Interneto vizija UAB, legal entity’s registration number 126350731, registered address at J. Kubiliaus g. 6, LT-08234 Vilnius (hereinafter referred to as the Processor) and the client who uses our services (hereinafter referred to as the Controller) (hereinafter jointly referred to as the Parties, and each separately as the Party) have concluded this personal data processing agreement (hereinafter referred to as the Agreement) which shall regulate the processing carried out by the Processor on behalf of the Controller.
1.1. Hereinafter used definitions shall have the following meanings:
1.1.1. Personal Data shall mean any information on a natural person who can be identified, directly or indirectly, by using identifying data (name, surname, address, personal number, etc.) or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.
1.2. Processing of Personal Data shall mean all actions performed on personal data or on sets of personal data, whether or not by automated means (collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction or any combination thereof).
1.1.3. GDPR shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation).
1.1.4. Principal Contract shall mean Website Hosting Terms, Server Rental Terms.
1.1.5. Services shall mean the services or other activities provided or performed by the Processor to the Controller or on behalf of the Controller under the Principal Contract. On the basis of the Principal Contract, the Processor hereby undertakes to (i) carry out monitoring and maintenance of servers where Personal Data may be located, make backups of data located therein and store them in the backup repository for the period which is not longer than the service of making and storing backups is provided to the Controller (ordered additionally) or (ii) provide hosting service, making of backups of the data located therein and storing thereof in the backup repository for the period which is not longer than the service of making and storing backups is provided to the Controller.
1.1.6. Data Subject shall have the same meaning as prescribed by the GDPR.
1.1.7. Sub-Processor shall mean a third party whose services are used by the Processor and that has or could have access to the Controller’s Personal Data or that processes such data.
1.1.8. Processor’s Personnel shall mean the Processor’s employees, including the persons who provide services to the Processor under author, freelance, cooperation or similar contracts, partners, including partners of joint activities or other partners with whom cooperation is carried out without establishing a separate legal entity as well as authorised representatives, including brokers and agents.
1.1.9. Data Breach shall mean a breach leading to the accidental or unlawful destruction, loss, unauthorised disclosure of the Personal Data or unauthorised access to the Personal Data.
1.2. Other definitions that are not included in this Agreement shall be interpreted and understood as they are defined in the Principal Contract, the GDPR, and/or national legal acts regulating protection of Personal Data.
2.1. In performance of the Principal Contract and provision of the Services, the Processor shall process the Controller’s data. The Controller’s data may include Personal Data. The Processor shall process and store such Personal Data under the terms and conditions of this Agreement.
2.2. The nature, subject matter and purpose, duration of the processing, the type of processed Personal Data, categories of data subjects shall be indicated in the Annex No. 1 to this Agreement which shall be an integral part of this Agreement.
2.3. The Personal Data shall be processed by the Processor only to the extent necessary for the provision of Services under the Principal Contract and this Agreement and by acting under the legitimate instructions from the Controller. The Processor shall immediately inform the Controller, if, in its opinion, the instruction breaches the GDPR or other applicable legal acts.
2.4. The Controller hereby confirms that the processing carried out by the Controller (including the use of the Processor’s Services) shall be carried out in compliance with the respective requirements of the legal acts applicable at the time of transfer of the Personal Data.
3.1. The Processor may process Personal Data only to the extent and in the way necessary to perform the Principal Contract under the Controller’s instructions. For the purposes other than specified in the Principal Contract, the Personal Data may be processed by the Processor only after obtaining a prior acceptance from the Controller.
3.2. The Processor shall contact the Controller, if it is not aware of or does not understand the Controller’s instructions.
3.3. The Processor shall be responsible for confidentiality and security of the processed Personal data from the start of the provision of the Services. This provision shall not be applied in the cases where the Personal Data must be disclosed by the Processor for compliance with the obligations prescribed by the legal acts.
3.4. The Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality of the processed Personal Data or are under an appropriate legal obligation of confidentiality.
3.5. The Processor hereby undertakes to process Personal Data in compliance with the requirements of applicable legal acts, to not take or refrain from taking any action which would lead to a breach of the Controller’s obligations set forth in the legal acts regulating the processing of Personal Data.
3.6. To protect the Personal Data in accordance with the GDPR, the Processor shall apply appropriate technical and organisational security measures. To ensure security, integrity, and interchangeability of the data stored on electronic systems, the Processor shall usually apply the security measures developed by third parties. Such measures shall not be specific to the Controller, they shall be standard and equally applied to all Processor’s services of the same nature and clients. The Controller hereby confirms that such measures are sufficient and appropriate to ensure appropriate level of security of the Personal Data which is compliant to the processing carried out by it and nature, related risks, type of the Personal Data, scope, context and purposes.
