Data Processing Agreement


Information Processing Agreement


This Data Processing Agreement between PrismaNote and Retailers or Brands supplements the Terms of Service. Under the General Data Protection Regulation (GDPR) of the European Union, PrismaNote has a position of 'Processor' and the users of PrismaNote have a position of 'Controller' with regard to the personal data provided by the users of PrismaNote.


The Data Processing Agreement is an integral part of the Terms of Service. Terms of this Agreement supersede any provision of the General Terms of Service to the extent that such provision conflicts with the provisions of this Data Processing Agreement.


Our privacy policy describes, for transparency, the processing for which PrismaNote itself acts as 'Controller'.

1. Definitions


1.1 The following definitions explain some of the terminology and abbreviations used in this Addendum to the Terms of Service:

    “DPA” refers to this Data Processing Agreement.
    “Terms” refers to the Terms of Service agreement.
    “Processor” refers to PrismaNote.
    “Controller” refers to the registered user of the PrismaNote services.
    “Processing” refers to any operation or series of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, reconciliation or combination, restriction, erasure or destruction.
    “Data” means information provided by Controller to Processor relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    “Data Subject” refers to an identified or identifiable natural person to whom the Data relates.
    “Data Breach” refers to a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to transmitted, stored or otherwise processed Data.

2. Processing


2.1 Processor undertakes to process all Data in accordance with the GDPR and other applicable laws, statutes and regulations.


2.2 Processor may only process the Data in accordance with the documented instructions of the Controller. Instructions referred to herein are incorporated in the Terms or may be contained in another written document prepared or exchanged between the Controller and the Processor.


2.3 During the term of this DPA, the Controller remains the owner of the Data transferred to the Processor. Nothing in this DPA should be construed as transferring ownership of the Data to the Processor or other Third Party.


2.4 Controller guarantees that the Data is obtained in accordance with applicable laws, statutes and regulations and that the Processing requested by Controller does not violate any applicable law, statutes or regulations.


2.5 Data may be processed within the term of this DPA.

3. Staff


3.1 The Processor ensures that all employees, contractors and other persons working under the authority of the Processor are bound by a strict confidentiality statement prior to giving them access to the Data.


3.2 Processor will take measures to ensure that a person acting under the authority of Processor who has access to the Data does not process it, except on instructions from the Controller.

4. Security


4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Processor will take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others:

    The pseudonymization and encryption of the Data;
    The ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
    The ability to restore the availability of and access to the Data in a timely manner in the event of a physical or technical incident;
    A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.


4.2 When assessing the appropriate level of security, particular account shall be taken of the risks associated with the processing, in particular those resulting from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Data transmitted, stored or otherwise processed.

5. Sub-processor


5.1 The Processor will not engage any other processor without the prior specific or general written consent of the Controller. In the case of general written consent, the Processor will inform the Controller of intended changes with regard to the addition or replacement of other processors, giving the Controller the opportunity to object to such changes. The Controller may object to such changes in writing within fifteen (15) days of receipt of the notification of changes.


5.2 If Processor engages another processor to perform specific processing activities on behalf of Controller, the same data protection obligations as set out in this DPA will be imposed on that other processor by contract or other legal act. Sufficient, appropriate technical and organizational measures are taken in such a way that the processing meets the requirements of the applicable laws, statutes and regulations. If that other processor fails to fulfill its data protection obligations, the Processor remains fully liable to the Controller for the fulfillment of the obligations of that other processor.

6. Rights of Data Subjects


6.1 Processor will, taking into account the nature of the Processing, assist the Controller with appropriate technical and organizational measures, to the extent possible, to comply with the obligations of the Controller, as reasonably understood by the Controller, to respond to requests to exercise Rights of data subjects under the GDPR.


6.2 Processor will:

    Notify the Controller immediately if the Processor or a Sub-processor receives a request from a Data Subject pursuant to the GDPR or other applicable law, statute or regulation relating to the Data; and
    Ensure that the Processor or Sub-processor does not respond to that request except on documented instructions from the Controller or as required by applicable law to which the Processor or Sub-processor is subject, in which case the Processor shall, to the extent permitted by applicable law, inform the Controller of that legal requirement before the Processor or Sub-processor responds to the request.

7. Data Breach


7.1 The Processor will inform the Controller without undue delay after becoming aware of a Data Breach that affects the Data. In doing so, it will provide the Controller with sufficient information to enable the Controller to comply with any reporting obligations to the competent authorities and, where necessary, to inform the Data Subjects about the Data Breach.


