Data Processing Agreement
entered into on (date) by and between
GBD Consulting and Services Private limited company, a company incorporated under the laws of Hungary, seated: Határ út 12., Újlengyel, 2724, Hungary. Tax number: HU27325162, Company Reg. Number: 13-10-042025 (collectively referred to as: “Data Processor”, “Processor”, “Provider”, “we”, or “us”), and
Company name (address) (collectively referred to as: “Data Controller”, “Controller”, or “you”).
Data Controller and Data Processor are hereinafter also jointly referred to as “Parties” and each separately as a “Party”.
The Data Processing Agreement (collectively referred to as: “Agreement”) forms part of the Terms of Service (collectively referred to as: “Terms of Service”) by and between the Parties and is subject to the Terms of Service. In the event of any discrepancies between the Terms of Service and this Agreement, the provisions of this Agreement in relation to personal data protection shall prevail.
The service provided by Provider to the Controller may require Provider to process Personal Data (as defined below). The Parties wish to ensure that the Personal Data processing is in conformity with the applicable laws, in particular with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) – from the moment it shall apply – and with other applicable personal data protection laws.
For the purposes of this Agreement, the Data Controller is the controller of the Personal Data and Provider is the processor of such data, except when the Data Controller acts as a processor of the Data Controller’s Personal Data, in which case Provider is a sub-processor. The detailed scope of Personal Data and the categories of data subjects are as defined below.
It is agreed that by signing (accepting) this Data Protection Agreement any previous Data Protection Agreements between the Data Controller and Data Processor are terminated with immediate effect. Nothing within this agreement relieves either the Data Processor or the Data Controller of its own direct responsibilities and liabilities under the GDPR.
“Data Processor” – a person or company who deals with personal data as instructed by a controller for specific purposes and services offered to the controller that involve personal data processing.
“GDPR” – Regulation (EU) 2016/679 of The European Parliament and of The Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. Personal Data relating to the Service is data entrusted to us by our Data Controller for processing and processed in relation to the use of the Service.
“EmailAcademy”: service provided by Provider.
“Website”: emailacademy.com and any of its subdomains. Website is operated by Provider.
"Service" or "Services": as defined in the Terms of Service.
2. BACKGROUND OF DATA PROCESSING
This Data Processing Agreement applies exclusively to the processing of Personal Data that is subject to EU Data Protection Law in the scope of the Terms of Service and this Data Processing Agreement of even date hereof between the parties for the provision of the Service.
Pursuant to Article 28 (3) of the GDPR, the Controller engages Provider in processing the Personal Data and Provider hereby accepts the processing. This Agreement sets out certain information regarding the processing of the Personal Data as required by the GDPR.
The Parties have entered into this Data Processing Agreement in order to benefit from the expertise of the Processor in processing the Personal Data for the purposes set out below and in the Terms of Service. The Data Processor shall be allowed to exercise its own discretion as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Agreement and the Terms of Service.
The Data Processor provides the Data Controller with whatever information it needs to ensure they both meet the obligations under GDPR. The Data Controller is responsible for maintaining Data Subjects’ rights. The Data Processor assists the Data Controller in allowing Data Subjects to exercise their rights.
The Data Controller warrants that it has all necessary rights to provide the Personal Data to Data Processor for the Processing to be performed in relation to the Services. To the extent required by applicable data protection law, Data Controller is responsible for ensuring that any necessary data subject consents to this processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and Data Processor remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data.
The Data Controller must have a legal basis before beginning processing and should document it. The Data Processor reserves the right to ask the Data Controller for their documented lawful basis for processing. If requested the Data Controller must present their documented lawful basis for processing immediately but not later than 7 days.
The Data Controller represents and warrants that, while using the Service, it will not upload any kind of special categories of personal data to the Website, neither its own special categories of personal data nor those of the data subjects to whom the email campaigns are addressed.
Special categories of personal data include but are not limited to any government-issued identification number; credit or debit card details or financial account number, with or without any code or password that would permit access to the account; or information on race, religion, ethnicity, sex life or practices or sexual orientation, medical or health information, genetic or biometric information, biometric templates, political or philosophical beliefs, political party or trade union membership, or information on any judicial or administrative proceedings.
