General Data Protection Regulation
GDPR statement: System Bee d.o.o., Marianijeva 11, Pula, OIB: 44118711367 as Service Provider (hereinafter: the Provider) confirms the following:
1. Introductory provisions
This Statement is part of the contractual relationship and defines the reconciliation of mutual relations with regard to the EU General Data Protection Regulation EU679 / 2016 (hereinafter: the Regulation).
In accordance with the Regulation, the Services User has the status of Data Controller (hereinafter: Data Controller), the Service Provider has the status of Data Processor (hereinafter: Data Processor) and the Data Subjects are all natural persons whose personal data can be processed (hereinafter: Data Subject).
The terms used in this Statement have the same meaning as in the Regulation.
Data Processor keeps a record of the type / category of data which is involved in the processing of personal data and the provision of contractual services.
Personal data which is inadvertently processed by the Data Processor when performing the contractual Services will also be considered as submitted personal data.
The Data Processor will use the received personal data solely for the purpose of performing the contractual Services.
2. Information security and compliance with the Regulation
The Data Processor confirms that technical and organizational measures are strictly executed when performing its business activities, with the aim of protecting personal data and securing the rights of the Data Subjects pursuant to Art. 28 and 32 of the Regulation.
Minimal technical and organizational measures which reduce the likelihood of unintentional or intentional tampering, destruction, loss or unauthorized processing of personal information include:
- Physical, technical and logical protection of premises, machinery and system software, including ICT entry / exit units,
- Technical and logical protection of user equipment,
- Technical and logical prevention of unauthorized access to personal data during transmission, including telecommunication and network transmission,
- Efficient ways of blocking, destroying, deleting, or anonymizing personal data, when the purposes of data processing are fulfilled,
- Providing and conducting audit trails designed to determine the time of entry of particular data into records of personal data, use, transfer, view, other processing and identifying the performer of those activities,
- Responsibility, information and qualifications of employees and other collaborators of the Data Processor regarding the protection of personal data, conditions and requirements of the Regulation and good practices of information security,
- Other measures referred to in the Regulation (Article 32).
The Data Processor guarantees that when performing the contractual Services, all of the conditions, requirements and standards defined by the Regulation as well as good information security practices related to the protection of personal data will be respected. The Data Processor also meets all the requirements of the Regulation and good information security practices regarding the formation and management of audit trails.
3. Collection, processing, transfer and storage of personal data
The Data Controller confirms that all personal and related data, which are the subject of processing, i.e. the execution of the contractual Services, are obtained legally and in a manner consistent with the requirements of Art. 6 (1), 7 (1), 8 and 9 (2) of the Regulation.
The Data Controller confirms that all Data Subjects were informed clearly, understandably and in writing regarding the conditions of collecting, processing, transferring and storing their personal data, in accordance with Art. 5 of the Regulation.
4. Data Subject’s rights
The Data Processor enables all Data Subjects to exercise all the rights related to their personal data, as specified in Art. 12 to 22 and 46 (5) of the Regulation.
5. Data Controller’s rights
The Data Controller has the right to, at any time, at his own expense and in cooperation with an independent auditor, check the execution of contractual Services, and the implementation of technical, organizational and personnel measures which ensure information security and protection of personal data, as well as the compliance with the Regulation and good practices of information security, at the Data Processor’s side.
The Data Controller has the right to limit, or prohibit, cooperation with individual subcontractors when performing the activities required to provide the contractual Services.
6. Data Controller’s obligations
The Data Controller is obliged to forward all requests and instructions related to the execution of the contractual Services to the Data Processor in writing.
The Data Controller is obliged to ensure the lawfulness of the use of information systems, which are the subject of the contractual Services and over which the Data Processor, in accordance with the contractual provisions, has no direct control or other possibility of influence.
7. Data Processor’s rights
The Data Processor may temporarily suspend the execution of the contractual Services in case there is a suspicion that laws would be violated by executing the instructions provided by the Data Controller.
The Data Processor is obliged to inform the Data Controller of a potential violation of the applicable laws and the intention to terminate the execution of the contractual Services in a timely manner and without delays.
