- Personal Data Processing
- The Data importer acts as data processor of the Data exporter within the meaning of the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (the GDPR).
- 1.2. The Data importer undertakes to process personal data only based on the instructions of the Data exporter, and to ensure that its employees or other authorized persons who will process personal data received from the Data exporter will be permanently bound by confidentiality agreements to warrant confidentiality of personal data received from the Data exporter.
- Obligations of the Data Processor
- If the Data importer cannot ensure compliance with this Data Transfer Agreement or data protection legislation for whatever reason, it agrees to promptly inform the Data exporter of its inability to comply, in which case the Data exporter is entitled to suspend the transfer of data to the Data importer, to prevent the latter from processing data, and/or to terminate the present Data Transfer Agreement.
- The Data importer agrees and warrants that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data exporter and related to the processing of personal data and its obligations under the Data Transfer Agreement.
- The Data importer undertakes to implement the appropriate technical and organizational security measures specified in the legislation, and established or recommended by the competent data protection authorities, before processing the personal data.
- The Data importer undertakes to notify the Data exporter immediately about (i) any legally binding request for disclosure of personal data received from the Data exporter by a law enforcement authority unless otherwise prohibited; (ii) any accidental or unauthorized access to the data, any leak of personal data and/or violation of the personal data security; and (iii) any requests received directly from the data subjects without responding to such requests, unless it has been otherwise authorized to do so.
- The Data importer undertakes to answer comprehensively, no later than within one month, all inquiries from the Data exporter relating to its processing of personal data, and to abide by the advice and instructions of the competent supervisory authority with regard to the processing of the personal data.
- The Data importer undertakes to make available to the data subject upon request a copy of the clauses of the present Data Transfer Agreement, except for the part which constitutes the Data importer’s commercial secret, and a summary description of the security measures in those cases where the data subject is unable to obtain such information from the Data exporter.
- The Data exporter agrees that the Data importer has the right to subcontract and engage third parties (sub-processors) providing various ancillary IT services to the Data importer and listed in Exhibit 1 below. The provided list of such sub-processors may be updated from time to time; please check this list periodically.
- Where the Data importer engages a third party (sub-processor) for performance of the present Data Transfer Agreement, the Data importer undertakes to ensure that the contract between the Data importer and the third party contains obligations of the third party similar to those in this Data Transfer Agreement.
- The Data importer undertakes to assist the Data exporter in ensuring compliance with the duties stipulated in Articles 32-36 of the GDPR taking due regard of the nature of data processing, and the information available to the Data exporter.
- The Data importer must take the measures required under Article 32 of the GDPR regarding security of data processing.
- Obligations of the Data Exporter
- The Data exporter agrees and warrants that the processing of personal data, including their transfer to the Data importer, is and will continue to be carried out in accordance with the data protection legislation and applicable law.
- The Data exporter undertakes throughout the duration of the personal data-processing services to instruct the Data importer to process the personal data transferred only on the Data exporter’s behalf and in accordance with the data protection legislation and the present Data Transfer Agreement.
- The Data exporter agrees to make available copies of the present Data Transfer Agreement and other agreements on personal data processing to a competent supervisory authority, if the latter requests them or if it is required under data protection legislation. The Data importer hereby represents that it has no objections to the same.
- Obligations of the Parties
- Both parties undertake to ensure that personal data are protected against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the costs of their implementation.
- The parties agree that the supervisory authority has the right to conduct an audit of the Data importer, which has the same scope and is subject to the same conditions as would apply to an audit of the Data exporter under the applicable data protection legislation.
- Obligations after the Termination of Personal Data Processing Services
- The parties agree that on the termination of the provision of data-processing services, the Data importer and sub-processors (if any) shall, at the choice of the Data exporter, return all the personal data transferred and the copies thereof to the Data exporter or shall destroy all the personal data and send confirmation that it/they has/have done so to the Data exporter, unless legislation imposed upon the Data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not process the personal data transferred anymore.
- Governing Law and Dispute Resolution
- The present Data Transfer Agreement and the personal data processing are subject to the laws of the Republic of Lithuania and the European Union. Any dispute, disagreement or claim arising out of this Data Transfer Agreement or related thereto (unless settled amicably) shall be resolved by a competent state court of the Republic of Lithuania located in the city of Vilnius, in accordance with the procedure established by law.
- Final Provisions
- Invalidity of one provision of this Data Transfer Agreement shall not render the entire Data Transfer Agreement invalid. By an agreement between the parties, the invalid provision must be promptly substituted with a valid one as close to the invalid provision as possible in its spirit and contents, and such substituting provision must have a similar legal and economic effect as the replaced provision.
EXHIBIT 1 TO DATA TRANSFER AGREEMENT
This exhibit forms an integral part of the Data Transfer Agreement.
The personal data transferred concern any individuals 16 years of age and above.
Categories of data
The personal data transferred include: photos, name, email address, email correspondence, postal address, payment history, invoice-related information, IP address.
Special categories of data
SkyBiometry will process submitted photos as biometric data which is necessary for services performing face matching operations.
The transferred personal data will be used solely to provide SkyBiometry cloud services.
Data importer’s sub-processors:
- Amazon Web Services, Inc. – https://aws.amazon.com/
- OVH – https://ovh.com
- Microsoft Azure – https://azure.microsoft.com
- GoDaddy.com, LLC – https://www.godaddy.com/
This Data Transfer Agreement and its Exhibit were last updated on July 27, 2018.