Personal Data and General Confidentiality Agreement


Last Updated: 21.10.2020

This Data Processing Supplemental Agreement (this "Supplemental Agreement") is between crnagorahosting.net, Doo and its Partners ("CrnaGoraHosting") and you (the "Customer"), and supplements the Universal Terms of Service, Privacy Policy and all Covered Services (collectively, the "Service Conditions"). Unless otherwise specified in this Addendum, all capitalized terms not defined in this Addendum will have the meanings assigned to them in the Terms of Service.

1. Definitions

Partners crnagorahosting with the common control, or monitor applications monitored by means of any asset.

"CCPA" means the California Consumer Privacy Act (Cal. Civ. Code 1798.100 et seq.), and includes any amendments and applicable regulations under that law that are in force on or after the date this Data Processing Supplemental Agreement enters into force.

"Covered Services" means all services we offer to you which may include the Processing of Personal Data.

"Customer Data" is all Data Subject Personal Data Processed by CrnaGoraHosting, within the CrnaGoraHosting Network, on behalf of the Customer, following or in connection with the Terms of Service.

"Data Controller" means the Customer as the entity that determines the purposes and methods of Processing Personal Data.

"Data Processor" means CrnaGoraHosting as the entity processing Personal Data on behalf of the Data Controller, or as the service provider, as that term is defined by the CCPA.

"Data Protection Laws" means all data protection or privacy laws and regulations applicable to the Processing of Personal Data under contract, including the following laws and regulations: (i) the CCPA (California Consumer Privacy Act), (ii) the GDPR (General Data Protection Regulation), (iii) the EU e-Privacy Directive (Directive 2002/58/EC), (iv) all national data protection laws applied under or pursuant to (ii) or (iii), (v) the Swiss Federal Data Protection Act and Relevant Decree of 19 June 1992, and (vi) with respect to the United Kingdom, the Data Protection Act 2018 and any applicable legislation, the GDPR or any other law on data and privacy as changed or transformed under local law as a result of the UK's departure from the European Union.

"Data Subject" means the person to whom the Personal Data relates.

"EEA" means the European Economic Area.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"CrnaGoraHosting Network" means the data center facilities, servers, network equipment and hosting software systems (e.g. virtual firewalls) that are owned by or under the control of CrnaGoraHosting and used to provide the Covered Services.

"Personal Data" means any information relating to a person or household that has been or can be identified under the Data Protection Laws.

"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, deleting or destroying. The terms "Process", "Processes" and "Processed" will be interpreted accordingly. Processing details are set out in Annex 1.

"Security Incident" means (a) a breach of the CrnaGoraHosting Security Standards that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to any Customer Data; or (b) any unauthorized access to CrnaGoraHosting equipment or facilities, in either case resulting in the destruction, loss, unauthorized disclosure or alteration of Customer Data.

"Security Standards" means the security standards attached to this Addendum as Annex 2.

"Standard Contractual Clauses" or "SCCs" means Annex 3, which has been added to and forms part of this Supplemental Agreement pursuant to the European Commission Decision of 5 February 2010 on standard contractual provisions for the transfer of personal data to processors established in third countries under the Directive.

"Subprocessor" means any Data Processor contracted by the Processor to Process data on behalf of the Data Controller.

2. Data Processing

2.1 Scope and Roles. This Supplemental Agreement applies when Customer Data is processed by CrnaGoraHosting. In this context, CrnaGoraHosting will assume the role of Data Processor on behalf of the Customer as Data Controller with respect to Customer Data.

