This Data Processing Agreement is an integral part of the Terms of Service and together with them forms the Service Provision Agreement (hereinafter: the “Agreement”) between the company SETCOR d.o.o., with registered seat at Čabdin 73, 10450 Jastrebarsko, PIN (OIB): 69149293370 (“MyDataKnox”) and the other contracting party (the “User”) in the context of hosting the User’s website, storing User data and other online services provided by MyDataKnox (“Services”).
Definitions of terms used in the content of this Agreement:
- Setcor, Company, MyDataKnox: SETCOR d.o.o.;
- User, Client: Private or legal entity that uses or orders the Services of the Company;
- Service: The Service offered by MyDataKnox to existing and new Users;
- GDPR: General Data Protection Regulation (EU 2016/679) and the General Data Protection Implementation Act (NN 42/2018).
- Controller: a natural or legal person, public authority, agency or other body that determines the purposes and means of processing personal data, alone or jointly with others. In accordance with the GDPR, the User has the status of the Controller;
- Processor: an entity that processes personal data on behalf of the Controller. In accordance with the GDPR, MyDataKnox has the status of the Processor;
- Sub-processor: any data processor whose services MyDataKnox uses to provide services to the User. In cases where the User is also the Processor, MyDataKnox becomes the Sub-processor;
- Personal Data: all data relating to an individual whose identity is identified or identifiable (“data subject”); an identifiable individual is a person who can be identified directly or indirectly, in particular by identifiers such as name, identification number, location information, network identifier or by one or more factors inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
2. SCOPE AND APPLICATION OF THIS AGREEMENT
This Agreement applies only to the extent that MyDataKnox processes Personal Data on behalf of the User when providing the Services, and such personal data is subject to legal data protection rules of the European Union, the European Economic Area and/or their Members, Switzerland and/or the United Kingdom. The Parties agree to abide by the terms and conditions of this Agreement regarding Personal Data.
- ROLES OF THE PARTIES
MyDataKnox will process Personal Data as the Processor on behalf of the User and only in accordance with the User’s instructions.
In cases where the User acts as the Processor, MyDataKnox is the Sub-processor.
- USER’S OBLIGATIONS
The User agrees to:
- Comply with its obligations as the Personal Data Controller in connection with the processing of Personal Data and shall ensure that the requirements and instructions issued to MyDataKnox as the Processor are in accordance with the rights and obligations arising for the Controller from the GDPR and other applicable regulations; and
- Give all consent and rights to MyDataKnox required under GDPR for the processing of Personal Data by MyDataKnox for the purpose of providing the Services in accordance with the Terms of Service and this Agreement.
- PROCESSING OF PERSONAL DATA BY MYDATAKNOX
As a Processor, MyDataKnox shall process Personal Data only for the following purposes:
- To take any steps necessary to execute the Agreement;
- At the request of the User, but to the extent that the request complies with the terms of this Agreement and only with the User’s documented instructions;
- For storage and other processing necessary for the provision, maintenance and improvement of the Services provided to the User;
- AUTHORISED SUB-PROCESSORS
The User agrees that MyDataKnox may engage a Sub-processor to process Personal Data on behalf of the User.
- OBLIGATIONS OF THE SUB-PROCESSOR
- Enter into an agreement with the Sub-processor that imposes obligations on the Sub-processor that are equivalent to the obligations assumed by MyDataKnox as the Processor under this Agreement; and
- Remain responsible for compliance with the obligations under this Agreement and for the actions and omissions of the Sub-processor that cause MyDataKnox’s breach of any obligations hereunder.
- CHANGE OF SUB-PROCESSOR
MyDataKnox will notify the User of any changes regarding the addition or replacement of the Processor.
- OBJECTION TO THE SUB-PROCESSOR
The User may object to the new Sub-processor in writing, within 5 days from receiving the notification of the change of the Sub-processor. A written objection must include a reasonable basis for the objection.
If the User does not object to the new Sub-processor within the stipulated period, it is considered that they have agreed to the change.
