DATA PROCESSING AGREEMENT
For the provision of the services detailed in the main contract to which this annex is attached, or in which reference is made to this document (the “Contract“) concluded between the Parties, SembraMedia, as Data Processor (“Processor“), shall access and process on behalf of the Customer who holds the position of Data Controller (“Controller“), personal data for the purpose of be able to carry out provision of the contracted services.
These figures and their obligations are defined in Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR“) law pursuant to which the following Data Processing Agreement (“DPA“) is signed:
First. – Processing, data and interested parties
Unless expressly instructed in writing by the Controller that modifies this situation, the Data Processor may carry out, exclusively, the following processing:
The processing shall be carried out on the identification data, contact data, economic data, commercial information, employment details, academic and professional data, social circumstances, personal characteristics, of the employees, clients, contact persons, legal representatives, suppliers of the Controller.
Second. – OBLIGATIONS OF THE CONTROLLER
The Controller shall:
Third. – OBLIGATIONS OF THE PROCESSOR
The Processor shall:
Fourth. – SUBCONTRACTING
The Controller generally authorizes the Processor to subcontract to third parties the services involving the processing of personal data.
In any case, and whenever subcontracting takes place, the sub-processor is also obliged to comply with the obligations established in this DPA for the Processor. In the event of a breach thereof, the initial Processor shall remain fully liable to the Controller for compliance with the obligations set forth herein.
The Processor, or sub-processor, shall not transfer the personal data to a third country outside the European Union or to an international organization, unless it can guarantee that the data will enjoy an adequate level, or similar, of protection in accordance with the requirements of the GDPR, as well as the guidelines and opinions issued by the European Commission.
Fifth. – INTERNATIONAL TRANSFERS
The Controller acknowledges and authorizes the Processor, when required, for the provision of Services, to transfer Personal Data outside the European Economic Area, the Standard Contract Clauses (SCC), adopted by the European Commission by virtue of Decision 2021/915 of 4 June 2021, in its “processor to controller” version, will be incorporated into the contract by reference and are considered part of this Addendum as a whole. To this end, the clauses shall be interpreted in accordance with the following additions, always bearing in mind that they are not intended to modify at any time the non-negotiable obligations imposed in the SSCs:
The description of the processing (Annex II of the SCC), the technical and organizational measures (Annex III of the SCC) may be inferred on the basis of the details subscribed to in this document.
Seventh. – COMMUNICATIONS
All notifications between the Parties shall be made in writing by registered mail with acknowledgement of receipt or by e-mail with confirmation of delivery and reading at the addresses included in the main contract.
Eighth. – JURISDICTION AND APPLICABLE LAW
The present DPA shall be governed and interpreted by the Spanish laws and by the General Data Protection Regulation. Likewise, the parties waive their own or any other jurisdiction to which they may be entitled by law and expressly agree to submit to the Courts and Tribunals of Madrid to resolve any disputes arising between the parties in connection with this agreement.
ANNEX I – DESCRIPTION OF SECURITY MEASURES
This document contains the technical and organizational security measures to be implemented by the Data Processor in the performance of the contracted services.
At least the following security measures must be implemented:
At a minimum, the following security measures should be implemented:
A process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing shall be established, taking into account in particular the risks presented by the processing of the data.
Subscribe to our newsletter, and you will receive monthly news, data analysis, and resources about the digital media ecosystem, as well as opportunities for media outlets and journalists.
Cookie | Duration | Description |
---|---|---|
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |