Data Controllers and Processors Agreement
The company DEAC - “Digitālās Ekonomikas Attīstības Centrs” Ltd, registration number 40003455216, legal and actual address: Čuibes street 17, Riga LV-1063 (hereinafter referred to as the “DEAC”, “us”, “we”, or “our”) operates my.deac.eu (the “myDEAC”). This page informs you of our rules and conditions regarding the data controller and processor for users of myDEAC. By using myDEAC, you agree to this data controllers and processors agreement.
- Data Controllers and Processors Agreement - Agreement.
- Data Center – Processor-owned data center located in Riga, 17 Cuibes Street.
- Data center services – services provided under the Master Services agreement.
- MSA - Master Services Agreement.
- Information and Data Processing System - A set of interrelated methods and tools belonging to the Controller and serving the purpose of information, incl. the collection, processing and storage of personal data, as well as files containing the information that is stored and processed in the system, and system documentation.
- Personal data – any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be directly or indirectly identified, in particular by referring to an identifier, such as the name, surname, identification number, location data, online identifier of that person or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Regulation – Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Security incident – a harmful event or offence, including but not limited to a Personal Data Protection breach, which endangers or threatens the security of the Information system – its confidentiality, integrity and availability.
1. Subject of the Agreement
1.1. This Agreement sets out the manner, order and extent to which the Processor processes the data of natural persons (hereinafter – Personal Data), which, in the context of the MSA, have been placed by the Controller, with the help of information and data processing systems, for storage and processing on the technical resources belonging to the Processor in the Data Center owned by the Processor.
1.2. The purpose of this Agreement is to establish the guiding principles of the Controller-Operator relationship, to separate and identify areas of responsibility, to describe or specify the issues arising from the MSA and related to the processing of personal data.
1.3. When providing the Controller with the Data Center’s services, the Processor is forbidden to access and use the Controller’s personal data. In accordance with this Agreement, under the MSA, the Processor, on behalf of the Controller and in accordance with the Controller’s instructions, only performs the following activities related to the Personal Data Processing:
1.3.1. Technical provision of personal data storage at the level of provided services through myDEAC and infrastructure, i.e. the provision of data storage with known technical resources to the Controller for individual use, ensuring the continuity and physical security of these data storage facilities in accordance with the business continuity and physical security requirements of the MSA and this Agreement.
1.3.2. Technical support for the Personal Data Controller at the level of provided services through myDEAC and infrastructure, i.e. the assignment of a virtual machine with known technical resources to the Controller in separate use and ensuring the continuity and physical security of these virtual machines in accordance with the Business Continuity and Physical Security requirements of the MSA and this Agreement, the technical provision of the electronic mail operation. The purpose of personal data processing in accordance with this Agreement is to provide technical support for the storage and processing of personal data necessary for the Controller’s purposes.
2. Organisational and technical requirements for the Processor
2.1. In fulfilling the obligations arising from the MSA, the Processor shall ensure the following organisational and technical requirements:
2.1.1. The data center has been designed and built in compliance with industry standards, which set requirements for power supply systems, cooling systems and telecommunication systems.
2.1.2. Access to data center premises is controlled by electronic and biometric personal identification systems.
2.1.3. The data center is equipped with early warning systems (airborne analysers) and gas extinguishing systems that use gas that is safe for humans and equipment located in data centers.
2.1.4. The data center’s rooms and perimeter are equipped with alarm and video surveillance systems, as well as 24-hour physical security and physical access control, which ensures that the Processor provides adequate protection against the risk of physical damage to Personal Data in the Data Center.
2.1.5. The Processor develops and applies data security policies in its business.
2.1.6. The communication channels and their capacity are duplicated, and an automatic switchover is provided in the event of a breakdown of one of the communication channels.
2.1.7. The data center is equipped with UPS equipment and several diesel generators that automatically turn on if there is a power failure.
2.1.8. Data center infrastructure equipment is serviced and maintained by competent specialists.
2.1.9. Upon the termination of the MSA, in accordance with the MSA, the Processor will permanently delete all of the Controller’s data, unless the Controller has agreed on another procedure as to what the Processor does with the Controller’s data.
2.1.10. For the monitoring of the work of the data center the Processor uses the Processor’s internal control systems, which meet the international standards for information security and business continuity.
2.2. All other organisational and technical requirements that may be imposed in accordance with applicable laws and regulations in relation to the processing of personal data that the Controller carries out in his information and data processing systems, but which are not mentioned in Clause 2.1 of this Agreement, are organised, provided and executed by the Controller.
3. Obligations of the Parties
3.1. The Parties undertake to use the appropriate technical and organisational means necessary to protect Personal Data and prevent their unlawful processing, namely:
3.2. The rights of the Controller
3.2.1. to give the Processor guidance as to the part of the processing of Personal Data provided by the Processor for the Controller. If the execution of the Controller’s instructions requires the Processor to provide additional services in the meaning of MSA or involves the introduction of additional organisational and technical measures not originally stipulated in Article 2.1 of the Agreement, the Controller is obliged to agree with the Processor on the arrangement of additional payment coverage of the cost of the Processor.
3.2.2. when detecting unlawful or unauthorised processing of Personal Data by the Processor, which is not related to the provisions of the Agreement or its execution, to request the Processor to immediately stop the processing of such data.
3.2.3. to request information from the Processor related to the obligations undertaken by the Processor.
3.2.4. The Controller is responsible for the correctness of the Personal Data and its timely renewal, correction or deletion in accordance with the requirements of the regulatory enactments regulating personal data protection.
