For the provision of the services detailed in the main contract to which this annex is attached, or in which reference is made to this document (the “Contract“) concluded between the Parties, SembraMedia, as Data Processor (“Processor“), shall access and process on behalf of the Customer who holds the position of Data Controller (“Controller“), personal data for the purpose of be able to carry out provision of the contracted services.

These figures and their obligations are defined in Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR“) law pursuant to which the following Data Processing Agreement (“DPA“) is signed:

First. – Processing, data and interested parties

Unless expressly instructed in writing by the Controller that modifies this situation, the Data Processor may carry out, exclusively, the following processing:

  1. Collection (capture of information where personal data exists).
  2. Recording (registering or recording the information in some type of system or device, automated or non-automated, for subsequent processing).
  3. Organization (ordering and structuring the information to facilitate its processing).
  4. Modification (altering or changing the information).
  5. Preservation (keeping the information for a certain period of time).
  6. Extraction (obtaining the information from an original system or device to send or transfer it to another system or device).
  7. Consultation (searching the data on the system or device in which it is registered).
  8. Communication by transmission (sending the data to another recipient from its original system or device by electronic means).
  9. Dissemination or any other form of enabling access, collation, interconnection or communication (making the information recorded on a system or device available to other users or recipients).
  10. Deletion (deleting, making the information disappear in the system or device in which it was originally recorded).

The processing shall be carried out on the identification data, contact data, economic data, commercial information, employment details, academic and professional data, social circumstances, personal characteristics, of the employees, clients, contact persons, legal representatives, suppliers of the Controller.


The Controller shall:

  1. Deliver to the Processor the personal data to be processed.
  2. Communicate to the Processor any changes in the processing of personal data that should entail a change in the applicable security measures.
  3. Comply with the obligations that are required by its condition in accordance with the regulations in force.
  4. To supervise the processing and to carry out inspections and audits when necessary. 


The Processor shall:

  1. Process personal data only under the documented instructions of the Controller.
  2. Keep a record of processing activities when legally required to do so.
  3. Not transfer personal data to third parties without the prior express consent of the Controller. 
  4. Inform the Controller when it considers that the instructions contravene the GDPR.
  5. Make available to the Controller all the information necessary to demonstrate compliance with its obligations. 
  6. Allow and actively collaborate in carrying out the necessary audits or inspections with a maximum frequency of one per year, prior notification with, at least, 90 days of margin and at the expense of the Controller.
  7. To preserve confidentiality, professional secrecy and the duty to maintain secrecy during the term of the contract and after its termination. 
  8. To ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, as well as to ensure the necessary training on the protection of personal data of the same.
  9. Notify the Controller through the e-mail address established for such purpose without undue delay and in any case within a maximum period of twenty-four (24) hours, of any security breaches of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident.
  10. Notify the Controller of any exercise of rights received from data subjects within a maximum period of forty-eight (48) hours, as well as collaborate with the Controller to attend to the exercise of the rights and provide him/her with the necessary information to respond to them in case it is necessary.
  11. The Controller shall implement the necessary security measures to ensure compliance with the requirements set forth in Article 32 of the GDPR. 
  12. Delete the personal data once the relationship has ended, except for the period strictly necessary to defend itself in the exclusive case that liabilities could arise from its relationship with the Data Controller.


The Controller generally authorizes the Processor to subcontract to third parties the services involving the processing of personal data.

In any case, and whenever subcontracting takes place, the sub-processor is also obliged to comply with the obligations established in this DPA for the Processor. In the event of a breach thereof, the initial Processor shall remain fully liable to the Controller for compliance with the obligations set forth herein.

The Processor, or sub-processor, shall not transfer the personal data to a third country outside the European Union or to an international organization, unless it can guarantee that the data will enjoy an adequate level, or similar, of protection in accordance with the requirements of the GDPR, as well as the guidelines and opinions issued by the European Commission.