3.7. The measures may be changed/updated by the Processor at its own discretion and the Controller does not have to be informed about this separately. Such changes or updates may not provide a lower level of protection than the one provided by the measures at the time of conclusion of this Agreement.
3.8. Any technical organisational measures that are not included in the abovementioned measures may be implemented under the Controller’s instruction only at the Controller’s expense.
3.9. The Processor shall provide the Controller with a possibility to get access to, rectify, erase, restrict and transfer Personal Data processed by the Processor.
3.10. The Processor shall provide all the information which is necessary to prove compliance with applicable obligations of processing and allows to perform audits and inspections carried out by the Controller or its behalf in the way prescribed in the Agreement and cooperate in performance thereof.
3.11. Under the Controller’s request, the Processor shall return all Personal Data of the Controller to the Controller. The form and way to return data shall be chosen under the agreement of the Parties by considering the nature of Personal Data to be returned, terms for processing and storing thereof.
4.1. Under the Controller’s request, the Processor shall provide assistance to the Controller to allow implementation of its obligations under the GDPR, ensure security of the Personal Data, respond to the Data Subject’s requests. Having regard to the processing steps taken by the Processor as well as the scope and nature thereof, the Processor:
4.1.1 Shall provide assistance to the Controller in order to fulfil the Controller’s obligation to respond to the Data Subject’s requests.
4.1.2 Shall cooperate with the Controller and shall provide the information and/or documents requested by the Controller that are necessary for the supervisory authority in performance of the Controller’s inspection and that can be provided by the Processor.
4.1.3 Upon receipt of any official request or requirement related to the processing of the Controller’s Personal Data, it shall immediately inform the Controller thereof unless this is not allowed under the applicable legal acts.
4.1.4 Shall assist in fulfilment of the Controller’s obligations regarding the data protection impact assessment and advance consultations with the supervisory authority.
4.2. The Parties hereby agree that any assistance under this Agreement (including requests to assist in responding to the Data Subjects’ queries or exercising the Data Subjects’ rights) as well as the Controller’s audits, unless this is not included/discussed in the Principal Contract as a part of the Services under it or exceeds the obligations of the Processor provided in the Principal Contract, shall be paid by the Controller according to the rates of the Services approved by the Processor or agreed upon by the Parties that are applicable at that time.
4.3. If the Controller refuses to make such payment, its requests or requirements shall not be fulfilled or shall be fulfilled only to the extent related to ordinary activities of the Processor in performance of the Principal Contract and such actions of the Processor shall not be considered as a breach of this Agreement or Principal Contract. In such case, the Controller shall bear the full risk related to non-fulfilment of the requirements or requests.
5.1, The Processor shall provide the Controller with any information necessary to prove how the Processor’s obligations under this Contract are fulfilled. Such information shall be provided within a reasonable period of time agreed upon by the Parties.
5.2. The Processor shall enable and provide the Controller with a possibility (not more than 1 (one) time a year) to inspect (audit) how the requirements specified in this Agreement are being fulfilled at the time agreed upon by the Parties and at the Controller’s expense. The scope and terms of such inspection (audit) shall be as follows:
5.2.1. Audit shall be carried out within a reasonable advance notice which may not be less than 4 (four) weeks, except for the cases where essential obstacles thereto arise;
5.2.2. Audit may be carried out only in the way not to disturb daily activities of the Processor;
5.2.3. During the audit, questions submitted by the Controller in writing shall be answered and a possibility to interview a respective specialists of the Processor in the Processor’s facilities shall be provided.
5.2.4. The Controller may involve a third party – independent auditor for the audit provided that such party shall not be a competitor of the Processor. If the Processor objects to the involved auditor, the Controller shall be obliged to choose another auditor.
5.3 The Processor shall not provide the Controller or a third party involved by it with access to the Processor’s systems and/or IT infrastructure used for provision of the Services under the Principal Contract.
5.4 Any information found out by the Controller during such audit shall be subject to the provisions of the Principal Contract (including provisions on confidentiality, etc.). Independent auditor must undertake to ensure full confidentiality of the information received from the Processor.
6.1. By this Agreement, the Controller shall grant a general consent to the Processor to involve Sub-Processors into the activities of processing of the Controller’s Personal Data related to the performance of the Principal Contract.
