ONLINE DATA PROCESSING AGREEMENT

Effective as of July 8, 2019

You are as a customer of our services and/or user of our applications (hereinafter the “Data Controller”) ordered via this website (hereinafter the “Website”) and other related services, and DATA PAYMENTS OÜ, a company incorporated under the laws of Estonia, with Registration Number 14734800 having its registered office at Harju maakond, Tallinn, Lasnamäe linnaosa, Majaka tn 26, 11412 (hereinafter the “Data Processor”), have entered into our terms and conditions under which the Data Processor has agreed to provide you services (as defined in the terms and conditions) and related technical support to Data Controller (the “Agreement“).

BACKGROUND

(A) This Agreement is to ensure the protection and security of data passed from Data Controller to the Data Processor.

(B) This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation. 

(C) The parties wish to record their commitments under this Agreement.

IT IS AGREED AS FOLLOWS: 

1. DEFINITIONS AND INTERPRETATION

In this Agreement:

“Data Protection Laws” means any national data protection law, together with legislation incorporating GDPR;

“Data” means personal data passed under this Agreement;

“GDPR” means the General Data Protection Regulation;

“Services” means services which are provided by the Data Processor to the Data Controlled and which are available and offered on the website or any related services offered by the Data Processor.

2. DATA PROCESSING

The Data Controller is the data controller for the Data and the Data Processor is the data processor for the Data. The Data Processor agrees to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:

1. The Data Processor shall only process the Data (i) on the written instructions from Data Controller (ii) only process the Data for completing the Services and (iii) only process the Data in the EU/EEA or any country which has an adequacy decision (Article 28, para 3(a) GDPR);
2. ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement, internal security policies, and instructions, and (ii) have received instructions/trainings on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
3. The Data Controller and the Data Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under Part B of the Annex to this Agreement (Article 28, para 3(c) GDPR);
4. the Processor shall not involve any third party in the processing of the Data without the consent of Data Controller. (Article 28, para 3(d) GDPR); 
5. taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of Data Controller’ obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc. (Article 28, para 3(e) GDPR); 
6. assist Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national data protection authorities, taking into account the nature of processing and the information available to the Data Processor (Article 28, para 3(f) GDPR);
7. at Data Controller’ choice safely delete or return the Data at any time. It has been agreed that the Data Processor will in any event securely delete the Data at the end of the Services. Where the Data Processor is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement to retain the Data (Article 28, para 3(g) GDPR); 
8. make immediately available to Data Controller all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required by Data Controller from time to time (Article 28, para 3(h) GDPR);
9. arrangements relating to the secure transfer of the Data from Data Controller to the Data Processor and the safe keeping of the Data by the Data Processor.
10. maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and
11. contact the Data Controller within 36 hours if there is any personal data breach or incident where the Data may have been compromised.

3. Termination

The Data Controller may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without the written consent of Data Controller.

4. General

1. This Agreement may only be varied with the written consent of both parties.
2. This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under the Data Protection Laws.

ANNEX

Part A

Details of personal data being passed and method of secure data transfer arrangements:

ANNEX

Part B

Compliance with Article 32, para 1 of GDPR

1. The Data Processor uses anonymization and encryption techniques to protect personal data. 
2. The Data Processor ensures the ongoing confidentiality, integrity, availability and resilience of processing systems and related services. The Data Processor has non-disclosure agreement with all its employees and other personnel. The data is shared only with management employees who need it to provide services. The Data Processor has security policy and instructions for employees how to handle GDPR requests.
3. The Data Processor, depending on the technical possibility of its subprocessor, may restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
4. The Data Processor provides processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. 

Compliance with Article 32, para 2 of GDPR

1. The Data Processor assesses the appropriate level of security, in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to data transmitted, stored or otherwise processed.

Compliance with Article 32, para 3 of GDPR

1. There are no approved code of conduct referred to in Article 40 (GDPR) or an approved certification mechanism as referred to in Article 42 (GDPR) which may be used as an element by which to demonstrate compliance with the requirements.

Compliance with Article 32, para 4 of GDPR

1. The Data Processor processes the Data only on behalf of the Data Controller.