ENG – 20221108 RGPD Data processor treatment
1. Purpose of the data processor
This DATA PROCESSOR AGREEMENT details the scope, characteristics, conditions and commitments related to the treatment of the information provided for the provision of services contracted from char of any kind, by any means and for any product, forming a binding part of the commitment acquired with its contracting.
char refers to char desarrollo de sistemas, s.l., with CIF B61839023 and address at C/ Pablo Iglesias 56, 1-1, 08302 Mataró, represented by its Administrator.
CONTRACTOR refers to the person contracting the service, whether or not he/she is the beneficiary of the service. This contracting party will be the person or legal entity to whom the invoices for the contracted SERVICE are issued by char and is responsible for the contents of this agreement.
The SERVICE refers to the supply of any related products and services under the formula of Software Subscription, SaaS (Software as a Service) and/or maintenance services of any product supplied under the formula of transfer of licence of use.
By contracting the SERVICE, the CONTRACTOR, in its capacity as DATA CONTROLLER, authorises char as DATA PROCESSOR to process the information that may be provided, including personal data necessary to provide the SERVICE, for which both parties expressly accept this agreement and all its contents.
2. Identification of the information concerned
For the execution of the services derived from the fulfillment of the object of this data processor, the CONTRACTOR, as the DATA CONTROLLER, provides char with the information necessary for the execution of the contracted SERVICE.
This agreement shall remain in force as long as the related SERVICE is active in accordance with the conditions established for its performance.
Upon termination of the SERVICE, and therefore of this agreement, char must destroy and delete any copies of the CONTRACTOR’s data that it may have in its possession and custody. The CONTRACTOR may request the return of this data prior to its destruction by expressly requesting it at least 30 calendar days before the end of the SERVICE. This return would be carried out in the digital format in which they are stored, even if they are the property of char, without char being obliged to provide the necessary tools for their reading and interpretation. However, char will be able to keep the data blocked in order to attend to possible administrative or jurisdictional responsibilities.
4. Obligations of CHAR as DATA PROCESSOR
4.1. char and all its staff are obliged to:
- Use the personal data being processed, or those collected for inclusion, only for what is strictly necessary for the performance of the contracted SERVICE. Under no circumstances may it use the data for its own purposes.
- Process the data in accordance with the CONTRACTOR’s instructions.
- To keep, in writing, a record of all categories of processing activities carried out on behalf of the controller, which contains:
  - The name and contact details of the data processor(s) and of each controller on whose behalf the data processor is acting and, where applicable, of the representative of the controller or of the data processor and of the data protection officer.
  - The categories of processing operations carried out on behalf of the controller.
  - A general description of the appropriate technical and organisational security measures in place.
- Not to communicate the data to third parties, except to:
  - Third parties that need to be contracted to properly perform the contracted service, assuming the responsibility that the subcontracted third party complies with current legislation on data protection and with the required technical and organisational security measures.
  - Third parties that are involved in the contracted SERVICE and that the CONTRACTOR requires their participation for its provision, either by express indication or simply because they are related to the purpose of the SERVICE.
- To maintain the duty of secrecy with respect to personal data to which it has access by virtue of this assignment, even after the end of the contract.
- Ensure that the persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
- Keep at the disposal of the data controller the documentation accrediting compliance with the obligation established in the previous section.
- Guarantee the necessary training in personal data protection for the persons authorised to process personal data.
- When people exercise their rights of access, rectification, suppression and opposition, limitation of data processing and data portability before CHAR, the latter must inform the CONTRACTOR in a reliable way. The communication must be made immediately and in no case later than the working day following the day of receipt of the request, together, if necessary, with other information that may be relevant to resolve the request.
- Make available to the CONTRACTOR all information necessary to demonstrate compliance with its obligations, as well as for audits or inspections carried out by the CONTRACTOR or any other auditor authorised by the CONTRACTOR.
- Implement the necessary technical and organisational security measures to ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
4.2. Notification of data security breaches:
char will notify the CONTRACTOR, without undue delay and in an irrefutable manner, of the security breaches in the access to the personal data under its responsibility of which it becomes aware, together with all the relevant information for the documentation and communication of the incident.
As a minimum, the following shall be provided:
- Description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
- Contact details of the contact person for further information.
- Description of the possible consequences of the personal data breach.
- Description of the measures taken or proposed to be taken to remedy the personal data breach, including, where appropriate, measures taken to mitigate the possible negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.
char shall, at the request of the data controller, communicate data security breaches to data subjects as soon as possible, if this is possible and where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
The communication must be made in clear and simple language and must include the elements indicated in each case by the data controller, as a minimum:
- The nature of the data breach.
- Details of the contact point of the controller or data processor where further information can be obtained.
- Describe the possible consequences of the personal data breach.
- Describe the measures taken or proposed by the data processor to remedy the personal data breach, including, where appropriate, measures taken to mitigate possible negative effects.
5. Obligations of the CONTRACTOR as DATA CONTROLLER
- To provide char with the data necessary for it to provide the SERVICE.
- To ensure, before and during the entire processing, that char complies with the GDPR.
- To supervise the processing.