7.2 The Processor shall cooperate with the Controller and take all reasonable commercial steps prescribed by the Controller to assist in the investigation, mitigation and recovery of any such Data Breach.

8. Data protection impact assessment and preliminary consultation


8.1 The Processor shall provide the Controller with reasonable assistance in any data protection impact assessments and in any prior consultation with competent data protection authorities. Such assistance is limited to the Processing of the Data by the Processor, takes into account the nature of the processing and the information available to the Processor, and applies to the extent the Controller reasonably believes it is required by the GDPR or equivalent provisions of any other applicable law.

9. Deletion or Return of Data


9.1 Subject to paragraphs 9.2 and 9.3, the Processor and any Sub-processor shall immediately, and in any event within thirty (30) days of the date of termination of the services related to the processing of the Data (the "Termination Date"), delete the Data and ensure that all copies of that Data are deleted.


9.2 Subject to paragraph 9.3, the Controller may, in its sole discretion, by written notice to the Processor within seven (7) days of the Termination Date, require the Processor and any Sub-processor to return a complete copy of all Data to the Controller by secure file transfer, in a format that the Controller has reasonably notified to the Processor.


9.3 The Processor may retain the Data to the extent required and only for the period required by applicable law and always provided that the Processor guarantees the confidentiality of all such Data and ensures that such Data is only processed if it is necessary for the purpose or purposes specified in applicable laws requiring storage and for no other purpose.


9.4 The Processor must declare in writing to the Controller within sixty (60) days after the Termination Date that the Processor has fully complied with this Article 9.

10. Audit Rights


10.1 Subject to the provisions of this article 10, the Processor shall, upon request, make available to the Controller all information necessary to demonstrate compliance with this DPA, and will contribute to and comply with audits, including inspections, conducted by the Controller or an auditor authorized by the Controller, regarding the processing of the Data.


10.2 The Controller's information and audit rights arise under section 10.1 only to the extent that the Terms do not otherwise provide it with information and audit rights that meet the relevant requirements of the GDPR.

11. Final provisions


11.1 Any matter not governed by this DPA shall be governed by the Terms or any Work Statement or Order entered into or exchanged between the parties to this DPA.


11.2 If any part of this DPA is found to be invalid, illegal or unenforceable in any respect, this shall not affect the validity or enforceability of the rest of the Terms.


11.3 Failure to exercise or enforce any right or provision of this DPA shall not constitute a waiver of that right or provision.


11.4 Section titles in the DPA are for convenience only and have no legal or contractual effect.

Annex 1: technical and organizational measures of the Processor


Processor takes the following technical and organizational data security measures within the meaning of Article 28 of the GDPR:


Confidentiality

    Assignment of user rights
    Creation of user profiles
    Authentication of users by username and password
    Assigned passwords are replaced by secure individual passwords on first login
    Password requirements such as minimum number of characters and complexity guidelines
    Password protection by periodic changes
    Authorization only by the administrator
    Use of VPN technology
    Use of anti-virus software
    Use of firewall
    Constant updates for anti-virus software, firewall, operating system and other software
    Separation of corporate network and guest WLAN
    Instructions for regulating Internet and e-mail use (private use prohibited)
    Use of tested and approved data carriers
    Role-based authorizations
    Procedural instructions for cancelling access rights
    Separate administrator accounts
    Secure destruction of files and data carriers, and encryption (we use TLS for encryption)
    Pseudonymization via customer/user numbers


Integrity

    Protocol of the installation and operation of IT systems
    Ensuring the security of log files (restricted access, for the network administrator only)
    Conclusion of a contract or other legal instrument in accordance with Article 28 of the GDPR and compliance with these regulations
    Evaluation of the technical and organizational measures taken by Sub-processors
    Employees of PrismaNote are obliged to maintain the confidentiality of data


Precautions and Safety Precautions

    Fire doors
    Fire extinguisher with suitable extinguishing agent available
    Periodic data backup


Procedures for regular monitoring and evaluation

    Data protection management (data protection guidelines, IT security guidelines, data protection instructions, descriptions of data protection processes)
    Registration of processing activities
    Regular training and sensitization of employees
    Obligation of employees to maintain data confidentiality
    Obligation of third parties to maintain data confidentiality
    DPA with third-party providers and Sub-processors according to Article 28 of the GDPR

Last modified: 2/15/2020
