This Data Processing Agreement (hereinafter referred to as the “Agreement”) governs personal data handling carried out by Venipak Lietuva, UAB, which acts as a “Data Processor” on behalf of its client acting as a “Data Controller”. This Agreement becomes binding on the Data Processor and Data Controller according to the General Data Protection Regulation.
1. DEFINITIONS AND INTERPRETATION OF THE AGREEMENT
1.1. Unless the context of the Agreement requires some other implication, for the purpose of this Agreement, including its Preamble and annexes to it, capitalised words shall have the following meaning:
|General Data Protection Regulation||Shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.|
|Data Controller||Shall mean a natural or legal party to this Agreement, a public authority, agency or any other institution which – alone or in cooperation with others – sets the purposes and measures of data handling.|
|Data Processor||Shall mean a natural or legal party to this Agreement, a public authority, agency or any other institution which processes personal data on behalf of the Data Controller.|
|Data||Shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|Data processing||Shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Automated means||Shall mean actions which are completely or partly performed by automated measures.|
|Data Subject||Shall mean a natural person whose Data is processed under this Agreement.|
|Third Party||Shall mean a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.|
|Technical and organisational measures||Shall mean measures designed to protect the Data from incidental or unlawful destruction, modification, disclosure, also from any other illegal handling. These measures must ensure such a level of protection which shall correspond to the nature of the Data and the risk posed by its handling.|
1.2. For the purpose of this Agreement:
(a) a word in plural shall bear the same meaning as the same word in singular and vice versa;
(b) the use of a specific gender (masculine or feminine) in the text of the Agreement shall be interpreted as the use of any of these genders;
(c) the word “include(s)” or “including” shall accordingly mean “include(s) without any restriction” or “including but not limited to”;
(d) the titles of the sections of this Agreement are used for convenience only and shall have no impact on the interpretation of the Agreement;
(e) references to paragraphs, annexes and other provisions are references to the paragraphs, annexes and provisions of this Agreement.
1.3. The Agreement is a common result of negotiation and arrangement between the Parties; therefore, the Agreement cannot be interpreted for the benefit or to the detriment of either Party for the reason that either Party was or could be responsible for drawing up a draft agreement or any of its parts.
1.4. Notions which are not defined herein shall be interpreted in accordance with the provisions of the regulations.
2. SUBJECT MATTER AND OBJECTIVES OF THE AGREEMENT
2.1. This Agreement governs personal data processing conducted by the Data Processor on behalf of the Data Controller. This Agreement becomes binding on the Data Processor and Data Controller pursuant to the General Data Protection Regulation.
2.2. The nature, subject matter and purpose of personal data processing conducted by the Data Processor on behalf of the Data Controller as well as information related to the type of processed personal data and categories of data subjects are specified in the Annex to the Agreement.
3. EFFECT OF THE AGREEMENT
3.1. This Agreement comes into effect and becomes binding on the Data Processor and Data Controller on the basis of the General Data Protection Regulation when it is concluded in accordance with the procedure prescribed in Article 28 (9) of the General Data Protection Regulation.
3.2. This Agreement shall apply as long as the Data Processor handles personal data on behalf of the Data Controller.
3.3. At the request of the Data Controller, the Data Processor must terminate the conducted data handling activities after the expiry or completion of the Agreement and, if the Data Controller wishes so and unless data protection legislation stipulates otherwise, the Data Processor must delete or return all personal data to the Data Controller and remove any available copies of such documents.
4. OBLIGATIONS OF THE DATA PROCESSOR
4.1. The Data Processor has implemented appropriate technical and organisational measures which help ensure that personal data processing conducted by the Data Processor under the provisions of this Agreement complies with the requirements of the data protection legislation, namely the requirements of the General Data Protection Regulation, and guarantees the protection of the rights of the Data Subject.
4.2. The Data Processor undertakes to process personal data solely on the basis of instructions of the Data Controller in the form of written documents, except for cases where the applicable laws stipulate otherwise. In such an event, before starting to process personal data, the Data Processor must notify the Data Controller of such a legal requirement to the extent to which the legislation provides for. If the Data Processor is given no instructions on how to process personal data in a specific situation or if any such instruction violates the applicable data protection legal act, the Data Processor must immediately notify the Data Controller thereof.
4.3. Taking into consideration the character of data processing and using appropriate Technical and Organisational Measures to the allowable extent, the Data Processor assists the Data Controller in fulfilling the Data Controller’s duty to reply to requests for exercising the rights of the Data Subject. Under this Agreement, rights of the Data Subject include the right to request information and – at the request of the Data Subject – correct, destroy personal data or stop the processing of personal data.
4.4. Given the nature of Data Processing and the available information, the Data Processor helps the Data Controller fulfil specific duties imposed by the applicable data protection legislation. Specific duties include the security of data processing (Article 32 of the General Data Protection Regulation), notification of a personal data breach (Articles 33-34 of the General Data Protection Regulation) and data protection impact assessment and prior consultation (Articles 35-36 of the General Data Protection Regulation).
4.5. The Data Processor undertakes to provide the Data Controller with all information and assistance to prove that all obligations undertaken herein are fulfilled as well as provides all conditions and helps the Data Controller or his authorised auditor conduct an audit, including on-site inspections.
5.1. The Data Controller confirms that the Data Processor may use any other companies specified in the Annex to the Agreement as subprocessors. The Data Processor shall inform the Data Controller of all and any planned changes in relation to the use or change of subprocessor, whereas the Data Controller has the right to disagree with such changes.
5.2. The Data Processor shall ensure and, at the request of the Data Controller, shall confirm by documents that subprocessors are committed by means of written agreements according to which they, apart from obligations set forth herein, must fulfil the respective data processing obligations. The Data Processor is fully liable to the Data Controller for the fulfilment of the obligations of the subprocessors.
