DATA PROCESSING ADDITIONAL AGREEMENT
Last Updated: 21.10.2020
"Partners" means any entity that is under common control with CrnaGoraHosting, or that controls or is controlled by CrnaGoraHosting.
"CCPA" means the California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.), and includes any amendments to and applicable regulations under that law that are valid on or after the date this Data Processing Supplemental Agreement enters into force.
"Covered Services" means all services we offer to you that may include the Processing of Personal Data.
"Customer Data" means all Data Subject Personal Data Processed by CrnaGoraHosting, within the CrnaGoraHosting Network, on behalf of the Customer, pursuant to or in connection with the Terms of Service.
"Data Controller" means the Customer as the entity that determines the purposes and methods of Processing Personal Data.
"Data Processor" means CrnaGoraHosting as the entity processing Personal Data on behalf of the Data Controller, or as a service provider as that term is defined by the CCPA.
"Data Protection Laws" means all data protection or privacy laws and regulations applicable to the Processing of Personal Data under contract, including the following laws and regulations: (i) the CCPA (California Consumer Privacy Act), (ii) the GDPR (General Data Protection Regulation), (iii) the EU e-Privacy Directive (Directive 2002/58/EC), (iv) all national data protection laws applied under or pursuant to (ii) or (iii), (v) the Swiss Federal Data Protection Act and relevant Decree of 19 June 1992, and (vi) with respect to the United Kingdom, the Data Protection Act 2018 and any applicable legislation, the GDPR or any other law on data and privacy, as changed or transformed under local law as a result of the UK's departure from the European Union.
"Data Subject" means the person to whom the Personal Data relates.
"EEA" means the European Economic Area.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"CrnaGoraHosting Network" means the data center facilities, servers, network equipment and hosting software systems (e.g. virtual firewalls) that are owned by CrnaGoraHosting, are under the control of CrnaGoraHosting and are used to provide the Covered Services.
"Personal Data" means any information relating to a person or household that has been or can be identified under the Data Protection Laws.
"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, deleting or destroying Personal Data. The terms "Process", "Processes" and "Processed" will be interpreted accordingly. Processing details are set out in Appendix 1.
"Security Incident" means either (a) a breach of security of the CrnaGoraHosting Security Standards that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to any Customer Data; or (b) any unauthorized access to CrnaGoraHosting equipment or facilities, in either case resulting in the destruction, loss, unauthorized disclosure or alteration of Customer Data.
"Security Standards" means the security standards attached to this Addendum as Annex 2.
"Standard Contractual Clauses" or "SCCs" means Annex 3, which is attached to and forms part of this Supplemental Agreement, pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under the Directive.
"Subprocessor" means any Data Processor engaged by the Processor to Process data on behalf of the Data Controller.
2.1 Scope and Roles. This Supplemental Agreement applies when Customer Data is processed by CrnaGoraHosting. In this context, CrnaGoraHosting will act as Data Processor on behalf of the Customer as Data Controller with respect to Customer Data.
2.2 Data Processing Details. The processing of Customer Data by CrnaGoraHosting is for the performance of the Covered Services under the Terms of Service and product specific agreements. CrnaGoraHosting will only Process Customer Data in accordance with the instructions documented by the Customer and for the following purposes: (i) Processing in accordance with the Terms of Service or the relevant product specific contract; (ii) Processing initiated by End Users in the use of the Covered Services; (iii) Processing to comply with other documented, reasonable instructions provided by the Customer (e.g. via e-mail) where such instructions are consistent with the terms of the Agreement. CrnaGoraHosting will not: (a) process, retain, use, sell or disclose Customer Data except as required by the Terms of Service to provide the Covered Services or as required by law; (b) sell such Customer Data to any third party; or (c) retain, use or disclose such Customer Data outside of the direct business relationship between CrnaGoraHosting and the Customer.
For the avoidance of doubt, the Customer's instructions regarding the Processing of Personal Data will comply with applicable data privacy laws. The sole responsibility for the accuracy, quality and legality of Personal Data belongs to the Customer. In the event that the instructions provided by the Customer violate the Data Protection Laws, CrnaGoraHosting will not be obliged to comply with such instructions. The duration of the Processing, the nature and purpose of the Processing, the types of personal data and the categories of Data Subjects processed under this Annex are specified in more detail in Annex 1 ("Details of the Processing") to this Supplement.