6.2. All Sub-Processors who process the Controller’s Personal Data must comply with the Processor’s obligations that are similar to those specified in this Agreement.
6.3. If the Processor plans to involve a new Sub-Processor, it must provide information on such new Sub-Processor at least 14 days in advance before transfer of any Personal Data to a new Sub-Processor.
6.4. Within the period of notice on the Sub-Processor, the Controller shall notify the Processor about its objection to processing performed by a new Sub-Processor. If the Controller does not object within the period of notice on a new Sub-Processor, it shall be considered that the Controller approves and confirms processing of its data by a new Sub-Processor.
6.5. If the Controller makes a grounded objection to a new Sub-Processor and the parties have not agreed upon the decision within the period of notice on a sub-processor of data and the Processor cannot process Personal Data properly without a Sub-Processor, the Processor shall have the right to terminate the Principal Contract and this Agreement.
6.6. The list of Sub-Processors shall be provided in the Annex No. 1 to the Agreement.
7.1. The Controller guarantees that it shall comply with the Principal Contract, this Agreement, GDPR and other applicable laws regulating data protection.
7.2. The Controller guarantees that it has all permits and authorisations necessary for the Controller and its Sub-Processors to exercise their rights or fulfil their obligations set forth in this Agreement.
7.3. The Controller undertakes to provide the Processor with any information necessary for fulfilment of the obligations of the Processor related to the Controller’s Personal Data that are prescribed in the legal acts regulating protection of Personal Data.
7.4. The Controller acknowledges and agrees that additional payments may be incurred as a result of respective instructions of the Controller, including fulfilment of the Controller’s obligations, destruction of data or return of data. In such case, the Processor shall notify the Controller about such payments in advance, unless agreed otherwise.
8.1. If the Processor becomes aware of a Data Breach or material risk which could lead to a Data Breach, it shall immediately (but not later than within 48 hours after having become aware of it) notify the Controller thereof by telephone, e-mail or in writing, whichever way of communication is the most effective in a specific case.
8.2. The Processor undertakes to report a Data Breach to the Controller only in the case where such breach is related to the Controller’s Personal Data.
8.3. When reporting a Data Breach, the Processor shall indicate the date and time of a potential Data Breach, date and time when the Processor has become aware of a breach of the Controller’s Personal Data.
8.4. The Processor shall keep the register of Data Breaches. The following data shall be recorded in the register:
8.4.1. Description of the nature of a Data Breach or material risk;
8.4.2. Description of possible of actual consequences;
8.4.3. Description of the measures that have been taken or will be taken by the Processor to settle a Data Breach of material risk.
8.5. Information on a Data Breach shall be provided to the Controller by a separate notice. A part of the register of Data Breaches related to a breach of the Controller’s Personal Data shall be provided only if such obligation is provided by the supervisory authority.
8.6. The Controller shall be solely responsible for compliance of the laws regulating reporting on Data Breaches applicable to the Controller or any other obligations related to notification of any Data Breach or Breaches to any third party.
9.1. If the Processor is required under the provisions of the GDPR, the Processor shall fill in the register of data processing activities performed on behalf of the Controller.
9.2. The Processor shall present the register of activities related to the data processed by the Controller to the Controller and/or supervisory authority, if this is requested by the supervisory authority.
9.3. The Processor shall assign the data protection officer and/or any other person responsible for data management and/or a representative in the EU, if this is obligatory to the Processor in accordance with the provisions of the GDPR.
10.1. The Processor shall be liable for the damage caused by the processing of Personal Data only where it has not complied with obligations of this GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller. In such case, the Processor shall be liable only for the damage incurred directly by the breaches of the Processor’s obligations. In any case, the Processor’s liability shall be subject to the terms of liability, including limitations, set forth in the Principal Contract. General liability of the Processor shall be limited to the amount paid by the Controller to the Processor under the Principal Contract within the last 6 months before occurrence of the conditions for liability.
10.2. The Controller shall be responsible for damage incurred by the Processor in case of a breach of this Agreement and/or requirements of the legal acts of the Republic of Lithuania made by the Controller.
10.3. The Party shall be released from liability for non-fulfilment or improper fulfilment of this Agreement only if it proves that the Agreement has not been fulfilled or has been fulfilled improperly due to Force Majeure.
11.1. This Agreement shall enter into force at the moment of its signing and it shall expire when:
11.1.1. The Principal Contract expires;
11.1.2. Any of the Parties lose their right to process Personal Data (for example, there are no legitimate grounds for the processing of Personal Data, state authority adopts a decision on the suspension of Personal Data processing, etc.);
11.1.3. Any of the Parties terminates the Agreement unilaterally, without applying to the court, if another Party makes a material breach of the provisions of this Agreement and does not take any action to rectify the breach within 14 (fourteen) days from the day of receipt of a notice whereby rectification of defects is required.
