01. DEFINITIONS
"Subsidiary" means an entity that controls, is controlled by or is under joint control with an entity, directly or indirectly.
"Authorized Subsidiary" means any of the Customer's Subsidiary (Subsidiaries), which is permitted to or otherwise be the recipient of the Services under the Agreement.
"Control" means the right of ownership, voting or other similar rights, representing fifty per cent (50%) or more of the total outstanding debts of that entity. The term "Controlled" will be interpreted accordingly.
"Controller" means an entity that determines the purposes and means of processing Personal Data.
"Customer Data" means any data that ISTRATE SIBTRUCK and / or its Subsidiaries process on Customer's behalf in the course of providing the Services in accordance with the Agreement.
"Data Protection Laws" means all laws and regulations on the protection and confidentiality of data applicable to the processing of Personal Data in accordance with the Agreement, including, where applicable, the EU Data Protection Act.
"EU Data Protection Law" means (i) before May 25, 2018, European Parliament and Council Directive 95/46 / EC on the protection of individuals with regard to the processing of personal data and the free movement of such data ("the Directive") and from May 25, 2018, Regulation 2016/679 of the European Parliament and the Council on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of such Data (General Data Protection Regulation) (GDPR '); and (ii) Directive 2002/58 / EC on Personal Data and Privacy Protection in the electronic communications sector and its applicable national implementations (in each case the provisions may be amended or replaced).
"Personal Data" means any Customer Data related to an identified or identifiable individual, to the extent that such information is protected as personal data in accordance with the applicable Data Protection Act.
"Privacy Protection" eans the EU-US and Swiss-US Privacy Frames, as applied by the US Department of Commerce.
"Privacy Principles" means the Principles of the Privacy Protection Framework (as supplemented by Additional Principles) contained in Annex II of the European Commission Decision of July 12, 2016, in accordance with the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
"Processor" means an entity that processes personal data on behalf of the Controller.
"Processing" has the meaning given to it in GDPR, and "processing", "processing" and "processed" will be interpreted accordingly.
"Security incident" means any unauthorized or unlawful security breach, resulting in the destruction, loss, alteration, accidental or unlawful disclosure of unauthorized disclosure or access to Personal Data.
"Services" means any product or service provided by Istrate Sibtruck to Customer in accordance with and based on more detailed descriptions of the Agreement.
"Sub-processor" means any Processor employed by Istrate Sibtruck or its Subsidiaries to assist in the performance of its obligations regarding the provision of the Services in accordance with the Agreement or this DPA. Sub-processors may include third parties or any other Istrate Sibtruck Branch.
02. SCOPE AND APPLICABILITY OF THIS DPA
2.1 This DPA applies only to and insofar as Istrate Sibtruck processes Personal Data on behalf of the Customer during the provision of the Services and such Personal Data are subject to the Data Protection laws of the European Union, the European Economic Area and / or their Member States, Switzerland and / or the United Kingdom. The Parties agree to abide by the terms and conditions of this DPA in relation to such Personal Data.
2.2 Role of Parties. From Istrate Sibtruck and Customer, Customer is the Personal Data Controller, and Istrate Sibtruck will only process Personal Data as a Processor on behalf of the Client. Nothing in the Agreement or this DPA will prevent Istra Sibtruck from using or distributing any data that Istrate Sibtruck will otherwise collect and process independently of Customer's use of the Services.
2.3 Obligations of the Client. The Customer agrees to (i) comply with its Controler's obligations under the Data Protection Laws, respecting the processing of Personal Data and all processing instructions that it issues to Istrate Sibtruck; and (ii) agrees to inform and obtain (or obtain) all approvals and rights required under the Data Protection Law for Istra Sibtruck to process Personal Data and provide the Services under the Agreement and this DPA .
2.4 Data Processing by Istrate Sibtruck. In the capacity of Processor, Istrate Sibtruck will only process Personal Data for the following purposes: (i) processing for the purpose of providing the Services in accordance with the Agreement; (ii) processing for the purpose of performing any steps necessary for the implementation of the Agreement; and (iii) to comply with any other reasonable instructions provided by Customer insofar as they comply with the terms of this Agreement and only in accordance with the Customer's legal and documented instructions. The Parties agree that this DPA and the Agreement establish the Client's complete and final instructions to Istrate Sibtruck in relation to the processing of Personal Data.
2.5 Type of Data. Istrate Sibtruck manages Customer Data provided by Customer. Such Client Data may contain special categories of data, depending on how Customer uses the Services. Client data may be subject to the following processing activities: (i) storage and other types of processing required to provide, preserve and improve the Services provided to the Customer; (ii) providing technical support and assistance to the Client; and (iii) disclosure, in accordance with the legal requirements or other provisions set forth in the Agreement.
2.6 Istrate Sibtruck Data. Without prejudice to the provisions of the Agreement (including this DPA), Customer acknowledges that Istra Sibtruck will have the right to use and disclose data related to and / or obtained in connection with the operation, support and / or use of the Services for its commercial purposes such as billing, account management, technical support, product development, and sales or promotion. To the extent that any such data is considered to be personal data under the Data Protection Laws, Istrate Sibtruck is the Controller of such data and will process such data accordingly, respecting the Data Protection Laws.
03. SUB-PROCESSING
3.1 Authorized subprocessors. Customer agrees that Istrate Sibtruck may engage Sub-processors for the processing of Personal Data on behalf of the Customer. The Istrate Sibtruck sub-processors, in the case of hiring, will be announced, subsequently accepted / rejected by the Clients.
