For European agreements contracted with our European entity, Aspiration Marketing S.R.L., we apply the following
Effective date: March 1, 2021
Between Aspiration Marketing S.R.L., also referred to as “Provider” and you, also referred to as “Beneficiary”.
This Agreement regulates the conditions applicable to the processing of personal data by the Provider when and while providing services for the Beneficiary. Through this Agreement, the parties intend to ensure that the processing of personal data is carried out in compliance with the relevant legislation on the protection of personal data, including EU Regulation no. 2016/679, respectively with respect to the rights of individuals whose personal data is processed.
1. Definitions of terms
In this Agreement, the following terms shall be defined as follows:
- The "EEA" represents the European Economic Area, consisting of the EU Member States, the United Kingdom, Norway, Iceland and Liechtenstein.
- "Data protection legislation" represents the EU Regulation no. 2016/679 ("GDPR") as well as any other related normative acts.
- "Operator" means any individual or company who, alone or with individuals/companies, establishes the purposes and means of processing personal data.
- "Authorized Person" means the individual or company who processes personal data on behalf of the Operator.
- "Personal Data" means any information regarding an identified or identifiable individual.
- “Data Subject” means any individual whose personal data is processed.
- "Security breach of personal data" means a breach of security that accidentally or illegally leads to the destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to it.
- "Services" means any services provided by the Provider to the Beneficiary
2. Rules Regarding the Processing of Personal Data
2.1. The Provider will process the Personal Data as an Authorized Person, in order to provide the Services/Scope of Work, when the provision of the Services requires the processing of Personal Data.
2.2. The Provider undertakes to process the Personal Data according to the Operator's instructions and in compliance with the Data Protection Legislation.
2.3. The Beneficiary, as Operator, has the obligation to ensure that:
- complies and will comply, throughout the Scope of Work and this Agreement, with the Data Protection Legislation regarding the Processing of Personal Data of the Data Subjects.
- collects Personal Data in compliance with the relevant legal provisions and has the consent of the Data Subjects for the transfer of such data to the Provider, or ensures and obeys with all conditions provided by the law for the Provider to process Personal Data in compliance with the related legal provisions.
2.4. The Provider, as the Authorized Person, will ensure that:
- Processes Personal Data in compliance with its obligations under the Data Protection Legislation, as well as in compliance with the Beneficiary's Instructions and the provisions of the Scope of Work and this Agreement.
3. Subcontracting the Processing of Personal Data
3.1. The Provider may subcontract its obligations, respectively may appoint another Authorized Person for the processing of Personal Data, under the following conditions:
- With the prior written consent of the Beneficiary and
- Only by entering in a contract concluded with the subcontractor the same obligations that the Provider has assumed towards the Beneficiary through this Agreement.
4. Security of Personal Data Processing
4.1. The Provider undertakes to implement the appropriate security measures to ensure the security of the Processing of Personal Data, as well as to ensure the confidentiality of the Personal Data that it processes. In this sense, the Provider will take into account the provisions of art. 32 of Regulation (EU) 2016/679, following to implement the security measures imposed by the Regulation, when they are mandatory.
4.2. The Beneficiary undertakes to implement adequate security measures to ensure the security of Personal Data Processing, in accordance with the provisions of Regulation (EU) 2016/679 and other applicable normative acts and/or good practices, regarding its activities of data processing.
4.3. If the Provider or any Authorized Person empowered by them becomes aware of a breach of the security of personal data, the Provider will immediately inform the Beneficiary and provide them with all the necessary information so that they can fulfill their obligations to report to the adequate Supervising Authority and/or in order to inform the Data Subjects. At the same time, the Provider will provide the Beneficiary with all the necessary assistance, without additional costs, in order to remedy the security incident and mitigate its negative effects.
5. Transfer of Personal Data
5.1. The Provider will not transfer the Personal Data that it processes under this Agreement, as an Authorized Person, outside the EEA, unless the transfer is made for the sole purpose of the Scope of Work.
6. Deletion and/or Return of Personal Data
6.1. Within no more than 30 days from the termination of the Scope of Work, the Provider, at the Beneficiary’s choice, will delete or return all Personal Data processed under this Agreement (including any copies in their possession).
6.2. As an exception, even after the termination of the Scope of Work, the Provider will keep Personal Data, if required by a legal obligation. In such a situation, the Provider will archive this data and/or will implement any necessary technical measures to prevent further processing. The provisions of this Agreement shall continue to have effect in respect of such data.
7. Cooperation Between the Parties
7.1. In the event that the Provider receives any request regarding the Processing of Personal Data from Data Subjects, Supervising Authorities or any other third parties, the Provider will redirect the received request to the Beneficiary. The Beneficiary will formulate and send a response to the request’s author in accordance with the provisions of the Data Protection Legislation.
7.2. The Provider will not respond to any such requests, except in the following situations:
- The Provider has received the written authorization of the Beneficiary to formulate and send a response.
- The Provider has a legal obligation to respond to the request. In this scenario, the Provider will inform the Beneficiary and will provide a copy of the response sent.
7.3. The Provider will assist the Beneficiary, at no additional cost, by providing any information it holds, so that:
- The Beneficiary can formulate any necessary response according to the Data Protection Legislation, to the requests received from the Data Subjects, Supervising Authorities or other third parties;
- The Beneficiary is able to fulfill their legal obligations according to the Data Protection Regulations, including the evaluation of the impact of data protection (art. 35 of the Regulation).
8. Liability of the Parties
8.1. According to the Regulation, the Provider, as the Authorized Person, is liable for the damage it may cause through its processing operations that violate the provisions of the Regulation when:
- has not fulfilled the obligations stipulated in the Regulation
- did not follow the Beneficiary's instructions
- any the other situations stated by law.
8.2. At the same time, in case of breach of the obligations assumed by this Agreement, and/or breach of the legal obligations, the Provider undertakes to fully repair the damage caused to the Beneficiary.
8.3. Any eventual fine applied to the Beneficiary for violating the obligations assumed under the Regulation will be paid by the Provider, if the cause of the fine was the non-fulfillment of the obligations assumed by the Provider according to the Agreement or non-fulfillment of its legal obligations. Also, any damage caused to the Data Subjects will be repaired by the Provider in the situation where the damage was caused by them, even if the Data Subject requests the repair of the damage from the Beneficiary.
8.4. The Beneficiary is liable for the damage caused by its processing operations carried out in violation of the Regulation. The Beneficiary shall also be liable for breach of its obligations under this Agreement under the law.
9. Other Clauses
9.1. Your physical address will determine Jurisdiction, Contracting Entity; Applicable Law; Notice as specfied here.
9.2. This Agreement may only be amended by addendums signed by both parties.