Data Protection
DATA PROCESSING AGREEMENT EU
The Client (hereinafter the “Controller”) and each Service provider (hereinafter the “Processor(s)”) as referred to in the Master Service Agreement and any Appendixes that apply to the Client, together referred to as the “Parties” and each a “Party”, on the date the Agreement is signed, conclude this Data Processing Agreement and agree on the conditions under which, and which, data shall be processed by the Service provider when providing the Services in conjunction with the Agreement.
Applicability. This DPA applies to processing of Personal Data by the Service Provider where the Service Provider is established in the European Economic Area. The Service Provider has separately published equivalent Data Processing Agreements for the United Kingdom and Gibraltar, each of which applies where the relevant Service Provider is established in that jurisdiction.
Whereas:
Parties have concluded the Master Service Agreement with an intention to provide Services and therefore Parties shall cooperate (hereinafter the “Cooperation”);
a)
In the course of Cooperation the Service provider intends to process various data related to Service provision (hereinafter the “Data”) which includes Personal Data which the Client is the controller of (hereinafter the “Personal Data”) and act as a data processor, whereas the Client is a data controller authorising the Service provider to process such Personal Data under the conditions established below;
b)
For the avoidance of doubt, throughout the Agreement and this Data Processing Agreement, where the word “data” is used it should be understood as including but not limited to Personal Data and any other data processed by the Service provider in the course of providing Services under the Agreement;
c)
Processor intends to process the Personal Data pursuant to the data protection legislation and regulations, such as the regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation (hereinafter the “GDPR”)), and process all of the Data in accordance with any other applicable laws and legislations, recommendations and binding orders of the Regulatory Bodies, applicable with regard to outsourcing of Services as per Agreement or processing of data as per this data processing agreement (hereinafter all together the “Regulations”);
d)
In cases when Personal Data is transferred outside the EEA, additional conditions referred to as Standard Contractual Clauses apply to this data processing agreement (controller-to-processor transfers). “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for data transfers from data controllers in the EU to data processors established outside the EU or the European Economic Area (EEA) (controller-to-processor transfers) and can be found at www.getorbital.com/data-protection (as amended or updated from time to time).
Therefore, the Parties aim to determine the scope and purpose of Personal Data processing, legal basis for this processing, technical and organizational terms for data processing and mutual responsibilities of the Parties and enter into the present Data Processing Agreement (hereinafter the “DPA”) and agree as follows:
1. General Data Processing Rules
1.1
Data shall not be used for any purposes other than those specified in this DPA;
1.2
The Processor shall process Data:
1.2.1
in accordance with good data processing practices and prevailing information management industry standards, and in compliance with the Regulations as relates to Personal Data;
1.2.2
in accordance with written instructions from the Controller as further detailed in Annex No. 1 (Instructions for processing of Data on behalf of the Controller).
1.2.3
only during the term of this DPA and the period of time after it ends as set forth in Section 8 of this DPA.
1.3
Taking into account the nature of the processing, the Processor shall assist the Controller in its response to meet requests from Personal data subjects;
1.4
Further, the Processor undertakes to assist Controller in ensuring the compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (regarding, inter alia, security of processing, notification of a Personal Data breach to the supervisory authority, communication of a Personal Data breach to the data subject, data protection impact assessment and prior consultation), taking into account the nature of processing and the information available to the Processor, all in accordance with the Regulations.
1.5
The Processor shall provide the Controller with all information necessary to demonstrate compliance with Processor’s obligations set out in this DPA and in the Regulations where applicable;
1.6
The Processor upon separate request from the Controller shall provide the Controller with all Data or any other information the Processor has under this DPA.
1.7
This DPA shall not prevent the Processor from processing the Data as required by Regulations or by a competent court or any supervisory authority.
2. Data security
2.1
Taking into account the scope and purposes of processing, the Processor shall implement and document its technical and organisational measures to ensure the confidentiality, integrity and availability of the Data and to protect the Data against unlawful processing.
2.2
The Processor shall protect Data against destruction, modification, unlawful dissemination or unlawful access, in particular where the processing involves the transmission of data over a network. The Processor shall also protect Data against all other forms of unlawful processing.
2.3
The Processor shall periodically test, assess and evaluate the effectiveness of its technical and organisational measures.
2.4
The Processor shall train its personnel in relation to data safety requirements.
3. Controller’s obligations
3.1
The Controller shall always retain control and authority over the Personal Data processed under this DPA. If any data subject requests information on the processing of Personal Data under this DPA, requests the correction of such Personal Data, disputes the legality of the data processing, or otherwise requires the termination of the data processing or the deletion or blocking of such Personal Data, the Controller shall immediately instruct the Processor to take the appropriate measures; and
3.2
The Controller represents, warrants and shall ensure that, throughout the validity term of the Agreement, all Data transferred to and processed by the Processor is collected and processed on a lawful basis, is accurate and complete, and does not infringe upon the rights of data subjects, and that the Controller’s instructions comply with the Regulations where applicable.
3.3
The Controller shall be responsible for filling out and regularly updating Annex No. 1, indicating there all types of Personal Data and all categories of data subjects involved in the data processing under the Agreement, together with the Controller’s contact details.
4. Term and relationship to other agreements between the Parties
4.1
This DPA shall apply during the period of time that the Processor processes Data. Upon the termination or expiration of the Agreement, and where a new such agreement is entered into without a new data processing agreement being executed, this DPA shall also govern such new agreement. With the exception of the termination rights expressly set out in this DPA, this DPA may be terminated only together with the Agreement in accordance with the terms and conditions set forth in the Agreement.
5. Personal Data Breach notifications
5.1
In case of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed (hereinafter the “Data Breach”) Processor undertakes to notify the Controller.
5.2
Where, and in so far as, it is not possible to provide all the information related to the Data Breach at the same time, the information may be provided in phases without undue further delay. In cases where certain information cannot be provided by the Processor to the Controller at all, the Processor will inform the Controller accordingly.
5.3
The Processor shall take appropriate steps to protect the Data after having become aware of a Data Breach in order to limit any possible detrimental effect to the data subjects. The Processor will cooperate with the Controller to respond to the Data Breach.
6. Right of supervision and audit
6.1
According to the Regulations, Controller is obliged to monitor that the processing of Data, which is performed by the Processor, fulfils the requirements of the Agreement and this DPA.
6.2
The Controller, including its control functions (e.g., compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller, shall be entitled to take the measures necessary to assure itself that the Processor is able to carry out the security measures which must be undertaken pursuant to this DPA, and to assure itself that the Processor has in fact undertaken such measures. The Processor undertakes to ensure that the person conducting the audit receives the assistance which may reasonably be required in order for that person to be able, in a simple manner, to verify the aforesaid.
6.3
In case of Permitted Sub-processing, the Processor shall ensure that the same audit and supervision rights granted under this Section 6 to the Controller and the other persons indicated herein are extended to the processing of Data by Permitted Sub-processors.
6.4
At any time during the term of this DPA, the Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and under this DPA, and shall allow for and contribute to audits of the Processor and its Approved Sub-processors, including inspections, conducted by the Controller, including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
7. Duty of confidentiality
7.1
Confidentiality clauses, which are set in the Agreement, apply to all Data, which the Processor receives pursuant to the Agreement and this DPA.
7.2
In addition to the provisions of the above-mentioned Confidentiality clauses, the Processor undertakes to notify the Controller about:
7.2.1
any request received from any other third party without responding to that request, unless it has been otherwise authorised to do so. The Processor shall reject the request unless required by law to comply. If the request is valid, the Processor will attempt to redirect the third party to request the data directly from the Controller, and/or
7.2.2
any request on behalf of data subject regarding processing of the Personal Data.
7.3
Processor shall, at Controller’s request, provide Controller with reasonable cooperation and assistance in relation to any such request made including assisting the Controller to comply with a data access request within the relevant timescales (if any) set out in applicable Regulations.
8. Measures upon completion of processing of Data
8.1
Upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1), the Data shall either, as determined by the Controller in its sole discretion, be returned to the Controller or erased and the Processor shall delete existing copies unless the Regulations require storage of the Data. Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Data upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1).
8.2
The Processor has the right to store a copy of the Data on back-up tapes (its own or outsourced to third parties) until these tapes are overwritten (and thereby the Data deleted) in the normal course of business.
9. Liability
9.1
Where the Processor has failed to comply with this DPA, the Controller shall notify the Processor thereof in writing and grant the Processor the right to fully remedy the infringement within reasonable term, but in all cases not less than twenty (20) Business Days. Where the infringement is not fully remedied, the Controller shall be entitled to terminate the Agreement.
9.2
The Processor shall be liable only for direct damages caused to the Controller as a consequence of a breach of the provisions of this DPA. The Processor in any case will not reimburse indirect or any other kind of special losses of the Controller or any other third party. The amount of reimbursement for direct losses through the whole term of this DPA is limited to the sum of the total Charges paid and payable over the term of the Agreement, calculated by reference to the Charges in force at the Commencement Date.
9.3
The Processor is in any case not liable for any losses of the Controller, a data subject or any other third party if any of them uses an insecure computer and/or internet connection or software, or in the event that their email account, phone or other device, or their account login information, is breached, lost or stolen and this results in potentially unlawful or unauthorised use of Personal Data.
9.4
The Processor accepts no responsibility for any loss or damages if the Controller or a data subject provides any wrong or false information.
9.5
The Processor is at all times released from any liability for damages that occur in execution of direct instructions given by the Controller or on its behalf.
9.6
The Controller is fully liable for processing the Personal Data on a correct and sufficient legal ground as stated in Article 6 of the GDPR. The Processor shall take no liability for any kind of damages arising from such unlawful Personal Data processing.
9.7
For the avoidance of doubt, neither Party shall be liable to the other Party for any fines imposed by the supervisory authorities or for damages awarded by a competent court in respect of such Party’s violation of the Regulations where applicable.
10. Use of Sub-processors
10.1
The Processor may use sub-processors to perform tasks under this DPA on its behalf, provided the Processor notifies the Controller of them. Such notification is sufficient, and this DPA is deemed prior written approval of such sub-processors (hereinafter the “Permitted Sub-processor”).
10.2
The Controller acknowledges and agrees that (a) Processor’s affiliates, subsidiaries or parent companies may be retained as sub-processors without separate notification; and (b) Processor and its affiliates, subsidiaries or parent companies respectively may engage third-party sub-processors in connection with the processing of Data within the limitations of this DPA and the Agreement.
10.3
The Processor shall make available to the Controller the current list of sub-processors as part of this DPA (in Annex No. 2), which shall include the names and country locations of those sub-processors, together with the scope of services they provide for the Processor. By signing this DPA, the Controller approves these listed sub-processors for the indicated scope of services. All of them are treated as Permitted Sub-processors.
10.4
In case of any additions or change to the current list, the Processor shall notify the Controller in advance.
10.5
The Processor shall ensure that any processing of the Data by an Approved Sub-processor complies with the requirements set out under this DPA and the GDPR.
10.6
The Processor shall be responsible for any and all actions or omissions of the sub-processor (whether or not an Approved Sub-processor), under this DPA, as though they were the Processor’s own actions or omissions. The Processor is obliged to regularly monitor the performance of its sub-processors and ensure the same monitoring rights as per Section 6 are granted to the Controller including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
11. Personal Data transfers
11.1
In case Personal Data is transferred from the Controller to the Processor or from the Processor to a Permitted Sub-processor outside the European Economic Area (“EEA”), the Standard Contractual Clauses (including the annexes related thereto) are incorporated by reference into this DPA and form an integral part of this DPA, with which both the Controller (referred to as the “data exporter” in the SCC) and the Processor or Sub-processor (referred to as the “data importer” in the SCC) undertake to comply, unless the European Commission under Article 45 of the GDPR has recognised the third country where the Personal Data transfer or processing is planned as providing adequate protection, or other security measures under the GDPR have been complied with. If any discrepancies between this DPA and the Standard Contractual Clauses (including the annexes related thereto) arise, the provisions of the Standard Contractual Clauses shall prevail.
11.2
If sub-processing is approved in accordance with this DPA, the Processor may transfer Personal Data to such Permitted Sub-processor, either within or outside the EEA. This DPA and any additional written approval provided (where applicable for Permitted Sub-processing) constitute the Controller’s general consent for the Processor to transfer such data outside the EEA, provided the Processor ensures that such transfer and such Sub-processor are bound by the terms of the Standard Contractual Clauses, unless the European Commission under Article 45 of the GDPR has recognised the third country where the Personal Data transfer or processing is planned as providing adequate protection, or other security measures under the GDPR have been complied with.
11.3
The initial list of approved transfers is provided within the list of Approved Sub-processors in Annex No. 2.
11.4
In case of any additions or change to the list of Approved Sub-processors (Annex No. 2.) the Processor shall notify the Controller in advance and receive its prior written approval.
12. Remuneration
12.1
The Processor is not entitled to any specific remuneration on the basis of the contents of this DPA and shall, thus, not charge Controller under this DPA. Remuneration is solely governed by the Agreement.
12.2
If the implementation or completion of the Controller’s specific instructions requires or results in additional costs on the Processor’s side (e.g. if the Controller requires the Processor to implement specific data processing procedures which are not agreed under this DPA), the Controller shall cover the emerging costs.
13. Contact persons for Personal Data processing issues
13.1
The Processor’s contact person is the Data Protection Officer, whose contact data is as follows:
13.1.1
E-mail: hello@getorbital.com.
13.2
Each Party has to inform the other Party immediately if its contact person’s contact data changes. Having failed to do so, the Party at fault cannot make any claims or objections with respect to actions performed by the other Party, or with respect to not having received messages sent to those details, if those actions were made based on the previously known details.
13.3
The Parties agree that a notice sent via email is equal to a written document and has the same force for the Parties.
13.4
The Parties are aware of the risks deriving from electronic communication and, taking them into consideration, agree to exchange information electronically. The Processor is not liable for the risks related to the electronic communication of digitally formatted information.
14. Applicable law and disputes settlement
14.1
The DPA has been concluded and shall be interpreted and performed in accordance with the laws of England.
14.2
All disputes, discrepancies or claims arising from this DPA shall be settled by the Parties applying the Disputes Resolution Procedure as indicated in the Agreement. Following the Disputes Resolution Procedure, the courts of England shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation.
15. Declarations
15.1
The Parties hereby declare and guarantee that, according to the effective laws and other legal regulations binding on them, they and their properly authorised persons signing this DPA have full power and the necessary authorisations to enter into this DPA and to fulfil all the obligations assumed under this DPA throughout the validity term of the DPA, and that doing so will not breach the incorporation documents of the Party, governing bodies’ decisions, contractual or any other obligations, third parties’ rights or lawful interests, or the legislation and legal regulations binding on them.
16. Final provisions
16.1
DPA is an integral part of the Agreement.
16.2
The DPA has been executed in two counterparts in English, each of which has the same legal force. The Parties confirm that the language of the DPA is suitable for them and fully understandable. After signing this DPA, each Party shall receive one copy of it. Taking into consideration the fact that the Parties may reside in different countries, the DPA may be signed electronically or by exchanging physically signed copies of the DPA via electronic means of communication without additionally exchanging the signed hard copies between the Parties, and the Parties agree that such a signed DPA shall have the same legal effect as a written document signed by each Party. The DPA is binding on the signing Party from the moment of its signing, as evidenced by sending the copy of the signed DPA to the other Party.
16.3
Any amendments to this DPA shall be made in writing and be signed by duly authorised representatives of both Parties.
16.4
Notwithstanding the expiry of the Agreement or this DPA, the provisions stipulating performance of the obligations connected with the settlements, liability, applicable law and settlement of disputes shall remain valid until the full performance of such obligations.
16.5
Invalidity of any provision of the DPA shall not affect the validity of the other provisions. The Parties have agreed to substitute the invalid provision of the DPA by another which would match the economic aim and nature of the previous one in the best way.
16.6
The failure of either Party to assert any of its rights under this DPA shall not be deemed to constitute a waiver of that Party’s right thereafter to enforce each and every provision of this DPA in accordance with its terms.
16.7
Neither Party may transfer all or part of its rights and obligations under this DPA to any third party without the other Party’s consent.
16.8
What is not regulated by this DPA is regulated directly by the provisions of the Agreement. All definitions here have the same meaning as in the Agreement, and all conditions from the Agreement are applicable to this DPA, if not stated differently in this DPA.
17. Annexes (integral parts of DPA)
17.1
Annex No. 1: Instructions for processing of Data including Personal Data on behalf of the Controller.
17.2
Annex No. 2: List of Permitted Sub-processors.
Annex No. 1 to the DPA
Instructions for processing of Personal and other Data on behalf of the Controller
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The Processor shall comply with the instructions set forth below in conjunction with the processing of Personal and other Data. The terms “personal data” and “processing” relate to personal data and processing as defined in the DPA and the Regulations.
1. Agreement
1.1
Service Agreement
2. Legal background for the Data processing
2.1
Execution of the Agreement (provision of Services)
3. Nature of the processing
3.1
Collection
3.2
Recording
3.3
Structuring
3.4
Monitoring
3.5
Adaptation
3.6
Use
3.7
Consultation
3.8
Alignment
3.9
Storage
3.10
Erasure
4. Purpose of the processing
4.1
Execution of the Agreement (provision of Services)
5. Duration of the processing
5.1
As long as Agreement is valid and not more than 90 (ninety) days after termination of the Agreement or until request from the Controller to stop processing
6. Categories of personal data subjects
6.1
Authorised representatives and management members of the Controller (natural persons);
6.2
Shareholders of the Controller (natural persons);
6.3
Ultimate Beneficial Owners of the Controller;
6.4
Politically exposed persons (“PEP”) related to the Controller;
6.5
Clients of the Controller (natural persons);
6.6
Service providers of the Controller (natural persons);
7. Types of Personal Data
7.1
Authorised representatives and management members of the Controller (natural persons)
Name
Surname
Date of birth (Personal code)
Residential address
Citizenship
Position
E-mail address
Phone number
The position held at the Customer (Acting grounds) if any
Information regarding the identification document and its copy
Selfie with the identification document
Signature
7.2
Shareholders of the Controller (natural persons)
Name
Surname
Personal code
Date of birth
Citizenship / country of registration
Residential address
Share of benefit (%)
7.3
Ultimate Beneficial Owners of the Controller
Name
Surname
Citizenship(s)
Personal code (Date of birth)
Registered residential address
Taxpayer identification number (TIN)
Place of birth
Share of benefit (%)
Copy of identification document
Other information that the Controller may ask for during the Customer’s verification procedure
7.4
Politically exposed persons (“PEP”) related to the Controller:
Information on whether a Representative of the Controller / UBO, or his / her close associate or immediate family member, is a PEP
Nature of relationship with PEP
PEP’s name and surname
PEP’s country
PEP’s institution
PEP’s position
7.5
Clients of the Controller (natural persons)
Name
Surname
Address
Email
Phone number
Account numbers
Payment card numbers
Payment information with regard to payments
7.6
Service providers of the Controller (natural persons)
Name
Surname
Address
Account numbers
Payment card numbers
Payment information with regard to payments
8. Personal Data transfer/collection means
8.1
Directly from the Clients of the Controller;
8.2
Directly from the Controller;
8.3
Via API or by using the Controller’s databases to which the Processor has been granted access rights.
8.4
Directly from third party payment service providers used for conducting the transaction.
9. Security measures
The Processor shall apply proper organisational and technical security measures for Data and ensure sufficient security of this data. The minimum requirements are:
9.1
Organisational security measures
9.1.1
Security policy and procedures for the protection of data and personal data
9.1.1.1
The organization should document a separate dedicated security policy with regard to the processing of personal data and any other data. The policy should be approved by management and communicated to all employees and relevant external parties.
9.1.1.2
The security policy should be reviewed and revised on an annual basis.
9.1.2
Roles and responsibilities
9.1.2.1
Roles and responsibilities related to the processing of data should be clearly defined.
9.1.2.2
Persons in charge of specific security tasks should be clearly appointed.
9.1.3
Access control policy
9.1.3.1
Specific access control rights should be allocated to each role (involved in the processing of personal data) following the need to know principle.
9.1.3.2
An access control policy should be detailed and documented. The organization should determine in this document the appropriate access control rules, access rights and restrictions for specific user roles towards the processes and procedures related to personal data.
9.1.3.3
(For High-risk cases) Roles with excessive access rights should be clearly defined and assigned to limited specific members of staff.
9.1.4
Asset management
9.1.4.1
The organization should have a register of the IT resources used for the processing of personal data (hardware, software, and network). The register could include at least the following information: IT resource, type (e.g. server, workstation), location (physical or electronic). A specific person should be assigned the task of maintaining and updating the register.
9.1.4.2
Roles having access to certain resources should be defined and documented.
9.1.4.3
IT resources should be reviewed and updated on an annual basis.
9.1.5
Change management
9.1.5.1
Software development should be performed in a special environment that is not connected to the IT system used for the processing of personal data. When testing is needed, dummy data should be used (not real data). In cases that this is not possible, specific procedures should be in place for the protection of personal data used in testing.
9.1.6
Data processors
9.1.6.1
Formal guidelines and procedures covering the processing of personal data by data processors (contractors/outsourcing) should be defined, documented and agreed between the data controller and the data processor prior to the commencement of the processing activities. These guidelines and procedures should mandatorily establish the same level of personal data security as mandated in the organization’s security policy.
9.1.6.2
Upon becoming aware of a personal data breach, the data processor shall notify the controller without undue delay.
9.1.6.3
Formal requirements and obligations should be formally agreed between the data controller and the data processor. The data processor should provide sufficient documented evidence of compliance.
9.1.6.4
The data controller’s organization should regularly audit the compliance of the data processor to the agreed level of requirements and obligations.
9.1.6.5
(For High-risk cases) The employees of the data processor who are processing personal data should be subject to specific documented confidentiality/ non-disclosure agreements.
9.1.7
Incidents handling / Personal data breaches
9.1.7.1
An incident response plan with detailed procedures should be defined to ensure an effective and orderly response to incidents pertaining to data.
9.1.7.2
Data breaches should be reported immediately to management. Notification procedures for reporting personal data breaches to competent authorities and data subjects should be in place, following Articles 33 and 34 of the GDPR.
9.1.7.3
The incident response plan should be documented, including a list of possible mitigation actions and a clear assignment of roles.
9.1.7.4
(For High-risk cases) Incidents and data breaches should be recorded along with details regarding the event and subsequent mitigation actions performed.
9.1.8
Business continuity
9.1.8.1
The organization should establish the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing data (in the event of an incident/ data breach).
9.1.8.2
A BCP should be detailed and documented (following the general security policy). It should include clear actions and assignment of roles.
9.1.9
Confidentiality of personnel
9.1.9.1
The organization should ensure that all employees understand their responsibilities and obligations related to the processing of data including specifics of processing personal data. Roles and responsibilities should be clearly communicated during the pre-employment and/or induction process.
9.1.9.2
Prior to taking up their duties, employees should be asked to review and agree to the security policy of the organization and sign the respective confidentiality and non-disclosure agreements.
9.1.9.3
(For High-risk cases) Employees involved in high risk processing of personal data should be bound to specific confidentiality clauses (under their employment contract or other legally binding document).
9.1.10
Training
9.1.10.1
The organization should ensure that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data should also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
9.1.10.2
The organization should have structured and regular training programmes for staff, including specific programmes for the induction (to data protection matters) of newcomers.
9.2
Technical Security Measures
9.2.1
Access control and authentication
9.2.1.1
The use of common user accounts should be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities.
9.2.1.2
An authentication mechanism should be in place, allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination should be used. Passwords should respect a certain (configurable) level of complexity.
9.2.1.3
A specific password policy should be defined and documented. The policy should include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts.
9.2.1.4
User passwords must be stored in a “hashed” form.
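The three requirements above (a configurable password policy, a lockout threshold for failed logins, and storage of passwords only in hashed form) fit naturally into one small account module. The following is an added illustration, not code from the DPA or from the Service provider; the policy values, the PBKDF2 iteration count and the `Account` class are assumptions chosen for the demonstration. It uses a salted, iterated PBKDF2-HMAC-SHA256 digest from the standard library and a constant-time comparison on verification, so a leaked database yields no plaintext passwords and failed attempts are counted towards lockout:

```python
import hashlib
import hmac
import os
import re

# Constructed, configurable policy covering the attributes 9.2.1.3 names:
# length, complexity, validity period and acceptable failed attempts.
POLICY = {
    "min_length": 12,
    "require_classes": 3,        # of: lowercase, uppercase, digit, symbol
    "max_age_days": 180,
    "max_failed_attempts": 5,
}

# Assumption: work factor for PBKDF2-HMAC-SHA256 (raise as hardware allows).
PBKDF2_ITERATIONS = 600_000


def check_policy(password, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("shorter than %d characters" % policy["min_length"])
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < policy["require_classes"]:
        problems.append("uses %d character classes, policy requires %d"
                        % (classes, policy["require_classes"]))
    return problems


def hash_password(password):
    """Produce a self-describing 'algo$iterations$salt$digest' record.
    Only this record is stored; the password itself never is."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak which bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class Account:
    """Minimal account record that enforces the policy at creation time and
    locks after the configured number of consecutive failed logins."""

    def __init__(self, username, password, policy=POLICY):
        violations = check_policy(password, policy)
        if violations:
            raise ValueError("; ".join(violations))
        self.username = username
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False
        self.policy = policy

    def login(self, password):
        """Return True on success; count failures and lock at the threshold."""
        if self.locked:
            return False
        if verify_password(password, self.password_hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy["max_failed_attempts"]:
            self.locked = True
        return False
```

Storing the algorithm and iteration count alongside the digest lets the work factor be raised later and old records re-hashed at next login without a migration outage; the lockout counter is deliberately reset only by a successful login.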
9.2.2
Logging and monitoring
9.2.2.1
Log files should be activated for each system/application used for the processing of personal data. They should include all types of access to data (view, modification, deletion).
9.2.2.2
Log files should be timestamped and adequately protected against tampering and unauthorised access. Clocks should be synchronized to a single reference time source.
9.2.2.3
Actions of the system administrators and system operators, including addition/deletion/change of user rights should be logged.
9.2.2.4
There should be no possibility of deletion or modification of log files content. Access to the log files should also be logged in addition to monitoring for detecting unusual activity.
9.2.2.5
A monitoring system should process the log files, produce reports on the status of the system and raise alerts on potentially suspicious activity.
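Items 9.2.2.2, 9.2.2.4 and 9.2.2.5 together ask for timestamped access logs in which deletion or modification is detectable, plus a monitor that flags unusual activity. One way to make a log tamper-evident is to chain entries with an HMAC, so that each entry's authentication tag covers the previous tag: editing, inserting or removing any entry breaks every tag after it. The example below is added here for illustration and is not part of the DPA or the Service provider's systems; the key, the event schema and the two monitoring rules are constructed assumptions. In a real deployment the key would be held by the log collector or an HSM rather than by the host writing the log, and the log would be shipped off-host as it is written.

```python
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timezone

# Assumption: demo key only. In production the verifying key lives on the
# log collector/HSM, so a compromised host cannot forge a consistent chain.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # tag carried by the first entry


def _canonical(entry_without_mac):
    # Canonical JSON so writer and verifier MAC exactly the same bytes.
    return json.dumps(entry_without_mac, sort_keys=True,
                      separators=(",", ":")).encode()


def append_event(log, actor, action, target, ts=None):
    """Append one access-log entry (view/modify/delete/grant/revoke/...).
    Its tag covers the previous entry's tag, forming a chain."""
    prev_mac = log[-1]["mac"] if log else GENESIS
    entry = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev": prev_mac,
    }
    entry["mac"] = hmac.new(LOG_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """Return (ok, index): index is the first entry that fails, or -1 if
    the whole chain verifies. A deleted entry shows up as a broken 'prev'
    link on its successor; an edited entry shows up as a bad tag."""
    prev_mac = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_mac:
            return False, i
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev_mac = entry["mac"]
    return True, -1


def unusual_activity(log, delete_threshold=3):
    """Two constructed monitoring rules: bulk deletion by one actor, and
    user-rights changes (9.2.2.3) made by an actor without the admin role."""
    deletions = Counter(e["actor"] for e in log if e["action"] == "delete")
    alerts = ["%s deleted %d records" % (a, n)
              for a, n in deletions.items() if n > delete_threshold]
    alerts += ["%s changed rights (%s on %s) without admin role"
               % (e["actor"], e["action"], e["target"])
               for e in log
               if e["action"] in ("grant", "revoke")
               and not e["actor"].startswith("admin:")]
    return alerts
```

The chain only proves that the log has not been altered since it was written; it does not stop an attacker with the key from rewriting it, which is why the key and a copy of the latest tag should be kept off the logging host. Clock synchronisation (9.2.2.2) still matters: the chain fixes the order of events, but correlating them with other systems needs agreeing timestamps.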
9.2.3
Server/Database security
9.2.3.1
Servers should be configured in accordance with documented standards / procedures.
9.2.3.2
Server images should be reviewed, tested and kept up to date (i.e. with recent patches and changes to build/configuration).
9.2.3.3
Servers should be configured to protect against attacks by: disabling unnecessary or insecure user accounts, changing important security-related parameters from their default settings, restricting physical access to a limited number of authorised individuals, maintaining up-to-date malware protection software, monitoring, and by reviewing them on a regular basis.
9.2.3.4
Database and application servers should only process the personal data actually needed to achieve the processing purposes.
9.2.3.5
(For High-risk cases) Encryption solutions should be considered on specific files or records through software or hardware implementation.
9.2.3.6
(For High-risk cases) Encrypting storage drives should be considered.
9.2.4
Workstation security
9.2.4.1
Users should not be able to deactivate or bypass security settings.
9.2.4.2
Users should not have privileges to install or deactivate unauthorised software applications.
9.2.4.3
The system should have session time-outs when the user has not been active for a certain time period.
9.2.4.4
Critical security updates released by the operating system developer should be installed regularly.
9.2.4.5
(For High-risk cases) Transfer of personal data from workstations to external storage devices (e.g. USB, DVD, external hard drives) should not be allowed.
9.2.4.6
(For High-risk cases) Full disk software encryption should be enabled on the workstation operating system drives.
9.2.5
Network/Communication security
9.2.5.1
Whenever access is performed through the Internet, communication should be encrypted through cryptographic protocols (TLS).
9.2.5.2
Wireless access to the IT system should be protected by encryption mechanisms.
9.2.5.3
Remote access to the IT system should in general be avoided. In cases where this is absolutely necessary, it should be performed only under the control and monitoring of a specific person from the organization (e.g. IT administrator/security officer) through pre-defined devices.
9.2.5.4
The network of the information system should be segregated from the other networks of the data controller.
9.2.6
Back-ups
9.2.6.1
Backup and data restore procedures should be defined, documented and clearly linked to roles and responsibilities.
9.2.6.2
Backups should be given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
9.2.6.3
Execution of backups should be monitored to ensure completeness.
9.2.6.4
Backup media should be regularly tested to ensure that they can be relied upon for emergency use.
9.2.6.5
Copies of the backup should be securely stored in different locations.
9.2.6.6
In case a third-party service for backup storage is used, the copy must be encrypted before being transmitted from the data Processor.
9.2.7
Mobile/Portable devices
9.2.7.1
Mobile and portable device management procedures should be defined and documented establishing clear rules for their proper use.
9.2.7.2
Mobile devices that are allowed to access the information system should be pre-registered and pre-authorised.
9.2.7.3
Mobile devices should be subject to the same levels of access control procedures (to the data processing system) as other terminal equipment.
9.2.7.4
Personal data stored at the mobile device (as part of the organization’s data processing operation) should be encrypted.
9.2.8
Application lifecycle security
9.2.8.1
During the development lifecycle best practices, state of the art and well acknowledged secure development practices, frameworks or standards should be followed.
9.2.8.2
Specific security requirements should be defined during the early stages of the development lifecycle.
9.2.8.3
Specific technologies and techniques designed for supporting privacy and data protection (also referred to as Privacy Enhancing Technologies (PETs)) should be adopted in analogy to the security requirements.
9.2.8.4
Secure coding standards and practices should be followed.
9.2.8.5
During development, testing and validation of the implementation against the initial security requirements should be performed.
9.2.8.6
Vulnerability assessment, application and infrastructure penetration testing should be performed prior to the operational adoption. The application shall not be adopted unless the required level of security is achieved.
9.2.8.7
Periodic penetration testing should be carried out.
9.2.8.8
Information about technical vulnerabilities of information systems being used should be obtained.
9.2.8.9
Software patches should be tested and evaluated before they are installed in an operational environment.
9.2.9
Data deletion/disposal
9.2.9.1
Multiple passes of software-based overwriting should be performed on all media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.) physical destruction should be performed.
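The multi-pass overwrite above can be scripted for individual files when whole-media wiping tools are not applicable. The example below is an added illustration and not part of the DPA or the Service provider's tooling; the pass count, chunk size and the constructed sample record are assumptions. Each pass writes random data (zeros on the final pass) and calls `fsync` so the data reaches the device rather than only the page cache. A practitioner's caveat: this is only meaningful on media that write in place; flash storage with wear-levelling may keep old copies of blocks, so for SSDs the drive's built-in secure-erase or encryption with key destruction is the appropriate counterpart, and the page's fallback of physical destruction applies where neither is possible.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # 1 MiB write chunks (assumption)


def overwrite_file(path, passes=3):
    """Overwrite `path` in place `passes` times: random data on every pass
    except the last, which writes zeros. Returns the bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return size


def overwrite_and_delete(path, passes=3):
    """Wipe the contents first, then unlink, so the name disappears only
    after the data blocks no longer hold the original bytes."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo():
    """Create a constructed file holding sample personal data, wipe it and
    report whether the wipe ran and the file is gone."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name=Example Person;iban=XX00 0000 0000 0000\n" * 1000)
    wiped = overwrite_and_delete(path, passes=3)
    return wiped > 0 and not os.path.exists(path)
```

A record of which files were wiped, when, and by whom belongs in the destruction register that 9.2.9.3 asks for.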
9.2.9.2
Shredding of paper and portable media used to store personal data shall be carried out.
9.2.9.3
(For High-risk cases) If a third party’s services are used to securely dispose of media or paper based records, a service agreement should be in place and a record of destruction of records should be produced as appropriate. Where possible it should be considered that the process takes place at the premises of the data controller or processor (and avoid off-site transfer of personal data).
9.2.10
Physical security
9.2.10.1
The physical perimeter of the IT system infrastructure should not be accessible by non-authorised personnel. Physical barriers should, where applicable, be built to prevent unauthorised physical access.
9.2.10.2
Clear identification, through appropriate means e.g. ID Badges, for all personnel and visitors accessing the premises of the organization should be established, as appropriate.
9.2.10.3
Secure zones should be defined and be protected by appropriate entry controls. A physical log book or electronic audit trail of all access should be securely maintained and monitored.
9.2.10.4
Intruder detection systems should be installed in all security zones.
9.2.10.5
Vacant secure areas should be physically locked and periodically reviewed.
9.2.10.6
An automatic fire suppression system, closed control dedicated air conditioning system and uninterruptible power supply (UPS) should be implemented at the server room.
Annex No. 2 to the DPA
Permitted Sub-processors
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The list of subcontractors engaged by the Processor as sub-processors can be found here: Sub-processors
The list will be updated as needed to reflect any changes as regards Permitted Sub-processors.
DATA PROCESSING AGREEMENT Gibraltar
The Client (hereinafter the “Controller”) and each of the Service provider (hereinafter the “Processor(s)”) as referred to in the Master Service Agreement and any Appendixes that apply to the Client, together referred as the “Parties” and each a “Party”, on the date Agreement is signed, conclude this Data Processing Agreement and agree on the conditions how and which data shall be processed by the Service provider when providing the Services in conjunction with the Agreement;
Applicability. This DPA applies to processing of Personal Data by the Service Provider where the Service Provider is established in the European Economic Area. The Service Provider has separately published equivalent Data Processing Agreements for the United Kingdom and Gibraltar, each of which applies where the relevant Service Provider is established in that jurisdiction.
Whereas:
Parties have concluded the Master Service Agreement with an intention to provide Services and therefore Parties shall cooperate (hereinafter the “Cooperation”);
a)
In the course of Cooperation the Service provider intends to process various data related to Service provision (hereinafter the “Data”) which includes Personal Data which the Client is the controller of (hereinafter the “Personal Data”) and act as a data processor, whereas the Client is a data controller authorising the Service provider to process such Personal Data under the conditions established below;
b)
For the avoidance of doubt, throughout the Agreement and this Data Processing Agreement, where the word “data” is used it should be understood as including but not limited to Personal Data and any other data processed by the Service provider in the course of providing Services under the Agreement;
c)
Processor intends to process the Personal Data pursuant to the data protection legislation and regulations, including the General Data Protection Regulation as it forms part of the law of Gibraltar by virtue of the Data Protection Act 2004 (as amended by the Data Protection (Amendment) Regulations 2018 and any successor or amending legislation), together with the Data Protection Act 2004 itself, in each case as amended or replaced from time to time (hereinafter the “Gibraltar GDPR”), and process all of the Data in accordance with any other applicable laws and legislations, recommendations and binding orders of the Regulatory Bodies, applicable with regard to outsourcing of Services as per Agreement or processing of data as per this data processing agreement (hereinafter all together the “Regulations”);
d)
In cases when Personal data is transferred outside Gibraltar additional conditions referred to as Standard Contractual Clauses apply to this data processing agreement (controller-to-processor transfers). “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of personal data from a controller in Gibraltar to a processor established outside Gibraltar, in the form of (i) Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2 — controller-to-processor) as modified by (ii) the Gibraltar adaptation to the EU Commission Standard Contractual Clauses (the “Gibraltar Adaptation”), and that can be found on the www.getorbital.com/data-protection (as amended or updated from time to time).
Therefore, the Parties aim to determine the scope and purpose of Personal Data processing, legal basis for this processing, technical and organizational terms for data processing and mutual responsibilities of the Parties and enter into the present Data Processing Agreement (hereinafter the “DPA”) and agree as follows:
1. General Data Processing Rules
1.1
Data shall not be used for any purposes other than those specified in this DPA;
1.2
The Processor shall process Data:
1.2.1
in accordance with good data processing practices and prevailing information management industry standards, and in compliance with the Regulations as relates to Personal Data;
1.2.2
in accordance with written instructions from the Controller as further detailed in Annex No. 1 (Instructions for processing of Data on behalf of the Controller).
1.2.3
only during the term of this DPA and the period of time after it ends as set forth in Section 8 of this DPA.
1.3
Taking into account the nature of the processing, the Processor shall assist the Controller in its response to meet requests from Personal data subjects;
1.4
Further, the Processor undertakes to assist Controller in ensuring the compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (regarding, inter alia, security of processing, notification of a Personal Data breach to the supervisory authority, communication of a Personal Data breach to the data subject, data protection impact assessment and prior consultation), taking into account the nature of processing and the information available to the Processor, all in accordance with the Regulations.
1.5
The Processor shall provide the Controller with all information necessary to demonstrate compliance with Processor’s obligations set out in this DPA and in the Regulations where applicable;
1.6
The Processor upon separate request from the Controller shall provide the Controller with all Data or any other information the Processor has under this DPA.
1.7
This DPA shall not prevent the Processor from processing the Data as required by Regulations or by a competent court or any supervisory authority.
2. Data security
2.1
Taking into account the scope and purposes of processing, the Processor shall implement and document its technical and organisational measures to ensure the confidentiality, integrity and availability of the Data and to protect the Data against unlawful processing.
2.2
The Processor shall protect Data against destruction, modification, unlawful dissemination, or unlawful access, in particular where the processing involves the transmission of data over a network. The Processor shall also protect Data against all other forms of unlawful processing.
2.3
The Processor shall periodically test, assess and evaluate the effectiveness of its technical and organisational measures.
2.4
The Processor shall train its personnel in relation to data safety requirements.
3. Controller’s obligations
3.1
The Controller shall always retain control and authority over the Personal Data processed under this DPA. If any data subject requests information on the processing of Personal Data under this DPA, requests the correction of such Personal Data, disputes the legality of data processing, or otherwise requires the termination of data processing, or the deletion or blocking of such Personal Data, the Controller shall immediately instruct the Processor to take the appropriate measures; and
3.2
The Controller represents, warrants and shall ensure that during the entire validity term of the Agreement all Data transferred to and processed by the Processor is collected and processed on a lawful basis, is accurate and complete, does not infringe upon the rights of data subjects, and complies with the Controller’s instructions and the Regulations where applicable.
3.3
The Controller shall be responsible for filling out and regularly updating Annex No. 1, indicating there all types of Personal Data and all categories of data subjects involved with the data processing under the Agreement, along with the Controller’s contact details.
4. Term and relationship to other agreements between the Parties
4.1
This DPA shall apply during the period of time that the Processor processes Data. Upon the termination or expiration of the Agreement, and where a new such agreement is entered into without a new data processing agreement being executed, this DPA shall also govern such new agreement. With the exception of the termination rights expressly set out in this DPA, this DPA may be terminated only together with the Agreement in accordance with the terms and conditions set forth in the Agreement.
5. Personal Data Breach notifications
5.1
In case of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed (hereinafter the “Data Breach”) Processor undertakes to notify the Controller.
5.2
Where, and in so far as, it is not possible to provide all the information related to the Data Breach at the same time, the information may be provided in phases without undue further delay. In cases where certain information cannot be provided by the Processor to the Controller at all, the Processor will inform the Controller accordingly.
5.3
The Processor shall take appropriate steps to protect the Data after having become aware of a Data Breach in order to limit any possible detrimental effect to the data subjects. The Processor will cooperate with the Controller to respond to the Data Breach.
6. Right of supervision and audit
6.1
According to the Regulations, Controller is obliged to monitor that the processing of Data, which is performed by the Processor, fulfils the requirements of the Agreement and this DPA.
6.2
Controller including its control functions (e.g., compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller shall be entitled to take measures necessary to assure itself that the Processor is able to carry out the security measures which must be undertaken pursuant to this DPA, and to assure itself that the Processor has in fact undertaken such measures. The Processor undertakes to ensure that the person conducting the audit receives the assistance which may reasonably be required in order for him to be able, in a simple manner, to assure itself of the aforesaid.
6.3
In case of Permitted Sub-processing, the Processor shall ensure that the same audit and supervision rights granted under this Section 6 to the Controller and other persons as indicated herein, are extended with regards of processing of Data by Permitted Sub-processors.
6.4
At any time during the term of this DPA, the Processor shall, make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and under this DPA and allow for and contribute to audits, of the Processor and its Approved Sub-processors, including inspections, conducted by Controller including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
7. Duty of confidentiality
7.1
Confidentiality clauses, which are set in the Agreement, apply to all Data, which the Processor receives pursuant to the Agreement and this DPA.
7.2
In addition to the provisions of the above-mentioned Confidentiality clauses, the Processor undertakes to notify the Controller about:
7.2.1
any request received from any other third party without responding to that request, unless it has been otherwise authorised to do so. The Processor shall reject the request unless required by law to comply. If the request is valid, the Processor will attempt to redirect the third party to request the data directly from the Controller, and/or
7.2.2
any request on behalf of data subject regarding processing of the Personal Data.
7.3
Processor shall, at Controller’s request, provide Controller with reasonable cooperation and assistance in relation to any such request made including assisting the Controller to comply with a data access request within the relevant timescales (if any) set out in applicable Regulations.
8. Measures upon completion of processing of Data
8.1
Upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1), the Data shall either, as determined by the Controller in its sole discretion, be returned to the Controller or erased and the Processor shall delete existing copies unless the Regulations require storage of the Data. Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Data upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1).
8.2
The Processor has a right to store a copy of the Data on backup tapes (its own or outsourced to third parties) until these tapes are overwritten (and thereby the Data deleted) in the normal course of business.
9. Liability
9.1
Where the Processor has failed to comply with this DPA, the Controller shall notify the Processor thereof in writing and grant the Processor the right to fully remedy the infringement within a reasonable term, but in all cases not less than twenty (20) Business Days. Where the infringement is not fully remedied, the Controller shall be entitled to terminate the Agreement.
9.2
The Processor shall be liable only for direct damages caused to the Controller as a consequence of a breach of the provisions of this DPA. The Processor in any case will not reimburse indirect or any other kind of special losses of the Controller or any other third party. The amount of reimbursement for direct losses through the whole term of this DPA is limited to the sum of the total Charges paid and payable over the term of the Agreement, calculated by reference to the Charges in force at the Commencement Date.
9.3
The Processor in any case is not liable for any losses of the Controller, data subject or any other third party if any of them are using insecure computer and/or internet connection or software or in the event their email account, phone or other devices, login to the account information is breached, lost or stolen and this results in potentially unlawful or unauthorised use of Personal data.
9.4
The Processor accepts no responsibility for any loss or damages if the Controller or data subject provide any wrong or false information.
9.5
The Processor is at all times released from any liability for damages that occur in execution of direct instructions given by the Controller or on its behalf.
9.6
The Controller is fully liable for processing the Personal Data on a correct and sufficient legal ground as stated in article 6 of GDPR. The Processor shall take no liability for any kind of damages arising from such unlawful Personal Data processing.
9.7
For the avoidance of doubt, neither Party shall be liable to the other Party for any fines imposed by the supervisory authorities or for damages awarded by a competent court in respect of such Party’s violation of the Regulations where applicable.
10. Use of Sub-processors
10.1
Processor may use sub-processors to perform tasks under this DPA on its behalf if the Processor notifies them to the Controller. Such notification is sufficient and this DPA is deemed prior written approval of such sub-processors (hereinafter the “Permitted Sub-processor”).
10.2
The Controller acknowledges and agrees that (a) Processor’s affiliates, subsidiaries or parent companies may be retained as sub-processors without separate notification; and (b) Processor and its affiliates, subsidiaries or parent companies respectively may engage third-party sub-processors in connection with the processing of Data within the limitations of this DPA and the Agreement.
10.3
The Processor shall make available to the Controller the current list of sub-processors as part of this DPA (in Annex No. 2), which shall include the names and country locations of those sub-processors, along with the scope of services they provide for the Processor. The Controller approves these listed sub-processors for the indicated scope of services by signing this DPA. All of them are treated as Permitted Sub-processors.
10.4
In case of any additions or change to the current list, the Processor shall notify the Controller in advance.
10.5
The Processor shall ensure that any processing of the Data by an Approved Sub-processor complies with the requirements set out under this DPA and the GDPR.
10.6
The Processor shall be responsible for any and all actions or omissions of the sub-processor (whether or not an Approved Sub-processor), under this DPA, as though they were the Processor’s own actions or omissions. The Processor is obliged to regularly monitor the performance of its sub-processors and ensure the same monitoring rights as per Section 6 are granted to the Controller including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
11. Personal Data transfers
11.1
In case the Personal data is transferred from Controller to Processor or from Processor to Permitted Sub-processor outside the European Economic Area (“EEA”), the Standard Contractual Clauses (including annexes related thereto) are incorporated by reference into this DPA and form an integral part of this DPA, with which both the Controller (referred to as the “data exporter” in the SCC) and the Processor or Sub-processor (referred to as the “data importer” in the SCC) undertake to comply, unless the European Commission under article 45 of GDPR has recognised such third country, where Personal Data transfer or processing is planned, as providing adequate protection, or other security measures under GDPR have been complied with. If any discrepancies between this DPA and the Standard Contractual Clauses (including annexes related thereto) arise, the provisions indicated in the Standard Contractual Clauses shall prevail.
11.2
If sub-processing is approved in accordance with this DPA, the Processor may transfer Personal Data to such Permitted Sub-processor, either within or outside the EEA. This DPA and any additional written approval provided (where applicable for Permitted Sub-processing) constitute the Controller’s general consent for the Processor to transfer such data outside the EEA, provided the Processor ensures that such transfer and such Sub-processor are bound by the terms of the Standard Contractual Clauses, unless the European Commission under article 45 of GDPR has recognised such third country, where Personal Data transfer or processing is planned, as providing adequate protection, or other security measures under GDPR have been complied with.
11.3
The initial list of approved transfers is provided within the list of Approved Sub-processors in Annex No. 2.
11.4
In case of any additions or change to the list of Approved Sub-processors (Annex No. 2.) the Processor shall notify the Controller in advance and receive its prior written approval.
12. Remuneration
12.1
The Processor is not entitled to any specific remuneration on the basis of the contents of this DPA and shall, thus, not charge Controller under this DPA. Remuneration is solely governed by the Agreement.
12.2
If implementation or completion of the Controller’s specific instructions requires or results in additional costs on the Processor’s side (e.g. if the Controller requires the Processor to implement specific data processing procedures which are not agreed under this DPA), the Controller shall cover such costs.
13. Contact persons for Personal Data processing issues
13.1
Processor’s contact person is Data Protection Officer whose contact data is as follows:
13.1.1
E-mail: hello@getorbital.com.
13.2
A Party has to inform the other Party immediately in case its contact person’s contact data changes. Having failed to do so, the defaulting Party cannot make any claims or objections with respect to actions performed by the other Party, or with respect to not having received messages sent to those details, if those actions were made on the basis of the previously known details.
13.3
Parties agree that a notice, sent via email is equal to the written document and has the same power for the Parties.
13.4
Parties are aware of the risks deriving from electronic communication and taking them into consideration agree to exchange of information electronically. The Processor is not liable for the risks related to electronic communication of digitally formatted information.
14. Applicable law and disputes settlement
14.1
The DPA has been concluded and shall be interpreted and performed in accordance with the laws of England.
14.2
All disputes, discrepancies or claims arising from this DPA shall be settled by the Parties applying Disputes Resolution Procedure as indicated in the Agreement. The courts of England shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation following the Disputes Resolution Procedure.
15. Declarations
15.1
The Parties hereby declare and guarantee that according to the effective laws and other legal regulations binding to them, that they and their properly authorised persons signing this DPA have full power and necessary authorisations to enter into this DPA and fulfil all the obligations assumed under this DPA throughout the validity term of the DPA and it will not breach the incorporation documents of the Party, governing bodies' decisions, contractual or any other obligations or third parties' rights or lawful interests, and the legislation and legal regulations binding to them.
16. Final provisions
16.1
DPA is an integral part of the Agreement.
16.2
The DPA has been executed in two counterparts in English and each of them has the same legal force. The Parties confirm that the language of the DPA is suitable for them and fully understandable. After signing this DPA, each Party shall receive one copy of it. Taking into consideration the fact that the Parties may reside in different countries, the DPA may be signed electronically or by exchanging physically signed copies of the DPA via electronic means of communication without additionally exchanging the signed hard copies between the Parties, and the Parties agree that such a signed DPA shall have the same legal effect as a written document signed by each Party. The DPA is binding on the signing Party from the moment of its signing, as evidenced by sending the copy of the signed DPA to the other Party.
16.3
Any amendments to this DPA shall be made in writing and be signed by duly authorised representatives of both Parties.
16.4
Notwithstanding the expiry of the Agreement or this DPA, the provisions stipulating performance of the obligations connected with the settlements, liability, applicable law and settlement of disputes shall remain valid until the full performance of such obligations.
16.5
Invalidity of any provision of the DPA shall not affect the validity of the other provisions. The Parties have agreed to substitute the invalid provision of the DPA by another which would match the economic aim and nature of the previous one in the best way.
16.6
The failure of either Party to assert any of its rights under this DPA shall not be deemed to constitute a waiver of that Party’s right thereafter to enforce each and every provision of this DPA in accordance with its terms.
16.7
Neither Party may transfer all or part of its rights and obligations under this DPA to any third party without the other Party’s consent.
16.8
What is not regulated by this DPA is regulated directly by the provisions of the Agreement. All definitions here have the same meaning as in the Agreement, and all conditions from the Agreement are applicable to this DPA, if not stated differently in this DPA.
17. Annexes (integral parts of DPA)
17.1
Annex No. 1: Instructions for processing of Data including Personal Data on behalf of the Controller.
17.2
Annex No. 2: List of Permitted Sub-processors.
Annex No. 1 to the DPA
Instructions for processing of Personal and other Data on behalf of the Controller
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The Processor shall comply with the instructions set forth below in conjunction with the processing of Personal and other Data. The terms “personal data” and “processing” relate to personal data and processing as defined in the DPA and Regulations.
1. Agreement
1.1
Service Agreement
2. Legal background for the Data processing
2.1
Execution of the Agreement (provision of Services)
3. Nature of the processing
3.1
Collection
3.2
Recording
3.3
Structuring
3.4
Monitoring
3.5
Adaptation
3.6
Use
3.7
Consultation
3.8
Alignment
3.9
Storage
3.10
Erasure
4. Purpose of the processing
4.1
Execution of the Agreement (provision of Services)
5. Duration of the processing
5.1
As long as Agreement is valid and not more than 90 (ninety) days after termination of the Agreement or until request from the Controller to stop processing
6. Categories of personal data subjects
6.1
Authorised representatives and management members of the Controller (natural persons);
6.2
Shareholders of the Controller (natural persons);
6.3
Ultimate Beneficial Owners of the Controller;
6.4
Politically exposed persons (“PEP”) related to the Controller;
6.5
Clients of the Controller (natural persons);
6.6
Service providers of the Controller (natural persons);
7. Types of Personal Data
7.1
Authorised representatives and management members of the Controller (natural persons)
Name
Surname
Date of birth (Personal code)
Residential address
Citizenship
Position
E-mail address
Phone number
The position held at the Customer (Acting grounds) if any
Information regarding the identification document and its copy
Selfie with the identification document
Signature
7.2
Shareholders of the Controller (natural persons)
Name
Surname
Personal code
Date of birth
Citizenship / country of registration
Residential address
Share of benefit (%)
7.3
Ultimate Beneficial Owners of the Controller
Name
Surname
Citizenship(s)
Personal code (Date of birth)
Registered residential address
Taxpayer identification number (TIN)
Place of birth
Share of benefit (%)
Copy of identification document
Other information that Controller may ask during Customer’s verification procedure
7.4
Politically exposed persons (“PEP”) related to the Controller:
Information on whether a Representative of the Controller/ UBO or his / her close associate or immediate family member are PEP
Nature of relationship with PEP
PEP’s name and surname
PEP’s country
PEP’s institution
PEP’s position
7.5
Clients of the Controller (natural persons)
Name
Surname
Address
Email
Phone number
Account numbers
Payment card numbers
Payment information with regard to payments
7.6
Service providers of the Controller (natural persons)
Name
Surname
Address
Account numbers
Payment card numbers
Payment information with regard to payments
8. Personal Data transfer/collection means
8.1
Directly from the Clients of the Controller;
8.2
Directly from the Controller;
8.3
Via API or by using Controller’s databases to which the Processor has the granted access rights
8.4
Directly from third party payment service providers used for conducting the transaction.
9. Security measures
The Processor shall apply proper rules for the organizational and technical security measures for Data and ensure sufficient security of this data. The minimum requirements are:
9.1
Organisational security measures
9.1.1
Security policy and procedures for the protection of data and personal data
9.1.1.1
The organization should document a separate dedicated security policy with regard to the processing of personal data and any other data. The policy should be approved by management and communicated to all employees and relevant external parties.
9.1.1.2
The security policy should be reviewed and revised on an annual basis.
9.1.2
Roles and responsibilities
9.1.2.1
Roles and responsibilities related to the processing of data should be clearly defined.
9.1.2.2
Clear appointment of persons in charge of specific security tasks should be performed.
9.1.3
Access control policy
9.1.3.1
Specific access control rights should be allocated to each role (involved in the processing of personal data) following the need to know principle.
9.1.3.2
An access control policy should be detailed and documented. The organization should determine in this document the appropriate access control rules, access rights and restrictions for specific user roles towards the processes and procedures related to personal data.
9.1.3.3
(For High-risk cases) Roles with excessive access rights should be clearly defined and assigned to limited specific members of staff.
9.1.4
Asset management
9.1.4.1
The organization should have a register of the IT resources used for the processing of personal data (hardware, software, and network). The register could include at least the following information: IT resource, type (e.g. server, workstation), location (physical or electronic). A specific person should be assigned the task of maintaining and updating the register.
9.1.4.2
Roles having access to certain resources should be defined and documented.
9.1.4.3
IT resources should be reviewed and updated on annual basis.
9.1.5
Change management
9.1.5.1
Software development should be performed in a separate environment that is not connected to the IT system used for the processing of personal data. When testing is needed, dummy data should be used (not real data). In cases where this is not possible, specific procedures should be in place for the protection of personal data used in testing.
9.1.6
Data processors
9.1.6.1
Formal guidelines and procedures covering the processing of personal data by data processors (contractors/outsourcing) should be defined, documented and agreed between the data controller and the data processor prior to the commencement of the processing activities. These guidelines and procedures should mandatorily establish the same level of personal data security as mandated in the organization’s security policy.
9.1.6.2
Upon becoming aware of a personal data breach, the data processor shall notify the controller without undue delay.
9.1.6.3
Formal requirements and obligations should be formally agreed between the data controller and the data processor. The data processor should provide sufficient documented evidence of compliance.
9.1.6.4
The data controller’s organization should regularly audit the compliance of the data processor to the agreed level of requirements and obligations.
9.1.6.5
(For High-risk cases) The employees of the data processor who are processing personal data should be subject to specific documented confidentiality/ non-disclosure agreements.
9.1.7
Incidents handling / Personal data breaches
9.1.7.1
An incident response plan with detailed procedures should be defined to ensure an effective and orderly response to incidents pertaining to data.
9.1.7.2
Data breaches should be reported immediately to the management. Notification procedures for the reporting of the personal data breaches to competent authorities and data subjects should be in place, following art. 33 and 34 GDPR.
9.1.7.3
The incidents’ response plan should be documented, including a list of possible mitigation actions and clear assignment of roles.
9.1.7.4
(For High-risk cases) Incidents and data breaches should be recorded along with details regarding the event and subsequent mitigation actions performed.
9.1.8
Business continuity
9.1.8.1
The organization should establish the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing data (in the event of an incident/ data breach).
9.1.8.2
A BCP should be detailed and documented (following the general security policy). It should include clear actions and assignment of roles.
9.1.9
Confidentiality of personnel
9.1.9.1
The organization should ensure that all employees understand their responsibilities and obligations related to the processing of data including specifics of processing personal data. Roles and responsibilities should be clearly communicated during the pre-employment and/or induction process.
9.1.9.2
Prior to taking up their duties, employees should be asked to review and agree to the security policy of the organization and sign the respective confidentiality and non-disclosure agreements.
9.1.9.3
(For High-risk cases) Employees involved in high risk processing of personal data should be bound to specific confidentiality clauses (under their employment contract or other legally binding document).
9.1.10
Training
9.1.10.1
The organization should ensure that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data should also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
9.1.10.2
The organization should have structured and regular training programmes for staff, including specific programmes for the induction (to data protection matters) of newcomers.
9.2
Technical Security Measures
9.2.1
Access control and authentication
9.2.1.1
The use of common user accounts should be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities.
9.2.1.2
An authentication mechanism should be in place, allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination should be used. Passwords should respect a certain (configurable) level of complexity.
9.2.1.3
A specific password policy should be defined and documented. The policy should include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts.
9.2.1.4
User passwords must be stored in a “hashed” form.
9.2.2
Logging and monitoring
9.2.2.1
Log files should be activated for each system/application used for the processing of personal data. They should include all types of access to data (view, modification, deletion).
9.2.2.2
Log files should be timestamped and adequately protected against tampering and unauthorised access. Clocks should be synchronized to a single reference time source.
9.2.2.3
Actions of the system administrators and system operators, including addition/deletion/change of user rights should be logged.
9.2.2.4
There should be no possibility of deletion or modification of log files content. Access to the log files should also be logged in addition to monitoring for detecting unusual activity.
9.2.2.5
A monitoring system should process the log files and produce reports on the status of the system and notify for potential alerts.
9.2.3
Server/Database security
9.2.3.1
Servers should be configured in accordance with documented standards / procedures.
9.2.3.2
Server images should be reviewed, tested and kept up to date (i.e. with recent patches and changes to build/configuration).
9.2.3.3
Servers should be configured to protect against attacks by: disabling unnecessary or insecure user accounts, changing important security-related parameters from their default settings, restricting physical access to a limited number of authorised individuals, maintaining up-to-date malware protection software, monitoring, and by reviewing them on a regular basis.
9.2.3.4
Database and application servers should only process the personal data that is actually needed in order to achieve the processing purposes.
9.2.3.5
(For High-risk cases) Encryption solutions should be considered on specific files or records through software or hardware implementation.
9.2.3.6
(For High-risk cases) Encrypting storage drives should be considered.
9.2.4
Workstation security
9.2.4.1
Users should not be able to deactivate or bypass security settings.
9.2.4.2
Users should not have privileges to install or deactivate unauthorised software applications.
9.2.4.3
The system should have session time-outs when the user has not been active for a certain time period.
9.2.4.4
Critical security updates released by the operating system developer should be installed regularly.
9.2.4.5
(For High-risk cases) Transfer of personal data from workstations to external storage devices (e.g. USB, DVD, external hard drives) should not be allowed.
9.2.4.6
(For High-risk cases) Full disk software encryption should be enabled on the workstation operating system drives.
9.2.5
Network/Communication security
9.2.5.1
Whenever access is performed through the Internet, communication should be encrypted through cryptographic protocols (TLS).
9.2.5.2
Wireless access to the IT system should be protected by encryption mechanisms.
9.2.5.3
Remote access to the IT system should in general be avoided. In cases where this is absolutely necessary, it should be performed only under the control and monitoring of a specific person from the organization (e.g. IT administrator/security officer) through pre-defined devices.
9.2.5.4
The network of the information system should be segregated from the other networks of the data controller.
9.2.6
Back-ups
9.2.6.1
Backup and data restore procedures should be defined, documented and clearly linked to roles and responsibilities.
9.2.6.2
Backups should be given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
9.2.6.3
Execution of backups should be monitored to ensure completeness.
9.2.6.4
Backup media should be regularly tested to ensure that they can be relied upon for emergency use.
9.2.6.5
Copies of the backup should be securely stored in different locations.
9.2.6.6
In case a third-party service for backup storage is used, the copy must be encrypted before being transmitted from the data Processor.
9.2.7
Mobile/Portable devices
9.2.7.1
Mobile and portable device management procedures should be defined and documented establishing clear rules for their proper use.
9.2.7.2
Mobile devices that are allowed to access the information system should be pre-registered and pre-authorised.
9.2.7.3
Mobile devices should be subject to the same levels of access control procedures (to the data processing system) as other terminal equipment.
9.2.7.4
Personal data stored at the mobile device (as part of the organization’s data processing operation) should be encrypted.
9.2.8
Application lifecycle security
9.2.8.1
During the development lifecycle, best-practice, state-of-the-art and well-acknowledged secure development practices, frameworks or standards should be followed.
9.2.8.2
Specific security requirements should be defined during the early stages of the development lifecycle.
9.2.8.3
Specific technologies and techniques designed for supporting privacy and data protection (also referred to as Privacy Enhancing Technologies (PETs)) should be adopted in analogy to the security requirements.
9.2.8.4
Secure coding standards and practices should be followed.
9.2.8.5
During development, testing and validation of the implementation against the initial security requirements should be performed.
9.2.8.6
Vulnerability assessment, application and infrastructure penetration testing should be performed prior to the operational adoption. The application shall not be adopted unless the required level of security is achieved.
9.2.8.7
Periodic penetration testing should be carried out.
9.2.8.8
Information about technical vulnerabilities of information systems being used should be obtained.
9.2.8.9
Software patches should be tested and evaluated before they are installed in an operational environment.
9.2.9
Data deletion/disposal
9.2.9.1
Multiple passes of software-based overwriting should be performed on all media prior to their disposal. In cases where this is not possible (CDs, DVDs, etc.), physical destruction should be performed.
9.2.9.2
Shredding of paper and portable media used to store personal data shall be carried out.
9.2.9.3
(For High-risk cases) If a third party’s services are used to securely dispose of media or paper based records, a service agreement should be in place and a record of destruction of records should be produced as appropriate. Where possible it should be considered that the process takes place at the premises of the data controller or processor (and avoid off-site transfer of personal data).
9.2.10
Physical security
9.2.10.1
The physical perimeter of the IT system infrastructure should not be accessible by non-authorised personnel. Physical barriers should, where applicable, be built to prevent unauthorised physical access.
9.2.10.2
Clear identification, through appropriate means e.g. ID Badges, for all personnel and visitors accessing the premises of the organization should be established, as appropriate.
9.2.10.3
Secure zones should be defined and be protected by appropriate entry controls. A physical log book or electronic audit trail of all access should be securely maintained and monitored.
9.2.10.4
Intruder detection systems should be installed in all security zones.
9.2.10.5
Vacant secure areas should be physically locked and periodically reviewed.
9.2.10.6
An automatic fire suppression system, closed-control dedicated air conditioning system and uninterruptible power supply (UPS) should be implemented in the server room.
Annex No. 2 to the DPA
Permitted Sub-processors
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The list of subcontractors engaged by the Processor as sub-processors can be found here: Sub-processors
The list will be updated as needed to reflect any changes as regards Permitted Sub-processors.
DATA PROCESSING AGREEMENT UK
The Client (hereinafter the “Controller”) and each of the Service provider (hereinafter the “Processor(s)”) as referred to in the Master Service Agreement and any Appendixes that apply to the Client, together referred as the “Parties” and each a “Party”, on the date Agreement is signed, conclude this Data Processing Agreement and agree on the conditions how and which data shall be processed by the Service provider when providing the Services in conjunction with the Agreement;
Applicability. This DPA applies to processing of Personal Data by the Service Provider where the Service Provider is established in the European Economic Area. The Service Provider has separately published equivalent Data Processing Agreements for the United Kingdom and Gibraltar, each of which applies where the relevant Service Provider is established in that jurisdiction.
Whereas:
Parties have concluded the Master Service Agreement with an intention to provide Services and therefore Parties shall cooperate (hereinafter the “Cooperation”);
a)
In the course of Cooperation the Service provider intends to process various data related to Service provision (hereinafter the “Data”) which includes Personal Data which the Client is the controller of (hereinafter the “Personal Data”) and act as a data processor, whereas the Client is a data controller authorising the Service provider to process such Personal Data under the conditions established below;
b)
For the avoidance of doubt, throughout the Agreement and this Data Processing Agreement, where the word “data” is used it should be understood as including but not limited to Personal Data and any other data processed by the Service provider in the course of providing Services under the Agreement;
c)
Processor intends to process the Personal Data pursuant to the data protection legislation and regulations, including Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case as amended or replaced from time to time (hereinafter the “UK GDPR”), and process all of the Data in accordance with any other applicable laws and legislations, recommendations and binding orders of the Regulatory Bodies, applicable with regard to outsourcing of Services as per Agreement or processing of data as per this data processing agreement (hereinafter all together the “Regulations”)
d)
In cases when Personal data is transferred outside the United Kingdom additional conditions referred to as Standard Contractual Clauses apply to this data processing agreement (controller-to-processor transfers). “Standard Contractual Clauses” or “SCC” mean the standard contractual clauses for the transfer of personal data from a controller in the United Kingdom to a processor established outside the United Kingdom, in the form of (i) Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module 2 — controller-to-processor) as modified by (ii) the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (the “UK Addendum”), and that can be found on the www.getorbital.com/data-protection (as amended or updated from time to time).
Therefore, the Parties aim to determine the scope and purpose of Personal Data processing, legal basis for this processing, technical and organizational terms for data processing and mutual responsibilities of the Parties and enter into the present Data Processing Agreement (hereinafter the “DPA”) and agree as follows:
1. General Data Processing Rules
1.1
Data shall not be used for any purposes other than those specified in this DPA;
1.2
The Processor shall process Data:
1.2.1
in accordance with good data processing practices and prevailing information management industry standards, and in compliance with the Regulations as relates to Personal Data;
1.2.2
in accordance with written instructions from the Controller as further detailed in Annex No. 1 (Instructions for processing of Data on behalf of the Controller).
1.2.3
only during the term of this DPA and the period of time after it ends as set forth in Section 8 of this DPA.
1.3
Taking into account the nature of the processing, the Processor shall assist the Controller in its response to meet requests from Personal data subjects;
1.4
Further, the Processor undertakes to assist Controller in ensuring the compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (regarding, inter alia, security of processing, notification of a Personal Data breach to the supervisory authority, communication of a Personal Data breach to the data subject, data protection impact assessment and prior consultation), taking into account the nature of processing and the information available to the Processor, all in accordance with the Regulations.
1.5
The Processor shall provide the Controller with all information necessary to demonstrate compliance with Processor’s obligations set out in this DPA and in the Regulations where applicable;
1.6
The Processor upon separate request from the Controller shall provide the Controller with all Data or any other information the Processor has under this DPA.
1.7
This DPA shall not prevent the Processor from processing the Data as required by Regulations or by a competent court or any supervisory authority.
2. Data security
2.1
Taking into account the scope and purposes of processing, the Processor shall implement and document its technical and organisational measures to ensure the confidentiality, integrity and availability of the Data and to protect the Data against unlawful processing.
2.2
The Processor shall protect Data against destruction, modification, unlawful dissemination, or unlawful access, in particular where the processing involves the transmission of data over a network. The Processor shall also protect Data against all other forms of unlawful processing.
2.3
The Processor shall periodically test, assess and evaluate the effectiveness of its technical and organisational measures.
2.4
The Processor shall train its personnel in relation to data safety requirements.
3. Controller’s obligations
3.1
The Controller shall always retain control and authority over the Personal Data processed under this DPA. If any data subject requests information on the processing of Personal Data under this DPA, requests the correction of such Personal Data, disputes the legality of data processing, or otherwise requires the termination of data processing or the deletion or blocking of such Personal Data, the Controller shall immediately instruct the Processor to take the appropriate measures; and
3.2
The Controller represents, warrants and shall ensure that during the entire validity term of the Agreement all Data transferred to and processed by the Processor is collected and processed on a lawful basis, is accurate and complete, does not infringe upon the rights of data subjects, conforms to the Controller’s instructions and complies with the Regulations where applicable.
3.3
The Controller shall be responsible for filling out and regularly updating Annex No. 1, indicating there all types of Personal Data and all categories of data subjects involved in the data processing under the Agreement, together with the Controller’s contact details.
4. Term and relationship to other agreements between the Parties
4.1
This DPA shall apply during the period of time that the Processor processes Data. Upon the termination or expiration of the Agreement, and where a new such agreement is entered into without a new data processing agreement being executed, this DPA shall also govern such new agreement. With the exception of the termination rights expressly set out in this DPA, this DPA may be terminated only together with the Agreement in accordance with the terms and conditions set forth in the Agreement.
5. Personal Data Breach notifications
5.1
In case of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Data transmitted, stored or otherwise processed (hereinafter the “Data Breach”) Processor undertakes to notify the Controller.
5.2
Where, and in so far as, it is not possible to provide all the information related to the Data Breach at the same time, the information may be provided in phases without undue further delay. In cases where certain information cannot be provided by the Processor to the Controller at all, the Processor will inform the Controller accordingly.
5.3
The Processor shall take appropriate steps to protect the Data after having become aware of a Data Breach in order to limit any possible detrimental effect to the data subjects. The Processor will cooperate with the Controller to respond to the Data Breach.
6. Right of supervision and audit
6.1
According to the Regulations, Controller is obliged to monitor that the processing of Data, which is performed by the Processor, fulfils the requirements of the Agreement and this DPA.
6.2
The Controller, including its control functions (e.g., compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller, shall be entitled to take measures necessary to assure itself that the Processor is able to carry out the security measures which must be undertaken pursuant to this DPA, and to assure itself that the Processor has in fact undertaken such measures. The Processor undertakes to ensure that the person conducting the audit receives the assistance which may reasonably be required in order for them to be able, in a simple manner, to assure themselves of the aforesaid.
6.3
In case of Permitted Sub-processing, the Processor shall ensure that the same audit and supervision rights granted under this Section 6 to the Controller and the other persons indicated herein are extended to the processing of Data by Permitted Sub-processors.
6.4
At any time during the term of this DPA, the Processor shall make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and under this DPA, and shall allow for and contribute to audits of the Processor and its Approved Sub-processors, including inspections, conducted by the Controller, including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
7. Duty of confidentiality
7.1
Confidentiality clauses, which are set in the Agreement, apply to all Data, which the Processor receives pursuant to the Agreement and this DPA.
7.2
In addition to the provisions of the above-mentioned Confidentiality clauses, the Processor undertakes to notify the Controller about:
7.2.1
any request received from any other third party without responding to that request, unless it has been otherwise authorised to do so. The Processor shall reject the request unless required by law to comply. If the request is valid, the Processor will attempt to redirect the third party to request the data directly from the Controller, and/or
7.2.2
any request on behalf of data subject regarding processing of the Personal Data.
7.3
Processor shall, at Controller’s request, provide Controller with reasonable cooperation and assistance in relation to any such request made including assisting the Controller to comply with a data access request within the relevant timescales (if any) set out in applicable Regulations.
8. Measures upon completion of processing of Data
8.1
Upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1), the Data shall either, as determined by the Controller in its sole discretion, be returned to the Controller or erased and the Processor shall delete existing copies unless the Regulations require storage of the Data. Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Data upon the termination or expiry of the Agreement or otherwise after the end of the provision of services relating to the Processor’s processing of Data under this DPA (end of Data processing as indicated in Annex No. 1).
8.2
The Processor has the right to store a copy of the Data on backup tapes (its own or outsourced to third parties) until these tapes are overwritten (and thereby the Data deleted) in the normal course of business.
9. Liability
9.1
Where the Processor has failed to comply with this DPA, the Controller shall notify the Processor thereof in writing and grant the Processor the right to fully remedy the infringement within reasonable term, but in all cases not less than twenty (20) Business Days. Where the infringement is not fully remedied, the Controller shall be entitled to terminate the Agreement.
9.2
The Processor shall be liable only for direct damages caused to the Controller as a consequence of a breach of the provisions of this DPA. The Processor in any case will not reimburse indirect or any other kind of special losses of the Controller or any other third party. The amount of reimbursement for direct losses through the whole term of this DPA is limited to the sum of the total Charges paid and payable over the term of the Agreement, calculated by reference to the Charges in force at the Commencement Date.
9.3
The Processor is in any case not liable for any losses of the Controller, a data subject or any other third party if any of them uses an insecure computer, internet connection or software, or if their e-mail account, phone or other device, or their account login information, is breached, lost or stolen and this results in potentially unlawful or unauthorised use of Personal Data.
9.4
The Processor accepts no responsibility for any loss or damages if the Controller or a data subject provides wrong or false information.
9.5
The Processor is at all times released from any liability for damages that occur in execution of direct instructions given by the Controller or on its behalf.
9.6
The Controller is fully liable for ensuring that the Personal Data is processed on a correct and sufficient legal ground as set out in Article 6 of the GDPR. The Processor shall take no liability for any kind of damages arising from such unlawful Personal Data processing.
9.7
For the avoidance of doubt, neither Party shall be liable to the other Party for any fines imposed by the supervisory authorities or for damages awarded by a competent court in respect of such Party’s violation of the Regulations where applicable.
10. Use of Sub-processors
10.1
Processor may use sub-processors to perform tasks under this DPA on its behalf if the Processor notifies them to the Controller. Such notification is sufficient and this DPA is deemed prior written approval of such sub-processors (hereinafter the “Permitted Sub-processor”).
10.2
The Controller acknowledges and agrees that (a) Processor’s affiliates, subsidiaries or parent companies may be retained as sub-processors without separate notification; and (b) Processor and its affiliates, subsidiaries or parent companies respectively may engage third-party sub-processors in connection with the processing of Data within the limitations of this DPA and the Agreement.
10.3
The Processor shall make available to the Controller the current list of sub-processors as part of this DPA (in Annex No. 2), which shall include the names and country locations of those sub-processors, together with the scope of services they provide for the Processor. By signing this DPA the Controller approves the listed sub-processors for the indicated scope of services. All of them are treated as Permitted Sub-processors.
10.4
In case of any additions or changes to the current list, the Processor shall notify the Controller in advance.
10.5
The Processor shall ensure that any processing of the Data by a Permitted Sub-processor complies with the requirements set out under this DPA and the GDPR.
10.6
The Processor shall be responsible for any and all actions or omissions of a sub-processor (whether or not a Permitted Sub-processor) under this DPA, as though they were the Processor’s own actions or omissions. The Processor is obliged to regularly monitor the performance of its sub-processors and to ensure that the same monitoring rights as per Section 6 are granted to the Controller, including its control functions (e.g. compliance function, risk management function, internal audit), any external auditors, Regulatory Bodies and agents appointed by such Regulatory Bodies, or other advisers to the Controller.
11. Personal Data transfers
11.1
In case the Personal Data is transferred from the Controller to the Processor, or from the Processor to a Permitted Sub-processor, outside the European Economic Area (“EEA”), the Standard Contractual Clauses (including the annexes related thereto; hereinafter the “SCC”) are incorporated by reference into this DPA and form an integral part of it, and both the Controller (referred to as the “data exporter” in the SCC) and the Processor or Sub-processor (referred to as the “data importer” in the SCC) undertake to comply with them, unless the European Commission has recognised the third country where the Personal Data transfer or processing is planned as providing adequate protection under Article 45 of the GDPR, or other appropriate safeguards under the GDPR have been put in place. If any discrepancies between this DPA and the SCC (including the annexes related thereto) arise, the provisions of the SCC shall prevail.
11.2
If sub-processing is approved in accordance with this DPA, the Processor may transfer Personal Data to such Permitted Sub-processor, either within or outside the EEA. This DPA and any additional written approval provided (where applicable for Permitted Sub-processing) constitute the Controller’s general consent for the Processor to transfer such data outside the EEA, provided the Processor ensures that such transfer and such Sub-processor are bound by the terms of the SCC, unless the European Commission has recognised the third country where the Personal Data transfer or processing is planned as providing adequate protection under Article 45 of the GDPR, or other appropriate safeguards under the GDPR have been put in place.
11.3
The initial list of approved transfers is provided within the list of Permitted Sub-processors in Annex No. 2.
11.4
In case of any additions or changes to the list of Permitted Sub-processors (Annex No. 2), the Processor shall notify the Controller in advance and receive its prior written approval.
12. Remuneration
12.1
The Processor is not entitled to any specific remuneration on the basis of the contents of this DPA and shall, thus, not charge Controller under this DPA. Remuneration is solely governed by the Agreement.
12.2
If implementation or completion of the Controller’s specific instructions requires or results in additional costs on the Processor’s side (e.g. if the Controller requires the Processor to implement specific data processing procedures which are not agreed under this DPA), the Controller shall cover such costs.
13. Contact persons for Personal Data processing issues
13.1
The Processor’s contact person is its Data Protection Officer, whose contact details are as follows:
13.1.1
E-mail: hello@getorbital.com.
13.2
Each Party shall inform the other Party immediately if its contact person’s contact details change. A Party that fails to do so may not make any claims or objections with respect to actions performed by the other Party, or with respect to messages it did not receive, where those actions were taken or messages sent using the previously known details.
13.3
The Parties agree that a notice sent via e-mail is equivalent to a written document and has the same force between the Parties.
13.4
The Parties are aware of the risks deriving from electronic communication and, taking them into consideration, agree to exchange information electronically. The Processor is not liable for the risks related to electronic communication of digitally formatted information.
14. Applicable law and disputes settlement
14.1
The DPA has been concluded and shall be interpreted and performed in accordance with the laws of England.
14.2
All disputes, discrepancies or claims arising from this DPA shall be settled by the Parties applying Disputes Resolution Procedure as indicated in the Agreement. The courts of England shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation following the Disputes Resolution Procedure.
15. Declarations
15.1
The Parties hereby declare and guarantee that, under the effective laws and other legal regulations binding on them, they and their duly authorised persons signing this DPA have full power and the necessary authorisations to enter into this DPA and to fulfil all the obligations assumed under it throughout its validity term, and that doing so will not breach the incorporation documents of the Party, decisions of its governing bodies, contractual or any other obligations, third parties’ rights or lawful interests, or the legislation and legal regulations binding on them.
16. Final provisions
16.1
DPA is an integral part of the Agreement.
16.2
The DPA has been executed in two counterparts in English and each of them has the same legal force. The Parties confirm that the language of the DPA is suitable for them and fully understandable. After signing this DPA, each Party shall receive one copy of it. Taking into consideration the fact that the Parties may reside in different countries, the DPA may be signed electronically or by exchanging physically signed copies of the DPA via electronic means of communication without additionally exchanging the signed hard copies between the Parties, and the Parties agree that a DPA so signed shall have the same legal effect as a written document signed by each Party. The DPA is binding on the signing Party from the moment of its signing, as evidenced by sending the copy of the signed DPA to the other Party.
16.3
Any amendments to this DPA shall be made in writing and be signed by duly authorised representatives of both Parties.
16.4
Notwithstanding the expiry of the Agreement or this DPA, the provisions stipulating performance of the obligations connected with the settlements, liability, applicable law and settlement of disputes shall remain valid until the full performance of such obligations.
16.5
Invalidity of any provision of the DPA shall not affect the validity of the other provisions. The Parties have agreed to substitute the invalid provision of the DPA by another which would match the economic aim and nature of the previous one in the best way.
16.6
The failure of either Party to assert any of its rights under this DPA shall not be deemed to constitute a waiver of that Party’s right thereafter to enforce each and every provision of this DPA in accordance with its terms.
16.7
Neither Party may transfer all or part of its rights and obligations under this DPA to any third party without the other Party’s consent.
16.8
What is not regulated by this DPA is regulated directly by the provisions of the Agreement. All definitions here have the same meaning as in the Agreement, and all conditions from the Agreement are applicable to this DPA, if not stated differently in this DPA.
17. Annexes (integral parts of DPA)
17.1
Annex No. 1: Instructions for processing of Data including Personal Data on behalf of the Controller.
17.2
Annex No. 2: List of Permitted Sub-processors.
Annex No. 1 to the DPA
Instructions for processing of Personal and other Data on behalf of the Controller
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The Processor shall comply with the instructions set forth below in conjunction with the processing of Personal and other Data. The terms “personal data” and “processing” have the meanings given to them in the DPA and the Regulations.
1. Agreement
1.1
Service Agreement
2. Legal background for the Data processing
2.1
Execution of the Agreement (provision of Services)
3. Nature of the processing
3.1
Collection
3.2
Recording
3.3
Structuring
3.4
Monitoring
3.5
Adaptation
3.6
Use
3.7
Consultation
3.8
Alignment
3.9
Storage
3.10
Erasure
4. Purpose of the processing
4.1
Execution of the Agreement (provision of Services)
5. Duration of the processing
5.1
As long as the Agreement is valid and for not more than 90 (ninety) days after its termination, or until the Controller requests that processing stop
6. Categories of personal data subjects
6.1
Authorised representatives and management members of the Controller (natural persons);
6.2
Shareholders of the Controller (natural persons);
6.3
Ultimate Beneficial Owners of the Controller;
6.4
Politically exposed persons (“PEP”) related to the Controller;
6.5
Clients of the Controller (natural persons);
6.6
Service providers of the Controller (natural persons);
7. Types of Personal Data
7.1
Authorised representatives and management members of the Controller (natural persons)
Name
Surname
Date of birth (Personal code)
Residential address
Citizenship
Position
E-mail address
Phone number
The position held at the Customer (Acting grounds) if any
Information regarding the identification document and its copy
Selfie with the identification document
Signature
7.2
Shareholders of the Controller (natural persons)
Name
Surname
Personal code
Date of birth
Citizenship / country of registration
Residential address
Share of benefit (%)
7.3
Ultimate Beneficial Owners of the Controller
Name
Surname
Citizenship(s)
Personal code (Date of birth)
Registered residential address
Taxpayer identification number (TIN)
Place of birth
Share of benefit (%)
Copy of identification document
Other information that Controller may ask during Customer’s verification procedure
7.4
Politically exposed persons (“PEP”) related to the Controller:
Information on whether a Representative of the Controller/ UBO or his / her close associate or immediate family member are PEP
Nature of relationship with PEP
PEP’s name and surname
PEP’s country
PEP’s institution
PEP’s position
7.5
Clients of the Controller (natural persons)
Name
Surname
Address
Email
Phone number
Account numbers
Payment card numbers
Payment information with regard to payments
7.6
Service providers of the Controller (natural persons)
Name
Surname
Address
Account numbers
Payment card numbers
Payment information with regard to payments
8. Personal Data transfer/collection means
8.1
Directly from the Clients of the Controller;
8.2
Directly from the Controller;
8.3
Via API or by using Controller’s databases to which the Processor has the granted access rights
8.4
Directly from third party payment service providers used for conducting the transaction.
9. Security measures
The Processor shall apply appropriate organisational and technical security measures to the Data and ensure its sufficient security. The minimum requirements are:
9.1
Organisational security measures
9.1.1
Security policy and procedures for the protection of data and personal data
9.1.1.1
The organization should document a separate dedicated security policy with regard to the processing of personal data and any other data. The policy should be approved by management and communicated to all employees and relevant external parties.
9.1.1.2
The security policy should be reviewed and revised on an annual basis.
9.1.2
Roles and responsibilities
9.1.2.1
Roles and responsibilities related to the processing of data should be clearly defined.
9.1.2.2
Persons in charge of specific security tasks should be clearly appointed.
9.1.3
Access control policy
9.1.3.1
Specific access control rights should be allocated to each role (involved in the processing of personal data) following the need to know principle.
9.1.3.2
An access control policy should be detailed and documented. The organization should determine in this document the appropriate access control rules, access rights and restrictions for specific user roles towards the processes and procedures related to personal data.
9.1.3.3
(For High-risk cases) Roles with excessive access rights should be clearly defined and assigned to limited specific members of staff.
9.1.4
Asset management
9.1.4.1
The organization should have a register of the IT resources used for the processing of personal data (hardware, software, and network). The register should include at least the following information: IT resource, type (e.g. server, workstation), location (physical or electronic). A specific person should be assigned the task of maintaining and updating the register.
9.1.4.2
Roles having access to certain resources should be defined and documented.
9.1.4.3
IT resources should be reviewed and updated on annual basis.
9.1.5
Change management
9.1.5.1
Software development should be performed in a special environment that is not connected to the IT system used for the processing of personal data. When testing is needed, dummy data should be used (not real data). In cases that this is not possible, specific procedures should be in place for the protection of personal data used in testing.
9.1.6
Data processors
9.1.6.1
Formal guidelines and procedures covering the processing of personal data by data processors (contractors/outsourcing) should be defined, documented and agreed between the data controller and the data processor prior to the commencement of the processing activities. These guidelines and procedures should mandatorily establish the same level of personal data security as mandated in the organization’s security policy.
9.1.6.2
Upon finding out of a personal data breach, the data processor shall notify the controller without undue delay.
9.1.6.3
Formal requirements and obligations should be formally agreed between the data controller and the data processor. The data processor should provide sufficient documented evidence of compliance.
9.1.6.4
The data controller’s organization should regularly audit the compliance of the data processor to the agreed level of requirements and obligations.
9.1.6.5
(For High-risk cases) The employees of the data processor who are processing personal data should be subject to specific documented confidentiality/ non-disclosure agreements.
9.1.7
Incidents handling / Personal data breaches
9.1.7.1
An incident response plan with detailed procedures should be defined to ensure an effective and orderly response to incidents pertaining to data.
9.1.7.2
Data breaches should be reported immediately to the management. Notification procedures for the reporting of the personal data breaches to competent authorities and data subjects should be in place, following art. 33 and 34 GDPR.
9.1.7.3
The incidents’ response plan should be documented, including a list of possible mitigation actions and clear assignment of roles.
9.1.7.4
(For High-risk cases) Incidents and data breaches should be recorded along with details regarding the event and subsequent mitigation actions performed.
9.1.8
Business continuity
9.1.8.1
The organization should establish the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing data (in the event of an incident/ data breach).
9.1.8.2
A BCP should be detailed and documented (following the general security policy). It should include clear actions and assignment of roles.
9.1.9
Confidentiality of personnel
9.1.9.1
The organization should ensure that all employees understand their responsibilities and obligations related to the processing of data including specifics of processing personal data. Roles and responsibilities should be clearly communicated during the pre-employment and/or induction process.
9.1.9.2
Prior to taking up their duties, employees should be asked to review and agree to the security policy of the organization and to sign the respective confidentiality and non-disclosure agreements.
9.1.9.3
(For High-risk cases) Employees involved in high risk processing of personal data should be bound to specific confidentiality clauses (under their employment contract or other legally binding document).
9.1.10
Training
9.1.10.1
The organization should ensure that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data should also be properly informed about relevant data protection requirements and legal obligations through regular awareness campaigns.
9.1.10.2
The organization should have structured and regular training programmes for staff, including specific programmes for the induction (to data protection matters) of newcomers.
9.2
Technical Security Measures
9.2.1
Access control and authentication
9.2.1.1
The use of common user accounts should be avoided. In cases where this is necessary, it should be ensured that all users of the common account have the same roles and responsibilities.
9.2.1.2
An authentication mechanism should be in place, allowing access to the IT system (based on the access control policy and system). As a minimum a username/password combination should be used. Passwords should respect a certain (configurable) level of complexity.
9.2.1.3
A specific password policy should be defined and documented. The policy should include at least password length, complexity, validity period, as well as number of acceptable unsuccessful login attempts.
9.2.1.4
User passwords must be stored only in salted and hashed form, using a dedicated password hashing function; they must never be stored in plaintext or in reversibly encrypted form.
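As an added illustration of measures 9.2.1.2 to 9.2.1.4 (this is example code, not the Processor's own implementation or part of the DPA): a documented, configurable password policy covering length, complexity, validity period and the number of tolerated failed login attempts, with passwords persisted only as a per-user salt plus a memory-hard scrypt digest. The policy values, names and scrypt cost parameters are assumptions chosen for the example.

```python
"""Password policy enforcement and hashed credential storage.

Added example illustrating measures 9.2.1.2 to 9.2.1.4: a documented,
configurable policy (minimum length, complexity, validity period, maximum
failed login attempts) and storage of user passwords only as salted scrypt
digests. The policy values, names and cost parameters below are assumptions
for the example, not the Processor's actual configuration.
"""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy values; the annex only requires that such values be defined.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3              # of: lower, upper, digit, punctuation
MAX_AGE_SECONDS = 90 * 24 * 3600       # validity period before a change is forced
MAX_FAILED_ATTEMPTS = 5                # lockout threshold
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # memory-hard cost settings

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def policy_violations(password: str) -> List[str]:
    """Return the names of the policy rules a candidate password fails (empty if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    classes_present = sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)
    if classes_present < MIN_CHARACTER_CLASSES:
        problems.append("complexity")
    return problems


@dataclass
class Credential:
    """What is persisted: a per-user random salt and the scrypt digest, never the password."""
    salt: bytes
    digest: bytes
    set_at: float          # Unix time the password was set, for the validity period
    failed_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def set_password(password: str, now: Optional[float] = None) -> Credential:
    """Enforce the policy, then derive and store salt + digest only."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("password violates policy: " + ", ".join(problems))
    salt = secrets.token_bytes(16)
    set_at = time.time() if now is None else now
    return Credential(salt=salt, digest=hash_password(password, salt), set_at=set_at)


def verify_password(cred: Credential, attempt: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad', 'locked' or 'expired'; counts failures toward lockout."""
    now = time.time() if now is None else now
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return "locked"                     # refuse even a correct password once locked
    candidate = hash_password(attempt, cred.salt)
    # constant-time comparison so response time does not reveal matching prefixes
    if not hmac.compare_digest(candidate, cred.digest):
        cred.failed_attempts += 1
        return "bad"
    cred.failed_attempts = 0
    if now - cred.set_at > MAX_AGE_SECONDS:
        return "expired"                    # correct, but the validity period has lapsed
    return "ok"


if __name__ == "__main__":
    cred = set_password("Correct-Horse-Battery-9", now=0.0)
    print(verify_password(cred, "Correct-Horse-Battery-9", now=60.0))   # ok
    print(verify_password(cred, "wrong guess", now=60.0))               # bad
```

The salt makes identical passwords of different users hash differently, the scrypt cost parameters make offline guessing of a leaked digest expensive, and the lockout counter is stored beside the digest so the failed-attempt limit in the policy can actually be enforced.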
9.2.2
Logging and monitoring
9.2.2.1
Log files should be activated for each system/application used for the processing of personal data. They should include all types of access to data (view, modification, deletion).
9.2.2.2
Log files should be timestamped and adequately protected against tampering and unauthorised access. Clocks should be synchronized to a single reference time source.
9.2.2.3
Actions of the system administrators and system operators, including addition/deletion/change of user rights should be logged.
9.2.2.4
There should be no possibility of deletion or modification of log files content. Access to the log files should also be logged in addition to monitoring for detecting unusual activity.
9.2.2.5
A monitoring system should process the log files and produce reports on the status of the system and notify for potential alerts.
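As an added illustration of measures 9.2.2.1 to 9.2.2.5 (example code, not the Processor's own logging system or part of the DPA): each access to personal data and each administrative change is appended as a timestamped record whose keyed hash also covers the previous record, so that altering or removing an earlier record is detected when the chain is verified; a small report function stands in for the monitoring system's processing of the log. The key, field names and sample events are constructed assumptions for the example.

```python
"""Tamper-evident, timestamped access log.

Added example illustrating measures 9.2.2.1 to 9.2.2.5: every access to
personal data (view, modification, deletion) and every administrative
change is appended as a timestamped record whose keyed hash also covers
the previous record, so alteration or removal of an earlier record breaks
the chain and is detected on verification. The key, field names and the
sample events are assumptions for the example, not the Processor's system.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = b"\x00" * 32     # "previous MAC" for the very first record


def _mac(key: bytes, prev: bytes, record: Dict) -> bytes:
    # Canonical JSON so the same record always produces the same MAC.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(log: List[Dict], key: bytes, actor: str, action: str,
           target: str, ts: Optional[str] = None) -> Dict:
    """Append one record chained to the MAC of the record before it."""
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),  # synchronised clock assumed
        "actor": actor,
        "action": action,      # e.g. view / modify / delete / rights.grant / rights.revoke
        "target": target,
    }
    record["mac"] = _mac(key, prev, record).hex()
    log.append(record)
    return record


def verify(log: List[Dict], key: bytes) -> Optional[int]:
    """Return None if every record chains correctly, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = _mac(key, prev, body)
        if not hmac.compare_digest(expected, bytes.fromhex(rec["mac"])):
            return i
        prev = expected
    return None


def admin_changes(log: List[Dict]) -> List[Dict]:
    """Monitoring report: administrative actions such as user-right changes (9.2.2.3)."""
    return [r for r in log if r["action"].startswith("rights.")]


if __name__ == "__main__":
    key = b"constructed-demo-key"   # in practice held by the log/monitoring system, not by admins
    log: List[Dict] = []
    append(log, key, "alice", "view", "customer/42")
    append(log, key, "root", "rights.grant", "bob:admin")
    append(log, key, "bob", "delete", "customer/42")
    print("intact:", verify(log, key) is None)
    log[1]["actor"] = "alice"                 # simulate tampering with an existing record
    print("first broken record:", verify(log, key))   # 1
```

Two caveats a practitioner will want: the chain cannot detect removal of the most recent records, so the latest MAC should be forwarded to the monitoring system (or another store the log writers cannot reach) and compared on verification; and the MAC key must be held by that monitoring system, not by the administrators whose actions the log records, otherwise they could simply re-chain the log after editing it. Append-only storage for the log files themselves is still required.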
9.2.3
Server/Database security
9.2.3.1
Servers should be configured in accordance with documented standards / procedures.
9.2.3.2
Server images should be reviewed, tested and kept up to date (i.e. with recent patches and changes to build/configuration).
9.2.3.3
Servers should be configured to protect against attacks by: disabling unnecessary or insecure user accounts, changing important security-related parameters from their default settings, restricting physical access to a limited number of authorised individuals, maintaining up-to-date malware protection software, monitoring, and by reviewing them on a regular basis.
9.2.3.4
Database and application servers should only process the personal data that is actually needed to achieve the processing purposes.
9.2.3.5
(For High-risk cases) Encryption solutions should be considered on specific files or records through software or hardware implementation.
9.2.3.6
(For High-risk cases) Encrypting storage drives should be considered.
9.2.4
Workstation security
9.2.4.1
Users should not be able to deactivate or bypass security settings.
9.2.4.2
Users should not have privileges to install or deactivate unauthorised software applications.
9.2.4.3
The system should have session time-outs when the user has not been active for a certain time period.
9.2.4.4
Critical security updates released by the operating system developer should be installed regularly.
9.2.4.5
(For High-risk cases) It should not be allowed to transfer personal data from workstations to external storage devices (e.g. USB, DVD, external hard drives).
9.2.4.6
(For High-risk cases) Full disk software encryption should be enabled on the workstation operating system drives.
9.2.5
Network/Communication security
9.2.5.1
Whenever access is performed through the Internet, communication should be encrypted through cryptographic protocols (TLS).
9.2.5.2
Wireless access to the IT system should be protected by encryption mechanisms.
9.2.5.3
Remote access to the IT system should in general be avoided. In cases where this is absolutely necessary, it should be performed only under the control and monitoring of a specific person from the organization (e.g. IT administrator/security officer) through pre-defined devices.
9.2.5.4
The network of the information system should be segregated from the other networks of the data controller.
9.2.6
Back-ups
9.2.6.1
Backup and data restore procedures should be defined, documented and clearly linked to roles and responsibilities.
9.2.6.2
Backups should be given an appropriate level of physical and environmental protection consistent with the standards applied on the originating data.
9.2.6.3
Execution of backups should be monitored to ensure completeness.
9.2.6.4
Backup media should be regularly tested to ensure that they can be relied upon for emergency use.
9.2.6.5
Copies of the backup should be securely stored in different locations.
9.2.6.6
In case a third party service for back up storage is used, the copy must be encrypted before being transmitted from the data Processor.
9.2.7
Mobile/Portable devices
9.2.7.1
Mobile and portable device management procedures should be defined and documented establishing clear rules for their proper use.
9.2.7.2
Mobile devices that are allowed to access the information system should be pre-registered and pre-authorised.
9.2.7.3
Mobile devices should be subject to the same levels of access control procedures (to the data processing system) as other terminal equipment.
9.2.7.4
Personal data stored at the mobile device (as part of the organization’s data processing operation) should be encrypted.
9.2.8
Application lifecycle security
9.2.8.1
During the development lifecycle best practices, state of the art and well acknowledged secure development practices, frameworks or standards should be followed.
9.2.8.2
Specific security requirements should be defined during the early stages of the development lifecycle.
9.2.8.3
Specific technologies and techniques designed to support privacy and data protection (also referred to as Privacy Enhancing Technologies (PETs)) should be adopted alongside the security requirements.
9.2.8.4
Secure coding standards and practices should be followed.
9.2.8.5
During development, testing and validation of the implementation against the initial security requirements should be performed.
9.2.8.6
Vulnerability assessment, application and infrastructure penetration testing should be performed prior to the operational adoption. The application shall not be adopted unless the required level of security is achieved.
9.2.8.7
Periodic penetration testing should be carried out.
9.2.8.8
Information about technical vulnerabilities of information systems being used should be obtained.
9.2.8.9
Software patches should be tested and evaluated before they are installed in an operational environment.
9.2.9
Data deletion/disposal
9.2.9.1
Multiple passes of software-based overwriting should be performed on all magnetic media prior to their disposal. Overwriting is not reliable on flash-based media (SSDs, USB sticks) because of wear levelling, so such media should be erased cryptographically (destroying the key of a fully encrypted drive) or physically destroyed. In cases where overwriting is not possible (CDs, DVDs, etc.) physical destruction should be performed.
9.2.9.2
Shredding of paper and portable media used to store personal data shall be carried out.
9.2.9.3
(For High-risk cases) If a third party’s services are used to securely dispose of media or paper based records, a service agreement should be in place and a record of destruction of records should be produced as appropriate. Where possible it should be considered that the process takes place at the premises of the data controller or processor (and avoid off-site transfer of personal data).
9.2.10
Physical security
9.2.10.1
The physical perimeter of the IT system infrastructure should not be accessible by non-authorised personnel. Physical barriers should, where applicable, be built to prevent unauthorised physical access.
9.2.10.2
Clear identification, through appropriate means e.g. ID Badges, for all personnel and visitors accessing the premises of the organization should be established, as appropriate.
9.2.10.3
Secure zones should be defined and be protected by appropriate entry controls. A physical log book or electronic audit trail of all access should be securely maintained and monitored.
9.2.10.4
Intruder detection systems should be installed in all security zones.
9.2.10.5
Vacant secure areas should be physically locked and periodically reviewed.
9.2.10.6
An automatic fire suppression system, closed control dedicated air conditioning system and uninterruptible power supply (UPS) should be implemented at the server room.
Annex No. 2 to the DPA
Permitted Sub-processors
This Annex is entered as of the same day as DPA.
This Annex is integral part of the DPA.
The list of subcontractors engaged by the Processor as sub-processors can be found here: Sub-processors
The list will be updated as needed to reflect any changes as regards Permitted Sub-processors.
List of Orbital’s sub-processors
This list forms part of the Data Processing Agreement and sets out the sub-processors currently used by the Service providers at Orbital, the purpose of the processing, the location of processing and the measures used for personal data transfers outside the UK and/or EEA (if applicable).
Sub-processor & location | Purpose of processing | Measures for legal transfer to the Processor (SCC etc.), if/when applicable
Amazon Web Services - Australia, Germany, Ireland, Singapore, USA | Platform hosting & Infrastructure | SCC
MongoDB Atlas - EU, US | Cloud based Managed Database Service | SCC
Github - US | Source Control Management & Project Management | SCC
Auth0 - US | Authentication and Authorisation cloud provider | SCC
Metabase - US | Development platform, data analysis | SCC
CrowdStrike - EU, US | Endpoint protection software for malicious threats | SCC
TruNarrative (LexisNexis) - UK | Identification, validation and screening | -
WorldCheck (by Refinitiv) - UK | Sanctions, PEP and Adverse Media screening | -
Chainalysis (KYT and Reactor) - UK, EU | Virtual Assets (VA) transaction monitoring, screening and investigation | -
Notabene - US | VA transaction management for the purpose of compliance with the VA Travel Rule | SCC
Atlassian: Jira, Confluence, UpRaise - AUS | Business administration, project management, HR | SCC
Slack - US | Business administration, messaging service | SCC
Google Workspace - US | Business administration | SCC
Hubspot - US | Sales and marketing | SCC