Data processing appendix
This Appendix forms an integral part of the Contract and is entered into by:
Each being a "Party" and commonly "Parties".
Preamble
WHERE the Data Importer provides professional software services, computer, and related services;
WHERE pursuant to the Contract, the Data Importer has agreed to provide to the Data Exporter the services specified in the Contract (the "Services");
WHERE, by providing the Services, the Data Importer receives or benefits from access to the Data Exporter's information or the information of other persons having a (potential) relationship with the Data Exporter, such information may be qualified as personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on protecting individuals regarding the processing of personal data and on the free movement of such data ("GDPR") and other applicable data protection laws.
WHERE this Appendix contains the terms and conditions applicable to the collection, processing, and use of such personal data by the Data Importer in its capacity as the authorized data processing agent of the Data Exporter, to ensure that the Parties comply with applicable data protection law.
THEREFORE, and to enable the Parties to continue their relationship lawfully, the Parties have concluded this Appendix as follows:
Part 1
1. Structure of the document and definitions
1.1 Structure
This Appendix comprises different parts as follows:
Part 1: | contains general provisions, e.g. concerning the definitions used in this Appendix, compliance with local laws, timing, and termination |
Part 2: | contains the body of the unamended Standard Contractual Clauses document |
Appendix 1.1 of Part 2: | contains the details of the processing operations provided by the Data Importer to the Data Exporter as the authorized data processing agent (including the processing, nature, and purpose of the processing, the type of personal data, and the categories of data subjects) under this Appendix |
Appendix 2 of Part 2: | contains a description of the Data Importer's technical and organizational security measures, which are applied in connection with all processing activities described in Appendix 1.1 of Part 2 |
Part 3: | contains the signatures of the Parties to be bound by this Appendix and identifies each Data Importer |
1.2 Terminology and definitions
For the purposes of this Appendix, the terminology and definitions used by the GDPR are applicable (In the body of the Standard Contractual Clause document in Part 2, where defined terms are not capitalized).
"Member State" | means a country belonging to the European Union or the European Economic Area |
"Special categories of (personal) data" | refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, if processed for the purpose of uniquely identifying a person, data concerning health, data concerning a person's sex life or sexual orientation |
"Standard Contractual Clauses" | means the Standard Contractual Clauses for transferring personal data of processing agents established in third countries, under Commission Decision 2010/87/EU on the 5th of February 2010, which was amended by the Commission Implementing Decision (EU) 2016/2297 on the 16th of December 2016 |
“Data processor” | means any processing agent, located inside or outside the EU/EEA, who agrees to receive from the Data Importer or any other processor of the Data Importer, personal data for the exclusive purpose of processing activities to be carried out by the Data Exporter after the transfer in accordance with the Data Exporter's instructions, the terms of this Appendix and the Contract with the Data Importer |
2. Obligations of the Data Exporter
2.1 The Data Exporter has an obligation to ensure compliance with all applicable obligations under the GDPR and any other applicable data protection law that applies to the Data Exporter and to show such compliance as required by Article 5 (2) of the GDPR. The Data Exporter warrants that the Data Importer has obtained the prior consent of the data subjects in accordance with Article 6 (a) of the GDPR and has complied with its obligation to inform the data subjects in accordance with Article 13 and 14 of the GDPR.
2.2 The Data Exporter must provide the Data Importer with the respective files of the processing activities in accordance with Article 30 (1) of the GDPR related to the Services under this Appendix, to the extent necessary for the Data Importer to comply with the obligation under Article 30 (2) of the GDPR.
2.3 The Data Exporter must appoint a data protection officer or representative to the extent required by applicable data protection law. The Data Exporter is obliged to provide the contact details of the data protection agent or representative, if any, to the Data Importer.
2.4. The Data Exporter confirms prior to the completion of the processing, by acceptance of this Appendix, that the Data Importer's technical and organizational security measures, as set out in Appendix 2 to Part 2, are appropriate and sufficient to protect the rights of the data subject and confirms that the Data Importer provides sufficient safeguards in this respect.
3. Compliance with local law
In order to meet the requirements of the implementation of the processing agents following Article 28 of the GDPR, the following amendments are applicable:
3.1 Instructions
3.2 Obligations of the Data Importer
3.3 Rights of persons concerned
3.4 Sub-processing
3.5 Expiry
The expiration of this Appendix is identical to the expiration date of the corresponding Contract. Except as otherwise provided in this Appendix, the rights and duties relating to termination shall be the same as those contained in the Contract.
