Data Processing Agreement
In these circumstances you/ your organization/ company is considered to be acting on its own behalf as the “Controller”, and CRED will be acting on its own behalf as the "Processor", each being a “Party” and together the “Parties”.
The terms used in this DPA shall have the meanings set forth in this DPA.
This DPA applies if there is no Controller submitted DPA signed by the Parties.
The Controller commits to having a valid legal basis under Applicable Laws, for Processing the Personal Data that will be input into CRED Platform.
Definitions
1.1 In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 "Applicable Laws" means (a) the UK and European Union or Member State laws with respect to any Personal Data in respect of which any entity which Processes Personal Data is subject to such legislation; and (b) any other applicable law with respect to the protection of Personal Data and those natural persons to whom it pertains to from around the Globe, as applicable to the Processing under the Credinvestments Platform Service;
Where local legislation is less protective of the rights and freedoms of those natural persons whose Personal Data is under Processing, the EU GDPR ruling shall prevail.
1.1.2 "Controller Personal Data" Personal Data pertaining to prospective customers of the Corporate Client by Credinvestments or on CRED Platform;
1.1.3 "EEA" means the European Economic Area;
1.1.4 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation) and laws implementing or supplementing the GDPR and (ii) any data privacy legislation including the E-privacy Directive and as amended, replaced or superseded from time to time;
1.1.5 "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.1.6 “Personal Data” means any of the following (i) Personal Data as defined in EU Directive 95/46/EC and transposed with Domestic legislation of each member state and as amended, replaced or superseded from time to time (ii) Personal Data as defined in the GDPR as amended, replaced or superseded from time to time; and (iii) personal data as defined in the local data protection or data privacy legislation or laws of another country (including Switzerland) if applicable;
1.1.7 "International Transfer" in the context defined by the EU and the UK does not apply because all such Personal Data is publicly accessible; nevertheless, all Personal Data is hosted in the EU;
1.1.8 "Services" means the services and other activities to be supplied to or carried out from the CRED Platform , by or on behalf of Processor for a Controller via the Controller or directly by Controller users, pursuant to the Terms and Conditions;
1.1.9 "Subprocessor" means any 3rd party (including any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller, the Controller in connection with the Terms and Conditions;
1.1.10 "Processor Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Processor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processing", “International Transfer” and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
Authority
2.1 Processor warrants and represents that, prior to having any Subprocessor Processing any Controller Personal Data, the Processor shall have entered into a DPA with that Subprocessor which bears at least the same amount of commitment towards the observance of Applicable Law and the protection of the Rights and Freedoms of those natural persons whose Personal Data is under Processing.
2.1 Processor warrants and represents that, prior to having any Subprocessor Processing any Controller Personal Data, the Processor shall have entered into a DPA with that Subprocessor which bears at least the same amount of commitment towards the observance of Applicable Law and the protection of the Rights and Freedoms of those natural persons whose Personal Data is under Processing.
Processing of Controller Personal Data
3.1 Processor and each Processor Affiliate shall:
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.1.1 Comply with all Applicable Laws in the Processing of Controller Personal Data;
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.1.2 Not process Controller Personal Data other than on the relevant Controller`s or Controller`s documented instructions unless Processing is required by Applicable Laws to which the relevant Subprocessor is subject, in which case Processor or the relevant Processor Affiliate shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data:
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2 The Controller shall ensure that:
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2.1 Instructs Processor and each Processor Affiliate (and authorises Processor and each Processor Affiliate to instruct each Subprocessor) to:
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2.1.1 Process Controller Personal Data;
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2.1.2 In particular, transfer Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Terms and Conditions.
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.3 Annex 1 to this DPA sets out certain information regarding the Processors' Processing of the Controller Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Applicable Laws). Controller may make reasonable amendments to Annex 1 by written notice to Processor from time to time as Controller reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this DPA.
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.4 Immediately and within less than 1 month from receiving Personal Data from the Processor, while fulfilling the requirements under article 14 of the EU GDPR, Controller is required to have the Data Subject informed and aware of which Personal Data is under Processing and its origin and purpose.
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Processor and Processor Affiliate Personnel
Processor and each Processor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Terms and Conditions , and to comply with Applicable Laws in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:
Access to your information
Request correction of your personal data
Request deletion of your personal data
Object to processing of your personal data
Request restriction of processing your personal data
Request transfer of your personal data
Right to withdraw consent
Right to review by an independent authority
If you wish to exercise any of the rights set out above, please contact us at privacy@credinvestments.com. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
CRED may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. CRED may also contact you to ask you for further information in relation to your request to speed up our response.
CRED will endeavor to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
5. Security
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and each Processor Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor and each Processor Affiliate shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.2 In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.2 In assessing the appropriate level of security, Processor and each Processor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.3 The technical and organizational implemented measures by the Processor and each Processor Affiliate are listed on Annex 2.
