European Data Protection Regulation (GDPR)

Definitions

Subcontractor: GOVR SPRL - identified at the ECB under number 0675.970.531

Controller: Each customer of the processor, individually

Contractual Relationship: the main contract between the Processor and the Data Controller defining the delivery of services and/or products or the collaboration between them, including all its modifications and annexes and all that is subsequently agreed between the Parties.

GoVR, in its capacity as subcontractor, undertakes to comply with the following obligations:

Article 1: Data processing

The Subcontractor undertakes to Process the Data in accordance with the Data Processor's written instructions contained in the Contractual Relationship, if any, or in any official communication from the Data Processor.
If the Subcontractor reasonably considers that an instruction constitutes a breach of the GDPR or other provisions of European Union or Member State law relating to Data Protection ("Disputed Instruction"), it shall immediately inform the Data Processor.

In the event of such notification, the Subcontractor is entitled to suspend the execution of the said Contested Instruction and to continue to Process the Personal Data in accordance with the instructions previously received. The Data Processor shall not be entitled to any compensation or indemnity for this.

If the Processor is obliged under European Union law or the law of the Member State to which it is subject to transfer Personal Data to a third country or to an international organization, it shall inform the Controller of this legal obligation prior to Processing, unless the law concerned prohibits such information for important reasons of public interest.

Article 2: Confidentiality

The Subcontractor undertakes to guarantee the confidentiality of the Personal Data Processed as part of the Contractual Relationship between the Parties.

To this end, access to Personal Data is strictly limited to those persons who, in the context of the performance of the Contractual Relationship between the Parties, need to have access or knowledge thereof.

The obligation of confidentiality remains in force after the termination of the Contractual Relationship between the Parties.

Article 3: Authorized persons

The Subcontractor undertakes that the persons authorized to Process Personal Data:
■ undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;

■ are made aware of / trained in the protection of Personal Data.

Article 4: Technical and organizational measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, as well as the risks, whose degree of probability and seriousness varies, to the rights and freedoms of natural persons, the Subcontractor implements the appropriate Technical and Organizational Measures in order to guarantee a level of security appropriate to the risk.

These Technical and Organizational Measures will include, inter alia and where appropriate, the list of applicable minimum safety measures set out below.

Article 5: Subsequent subcontracting

The Data Processor is authorized to call on the services of another Data Processor (hereinafter referred to as the "Subcontractor"). Through the Contractual Relationship or similar, the Data Controller grants the Subcontractor general authorization to recruit Subsequent Subcontractors.

The Subcontractor may continue to work with subsequent Subcontractors who had already been appointed on the effective date of the DPA provided that the following conditions are met as soon as possible.

These conditions apply to any Subsequent Subcontractor:
■ The Subcontractor must first ensure that the Subsequent Subcontractor presents sufficient guarantees regarding the implementation of appropriate Technical and Organizational Measures so that the Processing meets the requirements of the GDPR.

■ The Subcontractor contractually imposes the same Data protection obligations on the Subsequent Subcontractor as set forth in Article 4.

Within the framework of this general authorization, the Subcontractor undertakes to inform the Data Controller at least two (2) weeks in advance of any contemplated changes concerning the addition or replacement of Subsequent Subcontractors, giving the Data Controller the opportunity to express any objections (based on reasonable grounds) to such changes. Unreasonable and invalid objections include, but are not limited to, undocumented objections. Reasonable and valid objections include, but are not limited to, situations in which the Controller has documented objections to the Subcontractor's ability to protect Personal Data and guarantee its confidentiality. In order to be valid, objections must be raised before the expiry of half of the notification period.

The Subcontractor shall provide a reasoned response to any objections (documented and valid) raised.

If the Subsequent Subcontractor does not fulfil its Data Protection obligations, the Subcontractor remains fully liable to the Data Controller for the performance by the other Subcontractor of its obligations.

Article 6: Rights of Persons Concerned

It is up to the Data Controller to provide data subjects with the information provided in relation to their rights (Chapter III of the GDPR).

To the extent possible, taking into account the nature of the Processing, and by means of appropriate Technical and Organizational Measures, the Subcontractor will provide all reasonable assistance to enable the Data Controller to fulfill its obligation to comply with requests to exercise the rights of data subjects.

