Data Processing Annex (“DPA”)

This Personal Data Processing Annex (this “DPA”) is part of the General Terms and Conditions for the Subscription to SMU OS Services, and applicable to the Agreement, to the extent therein determined. Any capitalized terms under this Annex shall have the meanings given to them under the Terms and Conditions.

  1. INTERPRETATION
    1. The following words and phrases in initial capital letters shall have the meanings set forth below:

      Appropriate Safeguards means such legally enforceable mechanism(s) for Transfers of personal data as may be permitted under Data Protection Law from time to time;

      Controller means Customer;

      Data Processing Services mean the services described in Schedule 1 to this DPA;

      Data Protection Law means all data privacy regulations that are applicable and binding on the Controller, the Processor and/or the Data Processing Services, including, but not limited to European Economic Area and Switzerland, including the EU General Data Protection Regulation 2016/679 (“EU GDPR”), the UK Data Protection Act of 2018, and the UK GDPR (“UK GDPR”), California Consumer Privacy Act (“CCPA”);

      Onward Transfer means a Transfer from one International Recipient to another International Recipient;

      Personal Data means the information referring to a Data Subject that is processed by the Processor by instruction of the Controller in the context of the provision of Data Processing Services;

      Processor means Company;

      Regulator means any regulatory body with responsibility for ensuring compliance with Data Protection Law;

      Restricted Transfer means an overseas transfer to a country that is not subject to an adequacy decision or otherwise requires some form of transfer mechanism to be implemented in order to comply with such Data Protection Law;

      Security Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data;

      Standard Contractual Clauses means (a) with respect to a Restricted Transfer which is subject to the EU GDPR, the Controller-to-Processor standard contractual clauses, as set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to GDPR, as may be amended or replaced by the European Commission from time to time (the “EU SCCs”), (b) with respect to a Restricted Transfer subject to the UK GDPR, the International Data Transfer DPA to the EU Commission Standard Contractual of 21 March 2022, as may be amended or replaced by the UK Information Commissioner’s Office from time to time (the “UK IDTA”), (c) with respect to other Restricted Transfer subject to Argentina’s Personal Data Protection Law, the Controller to Processor standard contractual clauses, as set out in Regulation No. 60-E/2016, as may be amended or replaced by the National Directorate for the Protection of Personal Data from time to time (“Argentinian SCCs”), and (d) with respect to Restricted Transfers subject to other Data Protection Laws, such other standard contract clauses as may be required to be implemented between Controller and Processor (“Other Applicable Transfer Clauses”);

      Sub-Processor means any third party appointed by the Processor to process Personal Data.

