PERSONAL DATA PROCESSING AGREEMENT
ACCORDING TO REGULATION (EU) 2016/679
The present Agreement was entered by and between:
1. Didis Ltd., идис ООД, head office: the town of Shumen, 6 Trakia East Street, represented by Deyan Radev – Manager (hereinafter for short referred to as the “Assignor”), on one side,
and on the other side
2. ……………………………….............….. (hereinafter for short referred to as the “Contractor”)
The Assignor and the Contractor are jointly referred to as the “Parties”, and individually each of them – “Party”.
The present Agreement, according to Regulation (EU) 2016/679 on the protection of the personal data, hereinafter for short referred to as the Regulation, is in relation to the obligation of the Assignor and the Contractor to execute a written agreement, regulating the Parties’ rights, obligations and liabilities in relation to the personal data, which the Contractor shall process on behalf of the Assignor.
Article 1. Within the meaning of the Regulation, the Assignor is Personal Data Controller (the person (entity), which sets the goals for and the manner of processing the personal data), the Contractor is Personal Data Processor (the person (entity), which processes personal data on behalf of and as per instructions of an Administrator), and the natural persons, whose data is processed, are called Data Subjects.
Article 2. (1) The Contractor shall process the following personal data, presented by the Assignor, respectively the categories Data Subjects and the goals for the processing thereof:
1. Of employees, contact persons, clients, suppliers and interested parties of the Assignor, at any and all activities, related to the business relations between the Contractor and the Assignor;
(2) The type of the personal data, processed by the Contractor on behalf and in the name of the Assignor, are:
1. For employees, contact persons, clients, suppliers and interested parties:
a) full name;
b) contact telephone;
c) mailing address;
d) e-mail;
e) other contact and communication data, as well as data in contracts, orders, plannings, claims,
which the Contractor shall receive from the Assignor.
(3) the impact level at violation of the security of the processed personal data n behalf of the Assignor, in relation to the risks with various probability and weight for the right and freedoms of the Data Subjects, in case of breach of the security of the processed personal data thereof is low.
Article 3. (1) The Assignor shall assign and instruct the Contractor to process the provided thereto personal data only for the purpose of making the data in conformity with the agreement for sale of goods, purchased at the Assignor’s site.
(2) The third parties’ information, related to the processing of the personal data under paragraph 1, the Contractor shall disclose and provide to:
1. State and municipal bodies and/or institution in relation to legal obligations thereto and/or related to legal requests on their behalf for information regarding Assignor’s clients, which contain personal data.
(3) The Assignor shall always ensure that the persons, acting under its control, who process personal data on behalf of the Assignor, do so in accordance with the provisions of paragraphs 1 and 2.
Article 4. The Contractor wants and represents to the Assignor, that the Contractor has undertaken and applies the required organizational and technical measures in relation to the impact level, determined in article 2, paragraph 3 of the present agreement, as a result of which the processing of personal data, which the Assignor has provided to the Contractor for processing, is performed in accordance with the Regulation’s requirements and provides protection of the Data Subjects’ rights.
Article 5. (1) The Contractor shall notify the Assignor when, at the processing of the personal data on behalf of the Assignor, the Contractor intends to use Subcontractor(s), thus enabling the Assignor to approve such Subcontractor(s).
(2) The Contractor, in its contractual relations with its Subcontractors under paragraph 1, shall require sufficient guarantees for implementation of adequate organizational and technical measures, as a result of which the processing of personal data in that part is performed in accordance with the Regulation’s requirements and provides protection of the Data Subjects’ rights.
(3) When Contractor’s subcontractor (another personal data processor) under paragraph 1 fails to perform an obligation thereof for personal data protection, the Contractor shall bear full and complete property liability before and to the Assignor for the performance of the obligations of its subcontractor, which have resulted in sanctions and damages for the Assignor.
Article 6. Taking into account the achievements of the technical progress, the costs of the application thereof and the nature, scope, context and goals of the processing, as well as the risks with different probability and weight for the natural persons’ rights and freedoms, the Contractor, when processing personal data on behalf of the Assignor, shall always apply and implement adequate technical and organizational measures for ensuring the conforming to those risks security level.
Article 7. The Contractor shall prepare responses for any and all requests, addressed to the Assignor on behalf of Data Subjects, in relation to exercising their rights under the Regulation, in the cases when the Contractor is responsible for this part of the processing of personal data on behalf of the Assignor.
Article 8. The Contractor shall notify the Assignor for any and each breach of the security of the processed personal data on behalf of the Assignor. The notification shall be made with no undue delay, after becoming aware of the breach of the personal data’s security. The notification shall contain at least the following:
1. description of the nature of the breach of the personal data’s security, including, if possible, the categories and the approximate number of the affected data subjects and the categories and approximate quantity of the affected records of personal data;
2. stating the name and contact details of the official, responsible for the personal data protection, or another contact person, from which further information could be received;
3. description of the eventual consequences of the breach of the personal data’s security;
4. description of the undertaken or proposed by the Contractor measures for remedying the breach of the personal data’s security, including expedient measures for mitigation of the eventual negative consequences.
Article 9. The term for processing of the personal data under the present Agreement shall be in effect until the Agreement’s termination.
Article 10. At termination of the Agreement, the Contractor shall hand over to the Assignor any and all registers with personal data, including digital and physical, which the Contractor has processed during the Agreement’s term.
Article 11. (1) The Contractor shall, at any time, provide access to the Assignor to all of the information, required for evidencing that the Contractor has performed the obligation in relation to the processing of the personal data on behalf of the Assignor in accordance with the Regulation’s provisions.
(2) The Contractor shall ensure and provide assistance for the performance of inspections and audits on behalf of the Assignor or by an auditor, appointed by the Assignor, for ascertaining that the Contractor performs the obligations in relation to the processing of the personal data on behalf of the Assignor in accordance with the Regulation’s provisions.
Article 12. The Contractor shall bear full property responsibility before and to the Assignor for any breach of the security of the processed on behalf of the Assignor personal data, which is due to a fault of the Contractor or its Subcontractor, for which the Assignor has suffered sanctions and/or damages.
Article 13. The present Agreement enters in effect from the signing thereof by the Parties and it is not limited in time.
Article 14. The present Agreement shall be terminated:
(1) At mutual consent of the Parties, expressed in written form;
(2) With sending of one month advance notice by the Party, wishing to terminate the agreement, to the other Party.
Article 15. Any and all supplements and amendments to the present Agreement shall be made through an Annex thereto, signed by both Parties.
Article 16. The provisions and regulations of the civil legislation of the Republic of Bulgaria shall be applicable to any and all matters, not settled herein.
Article 17. The present Agreement was drawn up and signed in two uniform copies – one for each of the Parties.
FOR THE ASSIGNOR: FOR THE CONTRACTOR:
________________________ ________________________
All information can be downloaded here