Data processing contract
FROM ONE SIDE, the one who signs the proposal, (hereafter, the DATA PROCESSING RESPONSIBLE or DPR).
FROM THE OTHER SIDE, Mr. Javier Martínez Galiana, of legal age, 52997423H as ID card, acting on behalf of and in representation of LEIALTA, SL. (hereafter, IN CHARGE OF DATA PROCESSING TREATMENT or ICDPT), B87291928 as TAX ID number, and Calle Zurbano, 45, 1º, CP 28010, Madrid (Madrid) as address for notification purposes.
And mutually and reciprocally recognizing each other as having sufficient legal capacity for this act, they STATE herein:
I.- That the ICDPT is dedicated, among other activities of its corporate purpose, to the provision of services of: CONSULTING AND BUSINESS ADVISORY
II.- Based on the above, the DPR maintains with the ICDPT a professional service relationship: CONSULTING AND BUSINESS ADVISORY
III.- That, by virtue of the service provision relationship that binds both parties, the ICDPT needs to process certain personal data on behalf of the DPR.
IV.- That, based on the provisions of the Applicable Data Protection Law on the protection of natural persons with regard to the processing of personal data and the free movement of such data, the processing by the person in charge of data processing shall be governed by a contract or other legal act under Union or Member State law, which binds the person in charge to the person responsible and establishes the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the person in charge.
In accordance with the foregoing, the parties agree to this contract, which shall be governed by the following PROVISIONS:
FIRST.- OBJECT.
The purpose of this contract is to regulate the treatment by the ICDPT of certain personal data on behalf of the DPR, on the occasion of the service provision relationship that binds both parties, in compliance with the obligations established in Applicable Data Protection Law on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and in the Spanish regulations for the protection of personal data.
SECOND.- DEFINITIONS.
For the purposes of this contract, the following shall be understood as:
- Applicable Data Protection Law: shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of Personal Data and on the free movement of such data (the “Directive”); (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under or pursuant to (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
- Personal data: all information about an identified or identifiable natural person; an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that person (Article 4(1) GDPR).
- Processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction (Article 4(2) GDPR).
- Data Processing Responsible: the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of the processing; where Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its appointment may be established by Union or Member State law (Article 4(7) GDPR).
- In charge of data processing treatment: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller (Article 4(8) GDPR).
THIRD.- INSTRUCTIONS OF THE DPR.
The ICDPT shall process the personal data necessary for the provision of services on behalf of the DPR, derived from the relationship that binds both parties, in accordance with the instructions documented in the ANNEX to this contract.
FOURTH.- IDENTIFICATION OF THE INFORMATION CONCERNED.
The ICDPT will process on behalf of the DPR the information about identified or identifiable individuals documented in the ANNEX to this contract.
FIFTH.- DURATION.
This contract will come into effect from the date of its signature and will be in force until the date of termination of the service provision relationship between the DPR and the ICDPT.
SIXTH.- OBLIGATIONS OF THE ICDPT.
The ICDPT undertakes to comply with the following obligations:
- Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this assignment. In no case may the ICDPT use the data for its own purposes or those of any third party.
- Process the data according to the instructions of the DPR.
If the ICDPT considers any of the instructions to be in breach of Regulation (EU) 2016/679 or any other data protection provision of the Union or of the Member States, the person in charge shall immediately inform the DPR.
- Keep, in writing, a record of all categories of processing activities carried out on behalf of the DPR, which contains:
- a) The name and contact information of the person in charge or those in charge and of each person responsible on whose behalf the person in charge acts and, where appropriate, the representative of the person responsible or of the person in charge, and the data protection officer.
- b) The categories of processing carried out on behalf of each person responsible.
- ICDPT shall not transfer the data (nor permit the data to be transferred) outside of the European Economic Area (“EEA”) unless (i) it has first obtained ICDPT’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- ICDPT shall implement appropriate technical and organizational measures to protect the data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
- a) Pseudonymization and encryption of personal data.
- b) The ability to guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services.
- c) The ability to restore availability and access to personal data promptly, in the event of a physical or technical incident.
- d) A process of regular testing, verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of processing.
- Not communicate the data to third parties, unless it has the express authorization of the DPR, in the legally admissible cases.
The ICDPT may communicate the data to other data processors engaged by the same DPR, according to the instructions of the DPR. In this case, the DPR will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.
- The ICDPT may not subcontract any of the processing services that are part of the object of this contract that involve the processing of personal data without the prior written consent of the DPR.
