DATA PROCESSING AGREEMENT

In the course of the fulfillment of the contract between DOOFINDER, S.L. (“Doofinder”) with address in C/ Cronos, 63, Madrid, 28037 Madrid, Spain (the “PROCESSOR”) and the customer (the “CONTROLLER”, together with the Processor the “Parties”) regarding the provision of the Processor’s software to the Customer (the “Contract”), it is possible that the Processor deals with personal data pursuant to Art. 4 no. 1 General Data Protection Regulation (“GDPR”), i.e. any information relating to an identified or identifiable natural person (e.g. names, addresses or phone numbers of persons who are the Customer’s customers), with regard to which the Customer acts as a controller pursuant to data protection law (the “Customer Data”). This agreement (the “Agreement”) specifies the data protection obligations and rights of the Parties in connection with the Processor’s use of Customer Data to render the services under the Contract.

Both parties, recognizing each other's sufficient legal capacity to bind themselves by means of this document, and declaring that their powers are in force and sufficient to bind their represented parties,

DECLARE AS FOLLOWS

  1. That this data processing agreement (or, pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (hereinafter GDPR), annex / processor contract) specifies the data protection obligations of the parties under the quotation, service agreement or other agreement between the parties (hereinafter AGREEMENT).
  2. That the contact email address for the Processor will be lopd@doofinder.com, and the contact email address for the Controller will be the registered account e-mail address.

  3. That, in compliance with the GDPR and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), both parties freely and spontaneously agree to regulate the processing of personal data in accordance with the following,

CLAUSES

1. PURPOSE OF THE DATA PROCESSING

Under the AGREEMENT, the CONTROLLER is allowed to use the services offered by DOOFINDER. These services will allow the end-user of the CONTROLLER to make use of the functionalities offered by DOOFINDER on the website.

In development of the AGREEMENT indicated in previous sections, the CONTROLLER makes available to the PROCESSOR, the following:

PERSONAL DATA UNDERGOING PROCESSING

    • Tax ID No.
    • Health insurance card
    • Social security No.
    • Personal characteristics
    • Name and surnames
    • Social circumstances
    • Postal address
    • Academic/professional particulars
    • Email address
    • Employment details
    • Telephone number
    • Commercial information
    • Signature
    • Electronic Signature
    • Economic related data
    • Transactions involving goods and services
    • Insurance related data
    • IP address
    • Image
    • Voice
    • Location data
    • Physical marks

SPECIAL CATEGORIES

    • Ethnic or racial origin
    • Biometric data
    • Political opinions/convictions, religious or philosophical beliefs and/or trade-union membership
    • Health
    • Genetic data
    • Life or sexual orientation
    • Other:

2. IDENTIFICATION OF PERSONAL DATA AND DATA SUBJECTS

For the execution of the services derived from the fulfilment of the aforementioned service provision contract, the CONTROLLER makes available to the PROCESSOR the personal data necessary for the provision of DOOFINDER’s services.

3. DURATION

The duration of this contract shall be subject to the continuity of the main AGREEMENT and shall be automatically renewed unless either party decides otherwise.

4. OBLIGATIONS OF THE DATA PROCESSOR

The PROCESSOR and all its personnel undertake to:

  1. Use personal data intended for processing or collected for processing only for the purpose of this order in accordance with the provisions of Appendix 1. In no case whatsoever may data be used for the PROCESSOR’s own purposes or purposes differing from the ones established by the CONTROLLER.
  2. Process the data according to the documented instructions of the CONTROLLER, which in all cases will entail the prohibition of carrying out, as a result of the rendering of the service, international transfers that require authorization requests from a supervisory authority because they involve countries and/or organizations that have an inadequate level of protection or no safeguards in place for exporting personal data.

If the PROCESSOR considers that some of the instructions infringe the GDPR or any other data protection provision of the European Union or Member States, the PROCESSOR shall immediately inform the CONTROLLER thereof.

