Customer GDPR Data Processing Agreement
Declaration on personal data processing in accordance with the general data protection regulation (EU679 / 2016)
System Bee d.o.o., Vrtlarska 6, Pula, OIB: 44118711367 as Service Provider confirms:
1. Introductory provisions
1.1 The Service Provider has entered into a contractual relationship with the Service Provider, whose Contractual Services have been contracted, with the acceptance of the Business Conditions and the payment of the Preliminary Service (hereinafter: Contract Services).
1.2 This Statement is part of the contractual relationship and defines the harmonization of the relationship with the EU679 / 2016 General Data Protection Regulation (“the Regulation”).
1.3 The Service Provider has in accordance with the Processing Manager status (hereinafter referred to as the Processing Manager).
1.4 The service provider shall comply with the Order of the Processing Agent (hereinafter referred to as the Executing Officer).
1.5 Terms used in this Agreement have the same meaning as stated in the Regulation.
1.6 The processing manager keeps track of the type / category of the data that is involved in the processing of personal data and the provision of Contract Services.
1.7 Personal data provided by the Contractor shall also be considered as personal data to be contacted by the Contractor during the execution of the Contract Services.
1.8 The processing agent shall use the personal information received solely for the purposes of performing the Contract Services. (Annex 1: Contractual Services, Personal Data, Processing and Processing of Personal Data).
2. Information security and compliance with the Regulation
2.1. The Executing Officer confirms that technical and organizational measures are strictly executed when performing his business activities with the aim of protecting personal data and securing the rights of the respondents pursuant to Art. 28 and 32 of the Regulation.
2.2. Minimum technical and organizational measures that reduce the likelihood of unauthorized or deliberate unauthorized changes, destruction, loss or unauthorized processing of personal data include:
- physical, technical and logical protection of premises, machinery and system software, including ICT entry / exit units,
- technical and logical protection of user equipment,
- technical and logical prevention of unauthorized access to personal data when transmitted, including telecommunication and network transmission,
- efficient ways of blocking, destroying, deleting, or anonymizing personal data, when the purpose of data processing is met,
- providing and conducting audit trails designed to determine the time of entry of particular data into records of personal data, use, transfer, view, other processing and identifying the performer of those activities,
- responsibility, information and qualifications of employees and other collaborators of the Processing Manager regarding the protection of personal data, conditions and requirements of the Regulation and good practices of information security,
- documented guarantees of employees and other collaborators of the Processing Manager in conjunction with the requirements of Sections 8.7, 8.8. and 8.9 of this Agreement,
- other measures referred to in the Regulation (Article 32).
2.3 The Executor of Processing warrants that, when executing the Contract Services, he or she fulfills all the conditions, requirements and standards that define their mutual agreement, regulation and good information security practices regarding the protection of personal data.
2.4 The Execution Manager meets all requirements of the Regulation and Good Information Security Practice regarding the formation and management of audit trails.
3. Collection, processing, transfer and storage of personal data
3.1 The Processing Manager confirms that all personal and related data, which are the subject of processing, i.e. the performance of the Contract Services, are obtained legally and in a manner consistent with the requirements of Art. 6 (1), 7 (1), 8 and 9 (2) of the Regulation.
3.2 The Processing Manager confirms that all respondents, in a clear, understandable and written manner, inform about the conditions of collection, processing, transfer and storage of personal data in accordance with Art. 5 of the Regulation.
4. Rights of the respondent
4.1 The Manager of Processing All Respondents allows you to exercise all rights related to their personal information, as set out in Art. 12 to 22 and 46 (5) of the Regulation.
4.2 The Contractor shall comply with the provisions of Art. 37, 38 and 39 of the Regulation, appointed the Data Protection Officer and defined his / her powers, duties and responsibilities.
5. Rights of the Processing Manager
5.1 The Processing Manager shall have the right at any time, at its own expense, and in cooperation with an independent auditor, to carry out the Contract Services and perform technical, organizational and personnel measures that ensure the information security and protection of personal data, as well as compliance with the Regulation, information security practices.
5.2 Processing Manager has the right to work with the Executing Officer when performing the activities required to provide Contractual Services, restrict or prohibit co-operation with the individual subcontractor.
6. Responsibilities of the Processing Manager
6.1 The Processing Manager is obligated to submit all requests and instructions relating to the performance of the Contract Services to the Processing Dealer in writing.
6.2 Processing Manager is responsible for ensuring the legality of the use of information resources, which are the subject of Contractual Services and over which the Contractor has processed, in accordance with the contractual provisions, no direct control or other possibilities of influence.
7. Rights of the Executing Agent
7.1 In the event of a suspicion that the execution of the instructions by the Processing Manager violates applicable laws, the processing agent may suspend the performance of the Contract Services until the change of instructions.
7.2 The Contractor shall notify the Processing Manager of the potential breach of the applicable laws and the intention to terminate the Contract Services in a timely manner and without delay.