CrnaGoraHosting will not disclose Customer Data to any government or other third party except as required by law or to comply with a valid and binding order of a law enforcement agency (such as a subpoena or court order). In the event that CrnaGoraHosting receives a valid public court order, and to the extent permitted, CrnaGoraHosting will endeavor to give the Customer reasonable notice of the request by e-mail or physical mail, to allow the Customer to seek a protective order or other appropriate remedy.
4.1 CrnaGoraHosting has implemented and maintains technical and organizational measures for the CrnaGoraHosting Network as described in this Section and, more specifically, in Annex 2, Security Standards, to this Supplementary Agreement. In particular, CrnaGoraHosting has implemented and maintains technical and organizational measures addressing the following issues: (i) security of the CrnaGoraHosting Network; (ii) physical security of facilities; (iii) controls over employee and contractor access to (i) and/or (ii); and (iv) the processes for testing, measuring and evaluating the effectiveness of technical and organizational measures implemented by CrnaGoraHosting. If we are unable to fulfill any of the obligations set forth herein, we will provide a written notice (via our website and e-mail) as soon as possible.
4.2 CrnaGoraHosting provides a number of security features and functionality that the Customer can choose to use in relation to the Covered Services. The Customer is responsible for: (a) properly configuring the Covered Services; (b) using existing controls in connection with the Covered Services (including security controls) to ensure the continued confidentiality, integrity, availability and resilience of the systems and services; (c) using existing controls in connection with the Covered Services (including security controls), such as routine backup and archiving of Customer Data, to ensure the availability and timely accessibility of Customer Data after a physical or technical event; and (d) using encryption technology to protect Customer Data from unauthorized access, and taking the steps deemed sufficient to ensure appropriate security, protection and deletion of Customer Data, including measures to control access rights to Customer Data.
5. Data Subject Rights
Considering the nature of the Covered Services, CrnaGoraHosting provides specific controls as described in the Security section of this Supplemental Agreement, which the Customer can choose to use to retrieve, correct, delete or restrict the use and sharing of Customer Data as described in the Covered Services. The Customer may use these controls as technical and organizational measures to assist in connection with its obligations under applicable privacy laws, including its obligations to respond to requests from Data Subjects. To the extent it is commercially reasonable and legally required or permitted, CrnaGoraHosting will promptly notify the Customer if CrnaGoraHosting receives a direct request from a Data Subject to exercise these rights under applicable data privacy laws ("Data Subject Request"). In addition, where the Customer's use of the Covered Services limits its ability to handle a Data Subject Request, CrnaGoraHosting may, at the Customer's specific request, provide commercially reasonable assistance (if any) in handling the request, as legally permitted and appropriate.
6.1 Authorized Subprocessors. Customer agrees that CrnaGoraHosting may use Subprocessors to provide certain services, such as fulfilling contractual obligations contained in the Terms of Service and this Supplemental Agreement, or providing support services on its behalf. Customer consents to CrnaGoraHosting using Subprocessors as described in this Section. CrnaGoraHosting will not permit any other downstream processing activities, except as stated in this Section or as expressly authorized by you.
6.2 Subprocessor Obligations. Where CrnaGoraHosting uses an authorized Subprocessor as described in Section 6.1:
(i) CrnaGoraHosting will restrict the Subprocessor's access to Customer Data to what is required to maintain the Covered Services or to provide the Covered Services to the Customer and End Users. CrnaGoraHosting prohibits the Subprocessor from accessing Customer Data for any other purpose;
(ii) CrnaGoraHosting will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by CrnaGoraHosting under this Annex, CrnaGoraHosting will impose on the Subprocessor the same contractual obligations that CrnaGoraHosting has under this Annex; and
(iii) CrnaGoraHosting remains responsible for its compliance with the obligations of this Annex and for any act or omission of the Subprocessor that causes CrnaGoraHosting to breach any of its obligations under this Addendum.
