Confidențialitate / GDPRAstimp IT Solution SRL

GDPR_ Astimp IT Solution SRL-download

Personal Data Processing Agreement

GDPR 

Firma S.R.L. cu sediul social în XXXXXXXX, str. XXXXXXXX, nr. xx, tel./fax  +40 xxx.xxx.xxx / +40 xxx.xxx.xxx, înmatriculată la Registrul Comertului sub nr. Jxx/xxx/20xx, CUI: xxxxxxxxx, cont bancar nr. ROxxxxxxxxxxxxxxx deschis la XXXX BANK, reprezentată de Nume Prenume, în calitate de administrator, denumită în continuare Beneficiar, 

și

ASTIMP IT SOLUTIONS S.R.L., cu sediul social în str. Ovidiu nr. 15, bl. LC5, sc. 1, ap. 1, 800084 Galați, jud. Galați, înregistrată la Registrul Comerțului  sub nr. J17/391/2015, CUI: 34287108, având contul IBAN nr. RO32BACX0000001662885000, deschis la UNICREDIT BANK SA, reprezentată de Toma-Alexander STUHMULLER, în calitate de administrator, denumită în continuare Prestator,

în scopul de a facilita pe cât posibil discuțiile purtate între părți și pentru ca părțile să primească una de la cealaltă, oral, vizual ori în scris, anumite informații comerciale, financiare și/sau de natură tehnică în condiții care să protejeze caracterul confidențial și proprietatea unor asemenea informații,

Preliminary remarks 

On 15/10/2018, the parties concluded an agreement on the use of Servers(Main Agreement). The provisions of the Main Agreement include the processing of data by the Contractor on behalf of the Client. This data may also include personal data. Personal data means any information relating to an identified or identifiable natural person (data subject). Insofar as the processing of personal data by the Contractor on behalf of the Client is concerned (data processing for third parties), this Agreement shall serve as a supplement to the Main Agreement. In this respect, deviating provisions of this Agreement take precedence over the provisions of the Main Agreement. The parties shall observe data protection regulations, in particular the regulations of the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG) when processing data.

The GDPR shall apply as of 25 May 2018. Insofar as the parties have already entered into a data processing agreement (DPA), this Agreement shall supersede the DPA once the GDPR applies.

Section 1       Subject matter and duration 

• The subject matter of the contract arises from the Main Agreement. In particular, this includes

the provisioning of servers racks incl. power supply and Internet connection in the data  centre of Astimp IT Solution SRL.

Personal data processed according to this Agreement shall include data that the Contractor has collected on behalf of the Client or has been transferred from the Client to the Contractor for data processing. The Client shall ensure that the transferred data or data collected on its behalf does not reveal racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership. The data shall also not be related to criminal convictions or offences, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of such a person.

• The duration of the contract shall correspond to the term of the Main Agreement. After completing the data processing services, the Contractor shall erase or return all personal data at the option of the Client unless legal regulations stipulate the storage of such data. The Contractor shall once again separately confirm the erasure at the request of the

Section 2       Content of the contract

• The type and purpose of the processing arise from the Main Agreement. Personal data processed on behalf of the Client includes (type of data):

– IP Adresses

insofar as the data subject may be identified by such data.

The Contractor shall not process the data for other than the contractual purposes. In particular, the Contractor shall not transfer the data to third parties outside the contract. The Contractor shall make copies (e.g. backup copies) only for the contractual processing of the data.

• The data of the following persons is affected by the data processing (categories of persons):

– users who access the Client’s infrastructure via the Internet.

• The Client  shall  remain  solely  responsible  for  the  processing  of

personal data that is effected on its behalf. The Contractor shall therefore process this data only at the instruction of the Client, insofar as the Contractor is not obligated to perform other processing according to the legal regulations. The Contractor shall notify the Client about such other processing, however, insofar as such notification is not prohibited due to  important public interests. The responsibility of the Client is concerned especially with the lawful data processing according to the contract and as instructed, as well as ensuring compliance with principles of processing personal data and that this compliance can be proven.

