenever the Subscriber modifies the list of Subscriber Personal Data indicated in Annex 1, the Subscriber is obliged to inform Amartus in writing in order to obtain Amartus's consent for Processing of such modified Subscriber Personal Data.
- The Parties agree that Subscriber Personal Data shall be Processed in accordance with the Subscriber’s instructions, which shall be sent to the Amartus Email Address. Instruction relating to a change of scope or manner of provision of the services means assigning Amartus with additional works or services for which Amartus may claim additional remuneration.
- Amartus shall obligate all persons authorized to Process Subscriber Personal Data to confidentiality or ensure that they are subject to an appropriate statutory duty of confidentiality.
3. Term of the processing: deletion and return of Subscriber Personal Data
- The Subscriber Personal Data shall be Processed during the period of the provision of the services on the basis of the Agreement.
- Amartus makes the return of Subscriber Personal Data available in accordance with clause 4.7 of the Agreement. After the period indicated in clause 4.7 of the Agreement, Subscriber Personal Data shall be deleted.
4. Technical and organizational measures
- Amartus shall implement appropriate technical and organisational measures as indicated in Annex 2.
- Amartus is allowed to implement alternative adequate measures to those indicated in Annex 2 without the necessity to amend this data processing agreement. The safety level of the measures shall not be undercut.
5. Cooperation with regard to Personal Data
- Amartus shall assist Subscriber as indicated in article 28.3 GDPR.
- If providing co-operation, assistance, support, reports, details, information or adjustments requested by the Subscriber relating to Processing of Subscriber Personal Data, especially indicated in article 28.3.e-28.3 of GDPR, whatever is the basis for such activity of Amartus, generates or would generate any additional costs for Amartus or requires the involvement of additional resources, the Subscriber shall cover any reasonable costs specified by Amartus.
- Amartus is obliged to inform the Subscriber with undue delay if Amartus becomes aware of a personal data breach that has taken place with regard to this data processing agreement.
- Subscriber shall have the right to conduct an audit subject to the following terms and conditions:
- Amartus may make participation in such audit conditional upon prior execution of an appropriate confidentiality agreement;
- during an audit the Subscriber shall comply with internal procedures of Amartus;
- an audit should not be conducted more frequently than once per calendar year and should not last longer than 1 day;
- Subscriber shall notify its intention to conduct an audit at least 30 days before the proposed date of an audit by sending an e-mail to Amartus Email Address;
- each party shall cover its own costs connected with an audit.
- The Subscriber does hereby give its consent to Processing of Subscriber Personal Data by subcontractors engaged in the light of the Agreement at the date of conclusion of the Agreement.
- The Subscriber gives its consent to engage another subcontractor for Processing of Subscriber Personal Data upon notification of the subcontractor to the Subscriber at least 14 days in advance by sending an e-mail to Authorized Email Address.
- Any Processing of Subscriber Personal Data to a third country or an international organisation by Amartus shall take place in compliance with Chapter V of GDPR. There is no requirement to obtain consent for the Processing of Personal Data in a third country or by an international organization apart from the consent mentioned in sections 1-2 above.
7. Final provisions
- The Parties agree that this data processing agreement shall be governed by the law applicable to the Agreement and will be subject to the jurisdiction agreed in the Agreement.
- Liability of either Party to the other Party to this data processing agreement for violation of applicable legislation relating to the Processing of Subscriber Personal Data or this data processing agreement shall be limited or excluded in accordance with the provisions of the Agreement.
- Termination or expiration of the Agreement shall result in termination or expiration of this data processing agreement, without the necessity for making any additional statements. Termination of this data processing agreement before termination of the Agreement is excluded.
Categories of Data Subjects and type of Personal Data
- Type of Personal Data covered by this data processing agreement:
- email address
- postal address
- phone number
- phone number extension
- Categories of Data Subjects covered by this data processing agreement:
Technical and organizational measures
Taking into account the state of the art, nature, scope, and purposes of processing of personal data as well as the risk of infringements of rights and freedoms of natural persons, the data processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk levels for systems used and data categories. Therefore the data processor shall apply technical and organisational measures that ensure confidentiality, integrity, accountability and continuity of processed data. Such measures shall include:
- Making sure that only the persons who hold appropriate authorisations have access to the premises in which personal data is processed. Other persons may be present in the premises where data is processed only in the company of an authorised person;
- Locking of the premises being the data processing area for the time the employees are absent, in a manner preventing third party access;
- Use of locked cabinets and safes for document protection;
- Use of a paper shredder to effectively dispose of documents containing personal data;
- Protecting the local area network against any actions initiated from the outside with the use of firewall hardware and software;
- Making backup files;
- Protection of the hardware used at the data processor’s against malware;
- Securing access to the company’s equipment with passwords;
- Use of data encryption to transmit data;
- Use of data encryption in the drives of the computers in which personal data may be stored.