6.3 New Subprocessors. From time to time, we may make use of new Subprocessors subject to the terms of this Addendum. In this case, we will provide 60 days' notice (via our website and email) of a new Subprocessor obtaining any Customer Data. If the Customer does not approve a new Subprocessor, the Customer may terminate any Covered Services without penalty by providing, within 10 days of receiving notice from us, a written notice of termination explaining the reasons for not approving. If the Covered Services are part of a package or were purchased in a bundle, termination will apply to the entire package.
7. Security Breach Notification
7.1 Security Incident: In the event that CrnaGoraHosting becomes aware of a Security Incident, CrnaGoraHosting will without delay: (a) inform the Customer about the Security Incident; and (b) take reasonable steps to minimize the impact of any damage caused by the Security Incident.
7.2 CrnaGoraHosting Support: To help the Customer with any personal data breach notification the Customer has to make under any applicable privacy legislation, CrnaGoraHosting will include in the said notification the information regarding the Security Incident that CrnaGoraHosting can reasonably share with the Customer, taking into consideration the nature of the Covered Services, the information available to CrnaGoraHosting, and any restrictions on disclosure of the information, such as confidentiality.
7.3 Failed Security Incidents: Customer agrees that:
(i) A failed Security Incident will not be subject to the terms of this Addendum. A failed Security Incident is one that does not result in any unauthorized access to Customer Data or to any CrnaGoraHosting network, equipment or facilities storing Customer Data, and may include, but is not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, failed login attempts, denial of service attacks, packet filtering operations (or other unauthorized access to traffic data that does not reach beyond headers) or similar events; and
(ii) CrnaGoraHosting's obligation to report or respond to a Security Incident under this Section is not, and will not be interpreted as, an acknowledgement by CrnaGoraHosting of any fault or liability with respect to the Security Incident.
7.4 Communication: If applicable, notification of Security Incidents will be delivered to one or more of the Customer's administrators by any means CrnaGoraHosting chooses, including via email. It is the Customer's sole responsibility to ensure that the Customer's administrators maintain correct contact information on the CrnaGoraHosting management console and that transmission is secure at all times.
8.1 Independent Determination: The Customer is responsible for reviewing the information provided by CrnaGoraHosting regarding data security and the Security Standards and making an independent determination as to whether the Covered Services fulfill the Customer's requirements and legal obligations, as well as the Customer's obligations under this Supplemental Agreement. The information provided is intended to assist the Customer in complying with the Customer's own obligations under applicable privacy laws, including the GDPR, regarding data protection impact assessments and prior consultation.
8.2 Customer Audit Rights: The Customer has the right to confirm CrnaGoraHosting's compliance with this Addendum as applicable to the Covered Services, including in particular CrnaGoraHosting's compliance with the Security Standards, by exercising a reasonable right to conduct an audit or inspection, including under the Standard Contractual Clauses where they apply, by making a specific request to CrnaGoraHosting in writing at the address specified in the Terms of Service. If CrnaGoraHosting refuses to follow any instructions requested by the Customer regarding an audit or inspection, the Customer has the right to terminate this Supplemental Agreement and the Terms of Service. If the Standard Contractual Clauses apply, nothing in this Section changes the Standard Contractual Clauses or affects the rights of the supervisory authority or data subject under the Standard Contractual Clauses. This Section will also apply insofar as CrnaGoraHosting carries out audits of Subprocessors on behalf of the Customer.
9. Transfer of Personal Data
9.1 USA Location Processing: Except as specifically stated in the Terms of Service, Customer Data will be transferred outside of the EEA and processed in the United States.
9.2 Application of Standard Contractual Clauses: The Standard Contractual Clauses will apply to Customer Data transferred outside the EEA, either directly or by onward transfer, to any country not recognized by the European Commission as providing adequate protection for Personal Data. The Standard Contractual Clauses will not apply to Customer Data that is not transferred, directly or by onward transfer, outside the EEA. Notwithstanding the above, the Standard Contractual Clauses will not apply in cases where Personal Data is transferred outside the EEA in accordance with a recognized compliance standard for lawful transfer, such as where required for the performance of the Covered Services pursuant to the Terms of Service or with your consent.
