This Data Processing Addendum (“Addendum”) forms an integral part of the Terms of Service (“ToS”).
You (“Company” or “Controller”) and “Premium WP Support” Ltd. (a company organized and existing under the laws of Bulgaria, with UIC 205888763 and seat and registered address located at 73 “Cherni vrah” Blvd., floor 3, 1407 Sofia, Bulgaria) (“Processor”) have entered into an agreement under which the Processor has agreed to provide Services (as described at https://saasbpm.com/terms-of-services/) and technical support to the Company.
The Company and the Processor are hereinafter referred to jointly as “Parties”.
Except as expressly modified below, the ToS remain in full force and effect.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the ToS.
- Definitions
For the purpose of this Addendum, the following terms and expressions will have the following meaning:
1.1. “Applicable Laws” means EU Data Protection Laws, including but not limited to the Bulgarian Personal Data Protection Act and the General Data Protection Regulation 2016/679 and, to the extent applicable, the data protection or privacy laws of any other country;
1.2. “GDPR” means EU General Data Protection Regulation 2016/679;
1.3. “Sub Processor” means any person or third party appointed by or on behalf of the Processor and approved expressly by the Company, with such approval being subject to strict compliance with this Addendum;
1.4. “Services” means the services and other activities to be supplied or carried out by or on behalf of the Processor for Company Group Members pursuant to the ToS.
The terms “Commission”, “Controller”, “Data Protection Officer”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” have the same meaning as in the GDPR.
- Processing of Personal Data
2.1. The Company remains the exclusive Controller of the Processed Personal Data and shall determine how the Personal Data is to be processed by the Processor, the purposes of such Processing, and the use of Personal Data by the Processor. The Company warrants that:
(a) its instructions and actions with respect to the Processed Personal Data have been authorized by the relevant Data Subjects and are compliant with Applicable Laws;
(b) it has obtained the prior consent and authorisation of the relevant Data Subjects to appoint the Processor;
(c) it will provide all required instructions to the Processor in a timely, sufficiently clear and detailed manner, in either written or electronic form.
2.2. The Processor shall only Process Personal Data on behalf and for the benefit of the Company, in accordance with the Company’s instructions, and shall have no independent rights in relation to it, unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before Processing that Personal Data.
2.3. Annex 1 to this Addendum sets out more information regarding the Processing of Personal Data. The Company and the Processor may make reasonable amendments to Annex 1 from time to time. Such amendments shall require both Parties’ consent and shall be made in writing.
- Confidentiality
3.1. The Processor and the Company shall each take reasonable steps to ensure the reliability of any of their employees, contractors, agents or consultants who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the ToS and to comply with Applicable Laws in the context of that individual’s duties to the relevant Party.
3.2. The Processor and the Company shall ensure that the individuals authorised to Process Personal Data for the purpose of the ToS and this Addendum have agreed in writing to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
- Sub Processors
4.1. The Processor shall not appoint (or disclose any Personal Data to) a Sub Processor except with the prior explicit written consent of the Company.
4.2. The Company generally authorises the Processor for the engagement of the following Sub Processors:
(a) cloud service providers;
(b) email service providers;
(c) payment services providers;
(d) WordPress plug-in providers;
(e) analytics providers;
(f) technical support providers;
(g) software maintenance providers.
4.3. When engaging a Sub Processor, the Processor will comply with its obligations under Articles 28(2) and 28(4) GDPR.
4.4. The Processor shall be liable for acts or omissions of Sub Processors resulting in a breach of Applicable Laws insofar as such acts or omissions are part of Processing activities under the Processor’s control. If those Processing activities (for example, storage of Personal Data in the cloud) are outside the Processor’s control, the Processor shall not be liable for them.
- Security of Processing
5.1. The Processor warrants that it has implemented appropriate technical and organisational measures to secure Personal Data against loss and against any form of unlawful or unauthorised Processing. These measures shall ensure a level of security appropriate to the risk, as described in Article 32 GDPR.
5.2. In assessing the appropriate level of security, the Processor shall take into account the risks presented by the Processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Processed Personal Data.
- International Transfers of Personal Data
6.1. Neither the Processor nor any Sub Processor shall process or transfer any Personal Data (nor permit the Personal Data to be transferred) outside the EEA unless:
(a) such transfer is to countries which ensure an adequate level of data protection according to an adequacy decision of the European Commission, or
(b) such transfer is needed for the performance of the ToS, or
(c) it is governed by the EU Standard Contractual Clauses (Controller to Processor) annexed to European Commission Decision 2010/87/EU of 5 February 2010 (the “Standard Contractual Clauses”).
6.2. In the event of conflict between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Data Subject Rights
7.1. For the duration of this Addendum and the ToS, the Processor will enable the Company to access, export, rectify and/or restrict Processing of Personal Data, as well as to delete Personal Data in a manner consistent with the functionality of the Services. The Company shall be responsible for exporting Personal Data before giving any instructions to the Processor for data deletion.