  3. Guarantee that the personnel authorized to process personal data not only undertake expressly and in writing to observe confidentiality, safeguard professional secrecy and adopt the corresponding security measures, but also are trained, apprised and informed accordingly. The duty of secrecy and confidentiality regarding the personal data to which they might have had access by virtue of the present commissioned service will last indefinitely.
  4. Subcontracting

None of the services constituting any part of the purpose of the present Agreement may be subcontracted when they entail the processing of personal data, save the auxiliary services necessary for the normal rendering of PROCESSOR services.

Whenever subcontracting some processing proves to be necessary, the subcontractor or SUB-PROCESSOR, which will also be considered to be a processor, is likewise obligated to fulfil the obligations stipulated herein for the PROCESSOR and the instructions given by the CONTROLLER.

The initial PROCESSOR will be responsible for formalizing the new relationship so that the SUB-PROCESSOR is bound to the same terms and conditions (instructions, obligations, security measures, etc.) and formal requirements as the PROCESSOR insofar as properly processing personal data and safeguarding the rights of the data subjects.

  5. Keep a written record of all the categories of processing activities on behalf of the CONTROLLER, containing at least:
    • The name and contact particulars of the CONTROLLER on behalf of whom the PROCESSOR will act and, where pertinent, the representative of the CONTROLLER or PROCESSOR and data protection officer, when one is assigned.
    • The categories of processing activities executed on behalf of the CONTROLLER.
    • Whenever pertinent, the transfers of personal data to a third country or international organization, including the name of the third country or international organization and, in such a case, documentation substantiating suitable safeguards adopted.
    • Whenever possible, a general description of the technical and organizational security measures, including yet not restricted to the following:
      • Capability of safeguarding the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
      • Capability of restoring availability and access to personal data quickly in case of physical or technical incident.
      • Regular verification, evaluation and assessment processes of the effectiveness of technical and organizational measures to safeguard the security of the processing.
      • The pseudonymization and encryption of personal data, where necessary.

This record must be made available and provided to the CONTROLLER and supervisory authority upon request, though not before first consulting with the CONTROLLER.

  6. Refrain from disclosing the data to third parties without the CONTROLLER’S express authorization to do so or in legally admissible situations.

The PROCESSOR will disclose the data to other processors of the same CONTROLLER according to the instructions of the CONTROLLER. In such cases, the CONTROLLER will previously provide written identification of the entity to which the data must be disclosed, the data to disclose and the security measures to apply when disclosing.

The PROCESSOR will keep all documentation substantiating compliance with the obligations regarding third-party disclosure and/or transfers available for the CONTROLLER.

  7. Assist the CONTROLLER, in consideration of the nature thereof and through the appropriate technical and organizational measures, whenever possible, so that the CONTROLLER may respond to the exercise of the rights to access, rectification, erasure, objection, restriction of processing, personal data portability and not to be subject to automated individualized decision-making (including profiling).

The PROCESSOR must notify the CONTROLLER by email when data subjects contact the PROCESSOR to exercise their rights to access, rectification, erasure, objection, restriction of processing, personal data portability and not to be subject to automated individualized decision-making. This notification must be made immediately, yet no later than the next business day following the date of receipt of the request, and include any additional information that could be relevant to address the request whenever necessary.

  8. The PROCESSOR shall notify the CONTROLLER by email of personal data breaches affecting the personal data under its responsibility without undue delay and, in any case, within twenty-four (24) hours, though legislation sets a maximum term of seventy-two (72) hours from the moment the PROCESSOR detects the breach. This notification should also include all relevant information for the documentation and communication of the incident.

The following information should at least be included therein when known:
    • Description of the nature of the personal data breach, including, whenever possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
    • The name and contact particulars of the data protection officer or other point of contact from whom additional information may be obtained.
    • Description of the likely consequences of the personal data breach.
    • Description of the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    • When all the information cannot be provided at the same time, the information may be provided in phases without undue further delay.