This Addendum will remain in effect until the termination of our Processing pursuant to our Terms of Service ("Termination Date").
As described in the Covered Services, the Customer may be provided with controls that can be used to retrieve or delete Customer Data. Deletion of Customer Data will be subject to the terms of these Covered Services.
The obligation of each party under this Addendum will be subject to the exceptions and limitations of the obligations set forth in the Terms of Service. The Customer may be liable for legal penalties issued by CrnaGoraHosting company in relation to Customer Data due to the Customer's failure to fulfill its obligations under this Supplemental Agreement; and any applicable privacy law will reduce the liability of CrnaGoraHosting under the Terms of Service, as is the responsibility of the Customer's Terms of Service.
This Supplemental Agreement supersedes and replaces any previous or simultaneous representation, understanding, agreement or communication between the Customer and CrnaGoraHosting, whether written or verbal, relating to the subject matter of this Supplemental Agreement, including any data processing attachments entered into between CrnaGoraHosting and the Customer with regard to the processing of personal data and the free movement of such data. Except as modified by this Addendum, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and any agreement between the parties, including this Addendum, the terms of this Addendum will prevail.
** ********************************************** **
We are committed to protecting our customers' information. Taking into account best practices, implementation costs and the nature, scope, conditions and objectives of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take the following technical and organizational measures. The confidentiality, integrity, availability and resilience of the systems are also taken into consideration when choosing the measures. A quick recovery is guaranteed after a physical or technical event.
Our Data Privacy Program was established to protect the global data management structure and to ensure information security throughout its life cycle. This program is run by the office of the data protection officer, which oversees the implementation of privacy practices and security measures. We regularly test the effectiveness of the Data Privacy Program and Security Standards.
We use a variety of physical and logical measures to protect the privacy of our customers' personal information. These measures include:
Access Control and Prevention of Unauthorized Access:
In addition to access controls, appropriate modification and daily management controls are in place to maintain the integrity of personal data, such as:
Change and Waiver Management
Logging and Monitoring
We implement appropriate continuity and security measures to maintain the availability of the services and the data contained in these services:
4. Data Processing Instructions. "The Data Processing Instructions guarantee that personal data will only be processed in accordance with the instructions of the data controller and the relevant company measures."
We have established internal privacy policies and contracts, and we organize regular privacy trainings for employees to ensure that personal data is processed in line with the customer's preferences and instructions.
See section 9.2 of the Supplemental Agreement for the applicability of these SCCs.
Standard Contractual Clauses (processors)
In accordance with Article 26(2) of Directive 95/46/EC, for the transfer of personal data to processors established in third countries that do not provide an adequate level of data protection.
Entity defined as "Customer" in the Supplemental Agreement
(the "data exporter")
CrnaGoraHosting.com, Doo
(the "data importer")
each a "party"; together "the parties",
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to provide adequate safeguards with respect to the protection of privacy and the fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex 1.
For the purposes of the Clauses:
(a) "personal data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" will have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) "data exporter" means the controller who transfers the personal data;
(c) "data importer" means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer, in accordance with its instructions and the terms of the Clauses, and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) "sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer, or from any other sub-processor of the data importer, personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer, in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
(e) "applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data, applicable to a data controller in the Member State in which the data exporter is established;
(f) "technical and organizational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer, and in particular the special categories of personal data where applicable, are set out in Annex 1, which forms an integral part of the Clauses.
Third party beneficiary clause
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2) and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor will be limited to its own processing operations under the Clauses.
