DATA PRIVACY PROVISIONS
Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR” and/or the “Privacy Regulation”) enters into force on May 25, 2018, and applies to Force 5, Inc. partners and providers in case of processing of personal data wholly or partly by automated means or other than by automated means which form part of a filing system or are intended to form part of a filing system, if any of the following criteria is met:
A. the processing of personal data is done in the context of the activities of an establishment of a controller or a processor in the European Union, regardless of whether the processing takes place in the European Union or not;
B. the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or (b) the monitoring of their behavior as far as their behavior takes place within the European Union.
SECTION I: UNDERTAKING IN RESPECT OF DATA PROCESSING UNDER GDPR
1) Parties will only disclose the Personal Data to the extent reasonably necessary for them to be able to perform their obligations under the Partnership and shall not use such Personal Data for any other purposes, except if legal requirements for such additional processing have been observed (e.g. Client consented in advance, legal obligations are in place and require processing).
2) You shall ensure that you have appropriate operational and technological processes and procedures in place to safeguard against any unauthorized or unlawful access, loss, destruction, theft, use or disclosure of the Personal Data as mentioned under Section III below.
3) Without undue delay, you shall notify Force 5, Inc.:
3.1. but in no event after 72 hours of becoming aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, Personal Data transmitted, stored or otherwise processed (provided that such breach qualifies to be notified to the supervisory authority pursuant to GDPR),
3.2. any investigation or request concerning the Personal Data by a public authority (including the supervisory data protection authority) unless otherwise prohibited, such as (but not limited to) a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
4) Upon reasonable request, you shall:
4.1. deal promptly and properly with all enquiries from Force 5, Inc. relating to processing of the Personal Data;
4.2. submit and shall procure that your relevant information about their data processing facilities, procedures and documentation relating to the processing of Personal Data Controller, to scrutiny by Force 5, Inc. (or a third party authorized by Force 5, Inc. ).
5) Before exiting our partnership regardless of the reason, or earlier, upon Force 5, Inc.’s motivated request, you shall destroy or delete permanently any Personal Data in your direct or indirect possession (including backup copies) and certify in writing to Force 5, Inc. that you have done so (up to the extent that further retention is imposed by law or legitimate interest) unless the data is transferred according to a legitimate interest and as per applicable laws.
SECTION II: MUTUAL OBLIGATIONS UNDER GDPR
6) To the extent they are applicable due to the nature of the commercial relationship or due to your obligations and Force 5, Inc. in respect of processing of Personal Data, upon one or both parties the following obligations will be instated:
6.1. Parties shall maintain relevant records of processing (provided such other requesting party submits arguments for which it considers the commercial relationship as amounting to a data controller – data processor relationship);
6.2. Parties shall transfer or process personal data outside European Economic Area or European Union only with the observance of the GDPR and with prior notification to the other party;
6.3. Parties shall appoint or use third parties for the processing of Personal Data only with the observance of the GDPR;
6.4. Parties shall appoint a Data Protection Officer and/or a representative in the European Union and indicate the contact details thereof.
7) Where a party (the “Damaged Party”) suffers Losses as a result of the breach by the other party of any of its representations and warranties or such other party fails or refuses to comply with any of its covenants or obligations contained above (the “Responsible Party”), then the Damaged Party shall be entitled to claim specific performance and/or full compensation from and be indemnified and held harmless by the Responsible Party for such Losses, including all costs and expenses, and seek all available legal remedies to put it in the position where it would have been had the relevant breach or Loss not occurred.
8) For the purpose of this paragraph, “Losses” shall mean any and all current and future damages, fines, fees, penalties, investments and expenses (including, without limitation (i) interests, (ii) court expenses, (iii) fees of attorneys, (iv) accountants and other experts or other expenses of litigation, (v) other proceedings or of any claim, (vi) all losses, damages or other payments due to data subjects based on final and enforceable authority order or court decision for non-observance of the GDPR incurred by a party as a result of the breach by the other party of its representations and warranties or of its obligations and covenants related to Personal Data processing).
SECTION III: MINIMUM REQUIREMENTS FOR TECHNICAL AND ORGANIZATIONAL MEASURES
9) Area of responsibility. You shall continuously comply with the minimum requirements set herein from both a technical and organizational measures for the processing of the Personal Data. It is your responsibility that these requirements be observed and contractually binding to its employees, collaborators, agents, subcontractors, etc. You shall remain fully liable to Force 5, Inc. for their observance of these requirements.
10) Training and Awareness of relevant personnel. All personnel authorized by you to access Personal Data shall be trained and made aware of your responsibilities under GDPR and how to protect Personal data.
11) Restricted access to Personal Data of personnel. You shall ensure that those employees who are processing Personal Data are reliable and have had sufficient/adequate training pertinent to GDPR’s obligations and that no other employees than the ones needed are allowed to access Personal Data. You shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All your personnel must access only the Personal Data required to perform their job assignments. For this purpose, you shall determine the types of access, by functionality (such as administration, input, processing, rescue, etc.) and after actions on personal data (such as writing, reading, deleting) procedures for these types of access. Anonymous data will be used to prepare users or make presentations.
12) Technical measures. All assets that process Personal Data are in restricted area and out of reach from non-authorized personnel. Effective access to Personal Data is recorded and may be tracked in case of data breach or non-authorized access. All software used is licensed and safe. Awareness policy and procedures in case of computer viruses or any other informatics attacks are in place and periodically tested.