• The instructions shall be initially defined and documented in the Main Agreement and this Agreement. The Client may modify, replace or supplement the initial instructions at a later point in time with separate instructions (individual instruction). The individual instruction shall fall within the scope of the contract and also be documented. If an individual instruction is given verbally due to extreme urgency, it shall be promptly confirmed in documented form. In this respect, instruction means every stipulation that is related to a specific data protection- related handling of the data processed according to this Agreement (e.g. erasure, anonymisation and rectification of data or the restriction of data processing).
• If the Contractor believes that an instruction violates legal regulations, the Contractor shall immediately inform the Client. In this respect, the Contractor shall be entitled to suspend the implementation of the instruction until it is modified or confirmed by the Client in documented form. If the Contractor determines the purposes and means of processing violating the instructions of the Client, the Contractor shall be responsible with regard to this processing.
• The data processing shall be performed in the Member States of the European Union (EU). The transfer of the processed data to a third country shall require the consent of the Client, which may be withheld only for important reasons. In particular, if the third country does not offer an adequate level of protection or the legal requirements for the transfer of data to the respective country are not met this shall constitute a reason for withholding consent. The Contractor shall be responsible if there are doubts in this
• The Client shall not make anyone subject to decisions based on automated processing including profiling within the context of data processing which produces legal effects concerning the data subject or similarly significantly affects the data subject. By the same token, the Client shall not have data processed on its behalf for an offer that is directly made to a child (e.g. services specifically directed at children).

Section 3        Contact persons 

• The contact person at the Client for the performance of this contract is:

Ms Name , funtion, Adress:xxxxx  Phone : xxxxxxxxxxx, Email: email@email.com

The contact person is simultaneously the person who is authorised to give data protection- related instructions to the Contractor according to this Agreement.

• The contact person at the Contractor for the performance of this contract is:

Mr Stuhlmuller Toma-Alexander, Ovidiu nr.15 bl.LC5 sc.1 ap.1, 800084 Galati, Romania, Phone .: +40 747 77 89 02, Email: office@astimp.ro

The contact person is simultaneously the person who is authorised to receive data protection-related instructions from the Client according to this Agreement.

• The parties may change their contact persons at any time. It is possible to designate multiple contact persons who are individually authorised to issue and receive instructions. If the contact person of one party is temporarily unavailable, the respective party shall change the contact person at least for the duration of such unavailability. Changing a contact person shall be documented in
• If one of the parties is not established in the EU, it shall designate a representative in writing. This representative shall represent the party in relation to its statutory data protection-related regulations in the EU. The representative shall be established in one of the Member States of the EU in which the persons subject to the data processing are located. Such a representative shall be designated as a contact person in this Agreement. The designation shall indicate that this is a representative according to the

Section 4       Data protection officer

• This Agreement shall not constitute an obligation to designate a data protection officer. Both parties are aware that a data protection officer shall be designated according to the legal regulations if a) the core activity of the respective party involves the performance of processing operations that require extensive regular and systematic monitoring, b) generally at least ten employees are constantly occupied with the automated processing of personal data, or c) the data is processed in a business-like manner for the purpose of data transfer or market and opinion
• The designated data protection officer of the Client is:Mr Suditu Andrei, Astimp IT Solution SRL, Ovidiu nr.15 bl.LC5 sc.1

ap.1, 800084 Galati, Romania, Phone .: +40 747 77 89 02, Email: noc@dedicatserver.ro

• The designated data protection officer of the Contractor is:

Mr Suditu Andrei, Astimp IT Solution SRL, Ovidiu nr.15 bl.LC5 sc.1

ap.1, 800084 Galati, Romania, Phone .: +40 747 77 89 02, Email: noc@dedicatserver.ro