5.3. The Data Controller may request that the Data Processor verify the subprocessor or submit a confirmation of such verification or, if possible, obtain or help the Data Controller to obtain a report of an external auditor on the activities/performance of the subprocessor with the aim of ensuring the compliance of the requirements of the data protection legislation.
6. DATA TRANSFER TO THIRD COUNTRIES
6.1. The obligation to process personal data under the Agreement may be fulfilled solely in the EU or EEA member states. Any transfer of personal data to a non-EU or non-EEA member state may be conducted solely with the prior written consent of the Data Controller and only in cases where all special terms and conditions laid down in the applicable data protection legislation and Chapter V of the General Data Protection Regulation have been fulfilled.
6.2. The Data Controller may cancel its consent with regard to data transfer to third countries pursuant to Paragraph 6.1 of the Agreement at any time. In such case, the Data Processor must immediately terminate the data transfer and, at the request of the Data Controller, provide a written confirmation of such a termination.
7. SECURITY AND CONFIDENTIALITY OF INFORMATION
7.1. The Data Processor ensures proper personal data protection under this Agreement with the purpose of protecting personal data from destruction, alteration, unauthorised disclosure or access. Personal data shall also be protected from any other kind of unlawful processing.
7.2. The Data Processor shall prepare and continuously update the description of technical, organisational and physical measures so that it complies with the requirements of the data protection legislation.
7.3. The Data Processor undertakes not to disclose personal data processed under this Agreement or not to allow any Third Party to access personal data, except for subprocessors used under this Agreement, without a prior written consent of the Data Controller.
7.4. The Data Processor ensures that all persons related to personal data processing are obliged to ensure confidentiality or that they are subject to the respective confidentiality obligation imposed by laws.
8. APPLICABLE LAW AND DISPUTE SETTLEMENT
8.1. This Agreement has been drawn up and shall be interpreted in accordance with legal acts of the Republic of Lithuania, except for the principles of conflict-of-law, when otherwise other regulations may apply.
8.2. The Parties agree that the only and exceptional place in which all and any disputes arising out of this Agreement shall be resolved is the courts of the Republic of Lithuania according to jurisdiction.
9. LIMITATION OF LIABILITY AND DAMAGE COMPENSATION
9.1. Unless the Parties agree otherwise, they shall be liable according to the general applicable regulations specified in Section 8 of the Agreement. Regardless of the aforementioned, the Parties shall not assume responsibility for performance damages, loss of profit, loss of prestige, or any other indirect losses or damage in their consequences. Loss of data is considered indirect damage.
9.2. The general liability of the Data Processor under this Agreement and all obligations is in any case limited to the amount of EUR 3,000. In any case, the Data Processor shall not bear responsibility for performance losses, loss of profit, loss of prestige, or any other indirect losses or damage in their consequences. Loss of data is by mutual agreement between the Parties considered an indirect damage.
Severability of Provisions
10.1. If any provision of this Agreement is recognised by court or arbitration tribunal as unlawful, invalid or implausible, other provisions of the Agreement shall remain valid and apply to the full extent. Any provision of the Agreement recognised to be unlawful, invalid or implausible solely in part or to some extent shall remain valid to the extent to which it was not recognised unlawful, invalid or implausible. The Parties will replace such unlawful, invalid or implausible provisions of the Agreement with lawful, valid and plausible provisions and they shall be as close to the intentions of the Parties at the time of the conclusion of this Agreement as possible. The Parties will put every effort to ensure implementation of all provisions of this Agreement.
Absence of Conflicting Agreements
10.2. This Agreement is a document over which the Parties negotiated and which was drafted by both Parties. This Agreement shall replace all previous arrangements between the Parties regarding the object of the Agreement and shall be an absolute and the only one statement by the Parties on the conditions of the Agreement. This clause does not limit the right to impose liability for fraud by the other Party.
10.3. Every Party undertakes not to conclude any other arrangements which would be incompatible with the obligations of the Parties under this Agreement after the conclusion of this Agreement.
Amendments and Supplements to the Agreement
10.4. Any annexes, amendments and supplements to the Agreement (including the amendment and supplement to this clause) shall be valid only when they are formalised by a written document signed by all Parties.
10.5. Every Party shall pay for its costs in relation to negotiation over this Agreement, drawing up, signing, entry into force and implementation of this Agreement.
Annex No. 1 to the Data Processing Agreement
|Subject and purpose of data processing||Fulfilment of the following tasks or provision of the following services of Data Processor to the Data Controller: Service provision – for the processing, administration of services purchased (ordered) by the Data Subject; for the identification of the Data Subject in the Data Processor’s information systems; for the identification of the Data Subject to access its account on the Data Processor’s website (when the Data Processor ensures such access); for the resolution of problems related to the implementation, provision, and use of services; for contacting the Data Subject in the case of changes to the terms and conditions to the services purchased by the Data Subject; for the fulfilment of other contractual obligations; for the purposes of direct marketing; for business analysis and statistical analysis; for general surveys which enable the improvement of services and their quality; for audit.|
|Types of personal data to be processed||Personal data to be processed includes: Personal business contact information, such as name, surname, phone number or mobile phone number, email, residential address, workplace.|
|Categories of data subjects||Representatives of the Data Controller and end users, such as employees, candidates to a job position, contractors, colleagues, partners, also clients of the Data Controller and other persons which must be entered into the central data controller’s system of the Data Processor.|
|Data processing activities||Input, correction and deletion of personal data, also making of backup copies of servers, which might contain personal data, and their storage.|
|List of subprocessors||N/A|