September 1, 2020
1. Purposes of processing
1.2. The personal data that are processed by the Processor in the context of the activities referred to in the previous paragraph and the categories of data subjects from whom they originate are set out in Schedule 1. The Processor will not process the personal data for any purpose other than as determined by the Processing Responsible Party. The Processing Responsible Party will inform the Processor of the processing purposes if they are not already set out in this Processing Agreement.
1.3. The personal data to be processed on the instructions of the Processing Responsible Party will remain the property of the Processing Responsible Party and/or the parties involved.
1.4. The Processing Responsible Party guarantees that the processing of personal data will fall under one of the exemptions under the AVG, and that notification to the AP is therefore not required.
2. Obligations of Processor
2.2. The Processor will inform the Processing Party, at the latter's first request, of the measures it has taken regarding its obligations under this Processor Agreement.
2.3. The obligations of the Processor arising from this Processing Agreement also apply to those who process personal data under the authority of the Processor, including but not limited to employees, in the broadest sense of the word.
2.4. The Processor will immediately notify the Processor if, in its opinion, an instruction from the Processor is in breach of the legislation referred to in paragraph 1.
2.5. Processor will, to the extent within its power, provide assistance to Processor for the purposes of conducting data protection impact assessments (PIAs).
3. Obligations of the Controller
3.2. The processing responsibility includes in any case the correct and secure use of the services purchased, including:
- Applying a valid SSL certificate and connection to the relevant domains, websites, web shops and other code;
- Connecting email via SSL;
- Implementation of security patches and security upgrades on code;
- Keeping account content code up-to-date, including website, CMS, CRM software or other code.
4. Transfer of personal data
4.2. Transfer to countries outside the European Union is not permitted without the prior written consent of the Controller.
5. Division of responsibility
5.2. Processor is solely responsible for the processing of the personal data under this Processing Agreement, in accordance with the instructions of Processor and under the express (final) responsibility of Processor. For the other processing of personal data, including in any case, but not limited to, the collection of the personal data by the Processor, processing for purposes not notified to Processor by Processor, processing by third parties and/or for other purposes, Processor is expressly not responsible.
5.3. The Processor guarantees that the content, use and assignment of the processing of the personal data referred to in this Processing Agreement are not unlawful and do not infringe any third-party right.
6. Use of third parties or subcontractors
6.2. Processor shall unconditionally ensure that such third parties assume in writing the same duties as agreed between Controller and Processor.
6.3. The Processor guarantees that these third parties will comply correctly with the obligations of this Processor Agreement and, in the event of errors by these third parties, will itself be liable for all damage as if it had committed the error(s) itself.
7.2. Processor has taken at least the following measures:
- Encryption of digital files containing personal data;
- Securing network connections via Secure Sockets Layer (SSL) technology;
- The application of updates and security patches for vulnerabilities at both infrastructure and operating system level, with the aim of providing the safest possible software- and hardware-based services. Execution of patching where applicable and to promote security will be carried out within 72 hours of delivery of available updates.
7.3. Processor is responsible for compliance with the measures agreed by the Parties and to be taken by Processor.
8. Duty to Report
8.2. If required by law and/or regulations, Processor will cooperate in informing the relevant authorities and any parties concerned. Controller is responsible for reporting to the relevant authorities.
8.3. The duty of notification includes in any case the reporting of the fact that a leak has occurred, as well as:
- What the (alleged) cause of the leak is;
- What the (as yet known and/or expected) consequence is;
- What the (proposed) solution is;
- What measures have already been taken.
9. Handling of requests from those concerned
10. Secrecy and confidentiality
10.2. This secrecy obligation will not apply insofar as the Processing Agent has given express permission to provide the information to third parties, if providing the information to third parties is logically necessary in view of the nature of the assignment given and the performance of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.
11.2. This audit will take place no more than once a year and will only take place if there is a concrete and well-founded suspicion of misuse of personal data by the Processor, and only after the Processor has requested similar reports from the Processor, assessed them and provided reasonable arguments to justify an audit initiated by the Processor. Such an audit will be justified if the similar reports available at the Processor do not provide any, or sufficient, evidence of the Processor's compliance with this Processor Agreement.
11.3. This audit will take place two weeks after prior announcement by Processor, without using and inspecting any confidential data of Processor and without unnecessarily disrupting Processor's work processes.