4. Limitation of Liability
4.1 Each party handles its obligations under this Appendix and the applicable data protection legislation.
4.2 Any liability relating to a breach of the obligations under this Appendix or applicable data protection legislation shall be subject to and governed by the liability provisions set out in, or applicable to, the Contract, except as otherwise provided in this Appendix. If liability is governed by the liability provisions set out in or applicable to the Contract, for calculating liability limits or determining the application of other limitations of liability, any liability arising under this Appendix shall be deemed to arise under the Contract.
5. General provisions
5.1 If there are any inconsistencies or discrepancies between Parts 1 and 2 of this Appendix, Part 2 shall prevail. Specifically, even in such a case, Part 1 which simply goes beyond Part 2 (i.e. the terms of Standard clauses) without contradicting it shall remain valid.
5.2 If any discrepancy arises between the provisions of this Appendix and those of other contracts binding the parties, this Appendix shall prevail regarding the parties' data protection obligations. In case of doubt as to whether clauses in other contracts concern the parties' data protection obligations, this Appendix shall prevail.
5.3 If any provision of this Appendix is invalid or unenforceable, the remainder of this Appendix shall remain in full force and effect. The invalid or unenforceable provision will be (i) amended to ensure its validity and enforceability, while preserving as far as possible the intention of the parties, or - if this is not possible - (ii) interpreted as if the invalid or unenforceable part had never been part of the contract. The foregoing shall also apply if there is an omission in this Appendix.
5.5 To the extent necessary, the Parties may request amendments to Part 1, Clause 3 (Compliance with local law) or other parts of the Appendix in order to comply with interpretations, directives, or orders issued by the competent authorities of the Union or the Member States, national enforcement provisions, or any other legal developments concerning the GDPR or other conditions of delegation to any entities involved in data processing and specifically regarding the use of the Standard Contractual Clauses in the GDPR. The terms of the Standard Contractual Clauses may not be modified or replaced unless the European Commission expressly approves it (e.g. by new adequate clauses and data protection standards).
5.6 Any reference in this Appendix to the " Clauses " shall be understood to refer to all the provisions of this Appendix unless otherwise stated.
5.7 The choice of law in Part 2, Clause 9 applies to the entire Contract.
6. Personal data transmitted and processed by the parties for personal purposes (transfer from the data controller to the data controller)
6.1 The Parties know fully that certain personal data will be transferred from the Data Exporter to the Data Importer and vice versa, and that such data is processed by each Party for its own purposes. Regarding such personal data, it does not affect the other provisions of this Appendix (except for this clause 6).
6.2 The Data Exporter may transfer personal data relating to the staff of the Data Importer to the Data Importer, including information on security incidents, or any other documents or files created or established by the Data Exporter in connection with the Services provided by the staff of the Data Importer. The Data Importer may process such personal data for its own purposes, in particular in its professional relations with the Data Importer's personnel, for quality control and training, or for business purposes.
6.3. The Data Importer may transfer personal data to the Data Exporter, including the name and contact details of the Data Importer's personnel. The Data Exporter may process such personal data for its own purposes.
6.4 Both parties shall comply with any applicable data protection laws, including the GDPR, in collecting, processing, and using such personal data received from the other party under clause 1 of Part 1. In particular, both Parties shall take adequate security measures, providing a similar level of protection to the security measures set out in Appendix 2 of Part 2. Any access to such personal data shall be limited to the need to know them.