7.3 The Settlement Officer may, in the case of misuse or misuse of information resources, which are the subject of Contract Services, without delay postpone such activity.
7.4 A Contractor’s Lease Contractor may enter into a contract with the subcontractor solely for the scope and purpose of the co-operation approved by the Leader. If the Manager does not set any restrictions, the Contractor is free to conclude a contract with the subcontractor of his choice.
8. Obligations of the Executing Officer
8.1 The Contractor is obliged to perform the Contract only for the extent and for the purposes stipulated in the Basic Contract, the Annexes, and the written requests and instructions of the Processing Manager.
8.2 The Contractor shall comply with all the requirements of the Regulation concerning the formation and conduct of audit trails when executing Contract Services.
8.3 The Contractor shall, in accordance with the Regulation and good practice of information security, continuously perform and upgrade all technical and organizational measures that ensure the protection of personal and other related data of the Respondents and the Processing Manager in a manner that will continually ensure the confidentiality, completeness, availability and system and service resilience.
8.4 The contractor will conclude written contracts with the approved subcontractors.
8.5 The Responsibility of the Executing Agent is that the selected subcontractors offer information security and personal data protection at least at the same level as the Executing Agent.
8.6 In the case of receipt of a request by the Respondent regarding the realization of the rights provided to him by the Regulation and if he / she can link the data subject with the Processing Manager on the basis of the data available to him, the Contractor shall submit such a request without delay and in writing to the Processing Manager.
8.7 All employees and other persons involved in the performance of the Contract Services on the part of the Executing Agent shall comply with all instructions and standards of the Processing Manager, as well as the requirements set out in Art. 28, 28, 32 of the Regulation.
8.8 All employees and other persons involved in the performance of Contract Services on the part of the Executing Agent are obliged to respect the confidentiality of business secrets.
8.9 The obligation to protect business secrets is also valid after the termination of employment or other contractual relations or after the termination of co-operation between the Processing Manager and the Executing Officer.
8.10 In the cases defined in the Regulation and on the basis of a written request of the Processing Manager, the Processing Contractor shall cooperate with the Personal Data Protection Agency (AZOP).
8.11 Upon completion of Contract Services, the Contractor shall return to the Manager of all received collections of personal data within 30 days at the latest.
8.12 If the Processing Manager does not require otherwise or if the law does not require storage, the Processing Manager shall permanently destroy all copies and traces of records of personal data that were the subject of Contract Services and / or with which they were in duration within 60 days of the interruption of the cooperation performing contract services in non-contact contact. Exceptions are data, copies or other personal data records that are backed up and with technical restrictions regarding selective deletion.
9. Incident Management
9.1 The Executing Officer confirms that in his organization, in accordance with the Regulation and Good Practice of Information Security, he performs all technical and organizational measures that ensure the management and execution of adequate activities in the event of suspicion or confirmation of a security incident and / or loss of confidentiality.
9.2 The Processing Manager and the Processing Manager shall, in the event of doubt or confirmation of a security incident and / or loss of confidentiality, act in accordance with Art. 33 and 34 of the Regulation.
9.3 The Processing Manager and the Processing Manager shall, without delay, notify each other, in the event of any suspicion or confirmation of a security incident and / or loss of confidentiality, in addition to the performance of all activities envisaged in their internal regulations.
9.4 The Processing Manager and the Processing Manager shall exchange the results of the analysis of causes and circumstances related to identified security incidents and loss of confidentiality.
9.5 All findings and analysis results will be used to improve and upgrade the system and internal processes.
10. Final Provisions
10.1. The Processing Manager and the Executing Officer agree that none of the individual provisions of this Statement or of the Basic Contract or Annex or any written request shall be deprived of the individual obligations to comply with the provisions of the Regulation and the individual liability arising therefrom.
10.2 In the case of disputes relating to the security of personal data, the provisions of this Declaration shall take precedence over the provisions of the Basic Agreement and the Annex.
10.3 Any dispute arising out of or in connection with this Statement shall be settled by the Contracting Parties in a peaceful manner, and in the event of a dispute being resolved by peaceful means, the Contracting Parties shall have jurisdiction over the jurisdiction of the Court in Pula, with the application of the law of the Republic of Croatia.
10.4 Irregularity or non-enforceability of the individual provisions of this Statement shall not affect the validity of other valid provisions. The Contracting Parties are obliged to change any improper provision without delay.
10.5 This Declaration is valid for the Processing Manager from the time of delivery or confirmation of its order or no later than the payment execution. For existing contractual partners, this Statement is valid from the time of its publication on System Bee d.o.o.
10.6 This Declaration is valid for the validity period of the Basic Contract and the Annex.
System Bee, LTD
Name: Zvonimir Gembec
Title: General Counsel
Annex A – List of Sysbee’s Sub-processors
Available upon request
Annex B – Sysbee’s Security Measures
Available upon request