Data Processing Agreement (DPA): governs personal data processing in accordance with Article 28 of the GDPR.

Agreement on data processing in accordance with the GDPR between the Data Processor, B2Brouter Global S.L., and the Data Controller

___________________

Preamble

This agreement sets out the responsibilities of the contracting parties in relation to the protection of personal data. These responsibilities arise from all existing and future contracts that involve the processing of personal data and have a similar contractual content, such as the creation and transmission of electronic documents or invoices using various networks, formats and standards. Specific details will be defined according to the established distribution or allocation of responsibilities.

This agreement shall apply to all activities in connection with such contracts in which the Processor's (Contractor's) employees or its appointed third-party processors (hereinafter referred to as "Subcontractors") handle personal data of the Controller (Client).

1. Object of the Agreement

This agreement constitutes an integral part of the main contract.

The Processor shall handle personal data on behalf of the Controller.

The purpose of the processing of personal data is detailed in the relevant contracts. In essence, the Processor carries out the following activities:

  • Hosting of IT infrastructures
  • Software development and implementation
  • Support and service activities for computer applications

Duration of data processing:

The term of this Agreement shall be governed by the duration of the Main Contract, unless the terms of this Agreement impose obligations beyond that term.

Upon termination of the provision of the services covered by this contract, if the Processor has stored personal data, or any other document and/or medium provided to it by any means, it shall return them to the Controller, delete them or deliver them to a new Processor, at the choice of the Controller, including any existing copies. The Processor shall issue a certificate of return or destruction if so required by the Controller. The data shall not be deleted where their retention is required by a legal obligation; in that case the Processor shall keep the data in custody, blocked and with their processing restricted, for as long as liabilities may arise from its relationship with the Controller. The Processor shall maintain the duty of secrecy and confidentiality of the data even after the termination of the relationship that is the object of this contract.

Data category:

  • Personal: first name, surname, postal address, telephone number.
  • Employment data: department, personnel number.
  • Access records
  • Others:

Stakeholder category:

  • Managers, executive employees
  • Employees, including volunteers, students, agents, temporary workers.
  • Clients and users.
  • Commercial contacts
  • Suppliers
  • Contractors and their employees.

This Agreement regulates the measures to be agreed between the Controller and the Processor, in order to protect personal data in accordance with Art 28 of the GDPR.

2. Rights and obligations of the Controller

The CONTROLLER guarantees that the data provided to the PROCESSOR have been lawfully obtained and that they are adequate, relevant and limited to the purposes of the processing.

The CONTROLLER will make available to the PROCESSOR all information necessary for the performance of the services that are the subject of the assignment. The CONTROLLER warns the PROCESSOR that, if the PROCESSOR determines the purposes and means of the processing on its own, it will be considered the controller of that processing and will be subject, as such, to the provisions of the applicable regulations in force.

The Controller shall promptly inform the Processor if it detects errors or irregularities in the processing of personal data carried out by the latter on its behalf. For its part, the Processor shall promptly notify the Controller of any corrections made or actions necessary to remedy such errors or irregularities.

If a data subject brings a claim for compensation against one of the contracting parties pursuant to Article 82 of the GDPR in connection with the processing of personal data under this Agreement, the party concerned shall notify the other party immediately. Both parties undertake to cooperate with each other in defending against such a claim.

3. Obligations of the Processor

3.1. The Processor shall handle the personal data on behalf of the Controller, in accordance with the provisions of the Contract and as specified in this Agreement.

However, if the Processor decides the purposes and means of the processing of personal data, in breach of the instructions of the Controller, it shall assume the role of Controller. In this case, it shall be fully responsible for such processing, with all the corresponding obligations set forth in the GDPR and other applicable laws.

3.2. The Processor may only process the personal data of data subjects within the scope of the tasks specified in the Contract and this Agreement, and in accordance with the documented instructions of the Controller. This shall apply unless there is a legal obligation requiring otherwise, in accordance with Article 28(3)(a) of the GDPR. In such a case, the Processor shall inform the Controller of this legal requirement before processing, unless prohibited by law.

3.3. The Processor shall organise its internal structure in such a way as to comply with the specific data protection requirements within the scope of its responsibilities. It shall adopt the necessary technical and organisational measures to adequately protect the Controller's data, in accordance with the requirements of Article 32 of the GDPR.

These measures shall include ensuring the ongoing confidentiality, integrity, availability and resilience of the systems and services linked to data processing. The Processor shall also implement measures to restore the availability of and access to personal data promptly after a physical or technical incident. In addition, it shall establish procedures to periodically test, assess and evaluate the effectiveness of these technical and organisational measures to ensure the security of the processing.