If the User and MyDataKnox cannot agree on the objection, especially if the User’s Service cannot be delivered and maintained without the Sub-processor to which the User objects, each party may unilaterally terminate this Agreement without notice upon written notification addressed to the other party.
- SECURITY MEASURES
MyDataKnox shall implement and maintain appropriate technical and organizational measures to protect Personal Data from security incidents and to maintain the security and confidentiality of Personal Data in accordance with security standards and with a defined level of risk.
- CONFIDENTIALITY OF PROCESSING
MyDataKnox shall ensure that any person authorized to process data by MyDataKnox, including employees, is bound by the obligation of confidentiality.
- TRANSFER OF PERSONAL DATA
MyDataKnox shall not transfer personal data to third parties without the prior written consent of the User, unless required by applicable regulations. In the event that the Processor is required to submit, that is, transfer personal data to third parties, MyDataKnox is obliged to notify the User of such a legal claim before acting upon it, unless the applicable regulations prohibit such notification.
- SECURITY INCIDENTS
If a security incident occurs that results in a personal data breach that is likely to cause a high risk to an individual’s rights and freedoms, MyDataKnox shall immediately notify the User about it, no later than 48 (forty-eight) hours after finding out about the personal data breach, and will promptly provide the User with all information related to the security incident, as soon as it is discovered.
- UPDATING SAFETY MEASURES
The User agrees that security measures are a matter related to technical progress and that MyDataKnox may, from time to time, improve or modify security measures, provided that such changes do not adversely affect the overall security of the User’s Services.
5. DATA LOCATION AND ERASURE OF DATA LOCATION
- DATA LOCATION
The User agrees that the Personal Data is processed in the Republic of Croatia and/or in one of the EU member states, or one of the members of the European Economic Area.
- ERASURE OF PERSONAL DATA
The User may request the erasure of personal data from MyDataKnox when the User responds to the subject’s request for erasure in accordance with the GDPR.
Upon expiration or termination of the Service, MyDataKnox will, at the User’s discretion (i) erase personal data, (ii) return personal data to the User, including any copies of personal data or (iii) transfer personal data to a third party as directed by the User, if possible.
The User is obliged to inform MyDataKnox at the latest by the expiry of the notice period or the expiry of the term of the Agreement or within 30 (thirty) calendar days from the date of termination of the Agreement about the manner in which they wish to dispose of Personal Data. Otherwise, the decision is at the discretion of MyDataKnox, which shall confirm to the User without delay that the Personal Data and all backups have been deleted and notify the User in which manner they may retrieve Personal Data within a specified time limit. After the period for downloading Personal Data has expired, MyDataKnox is not obliged to allow the User to access or transfer Personal Data.
The Contracting Parties agree that Personal Data may be made available to the User in the JSON form and that the transfer of Personal Data to third parties is conditional on the possibility for a third party to receive Personal Data in such form, as well as other technical requirements that must be fulfilled in order to ensure a secure transfer of Personal Data from MyDataKnox to a third party; otherwise MyDataKnox is not required to provide a transfer.
Upon downloading or expiry of the term of downloading Personal Data by the User or a third party at the discretion of the User, MyDataKnox shall delete the Personal Data and all backups at its disposal.
MyDataKnox is under no obligation to delete Personal Data in accordance with the provisions of this Article if it is obliged to store Personal Data within the specified timeframe in accordance with applicable regulations. In the event that MyDataKnox is obliged to keep certain Personal Data in accordance with special regulations, it will notify the User of such legal obligation and the estimated duration of such storage.
Notwithstanding the other provisions of this Article, all Personal Data submitted by the User that is processed by MyDataKnox as the Processor shall be automatically erased from the MyDataKnox system no later than 180 days from the date of the lease of the active Service, that is, from the last login of the User to the MyDataKnox user system, except the data for which there is no obligation of storage.
6. FINAL PROVISIONS
- CONFLICT OF LAWS PRINCIPLES