2.2 Data Processing Details. CrnaGoraHosting processes Customer Data in order to perform the Covered Services under the Terms of Service and product specific agreements. CrnaGoraHosting will only Process Customer Data in accordance with the instructions documented by the Customer and for the following purposes: (i) Processing in accordance with the Terms of Service or the relevant product specific contract; (ii) Processing initiated by End Users in the use of the Covered Services; (iii) Processing to comply with other documented, reasonable instructions provided by the Customer (e.g. via e-mail) where such instructions are consistent with the terms of the Agreement. CrnaGoraHosting will not: (a) process, retain, use, sell or disclose Customer Data except as required by the Terms of Service or required by law to provide the Covered Services; (b) sell such Customer Data to any third party; or (c) retain, use or disclose such Customer Data outside of the direct business relationship between CrnaGoraHosting and the Customer.

For the avoidance of doubt, the Customer's instructions regarding the Processing of Personal Data will comply with applicable data privacy laws. The sole responsibility for the accuracy, quality and legality of Personal Data belongs to the Customer. In the event that the instructions provided by the Customer violate the Data Protection Laws, CrnaGoraHosting will not be obliged to comply with such instructions. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects processed under this Supplemental Agreement are specified in more detail in Annex 1 ("Details of the Processing") to this Supplemental Agreement.

3. Confidentiality of Customer Data

CrnaGoraHosting will not disclose Customer Data to any government or other third party except as required by law or to comply with a valid and binding order of a law enforcement agency (such as a subpoena or court order). In the event that CrnaGoraHosting receives a valid public court order, and to the extent permitted, CrnaGoraHosting will endeavor to give the Customer reasonable notice of the request by e-mail or physical mail, to allow the Customer to seek a protective order or other appropriate remedy.

4. Security

4.1 CrnaGoraHosting has implemented and maintains technical and organizational measures for the CrnaGoraHosting Network as described in this Section and, more specifically, in Annex 2, Security Standards, to this Supplemental Agreement. In particular, CrnaGoraHosting has implemented and maintains technical and organizational measures addressing the following: (i) security of the CrnaGoraHosting Network; (ii) physical security of facilities; (iii) controls over employee and contractor access to (i) and/or (ii); and (iv) the processes for testing, measuring and evaluating the effectiveness of the technical and organizational measures implemented by CrnaGoraHosting. If we are unable to fulfill any of the obligations set forth herein, we will provide a written notice (via our website and e-mail) as soon as possible.

4.2 CrnaGoraHosting provides a number of security features and functionality that the Customer can choose to use in relation to the Covered Services. The Customer is responsible for: (a) properly configuring the Covered Services; (b) using existing controls in connection with the Covered Services (including security controls) to ensure the continued confidentiality, integrity, availability and resilience of the systems and services; (c) using existing controls in connection with the Covered Services (including security controls, e.g. routine backup and archiving of Customer Data) to ensure the availability of and timely access to Customer Data after a physical or technical event; and (d) using encryption technology to protect Customer Data from unauthorized access, and taking the steps the Customer deems sufficient to ensure appropriate security, protection and deletion of Customer Data, which includes measures to control access rights to Customer Data.

5. Data Subject Rights

Considering the nature of the Covered Services, CrnaGoraHosting provides specific controls as described in the Security section of this Supplemental Agreement, which the Customer can choose to use to receive, correct, delete or restrict the use and sharing of Customer Data as described in the Covered Services. The Customer may use these controls as technical and organizational measures to assist in connection with its obligations under applicable privacy laws, including its obligations to respond to requests from Data Subjects. To the extent it is commercially reasonable and legally required or permitted, CrnaGoraHosting will promptly notify the Customer if CrnaGoraHosting receives a direct request from a Data Subject to exercise these rights under applicable data privacy laws ("Data Subject Request"). In addition, where the Customer's use of the Covered Services limits the ability to handle a Data Subject Request, CrnaGoraHosting may, at the Customer's specific request, provide commercially reasonable assistance (if any) in handling the request, as legally permitted and appropriate.

6. Sub-Processing

6.1 Authorized Subprocessors. Customer agrees that CrnaGoraHosting may use Subprocessors to provide certain services, such as fulfilling contractual obligations contained in the Terms of Service and this Supplemental Agreement, or providing support services on its behalf. Customer consents to CrnaGoraHosting using Subprocessors as described in this Section. CrnaGoraHosting will not permit any other downstream processing activities, except as stated in this Section or as expressly authorized by you.