The CONTROLLER need not be notified when the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

  9. Assist the CONTROLLER in carrying out data protection impact assessments and prior consultations with the supervisory authority where necessary and pertinent according to the applicable data protection legislation and/or instructions issued by the national supervisory authority.
  10. Make available to the CONTROLLER all information necessary to demonstrate compliance with the obligations laid down in data protection legislation and allow for and contribute to audits, including inspections, conducted by the CONTROLLER or another auditor mandated by the CONTROLLER. There must be a prior notice of SEVEN (7) days for actions of this sort.
  11. Security Measures

Implement the technical and organizational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

The security measures to be taken must be determined in consideration of the risk analysis and impact assessment, if necessary, to ascertain the most appropriate measures that should be adopted to safeguard processing security, and a record must be kept of all the steps taken. In any case, the appropriate measures may be provided by means of codes of conduct, seals, certifications or any other currently valid policy or international standard regarding data protection and information security.

  12. Appoint a data protection officer and notify the CONTROLLER of the identity and contact details thereof, where applicable.

5. OBLIGATIONS OF THE DATA CONTROLLER

  1. Provide the PROCESSOR with the data referred to in CLAUSE 2 herein.
  2. Provide the corresponding instructions for carrying out the processing.
  3. Conduct a personal data protection risk analysis and impact assessment regarding the processing operations that the PROCESSOR will carry out, where applicable.
  4. Carry out the corresponding prior consultations.
  5. Ensure before and throughout the processing that the PROCESSOR is compliant with the GDPR.
  6. Supervise the processing, including the carrying out of inspections and audits.

6. DESTINATION OF THE DATA

Upon conclusion of the service, the PROCESSOR must:

Return all the personal data and, where pertinent, media containing them to the CONTROLLER upon completion of the service. The PROCESSOR may also be asked to destroy them or deliver them to another PROCESSOR designated in writing by the CONTROLLER.

This return must entail the full deletion of the existing data in the computer systems used by the PROCESSOR, including backups and security copies. Notwithstanding the foregoing, the PROCESSOR may conserve a copy with the data duly blocked out so long as there may be liabilities regarding the execution of the service or legal obligation to do so.

The destruction of the data will not proceed when there is a legal provision requiring its conservation, in which case it must be returned to the CONTROLLER, who will guarantee its conservation while this obligation persists.

7. LEGAL DISCLAIMER

The CONTROLLER is exonerated from any responsibility that could be generated by the PROCESSOR’S non-compliance with the stipulations of this contract, as well as with the provisions of the GDPR, in which case he will be considered Data Controller, answering for the infringements in which he could incur, as well as for any claim for compensation that the data subjects could file with the Control Authority or with the Courts.

If the PROCESSOR were to subcontract, giving rise to a Sub-processor, the latter failing to comply with his or her data protection obligations, the PROCESSOR will continue to be fully liable to the CONTROLLER with regard to compliance with the obligations of the Sub-processor. This will be maintained regardless of the number of successive sub-processors.

8. CONFIDENTIALITY AND DATA PROTECTION

The Parties are obliged to keep absolute confidentiality on the information and documentation provided or accessed during the provision of the SERVICE, not to disclose, nor use directly or indirectly the information derived from this contractual relationship.

Both parties are informed respectively that the personal data of the signatories of the present contract will be included in the processing of the other party to satisfy the purpose of management and maintenance of the contractual relationship. At any time, they may exercise their rights of access, rectification, deletion, opposition, limitation to processing, portability, and not be subject to automated individualized decisions, where appropriate, in the postal addresses and contact emails indicated in the header. They also provide the privacy policy posted on their respective websites for further information, offering the availability of attaching it on paper or sending it by mail if there is no website.

9. GOVERNING LAW AND JURISDICTION

This contract contemplates the requirements of current Spanish and European legislation on the protection of personal data, particularly as established in the GDPR and LOPDGDD.

The parties, expressly waiving their own jurisdiction, submit all interpretations and/or conflicts that may arise from this contract to the Courts and Tribunals of the registered address of the DATA PROCESSOR.