Data Processing Agreement
SaaS Service Agreement
Data Processing Agreement
This Data Processing Agreement represents an addendum and an integral part of the eVAT’s Terms and Conditions Agreement www.evat.com/terms-of-use. Under the Data Protection Laws, eVAT OÜ d/b/a eVAT, with a place of business at Narva mnt 5 10117, Tallinn, Estonia (eVAT) has a position of a ‘Processor’ and eVAT’s customers have a position of a ‘Controller’ regarding the personal data processed using eVAT services (Services).
The following definitions explain some of the terminology and abbreviations used throughout this Data Processing Agreement: ‘DPA’ refers to this Data Processing Agreement. ‘Agreement’ refers to the Terms and Conditions Agreement available at www.evat.com/terms-of-use. ‘Processor’ refers to eVAT OÜ d/b/a eVAT, with a place of business at Narva mnt 5 10117, Tallinn, Estonia. ‘Controller’ refers to the customers of the eVAT Services. ‘Processing’ refers to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. ‘Data’ refers to information provided by Controller to the Processor or collected by the Processor on behalf of the Controller, relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. ‘Data Subject’ refers to an identified or identifiable natural person to whom Data relates. ‘Data Breach’ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Data transmitted, stored, or otherwise processed. ‘Data Protection Laws’ refers to all applicable laws and regulations regarding the Processing of Data, including, where applicable, the European Union’s General Data Protection Regulation (2016/679) as may be amended from time to time.
Processor undertakes to process all Data in accordance with Data Protection Laws and other applicable laws, statutes, and regulations. Nature and the purpose of processing, the types of Data processed, and the categories of Data Subjects whose Data is processed are set out in Appendix 1 to this DPA.
Unless otherwise explicitly stated in this DPA, the Processor may process the Data for the purposes of providing the Services set out in the Agreement, and only in accordance with the Controller’s documented instructions. Instructions referred to herein are incorporated in the Agreement or may be contained within other, written document concluded or exchanged between the Controller and the Processor. If the Processor in its opinion believes that an instruction of the Controller infringes the Data Protection Law, it shall immediately inform the Controller.
During the term of this DPA Controller shall remain the owner of the Data transferred to the Processor as well as the Data collected by the Processor on behalf of the Controller. Nothing in this DPA shall be understood to transfer the ownership of the Data to the Processor or any other third-party.
Controller warrants that the Data is obtained in accordance with the applicable laws, statutes and regulations and that Processing which Controller requests does not violate any applicable law, statute, or regulation.
Data that the Processor shall process includes such Data which is requested by the Controller on a case-by-case basis, and which is necessary to perform the services described in the Agreement. Processor shall not process special categories of Data as defined in article 9. of the GDPR.
Data may be processed for the duration of the Agreement unless otherwise instructed by the Controller.
The Processor shall ensure that all employees, contractors, and other persons operating under the authority of the Processor are bound by a strict confidentiality agreement prior to providing them with an access to the Data.
The Processor shall take steps to ensure that any person acting under the authority of the Processor who has access to the Data does not process them except on instructions from the Controller.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of the Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to the Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data transmitted, stored or otherwise processed.
The list of technical and organizational security measures is provided in the Appendix 3 of this DPA.
The Controller agrees that Processor may engage sub-processors listed in Appendix 2 to this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes. The Controller may object to such changes in writing within fifteen (15) days from receipt of the notice on changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same Data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the applicable laws, statutes, and regulations. Where that other processor fails to fulfil its Data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that other processor’s obligations.
7. Data Subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by the Controller, to respond to requests to exercise Data Subject rights under the GDPR.
The Processor shall:
- promptly notify the Controller if Processor or Sub-Processor receive a request from a Data Subject under GDPR or other applicable law, statute, or regulation in respect of the Data; and
- ensure that the Processor or Sub-Processor do not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor or Sub-Processor is subject, in which case the Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before the Processor or Sub-Processor respond to the request.
8. Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting the Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform authorized authorities and Data Subjects where necessary of the Data Breach.
The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Controller with any Data protection impact assessments, and prior consultations with competent data privacy authorities, which the Controller reasonably considers to be required the GDPR or equivalent provisions of any other applicable law, in each case solely in relation to processing of the Data by and considering the nature of the processing and information available to, the Processor.
10. Deletion or return of the Data
Subject to sections 10.2 and 10.3 the Processor and each Sub-Processor if any shall promptly and in any event within thirty (30) days of the date of cessation of any Services involving the processing of the Data (the "Cessation Date"), delete and procure the deletion of all copies of those Data.