The measures to be implemented include pseudonymisation and encryption of personal data, where necessary to ensure an adequate level of security. The technical and organisational measures taken by the Processor, as described in Annex 1, have been verified by the Controller, and the parties confirm their binding nature. The Processor shall be responsible for ensuring that such measures comply with the specific data protection requirements.

3.4. The Processor shall ensure the implementation of all measures defined in this Agreement for the processing of personal data. It shall inform the Controller of any known new technology that may improve the protection of personal data.

3.5. The Processor shall draw up, update and maintain a record of all categories of processing activities carried out on behalf of the Controller, including the information required by Article 30(2) of the GDPR.

3.6. The Processor shall support the Controller, in accordance with Article 28(3)(e) of the GDPR, to the extent possible, by implementing appropriate technical and organisational protection measures. This will make it easier for the Controller to comply with its obligations to respond to data subjects in accordance with Chapter III of the GDPR. Such support may include, among others, providing information and access to data subjects, correcting or deleting data, restricting processing, ensuring the right to be forgotten, facilitating data portability and addressing objections to processing.

The Processor shall provide support to the Controller, in accordance with Article 28(3)(f) of the GDPR, to ensure compliance with the security requirements set out in Article 32 of the GDPR. It shall also facilitate the handling of personal data protection breach notifications in accordance with Article 33 of the GDPR and, where necessary, the communication to data subjects in accordance with Article 34 of the GDPR. In addition, it shall provide the Controller, upon request, with the data and documents necessary for this purpose.

The Processor shall also assist, pursuant to Article 28(3)(f) of the GDPR, in the preparation of data protection impact assessments pursuant to Article 35 of the GDPR and, where relevant, in prior consultations with supervisory authorities pursuant to Article 36 of the GDPR. It shall provide the Controller with the required details and documents upon request.

3.7. The Processor shall designate a data protection officer and a point of contact to deal with enquiries from the Controller on data protection issues under the Contract and this Agreement. Any change in the contact person shall be promptly notified to the Controller.

3.8. The Processor shall not use the personal data for purposes other than those established by the Controller, nor shall it retain them beyond the period determined by law. No copies or duplicates of the data may be created without the knowledge and approval of the Controller.

3.9 The Processor shall, in accordance with the Controller’s written instructions, guarantee the rights of data subjects, including erasure (right to be forgotten), rectification, data portability, restriction of processing, objection and access, and shall do so without undue delay.

3.10. The Processor shall immediately notify the Controller or its Data Protection Officer in the following cases:

  • If the security measures implemented by the Processor do not comply with the requirements set out in this Agreement.
  • If significant alterations to operational procedures occur.
  • In case of breaches of the data protection rules or of the provisions set out in this Agreement, either by the Processor or its employees.
  • In the event of any suspicion of a personal data breach or irregularity in the processing of personal data.

The Processor shall take appropriate security measures, as instructed by the Controller, to minimise the possible detrimental effects on data subjects.

This includes ensuring compliance with the Controller’s obligations under Articles 33 and 34 of the GDPR, relating to the notification of data breaches to the supervisory authorities and, where necessary, to the data subjects. The Processor undertakes to actively support the Controller in fulfilling these obligations.

The Processor shall notify the Controller of any personal data protection breach by sending an email to gdpr@b2brouter.net . The notification shall include, at a minimum, the following information:

  • Description of the breach: An explanation of the nature of the breach, including the categories of data affected and the approximate number of individuals and data sets compromised.
  • Contact details: The name and contact details of a contact person who can provide further information.
  • Likely consequences: A description of the possible repercussions of the infringement for the persons concerned.
  • Actions taken: A list of actions taken or planned to be taken to remedy or mitigate the effects of the violation.

This process ensures clear and efficient communication, enabling the Controller to comply with its legal obligations under the GDPR.

3.11. The controller has the right to inspect the technical and organisational measures to be taken by the processor, as set out in Clause 3.3, prior to the start of any data processing. In addition, it may verify such measures at regular intervals. The inspections may be carried out directly by the controller or by an auditor appointed on its behalf, to ensure compliance with data protection regulations.

3.12. The processor shall immediately inform the controller of the following:

  • Actions by the supervisory authority, pursuant to Articles 55 et seq. and 31 of the GDPR, as well as any investigation by the supervisory authority of the processor, as provided for in Articles 58(2) and 83 et seq. of the GDPR.
  • Requests from data subjects concerning the exercise of their rights set out in Chapter III of the GDPR, such as the rights of rectification, erasure, restriction of processing, access, data portability and objection. The processor shall transmit such requests to the controller without delay and shall cooperate in the handling of such requests.