11.4. Processor shall cooperate with the audit and make available all information reasonably relevant to the audit, including supporting data such as system logs, as well as employees, as promptly as possible and within a reasonable period; a period of up to four weeks is reasonable unless an urgent interest dictates otherwise.
11.5. The findings of the audit will be assessed by the Parties in mutual consultation and, as a result, may or may not be implemented by one or both Parties jointly.
11.6. The reasonable costs of the audit shall be borne by the Respondent, it being understood that the costs of the third party to be hired shall always be borne by the Respondent.
12. Liability and penalty clauses
12.2. Direct damage is exclusively understood as all damage consisting of:
- Damage directly caused to tangible property ("property damage");
- Reasonable and demonstrable costs incurred in order to persuade the Processor to properly perform the Processing Agreement or to resume it;
- Reasonable costs incurred to determine the cause and scope of the damage insofar as it relates to direct damage as referred to here;
- Reasonable and demonstrable costs incurred by the Processor to prevent or limit the direct damage referred to in this Article.
12.3. Processor is not liable for damages resulting from installed code, CRM systems or other software installed in the hosting account, server or other related service. CRM systems include WordPress, Joomla, Prestashop, Magento or Drupal.
12.4. For cloud services or additional services of which Processor does not do server or infrastructure management, but only acts as a reseller, facilitator or user, liability is excluded. Cloud services include Microsoft Office 365 email, Google G Suite email, Dropbox, Boxcryptor and Acronis backup. Additional services include CloudFlare, SpamExperts, SSL Certificate Authorities, and Let's Encrypt.
12.5. The liability of Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage and therefore at least, but not limited to, consequential damage, loss of profit, missed savings, reduced goodwill, damage due to business interruption, damage due to failure to determine marketing objectives, damage relating to the use of data or data files prescribed by the Processor, or loss, mutilation or destruction of data or data files.
12.6. The exclusions and limitations referred to in this Article will lapse if and insofar as the damage is the result of intent or deliberate recklessness on the part of the Processor or its management.
12.7. Unless performance by the Processor is permanently impossible, the liability of the Processor for an attributable shortcoming in the performance of the Agreement will only arise if the Processor immediately gives notice of default in writing, stating a reasonable period for remedying the shortcoming, and if the Processor continues to be in attributable default of its obligations even after that period. The notice of default must contain a description of the shortcoming that is as complete and detailed as possible, so that Processor is given the opportunity to respond adequately.
12.8. Any claim for compensation by Processor against Processor that is not specified and explicitly reported will lapse by the mere lapse of twelve (12) months after the claim arises.
12.9. Processor shall have and maintain adequate insurance during the Processor Agreement for liability in accordance with this Article.
12.10. In the event of a breach of the Processing Agreement, the Processor will forfeit to the Processing Agent an immediately payable penalty of € 50.00 per breach and € 50.00 for each day that the breach continues.
13. Duration and termination
13.2. This Processing Agreement has been entered into for the term specified in the main agreement between the Parties and, failing that, in any event for the duration of the collaboration.
13.3. As soon as the Processor Agreement is terminated, for whatever reason and in whatever way, the Processor will - at the request of the Processing Party - delete and/or destroy all the personal data in its possession.
13.4. The Processor is entitled to revise this agreement from time to time. It will notify the Processor of the changes at least three months in advance. The Processing Responsible may terminate the agreement at the end of those three months if it cannot agree to the changes.
14. Applicable law and dispute resolution
14.2. All disputes that may arise between the Parties in connection with the Processing Agreement will be submitted to the competent court in the district where the Processor has its registered office.
14.3. In the event of conflict between different documents or their annexes, the following order of priority will apply:
- the Agreement;
- the General Terms and Conditions;
- this Processing Agreement;
- the Service Level Agreement;
- any additional conditions.
Appendix 1: Specification of personal data and data subjects
In the context of Article 1.1 of the Processing Agreement, the Processor will process the following (special) personal data, where applicable, on the instructions of the Processor:
- Company name
- Address, postal code, town, country
- Email addresses
- Telephone numbers
- Payment method, financial data and bank account data
- Other information related to the services you purchase from us.
- IP addresses
Of the categories involved:
Processor warrants that the personal data and categories of data subjects described in this Schedule 1 are complete and accurate, and indemnifies Processor for any deficiencies and claims resulting from Processor's incorrect representation.
Access to data
Through the Surver customer panel you can see what information we store about you and you can also make changes. You can also email us at firstname.lastname@example.org if you want to know what information we store about you.