    2. References in this DPA to “Data Subject”, “Processing”, “Data Protection Officer” and “Transfer” shall have the same meaning as defined in Data Protection Law.
  2. CONTROLLER’S OBLIGATIONS
    1. The Controller shall:
      (a) Comply with all applicable Data Protection Law;
      (b) Instruct Processor (and authorize Processor to instruct each of its approved Sub-Processors) to process Personal Data;
      (c) Warrant and represent that it is and will at all relevant times remain duly and effectively authorized to give the instruction as set out in clause 2.1(b);
      (d) Warrant and represent that the Personal Data sourced by the Controller for use in connection with Schedule 1 of this DPA, shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Law;
      (e) Perform an assessment of the impact on personal data protection of the processing operations to be conducted by the Processor as required by Data Protection Law;
      (f) Implement the relevant prior consultations;
      (g) Inform the Processor, to the best of Controller’s knowledge, if any Personal Data disclosure is somehow restricted (including but not limited to, any restriction from further disclosure to Controller’s subcontractors and/or any international transfer of the Personal Data allowed hereunder).
  3. PROCESSOR’S OBLIGATIONS
    1. The Processor shall:
      Process the Personal Data only to the extent, and in such a manner, as is necessary for the purposes of the Data Processing Services and in accordance with the Controller’s written instructions;
      Keep written records of all categories of processing activities carried out on behalf of the Controller as part of the Data Processing Services, including:
      name and contact details of the Processor(s) and of every Controller or any Affiliates on whose behalf the former is acting;
      if applicable and duly authorized by the Controller under this DPA, the transfers of Personal Data to a third country or international organization, including the identification of such third country or international organization, and the documentation of suitable safeguards, when applicable;
      Comply with its obligations as Processor under Data Protection Law including, where necessary, appointing a Data Protection Officer;
      Take appropriate technical and organizational measures, at least equivalent to the technical and organizational measures set out in Schedule 2 of this DPA;
      Notify Controller without undue delay if in the Processor’s opinion any of Controller’s instructions violate Data Protection Law. Processor shall not be liable for not carrying out any allegedly infringing instruction that has been duly notified to Controller until the status of such instruction has been resolved by the Parties. Any notification is provided “as is”, and shall not be considered legal advice on behalf of the Processor. The Processor shall have indemnification rights and no liability whatsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with Controller’s processing instructions;
      Ensure that its employees and contractors who have access to Personal Data are subject to appropriate enforceable obligations of confidentiality with regards to Personal Data, at least as restrictive as the ones contained under this DPA and Data Protection Law, and that access to, or use of, Personal Data by such employees and contractors is permitted only where required to perform the Data Processing Services;
      Provide Controller with cooperation and assistance required in relation to the Controller’s obligations under Data Protection Law, considering the nature of the Data Processing Services and the information available to the Processor, including:
      notifying Controller without undue delay of receipt of any request made by a Data Subject to exercise any of their rights under Data Protection Law, and providing, to the extent that the Processor has it, reasonable and sufficient information and assistance in complying with such requests;
      assisting with compliance of the Controller’s obligations to report Security Breaches to Regulators and Data Subjects in respect. Processor shall not make any public statement, announcement or comment in relation to any Security Breach without the prior review and written consent of the Controller; and
      contributing to data protection impact assessments, and, where applicable, prior consultations with Regulators.
    2. The Processor shall give written notice to the Controller, without undue delay, and in any case within 72 (seventy two) hours of any relevant Security Breach. Processor notice shall not be necessary where it is unlikely that such Security Breach constitutes a risk for the rights and liberties of individuals. The Processor shall without undue delay of the Security Breach, provide all reasonable information, to the extent that Processor has it, as the Controller reasonably requires to report the Security Breach to a Regulator and to notify affected Data Subjects.
  4. AUDIT
    1. Upon receipt of reasonable prior written notice of at least 10 (ten) Business Days, the Processor shall (and shall ensure all of its sub-processors shall) promptly make available to the Controller such information as is required to demonstrate the Processor’s compliance with its obligations under this DPA and the Data Protection Law, and allow for audits by the Controller for this purpose at the reasonable request of the Controller, subject to a maximum of one audit request in any 12 (twelve) month period.
    2. The Processor shall provide (or procure) access to all relevant premises, documents, personnel and records during normal business hours for the purposes of each such audit and provide and procure all further reasonable cooperation, access and assistance in relation to any such audit.