5.3 The technical and organizational implemented measures by the Processor and each Processor Affiliate are listed on Annex 2.
6. Subprocessing
6.2 Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as at the date of this DPA, subject to Processor and each Processor Affiliate in each case as soon as practicable meeting the obligations set out in section 6.4.
6.2 Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as at the date of this DPA, subject to Processor and each Processor Affiliate in each case as soon as practicable meeting the obligations set out in section 6.4.
6.3 Controller authorises the Processor to subcontract subprocessors which the Processor considers necessary for the correct service provision of the services agreed in the main contract. Upon Controller´s request, the Processor will provide an updated list of all categories of subcontractors involved in the service provision contracted by the former.
The subprocessor shall also be regarded as processor in the same terms as the Processor in this agreement. In this sense, the Processor agrees to sign a data processing agreement with the third-party subprocessor through which the Subprocessor agrees to comply with the obligations established in this agreement, as a Subprocessor.
In any case, the same data protection obligations will be imposed on the subcontractor in such a way that the processing complies with the provisions of GDPR (being at present date the most comprehensive piece of Personal Data Protection legislation being enforced).
6.3 Controller authorises the Processor to subcontract subprocessors which the Processor considers necessary for the correct service provision of the services agreed in the main contract. Upon Controller´s request, the Processor will provide an updated list of all categories of subcontractors involved in the service provision contracted by the former.
The subprocessor shall also be regarded as processor in the same terms as the Processor in this agreement. In this sense, the Processor agrees to sign a data processing agreement with the third-party subprocessor through which the Subprocessor agrees to comply with the obligations established in this agreement, as a Subprocessor.
In any case, the same data protection obligations will be imposed on the subcontractor in such a way that the processing complies with the provisions of GDPR (being at present date the most comprehensive piece of Personal Data Protection legislation being enforced).
6.4 With respect to each Subprocessor, Processor or the relevant Processor Affiliate shall:
6.4 With respect to each Subprocessor, Processor or the relevant Processor Affiliate shall:
6.4.1 before the Subprocessor first processes Controller Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by the Terms and Conditions;
6.4.1 before the Subprocessor first processes Controller Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by the Terms and Conditions;
6.4.2 ensure that the arrangement between on the one hand (a) Processor, or (b) the relevant Processor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR;
6.4.2 ensure that the arrangement between on the one hand (a) Processor, or (b) the relevant Processor Affiliate, or (c) the relevant intermediate Subprocessor; and on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Article 28(3) of the GDPR;
7. Data Subject Rights
7.1 Taking into account the nature of the Processing, Processor and each Processor Affiliate shall implement appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of its legal obligations, to respond to the exercise of Data Subject rights under the Applicable Laws.
7.1 Taking into account the nature of the Processing, Processor and each Processor Affiliate shall implement appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of its legal obligations, to respond to the exercise of Data Subject rights under the Applicable Laws.
7.2 Processor shall:
7.2 Processor shall:
7.2.1 promptly notify Controller if the Processor or any Subprocessor receives a request from a Data Subject under any Applicable Law in respect of Controller Personal Data; and
7.2.1 promptly notify Controller if the Processor or any Subprocessor receives a request from a Data Subject under any Applicable Law in respect of Controller Personal Data; and
7.2.2 ensure it shall not neither its Subprocessor respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor or the Subprocessor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement prior to having the Subprocessor responding to the request.
7.2.2 ensure it shall not neither its Subprocessor respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor or the Subprocessor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement prior to having the Subprocessor responding to the request.
7.2.3 Given the fact that the Processor shall be Processing the Personal Data while not having it shared with the Controller for certain periods, if a Data Subject exercises his/ her Rights during such a time frame the Processor will fulfill such requests without informing or asking the Controller for instructions.
7.2.3 Given the fact that the Processor shall be Processing the Personal Data while not having it shared with the Controller for certain periods, if a Data Subject exercises his/ her Rights during such a time frame the Processor will fulfill such requests without informing or asking the Controller for instructions.
8. Personal Data Breach
8.1 Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Personal Data Breach on their side, affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under the Applicable Laws. "Such notification shall as a minimum contain the following information:
8.1 Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Personal Data Breach on their side, affecting Controller Personal Data, providing Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under the Applicable Laws. "Such notification shall as a minimum contain the following information:
8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2 communicate the name and contact details of Processor's data protection officer or other relevant contact from whom more information may be obtained;
8.1.2 communicate the name and contact details of Processor's data protection officer or other relevant contact from whom more information may be obtained;
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.1.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.2 Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8.2 Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
Processor and each Processor Affiliate shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, as defined under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
You have the right to stop us processing your personal data for direct marketing purposes. CRED will always inform you if we intend to use your personal data for such purposes, or if CRED intends to disclose your information to any third party for such purposes. You can usually exercise your right to prevent such marketing by checking certain boxes on the forms used to collect your data, or as otherwise stated in the relevant contract detailing our engagement with you. You can also exercise the right at any time by contacting us at privacy@credinvestments.com.
