Data Processing Agreement
This Data Processing Agreement (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Services Agreement (“Main Agreement”) between [PANDECTES OÜ] and the customer entity that is a party to the Main Agreement.
The present DPA forms an Annex of the Main Agreement and constitutes an integral part of it. In case of conflict, the terms of the DPA supersede those of the Main Agreement in respect of data protection matters.
By signing this Data Processing Agreement (hereinafter “DPA”), the Client (“Client” or “Controller”) entrusts our Company (“Processor” or “Company”) with the Processing of the Personal Data relating to the Main Agreement, under the following terms & conditions:
II. Terms & Conditions
The terms used herein, including those for which no definition is given, shall have the meaning given to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data (General Data Protection Regulation – “GDPR”).
1.1. Data Subject: any identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Herein, Personal Data means all Client’s Data/Personal Data belonging to the Client, which is from time to time Processed (as defined below) under the Main Agreement and this DPA by the Processor and/or on Processor’s behalf, including but not limited to all electronic data or information submitted by the Client and any Personal Data provided by or on behalf of the Client.
1.3. Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.4. Applicable Law: The GDPR and any piece of European legislation (Treaty, Constitution, Regulation, Directive, Law, etc.) regulating the protection of Personal Data or privacy and under which Personal Data falls. All applicable legislation and provisions on the protection of Personal Data, including inter alia the GDPR, any national legislation that supplements the GDPR and decisions and guidance issued by the competent National Data Protection Authority and the Article 29 Working Party/European Data Protection Board.
1.5. Controller: The first party, who controls the purposes and means of Processing of Personal Data.
1.6. Processor: The second party, who processes Personal Data on behalf of the Controller.
1.7. Sub-processor: The natural or legal person recruited by the Processor in order to perform Processing activities on behalf of the Controller.
1.8. Transfer: to disclose or otherwise make Personal Data available to a Third party (including to any affiliate or Sub-Processor), either by physical movement of the Personal Data to such Third party or by enabling access to the Personal Data by other means.
1.9. Recipient: Any natural or legal person, public authority, agency or another body, to which personal data are disclosed.
1.10. Third party: Any natural or legal person, public authority, agency or body other than the Data Subject, Controller, and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.
1.11. Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.12. SCCs: (i) the standard contractual clauses between controllers and processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021, or (ii) the standard contractual clauses between processors adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021.
1.13. Security Incident: any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Personal Data on systems managed or otherwise controlled by Processor.
1.14. Sub-processor: any processor engaged by Processor to assist in fulfilling its obligations with respect to providing the Service pursuant to the Main Agreement or this DPA. Sub-processors may include third parties or Affiliates of Processor.
2.1. The Client acts as Controller according to the GDPR, since it is the one that solely takes decisions regarding all the essential parameters of the Processing (e.g., purposes, methods and means of Processing, duration, transfer).
2.2. The Company acts as Processor according to the GDPR, since it processes the Personal Data on behalf of the Controller and in accordance with the Controller’s documented instructions.
2.3. The Processor processes the Personal Data only on behalf of and in accordance with the Main Agreement, the present DPA and the documented instructions of the Controller.
2.4. The performance of the Services requires the Controller to share certain categories of Personal Data with the Processor and further requires the Processor to process such Personal Data.
3.1. The purpose of the Processing by the Processor is limited by the Main Agreement, which means that the Processor shall process the Personal Data only for the provision of the Services in accordance with the Main Agreement. The lawful basis for the Processing is the performance of the Main Agreement.
3.2. The Processing of the Personal Data by the Processor consists of limited data processing activities such as limited storage, collection, recording, organisation, structuring, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the Personal Data that is needed for the provision of Services under the Main Agreement.
3.3. The categories of the affected Data Subjects, whose Personal Data may be processed by the Processor, are any present or potential client that may deal with or relate to the Controller and any present or potential user (including guests) of any website belonging to the Controller.
3.4. The categories of the Personal Data which may be processed by the Processor include any ordinary/simple Personal Data that may be collected and maintained by the Client relating to the use of the Client’s website, such as website users’ or guests’ identification details (e.g., IP address, login details, browser details, time zone and location, operating system and its version, device details), web usage details (e.g., navigation/application usage details, cookies consent, consent type), and data resulting from interaction with customers made by or on behalf of the Client. Controller shall not provide or cause to be provided any Sensitive Data to Processor and Processor has no liability whatsoever for Sensitive Data. Controller shall keep Processor harmless in case of any liability (e.g., Security Incident) in relation to Sensitive Data.