    3. The Processor need not give access to its premises or share information for the purposes of such an audit:
      to any individual unless they produce reasonable evidence of identity and authority;
      outside normal business hours at those premises; or
      to any auditor that declines to sign any of the confidentiality agreements required by the Processor or that is a competitor of the Processor.
    4. Under no circumstances shall any of the terms of this DPA be construed as the Processor’s obligation to deliver or disclose to the Controller and/or its auditors any piece of information that: (a) is not strictly related to the Data Processing Services; (b) is related to any of the Processor’s clients other than the Controller; (c) relates to salaries or any other information regarding the Processor’s or the Processor Affiliates’ employees; or (d) relates to the costs of execution of the services provided by Processor.
    5. The Controller shall ensure that it makes reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Processor’s premises, equipment, personnel and business while its personnel are on the Processor’s premises in the course of such audit.
    6. The costs of the audit shall be borne by the Controller. If, as a result of the audit any errors or instances of non-compliance are identified, the Controller shall notify the Processor and grant the Processor a term of 30 (thirty) days to correct the matter.
  5. SUB-PROCESSORS
    1. The Processor is hereby authorized to subcontract other companies (Sub-Processors) to assist with the provision of the services contracted between the parties. The aforementioned Sub-Processors may be hired by the Processor for the performance of any of its obligations under any relevant agreement. The list of Sub-Processors is available in this link. The Processor shall keep the list of Sub-Processors updated in that list.
    2. The Processor shall ensure that access to Personal Data is limited to the authorized persons who need access to it to provide the Data Processing Services.
    3. The Processor shall, prior to any Sub-processor carrying out any processing activities in respect to the Personal Data, appoint such Sub-processor under a binding written contract containing the same obligations outlined in this DPA and procure compliance by each such Sub-processor of its obligations under such agreement.
    4. The Processor shall remain fully liable to the Controller under this DPA for all the acts and omissions of each of its Sub-processors as if they were its own.
  6. INTERNATIONAL TRANSFERS
    1. The Processor shall not Transfer (nor permit any Onward Transfer of) any Personal Data processed under this DPA to another country or an international organization (“International Recipient”) without the Controller’s prior written consent.
    2. The Controller hereby consents to the Processor Transferring Personal Data for the purpose of the Data Processing Services to any International Recipients, provided that each Transfer of Personal Data by the Processor to an International Recipient (including any Onward Transfer) is:
      made by way of Appropriate Safeguards and in accordance with Data Protection Law and this DPA; and
      made pursuant to a written contract, including equivalent obligations on each sub-processor in respect of Transfers to International Recipients as apply to the Processor.
    3. The Processor may transmit the Personal Data to its Affiliates, third parties hired by the Processor in accordance with the Data Protection Law and in relation to the purpose, and to other Processors of the same Controller (“Authorized Parties”) in accordance with the instructions given by the Controller; in which case, the Controller shall previously identify in writing the entity that shall receive the data, the data to be shared and the security measures to apply in order to proceed to the communication.
    4. If the Processor must transfer Personal Data from one country to another or to an international organization, pursuant to and to the extent required by the Data Protection Law, and except to the extent such transfer is to any of the Authorized Parties, it shall previously inform the Controller of such statutory requirement, unless such law prohibits it for important public interest reasons.
    5. To the extent any Restricted Transfer of Personal Data takes place, the terms set forth in Schedule 3 will apply.
  7. DATA DELETION
    1. The Processor shall (and shall ensure that each of its Sub-Processors shall) delete all the Personal Data, within 30 (thirty) days from receiving the request from the Controller, in such form as the Controller reasonably requests once the provision of the relevant Data Processing Services have ended and are no longer required.
    2. The requirement in clause 7.1 shall not apply to the extent that the Processor (or any of its Sub-processors) is required by applicable statutory or regulatory law, regulation, court order or other similar rules in any relevant jurisdiction, to retain or continue to store the Personal Data.
    3. If so requested in writing by the Controller, the Processor shall provide written confirmation of compliance with clause 7.1.
Schedule 1 – Data Processing Services Details
  1. Subject-matter and duration of processing: The subject matter and duration of the Data Processing Services are set out in the Master Services Agreement and relevant Statements of Work.
  2. Nature and purpose of the processing: Processing personal data so as to facilitate the services to be provided under Master Services Agreement and relevant Statements of Work.