6.5 Both Parties must delete such personal data as soon as possible after the objectives have been achieved.
Part 2
DECISION OF THE COMMISSION
on the 5th February 2010
on standard contractual clauses for the transfer of personal data to data processors established in third-party countries under the 95/46/EC Directive of the European Parliament and of the Council
Clause 1
Definitions
Within the meaning of the clauses:
a) 'personal data', 'special categories of data', 'processing/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in the 95/46/EC Directive of the European Parliament and of the Council of the 24th October 1995 on protecting individuals regarding the processing of personal data and on the free movement of such data (1);
b) the 'Data Exporter' is the Data controller transferring the personal data;
c) the 'Data Importer' is the Data processor who agrees to receive from the Data Exporter personal data intended to be processed on behalf of the Data Exporter after the transfer in accordance with its instructions and under the terms of these clauses and who is not subject to the mechanism of a third country ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; (d) 'Data processor' means the Data processor engaged by the Data Importer or by any other Data processor of the Data Importer who agrees to receive from the Data Importer or any other Data processor of the Data Importer personal data exclusively for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with the instructions of the Data Exporter, under the conditions set out in these Clauses and under the terms of the written sub-contracting the data processing contract;
e) "applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals, including the right to privacy regarding the processing of personal data, and applying to a controller in the Member State where the Data Exporter is established;
f) “technical and organizational measures relating to security” means measures intended to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over networks, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer, including, where appropriate, special categories of personal data, are specified in Appendix 1, which forms an integral part of these clauses.
Clause 3
Third-party beneficiary clause
1. The data subject may enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e) and (g) to (j), Clause 6 (1) and (2), Clause 7, Clause 8(2) and Clauses 9 to 12 as a third party beneficiary
2. The data subject may enforce this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12 against the Data Importer where the Data Exporter has physically disappeared or has ceased to exist in law, unless all of his legal obligations have been transferred, by contract or by operation of law, to the successor entity, to which the rights and obligations of the Data Exporter therefore revert, and against which the data subject can therefore enforce the said clauses.
The data subject may enforce this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12 against the Data processor, but only in cases where the Data Exporter and the Data Importer have physically disappeared, ceased to exist in law or have become insolvent, unless all the legal obligations of the Data Exporter have been transferred, by contract or by operation of law, to the legal successor, to whom the rights and obligations of the Data Exporter are therefore vested, and against whom the data subject may therefore enforce such clauses. Such liability of the Data processor must be limited to its own processing activities under these clauses.
4. The parties do not object to the data subject being represented by an association or other body if he or she so wishes and if national law so allows.
Clause 4
Obligations of the Data Exporter
The Data Exporter accepts and guarantees the following:
a) the processing, including the actual transfer of personal data, has been and will continue to be carried out in accordance with the relevant provisions of applicable data protection law (and, where applicable, has been notified to the competent authorities of the Member State in which the Data Exporter is based) and does not infringe the relevant provisions of that State;
b) they have instructed, and will instruct for the duration of the personal data processing services, the Data Importer to process the personal data transferred on the sole behalf of the Data Exporter and in accordance with applicable data protection law and these clauses;
c) the Data Importer will provide sufficient safeguards regarding the technical and organizational security measures specified in Appendix 2 to the present contract;
d) after evaluation of the requirements of the applicable data protection law, the security measures are adequate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing and ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the level of technology and the cost of implementation;
e) they will ensure compliance with security measures;
f) if the transfer relates to special categories of data, the data subject has been informed or will be informed before the transfer, or as soon as possible after the transfer that his or her data may be transferred to a third country that does not offer an adequate level of protection within the meaning of Directive 95/46/EC;
g) they will forward any notification received from the Data Importer or any Data processor under Clauses 5 (b) and 8 (3) to the data protection supervisory authority if it decides to continue transferring or to lift its suspension;
h) they shall make available to data subjects, if they so request, a copy of these Clauses, except for Appendix 2, and a summary description of the security measures, and a copy of any further subcontracting agreement, concluded under these Clauses unless the Clauses or the agreement contain commercial information, in which case he may withdraw such information;
i) in case of sub-contracting the data processing process, the processing activity is carried out in accordance with Clause 11 by a Data processor providing at least the same level of protection of personal data and data subject's rights as the Data Importer under these Clauses; and
j) it will ensure compliance with Clause 4 (a) to (i).