6.2 Subprocessor Obligations. Where CrnaGoraHosting uses an authorized Subprocessor as described in Section 6.1:

(i) CrnaGoraHosting will restrict the Subprocessor's access to Customer Data to what is required to maintain the Covered Services or to provide the Covered Services to the Customer and End Users. CrnaGoraHosting prohibits the Subprocessor from accessing Customer Data for any other purpose;

(ii) CrnaGoraHosting will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by CrnaGoraHosting under this Addendum, CrnaGoraHosting will impose on the Subprocessor the same contractual obligations CrnaGoraHosting has under this Addendum; and

(iii) CrnaGoraHosting will remain responsible for its compliance with the obligations of this Addendum and for any action or omission of the Subprocessor that causes CrnaGoraHosting to breach any of its obligations under this Addendum.

6.3 New Subprocessors. From time to time, we may make use of new Subprocessors subject to the terms of this Addendum. In this case, we will provide 60 days' notice (via our website and email) of a new Subprocessor acquiring any Customer Data. If the Customer does not approve a new Subprocessor, the Customer may terminate any Covered Services without penalty within 10 days after receiving notice from us, by providing written notice of termination explaining the reasons for not approving. If the Covered Services are part of a package or a product purchased in a bundle, termination will apply to the entire package.

7. Security Breach Notification

7.1 Security Incident: In the event that CrnaGoraHosting becomes aware of a Security Incident, CrnaGoraHosting will without delay: (a) inform the Customer about the Security Incident; and (b) take reasonable steps to minimize the impact of any damage caused by the Security Incident.

7.2 CrnaGoraHosting Support: To help the Customer with any personal data breach notification the Customer is required to make under any applicable privacy legislation, CrnaGoraHosting will include in its notification the information regarding the Security Incident that CrnaGoraHosting can reasonably share with the Customer, taking into account the nature of the Covered Services, the information available to CrnaGoraHosting and any restrictions on disclosing the information, such as confidentiality.

7.3 Failed Security Incidents: Customer agrees that:

(i) A failed Security Incident will not be subject to the terms of this Addendum. A failed Security Incident is one that does not result in any unauthorized access to Customer Data or to any of the Network, equipment or facilities of CrnaGoraHosting that store Customer Data, and may include, but is not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, failed login attempts, denial of service attacks, packet filtering operations (or other unauthorized access to traffic data that does not reach beyond headers) or similar events; and

(ii) CrnaGoraHosting's obligation to report or respond to a Security Incident under this Section is not, and will not be interpreted as, an acknowledgement by CrnaGoraHosting of any fault or liability with respect to the Security Incident.

7.4 Communication: If applicable, notification of Security Incidents will be delivered to one or more of the Customer's administrators by any means CrnaGoraHosting chooses, including via email. It is the Customer's sole responsibility to ensure that the Customer's administrators maintain correct contact information on the CrnaGoraHosting management console and that transmission is always secure.

8. Customer Rights

8.1 Independent Determination: The Customer is responsible for reviewing the information provided by CrnaGoraHosting regarding data security and the Security Standards, and for making an independent determination as to whether the Covered Services fulfill the Customer's requirements and legal obligations, as well as the Customer's obligations under this Supplemental Agreement. The information provided is intended to assist the Customer in complying with the Customer's own obligations under applicable privacy laws, including the GDPR, regarding data protection impact assessments and prior consultation.