3.5. The Processing of Personal Data lasts as long as the Main Agreement.
4. Parties’ Warranties
4.1. Client represents and warrants that:
(i) it complies with Applicable Law in respect of collecting and processing Personal Data of Data Subjects,
(ii) it has provided all required information to Data Subjects regarding the Processing of Personal Data by the Processor according to the DPA and has obtained any required relevant consent under Data Protection Laws for Company to process Customer Data for the purposes described in the Main Agreement,
(iii) any instruction addressed to the Processor by the Controller regarding the Processing complies with the Applicable Law,
(iv) in case any instruction addressed to the Processor by the Controller regarding the Processing infringes Applicable Law, the Controller shall immediately inform the Processor about such infringement, providing any needed clarification upon the Processor’s request,
(v) it has sole responsibility and liability for the accuracy, quality, and legality of Personal Data.
4.2. Processor represents and warrants that:
(i) it complies with the Applicable Law,
(ii) it processes the Personal Data in accordance with the Applicable Law, under the terms of the Main Agreement, the DPA and the Controller’s written instructions,
(iii) taking into consideration the state of the art, the cost of implementation, the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- Measures of pseudonymization and encryption of the Personal Data.
- Measures for ensuring the ongoing confidentiality, integrity, availability and resilience of Processing systems and services.
- Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing.
- Measures for user identification and authorization.
- Measures for the protection of data during transmission.
- Measures for the protection of data during storage (including physical storage).
- Measures for ensuring physical security of locations at which Personal Data are processed.
- Measures for ensuring events logging.
- Measures for ensuring system configuration, including default configuration.
- Measures for internal IT and IT security governance and management.
- Measures for certification/assurance of processes and products.
- Measures for ensuring data minimization.
- Measures for ensuring data quality.
- Measures for ensuring limited data retention.
- Measures for ensuring accountability.
- Measures for allowing data portability and ensuring erasure.
(iv) The Processor shall, going forward, always carry out the necessary software and hardware upgrades, as well as the needed modifications of the technical and organizational measures, in order to ensure the ongoing and continuous security of the Processing.
5. Parties’ Obligations
5.1. Processor shall deal promptly and adequately with inquiries from the Controller about the Processing of Personal Data in accordance with the DPA.
5.2. Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in the DPA and stem directly from the Applicable Law.
5.3. At the Controller’s prior written request, the Processor shall also permit and contribute to audits of the Processing, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.
5.4. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the facilities of the Processor and shall, where appropriate, be carried out with reasonable written notice to the Processor 10 working days before the audit.
5.5. The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request, if required by the Applicable Law.
5.6. All Customer’s written requests shall be sent to Processor’s email address [firstname.lastname@example.org], provided that Customer shall not exercise this right more than once per calendar year.
6. Use of Sub-Processors
6.1. The Processor has the Controller’s general authorisation for the engagement of sub-processors from the Sub-Processors’ list uploaded on the Processor’s website. The Processor shall keep the uploaded list of the Sub-Processors updated in case of addition or replacement of the Sub-Processors. If the Controller has any objection to the changes in the list, they must express it in writing to the Processor and the Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
6.2. Where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, similar data protection obligations as the ones imposed on the Processor in accordance with the DPA. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to the DPA and Applicable Law.
6.3. At the Controller’s written request, the Processor shall provide a copy of such a Sub-Processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing the copy.
7. International transfers
7.1. Any transfer of data to a third country or an international organisation by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Applicable Law to which the Processor is subject, and shall take place in compliance with Applicable Law.
7.2. The Controller agrees that where the Processor engages an authorized Sub-Processor in accordance with Clause 6 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of Personal Data according to Applicable Law, such transfer is also deemed as authorized by the Controller and the Processor and Sub-Processor can ensure compliance with Applicable Law by using SCCs.
7.3. Client acknowledges that Company may transfer and process Customer Data to and in the United States and anywhere else in the world where Company (and its affiliates or its Sub-Processors) maintains Data Processing Operations. Company shall at all times ensure that such transfers are made in compliance with the Applicable Law and this DPA.
