Data Processing Agreement (“DPA”)
Updated April 19th, 2021
This DPA governs the processing of Personal Data (as defined below) by:
The Company RINGHEL TEAM S.R.L. (PROCESIO, the “Company”), headquartered in Bucharest, 14 Geniului Bvl., District 6, registered with Bucharest Trade Registry with no. J40/2629/2011, fiscal code RO28139450, tel. 0755 262 752, e-mail: office@ringhel.com, legally represented by Marian VOICU – Deputy CEO
A recipient may provide certain Personal Data (as defined in this document) to the Ringhel Team (named in this document also as “The Company”) as part of using the Software’s service (the “Service”). This document, the Data Processing Agreement (DPA), outlines how the Company will process this Personal Data and applies to any Personal Data that the Recipient controls under Data Protection Laws. This includes details such as the purpose and duration of the processing, the type of Personal Data and categories of data subjects involved, and the Recipient’s obligations and rights under Data Protection Laws. The terms of the DPA do not limit either party’s existing data protection obligations under the Agreement. If a capitalized term is not defined in the DPA, it will have the meaning given to it in the main body of the Agreement.
The Subscriber is solely responsible for any information or data uploaded, processed, transferred, transmitted, or supplied by the Subscriber or any Sub-Subscriber in connection with their use of the Service. This responsibility includes ensuring that the use of the Service to store, process, and transmit Subscriber Data is compliant with all applicable laws and regulations.
The terms used in this Data Processing Agreement (DPA) have the meaning given to them under Data Protection Laws, and they shall be interpreted accordingly. Specifically:
- DEFINITIONS
- “Data Protection Laws” term refers to the EU General Data Protection Regulation 2016/679 (“GDPR”) and any other national legislation or act that has the force of law regarding data protection. It includes decisions made by the Supervisory Authority.
- “Personal Data” refers to any information related to the end-user for whom the Recipient acts as a data controller (“Data Subject”).
- “Personal Data Breach” refers to any event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data that is transmitted, stored, or otherwise processed.
- “Process” or “Processing” refers to any action or series of actions performed on Personal Information, whether automated or not, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, transmission, dissemination, or other means of making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means an entity, whether it be an individual, corporation, government agency, or other organization, that processes Personal Information on behalf of a controller (as defined under the GDPR).
- “Sub-processor” refers to any third party engaged by the Company pursuant to Article 28, paragraph 2, GDPR.
- “Supervisory Authority” refers to the Authority provided for under Article 51 of the GDPR, which performs the tasks set forth in Section 57 of the GDPR.
- “Security Measures” refers to the minimum-security measures provided for by Article 32 of the GDPR and the measures/decisions of the relevant Supervisory Authority.
- “UK GDPR” refers to the General Data Protection Regulation (GDPR) that has been amended and adopted into UK law through the UK European Union (Withdrawal) Act 2018, along with any relevant additional legislation passed under that Act.
- PROCESSING OF PERSONAL DATA
The recipient is the controller of the Personal Data described in Section 3 of this DPA and the Company shall process the Personal Data solely (a) as a processor on Recipient’s behalf and (b) in accordance with the provisions set out in this DPA and with the Recipient’s documented processing instructions.
The Personal Data processed by the Company under this Data Processing Agreement (DPA) includes the following details:
- Subject matter: The collection and processing of Personal Data related to Data Subjects in connection with the Service.
- Categories of data subjects: End users who have a subscription to the authentication services provided by the Company on behalf of the Recipient. This includes the Recipient’s employees, consultants, contractors, or end-customers depending on the Recipient’s use case.
- Types of personal data: Data Subject profile information, such as their username or email address, that they use to log in, and device data from the Data Subject’s device, such as their IP address.
- Purpose and nature of the processing: The Company processes the Personal Data to provide, maintain, and improve the services related to the use of the Software, as described in the Agreement.
- Duration of processing: The Company will process the Personal Data for as long as the Recipient uses the Software in accordance with the license granted by the Company under the Agreement.
- RECIPIENT RESPONSIBILITIES
The Recipient shall ensure compliance with its controller obligations under Data Protection Laws and acknowledge that it is accountable for:
- assessing if the Service is suitable for processing Personal Data in compliance with its legal and regulatory responsibilities;
- complying with Data Protection Laws concerning the use of the Service; and
- acquiring the necessary consents and permissions, if required, and issuing any mandatory notices under Data Protection Laws.
- CONFIDENTIALITY
The Company will make sure that its personnel who are authorized to handle Personal Information are bound by either confidentiality agreements or professional/ statutory obligations that require them to maintain confidentiality.
- SECURITY MEASURES
The Company is committed to maintaining a high level of security for processing activities in compliance with Data Protection Laws, including Article 32 of the GDPR. To achieve this, the Company will implement a range of technical/IT and organizational measures to ensure the confidentiality, integrity, availability, and resilience of processing systems and services. In the event of a physical or technical incident, the Company will have the ability to restore timely availability and access to personal data. The Company will regularly test, verify, and evaluate the effectiveness of these measures to ensure the ongoing security of processing.
- PERSONAL DATA BREACH NOTIFICATION
If there is a breach of personal data, the Company will promptly notify the Recipient and provide them with reasonable assistance to comply with their obligations under Data Protection Laws. This includes notifying the relevant supervisory authority and/or the data subjects affected by the breach.
In the event of a Security Incident, the Company will take reasonable measures to mitigate its effects and minimize any damage caused by it. Upon your request, The Company will also provide reasonable assistance and cooperation to help you fulfill any legal obligations you may have to notify affected Data Subjects and regulatory authorities.
- INTERNATIONAL TRANSFERS
The Company ensures that all transfers of Personal Data of the Data Subjects outside the European Union are done in compliance with the Data Protection Laws. To achieve this, the Company may utilize measures such as standard contractual clauses adopted by the European Commission or other suitable safeguards like binding corporate rules, to ensure that Personal Data receives an adequate level of protection. If the European Commission makes an adequacy decision, it will also be considered. The Company will take all necessary actions to ensure that international transfers of Personal Data comply with the relevant laws and regulations.
- DELETION OR RETURN OF PERSONAL DATA
After the termination or expiry of the Agreement, the Company will delete or return all Personal Data in its possession or control, as per the Recipient’s choice. However, if the applicable law requires the Company to retain Personal Data, the Company shall take necessary measures to protect and isolate the Personal Data until its legal deletion is permitted.
- COMPLIANCE WITH THE LAW
If there is a change in Data Protection Laws or a determination by a Supervisory Authority or competent court that affects the data processing under this DPA, both parties will work together in good faith to make any necessary amendments to this DPA or changes to the Service to ensure continued compliance with Data Protection Laws.
- MODIFICATION OF DPA
The Company may modify this DPA from time to time as necessary to ensure compliance with Data Protection Legislation, regardless of any conflicting provisions in the Agreement.