General Data Protection Regulation
FIRST.- Sinnaps: Objective
By means of the present clauses, Sinnaps is enabled, by the data processor, to process the personal data necessary to provide the cloud-based project management service.
SECOND.- Identifying the data affected
Implementation of the provisions arising from meeting the objective of this role, the USER makes all necessary information available to Sinnaps for service provision. Hence:
- Access is granted to the databases necessary to provide the service, sharing all information deemed opportune to manage the project on Sinnaps’s servers.
The present agreement will be in effect while the USER maintains the contractual relationship with Sinnaps detailed in the contract statement. Once the present contract concludes, Sinnaps will eliminate any copies of the data in their possession, notwithstanding the data blocking necessary to respond to the liabilities arising from the processing work.
FOURTH.- Sinnaps: Obligations
The SUPPIER and all their personnel are obliged to:
- Only use the personal data involved in the processing, or those collected for inclusion, for the purposes of this work. At no time may the data be used for their own purposes.
- Process the data in accordance with instructions from the USER.
If Sinnaps feels that any of the instructions infringe the RGPD or any other provision in the matter of data protection in the European Union or any of its Member States, the controller will immediately inform the processor.
- Keep a written record of all the categories of processing activities undertaken by the processor, which shall contain:
- The name and contact details of the processor(s) and each controller who activates the work and, where necessary, a representative of the controller or processor and the data protection delegate.
- The categories of processing undertaken by each processor.
- Where applicable, the transfer of personal data to a third-party country or international organisation (including the details of said country or international organisation) and, for transfers detailed in RGPD article 49 section 1 paragraph two, suitable warranty documents.
- A general description of the technical and organisational security measures for:
- a) The pseudonymization and encrypting of personal data.
- b) The capacity to ensure permanent confidentiality, integrity, availability, and resilience of the processing systems and services.
- c) The ability to restore availability and access to personal data rapidly should a physical or technical incident occur.
- d) The process of verifying, assessing and evaluating the effectiveness of the technical and organisational measures to ensure processing security.
- Not informing third parties of the data, except those who have express authorisation from the USER, under the legally permissible cases.
The processor may inform other data processors who are working under the same controller, in accordance with instructions from this party. In this circumstance, the controller shall, in advance and in writing, identify the organisation to which the data must be sent, which data are to be sent and the security measures to apply before the data are sent.
If the processor needs to transfer personal data to a third-party country or an international organisation, pursuant to any European or Member State Law that may be applicable, they shall first inform the controller of this legal requirement, unless said Law forbids this for reasons of substantial public interest.
Do not subcontract any of the provisions that comprise the objective of this contract which entail processing personal data, save those auxiliary services necessary for normal working operations pursued by the processor.
Should it prove necessary to subcontract any processing, the controller must be informed in writing some 30 days prior to the fact. This must detail the processing to be subcontracted and clearly and unequivocally identify the subcontractor and their contact information. Should the controller not oppose the situation within the established timeframe, the subcontracting may proceed.
The subcontractor shall also have the status of Sinnaps and, as such, is obliged to meet the obligations established in this document for a Sinnaps and the instructions given by the controller. The initial processor is responsible for regulating the new relationship, so the new processor is bound under the same conditions (instructions, obligations, security measures, etc.) and has the same formal requirements in terms of the suitable treatment of personal data and guaranteeing the rights of the persons affected. Should there be non-compliance on the part of the new processor, then the initial processor will be fully accountable to the controller in the matter of meeting obligations.
- Maintain the duty of secrecy for the personal data to which they have had access under the present assignment, even after the objective has been met.
- Ensure in writing that the people authorised to process personal data are expressly committed to respecting confidentiality and fulfilling the corresponding security measures (about which they must be duly informed).
- Make all documents supporting compliance with the objective established in the preceding section available to the controller.
- Guarantee all necessary training in personal data protection for those people authorised to process personal data.
- Help the USER when responding to the exercising of the rights to:
- Access, rectification, suppression and opposition.
- Processing limitations.
- Data portability.
- Unless subject to customised automated decisions (including profile creation).