    Please mark with an X those activities to be carried out:

    X Collection         X Registration
    X Structuring        X Modification
    X Maintenance        X Extraction
    X Access             X Communication through transmission
      Dissemination      X Interconnection
      Comparison         X Restriction
    X Erasure            X Destruction
      Communication        Others: .........................
  3. Identification of Personal Data:
    Purpose of the Processing: Management of services relationship for employees
    Categories of Data Subjects: Employees and workers
    Categories of Personal Data: Necessary data to comply with the services: Name and Surnames; Contact details and employer’s identifying data (name of company/organization, position, duties, etc.); Data related to the services provided
  4. Processing Instructions: All necessary processing operations to provide the Data Processing Services under this DPA and the services and performance of Processor’s obligations under the Terms and Conditions or Subscription.
Schedule 2 – Technical and Organizational Measures

Processor is a serious professional software development service provider that adheres to the best practices of cybersecurity and data protection as requested by all its clients. Processor implements several controls (logical and physical) in order to guarantee the security of the information. These controls include but are not limited to:

  • ISO 27001 (or other renowned) security framework
  • Information security policies
  • Remote working
  • Employee screenings
  • Awareness training for its employees
  • Asset management
  • Access controls (logical)
  • User management
  • Operating Systems, Software, Patching and Antivirus
  • Network controls
  • Backups
  • Systems and Applications Logging
  • Encryption
  • Business Continuity Management (BCM)
  • Physical Security standards (manned guards, CCTV, proximity cards and biometric controls)
  • Incident Management

The Processor will not store any Personal Data unless it is specifically agreed in a Statement of Work signed with the Controller.

If the Processor stores any Personal Data, the Processor will implement the appropriate controls to guarantee its confidentiality, integrity and availability.

Schedule 3 – Cross Border Transfer Mechanisms
  1. In the event of a Restricted Transfer to a recipient outside of the EEA, then such transfers shall be governed by Module 2 of the EU SCCs, which shall be entered into and incorporated into this DPA by this reference and the following terms shall apply:
    the optional docking clause in Clause 7 does not apply;
    in Clause 9, Option 2 will apply, the minimum time period for prior notice of Sub-processor changes shall be 5 (five) days, and Processor shall fulfill its notification obligations by notifying Controller of any Sub-processor changes by emailing the Controller to the email address indicated in the Terms and Conditions or Subscription;
    in Clause 11, the optional language does not apply;
    in Clause 13, all square brackets are removed with the text remaining;
    in Clause 17, Option 1 will apply, governing law shall be the one set out in the DPA;
    in Clause 18, disputes will be resolved before the courts set out in the DPA;
    the information required in Annex 1 of the EU SCCs (Subject Matter and Details of Processing) is attached in this DPA as Schedule 1;
    the information required in Annex 2 of the EU SCCs is contained in Schedule 2.
  2. In the event of a Restricted Transfer to a recipient outside of the UK, then such transfers shall be governed by the UK IDTA, which shall be entered into and incorporated into this DPA by this reference and completed as follows:
    in Table 1, the parties’ information shall be completed as set out in this DPA;
    in Table 2, the transfer details shall be completed as set out in this DPA;
    in Table 3, the details of the Transferred Data shall be completed as set out in Schedule 1 of this DPA;
    in Table 4, the details of the Security Requirements shall be completed as set out in Schedule 2 of this DPA.
  3. In the event of a Restricted Transfer to a recipient outside of Argentina, then such transfers shall be governed by Appendix II of the Argentinian SCCs, which shall be entered into and incorporated into this DPA by reference and Exhibit A (Subject Matter and Details of Processing) shall be completed as set out in Schedules 1 and 2 of this DPA.
  4. In the event of any other Restricted Transfer, such transfers shall be governed by such other applicable transfer clauses as may be required under Data Protection Laws, which shall be entered into and incorporated into this DPA by reference and:
    Schedule 1 to this DPA will provide details of the Restricted Transfer;
    Schedule 2 to this DPA will provide the Technical and Organizational Measures; and
    disputes relating to the Restricted Transfer shall be governed by the applicable laws of the country from which the Restricted Transfer takes place and resolved before the courts of such country.