Regulation on the processing of personal data by TechnoLogica EAD

Version 2.0


This document regulates the processing, transmission, storage and destruction of personal data, as well as the rights and obligations of the parties to the Agreement for Subscription Use of a Software Product, in accordance with the Personal Data Protection Act (PDPA) and Regulation 2016/679 of the European Parliament and of the Council of the European Union (GDPR).

 

OBJECT

Article 1. (1) The ADMINISTRATOR shall provide the Employee with access to personal data in connection with the performance of specific commercial relationships under the Agreement for Subscription Use of a Software Product; this shall be regarded as the ADMINISTRATOR entrusting the Employee with the processing of the data within the meaning of Art. 4, item 3 of the GDPR.

(2) The personal data referred to in paragraph 1 are listed exhaustively in Appendix No 1, which forms an integral part of this Regulation.

(3) The ADMINISTRATOR is responsible for the accuracy and completeness of the collected personal data that it transmits to the Employee.

(4) The personal data whose processing and protection are regulated by this Regulation shall be collected by the ADMINISTRATOR.

(5) The data shall be accessed by:
  • providing data import files;
  • providing technical and functional support for the software as a HeRMeS eXpress service;
  • through the Help-desk system for user support.
 

CONCEPTS

Article 2. The terms used in this document are worded as follows, namely:

ADMINISTRATOR means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be laid down in Union or Member State law.

A Personal Data Processor or Processor is a processor within the meaning of Article 3(3) of the GDPR, i.e. a person that processes personal data on assignment from the ADMINISTRATOR.

Personal Data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal Data Security Breach means a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.

Providing Personal Data means the transfer, in whole or in part, of personal data from one controller to another controller or to a processor, or to a third party within or outside the territory of the country.

 

RETENTION AND DESTRUCTION PERIODS

Article 3. (1) After fulfilling its obligations under the subscription agreement for HeRMeS eXpress, the PROCESSOR undertakes to delete the personal data provided to it from its databases, in electronic and/or paper form where such exist. "Deletion" means the removal or destruction of personal data so that it cannot be recovered or restored.

(2) After the expiry of the subscription period under this Regulation, the Employee shall retain the data for 30 calendar days in order to resolve any claims raised by the ADMINISTRATOR.

(3) Where a legal act obliges one of the parties to store personal data for a longer, statutory period, the information shall not be deleted.

(4) Within 30 days after the expiry of the period referred to in paragraph 2, TechnoLogica shall provide the ADMINISTRATOR with information certifying the deletion of that information (e.g. a protocol for the destruction of data sets).

(5) Where a Party retains data in compliance with a legal obligation, it undertakes to apply all technical and organisational protection measures to such data and to use it only for the purposes for which it is stored.

Article 4. (1) At the explicit request of the ADMINISTRATOR, the PROCESSOR shall be obliged to return the data to it after the expiry of the retention period under paragraph 2. The data shall be returned by handing over the documents in their original paper form (if any) against a signed handover protocol, or by electronic transmission in a secure or encrypted file format.

(2) After the date of deletion of the data, the parties agree that they will not make any claims against each other regarding the processing of such personal data.

 

TECHNICAL AND ORGANISATIONAL MEASURES

Article 5. (1) The Parties to this Regulation shall take the necessary technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss, unauthorised access, alteration or dissemination, as well as other unlawful forms of processing.

(2) When processing personal data, the Parties undertake to implement the technical and organisational measures for the protection of personal data described in Appendix 2.

Article 6. In implementing the measures referred to in Article 5, the Parties to this Regulation agree that the systems through which data are processed shall ensure the confidentiality of the information, its integrity (storage in its entirety), its availability and its continued resilience.

Article 7. Each Party to this Regulation shall have the right to modify, and to require the other Party to change, the organisational and technical protection measures applied, in the event of a recommendation by the Commission for Personal Data Protection (CPDP) or a legislative change.

 

PERSONAL DATA BREACH

Article 8. (1) In the event of a breach of the security of personal data, the PROCESSOR shall be obliged to notify the ADMINISTRATOR thereof within 24 hours of becoming aware of the breach.

(2) The notification should specify the following information:

  1. the nature of the breach and, where possible, the categories of personal data concerned, the approximate number of data subjects concerned and the type of data sets concerned, in paper or electronic form;
  2. the official from whom more information can be obtained;
  3. the measures taken by the Party concerned to remedy the breach, restore the information and prevent and/or limit adverse effects on data subjects.

Article 9. The Parties agree that they will make every reasonable effort to prevent and/or limit any breach and its adverse effects.

 

RIGHTS AND OBLIGATIONS OF THE PARTIES

Article 10. (1) The ADMINISTRATOR declares and guarantees that the personal data he/she provides within the meaning of Art. 2, item 7 of this Regulation to the PROCESSOR has been collected on a legally determined basis, as well as that the obligations for explicit consent towards the data subject have been fulfilled.

Article 11. (1) The PROCESSOR processes personal data only on documented instructions from the ADMINISTRATOR, including with regard to the transfer of personal data to a third country or an international organisation, unless required to do so by Union law or the law of a Member State to which the PROCESSOR is subject; in that case the PROCESSOR informs the ADMINISTRATOR of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

(2) The PROCESSOR guarantees that the persons authorised to process the personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.

(3) The PROCESSOR shall take all necessary and reasonable measures pursuant to Article 32 of the GDPR.

(4) The PROCESSOR complies with the conditions under Art. 28, para. 2 and 4 of the GDPR for engaging another personal data processor.

(5) Taking into account the nature of the processing, the PROCESSOR assists the ADMINISTRATOR, as far as possible, by appropriate technical and organisational measures, in fulfilling the ADMINISTRATOR's obligation to respond to requests for exercising the data subjects' rights laid down in Chapter III of the GDPR.

(6) The PROCESSOR assists the ADMINISTRATOR in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the PROCESSOR.

Article 12. (1) The ADMINISTRATOR has the right, once a year and after prior agreement, to audit or check the fulfilment by the PROCESSOR of its obligations under this Regulation. The audit may also be performed by an auditor authorised by the ADMINISTRATOR.

(2) The ADMINISTRATOR shall notify the PROCESSOR of the audit or verification within a reasonable time, not less than 30 days before it is carried out, except where the audit is initiated by acts or actions of state bodies.

(3) The ADMINISTRATOR and the auditors selected by it shall not cause any damage, interruption or disturbance to the premises, equipment, staff and business of the PROCESSOR while their staff are on the PROCESSOR's premises for an audit or inspection.

(4) The PROCESSOR is obliged to provide the ADMINISTRATOR with the necessary assistance in carrying out the audit or verification.

(5) An audit or verification under Article 12, paragraph 1 of this Regulation shall not be grounds for providing commercial, financial, economic, know-how or other information that is confidential for the PROCESSOR, or information protected as copyright and/or intellectual property under national or Community law. In such cases the ADMINISTRATOR performs the audit without being provided with the confidential information. The PROCESSOR may not invoke confidentiality with regard to the technical and organisational protection measures applied.

(6) For damages and lost profits suffered by the PROCESSOR as a direct consequence of an audit under Art. 12, the ADMINISTRATOR owes full compensation.

(7) All expenses of the audit, including travel, transport and the fees of an external auditor, are for the account of the ADMINISTRATOR.

Article 13. Each Party to this Regulation shall have the following obligations vis-à-vis the other Party:

  • to process personal data lawfully, accurately and in good faith in the performance of its duties;
  • to collect only such personal data as are necessary to achieve the purposes of processing and not to process them further in a manner incompatible with those purposes;
  • to provide a technical possibility to update the data where necessary;
  • to delete and/or correct the data where they are found to be inaccurate or disproportionate in relation to the purposes for which they are processed;
  • to monitor compliance by its employees with the internal rules for the processing of personal data, with the mandatory instructions and methodologies of the CPDP, and with the provisions of national and Community law;
  • to provide the persons who process data on its behalf with appropriate training on data protection and to inform them of the confidentiality of personal data and the risks of a possible breach;
  • to notify the other Party to this Regulation upon receipt of a request or application by a data subject under Art. 15-22 GDPR;
  • to notify the other Party to this Regulation of the receipt of a complaint by a data subject by submitting a copy thereof;
  • to put in place, at its own expense, all reasonable organisational and technical protection measures under this Regulation;
  • to require the other Party to make reasonable changes to the technical and organisational protection measures applied, in accordance with regulatory requirements or instructions of the CPDP;
  • to obtain information on checks, audits and impact assessments carried out by the other Party to this Regulation;
  • to receive information about complaints received and/or the exercise of a right of defence by a data subject.

 

NON-COMPLIANCE AND COMPENSATION

Article 14. (1) The ADMINISTRATOR involved in the processing of personal data shall be liable for damages arising from the processing carried out, which is in violation of this Regulation and the PDPA.

(2) The PROCESSOR shall be liable for damages arising from the processing only where it has failed to comply with the obligations under this Regulation and the PDPA specifically directed at processors, or where it has acted outside or contrary to the lawful instructions of the ADMINISTRATOR.

(3) The ADMINISTRATOR and/or the PROCESSOR shall be relieved of liability under paragraphs 1 and 2 where it proves that it is not in any way responsible for the event giving rise to the damage.

(4) Where both Parties to this Regulation are involved in the same processing operation and are liable under paragraphs 1 and 2 for damage caused by the processing, they shall be jointly and severally liable for the entire damage, in order to ensure effective compensation to the data subject.

Article 15. (1) Each Party shall promptly notify the other party of any complaint and/or alert concerning processed data under this Regulation.

(2) Each Party undertakes to notify the other Party without undue delay of any administrative proceedings initiated by the CPDP or any other authority with special jurisdiction where the proceedings concern the processing of data under this Regulation.

(3) Each Party undertakes to provide the other Party with the necessary assistance and support in the relevant administrative and/or judicial proceedings, with due diligence.

 

ADDITIONAL PROVISIONS

Article 16. This regulation may be amended or supplemented with the express consent of the parties expressed in writing.

Article 17. For all matters not regulated herein, the provisions of the PDPA, the GDPR and the regulations, methodologies and instructions of the CPDP and the competent authorities shall apply.

Article 18. Disputes concerning the conclusion, operation, interpretation, amendment, implementation and termination of this Regulation shall be settled between the parties by negotiation, in a spirit of equal treatment and mutual compromise. In the event that the dispute cannot be resolved, it shall be referred to the CPDP, and property disputes to the competent Bulgarian court in Sofia.

Appendix 1:

PURPOSE AND SCOPE OF THE PROCESSING OF PERSONAL DATA

1. Purposes of the processing of personal data
  • Implementation of an information system for human resources management;
  • Maintenance of an information system for human resources management;
  • Implementation of changes in the information system for human resources management;
  • Conducting trainings.

2. Categories of data subjects
  • Applicants;
  • Employees of the administrator;
  • Related persons;
  • Children;
  • Contractors (for training providers).

3. Categories of personal data

Personal identification:
  • Names
  • Personal ID number
  • Type of identity document
  • Identification document number
  • Place of birth
  • Address
  • Citizenship
  • E-mail address (email)
  • Phone
  • Photo
  • Education
  • Certificates
  • Criminal record certificate

Kinships:
  • Type of kinship with another person
  • Related party name
  • Date of birth of a related party
  • Related person's personal identification number

Professional identification:
  • Position
  • Location
  • Identification number
  • Access card number
  • Document number
  • IP address
  • Connectivity as representative of LE
  • Performance assessment
  • Workbook
  • Disciplinary penalties
  • Prizes
  • Trainings passed

Financial data:
  • IBAN
  • Bank card number
  • Insurance policy number
  • Salary

Special categories of personal data:
  • Diagnosis from a hospital sheet
  • Disability rate
  • Disability rate decision
  • Nationality
  • Trade union affiliation

Appendix 2:

TECHNICAL AND ORGANISATIONAL MEASURES

In connection with the performance of its contractual relations in the role of Processor, TechnoLogica EAD is committed to implementing the following technical and organisational measures, grouped by security area:

1. SECURITY OF NETWORKS AND SYSTEMS

1.1 Firewall and router configurations are set to limit incoming and outgoing traffic from "untrusted" networks (including wireless) and hosts. All traffic other than the protocols required for the Personal Data Environment (PDE) is prohibited.
1.2 Application firewalls are placed in front of the PDE web servers to inspect and validate the traffic directed to the server. Any unauthorised service or traffic is blocked, an alert is generated, and the alert is then handled appropriately (analysis and removal).
1.3 Hardening configuration templates are provided for ICT assets (e.g. databases, applications, operating systems) that process personal data, so that only the services explicitly needed for the planned activities remain enabled.
1.4 Personal data shall be protected against the risk of breach and malware by activating appropriate electronic tools that are updated at least every six months.
1.5 Software and operating system updates shall be reviewed periodically. A register of published and applicable updates shall be kept, and the applicable updates shall be installed at least every six months.
1.6 The Processor shall plan and carry out a vulnerability assessment and/or penetration test at least once a year on the systems used to provide services to the data controller. Identified vulnerabilities and findings are managed appropriately (analysis and remediation). On request of the Administrator, the Processor shall provide the plans and results of the vulnerability assessment/penetration test.
2. DATA SECURITY

2.1 The retention time for personal data is limited to what is necessary for the provision of each individual service, subject to the legal and/or regulatory obligations in force. The maximum retention period for documents is 5 years from the date of termination of the contract or the period required under existing regulations, whichever is longer.
2.2 Paper documents containing personal data shall be physically destroyed with a shredder before being discarded.
2.3 Production data (actual data) are permitted in, and limited to, production environments only. The Processor may process (actual) personal data only in environments protected as production environments. Other pre-production environments (such as development, testing, user acceptance testing (UAT), etc.) use either anonymised or synthetic data.
2.4 Access to production data managed by applications in the Client's infrastructure is permitted only exceptionally and on request, in connection with a specific processing purpose.
2.5 Personal data are rendered unreadable (e.g. by encryption) when stored on portable digital media, backup media or log files, except where the files are transferred to an institution that does not accept encrypted files.
2.6 The number of personal data repositories (e.g. databases, files, copies, archives) is minimised, avoiding unnecessary duplication.
2.7 The transfer of personal data over open, public or unprotected networks is protected by strong encryption and the use of security protocols. Where an encrypted channel is not applicable, files and applications containing personal data are themselves encrypted whenever they are transmitted over open, public or unprotected networks.
2.8 The Controller's personal data are processed only in a TechnoLogica environment. TechnoLogica does not use other cloud technology providers and/or other third parties to process data.
2.9 Media (portable and non-portable) containing personal data are protected against unauthorised access by appropriate physical and logical security measures.
3. DATA AVAILABILITY

3.1 Availability of the personal data processed is ensured by preventing accidental or deliberate destruction or loss of data. The measures envisaged include: a backup strategy, uninterruptible power supply (UPS, diesel generator), antivirus software, a firewall, reporting procedures and emergency planning; security checks at infrastructure and application level; a multi-stage backup process; and standard processes for employee changes.
3.2 Timely restoration of the availability of and access to personal data is ensured in the event of a physical or technical incident. Two types of archives are maintained (short-term and long-term), from which the systems are restored in accordance with procedures validated under ISO 27001.
3.3 Procedures are in place for the erasure of personal data once the purpose of the processing for which a register is kept has ceased. Personal data shall be deleted using methods that make the destruction irreversible and prevent re-use. Where this is impracticable, the data carriers are destroyed or rendered unusable.
4. IDENTITY AND ACCESS MANAGEMENT

4.1 Access to production environments containing personal data is granted on a "need-to-know" and "least privilege" basis.
4.2 Policies and procedures are in place to ensure the correct identification of users who have access to systems managing personal data. Each user receives a username before being granted access to personal data systems. Each username identifies exactly one person.
4.3 Individual remote administrative access to systems managing personal data is granted in accordance with the policies of the Client, the Administrator of personal data.
4.4 The password management policy for production systems and devices managing personal data requires:
 – complex passwords (at least 8 characters, meeting at least three of the following four conditions: upper-case letters, lower-case letters, digits, special characters, e.g. %?!);
 – passwords that cannot be easily guessed, taking the user's name into account;
 – a password change at least once every 6 months;
 – that the last two passwords used may not be reused;
 – that a password may not be changed again within one month of its last change.
4.5 System resources and the right of access are assigned individually to each user profile.
4.6 Remote access (from external networks) to the data processing environment is protected by multifactor authentication.
4.7 Users’ access rights to personal data shall be reviewed at regular intervals and in any event at least once a year in accordance with the identity and access management policy.
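The password rules in measure 4.4 can be checked mechanically rather than by inspection. The block below is an added example written for this page; it is not TechnoLogica's code and not part of the HeRMeS product. It validates a candidate password against the complexity rules and enforces the history, minimum-age and maximum-age rules against a per-user record. The day counts used for "one month" (30 days) and "six months" (182 days), the username-containment test used to approximate "not easily guessable", the PBKDF2 digest for password history and the record layout are all assumptions of the example.

```python
"""Password policy checks modelled on measure 4.4 (added example, not the project's code)."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8                  # "at least 8 characters"
MIN_CLASSES = 3                 # "at least three of the four conditions"
MAX_AGE = timedelta(days=182)   # "change at least once every 6 months" (182 days assumed)
MIN_AGE = timedelta(days=30)    # "not changed again within one month" (30 days assumed)
HISTORY_DEPTH = 2               # "the last two passwords used may not be reused"


@dataclass
class PasswordRecord:
    """Per-user state needed to enforce the age and history rules (assumed layout)."""
    username: str
    last_changed: date
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # salted digests, most recent last


def _digest(password: str, salt: bytes) -> bytes:
    # History holds salted PBKDF2 digests, never plaintext. One salt per user is a
    # simplification so that each history entry can be compared with one call.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def complexity_problems(password: str, username: str) -> list:
    """Return the 4.4 complexity rules the candidate violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    # "cannot be easily guessed, taking the user's name into account": rejecting a
    # password that embeds the username is the assumed interpretation.
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def change_problems(record: PasswordRecord, new_password: str, today: date) -> list:
    """All reasons a password change must be refused today (empty list = allowed)."""
    problems = complexity_problems(new_password, record.username)
    if today - record.last_changed < MIN_AGE:
        problems.append("changed less than one month ago")
    candidate = _digest(new_password, record.salt)
    recent = record.history[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(candidate, old) for old in recent):
        problems.append("matches one of the last two passwords")
    return problems


def password_expired(record: PasswordRecord, today: date) -> bool:
    """True once the current password is older than the six-month maximum."""
    return today - record.last_changed > MAX_AGE


def apply_change(record: PasswordRecord, new_password: str, today: date) -> None:
    """Enforce the policy, then record the new password's digest and change date."""
    problems = change_problems(record, new_password, today)
    if problems:
        raise ValueError("; ".join(problems))
    record.history.append(_digest(new_password, record.salt))
    record.last_changed = today


if __name__ == "__main__":
    rec = PasswordRecord(username="jdoe", last_changed=date(2024, 1, 1))
    apply_change(rec, "Winter#2024", date(2024, 3, 1))
    print(change_problems(rec, "Winter#2024", date(2024, 3, 10)))
```

Keeping every rule in one `change_problems` call means a user is told all violations at once, and the history check compares digests with `hmac.compare_digest` so that no plaintext password is ever retained.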
5. LOGGING AND MONITORING

5.1 Any access to production environments containing personal data, as well as access to personal data in the TechnoLogica Support Center, is recorded in logs.
5.2 Access to production personal data managed in the HeRMeS Human Resources Management System can be traced by recording at least the following information:
 – User
 – Computer (see comments)
 – Date of entry
 – Entry status (purpose of access to personal data)
 – Date of exit
 – Exit status
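Measure 5.2 lists the fields an access record must carry but not what a reviewer does with them. The following added example, written for this page and not TechnoLogica's code, pairs entry and exit records into sessions and flags the gaps an auditor of those logs would want raised: an access with no recorded purpose, a session with no recorded exit, an abnormal exit status, and an exit without a matching entry. The pipe-delimited record layout, the key names, the sample records and the eight-hour threshold for an open session are all constructed assumptions.

```python
"""Review of access records carrying the fields of measure 5.2 (added example, not the project's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records. The pipe-delimited layout and the key names are
# assumptions; the page lists the fields but prescribes no record format.
SAMPLE_LOG = [
    "2024-05-02T08:01:00|user=ivanova|computer=WS-17|event=entry|purpose=payroll run",
    "2024-05-02T08:40:00|user=ivanova|computer=WS-17|event=exit|status=ok",
    "2024-05-02T09:15:00|user=petrov|computer=WS-03|event=entry|purpose=",
    "2024-05-02T09:20:00|user=petrov|computer=WS-03|event=exit|status=ok",
    "2024-05-02T22:10:00|user=svc-backup|computer=SRV-DB1|event=entry|purpose=backup",
    "2024-05-03T01:05:00|user=svc-backup|computer=SRV-DB1|event=exit|status=error",
    "2024-05-03T10:00:00|user=georgiev|computer=WS-09|event=entry|purpose=employee record update",
    "2024-05-03T11:30:00|user=dimitrov|computer=WS-21|event=exit|status=ok",
]


@dataclass
class Session:
    """One access session: the 5.2 fields, with exit fields empty while still open."""
    user: str
    computer: str
    entered: datetime
    purpose: str
    exited: Optional[datetime] = None
    exit_status: Optional[str] = None


def parse_line(line: str) -> dict:
    """Split one record into a dict; the leading timestamp becomes a datetime under 'time'."""
    timestamp, *fields = line.split("|")
    record = dict(kv.split("=", 1) for kv in fields)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def build_sessions(lines):
    """Pair entry and exit records per (user, computer). Returns (sessions, orphan exits)."""
    open_sessions = {}
    sessions, orphans = [], []
    for record in map(parse_line, lines):
        key = (record["user"], record["computer"])
        if record["event"] == "entry":
            # A second entry without an exit closes the earlier one as unterminated.
            if key in open_sessions:
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = Session(record["user"], record["computer"],
                                         record["time"], record.get("purpose", ""))
        elif record["event"] == "exit":
            session = open_sessions.pop(key, None)
            if session is None:
                orphans.append(record)  # exit with no entry to match
                continue
            session.exited = record["time"]
            session.exit_status = record.get("status")
            sessions.append(session)
    sessions.extend(open_sessions.values())  # still open at the end of the log
    return sessions, orphans


def review(lines, now: datetime, max_open: timedelta = timedelta(hours=8)) -> list:
    """Findings an auditor would raise over the records, sorted for stable output."""
    sessions, orphans = build_sessions(lines)
    findings = []
    for s in sessions:
        who = f"{s.user}@{s.computer}"
        if not s.purpose.strip():
            findings.append(f"{who}: no purpose recorded")
        if s.exited is None and now - s.entered > max_open:
            findings.append(f"{who}: no exit recorded after {max_open}")
        if s.exit_status not in (None, "ok"):
            findings.append(f"{who}: exit status {s.exit_status}")
    for record in orphans:
        findings.append(f"{record['user']}@{record['computer']}: exit without matching entry")
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, datetime(2024, 5, 4)):
        print(finding)
```

Pairing on (user, computer) is what makes the "Date of exit" and "Exit status" fields useful: an entry that is never closed, or an exit that was never opened, is exactly the kind of gap a reviewer of measure 5.2 logs should see, and an empty "Entry status" shows an access whose purpose was never stated.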
6. ORGANISATION AND PHYSICAL PROTECTION

6.1 Procedures are in place to ensure the availability of personal data. Redundancy of systems and staff has been organised to ensure continuity of service for data subjects wishing to access their own personal data.
6.2 A security awareness programme is in place to familiarise all staff with the policies and procedures relating to the security of personal data.
6.3 Employees' responsibilities and obligations regarding the confidentiality of personal data remain in force after the termination or change of their employment relationship.

7. DATA PROTECTION AT THE DESIGN STAGE

7.1 When developing new ICT software/applications, security tests are applied to ensure that they are designed and developed with built-in security requirements taken into account.
7.2 When implementing changes to ICT software/applications, security tests are applied to ensure that the changes are developed with built-in security requirements taken into account.

8. PERSONAL DATA BREACH NOTIFICATIONS

8.1 Incident management processes and tools have been implemented and are continuously improved so as to classify personal data breaches and communicate them properly to the controller within the time limits set out in the section "Personal Data Breach".
8.2 A register of personal data incidents has been created and is maintained.