3. NATURE AND PURPOSE OF DATA PROCESSING
The purpose of processing Personal Data is the performance of the Service as set out in the Terms of Service, which includes the following processing activities: collection, recording, storage, adaptation, alteration and backing up of Personal Data, as well as other activities as required to provide the Service.
TYPE OF PERSONAL DATA, SUBJECT OF THE PROCESSING
The Controller engages Provider in processing of the Personal Data of the following category of data subjects:
- Contacts: including persons whose Personal Data are on the Email list.
The Controller engages Provider for processing of the following categories of Personal Data:
- Email list: Email addresses uploaded by the Controller to the Website and which are subject of the Service.
- IP addresses: IP addresses uploaded by the Controller to the Website and which are subject of the Service.
- Additional information: any Personal Data that is uploaded by the Data Controller into the Data Processor’s system.
4. DURATION OF PROCESSING
The Data Processor will only process the Personal Data according to the Service as set out in the Terms of Service and for the duration of the Terms of Service, except as required to comply with a legal obligation to which the Data Processor is subject. In such a case, the Data Processor shall inform the Data Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller.
5. USE OF SUB-PROCESSORS
To ensure proper provision of the Service, Controller authorizes Processor to engage other processors for carrying out processing activities.
For the avoidance of doubt and without limiting the general authorization granted to Processor in the preceding sentence, the Controller agrees to the sub-processors listed currently as set forth on the website of EmailAcademy.
In the event of sub-processing, Processor warrants that the processing activity is carried out in accordance with this Data Processing Agreement by a written agreement with the sub-processor providing at least the same level of protection and confidentiality for the Personal Data and the rights of data subject as the Processor under these clauses.
If no other legal basis applies, Personal Data shall be transferred from the EU to third countries only if at least one of the following conditions is met:
- the transfer is necessary for the performance of a contract between the Controller and the Processor or of pre-contractual measures taken at the Controller’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Controller between the Processor and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent. In such cases, the Processor shall inform the Controller about the legal bases the transfer is based on via this Website.
The Data Processor may use and disclose other data (not personal data) for any purpose, except where the Data Processor is not allowed to under applicable law. By using our Service and integrating your third-party email marketing account in our Service you agree that we can programmatically access and check your reports and may retain some information and statistics of your verified email addresses. Shared Personal Data will be anonymized with SHA-512 hashing, therefore such shared data will be anonymous information.
6. RETURNING OR DELETION OF PERSONAL DATA
Upon termination of this Data Processing Agreement, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Service whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy, or return all Personal Data to the Data Controller and destroy or return any existing copies.
The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
Unless you withdraw your consent, the Data Processor will keep your Personal Data for up to 1 year after we stop providing you with our services.
Data Controller has the right to delete personal data and files at any time. In order to ensure the proper functionality of Processor’s systems the files are stored in back-ups for 5 further days after deletion.
The Processor may be allowed to retain Personal Data for a longer period, and the Processor may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
7. SECURITY OF THE PROCESSING
The Data Processor takes appropriate measures to ensure the security of Data Processing. In order to avoid unauthorized use of Personal Data and to avoid misuse of such data, the Data Processor has taken comprehensive technical and operational safety measures. Our safety procedures have been regularly reviewed and improved in line with technological development and with Article 32 of the GDPR, such as:
- The Data Processor protects the security of the Personal Data while it is being transmitted by using a secure connection.
- The data is processed automatically on the Data Processor’s servers, without human interaction. If the Data Controller requests, or in certain cases when the Data Processor needs to review user activities, the Data Processor’s colleagues have the right to review files uploaded and result files provided on the Data Processor’s Website. In case the Data Processor needs to investigate a complaint, the Data Processor has the right to process or re-process data in its system.
- All contractors of the Data Processor accessing Personal Data are required to sign a non-disclosure agreement and data processing agreement.
- Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as strictly confidential and it shall inform all its employees, agents and/or sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
- The Data Processor regularly monitors its systems for possible vulnerabilities and attacks and carries out penetration testing to identify ways to further strengthen security.
- The Data Processor completes data protection impact assessments at least once a year and takes necessary actions to improve data security if any improvement areas are found.
The Data Processor will keep all Personal Data confidential and not disclose such data to third parties except as expressly provided herein, unless it has been authorized by the Data Controller or is required by law. Processor undertakes to make Personal Data known only to those who need to know it and at the same time undertake that the above persons are fully aware of the obligations of Processor arising from the present agreement and that they assume the same obligations as those set out in this agreement. Processor recognizes that its obligations regarding Personal Data, non-disclosure and non-use of such information will continue to apply if this agreement or the Terms of Service expire or are replaced for any reason.
The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
The Data Processor shall assist the Controller in replying to requests received from data subjects. Upon receiving a complaint, inquiry or request related to the Controller’s Personal Data directly from data subjects, Processor will notify the Controller within 15 days from the receipt of the complaint, inquiry or request.
The Data Processor shall make available to the Controller on reasonable request, information that is reasonably necessary to demonstrate the Controller's compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller's Personal Data. The Controller shall be responsible for any costs and expenses of Processor arising from the provision of such information and audit rights.
The Data Processor shall assist the Data Controller in ensuring compliance with its obligations and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor.
9. PERSONAL DATA BREACH
The Data Processor will notify the Data Controller about any Personal Data breaches – including but not limited to accidental or unlawful access or disclosure - within 48 hours of becoming aware of the breach.
When the Data Processor becomes aware of an incident that impacts the processing of the Personal Data that is the subject of this Data Processing Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
The terms “breach” and “incident” used in the above section shall be understood to include, but not be limited to, the following cases:
- a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
- an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
- any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
- any breach of the security and/or confidentiality of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place;
- where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
Data Controller represents and warrants that all data provided by it (a) comply with all applicable laws and regulations with respect to its activities under the Terms of Service and with the Data Controller’s national law; (b) obtain and maintain all necessary licenses, consents, permits necessary for Data Processor, its contractors, affiliates, to use the data that Controller supplies in accordance with the Terms of Service and with this Agreement; (c) assume sole responsibility for its and its users/contacts’ use of Process Data obtained from the use of the Service, and for conclusions drawn from such use.
The Data Processor shall not be liable for any of the Data Controller’s claims, damages, losses, expenses, costs or other liability in the event of Personal Data breach or loss under any circumstances.
Data Controller agrees to indemnify, defend, and hold the Processor harmless from and against any and all claims of Personal Data subjects in connection with any damage arising from improper processing of Personal Data. The Controller shall unconditionally indemnify the Processor and hold it harmless in respect of any claims filed by the entities whose Personal Data has been processed based on the Agreement, and in connection with the processing of such data. If action is brought against the Processor, the Controller shall, if so required by the Processor, join the proceedings as a party and assume full liability for the claim.
11. GENERAL RULES
This Data Processing Agreement shall come into effect on the date the Data Controller electronically accepts this Data Processing Agreement. If both parties agree to the Agreement, it is effective immediately after signature.
Either party may terminate this agreement by giving the other party 1 week’s notice in writing.
The Parties may amend the Agreement from time to time, as the Parties may reasonably consider necessary to meet the requirements of the GDPR.
In the event of any dispute, claim, question, or disagreement arising from or relating to this Agreement, whether arising in contract, tort or otherwise, the parties shall first use their best efforts to resolve the Dispute. If a Dispute arises, the complaining party shall provide written notice to the other party in a document, specifically setting forth the precise nature of the dispute. If a notice is being sent to Provider it must be emailed to [email protected] and sent via mail to: GBD Consulting and Services Private limited company at: Határ út 12., Újlengyel, 2724, Hungary.
In the event that a dispute between the parties cannot be settled, the parties agree to submit the dispute to binding arbitration in accordance with Hungarian law and the Hungarian Courts; the language to be used in the arbitral proceedings shall be English.
Effective upon acceptance