3.2 Obligations of Sub-processors. Istrate Sibtruck: (i) Sign a written agreement with the Sub-processors, imposing data protection terms requiring Sub-processors to protect Personal Data to the standard required by Data Protection Laws; and (ii) retain responsibility for complying with the obligations of this DPA and any act or omission of the Sub-processor that causes Istrate Sibtruck to breach any of its obligations, in accordance with the DPA.
3.3 Changes to Sub-Processors. Istrate Sibtruck will inform Customers sufficiently in advance (emailing should be sufficient) if it adds or deletes Sub-processors.
3.4 Objections on Sub-processors. Customer may object in writing to the appointment of a new Sub-processor by Istrate Sibtruck, based on reasonable data protection reasons, promptly informing Istrate Sibtruck in writing within five (5) calendar days of receipt of the notification from the Istrate Sibtruck side, in accordance with Section 3.3. Such information will explain the reasonable grounds for the objection. In such a situation, the parties will discuss these concerns in good faith in order to reach a reasonable commercial solution. If this is not possible, either party may terminate the request to terminate the provision of applicable Services that can not be provided by Istrate Sibtruck without the involvement of the new Subprocessor that has been challenged.
04. SECURITY
4.1 Safety measures. Istrate Sibtruck will implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents and to maintain the security and confidentiality of Personal Data in accordance with Istrate Sibtruck's security standards.
4.2 Confidentiality of processing. Istrate Sibtruck will ensure that any person authorized by Istrate Sibtruck to process Personal Data (including his employees, agents or subcontractors) will have to comply with the appropriate confidentiality obligation (be it a contractual or statutory obligation).
4.3 Response to a security incident. Upon becoming aware of a Security Incident, Istrate Sibtruck will inform the Client without undue delay and provide him with timely information about the Security Incident as soon as it is brought to his attention To the Customer or to its reasonable requirements.
4.4 Updates to Security Measures. Customer acknowledges that Security Measures are subject to technical progress and development and that Istra Sibtruck may modify or update Security Means from time to time, provided that such updates or changes do not lead to the degradation of the overall security of the Services purchased by the Customer.
05. SECURITY REPORTS AND AUDIT
5.1 Istrate Sibtruck will keep records of its security standards. Upon the Client's written request, Istrate Sibtruck will provide (confidentially) copies of relevant ISMS external certifications, summaries of audit reports and / or other documents reasonably requested by Customer to verify Istrate Sibtruck's compliance with this DPA. Istrate Sibtruck will continue to provide written responses (confidentially) to all reasonable requests for information made by Customer, including responses to information security questionnaires and audits, which the Customer (reasonably) deems necessary to confirm that Istrate Sibtruck respects this DPA, provided Customer does not exercise this right more than once a year.
06. INTERNATIONAL TRANSFERS
6.1 Processing locations. Istrate Sibtruck stores and processes EU data (defined below) in data centers located within and outside the European Union. All other Client Data may be transferred and processed in Romania and anywhere in the world where Customer, its Subsidiaries and / or its Sub-processors retain their data processing operations. Istrate Sibtruck will implement appropriate safeguards to protect your personal data wherever this data is processed in accordance with the Data Protection Law requirements.
6.2 Transfer mechanism: Without prejudice to Section 6.1, to the extent that Istrate Sibtruck processes or transfers (directly or through a subsequent transfer) Personal data under this DPA from the European Union, the European Economic Area and / or their Member States Member States and Switzerland ("EU Data") to or to countries that do not provide an adequate level of data protection within the meaning of the applicable Data Protection Laws of the above territories, the Parties agree that Istrate Sibtruck should be held responsible for ensuring that appropriate protection for such data by virtue of its compliance certification with Privacy Policy, and Istrate Sibtruck will process these data in accordance with the Privacy Principles. The Client hereby authorizes.
07. RETURNING OR DELETING DATA
7.1 At the time of deactivation of the Services, all Personal Data will be deleted, unless Istra Sibtruck will be required, in accordance with the applicable law, to retain some or all of the Personal Data or Personal Data that you have, has archived on back-up systems that Istrate Sibtruck will safely isolate and protect them from any further processing unless the law asks him to do the opposite.
08. COOPERATION
8.1 To the extent that the Customer can not access the relevant Personal Data in the Services, Istrate Sibtruck will consider (at Client's expense) the type of processing, provide reasonable co-operation to assist the Customer with technical and appropriate organizational arrangements to the extent possible to respond to any requests from persons or data protection enforcement authorities in connection with the processing of Personal Data under the Agreement. If any such request is made directly to Istrate Sibtruck, Istrate Sibtruck will not respond directly to such communication without prior authorization from the Customer unless it is legally obliged to do so.
8.2 As far as Istrate Sibtruck is required to do so, under the Data Protection Law, Istrate Sibtruck will provide (at Customer's expense) the reasonable information requested regarding the processing by Istrate Sibtruck of Personal Data, based on the Agreement, in order to enable the Customer to carry out personal data protection impact assessments or prior consultations with data protection authorities, as required by law.
09. Miscellaneous
9.1 Except as modified by this DPA, the Agreement remains unchanged and fully effective. If there is any conflict between this DPA and the Agreement, this DPA will prevail within that conflict.
9.2 This DPA is part of and is incorporated into the Agreement so that the references to "Agreement" in the Agreement will include this DPA.
9.3 In no event shall either party limit its own liability to any of the rights of data protection persons under this DPA or otherwise.
9.4 This DPA will be governed and construed in accordance with the applicable law and applicable jurisdiction of the Agreement, unless otherwise required by the Data Protection Laws.