Obligations of the data exporter
The data exporter agrees and warrants the following items:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State in which the data exporter is located) and does not violate the relevant provisions of that State;
(b) that it has instructed, and throughout the duration of the personal data processing services will instruct, the data importer to process the personal data transferred only on behalf of the data exporter and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide adequate guarantees regarding the technical and organizational security measures specified in Annex 2 to this contract;
(d) that, after consideration of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures provide a level of security appropriate to the risks posed by the processing and the nature of the data to be protected, having regard to the state of the technology and its cost;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed, before or as soon as possible after the transfer, that the data may be transferred to a third country that does not provide an adequate level of protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to provide the data subject with a copy of the Clauses, with the exception of Annex 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services that must be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information (in which case such commercial information may be deleted);
(i) that, in the case of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor that provides at least the same level of protection for personal data and the rights of the data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5 [footnote 1]
Obligations of the data importer
The data importer agrees and warrants the following items:
(a) to process the personal data only on behalf of the data exporter and in accordance with its instructions and the Clauses; if for any reason it cannot achieve such compliance, it agrees to immediately notify the data exporter of its inability to comply, in which case the data exporter has the right to suspend the data transfer and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that, in the event of a change in that legislation that is likely to have a significant adverse effect on the warranties and obligations provided by the Clauses, it will notify the data exporter of the change as soon as it becomes aware of it, in which case the data exporter has the right to suspend the data transfer and/or terminate the contract;
(c) that it has applied the technical and organizational security measures specified in Annex 2 before processing the personal data transferred;
(d) that it will immediately inform the data exporter of:
(i) any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a criminal law prohibition to protect the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subject, without responding to that request, unless it has been authorized otherwise;
(e) to promptly and appropriately address all questions from the data exporter regarding the processing of the transferred personal data and to comply with the advice of the supervisory authority regarding the processing of the transferred data;
(f) at the request of the data exporter, to submit its data processing facilities for audit of the processing activities covered by the Clauses, to be carried out by the data exporter or by an audit body consisting of independent members that has the necessary professional qualifications and is bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to provide the data subject, upon request, with a copy of the Clauses or any existing contract for sub-processing, unless the Clauses or contract contain commercial information (in which case such commercial information may be deleted), with the exception of Annex 2, which will be replaced by a brief description of the security measures where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the case of sub-processing, it has informed the data exporter in advance and obtained its prior written consent;
(i) that the sub-processor will perform processing services in accordance with Clause 11;
(j) to immediately send a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Mediation and jurisdiction
(a) referral of the dispute to mediation by an independent person or, where appropriate, by the supervisory authority;
(b) the submission of the dispute to the courts in the Member State in which the data exporter is located.
Cooperation with supervisory authorities
The Clauses are governed by the law of the Member State in which the data exporter is located and will be governed by the laws of England and Wales when in doubt or in the case of multiple data exporters.
Change of contract
The Parties undertake not to change the Clauses. This does not prevent the parties from adding business-related provisions where necessary, so long as they do not conflict with the Clause.
Obligation after the termination of personal data processing services
1. The parties agree that, upon the termination of the provision of data processing services, the data importer and the sub-processor will, at the choice of the data exporter, return all transferred personal data and copies to the data exporter, or destroy all the personal data and certify to the data exporter that this has been done, unless the legislation imposed on the data importer prevents the return or destruction of all or part of the personal data transferred. In that case, the data importer guarantees the confidentiality of the personal data transferred and that the transferred personal data will no longer be processed.
Annex 1 to Standard Contractual Clauses
The data exporter is the entity defined as the Customer in the Supplemental Agreement.
The data importer is CrnaGoraHosting.com, Doo, the provider of the hosted services.
Processing operations are defined in Sections 1.3 and 1 and the Supplementary Contractual Appendix.
Annex 2 to Standard Contractual Clauses
This Annex forms part of the Clauses. By purchasing the Covered Services from CrnaGoraHosting, the Supplemental Agreement and this Annex 2 have been agreed and executed between the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4 (d) and 5 (c) (or attached document / legislation):
The technical and organizational security measures implemented by the data importer are described in Annex 2 to the Supplemental Agreement, which is attached and incorporated here.
1. Mandatory requirements of the national legislation applicable to the data importer that do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defense, public security, the prevention, investigation, detection and prosecution of criminal offenses or of ethical violations for regulated professions, a significant economic or financial interest of the State, or the protection of the data subject or the rights and freedoms of others, are not contrary to the standard contractual clauses. Some examples of these mandatory requirements that do not go beyond what is necessary in a democratic society are, among others, internationally accepted sanctions, tax reporting requirements, or anti-money laundering reporting requirements.