3.2.5. to execute the requirements of the regulatory enactments regulating the protection of personal data concerning the provision of information to the Data subject without involving the Processor in this process.
3.3. The obligations of the Controller
3.3.1. To comply with the requirements of legal acts regulating the processing of personal data, to fulfil the obligations of the Controller arising from regulatory enactments in relation to data subjects, processors and third parties.
3.3.2. Prior to deploying personal data to the Processor’s virtual resources, the Client shall take all necessary steps to configure its information and data processing systems and arrange the logical and non-specified physical security issues of this system in a manner that is in accordance with the requirements of regulatory enactments regulating personal data protection.
3.3.3. The Controller is responsible for assigning the responsible employee(s) for their information and data processing systems, the security incident management system.
3.4. The obligations of the Processor
3.4.1. to only carry out processing of Personal Data in accordance with the procedure and in the amount prescribed by the Agreement.
3.4.2. to ensure fulfilment of the requirements referred to in Paragraph 2.1 of this Agreement.
3.4.3. to provide the list of the Processor’s staff involved in the performance of duties and obligations assumed by the Contract. The Processor undertakes to present its employees who are directly involved in the provision of the Data Center services to the Controller, with the obligations of the Processor specified in this Agreement.
3.4.4. to ensure that technical operations related to the provision of Data Center services are only performed by properly trained staff of the Processor. The Processor is obliged to keep audit trails of the activities performed by the Processor’s employees in connection with the subject-matter of the Contract. The audit trail has a retention period of at least 6 months.
3.4.5. in accordance with the Internal Security incident management procedure established by the Processor, to carry out timely identification, registration, classification, elimination of the consequences of the incident, analysis of the causes of the incident and preparation of the necessary reports.
3.4.6. in the event that the Security incident occurred in the responsibility sphere of the Processor and it affected the Virtualisation platform and/or Data Center Infrastructure serving that platform of the Processor, it is the Processor’s duty to report this within 24 hours to the Controller and to act in accordance with the Internal Security Inventory Management Procedures developed by the Processor.
3.4.7. at the sole request of the Controller, to provide the Controller with information regarding the Security incident.
3.4.8. in the event that the Processor, due to any reason (including, but not limited to, technical, legal, etc.), cannot properly fulfil the obligations of the Processor arising from this Agreement, it is obliged to inform the Controller without delay and agree on further action.
4.1. During the term of the Contract, and for a further period of 2 (two) years after the termination of the Agreement, the Parties shall ensure the confidentiality of the information obtained during the term of the Contract, regardless of the manner of receipt of the information (in writing, orally or electronically) and the type of storage. The exception to this is Personal data, the confidentiality of which must be ensured for an unlimited period of time.
4.2. Any information obtained by each party during the period of validity of the Agreement, without prior agreement with the other party, may only be disclosed in the cases and according to the procedures provided for in regulatory enactments.
5. Term of validity and termination of the Agreement
5.1. The Agreement shall enter into force from the moment it is signed by the Parties. The Agreement remains in force while the MSA outsourcing agreement is in force or until this Agreement has been terminated in accordance with the contract or regulatory enactments.
6. Force Majeure
6.1. Parties are exempt from the fulfilment of the provisions of the Agreement, if it is caused by force majeure, events independent of the will of the Parties, the occurrence of which is not dependent on the will of the parties and the possibilities to control them, and as a result of which the Agreement can no longer be enforced. Such events include, but are not limited to, natural disasters, strikes, hostilities, and significant and unpredictable changes in the regulatory enactments.
6.2. The Party which, because of force majeure, cannot fulfil its obligations, informs the other Party in writing within 3 (three) days, and justifies the causal link between this fact and the inability to fulfil its obligations.
6.3. If, due to force majeure circumstances the Agreement is not operating for more than 3 (three) months, each Party shall have the right to terminate the Agreement by at least 20 (twenty) days’ advance notice to the other Party in writing. In such case, neither Party can claim damages resulting from the termination of the Agreement.
7. Responsible persons of the Parties and information exchange arrangements
7.1. The Parties agree that matters related to the execution and control of the Contract shall be resolved by the responsible person of the Controller who has been designated as such within the framework of the provision of IT services; while the responsible person related to the compliance with the requirements of the execution and control of the Contract of the Processor is DEAC, e-mail [email protected].
7.2. The responsible persons are not entitled to alter or amend the Agreement.
8. Other Provisions
8.1. Amendments and additions to the Agreement shall be made in writing by the Parties, which, upon signing, become an integral part of the Agreement.
8.2. If any Paragraph of the Agreement is held to be invalid, unenforceable or non-compliant with the laws in force in the Republic of Latvia due to unforeseen circumstances, it shall not affect the performance of other obligations under the Agreement that are not affected by such changes.
8.3. None of the Parties are entitled to transfer the obligations of the Agreement to a third party without the written consent of the other Party.
8.4. Disputes arising in connection with the Agreement shall be settled by mutual agreement between the Parties, but, if no agreement is reached, in the manner prescribed by the regulatory enactments of the Republic of Latvia, in a court of general jurisdiction.
8.5. Each Party shall undertake not to perform any activities, which may directly or indirectly harm the interests of the other Party.
8.6. Any relations of the Parties not discussed in the text of the Agreement shall be regulated according to the legal acts in force in the Republic of Latvia.
8.7. The Parties agree that, in the sending and receiving of correspondence, the regulatory framework of the Law on Communications shall apply, unless otherwise provided by the Agreement.