8.2 Customer Control Rights: The Customer has the right to confirm CrnaGoraHosting's compliance with this Addendum as applicable to the Covered Services, including in particular CrnaGoraHosting's compliance with the Security Standards, by exercising a reasonable right to conduct an audit or inspection, or by making a specific request to CrnaGoraHosting in writing at the address specified in the Terms of Service, in accordance with the Standard Contractual Clauses. If CrnaGoraHosting refuses to follow any instructions requested by the Customer regarding an audit or inspection, the Customer has the right to terminate this Supplemental Agreement and the Terms of Service. If the Standard Contractual Clauses apply, nothing in this Section changes the Standard Contractual Clauses or affects the rights of the supervisory board or data subject under the Standard Contractual Clauses. This Section will also apply insofar as CrnaGoraHosting carries out control of Subprocessors on behalf of the Customer.

9. Transfer of Personal Data

9.1 USA Location Processing: Except as specifically stated in the Terms of Service, Customer Data will be transferred outside of the EEA and processed in the United States.

9.2 Application of Standard Contractual Clauses: The Standard Contractual Clauses will apply to Customer Data that is transferred outside the EEA, by direct or onward transfer, to any country not recognized by the European Commission as providing adequate protection for Personal Data. The Standard Contractual Clauses will not apply to Customer Data that is not transferred directly or by onward transfer outside the EEA. Notwithstanding the above, the Standard Contractual Clauses will not apply in cases where Personal Data is transferred outside the EEA in accordance with a recognized compliance standard for lawful transfer, such as where required for the performance of the Covered Services pursuant to the Terms of Service or with your consent.

10. Termination of Additional Agreement

This Addendum will remain in effect until the termination of our Processing pursuant to our Terms of Service ("Termination Date").

11. Returning or Deleting Customer Data

As described in the Covered Services, the Customer may be provided with controls that can be used to retrieve or delete Customer Data. Deletion of Customer Data will be subject to the terms of these Covered Services.

12. Limitation of Liability

The liability of each party under this Addendum will be subject to the exclusions and limitations of liability set forth in the Terms of Service. The Customer may be liable for legal penalties incurred by CrnaGoraHosting in relation to Customer Data due to the Customer's failure to fulfill its obligations under this Supplemental Agreement and any applicable privacy law; such penalties will count towards and reduce the liability of CrnaGoraHosting under the Terms of Service, as if they were liability to the Customer under the Terms of Service.

13. All Terms of Service; Contradiction

This Supplemental Agreement supersedes any previous or simultaneous representation, understanding, agreement or communication between the Customer and CrnaGoraHosting, whether written or verbal, relating to the subject matter of this Supplemental Agreement, including any data processing attachments concluded between CrnaGoraHosting and the Customer regarding the processing of personal data and the free movement of such data. Except as modified by this Addendum, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and any agreement between the parties, including this Addendum, the terms of this Addendum will prevail.

** ********************************************** ** 

Annex 1


  1. The Nature and Purpose of Processing. CrnaGoraHosting will Process Personal Data as required to perform the Covered Services, as outlined in more detail in the Terms of Service and product specific agreements, and throughout the Customer's use of the Covered Services.
  2. Duration of Processing. Subject to Section 10 of this Supplemental Agreement, CrnaGoraHosting will Process Personal Data during the period in which the Terms of Service are in effect; if Processing continues beyond this period, it will comply with the terms of this Supplemental Agreement unless otherwise agreed in writing.
  3. Data Subject Categories. Customer may upload Personal Data associated with Data Subjects during the use of the Covered Services, at its sole discretion, as determined and controlled by the Customer, and which may include but is not limited to the following categories of Data Subjects:
  • Leads, customers, business partners and vendors of the Customer (who are natural persons)
  • Employees or contact persons of the Customer's leads, customers, business partners and vendors
  • Employees, agents, consultants and freelancers of the Customer (who are natural persons)
  • Customer's Users authorized to use the Covered Services
  4. Personal Data Type. Customer may upload Personal Data of Data Subjects during the use of the Covered Services, at its sole discretion, as determined and controlled by the Customer, and which may include but is not limited to the following categories of Personal Data:
  • Name
  • Address
  • Phone number
  • Date of birth
  • E-mail address
  • Other data that can directly or indirectly identify you.

** ************************************************ 

Annex 2

Security Standards

  1. Technical and Organizational Measures

We are committed to protecting our customers' information. Considering best practices, implementation costs and the nature, scope, conditions and objectives of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we take the following technical and organizational measures. The confidentiality, integrity, availability and resilience of the systems are also taken into consideration when choosing the measures. A quick recovery is guaranteed after a physical or technical event.

  2. Data Privacy Program

Our Data Privacy Program was established to protect the global data management structure and to ensure information security throughout its life cycle. This program is run by the office of the data protection officer, which oversees the implementation of privacy practices and security measures. We regularly test the effectiveness of the Data Privacy Program and Security Standards.

  3. Confidentiality. "Confidentiality means protecting personal data against unauthorized disclosure."

We use a variety of physical and logical measures to protect the privacy of our customers' personal information. These measures include:

  Physical Security:

  • Physical access controls are implemented (badge access control, security event monitoring, etc.)
  • Surveillance systems including alarms and, as appropriate, closed-circuit TV monitoring
  • Implementation of clean desk policies and controls (locking unattended computers, lockers, etc.)
  • Visitor access management
  • Destruction of data on physical media and documents (paper shredding, degaussing, etc.)

  Access Control and Prevention of Unauthorized Access:

  • User access restrictions applied, with role-based access permissions provisioned and reviewed under segregation of duties policies
  • Strong authentication and authorization methods (multi-factor authentication, certificate-based authorization, automatic deactivation / logoff, etc.)
  • Centralized password management and strong / complex password policies (minimum length, complexity of characters, expiry of passwords, etc.)
  • Controlled access to e-mails and internet
  • Antivirus management
  • Intrusion prevention system management


  Encryption:

  • Encrypting external and internal communications with strong cryptographic protocols
  • Encrypting PII / SPII data (databases, shared directories, etc.)
  • Full disk encryption for company PCs and laptops
  • Storage media encryption
  • Remote connections to corporate networks are encrypted with VPN
  • Securing the lifecycle of encryption keys

  Data Minimization:

  • Minimization of PII / SPII in application, debugging and security logs
  • Pseudonymization of personal data to prevent direct identification of an individual
  • Separation of recorded data by function (test, staging, live)
  • Logical separation of data based on role-based access rights
  • Data retention periods defined for personal data

  Security Testing:

  • Penetration testing for critical company networks and platforms hosting personal data
  • Regular network and vulnerability scans

  4. Integrity. "Integrity refers to ensuring the accuracy (robustness) of data and correct operation of systems. When the term integrity is used in conjunction with the term 'data', it means that the data is complete and unchanged."

In addition to access controls, appropriate change and daily management controls are in place to maintain the integrity of personal data, such as:

Change and Release Management

  • Change and release management process, including impact analysis, approvals, tests, security reviews, staging, monitoring, etc.
  • Providing Role and Function-based (Separation of Duties) access in production environments    

Logging and Monitoring

  • Creating a log of access and data changes  
  • Centralized audit and security logs   
  • Monitoring the completeness and accuracy of data transfer (end-to-end check)  

  5. Availability. "The availability of services and IT systems, IT applications and IT network functions or information is guaranteed if the user can use them at all times and as intended."

We implement appropriate continuity and security measures to maintain the availability of the services and the data contained in these services:

  • Regular error tests for critical services
  • Comprehensive performance / availability monitoring and reporting for critical systems
  • Security Incident response
  • Critical data is replicated or backed up (cloud backups / hard drives / database copying, etc.)
  • Scheduled software, infrastructure and security maintenance is applied (security updates, security patches, etc.)
  • Redundant and resilient systems (server clusters, mirrored databases, high availability settings, etc.) located in on-site and / or geographically separated locations
  • Uninterruptible power supplies, redundant hardware and network systems
  • Alarm and security systems are used
  • Physical protection measures are applied for critical areas (surge protection, raised floors, cooling systems, fire and / or smoke detectors, fire extinguishing systems, etc.)
  • DDoS protection to maintain availability
  • Load and stress tests

  6. Data Processing Instructions. "The Data Processing Instructions guarantee that personal data will only be processed in accordance with the instructions of the data controller and the relevant company measures."

We have established internal privacy policies and contracts, and we organize regular privacy trainings to ensure that employees process personal data in line with the customer's preferences and instructions.

  • Privacy and confidentiality conditions in force under employee contracts 
  • Regular data privacy and security training for employees 
  • Contractual clauses in agreements with subcontractors to preserve instruction-related audit rights
  • Regular privacy checks for external service providers 
  • Providing customers with full control over their data processing preferences 
  • Regular security checks   


Annex 3

See section 9.2 of the Supplemental Agreement for the applicability of these SCCs .

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Entity defined as "Customer" in the Supplemental Agreement
(the "data exporter")


CrnaGoraHosting.com, Doo

(the "data importer")

each a "party"; together "the parties",

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex 1.

Clause 1


For the purposes of the Clauses:

(a) "personal data", "special categories of data", "process / processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) "the data exporter" means the controller who transfers the personal data;

(c) "the data importer" means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses, and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) "the sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written sub-contract;

(e) "the applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) "technical and organizational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer, and in particular the special categories of personal data where applicable, are specified in Annex 1, which forms an integral part of the Clauses.

Clause 3

Third party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e) and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2) and Clauses 9 to 12 as third party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2) and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2) and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third party liability of the sub-processor will be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants the following items:

(a) The processing, including the transfer of personal data itself, is and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and where applicable, notified to the relevant authorities of the Member State in which the data exporter is located) and does not violate the relevant provisions of that State. ;

(b) During the personal data processing services, it instructs and directs the data importer to process only the personal data transferred on behalf of the data exporter and in accordance with the applicable data protection law and Articles;

(c) the data importer shall provide adequate guarantees regarding the technical and organizational security measures specified in Annex 2 to this contract;

(d) After consideration of the requirements of applicable data protection law, security measures are particularly suitable for protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access; against the network and all other forms of illegal processing and these measures provide a level of security appropriate to the nature of the data to be protected according to the risks posed by the processing and the state of the technology and their cost;

(e) Ensure compliance with security measures;

(f) If the transfer involves special categories of data, the data subject has been informed or will be informed, either before the transfer or as soon as possible after it, that the data may be transferred to a third country that does not provide an adequate level of protection under Directive 95/46/EC;

(g) If the data exporter decides to continue or suspend the transfer, it will forward to the data protection supervisor any notification received from the data importer or sub-processor pursuant to Clause 5 (b) and Clause 8 (3);

(h) To provide the data subject with a copy of the Articles other than Annex 2 and a summary description of the security measures, as well as a copy of any contract for sub-processing services that must be performed in accordance with the Articles, unless the Articles or the contract contain commercial information (in which case such commercial information may be deleted);

(i) In the case of sub-processing, the processing activity is carried out, in accordance with Article 11, by a sub-processor that provides at least the same level of protection for personal data and the rights of the data subject as the data importer; and

(j) Comply with Articles 4 (a) to (i).

Article 5

Obligations of the data importer

The data importer agrees and warrants the following items:

(a) To process personal data only on behalf of the data exporter and in accordance with its instructions and the Articles; if for any reason it cannot achieve such compliance, it agrees to immediately notify the data exporter of its inability to comply, in which case the data exporter has the right to suspend the data transfer and / or terminate the contract;

(b) There is no reason to believe that the applicable legislation may prevent the data exporter from fulfilling their obligations under the contract and, in the event of a change in that legislation that is likely to have a significant adverse effect, that could prevent its implementation. As soon as the informed party becomes aware of the warranties and obligations provided by the articles, as soon as the informed party becomes aware, in this case the data exporter has the right to suspend the data transfer and / or terminate the contract;

(c) Applied the technical and organizational security measures specified in Annex 2 before processing the personal data transferred;

(d) It will immediately inform the data exporter of:

(i) Any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a criminal law prohibition to protect the confidentiality of a law enforcement investigation, 

(ii) Any accidental or unauthorized access, and

(iii) Unless authorized otherwise, any request received directly from the data subject without responding to that request;

(e) To promptly and appropriately address all questions from the data exporter regarding the processing of the transferred personal data and to comply with the advice of the supervisory board regarding the processing of the transferred data;

(f) At the request of the data exporter, to submit its data processing facilities for an audit of the processing activities, to be carried out by the data exporter or by an audit body consisting of independent members that has the necessary professional qualifications and is bound by a duty of confidentiality, selected by the data exporter in agreement with the supervisor;

(g) To provide the data subject, upon request, with a copy of the Clauses or of any existing contracts for sub-processing, unless the Clauses or contract contain commercial information (in which case such commercial information may be deleted), with the exception of Annex 2, which will be replaced by a brief description of the security measures where the data subject is unable to obtain a copy from the data exporter;

(h) In the case of sub-processing, it informs the data exporter in advance and obtains its prior written consent;

(i) The subprocessor will perform processing services in accordance with Clause 11;

(j) Immediately send a copy of any subprocessor agreement to the data exporter in accordance with the Clauses.

Article 6


  1. The parties agree that any data subject who has suffered damage as a result of the breach of the obligations laid down in Clause 3 or Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for damages incurred. 
  2. A data subject paragraph of parties providing the data in accordance with 1 (Item 3 or Item 11, the specified requirements of any of the data area side or bottom handler violation resulting) does not request any compensation, eliminating the data which parties or a legal up or Unless the data exporter undertakes all legal obligations (in this case, the data subject may exercise its rights), the data importer party to the data exporter as if the data subject was the data exporter, unless any successor entity undertakes all legal obligations under the contract with the operation of the law. He accepts that he can make a claim for damages against him. The data importer does not rely on the breach of a sub-processor of its obligations to avoid its own obligations. 
  3. If a data subject fails to make a claim against the data exporter or the data importer referred to in paragraphs 1 and 2 resulting from a breach of the sub-processor of any of its obligations set forth in Clause 3 or Clause 11; Both the data exporter and the data importer, the data subprocessor, the data subject, the data subprocessor, the data subprocessor of any successor party or the data importer party, in relation to their subprocessor, as they have ceased to exist or become obsolete or void in the law. Unless it undertakes its legal obligations with the contract or the functioning of the law, the data exporter or the party receiving the data, in this case, the data subject may exercise their rights against such entities. This obligation of the sub-processor will be limited to its processing operations under the Terms. 

Article 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject claims third-party beneficiary rights and / or compensation for damages under the Provisions, it will accept the data subject's decision: 

(a) referral of the dispute to mediation by an independent person or, where appropriate, by the supervisor; 

(b) the submission of the dispute to the courts in the Member State in which the data exporter is located. 

  2. The parties agree that the choice made by the data subject will not prejudice their material or procedural rights to seek legal remedies in accordance with other provisions of national or international law.

Article 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if required under the applicable data protection law. 
  2. The parties agree that the supervisory authority has the right to carry out the inspection of the data importer and any sub-processor in the same scope and subject to the same conditions applicable to the control of the data exporter under the applicable data protection law. 
  3. The data importer shall promptly notify the data exporter, pursuant to paragraph 2, of the existence of the legislation applicable to it or the data exporter of a sub-processor or any sub-processor that prevents the execution of its audit. In such a case, the data exporter will have the right to take the measures provided for in Article 5 (b). 

Article 9

Applicable laws

The Clauses are governed by the law of the Member State in which the data exporter is located and will be governed by the laws of England and Wales when in doubt or in the case of multiple data exporters. 