11.1.4. The rights and/obligations of the Party arising from this Agreement may not be transferred by the Parties to any third person without an advance written approval of another Party.
11.3. Failure to comply with the terms and conditions set forth in this Agreement shall be considered as a material breach of the Agreement.
12.1. When the Controller’s representative approves the terms and conditions of this Agreement (i.e. Ticks and clicks “I agree to the terms of service”), it shall be considered that the Agreement is signed by the authorised representatives of both Parties and enters into force.
12.3. Any disputes arising from performance, amendment or termination of this Agreement shall be solved by the means of negotiations. If the Parties fail to agree and settle the dispute by the means of negotiations, the dispute shall be settled in the courts of the Republic of Lithuania according to the place of the registered office of the Processor in compliance with the laws of the Republic of Lithuania.
12.4. The following shall be an integral part of the Agreement:
12.4.1. Annex No. 1. Description of Personal Data and Terms for Processing.
PERSONAL DATA PROCESSING AGREEMENT
ANNEX NO. 1
DESCRIPTION OF PROCESSED PERSONAL DATA AND TERMS FOR PROCESSING
|Subject and purpose of the processing||Performance of the Principal Contract.|
|Types of processed Personal Data|
– Name, surname;
– Personal number;
– E-mail address;
– Telephone number;
– Other Personal Data stored by the Controller in the Processor’s server.
|Categories of data subjects|
– Controller’s employees;
– Controller’s clients and their representatives;
– Controller’s suppliers, other partners and their representatives;
– Other persons whose Personal Data are stored by the Controller in the Processor’s server.
|Processing activities |
(detailed descriptions of activities specified in the Principal Contract)
|Monitoring and maintenance of servers where Personal Data may be located, making backups of data located therein and storing them in the backup repository for the period which is not longer than the service of making and storing backups is provided to the Controller, and hosting services.|
|Duration of processing||For the period of validity of the Principal Contract.|
|Procedure to receive Personal Data||Data are received during performance of the Principal Contract by the Parties.|
|Time limits for data updating||When necessary|
|Jurisdiction||Republic of Lithuania|
|No.||List of Sub-Processors|
|1.||UAB “Rakrėjus”, address: J. Kubiliaus g. 6, LT-08234 Vilnius, Republic of Lithuania|
|2.||Domreg.lt, Kauno technologijos universitetas, legal entity’s registration number: 111950581, registered address: K. Donelaičio g. 73, 44249 Kaunas.|
|3.||Nic.lv, Institute of Mathematics and Computer Science, University of Latvia Scientific institution, address: Raina bulvaris 29, Riga, Latvija|
|4.||Name SRS AB, address: Truckgatan 13, Kungälv, Sweden.|
|5.||EURid vzw, address: Telecomlaan 9, 1831 Diegem, Belgium|
|6.||EnVers Group SIA, address: J.Dikmana 4-29, Riga, Latvia, LV-1013|
|7.||OpenSRS Tucows Inc., address: 96 Mowat Avenue Toronto, Ontario, Canada|
|8.||NETIM 264, address: avenue Arthur Notebart, 59160 Lille, France|
|9.||Marketgoo Internet, S.L., address: Camino de Malatones, 63 – 28110 Algete, Madrid, Spain|
|10.||AdBud Technologies AB, address: Stålgatan 20, SE-754 50 Uppsala, Sweden|
|11.||Sitelock, LLC, address: East Hartford Drive Suite 200 Scottsdale, AZ 85255, United States of America|
|12.||PrivateVPN Global, address: SE-191 21, Sollentuna, Sweden|
|13.||JMAN Group, address: 10 Lloyd’s Avenue, London, EC3N 3AJ, United Kingdom|
|14.||Miss Group Holdings LTD, group companies, address: Luntmakargatan 96 113 51 Stockholm, Sweden|