The Controller acknowledges and authorizes the Processor, when required, for the provision of Services, to transfer Personal Data outside the European Economic Area, the Standard Contract Clauses (SCC), adopted by the European Commission by virtue of Decision 2021/915 of 4 June 2021, in its “processor to controller” version, will be incorporated into the contract by reference and are considered part of this Addendum as a whole. To this end, the clauses shall be interpreted in accordance with the following additions, always bearing in mind that they are not intended to modify at any time the non-negotiable obligations imposed in the SSCs:

  • Clause 7: Not applicable
  • Clause 8: Module Two “Transfer controller to processor” shall apply
  • Clause 9: Module Two “Transfer controller to processor” shall apply. Option 2 “General Written Authorization” shall apply, being the notice period set at 7 calendar days.
  • Clause 10: Module Two “Transfer controller to processor” shall apply
  • Clause 11: Module Two “Transfer controller to processor” shall apply
  • Clause 12: Module Two “Transfer controller to processor” shall apply
  • Clause 13: Module Two “Transfer controller to processor” shall apply, being the competent authority, the one where the data exporter is established.
  • Clause 16: Module Four “Transfer processor to controller” shall apply
  • Clause 17 is established as follows: These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Spain.
  • Clause 18 is established as follows: Any dispute arising from these Clauses shall be resolved by the courts of Spain.

The description of the processing (Annex II of the SCC), the technical and organizational measures (Annex III of the SCC) may be inferred on the basis of the details subscribed to in this document.



All notifications between the Parties shall be made in writing by registered mail with acknowledgement of receipt or by e-mail with confirmation of delivery and reading at the addresses included in the main contract.


The present DPA shall be governed and interpreted by the Spanish laws and by the General Data Protection Regulation. Likewise, the parties waive their own or any other jurisdiction to which they may be entitled by law and expressly agree to submit to the Courts and Tribunals of Madrid to resolve any disputes arising between the parties in connection with this agreement.


This document contains the technical and organizational security measures to be implemented by the Data Processor in the performance of the contracted services. 

  • Logical access control to systems that process personal data 

At least the following security measures must be implemented:

  • Access control:
    1. Access to the systems after authentication of authorized personnel.
    2. Existence of an updated list of users with authorized access to the information systems. 
    3. Access control based on roles and profiles, implemented in a manner consistent with the principle of least privilege, i.e., that users only access the information that is essential to carry out the assigned functions.
    4. Prohibition of the use of anonymous or generic accounts, except in justified and limited situations. 
  • Identification and authentication:
    1. Use of passwords with minimum security parameters (uppercase, lowercase, numbers, letters and special characters, minimum number of 6 characters, and expiration once a year), and keeping them unintelligible. 
    2. Use of a procedure for assigning, distributing and storing passwords that guarantees their confidentiality and integrity.
    3. Automatic locking of the user’s device after a period of inactivity. Mandatory identification and password to restart its use.
  • Media management:
    1. Identification and inventory of the devices that process personal data, as well as the users who access them.  
    2. Adoption of measures aimed at preventing subsequent access or recovery of the information contained in the media, once it is decided to discard them. To this end, they must be destroyed or completely erased by means of secure erasure systems. Devices containing personal data should be physically destroyed or the information should be destroyed, erased or overwritten using techniques that do not allow the recovery of the original information, instead of using normal erasure or formatting.
  • Back-up copies and continuity of service. 
    1. Documentation of the backup and recovery procedures, which guarantee at all times their reconstruction in the state in which they were at the time of the loss or destruction.
    2. Periodic verification of the correct definition, operation and application of the procedures for backing up and recovering data.
  • Network security controls
    1. Use of firewall, router and VPN-based access controls to protect private service networks and back-end servers.
  1. Incident Logging

At a minimum, the following security measures should be implemented:

  1. Procedure for notification and management of incidents affecting personal data. 
  2. Procedure for notification and management of security breaches or violations, and their notification in due time and form to the Data Controller, in order to comply with the requirements of the regulations. 
  3. Maintenance of a record of the incidents/violations that have occurred.  
  • Periodic verification of controls.

A process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to ensure the security of the processing shall be established, taking into account in particular the risks presented by the processing of the data.