Data processing

CONTRACT OF ENTRUSTMENT OF PERSONAL DATA PROCESSING

§ 1. Definitions

  1. The terms used in this agreement mean:
    1. Controller – as defined in Article 4(7) of the GDPR;
    2. Personal Data – as defined in Article 4(1) of the GDPR;
    3. CertifyHub – an online application available on the Service, intended for entrepreneurs, used for generating and issuing credentials, particularly badges and certificates, as well as creating email templates and sharing credentials with external Recipients;
    4. Personal Data Breach – a personal data breach as defined in Article 4(12) of the GDPR;
    5. Processor – an entity entrusted with the processing of personal data under an Agreement concluded with the Controller;
    6. Sub-processor – an entity to whom the Processor, on behalf of the Controller, has entrusted the processing of Personal Data in whole or in part;
    7. Data Processing – processing as defined in Article 4(2) of the GDPR;
    8. Terms of Service – the terms of service of the website www.certifyhub.net/terms;
    9. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
    10. Agreement – this data processing agreement;
    11. Main Agreement – the agreement for the provision of services based on the Terms of Service for access to the CertifyHub application.
  2. Other terms used in the Data Processing Agreement with capital letters have the meanings assigned to them in the Terms of Service.

§ 2. Subject of the Agreement

  1. The subject of the Agreement is the entrustment by the Controller of Personal Data to be processed by the Processor for the purpose of fulfilling the Main Agreement.
  2. The Processor processes Personal Data solely based on documented instructions from the Controller – this also applies to the transfer of Personal Data to third countries or international organizations – unless EU law or the law of a Member State to which the Processor is subject requires otherwise. In such cases, before commencing processing, the Processor informs the Controller of this legal obligation, unless such information is prohibited due to an overriding public interest. Documented instructions include the provisions of the Agreement and the Terms of Service. After concluding the Main Agreement, the Controller may direct instructions regarding the processing of Personal Data to the Processor exclusively in a format that can at least be reproduced in writing, either by mail to CertifyHub OÜ, Tartu maakond, Kambja vald, Pangodi küla, Karl-Eeriku, 62017, or by email to rodo@certifyhub.net. Instructions provided in any other form are not binding until they are transmitted in the agreed-upon form. The deadline for executing each instruction should be agreed upon by the Controller and the Processor.
  3. The Processor informs the Controller if, in its opinion, an instruction issued by the Controller violates the GDPR or applicable data protection laws.
  4. The Processing includes:
    1. Type of Personal Data: Ordinary data entered into the CertifyHub application by the Controller, particularly identification data (name, surname) and contact information (email address).
    2. Categories of individuals to whom the Personal Data pertains: Recipients of credentials, individuals authorized to manage accounts.
    3. Nature of Data Processing: Processing of Personal Data in electronic form.
    4. Data Processing includes, among other things, performing the following actions on the data:
      a) Storing Personal Data in the CertifyHub application.
      b) Deleting Personal Data once the purpose of further processing ceases.
      c) Ensuring the service functionalities under the Main Agreement.
  5. Personal Data will be processed for the duration of the Main Agreement.

§ 3. Rights and Obligations of the Processor

  1. Considering the nature of processing and the available information, the Processor undertakes to assist the Controller in fulfilling the obligations specified in Articles 32-36 of the GDPR.
  2. Taking into account the nature of the processing, the Processor commits, to the extent possible, through appropriate technical and organizational measures and at the request of the Controller, to assist the Controller in fulfilling the obligation to respond to requests from data subjects regarding the exercise of their rights as defined in Chapter III of the GDPR.
  3. The Processor has the right to suspend or limit the processing of Personal Data under the Agreement if the Controller fails to provide necessary information regarding the manner, scope, and nature of the processed Personal Data or if there is a delay in providing such information.
  4. Regarding assistance to the Controller in fulfilling the obligation to report Personal Data Breaches to the supervisory authority and to notify affected data subjects, as referred to in Article 28(3)(f) of the GDPR, considering the nature of data processing and the available information, the Processor is obligated to:
    1. Notify the Controller within 48 hours of discovering a Personal Data Breach, using the email address provided by the Processor during Account registration, related to the execution of the Agreement.
    2. Provide the Controller, to the extent possible, with additional information concerning a Personal Data Breach identified by the Controller or reported by the Processor. This information is necessary for the Controller to assess the likelihood of a risk to the rights and freedoms of the affected individuals and to comply with Articles 33 and 34 of the GDPR.
  5. The Processor commits to maintaining the confidentiality of all information, data, materials, documents, and Personal Data received from the Controller and from authorized individuals who have access to the CertifyHub application.
  6. The Controller is entitled to request information related to Personal Data Breaches, as mentioned in paragraph 4, by emailing rodo@certifyhub.net.

§ 4. Technical and Organizational Measures

  1. The Processor guarantees that every person executing the Agreement is obliged to ensure the confidentiality of Personal Data processed in connection with the execution of the Agreement, and in particular, that such data will not be transferred, disclosed, or made available to unauthorized persons. Simultaneously, every person executing the Agreement is obliged to keep the methods of securing Personal Data confidential.
  2. The Processor declares the use of technical and organizational measures specified in Article 32 of the GDPR, adequate to the identified risk of violation of the rights or freedoms of the entrusted Data.
  3. The Processor undertakes to protect the entrusted Personal Data against unauthorized or unlawful processing (destruction, loss, modification, unauthorized disclosure, or unauthorized access to Personal Data transmitted, stored, or otherwise processed) and accidental loss, destruction, or damage, using appropriate technical or organizational measures.
  4. Every person executing the Agreement is obliged to process the Personal Data to which they have access only within the scope and purpose provided for in the Agreement.