Article 10

Change of contract

The Parties undertake not to change the Articles. This does not prevent the parties from adding business-related provisions where necessary, so long as they do not conflict with the Clause.

Article 11

Sub Processing

  1. The data importer cannot subcontract any transaction carried out on behalf of the data exporter pursuant to the Terms without the prior written consent of the data exporter. The data importer will fulfill its obligations under the Clauses, only by concluding a written agreement with the subprocessor, with the consent of the data exporter, which imposes the same obligations as the sub-processor and, in this context, the obligations of the data importer. In the event that the sub-processor fails to fulfill its data protection obligations under this written agreement, the data importer will remain fully liable to the data exporter for the fulfillment of the sub-processor's obligations under this agreement. 
  2. The pre-written agreement between the data importer and the sub-processor will also provide for the third-party beneficiary requirement referred to in Article 3 for cases where the data subject cannot meet the compensation claim referred to in Article 6 paragraph 1; Against the data exporter or the party receiving the data, it is assumed that they have actually ceased to exist or have become null and void in the law, and any successor entity undertakes all legal obligations by the data exporter or the data importer by contract or by the functioning of the law. Such third party liability of the sub-processor will be limited to its own processing operations under the Terms. 
  3. Provisions regarding data protection aspects of sub-processing of the contract referred to in paragraph 1 are governed by the law of the Member State in which the data exporter was established. 
  4. The data exporter shall keep a list of the sub-processing agreements made by the data importer and concluded according to the Articles in accordance with Article 5 (j), which will be updated at least once a year. The list will be open to the data protection supervisory authority of the data exporter. 

Article 12

Liability following the termination of personal data processing services

  1. The parties agree that, upon the termination of the provision of data processing services, the data importer and the sub-processor will return all transferred personal data and copies, at the choice of the data exporter, to the data exporter or send the data to the exporter and give consent to the data exporter, if the legislation imposed on the party receiving the data does not prevent the transfer or destruction of all or part of the personal data transferred. In this case, the data exporter guarantees the confidentiality of the personal data transferred and that the transferred personal data will no longer be processed. 

  2. The data exporter and sub-processor shall, at the request of the data exporter and / or supervisory authority, provide information processing facilities for the control of the measures referred to in paragraph 1. 


Annex 1 to Standard Contractual Clauses

Data exporter

The data exporter is the entity defined as the Customer in the Supplemental Agreement.

Data importer

The data exporter is CrnaGoraHosting.com, the provider of the hosted services, company Doo.

Data subjects

Processing operations are defined in Sections 1.3 and 1 and the Supplementary Contractual Appendix.

Data categories

Processing operations are defined in Sections 1.3 and 1 and the Supplementary Contractual Appendix.

Processing operations

Processing operations are defined in Sections 1.3 and 1 and the Supplementary Contractual Appendix.

Annex 2 to Standard Contractual Clauses

This Annex forms part of the Articles. By purchasing the Covered Services from CrnaGoraHosting, the Supplemental Agreement and this Addendum 2 have been agreed and implemented between the parties. 

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4 (d) and 5 (c) (or attached document / legislation):

The technical and organizational security measures implemented by the data importer are described in Annex 2, which is included in the annex.

1- Mandatory requirements of national legislation applicable to the data importer, i.e. national security, defense, public security, prevention of criminal offenses, which, on the basis of the interests listed in Article 13 (1) of Directive 95/46 / EC, do not go beyond what is necessary in a democratic society, The protection of the rights and freedoms of the data subject or others is not contrary to standard contractual provisions if the investigation, detection and prosecution of the investigation, or ethical violations for regulated professions constitute a necessary measure to protect the significant economic or financial interests of the State. Some examples of these mandatory requirements that do not go beyond what is necessary in a democratic society are, among others, internationally accepted sanctions, tax reporting requirements, or anti-money laundering reporting requirements.