You may also object to us processing your personal data where CRED are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, CRED may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
10. Deletion or return of Controller Personal Data
10.1 Subject to section 10.2, Controller may in its absolute discretion by written notice to Processor request that within thirty (30) days of the Cessation Date require Processor and each Processor Affiliate to (a) return a complete copy of all Controller Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) delete and procure the deletion of all other copies of Controller Personal Data processed by any Subprocessor. Processor and each Processor Affiliate shall comply with any such written request within 30 days of the Cessation Date.
10.1 Subject to section 10.2, Controller may in its absolute discretion by written notice to Processor request that within thirty (30) days of the Cessation Date require Processor and each Processor Affiliate to (a) return a complete copy of all Controller Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) delete and procure the deletion of all other copies of Controller Personal Data processed by any Subprocessor. Processor and each Processor Affiliate shall comply with any such written request within 30 days of the Cessation Date.
10.2 Each Subprocessor may retain Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor and each Processor Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
10.2 Each Subprocessor may retain Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor and each Processor Affiliate shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
10.3 Processor shall provide written confirmation document to Controller certifying that the Processor and its Subprocessors have fully complied with this section 10 within 30 days of the Cessation Date.
10.3 Processor shall provide written confirmation document to Controller certifying that the Processor and its Subprocessors have fully complied with this section 10 within 30 days of the Cessation Date.
10.4 For the purposes of this clause, “delete” means to remove or obliterate Personal Data that it should not be recovered or reconstructed”, “Cessation Date” means the date of cessation of any services involving the processing of Controller Personal Data.
10.4 For the purposes of this clause, “delete” means to remove or obliterate Personal Data that it should not be recovered or reconstructed”, “Cessation Date” means the date of cessation of any services involving the processing of Controller Personal Data.
11. Audit rights
11.1 Processor and each Processor Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA.
11.1 Processor and each Processor Affiliate shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA.
12. General Terms
Governing law and jurisdiction
Governing law and jurisdiction
12.1 Without prejudice to clauses 7 (Mediation and Jurisdiction):
12.1 Without prejudice to clauses 7 (Mediation and Jurisdiction):
12.1.1 the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms and Conditions with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.1.1 the Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms and Conditions with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.1.2 this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms and Conditions.
12.1.2 this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms and Conditions.
Order of precedence
Order of precedence
12.2 Nothing in this DPA reduces Processor's or any Processor Affiliate’s obligations under the Terms and Conditions in relation to the protection of Personal Data or permits Processor or any Processor Affiliate to process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms and Conditions.
12.2 Nothing in this DPA reduces Processor's or any Processor Affiliate’s obligations under the Terms and Conditions in relation to the protection of Personal Data or permits Processor or any Processor Affiliate to process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms and Conditions.
12.3 Subject to section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Terms and Conditions and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
12.3 Subject to section 12.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Terms and Conditions and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Changes in Applicable Laws, etc.
Changes in Applicable Laws, etc.
12.4 Controller may:
12.4 Controller may:
12.4.1 by written notice to Processor propose any other variations to this DPA which Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.4.1 by written notice to Processor propose any other variations to this DPA which Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.5 If Controller gives notice under section 12.4.1:
12.5 If Controller gives notice under section 12.4.1:
12.5.1 Processor and each Processor Affiliate shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 6.4.3; and
12.5.1 Processor and each Processor Affiliate shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 6.4.3; and
12.6 If Controller gives notice under section 12.4.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable.
12.6 If Controller gives notice under section 12.4.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller's notice as soon as is reasonably practicable.
12.7 Neither Controller nor Processor shall require the consent or approval of any Controller Affiliate or Processor Affiliate to amend this DPA pursuant to this section 12.5 or otherwise.
12.7 Neither Controller nor Processor shall require the consent or approval of any Controller Affiliate or Processor Affiliate to amend this DPA pursuant to this section 12.5 or otherwise.
Severance
Severance
12.8 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.8 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
12.9 Contact information of the Parties
12.9 Contact information of the Parties
Each Party is hereby informed that the contact information of their representatives and employees will be processed by the other Party for the purpose of executing, developing, complying and controlling the provision of the agreed services, considering the compliance of the contractual obligations as the legal grounds for the data processing. Personal data will be retained during the term of the commercial agreement and for statutory limitation periods upon termination of the agreement in order to comply with any potential liabilities arising thereof. In addition, each of the Parties shall comply with its obligation of information to their respective representatives and employees.
The data of the Parties may be transferred to banks and financial entities for payment management and collection, to the Tax Authorities and other Public Administrations for the purpose of carrying out the corresponding tax declarations and complying with their respective legal obligations, in accordance with applicable regulations, and to the Public Administrations in the event of statutory requirements.