7.2. Taking into account the nature of the Processing, the Processor shall assist the Company, insofar as this is possible, in fulfilling the Company’s obligation to respond to requests to exercise Data Subject rights under Applicable Laws.
7.3. The Processor shall:
(a) provide assistance within one (1) week of the Company’s written notice, should the Company request assistance in relation to requests by Data Subjects to exercise their rights;
(b) promptly notify the Company, and no later than forty-eight (48) hours after receipt, if it receives a complaint or request from a Data Subject under Applicable Laws in respect of Personal Data;
(c) provide full cooperation and assistance in relation to any complaint or request from a Data Subject regarding the Processing of Personal Data;
(d) not respond to that request, except on the documented written instructions of the Company or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before it responds to the request.
- Personal Data Breach
8.1. The Processor shall notify the Company of every Personal Data Breach without undue delay and no later than 12 hours after the Processor has become aware of the Personal Data Breach.
8.2. The Processor shall provide the Company with sufficient information to allow the Company to meet its duty to notify the Supervisory Authority competent in accordance with Article 55 GDPR or other Applicable Laws, and to inform the Data Subjects of the Personal Data Breach, where applicable. The information shall be accurate and shall always include:
(a) the identity and contact details of the Data Protection Officer or other contact point where more information can be obtained;
(b) the nature of the security breach including the categories of Data Subjects concerned and the categories of Personal Data concerned;
(c) a description of the measures the Company could take to mitigate the possible adverse effects of the Personal Data Breach;
(d) the consequences of the Personal Data Breach;
(e) the measures proposed or taken by the Processor, in cooperation with the Company, to address the Personal Data Breach.
8.3. If the Processor is unable to communicate all information relating to the Personal Data Breach simultaneously, the Processor shall provide the information as soon as the information becomes available.
8.4. The Processor shall co-operate with the Company and take such reasonable steps, as are directed by the Company, to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Data Protection Impact Assessments
9.1. The Processor shall provide reasonable cooperation and assistance to the Company to fulfil the Company’s obligations under the GDPR to carry out assessments of the impact of the envisaged Processing operations on the protection of Personal Data, taking into account the nature, scope, context and purposes of the Processing, pursuant to Article 35 GDPR.
9.2. The Processor shall provide reasonable assistance to the Company in any cooperation or prior consultation with a Supervisory Authority in the performance of the Company’s duties under section 9.1 of this Addendum.
- Audit Rights
10.1. The Processor shall make available to Company, on request, all information reasonably necessary to demonstrate its compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Personal Data.
10.2. The reasonable costs for the engagement of auditors of the Company shall be at the Company’s expense.
- Liability and Indemnity
The Parties agree that if one Party is held liable for a violation of the clauses of this Addendum by the other Party, the latter will indemnify the first Party for any costs, charges, damages, expenses or loss it has incurred.
- Termination of Contract
Upon termination or expiry of the ToS, or upon termination of the provision of data processing Services, and upon the written request of the Controller, the Processor shall immediately cease any Processing of Personal Data and shall, at the choice of the Company, return or delete all Personal Data (to the extent technically possible and practicable) no later than one month after the termination or expiry, except where Applicable Laws prevent the Processor from deleting such Personal Data.
13.1. In the event of any inconsistency between the provisions in this Addendum and the provisions of the ToS, the provisions of this Addendum shall prevail.
13.2. This Addendum is governed by the laws of Bulgaria. Any dispute arising out of or in connection with this Addendum shall be brought before the competent court of Sofia.
13.3. Any notification to the Processor pursuant to this Addendum shall be addressed to “Premium WP Support” Ltd. at email firstname.lastname@example.org
13.4. This Addendum is entered into and becomes a binding part of the ToS with effect from the effective date of the ToS.
Annex 1. Data Processing Schedule
- Categories of Personal Data
1.1. The Processed Personal Data is the Personal Data provided by the Company to the Processor in connection with the Services.
1.2. The Processed Personal Data shall include Personal Data of individuals provided or uploaded via the Services to the Processor by (or at the direction of) the Company, its customers or end users.
- Categories of Data Subjects
Data Subjects shall be the individuals about whom data is provided to the Processor via the Services by (or at the direction of) the Company, its customers or end users, its employees or other members of staff. The Company is solely responsible for determining the categories of Data Subjects.
- Permitted Processing Operations
The Processing consists of all data Processing activities that are performed following the instructions of the Controller and that are necessary to deliver the Services to the Company and for the Permitted Purposes.
- Permitted Purposes
The Processor may process Personal Data in accordance with the purposes set out in the ToS and, generally: to provide its Services to the Company.
- Duration of Processing
The duration of the Processing is limited to the period needed for the Processor to perform its obligations under the ToS. The obligations of the Processor with regard to the Processing of Personal Data shall in any case continue until the Personal Data has been properly deleted or has been returned at the request of the Company.
Effective as of: 01.08.2020