DATA PROCESSING AGREEMENT
YOU or the legal entity represented by YOU (hereinafter “Processor”); AND
LLC „BALTIMAX“, address Laisvės pr. 3, Vilnius, legal entity code 303726856 (hereinafter “Controller”),
hereinafter referred to individually as “Party” and together as “Parties”. The Parties have agreed on the provisions set out below, which apply to the Processor when processing personal data on the basis of the agreements concluded between the Parties (hereinafter “Contract”).
1. Scope of application
- This agreement regarding the processing of personal data ("Data Management Agreement" or "DTS") sets the terms and conditions applicable to the Processor when processing personal data on behalf of the Controller.
2. Processing and security of personal data
- The Processor shall process personal data in order to fulfill the Contract concluded between the Parties. The data processing activity includes the provision and management of the clients' personal data in the system (database) of the Controller.
- The Processor undertakes to process personal data only according to the written instructions of the Controller (including this DTS).
- The Processor ensures proper personal data protection under this DTS with the objective of protecting personal data from destruction, alteration, unauthorized disclosure or unauthorized access. Personal data is also protected against any other form of unlawful processing.
- The Processor manages the following personal data:
Personal data categories – clients.
Personal data types:
1. Customer personal data:
• Personal code;
2. Customer contact data:
• telephone number;
• e-mail address;
3. Substantive data:
• customer responsibilities;
THIRD PARTIES PROVIDING SERVICES:
Personal data categories:
• Clients and representatives
• Providers, partners and their representatives
Personal data types:
1. personal data:
• personal code;
2. contact data:
• telephone number;
• e-mail address;
3. substantive data:
- The Processor may obtain personal data from systems managed by the Controller (databases) and / or directly from the Controller.
- The Processor will comply with all the instructions of the Controller and will also adhere to the best practices in the market that are normally used to prevent unauthorized access or disclosure, alteration, destruction or loss.
Unless otherwise agreed by the Parties, the Processor will implement the following measures:
(i) will select the technical and organizational measures for the protection of personal data, corresponding to the nature of the data and the level of risk of their handling, and will ensure their continuous operation;
(ii) will ensure the confidentiality, integrity, and resistance of the personal data;
(iii) will implement and maintain the security control and protection measures required to meet the requirements of data protection legislation.
- The Processor undertakes not to seek access, arbitrarily and without the written permission of the Controller, to personal data which he is not entitled to access, and undertakes to refuse such access to any third parties who are not required to provide the services specified in the Contract.
- The Processor undertakes to inform the Controller promptly (no later than the next working day) of any concerns of the data subjects, data protection authorities or other law enforcement or supervisory authorities, which the Controller will have the right to decide at his own discretion.
- The Processor may use third parties for the processing of personal data only with the prior written consent of the Controller. In addition, without prior written consent of the Controller, the Processor undertakes not to disclose any personal data processed by this DTS or otherwise disclose data to any third party.
- The right to use the Data Systems is granted only for the proper provision of the services specified in the Contract. By signing DTS, the Processor confirms that no system testing will be carried out with the personal data.
- The Processor ensures that all persons involved in the processing of personal data are bound by the obligation of confidentiality or that they are subject to the relevant confidentiality obligation established by law both during and after the term of the Contract.
- The obligation to process personal data under this agreement may only be carried out in a Member State of the European Union (EU) or in a Member State of the European Economic Area (EEA). Any transfer of personal data to a country which is not an EU or EEA Member State may only be carried out with the prior written consent of the Controller and only if the specific conditions specified in the applicable data protection legislation are met.
3. Obligations and Liability
- The Controller undertakes to process personal data in accordance with the procedure prescribed by law, to properly implement the rights of data subjects, to provide the Processor with all necessary information related to the processing of personal data.
The Processor commits himself and undertakes to ensure that his employees, other data processors and other service providers (if any) undertake to the extent applicable to the services provided by the Processor under the Contract:
(i) comply with all applicable data protection laws in the European Union, Lithuania, as well as all other legal acts applicable to Lithuania and the European Union (if data processing is carried out outside of Lithuania);
(ii) take appropriate technical and organizational measures to prevent the unauthorized and unlawful processing of the personal data, as well as the incidental loss, alteration, destruction or violation of personal data;
(iii) ensure the proper security of the premises where personal data is stored.
- The Processor remains responsible to the Controller for the compliance of third parties (if any) with due diligence and any negligence, as if these actions were carried out by the Processor himself. The Manager shall, as soon as he becomes aware, undertake to immediately notify the Controller of any breach or default of the DTS or the Agreement relating to the processing of the personal data.
- The Controller undertakes not to use or dispose of personal data for any purposes other than those provided for in the Agreement, and not to grant any rights in, sell, disclose, transmit, or otherwise use personal data without the prior written permission of the Controller.
- The Processor undertakes to provide the Controller with all information necessary to prove that the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data are executed, and to facilitate and assist the Controller or another auditor authorized by the Controller in carrying out audits and inspections. The Processor undertakes to comply with the other provisions of the above-mentioned Regulation.
Personal data is and will remain the property of the Controller. Unless otherwise provided by applicable law, the Processor will return, or at the discretion of the Controller, destroy (and in the event of destruction, within a reasonable time, to confirm that such destruction has taken place in accordance with the data protection requirements specified in this DTS) personal data:
(i) at the request of the Controller;
(ii) upon expiry of the Contract; or
(iii) when the personal data is no longer required for the Processor.
- The Party through whose fault the other Party suffers damage shall be liable to compensate the other Party for direct losses incurred by it. The Parties agree that neither of the Parties is liable for indirect losses. None of the Parties shall compensate non-material damage suffered by the other Party and / or third parties (customer's employees, employees, consultants, etc.), except in the cases provided for by law. The Parties agree that the Parties' obligations in this paragraph regarding liability and indemnity shall continue to be in force after the end of the Contract or this agreement.
4. Breaches of data protection and notifications
The Processor shall promptly, and in any case within twenty-four (24) hours from the date of the communication, provide the Controller with a written completeness letter ("Notice of breach") about:
(i) any loss of the personal data;
(ii) any unauthorized access to the personal data; or
(iii) any third-party notice of breach of law of the data Processor relating to the personal data.
5. Final provisions
- This Agreement applies as long as the Processor processes personal data, i.e. while the Contract is in force.
- The law of the Republic of Lithuania applies to this DTS.