The Parties may request access to the personal data which is referred to in this clause, its rectification, erasure, portability, and restriction of its processing, as well as objection of said processing, at the address of the Parties as specified in Annex 3.
Each Party is hereby informed that the contact information of their representatives and employees will be processed by the other Party for the purpose of executing, developing, complying and controlling the provision of the agreed services, considering the compliance of the contractual obligations as the legal grounds for the data processing. Personal data will be retained during the term of the commercial agreement and for statutory limitation periods upon termination of the agreement in order to comply with any potential liabilities arising thereof. In addition, each of the Parties shall comply with its obligation of information to their respective representatives and employees.
The data of the Parties may be transferred to banks and financial entities for payment management and collection, to the Tax Authorities and other Public Administrations for the purpose of carrying out the corresponding tax declarations and complying with their respective legal obligations, in accordance with applicable regulations, and to the Public Administrations in the event of statutory requirements.
The Parties may request access to the personal data which is referred to in this clause, its rectification, erasure, portability, and restriction of its processing, as well as objection of said processing, at the address of the Parties as specified in Annex 3.
12.10 Liability
12.10 Liability
The Processor shall be responsible for all penalties and fines arising from the failure to comply with the obligations set under this agreement.
The Processor shall be responsible for all penalties and fines arising from the failure to comply with the obligations set under this agreement.
Annex 1: Description of Processing of Personal Data
Annex 1: Description of Processing of Personal Data
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.
The nature and purpose of the Processing of Personal Data
The nature and purpose of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.
The categories of Data Subject to whom Personal Data relates
The Data Subjects whose Personal Data will be under Processing by the Processor consist of Controller’ prospective customers (natural persons).
The types of Personal Data to be processed
This Annex includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.
The nature and purpose of the Processing of Personal Data
The nature and purpose of the Processing of Personal Data are set out in the Terms and Conditions and the Privacy Policy.
The categories of Data Subject to whom Personal Data relates
The Data Subjects whose Personal Data will be under Processing by the Processor consist of Controller’ prospective customers (natural persons).
The types of Personal Data to be processed
First Name
Last Name
Phone (Company)
Corporate email
Company
Company Address
Role/ Job Title/Department
Company Size
Location/ City
Employment history
Education Background
Social Media Profiles
TimeZone
PhotoURL (meaning weblink to a Data Subject photo)
Date of death
Customer of (companies)
Volunteering Member
Member of Groups
Interests
Followed persons in Social Media
Followed companies in Social Media
Is an investor (Y/N)
Continent; Country; City of residence
Bio
Birthdate
Education
Professional Data
Gender
Estimated professional experience - statistical
Estimated salary range - statistical
Estimated interests based on Social Media - statistical
Estimated pet owner - statistical
Social Media and followers
Languages
Other persons with similar interests and walks of life
First Name
Last Name
Phone (Company)
Corporate email
Company
Company Address
Role/ Job Title/Department
Company Size
Location/ City
Employment history
Education Background
Social Media Profiles
TimeZone
PhotoURL (meaning weblink to a Data Subject photo)
Date of death
Customer of (companies)
Volunteering Member
Member of Groups
Interests
Followed persons in Social Media
Followed companies in Social Media
Is an investor (Y/N)
Continent; Country; City of residence
Bio
Birthdate
Education
Professional Data
Gender
Estimated professional experience - statistical
Estimated salary range - statistical
Estimated interests based on Social Media - statistical
Estimated pet owner - statistical
Social Media and followers
Languages
Other persons with similar interests and walks of life
The obligations and rights of Processor and Processor Affiliates
The Processor has the obligation to meet and observe Applicable Laws’ requirements mainly and specifically the EU Regulation 2016/ 679 (the General Data Protection Legislation – GDPR) which under European Union law takes precedence over each member state local transposition legislation.
The obligations and rights of Processor and Processor Affiliates
The Processor has the obligation to meet and observe Applicable Laws’ requirements mainly and specifically the EU Regulation 2016/ 679 (the General Data Protection Legislation – GDPR) which under European Union law takes precedence over each member state local transposition legislation.
© 2024 CRED. All rights reserved.
At CRED, we are committed to the highest standards of data security and privacy. To affirm our dedication, we are fully SOC 2 and GDPR compliant, having undergone rigorous third-party audits to verify our data handling practices meet all criteria for security, availability, processing integrity, confidentiality, and privacy.
© 2024 CRED. All rights reserved.
At CRED, we are committed to the highest standards of data security and privacy. To affirm our dedication, we are fully SOC 2 and GDPR compliant, having undergone rigorous third-party audits to verify our data handling practices meet all criteria for security, availability, processing integrity, confidentiality, and privacy.