- If it is necessary to subcontract any data processing, this fact must be previously communicated in writing to the DPR, indicating the data processing operations that are intended to be subcontracted and clearly and unambiguously identifying the subcontractor company and its contact information. If the DPR refuses to consent to ICDPT’s appointment of a third-party subprocessor on grounds relating to the protection of the data, then either ICDPT will not appoint the subprocessor or the DPR may elect to suspend or terminate this contract.
- Maintain the duty of secrecy with respect to the personal data to which it has had access under this order, even after the end of its purpose.
- Guarantee that the persons authorized to process personal data commit themselves, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be informed accordingly, and shall not permit any person to process the data who is not under such a duty of confidentiality.
- Keep the documentation at the DPR’s disposal for compliance with the obligation established in the previous section.
- Guarantee the necessary training in the protection of personal data for the persons authorized to process personal data.
- Assist and provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the DPR to enable the DPR to respond to:
- any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the data.
In the event that any such request, correspondence, enquiry or complaint is made directly to ICDPT, ICDPT shall promptly inform DPR providing full details of the same.
When the affected persons exercise their rights of access, rectification, deletion and opposition, limitation of processing or data portability, this must be communicated by email to the address indicated by the DPR. The communication must be made immediately and in no case later than the working day following receipt of the request, together with, where appropriate, any other information that may be relevant to resolve the request.
- The ICDPT, at the time of collecting the data, must provide information regarding the data processing that will be performed. The wording and the format in which the information will be provided must be agreed with the DPR before the start of the data collection.
- The ICDPT shall notify the DPR, without undue delay and in any case within a maximum of 24 hours, by email to the address indicated by the DPR, of any breach of the security of the personal data, together with all the information relevant for the documentation and communication of the incident.
Where available, at least the following information will be provided:
- a) Description of the nature of the personal data security breach, including, when possible, the categories and number of affected data subjects, and the categories and number of personal data records affected.
- b) The name and contact details of the data protection officer or other contact point where more information can be obtained.
- c) Description of the possible consequences of the violation of the security of personal data.
- d) Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
- Give support and all such reasonable and timely assistance to the DPR in carrying out data protection impact assessments, when appropriate.
- Give support and all such reasonable and timely assistance to the DPR in carrying out prior consultations with the supervisory authority, when appropriate.
- Provide the DPR with all the necessary information to demonstrate compliance with their obligations, as well as for the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him. ICDPT shall permit DPR (or its appointed third party auditors) to audit ICDPT’s compliance with this clause, and shall make available to DPR all information, systems and staff necessary for DPR (or its third party auditors) to conduct such audit. ICDPT acknowledges that DPR (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that DPR gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to ICDPT’s operations. DPR will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) DPR believes a further audit is necessary due to a Security Incident suffered by ICDPT.
- Designate a data protection officer and communicate their identity and contact information to the DPR, whenever this is mandatory by virtue of what is established in Regulation (EU) 2016/679 and the Spanish regulations on data protection.
- Once the relationship of provision of services that binds both parties is completed, the ICDPT shall either assign the personal data to DPR according to the instructions contained in the ANNEX included in this contract or destroy the personal data in its possession or control (including any data subcontracted to a third party for processing). This requirement shall not apply to the extent that ICDPT is required by any EU (or any EU Member State) law to retain some or all of the data, in which event ICDPT shall isolate and protect the data from any further processing except to the extent required by such law.
SEVENTH.- CONFIDENTIALITY.
Both parties undertake to maintain due confidentiality about the facts, information, knowledge, documents, objects and any other elements protected by secrecy to which they have access by reason of the service provision relationship, and may not use the information to which they have access for any purpose other than the execution of the contract that binds both parties.
In this regard, and without limiting or excluding, the aforementioned duty of confidentiality and secrecy includes the following information:
- Any information protected by the regulations on intellectual and industrial property.
- Any information on identified or identifiable individuals, protected by the regulations on protection of natural persons with regard to the processing of personal data.
- Any information protected by Organic Law 1/1982, of May 5, on civil protection of the right to honor, to personal and family privacy and to one’s own image.
- Any information subject to the duty of professional secrecy.
- Undisclosed technical knowledge and business information (trade secrets).
- Any other information that by its nature cannot be disclosed to third parties unrelated to the signatory parties and, therefore, is not public knowledge.
EIGHTH.- INFORMATION IN COMPLIANCE WITH THAT ESTABLISHED IN ARTICLE 13 OF REGULATION (EU) 2016/679.