• The provision for changing the contact person applies correspondingly to the data protection officer. The contact person may also at the same time be the data protection officer. If a party subsequently designates a data protection officer, it shall immediately notify the other party in documented form. The data protection officer of the Client shall be entitled to give instructions and the data protection officer of the Contractor shall be entitled to receive
• The data protection officer shall be involved by the respective other party in all issues concerning the protection of personal data and monitor the compliance with data protection regulations. The parties may consult the data protection officer of the other respective party in all issues concerning the processing of personal data according to this

Section 5       Rights and obligations 

• The Contractor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This shall in particular apply to persons subject to the supervision of the Contractor (employees) who have access to the processed data. At the same time, the Contractor shall ensure that its employees process this data only according to the instructions of the Client insofar as they are not obligated to other processing according to legal regulations. The obligation to ensure discretion and confidentiality shall remain after the end of the
• The Contractor shall assist the Client in the fulfilment of its obligation to respond to requests for exercising the data subject’s legal rights vis-à-vis the Client. If a data subject contacts the Contractor, the Contractor shall immediately forward the request of the data subject to the Client. The Contractor shall not respond to any request of data subjects without the instruction of the Client. Furthermore, the parties shall assist each other taking into account the nature of the processing and their respectively available information in the compliance with their legal obligations concerning data protection. In particular, this shall apply to the obligation to ensure the security of processing, notify the supervisory authorityand  the  data  subjects  of  a  data  protection  breach,  perform  a      data

protection impact assessment, consult the supervisory authority and prepare a record of processing activities.

• The parties shall provide all necessary information to prove compliance with data protection obligations stipulated in this Agreement on request. The same shall apply to information needed for proving compliance with required legal regulations for data processing. Furthermore, the Contractor shall facilitate reviews including inspections that are performed by the Client or an auditor commissioned by the Client. The Contractor may object to an auditor that is in direct competition with the Contractor. The Client shall make an appointment in good time in advance for inspections at the establishment of the Contractor. The Client or auditor shall commit to confidentiality prior to the audit. This shall not apply if it is excluded that the Client and/or auditor comes into contact with information other than the information processed according to this Agreement. The Contractor shall assist the audit where necessary. The proof of measures that not only relate to the specific contract may also be provided by audit certificates or reports by an independent body such as an external auditor or data protection auditor. The same shall apply to authorised or otherwise appropriate certifications by an independent
• If the Contractor becomes aware of a breach of security of personal data that is processed on its behalf, the Contractor shall immediately notify the Client. The same shall apply if the data processed by the Contractor is subject to seizure or confiscation, insolvency proceedings or similar measures. In case of imminent danger, the Contractor shall be entitled and obligated to point out that the responsibility for the affected data lies with the Client. The parties shall implement appropriate measures for the protection of the data and for minimising possible adverse effects, in particular also for the data subjects, and assist each other with the documentation. The parties shall also inform each other about measures that a supervisory authority has taken in connection with the processing insofar as this is

Section 6       Technical and organisational measures 

• The Contractor shall take appropriate technical and organisational measures so that the processing is performed in accordance with legal requirements and the protection of the data subjects’ rights is ensured. The Contractor shall thereby consider the state of technology, implementation costs and the type, scope, circumstances and purposes of processing as well as the different probabilities of occurrence and severity of the risk to the rights and freedoms of natural persons. Overall, the technical and organisational measures of the Contractor shall ensure a level of protection that is appropriate to the risk

These measures shall include for example: a) the pseudonymisation   and

encryption of personal data, b) the ability to ensure the confidentiality, integrity and capacity of the systems and services in connection with the processing in the long term, c) the ability quickly to restore the availability of personal data and access to it following a physical or technical incident. The data processed on behalf of the Client shall be separated technically and organisationally from other data whenever possible.