When the people affected exercise their rights to access, rectification, suppression and opposition, limit processing, data portability and not be subject to customised automated decisions before Sinnaps, this party must inform the USER of such by electronic mail. This communication needs to be immediate and at no time be delayed beyond the working day after receiving the request, together (where applicable) with other information that may prove relevant to decide on the request.
- Right to information
The controller is the person who must provide the right to information when gathering data.
- Notification of data security breaches
Sinnaps will inform the USER with all due haste (or a maximum of 48 hours) by electronic mail of any breaches of personal data security regarding any data under their control of which they are aware, together with all the relevant information for documenting and reporting the incident.
Such notification shall not be necessary should it prove unlikely that said breach of security constitutes a risk to the rights and freedoms of any physical persons.
If available, the following basic information should be provided:
- a) Description of the nature of the data security breach, including (where possible) the categories and approximate number of interested parties affected, and the categories and approximate number of personal data records affected.
- b) The name and contact details of the data protection delegate or other contact person from whom more information may be obtained.
- c) Description of the possible consequences of the breach of personal data security.
- d) Description of the measures taken or proposed to remedy this breach of personal data security, including (where applicable) the measures adopted to mitigate any possible negative effects.
If this information cannot be supplied at the same time, then it shall be sent gradually as it becomes available without delay.
The USER must report the data security breaches as quickly as possible to the interested parties when it is likely these breaches may pose a high risk to the rights and freedoms of physical persons.
Communication must be clear and simple and must at least:
- a) Explain the nature of the data breach.
- b) Give the name and contact details of the data protection delegate or other contact person from whom more information may be obtained.
- c) Describe the possible consequences of the breach of personal data security.
- d) Describe the measures taken or proposed by the USER to remedy this breach of personal data security, including (where applicable) the measures adopted to mitigate any possible negative effects.
- Provide support to the USER in the task of evaluating the relative impact on data protection, where necessary.
- Provide support to the USER to undertake the prior consultations with the control authority, where necessary.
- Make all necessary information available to the controller to show this party has met their obligations, as well as for the audits or inspections to be pursued by the controller or auditor authorised by the controller.
Implement the following security measures:
- Used of encrypted passwords
- The use of passwords with a minimum of 8 characters, including at least one capital letter, one lower case letter and a number.
- Website access through personal encrypted SSL
- The servers and hosting service use all the current standards to ensure data security.
- The web service is filtered through a global DNS
- The web service has DDoS protection
- All Sinnaps workers must sign confidentiality and data protection agreements.
- The offices are under lock and key within installations with an alarm system.
In any case, mechanisms should be implemented to:
- a) Ensure permanent confidentiality, integrity, availability, and resilience of the processing systems and services.
- b) Restore availability and access to personal data rapidly should a physical or technical incident occur.
- c) Regularly verify, assess and evaluate the effectiveness of the technical and organisational measures implemented to ensure processing security.
- d) Pseudonymize and encrypt personal data, where appropriate.
- Appoint a data protection delegate and inform the controller of their identity and contact details.
- Use of the data.
Destroy the data once the service provision has been met. Once destroyed, the processor must certify said action in writing and deliver this certificate to the USER.
This notwithstanding, the processor may retain a copy – with the data suitably blocked – while liabilities remain arising from undertaking said provision.
FIFTH.- USER: Obligations
The USER must:
- a) Provide the processor with the data detailed in clause 2 of this document.
- b) Undertake an assessment of the impact on personal data protection of the processing operations the data processor will perform.
- c) Undertake all necessary prior consultation.
- d) Ensure both before and during processing that the data processor complies with the RGPD.
- e) Oversee the processing, including performing inspections and audits.
SIXTH: In general
This Contract contains the full agreement between the parties on the singular subject and substitutes and replaces any pre-existing verbal or written agreement between the parties.
Hence, should there be any discrepancy between the conditions stipulated in the present agreement and those in any other pre-existing contract between the parties, the stipulations of the present document will prevail.
Any modification of the content of this contract shall only come into effect if it is in writing and agreed upon by both parties.
In witness whereof, the two parties sign two original copies of the present document, in the place and on the date indicated in the header.