The data of the people signing this contract will be processed by each of the entities they represent in order to execute it. Said data will be kept during the statutory limitation periods of the responsibilities arising from the relationship of provision of services that binds both parties. The signatories have the right to request each of the entities responsible for processing access to their personal data, as well as their rectification or deletion, in the addresses for the purposes of notifications indicated in the heading of this contract. Likewise, they have the right to present a claim to the competent control authority in the event that they understand that their right to data protection has been violated.
NINTH.- APPLICABLE LAW AND FORUM.
This contract shall be governed and construed in accordance with Spanish law in matters not expressly regulated. If any of the stipulations or conditions of this contract are null, invalid or ineffective and could not have effect because of the legislation applicable to it, such nullity, invalidity or ineffectiveness will not affect the rest of the stipulations or conditions.
The parties submit, for disputes that may arise in relation to this contract, to the jurisdiction of the Courts and Tribunals of the city indicated in the header thereof, waiving any other forum that may correspond.
In witness whereof, both the one who proposes the consulting service, the ICDPT, and the one who signs the service proposal, the DPR, agree to and ratify this contract for the processing of data on behalf of third parties at the moment in which the service proposal is signed by both parties.
ANNEX TO THE DATA PROCESSING CONTRACT
I) INSTRUCTIONS OF THE DPR REGARDING THE DATA PROCESSING TO BE CARRIED OUT BY THE ICDPT
- Description of the form of service provision:
The service will be provided by the ICDPT in its own premises and with its own systems, separate from those of the DPR.
- Specific operations to be carried out on personal data:
Collection, registry, filing, query and utilization.
II) IDENTIFICATION OF THE AFFECTED INFORMATION
- a) Types of personal data processed:
NIF / DNI; postal address; email address; phone; name and surname; economic, financial and insurance data; infractions and administrative sanctions; solvency of assets and credit; transactions of goods and services; academic and professional data; signature / footprint; electronic signature; commercial information; No. SS / mutuality.
- b) Groups or categories of interested parties:
Beneficiaries; employees; contact persons; owners or tenants; suppliers; employees of contractors and subcontractors; public administration; associates or members; clients and users; potential customers; legal representative.
III) SECURITY MEASURES TO BE IMPLEMENTED BY THE ICDPT
The security measures that will be implemented by the ICDPT will be the following:
- a) General measures:
Personal data protection policy document
Functions and obligations of users and rules of use of ICT resources
Training and education of users in data protection
Inventory of information assets (list of all those resources, physical, software, documents, services, people, facilities, etc., that have value for the organization and need to be protected from potential risks)
- b) Regarding pseudonymisation and encryption of personal data:
Technical and organizational measures of pseudonymization
- c) In relation to the ability to guarantee the confidentiality, integrity, availability and permanent resilience of the treatment systems and services:
User identification and authentication system
Access privilege management system
System of control of access to the information system
Electronic signature system (authentication)
Private network of electronic communications
System of analysis and management of vulnerabilities and threats / system of protection against malicious and downloadable code (e.g., antivirus)
Adoption of measures to ensure the material durability of documents (e.g., preventive measures against factors of deterioration, destruction or disappearance of documents: humidity control, fire, theft, etc.)
Application of the criteria and methods of documentary organization (classification and organization)
Control of access to documentation (e.g., lock and key, biometric identification, smart card, access code, etc.)
Security of information assets outside the premises of the data controller (e.g., authorization process for removal, password, encryption, etc.)
Control of physical access to the Data Processing Center (CPD) / server room
Secure and confidential destruction of information assets
Authorization process for new types and/or means of data processing
Safe and confidential destruction of documentation: document shredding machines; contract of services with an external company of certified documentary destruction
Registration of access to documentation
Own server
Own mail server
Own web server
Clean desk policy
Rules for the use of document printers
Transfer and safe shipment of documentation
- d) In relation to the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident:
Uninterruptible power supply (UPS) / generating set
Redundant computer system (e.g., redundant server)
Incident identification, registration and management system
Backup management and personal data recovery system
Personal data security breach management and notification system
- e) In relation to the process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of processing:
Internal compliance controls every 3 months.
Regular review of the data protection policy at planned intervals.
IV) DESTINATION OF INFORMATION
Return to the manager designated in writing by the DPR, the personal data and, if applicable, the media where they appear, once the service has been completed.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge.
However, the ICDPT can keep a copy, with the data duly blocked, as long as responsibilities for the execution of the provision can be derived.