The Data Processor may, in the case of misuse or abuse of the information resources which are the subject of the contractual Services, suspend such activity without delay.
The Data Processor may enter into a contract with a subcontractor for the purpose of executing the contractual Services, only to the extent and purpose of the cooperation previously approved by the Data Controller. If the Data Controller does not impose restrictions, the Data Processor is free to cooperate with a subcontractor of its choice.
8. Data Processor’s obligations
The Data Processor is required to perform the contractual Services only to the extent and for the purposes agreed upon in the Original contract, Annexes and written requests and instructions of the Data Controller.
The Data Processor will, when performing the contractual Services, meet all the requirements of the Regulation in connection with the formation and management of audit trails.
In accordance with the Regulation and good information security practice, the Data Processor will continuously implement and upgrade all technical and organizational measures which ensure the protection of the personal and other related data of the Data Subjects and the Data Controller, in such a way that they will constantly ensure the confidentiality, integrity, availability and resilience of systems and services.
The Data Processor will enter into written contracts with the approved subcontractors whenever possible. It is the responsibility of the Data Processor that the selected subcontractors offer information security and protection of personal data at least at the same level as the Data Processor.
In case of receiving a request from a Data Subject related to the realization of his or her rights guaranteed by the Regulation, and if on the basis of the information provided the Data Processor can link the Data Subject with the Data Controller, the Data Processor shall immediately forward such request without delay and in writing to the Data Controller.
All employees and other persons involved in the execution of the contractual Services by the Data Processor shall comply with all instructions and standards of the Data Controller, as well as the requirements specified in Art. 28 and 32 of the Regulation. All employees and other persons involved in the execution of the contractual Services by the Data Processor are obliged to respect the protection of business secrets. The obligation to protect business secrets remains valid even after the end of employment or other contractual relations, and after the termination of cooperation between the Data Processor and the Data Controller.
In the cases defined in the Regulation and upon the written request of the Data Controller, the Data Processor will cooperate with the Personal Data Protection Agency (AZOP).
Unless otherwise required by the Data Controller, or required by law, the Data Processor shall, within 60 days of termination of cooperation, permanently destroy all copies and traces of records of personal data that were the subject of the contractual Services and / or with which it came into accidental contact while providing the Services. The exception is data where there are technical or legal restrictions regarding selective deletion.
9. Incident Management
The Data Processor confirms that all technical and organizational measures which ensure the management and performance of adequate activities in the event of a suspected or confirmed security incident and / or loss of confidentiality are implemented within the Data Processor’s organization, in accordance with the Regulation and good information security practice.
The Data Controller and Data Processor shall, in case of suspicion or confirmation of a security incident and / or loss of confidentiality, immediately respond in accordance with Art. 33 and 34 of the Regulation.
The Data Controller and Data Processor shall, in case of suspicion or confirmation of a security incident and / or loss of confidentiality, immediately notify one another, in addition to carrying out all the activities provided for in their internal regulations.
The Data Controller and Data Processor will exchange the results of the analysis of the causes and circumstances related to security incidents and confidentiality losses. All findings and results of the analyses will be used to improve and upgrade systems and internal processes.
10. Final Provisions
The Data Controller and Data Processor agree that no individual provisions of this Statement, the Original contract, Annexes or written requests deprive them of the individual obligation to comply with the provisions of the Regulation and the individual liability arising therefrom.
In the case of disputes concerning the security of personal data, the provisions of this Statement take precedence over the provisions of the Original contract and annexes.
All disputes arising out of or in connection with this Statement shall be settled by the contracting parties amicably. In the event that the dispute is not settled amicably, the contracting parties shall agree on the jurisdiction of the court in Pula, in accordance with the law of the Republic of Croatia.
The invalidity or unenforceability of individual provisions of this Statement does not affect the validity of other applicable provisions. The parties are obliged to change any invalid provision without delay.
This Statement is valid for the Data Controller from the time of delivery or confirmation of his order, or at the latest upon payment for the order. This Statement is valid for existing contractual partners from the time of its publication on the Sysbee website.
This Statement is valid for the period of validity of the Original Contract and any annexes related to it.
List of Sysbee’s Sub-processors is available upon request.