Clause 5
Obligations of the Data Importer
The Data Importer accepts and guarantees the following:
a) they will process the personal data only on behalf of the Data Exporter and under the Data Exporter's instructions and these clauses; if it cannot comply for any reason, they agree to inform the Data Exporter of its inability as soon as possible, in which case the Data Exporter may suspend the data transfer and/or end the contract;
b) they have no reason to believe that the law applicable to them prevents him from fulfilling the instructions given by the Data Exporter and the obligations incumbent upon him under the contract, and if such law is subject to a change which could have a material adverse effect on the warranties and obligations under the Clauses, he shall notify the Data Exporter of the change without delay after becoming aware of it, in which case the Data Exporter may suspend the data transfer and/or end the contract; (c) they have implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
d) they will notify the Data Exporter without delay:
i) any binding request for disclosure of personal data from a law enforcement authority, unless otherwise specified, such as a criminal prohibition aimed at preserving the secrecy of a police investigation;
ii) any incidental or unauthorized access; and
iii) any request received directly from the persons concerned without replying to it unless he has been authorized to do so; administrators
e) they will deal promptly and properly with all inquiries from the Data Exporter concerning its processing of the personal data being transferred and will act under the opinion of the supervisory authority regarding the processing of the data transferred;
f) at the request of the Data Exporter, they will subject its data processing facilities to an audit of the processing activities covered by these clauses to be carried out by the Data Exporter or a supervisory body composed of independent members with the requisite professional qualifications, subject to an obligation of secrecy and chosen by the Data Exporter, where appropriate with the agreement of the supervisory authority;
g) they will make available to the data subject, if he so requests, a copy of these Clauses, or any existing sub-contracting the data processing contract, unless the Clauses or the contract contain commercial information, in which case it may remove such information, except for Appendix 2, which will be replaced by a summary description of the security measures, where the data subject cannot obtain a copy from the Data Exporter;
h) in the case of confidential further sub-contracting the data processing, he will ensure that he informs the Data Exporter in advance and obtains the Data Exporter's written consent;
i) the processing services provided by the Data processor shall comply with Clause 11;
j) they will promptly send a copy of any sub-contracting of the data processing agreement entered into by it under these Clauses to the Data Exporter.
Clause 6
Responsibility
1. The parties agree that any data subject who has suffered damage because of a breach of the obligations referred to in Clause 3 or Clause 11 by one party or by a Data processor may obtain compensation from the Data Exporter for the damage suffered.
2. If a data subject is prevented from bringing an action for damages as referred to in paragraph 1 against the Data Exporter for failure by the Data Importer or its Data processor to comply with any of its obligations under Clause 3 or Clause 11 because the Data Exporter has physically disappeared, ceased to exist in law or has become insolvent, the Data Importer agrees that the data subject may lodge a complaint against it as if it were the Data Exporter unless all legal obligations of the Data Exporter have been transferred, by contract or by operation of law, to its successor entity, against which the data subject may then enforce his rights. The Data Importer may not rely on a breach of its obligations by a Data processor to avoid its own liability.
3. If a data subject is prevented from bringing the action referred to in paragraphs 1 and 2 against the Data Exporter or the Data Importer for breach by the Data processor of its obligations under Clause 3 or Clause 11 because the Data Exporter and the Data Importer have physically disappeared, ceased to exist in law or have become insolvent, the Data processor agrees that the data subject may lodge a complaint against it regarding its own processing activities in accordance with these clauses as if it were the Data Exporter or Data Importer unless all legal obligations of the Data Exporter or Data Importer have been transferred, by contract or by operation of law, to the legal successor, against whom the data subject may then assert his rights. The liability of the Data processor must be limited to its own processing activities in accordance with these clauses.
Clause 7
Mediation and jurisdiction
1. The Data Importer agrees that if under the clauses, the data subject invokes against him the right of the third party beneficiary and/or claims compensation for the prejudice suffered, he will accept the decision of the data subject:
a) to submit the dispute to mediation by an independent person or, where appropriate, the supervisory authority;
b) to bring the dispute before the courts of the Member State where the Data Exporter is based.
2. The parties agree that the choice made by the data subject shall not affect the procedural or substantive right of the data subject to obtain redress in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The Data Exporter agrees to deposit a copy of the present contract with the supervisory authority if the latter so requires or if such deposit is provided for by the applicable data protection law.
2. The parties agree that the supervisory authority may carry out checks at the Data Importer and any Data processor to the same extent and under the same conditions as with checks carried out at the Data Exporter in accordance with applicable data protection law.
3. The Data Importer shall inform the Data Exporter as soon as possible of the existence of legislation concerning the Data Importer or any Data processor which prevents verification at the Data Importer or any Data processor in accordance with paragraph 2. In such a case, the Data Exporter may take the measures provided for in Clause 5 (b).
Clause 9
Applicable law
The clauses apply and are governed by the law of the Member State where the Data Exporter is based.
