4. Obligations of the processor
The PROCESSOR, and all its staff, undertakes to:
a. Use the personal data subject to processing, or those collected for inclusion, only for the purpose of the Service. Under no circumstances may it use the data for its own purposes or carry out processing outside the scope of the Service.
b. Process the data in accordance with the instructions of the CONTROLLER. If the PROCESSOR considers that any of the instructions infringe the GDPR or any other Union or Member State data protection provisions, it shall immediately inform the CONTROLLER.
c. Keep, in writing, a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing:
1. The name(s) and contact details of the processor(s) and of each controller on whose behalf the processor is acting and, where applicable, of the controller’s or processor’s representative and of the data protection officer.
2. The categories of processing operations carried out on behalf of each controller.
3. Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, where applicable, for transfers referred to in the second paragraph of Article 49 of the GDPR, documentation of appropriate safeguards.
4. A general description of the technical and organizational security measures relating to:
i. Pseudonymization and encryption of personal data.
ii. The ability to ensure the continuing confidentiality, integrity, availability and resilience of the processing systems and services.
iii. The ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident.
iv. The process of regular verification, evaluation, and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing.
d. Not communicate data to third parties, except with the express authorization of the CONTROLLER, in the legally admissible cases. The PROCESSOR may communicate data to other processors of the CONTROLLER, in accordance with the instructions of the CONTROLLER. In this case, the CONTROLLER will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication. If the PROCESSOR must transfer personal data to a third country or an international organization, pursuant to applicable Union or Member State law, it shall inform the CONTROLLER of this legal requirement in advance, unless the law prohibits it for important reasons of public interest.
e. The CONTROLLER authorizes the PROCESSOR to subcontract to third parties that provide services to it (hereinafter referred to as sub-processors). These sub-contractors may or may not be external providers within the EU/EEA.
If a sub-processor is within a jurisdiction outside the EU/EEA and is not on the European Commission’s approved list of satisfactory levels of data protection under the GDPR, the PROCESSOR and such sub-processor shall enter into an express agreement to ensure that it will maintain all personal data in full compliance with the standards of care required by applicable EU data protection laws.
By virtue of this agreement the CONTROLLER specifically and explicitly consents in advance to the use by the PROCESSOR of sub-processors under this assignment, even after the end of its purpose.
f. Ensure that the persons authorized to process personal data undertake expressly and in writing to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
g. Keep at the disposal of the CONTROLLER the documentation accrediting compliance with the obligation established in the previous section.
h. Guarantee the necessary training in the protection of personal data of the persons authorized to process personal data.
i. Assist the CONTROLLER in the response to the exercise of the rights of:
1. Access, rectification, deletion, and opposition.
2. Limitation of processing.
3. Data portability.
4. Not to be subject to automated individualized decisions (including profiling).
When the data subjects exercise their rights of access, rectification, erasure, opposition, limitation of processing and data portability and the right not to be subject to automated individualized decisions before the PROCESSOR, the latter must communicate this by e-mail to the address [•]. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request. The PROCESSOR should under no circumstances respond, in the name and on behalf of the CONTROLLER, to requests it receives, except with the prior consent of the CONTROLLER.
j. It is the CONTROLLER’s responsibility to provide the right to information at the time of data collection.
k. Notification of data security breaches: The PROCESSOR shall notify the data CONTROLLER, without undue delay, and, in any case, within a maximum period of 24 hours of any breaches of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. This communication shall be carried out in the following manner: By sending an e-mail to the CONTROLLER to the following address: [•].
The communication shall contain, as a minimum, the following information:
i. Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
ii. Name and contact details of the data protection officer or other point of contact from whom further information may be obtained.
iii. A description of the possible consequences of the personal data breach.
iv. A description of the measures taken or proposed to be taken to remedy the personal data breach, including, where appropriate, measures taken to mitigate the possible negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay. It is the responsibility of the CONTROLLER to communicate data security breaches to data subjects as soon as possible, where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
The communication should be in clear and plain language and should, as a minimum:
- Explain the nature of the data breach.
- State the name and contact details of the data protection officer or other point of contact from whom further information can be obtained.
- Describe the possible consequences of the personal data security breach.
- Describe the measures taken or proposed to be taken by the CONTROLLER to remedy the personal data breach, including, where appropriate, measures taken to mitigate any adverse effects.
l. Support the CONTROLLER in carrying out data protection impact assessments where appropriate.
m. Support the CONTROLLER in carrying out prior consultations with the supervisory authority, where appropriate.
n. Make available to the CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the CONTROLLER or another auditor authorized by the CONTROLLER.
o. In any case, it shall implement mechanisms to:
1. Ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services.
2. Restore availability and access to personal data promptly in the event of a physical or technical incident.
3. Regularly verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
4. Pseudonymize and encrypt personal data, where appropriate.
p. Destination of the data upon termination of the provision of the services: The PROCESSOR shall return the personal data and, if applicable, the media on which they are stored, to the CONTROLLER once the services have been rendered. The return must entail the total deletion of the data existing on the computer equipment used by the processor. However, the PROCESSOR may keep a copy, with the data duly blocked, for as long as liability may arise from the performance of the service.