• Details on the measures implemented may be found in the Appendix to this Agreement. The Client acknowledges that these measures are sufficient according to the state of technology. The Contractor shall regularly review the compliance and effectiveness of the technical and organisational measures to ensure the security of the processing and update them where necessary. During the review, the Contractor shall consider the risks concerning the processing, in particular due to destruction, loss or alteration, whether unintended or unlawful, or unauthorised disclosure of or unauthorised access to personal data that is transferred, stored or processed in any other way. The Contractor shall comply with the level of protection stipulated by this Agreement when updating. Significant changes that result from the updating of the measures shall be documented by the

Section 7       Subcontractors 

• The Contractor currently uses the processors (subcontractors). Documentation is required if a subcontractor is processing data in a third country. At the same time, it is necessary to document what constitutes the appropriate level of protection for data processing by the subcontractor. In this respect, the Client agrees to the data transfer to a third
• The Contractor shall be entitled to involve additional subcontractors or replace the used subcontractors by other subcontractors. The Contractor shall inform the Client in advance about any intended change with regard to adding or replacing a subcontractor. This gives the Client the opportunity to object to the intended change. The objection shall be raised within a cut-off period of six weeks after receiving notification about the intended change. Both the notification and the objection shall be made in writing, with the Contractor once again making the Client aware of the cut-off period in the notification. If the Client raises an objection to the change without an important reason, the Contractor shall be entitled to early cancellation of this Agreement as well as the Main Agreement with a notice period of  six
• The Contractor shall impose the same data protection obligations on

the subcontractors stipulated in this Agreement between the two parties. In particular, the subcontractor shall implement appropriate technical and organisational measures in such a way that the processing is performed according to the data protection regulations. If a subcontractor fails to comply with its data protection obligations, the Contractor shall be liable for the compliance with the obligations of the respective subcontractor. The Contractor shall transfer data processed on behalf of the Client to a subcontractor only when  the requirements according this Agreement are met.

• Third parties which the Contractor uses for ancillary services to support the performance of the contract shall not be considered subcontractors. These include telecommunication, postal, maintenance and audit services. The Contractor shall also take measures in this respect to ensure an appropriate level of protection proportionate to the risk (e.g. confidentiality obligation, monitoring or encryption).

Section 8       Costs 

• The Contractor shall perform the implementation of the instructions that are defined in the Main Contract and ensure compliance with general, technical and organisational measures according to this Agreement without charging costs to the Client. In this respect, the services of the Contractor shall already be covered by the compensation pursuant to the Main Contract. The same shall apply to individual instructions that the Client may and actually does implement on its own according to the Main Agreement (e.g. erasure of data through a web interface) via the processing system of the
• The costs for the implementation of individual instructions and other requirements, however, shall be the responsibility of the Client. In particular, this shall include assisting in responding to requests of data subjects and compliance with other obligations to which the Client is subject, the return and destruction of data insofar as this goes beyond deletion in the system of the Contractor, making information available insofar as this is not primarily in the interest of the Contractor and facilitating and contributing to reviews including 
• On request, the Contractor shall provide the Client with a cost estimate in advance. Costs also include an appropriate compensation for services rendered. Different cost provisions in the Main Contract or a price list included in the Main Contract related to data protection measures shall  override  this  cost    Likewise,  the costs for   measuresrequired due to the fault of one party shall be borne by this party. Partial culpability of the respective other party shall be considered, however.

Section 9        Final provisions 

• Even if single provisions are legally invalid, this Agreement shall remain binding in its remaining parts. Statutory provisions shall apply in place of the invalid provisions. This Agreement shall not apply to the processing of non-personal data. This Agreement shall also not apply if the parties categorised such data as personal by mistake or because of an incorrect interpretation of the law. As long as there are doubts concerning whether the data is personal, the data labelled as such shall be handled as if it were personal as a precautionary measure. The provisions of the Main Agreement shall apply solely to non-personal
• The laws of the Romania shall apply. Any provision on the place of jurisdiction and limitation of liability in the Main Agreement shall also apply to this Agreement without limiting the legal rights of the data
• Modifications, supplements to and cancellation of this Agreement shall be made in documented form. Documented form within the meaning of this Agreement means at least text form. At the request of one party, any declaration made in text form shall be confirmed in writing.

Signature(*) and company seal if applicable                       Signature(*) and company seal if applicable

* This Agreement requires the written form, which may also be in an electronic format.