Clause 10
Modification of the contract
The parties undertake not to modify the present clauses. The parties remain free to include other commercial clauses that they deem necessary, provided that they do not contradict the present clauses.
Clause 11
Subsequent subcontracting
1. The Data Importer shall subcontract none of its processing activities carried out on behalf of the Data Exporter under these clauses without the prior written consent of the Data Exporter. The Data Importer shall only subcontract its obligations under these Clauses, with the consent of the Data Exporter, through a written agreement with the Data processor imposing on the Data processor the same obligations as those imposed on the Data Importer under these Clauses. If the Data processor cannot comply with its data protection obligations under that written agreement, the Data Importer shall remain fully responsible to the Data Exporter for the fulfillment of those obligations.
2. The prior written agreement between the Data Importer and the Data processor shall also include a third-party beneficiary clause as set out in Clause 3 for cases where the data subject is prevented from bringing the claim for damages referred to in Clause 6 (1), against the Data Exporter or Data Importer because the Data Exporter or Data Importer has physically disappeared, ceased to exist in law or has become insolvent and all legal obligations of the Data Exporter or Data Importer have not been transferred, by contract or by operation of law, to another successor entity. Liability of the Data processor must be limited to its own processing activities in accordance with these clauses.
3. The provisions relating to the data protection aspects of sub-contracting the data processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
4. The Data Exporter shall keep a list of the sub-contracting the data processing agreements concluded under these Clauses and notified by the Data Importer in accordance with Clause 5 (j), which shall be updated at least once a year. This list shall be made available to the Data Exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that upon completion of the data processing services, the Data Importer and the Data processor will, at the Data Exporter's convenience, return all personal data transferred and copies thereof to the Data Exporter, or destroy all such data and provide proof the destruction to the Data Exporter, unless legislation imposed on the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer guarantees that it will ensure the confidentiality of the personal data transferred and that it will no longer actively process the data.
2. The Data Importer and the Data processor shall ensure that, if so requested by the Data Exporter and/or the supervisory authority, they will subject their means of data processing to verification of the measures referred to in paragraph 1.
Appendix 1.1 to Part 2
Details of the transfer
Data Exporter
The Data Exporter is the Customer defined in the Contractual agreement.
Data Importer
The Data Importer is POSTCODEZIP and is assigned to process the data, providing services to the Data Exporter.
Subjects of the data
The personal data transferred concern the following categories of data subjects:
☐ telephone subscribers listed in the universal directory
☒ Others, including:
Categories of data
The personal data transferred concern the following categories of data:
Categories of personal data of the Data Exporter's data subjects in particular,
☐ Full name
☒ Postal address
☐ Contact details (e-mail, telephone, IP address, etc.)
☐ Details of marketing activities concerning the telephone subscriber
☒ Others, including the type of housing, income, and average ages by the city made anonymously
Special categories of data (if applicable)
The personal data transferred concern the following special categories of data:
☒ The transfer of special categories of data is not foreseen
☐ Race or ethnic origin
☐ Religious or philosophical beliefs
☐ Trade union membership
☐ Political views
☐ Genetic information
☐ Biometric information
☐ Information on sexual orientation or sexual life
☐ Health data
Processing activities
The personal data transferred will be subject to the following basic processing activities:
The processing undertaken on behalf of the Data Exporter is based on the following subjects, in particular:
☒ Taking charge of the products or services offered by the Data Exporter
☒ The offer of a product or service that the called person can request
☒ Orders taken from the persons called and further processing of these orders
☒ Study questionnaires and analyses
☒ Telemarketing
☐ Others, including:
The Data Importer processes the personal data of the data subjects on behalf of the Data Exporter, in order to provide the following services, and most notably:
☒ Sales and Marketing
☒ Others, including updating databases of town halls and political parties
POSTCODEZIP mainly combines, centralizes, and provides services to the Data Exporter. The services provided by the named service provider may be structured (among others as appropriate) around the following ancillary services: (i) provision of applications, tools, systems, and IT infrastructure in relation to the data processing centers used, in order to provide and support the services, including the processing of the personal data of the data subjects as described above, via such applications, tools, and systems, (ii) the provision of IT support, maintenance and other services relating to such applications, tools, systems and IT infrastructure, including potential access to personal data stored in such applications, tools, and systems, and (iii) the provision of data protection services, protection monitoring, and incident response services, including potential access to personal data when providing such protection services. POSTCODEZIP may engage Data processors as set below to provide the services, including ancillary services.
