Data Processing Agreement

đź“„ We present to you our Data Processing Contract:

The Client shall act as Data Controller and Bounsel as Data Processor according to the following obligations:

• Processor Obligations:

1. Process personal data following the instructions given by the Controller, complying with Data Protection rules in force, ensuring all necessary security measures.

2. Register in writing all the data processing categories made on behalf of the Controller.

3. Do not communicate personal data to third parties unless: they have the express authorization of the Controller, when it’s necessary for rendering the Services, for a legal obligation or public interest reasons.

4. Outsource only the services of the Contract that refer to the use of auxiliary services necessary for the operation of the commissioned Service. In this case, the subcontractor, who acts as the data Processor, is also obliged to comply with these obligations and the instructions issued by the Controller. The Processor will regulate the new relationship, so that the sub-processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as him, with regard to the proper processing of personal data and the guarantee of the rights of the interested parties. In the event of breach by the sub-processor, the Processor will continue to respond directly to the Controller regarding compliance to the aforementioned obligations.

5. Maintain the confidentiality of personal data carried out by the Processor, even when the Contract is finished.

6. Guarantee that people authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, informing themselves appropriately, guaranteeing their necessary training in data protection matters.

7. Help Controller respond to the exercise of rights by interested parties. When interested parties exercise their rights before the Processor, he shall immediately notify the Controller.

8. Provide by the Controller information right when data is gathered.

9. Notify the Controller, within a maximum period of 24 hours, the known violations of the security of the personal data under his charge, with all the material information for the documentation and communication of the incident.

10. Offer the Controller sufficient and appropriate guarantees to correctly apply the technical and organizational measures that allow meeting the requirements of current Spanish regulations and GDPR, including the appropriate security measures.

11. Ensure that the processing of personal data will have the appropriate security measures that are relevant in each case in accordance with article 32 of GDPR.

12. Delete or return, at the option of the Controller, all personal data when the rendering of the data processing ends, and delete all existing copies unless they have to be kept by an imperative rule.

13. Guarantee that people authorized to process personal data undertake, expressly and in writing, to respect confidentiality and comply with the corresponding security measures, informing themselves appropriately, guaranteeing their necessary training in data protection matters.

• Controller Obligations:

1. Indicate to the Processor the technical and organizational security measures required to comply with the obligation set forth in number 11.

2. Collaborate with the Processor in those obligations that require such collaboration.

3. Inform the Processor about the impact assessment results carried out by the Controller in relation to the data processing.Do not communicate personal data to third parties unless: they have the express authorization of the Controller, when it’s necessary for rendering the Services, for a legal obligation or public interest reasons.

Last Update: 27/02/2023