The processor is not authorised, without the prior written instruction of the controller, to provide any information to data subjects or third parties about the processing of personal data, in accordance with Article 15 of the GDPR.

3.13. Personal data used for test purposes shall be kept securely and shall not be accessed further until the controller instructs the processor to destroy, erase or return them to the controller. The deletion or destruction of the data shall be confirmed in writing to the controller, indicating the date of the action.

3.14. Upon termination of this Agreement, the Processor shall return to the Controller, or, at the request of the Controller, irretrievably delete all information, documentation and data provided by the Controller, including personal data and results of work generated in connection with this Agreement, provided that there is no legal obligation to retain personal data under EU or member state law (see Art. 28, paragraph 3, letter g of the GDPR). The processor shall confirm to the controller, no later than 30 days after the request, the return, destruction, erasure and blocking of all information and records. The same shall apply to subcontractors.

3.14.1. The processor may only subcontract the processing of data to third parties with the prior written consent of the controller. The subcontractors appointed by the processor shall be listed in Annex 2 to this Agreement. For the subcontractors mentioned in the said Annex 2, the authorization shall be granted upon signature of this Agreement. The processor shall notify the controller of any change, inclusion or replacement of a subcontractor in advance, giving the controller the opportunity to object to the change.

3.14.2. The Processor shall ensure that each subcontractor is carefully selected with regard to the adequacy of the technical and organisational measures used by the subcontractor. The Processor shall ensure that the subcontractor's contract (as regards the processing of personal data) is on substantially the same and in any event no less onerous terms than the terms of this Agreement.

3.14.3. The transfer of data will only be admissible once the subcontractor has implemented all the requirements set out in Article 28 of the GDPR, including the security measures described in Article 32 of the GDPR.

3.14.4. In the contract between the processor and the subcontractor, the details referred to in point 1 shall be clearly specified in such a way that the responsibilities between the processor and the subcontractor are clearly delimited. This principle shall also apply to the separation of responsibilities between different subcontractors.

3.14.5. The processor shall inform the controller about the essential aspects of the contracts signed with subcontractors and about the implementation of the data protection obligations contained in those contracts. If necessary, the contract shall be submitted to the controller for review.

3.14.6. Subcontracting under the terms of this Agreement shall not include ancillary services contracted by the processor to third parties to facilitate the performance of the Agreement, such as telecommunication services, cleaning, auditing or disposal of data media. However, to ensure the protection and security of personal data, the processor shall:

  • Enter into appropriate agreements that comply with applicable law.
  • Monitor the activities of third parties providing ancillary services to ensure that they comply with the data protection standards specified in this Agreement.

3.15. Any transfer of data to a third country will require the prior approval of the controller and will only be permitted if the requirements set out in Articles 44 et seq. of the GDPR are met.

3.16. If personal data of the controller in the custody of the processor are compromised due to seizure, confiscation, insolvency or bankruptcy proceedings, or other actions or measures by third parties, the processor shall immediately inform the controller. Furthermore, the processor shall promptly notify all parties involved that the sovereignty and ownership of the personal data rest exclusively with the controller, in accordance with the GDPR.

4. Confidentiality and integrity

4.1. The processor shall ensure that all persons authorised to process personal data give a written undertaking to maintain confidentiality before commencing any activity, in accordance with Article 5(1)(f) and Article 28(3)(b) of the GDPR. In addition, the processor shall ensure that its staff are properly informed about the obligations arising from this Agreement, the GDPR and other relevant data protection requirements, and that they are familiar with the instructions of the controller. The processor shall monitor compliance with data protection regulations and the terms set out in this Agreement.

4.2 The obligation of confidentiality and integrity shall remain in force even after the termination of the employment relationship.

4.3 The controller shall be obliged to respect the confidentiality of all business secrets and data protection measures of the processor that may be disclosed during the contractual relationship.

5. Liability and compensation

The processor shall be liable to the controller for any damage or loss caused by the unauthorised or incorrect processing of personal data, whether in the context of contractual or external relationships, in accordance with the GDPR and other applicable data protection legislation. This includes, in particular:

  • Data processing that deviates from the instructions of the controller.
  • Faulty processing resulting from the processor’s failure to comply with its obligations under this Agreement.

The processor undertakes to compensate the controller and to release it from any claims brought by third parties in this context, in accordance with Article 82(3) of the GDPR.

6. Contract period

6.1. The duration of this agreement shall be based on the duration of the main agreement, provided that the provisions of this agreement do not give rise to obligations going beyond it. This agreement may be terminated by giving three months’ written notice to the other party.