POSTCODEZIP engages external and third-party service providers, which are not subsidiaries of POSTCODEZIP, to support the provision of services to the Data Exporter. The Data Exporter approves such external third-party service providers as sub-entities assigned to data processing.
If a sub-entity involved in data processing is located outside the EU/EEA, in a country deemed not to have an adequate level of data protection under a decision of the European Commission, the Data Importer will take steps to obtain an adequate level of data protection in accordance with the GDPR and section 3.4 (iv) of Part 1.
Appendix 2, Part 2
Technical and organizational protective measures
The Data Importer shall take the following technical and organizational protection measures confirmed by the Data Exporter, in order to guarantee an appropriate level of security for the rights and freedoms of individuals, depending on the risks. In assessing the level of protection concerned, the Data Exporter has considered, in particular, the risks involved in the processing, including accidental or unlawful destruction, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed. By clarification: These technical and organizational protection measures do not apply to the applications, tools, systems, and/or IT infrastructure provided by the Data Exporter.
1 General technical and organizational protection measures |
1.1 General information and data protection strategies |
The following steps should be taken to follow general data and information protection strategies: |
|
|
|
|
|
1.2 Organization of information protection |
The following measures should be taken in order to coordinate data and information protection activities: |
|
|
|
1.3 Access control to processing areas |
The following measures must be taken to prevent unauthorized persons from gaining access to data processing systems (in particular software and hardware) when personal data are processed, stored, or transmitted: |
|
|
|
|
1.4 Access control to data processing systems |
The following measures must be taken in order to prevent unauthorized access to data processing systems: |
|
|
|
|
|
|
1.5 Controlling access to particular areas of use of data processing systems |
The following measures must be taken to ensure that authorized persons with the right to use the data processing system can only access data within their respective responsibilities and access authorizations and that personal data cannot be read, copied, modified, or deleted without authorization: |
|
|
|
|
|
|
|
1.6 Transmissions control |
The following measures must be taken in order to prevent personal data from being read, copied, modified, or deleted by unauthorized third parties during the transmission or transport of data storage devices (depending on the processing of personal data undertaken): |
|
|
|
1.7 Data entry control |
The following measures must be taken to ensure that it is possible to verify and determine whether personal data have been entered into or deleted from data processing systems and by whom: |
|
|
1.8 Work control |
In the case of delegated processing of personal data, the following measures must be taken to ensure that such data are processed in accordance with the instructions of the Supervisor: |
|
|
|
|
1.9 Separation from processing for other purposes |
The following measures must be taken to ensure that data collected for other purposes can be processed separately: |
|
|
1.10 Pseudonymization |
The following measures must be taken regarding the pseudonymization of personal data: |
|
|
1.11 Encryption |
The following steps should be taken to encrypt personal data in applications and transmissions that support encryption:
|
|
|
1.12 Completeness of data processing systems and services |
The following measures must be taken in order to ensure the completeness of data processing systems and services: |
|
|
|
1.13 Availability of data processing systems and services and the possibility of restoring access to and use of personal data in the event of a material or technical incident |
The following measures must be taken in order to ensure the availability of data processing systems, as well as to be able to quickly restore the availability of and access to personal data, in the event of a material or technical incident (in particular by ensuring that personal data are protected against accidental destruction or loss): |
|
|
|
|
|
|
|
1.14 Resilience of data processing systems and services |
The following measures must be taken to ensure the resilience of data processing systems and services: |
|
|
|
1.15 Procedure for regularly testing, evaluating, and assessing the effectiveness of technical and organizational measures to ensure the security of data processing |
Procedure for regularly testing, evaluating, and assessing the effectiveness of technical and organizational measures to protect data processing. |
|
|
|
Part 3
Signatures of the parties and list of Data Importers
When you fill in the online order form and validate it by ticking the box accepting the general terms and conditions of use, the contract governing the relationship between the Customer and POSTCODEZIP is established.
Sending the payment to POSTCODEZIP will consider the contract agreed to and established.
Take a note: This text has been translated from French. The original French version, which is valid and legally restrictive, is available here.