§ 5. Use of Subcontractor Services

  1. The Controller consents to the further entrustment of the Processing of the Controller’s Personal Data within the services commissioned by the Processor to other entities after prior notification of the Controller about such a Subcontractor at least 14 days in advance via an email sent to the email address provided during the Account registration, provided that the Controller does not object to such a Subcontractor within 7 days of notification by the Processor. The Controller’s objection should be sent via email to: rodo@certifyhub.net.
  2. The Processor undertakes to cooperate with such Subcontractors who ensure the implementation of such technical and organizational measures that the Processing of data complies with the requirements of the GDPR.
  3. The Processor will conclude an appropriate agreement with each Subcontractor who will process the Controller’s Personal Data, imposing appropriate obligations on the Subcontractor regarding the protection of Personal Data.
  4. The Controller hereby consents to the sub-processing of Personal Data by the Processor’s personnel cooperating with it based on a civil law contract, under the terms specified in this Agreement.
  5. If the Subcontractor fails to fulfill its obligations regarding the protection of the Controller’s Personal Data, the Processor is liable to the Controller for the Subcontractor’s failure to fulfill its obligations as if they were its own actions and omissions.

§ 6. Duties and Rights of the Controller

  1. Upon the Controller’s request, the Processor shall provide all necessary information to demonstrate compliance with the obligations incumbent upon the Processor.
  2. The Controller is authorized to conduct an audit to verify compliance with the Agreement by the Processor, either directly or through an authorized auditor, subject to the following conditions:
    1. The Controller’s auditor must not be a party engaged in competitive activities with the Processor or an entity related to the Processor, including its employees or collaborators, regardless of their employment or cooperation basis.
    2. The audit may involve inquiries, document analysis, interviews with employees/collaborators of the Processor or Sub-processors, as well as visits to the premises of the Processor, access to facilities and systems, or any other method agreed upon by the Parties, provided it directly relates to the execution of the Agreement.
    3. The audit must not cover information or documents related to other clients of the Processor, nor should it lead to or result in the Controller gaining access to Personal Data other than the Controller’s own or to confidential data of the Processor or other entities.
    4. The Processor may make the participation of the Controller’s auditor or designated employee in the audit contingent upon the prior conclusion of an appropriate confidentiality agreement with the Processor or Sub-processor.
    5. During the audit, both the Controller and the auditor must adhere to the Processor’s internal security and confidentiality procedures.
    6. Audits should not occur more frequently than once per calendar year and should not exceed 14 days in duration.
    7. The audit schedule should be agreed upon by the Parties, with the Controller notifying the intention to conduct an audit at least 30 days before the proposed date by sending an email to rodo@certifyhub.net.
    8. The Processor is obliged to participate in the audit and cooperate appropriately with the Controller and the auditor.
    9. Each Party covers its own costs related to the audit, with the Controller consistently covering all auditor costs.
  3. The Controller should exercise the rights specified in this Agreement in a manner that does not disrupt the execution of the Main Agreement or the ongoing business operations of the Processor.
  4. Upon expiration of the services, or as the case may be, where no further processing is required, the Processor shall, at the Controller’s choice, either delete, anonymize or return all Personal Data, provided there is no legal obligation to keep records for retention periods set by any applicable law. In this latter case, the Processor shall ensure the confidentiality and security of the Personal Data.

§ 7. Statements and Obligations of the Controller

  1. The Controller declares that it is the Controller of Personal Data entered into the CertifyHub application and guarantees that such data are processed in accordance with the law.
  2. The Controller undertakes to comply with the Data Processing Agreement and applicable legal provisions related to the Processing of Personal Data, particularly the obligations arising from the GDPR.

§ 8. Liability

  1. The Controller is responsible for the proper performance of the Controller’s duties in accordance with the GDPR (Article 82), other applicable data protection regulations, and this Agreement.
  2. To the extent permitted by law, the Processor’s liability towards the Controller for breaches of the GDPR, other applicable data protection regulations, or the Data Processing Agreement is excluded.
  3. The Processor’s liability for executing the Controller’s instructions that are non-compliant with the GDPR or other data protection regulations, and for instructions not submitted in accordance with §2(2), is excluded.
  4. The liability limitations mentioned in this paragraph do not apply to Controllers who are Consumers, to the extent required by mandatory legal provisions.
  5. The provisions of this paragraph remain in force after the termination or expiration of the Agreement.

§ 9. Final Provisions

  1. The procedure for handling data after the termination of the Main Agreement is specified in the Regulations.
  2. The Data Processing Agreement comes into effect from the effective date of the Main Agreement, constitutes an integral part of the Main Agreement, and is concluded for the duration of the Main Agreement.
  3. The termination or expiration of the Main Agreement results in the corresponding termination or expiration of this Agreement without the need for additional declarations. Termination of the Agreement before the end of the period for which the Main Agreement was concluded without simultaneous termination of the Main Agreement is excluded.
  4. The parties agree that the law applicable to the Agreement will be the law in force in Estonia, and any disputes will be resolved by the common court competent for the Processor’s registered office.
  5. In matters not regulated by this Data Processing Agreement, the GDPR and applicable Estonian law will apply.