6.2. In the event that the Processor fails to comply with its obligations as defined in point 3 of this Agreement, or in the event that the Processor fails to perform the services in point 1 of this Agreement, and in the event that the relevant request or reminder from the Controller remains unsuccessful for a period of sixty days, the Controller shall, without prejudice to any other rights, have the right to terminate this Agreement in writing and without notice at any time.

6.3. If the transfer of personal data takes place exclusively on the basis of an adequacy decision pursuant to Art. 45 GDPR, the controller reserves the right of extraordinary termination if that adequacy decision is or has been repealed, amended or suspended pursuant to Art. 45(3) and (5) of the GDPR.

7. Severability

If any provision of this Agreement shall be or become invalid in whole or in part, this shall not affect the validity of the remainder of this Agreement.

The invalid provision shall be replaced by a valid provision that is legally permissible and reflects, to the greatest extent possible, the economic intent and purpose of the original provision.

8. General

8.1. Any amendment or addition to this Agreement and any of its constituent elements (including the warranties given by the processor) must be in writing. This may be done in electronic form, if it is clearly specified that it is a written agreement amending or supplementing this Agreement. This provision shall also apply to the waiver of the requirements relating to this format.

8.2. In the event of any discrepancy or inconsistency between the terms of this Agreement and the terms of the main contract, the terms set out in this Agreement shall prevail.

8.3. This Agreement shall be governed by European law. Exclusive jurisdiction shall be Barcelona, Spain.

B2Brouter Global S.L.

Data Processor                                   Data Controller

Annex 1: Technical and organisational measures/security concept

The following TOMS (Technical and Organisational Measures) are agreed between the controller and the processor and are detailed in this specific case. For further reference, please refer to the list of examples.

1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b GDPR)

  • Physical access control

Unauthorised access to data processing systems is not permitted.

  • Logical access control

No unauthorised use of the system.

Access only through secure channels, authenticated with public/private key pairs via a bastion host.

  • Data access control

Prohibition of unauthorised reading, copying, modification or deletion within the system.

  • Separation control

Separate processing of data collected for different purposes.

Customer data are logically separated.

  • Deletion of data

Disk drives or servers that are no longer in use are erased multiple times according to the secure deletion policy.

2. Measures to ensure integrity (Art. 32 para. 1 lit b of the GDPR)

  • Transfer control

Prohibition of unauthorised reading, copying, modification or deletion during transmission or electronic transport.

Data transmission is carried out through secure encrypted channels.

All employees are trained and are obliged to ensure that personal data is handled in accordance with the data protection standard.

  • Entry control

Determination of whether and by whom personal data have been entered, modified or deleted in data processing systems, e.g. registration, document management.

3. Measures to ensure availability and resilience (Art. 32(1)(b) GDPR), e.g.

  • Availability control

Protection against accidental damage or destruction or loss, through backup and recovery strategies. 

Systems and data distributed in different data centres in different countries within the European Union (Germany and Finland).

Business continuity plan for critical activities and disaster recovery plans.

  • No processing of data on behalf of the data controller within the meaning of Art. 28 of the GDPR without instructions from the data controller.
  • Resilience

Systems and services (e.g. storage, access, line capacity, etc.) are sized so that they can sustain both high peak loads and high constant processing loads.

Systems and services are arranged in a high availability architecture and are constantly monitored.

All servers use mirrored (duplicated) disks.

Security systems such as firewalls, anti-virus, anti-spam and encryption are employed.

4. Measures for the pseudonymisation of personal data, e.g.

  • Separation of customer master data and customer user data.
  • Personal data are pseudonymised where necessary.

5. Measures to quickly restore the availability of personal data following a physical or technical incident, e.g.

  • Redundant data storage
  • Dual IT infrastructure
  • Backup data centre

6. Regular review, assessment and evaluation procedures (Art. 32(1)(d) and Art. 25(1) GDPR), e.g.

  • Privacy management
  • Incident response management
  • Data protection by default (Art. 25 para. 2 GDPR)
  • Assessment by CISO, IT security audits
  • External assessment, audits, ISO27001 certifications.

Annex 2: Sub-Data Processors

Designated company   | Scope of the assignment                         | Place of data processing          | Data category
---------------------|-------------------------------------------------|-----------------------------------|------------------------------------------------------------------
INGENT SYSTEM SL     | Outsourcing of programming and IT activities    | Vilafranca del Penedès (Spain)    | Data relating to customer accounts (e-mails, names, bank accounts, etc.)
Hetzner Online GmbH  | Server outsourcing                              | Gunzenhausen (Germany)            | No access to personal data