|15.||Pipedrive group companies, inc, Pipedrive Inc., address: 490 1st Ave South, Suite 800, St. Petersburg, Florida, United States of America|
|16.||Intercom, Inc., address: 55 2nd Street, 4th Fl., San Francisco, CA 94105, United States of America|
|17.||„Paysera LT“, UAB, legal entity’s registration number: 300060819, Pilaitės pr. 16, LT-04352 Vilnius, Lithuania|
|18.||PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg|
|19.||Marketgo Miss Hosting AB reg. no. 556732-5336, Luntmakargatan 96 Stockholm Sweden|
|20.||Sitelock Miss Group Inc Routing Number 026009593, 2719 Hollywood Boulevard, Suite – A-241 Hollywood, FL 33020 USA|
|21.||Intercom Miss Group Inc Routing Number 026009593, 2719 Hollywood Boulevard, Suite – A-241 Hollywood, FL 33020 USA|
|22.||UAB “Tezaurus auditas”, legal entity’s registration number:122740926, address: J. Jasinskio g. 4-15, Vilnius, Lithuania|
|23.||BDO auditas ir apskaita, UAB, legal entity’s registration number 135273426, K. Baršausko str. 66|
LT-51436 Kaunas, Lithuania
|24.||UAB “FINANSŲ VALDYMO SISTEMOS”, legal entity’s registration number: 126350731, Laisvės pr. 125-303, 3 floor, LT-06118 Vilnius, Lithuania|
|25.||Law Firm TRINITI JUREX, legal entity’s registration number: 302633203, Vilniaus g. 31, LT-01402 Vilnius, Lithuania|
|26.||AB Šiaulių bankas, legal entity’s registration number:1120252515, Tilžės g. 149, LT-76348, Šiauliai, Lithuania|
|27.||MailerLite Limited, Address: Ground Floor 71 Lower Baggot Street, Dublin, Ireland|
|28.||Mailchimp c/o The Rocket Science Group, LLC 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA|
|29.||Support Hunt Limited, 2301, Bayfield Building 99 Hennessy Road Wanchai, Hong Kong|
|30.||Peoplefone, UAB, legal entity’s registration number: 302744004 , address: Perkūnkiemio g. 3, 9 floor, Vilnius, Lithuania|
|31.||„Regional Network Information Center“ (JSC „RU-CENTER“)2/1, 3d Khoroshevskaya str., 123308 Moscow, Russia|
|32.||UAB Neste Lithuania, legal entity’s registration number: 211472890, P. Lukšio g. 32, 08222 Vilnius, Lithuania|
|33.||SpamExperts B.V., Rokin 113-115 | 1012 KP Amsterdam, Holland|
|34.||Cpanel, 2550 N Loop W Suite 4006 Houston, TX 77092-8902, JAV|
|35.||CM4ALL GmbH-ein Unternehmen der we22-Gruppe, Im Mediapark 6a • 50670 Köln, Germany|
|36.||Leaseweb Asia Pacific Pte, 11 Collyer Quay / The Arcade #16-02, Singapore 049317|
|37.||Leaseweb Deutschland GmbH, Kleyerstraße 75-87, 60326 Frankfurt am Main, Germany|
|38.||Leaseweb Netherlands B.V., Hessenbergweg 95, 1101 CX Amsterdam, Holland|
|39.||Leaseweb UK Ltd., 5 Merchant Square, Paddington, London W2 1AY, United Kingdom|
|40.||Leaseweb USA Inc., 9301 Innovation Drive Suite 100, Manassas VA 20110, Virginia, JAV|
|41.||Miss Group Inc Routing Number 026009593, 2719 Hollywood Boulevard, Suite – A-241 Hollywood, FL 33020 USA|
|42.||AON UADBB “Aon Baltic” reg. no. 110591289 Karaliaus Mindaugo pr. 35, LT-44307 Kaunas|
|43.||Hostbill HostBill Krzysztof Pająk ul. Szkolna 30A/2, 35-301 Rzeszów POLAND NIP PL8133336364, REGON: 180579931|
|44.||Adbud: AdBud Technologies AB Stålgatan 20, 754 50 Uppsala, Sweden|
|45.||Stripe Inc 510 Townsend Street San Francisco, CA 94103 United States|
|46.||BitPay Inc 3405 Piedmont Rd Ne No 200 Atlanta, GA 30305 United States|
|47.||Devbunch – Pakistanian support team – Devbunch Private Limited, 4 Commercial, J1-, Sunflower Housing Society Block J 1 Phase 2 Johar Town, Lahore, Punjab 54700, Pakistan|
|48.||SNWN Tech Solution 2220600316517611 Flat No-5, Rahul Prasad APT, ABB Circle, above Apana Co. Bank, Mahatma Nagar, Nashik, maharashtra 422012 India|
|49.||Call maker – CM Software AB, 556999-9971, Stora Badhusgatan 18 14 TR Ort 411 21 Goteborg Sweden|