8. Assistance to the Controller
8.1. The Processor shall promptly inform the Controller if, in its reasoned opinion, an instruction of the Controller does not comply with the Applicable Law, as well as regarding the content of any communication it has with any Supervisory Authority in connection with the Processing hereunder.
8.2. The Processor shall promptly inform the Controller if the Processor directly receives a request, correspondence, enquiry, or complaint from Data Subjects in relation to the Personal Data or the Processing. The Processor shall not act upon such request, correspondence, enquiry or complaint made directly to the Processor without the prior written instructions of the Controller.
8.3. The Processor shall provide to Controller all reasonable assistance by appropriate technical and organizational measures to enable the Controller to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Law (i.e. right of access, rectification, erasure, restriction of Processing, objection, portability), and (ii) any other correspondence, enquiry or complaint received from a Data Subject, Supervisory Authority or other Third Party in connection with the processing of the personal data hereunder.
9. Personal Data Breach
9.1. The Processor shall notify and inform the Controller as soon as possible when a Personal Data Breach affecting the Personal Data of the Controller comes to its attention, providing the Controller with sufficient information to enable the Controller to comply with the requirements for the disclosure of Personal Data Breaches to the Supervisory Authority and/or Data Subjects, as defined in the Applicable Law and Articles 33 and 34 of the GDPR.
Such notification shall contain, at least:
- a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
- the details of a contact point where more information concerning the personal data breach can be obtained;
- its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
9.2. The Processor shall cooperate with the Controller and respond to the Controller’s request promptly in order to assist in investigating, limiting and dealing with any Personal Data Breach.
9.3. The Processor shall inform the Controller in writing if a Data Subject initiates judicial proceedings against the Processor or if any person files a claim of any kind against the Processor relating to the Processing under the Principal Agreement.
9.4. The Processor shall not acknowledge and/or accept and/or agree and/or proceed to any settlement with any Data Subject without the prior written consent of the Controller.
10.1. Each Party, during the fulfillment of the obligations arising from the DPA and the Applicable Law, shall be liable for any damage caused to the other Party.
10.2. The Processor is and shall be liable towards Controller for all infringements/breaches of the Applicable Law by any third-party Sub-Processor engaged by the Processor and for any act, error, or omission of such Sub-Processor.
10.3. Any claims made against Company under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Client entity that is a party to the Main Agreement.
10.4. If the Controller breaches its obligations under DPA or Applicable Law, the Controller shall keep the Processor harmless and shall pay any compensation that the latter paid to any Data Subject as a result of that breach and fully compensate the Processor for any damage (actual damage and/or loss of profits) suffered directly and/or indirectly by the Processor due to Controller’s fault (including slight negligence).
11. Duration and Termination
11.1. The DPA is effective from the date of the signature of the Main Agreement and shall apply until the termination or expiration of the Main Agreement. Neither Party has the right to terminate the DPA separately from the Main Agreement.
11.2. Upon the expiration or the termination of the Main Agreement, the Controller has the right to request from the Processor to return or erase all the Personal Data and any copies of them, unless otherwise stipulated by the applicable law. The Processor is obliged, at the choice of the Controller and in accordance with the instructions given, either (a) to return all the Personal Data to the Controller, or (b) to delete all the Personal Data, providing in any case within 20 days a written certification to the Controller that the Processor and any of its Sub-processors no longer keep copies of the Personal Data, unless a provision of national or European law requires further storage of the Personal Data.
12. General Terms
12.1. Confidentiality: Each Party must keep this DPA and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law, or (b) the relevant information is already in the public domain, provided that such publication does not breach this confidentiality clause, the DPA or the Main Agreement.
12.2. Notices: All notices and communications given under this DPA must be in writing and will be delivered personally or sent by email to the address or email address set out in the heading of this DPA, or to such other address as notified from time to time by a Party changing its address.
12.3. Governing Law and Jurisdiction: This Agreement is governed by the laws of Greece. Any dispute arising in connection with this DPA which the Parties are unable to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Athens, Greece.
12.4. The Parties may modify this DPA from time to time by agreement in writing signed by both Parties.
12.5. If any provision of the DPA is held unenforceable by a court or any competent authority or if a provision of the Agreement becomes ineffective because of changes in applicable laws or in their interpretations, the validity of the other provisions of this DPA shall not be affected thereby. The parties shall then negotiate in good faith appropriate modifications to the DPA to reflect the changes required by law.
Company Details (Processor)
Client Details (Controller)