Subject to section 10.3, the Controller may in its absolute discretion by written notice to the Processor within seven (7) days prior to the Cessation Date require Processor and each Sub-Processor if any to return a complete copy of all Data to the Controller by secure file transfer in such format as is reasonably notified by the Controller to the Processor; and
The Processor may retain the Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that the Processor ensures the confidentiality of all such Data and ensures that such Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
The Processor shall provide written certification to the Controller that the Processor fully complied with this section 10 upon written request of the Controller issued after the expiry of the deadline from section 10.1.
11. Audit rights
Subject to provisions of this article 11 the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Data. All costs of the audit shall be borne by the Controller and must be scheduled at least one month in advance. The Controller may commence audit only if they have provided a bond or security deposit that will serve to compensate any loss or damages that may be caused by the audit such as ceasing of providing the services or employee work hours spent on the audit. The amount of bond or security deposit shall be agreed beforehand with the Processor but in no event shall be less than 10,000€ EUR (ten thousand euros) considering the proportion between the data processed on behalf of the Controller and the number of customers the Processor has.
Information and audit rights of the Controller only arise under section 11.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the GDPR.
12. Limitation of Liability
Each party’s liability taken together in the aggregate, arising out of, or related to this DPA, whether in contract, tort, or under any other theory of liability, is limited to the cumulative amounts paid by the Controller to the Processor in the past 12 months to the event giving rise to the claim.
13. Final provisions
Any matter that is not regulated by this DPA shall be governed by the Agreement or other subsequent contract concluded or exchanged between the parties to this DPA.
If any part of this DPA is found to be invalid, illegal, or unenforceable in any respect, it will not affect the validity or enforceability of the remainder of the DPA.
Any failure to exercise or enforce any right or the provision of this DPA shall not constitute a waiver of such right or provision.
The section titles in the DPA are for convenience only and have no legal or contractual effect.
Appendix 1 – Description of processing
The purpose of the Processor’s processing of Data on behalf of the Controller is:
- Processor’s provision of Services to the Controller.
The Processor’s processing of Data on behalf of the Controller shall mainly pertain to (the nature of the processing):
- Collecting, processing and submitting various business transaction reports.
The processing includes the following types of personal data about data subjects:
- Data may include but is not limited to the following categories of personal data: first and last name; business role; professional title; department; business contact information (e.g., email, phone, physical address); personal contact information (e.g., email, phone, physical address); and other Data Processed during the use of the Services.
Processing includes the following categories of data subject:
- Controller’s customers and other business contacts; employees and contractors; subcontractors and agents; consultants and prospects.
The Processor’s processing of Data on behalf of the Controller may be performed when this Data Processing Agreement commences. Processing has the following duration:
- Processing shall not be time-limited and shall be performed until this Data Processing Agreement is terminated or cancelled by one of the parties.
Appendix 2 – List of approved sub-processors
|Google LLC||1600 Amphitheatre Parkway, Mountain View, CA 9404||Storing of the data, collection of the data through cloud-based applications, data reports management|
Appendix 3 – Technical and organizational measures of the Processor
The Processor takes the following technical and organizational measures of data security within the meaning of article 28 of the GDPR:
- Entrances and exits of the building are permanently closed and cannot be opened from outside
- Access control via keys with definition and documentation of authorized persons
- Reception area for access control
- Visitors are accompanied by employees
- Procedural instructions for the cancellation of entry rights
- Assignment of user rights
- Creating user profiles
- Authentication of users by user name and password
- Assigned passwords are replaced by secure individual passwords on first login
- Password requirements such as minimum number of characters and complexity guidelines
- Password security through periodic changes
- Authorization by administrator only
- Use of VPN technology
- Use of anti-virus Software
- Use of firewall
- Constant updates for anti-virus software, firewall, operating system and other software
- Separation of company network and guest WLAN
- Instructions for regulating Internet and e-mail use
- Use of tested and approved data carriers
- Role-based authorizations
- Procedural instructions for the cancellation of access rights
- Separate administrator accounts
- Secure destruction of files and data carriers
- Pseudonymization through Customer/User numbers
- Protocol of the installation and operation of IT systems
- Ensure log file security (limited access for network administrator only)
- Conclusion of a contract or other legal instrument in accordance with article 28 of the GDPR and compliance with these regulations
- Previous review of the technical and organizational measures taken by the Sub-Processors
- Employees are obliged to maintain data secrecy
3. Precautions and safety measures
- Fire extinguisher with appropriate extinguishing agent available
- Periodic data backup
4. Procedures for regular monitoring and evaluation
- Data protection management (data protection guidelines, IT security guidelines, data protection instructions, data protection process descriptions)
- Register of processing activities
- Regular training and sensitization of employees
- Obligation of employees to data secrecy
- Obligation of Third Parties to maintain data secrecy
- DPA with Third Party provider and Sub-Processors according to article 28 of the GDPR