Article 7: Assisting the Data Controller with impact analysis and prior consultation

The Subcontractor shall assist the Data Controller in ensuring compliance with its obligations in relation to impact analysis and prior consultation (Articles 35 to 36 of the GDPR), taking into account the nature of the Processing and the information available to the Subcontractor (unless such information is already available to the Data Controller), and shall provide all reasonable assistance to enable the Data Controller to fulfil its obligation to comply with requests to exercise the rights of data subjects.

Article 8: Violation of Personal Data

The Subcontractor shall notify the Controller of any Personal Data Breach as soon as possible after becoming aware of it and without undue delay. This notification shall be accompanied, as far as possible, by any useful documentation to enable the Controller, if necessary, to notify this Breach to the competent supervisory authority.

Article 9: Deletion or return of personal data

The Subcontractor shall delete or cause to be deleted (by Subsequent Subcontractors) all copies of the Personal Data of the Controller, as soon as possible and, in any event, within 12 months from the date on which the service relating to the Processing of the Personal Data has ended (End Date). The Controller is free to require, at its discretion, by means of a written notification to this effect to the Subcontractor within 15 days following the End Date, that the Subcontractor return to it a complete copy of all the Personal Data.

The Subcontractor shall respond to any such written request as soon as possible and no later than 3 months following the End Date.

If, by virtue of European Union law or the law of a Member State, the Subcontractor is required to retain the Data Processor's Personal Data for an imposed period of time, the time periods indicated above will only begin to run at the end of the imposed period. In this case, the Subcontractor will guarantee the confidentiality of this Personal Data and will ensure that this Personal Data of the Data Controller is Processed exclusively for the purposes specified in the legislation that requires it to be retained.

Article 10: Documentation and audit rights

At the request of the Data Controller, the Subcontractor will make available all information necessary to demonstrate compliance with this DPA, and to enable audits or inspections to be carried out by the Data Controller itself or by an auditor appointed by it for this purpose.

The Subcontractor shall be entitled to compensation from the Controller for the communication and provision of the necessary information.

Any audit request must be made in writing at least 15 working days in advance by the Data Controller.

The audit will only take place during working hours and without substantially disrupting the Subcontractor's operational activities. Audits will be invoiced at a daily rate of €1,000.00 (excluding VAT).

Details of the processing of the contractor's personal data

This page contains certain details about the Processing of Personal Data of the Data Controller, as stipulated by Article 28(3) of the GDPR.

Purpose and duration of the Processing of the Data Processor's Personal Data
The purpose and duration of the Processing of the Data Processor's Personal Data are described in the Contractual Relationship and this appendix.

The nature and purpose of the Data Processor's Personal Data Processing
In accordance with legal and regulatory provisions and the Customer's instructions, personal data is used by Fix-IT, in its capacity as subcontractor, to provide IT technical assistance.

Types of Personal Data held by the Data Controller
Personal identification data, hours of attendance

Categories of Data Subjects to whom the Data Controller's Personal Data relates
Staff employed by the Data Controller

Minimum applicable safety measures

1. Security policy
The subcontractor has security policies and procedures. These are periodically reviewed, updated and communicated to staff and authorized third parties.

2. Safety organization
Safety responsibilities are defined and assigned by the subcontractor.

3. Human Resources
The subcontractor's internal and external employees are made aware of information and personal data security, in particular

4. Asset management
The subcontractor has a regularly updated inventory of assets. Rules for the use of these assets are defined and clearly communicated.

5. Physical and environmental security
The subcontractor's premises, where information, data and their processing devices are located, have secure access.

6. Operational Safety 

  • The subcontractor implements anti-virus and anti-malware measures to prevent any alteration or theft of data by malicious software. This protection is regularly updated.

  • The subcontractor has a process for managing access requests.

  • Employee access is limited to the information required to perform their duties. System administrator rights are strictly limited to essential personnel.

  • The subcontractor has a password policy (incl. special characters, minimum length, regular change).

  • The subcontractor has put in place a backup policy that enables data to be restored if necessary (loss, damage, theft, etc.).

  • The use of storage media (USB, external hard disk, etc.) is regulated.

7. Communications security
The subcontractor uses security measures to protect information transfers using secure protocols.

8. Incident management
The subcontractor has a documented incident management procedure that is communicated to authorized personnel and third parties.

9. Continuity
The subcontractor limits the risk of system failure through proper maintenance and redundancy.