Data Protection
ONE. The following definitions will apply for the purposes of this document:
Personal data: means information relating to an identified or identifiable natural person; a natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifiers, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Subject: means the identified or identifiable natural person.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller, or Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In this case, the CLIENT.
Data Processor, or Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In this case, Gigas.
Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
TWO. For the purposes of this document, the Data Controller has entrusted the Data Processor to provide one or more of the following services:
- Cloud hosting
- Any other activity relating to the arranged service
THREE. To allow for the full and timely performance of the related services, the Controller shall provide the Processor with automated or non-automated personal information containing personal data.
FOUR. Pursuant to prevailing law and regulations on personal data protection, both parties freely agree to regulate the access and processing of the aforementioned personal data, in accordance with the following:
PROVISIONS
ONE. Subject matter: the processing of the personal data that the Controller provides to the Processor so that the latter may provide the services set out in Recital TWO.
TWO. Term: this document will be coterminous with the commercial agreement entered into by the parties.
THREE. Purpose of processing: the Processor is granted access to the personal data stored on the Controller’s data processing systems solely for the purposes listed in Recital TWO above.
FOUR. The Processor will have access to the type of personal data and the category of data subjects set out in this document.
FIVE. Rights and obligations of the Controller: in accordance with applicable personal data protection law, the Controller must:
- implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the law;
- adopt data protection measures;
- ensure that the Data Protection Officer or, failing that, the Privacy Officer is adequately involved in due course in all matters relating to the protection of personal data;
- adhere to any Code of Conduct that may be approved by the Commission or relevant body;
- maintain a record of all processing activities when processing personal data that is likely to result in a risk to the rights and freedoms of the data subject and/or where the processing is not occasional, or where the processing includes special categories of data and/or data relating to criminal convictions and offences;
- provide data subjects with the essential terms of this agreement;
- allow all data subjects to exercise their legal rights under applicable personal data protection law and comply with the terms of Clause EIGHT, even where the subject attempts to exercise those rights by approaching the Processor.
SIX. Rights and obligations of the Processor: in accordance with applicable personal data protection law, the Processor must:
- process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement all the technical and organisational measures to ensure a level of security appropriate to the risk of processing;
- respect the conditions for engaging another processor, as prescribed by applicable personal data protection law;
- taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the rights of data subjects;
- assist the controller in ensuring compliance with its obligations, taking into account the nature of processing and the information available to the processor;
- at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
- process the personal data made available to the Processor so as to ensure that the persons acting under its authority follow the instructions of the Controller;
- ensure that the Data Protection Officer or, failing that, the Privacy Officer, is adequately involved in due course in all matters relating to the protection of personal data;
- adhere to any Code of Conduct that may be approved by the Commission or relevant body;
- maintain a record of all processing activities when processing personal data that is likely to result in a risk to the rights and freedoms of the data subject and/or where the processing is not occasional, or where the processing includes special categories of data and/or data relating to criminal convictions and offences;
- allow data subjects to exercise their legal rights under applicable personal data protection law and comply with the terms of Clause SEVEN, even where the subject attempts to exercise those rights by approaching the Controller.
SEVEN. Rights of the data subject: if the data subject directs any request or exercises any of the rights provided for in applicable personal data protection law, the Controller and/or the Processor shall promptly respond by providing the data subject with information on the actions requested and carried out, doing so in all cases within one month of receiving the request. This period may be extended for a further two months if necessary, depending on the complexity of the request and the number of requests.
Where the Controller and/or the Processor fails to process the data subject’s request, it shall inform the data subject without delay, and in all cases within one month of receiving the request, of the reasons for its failure to act and of the data subject’s right to lodge a claim with a Control Authority and institute legal proceedings.
Responses to requests to exercise rights will be sent or made using the same channel of communication as that used by the data subject, unless the latter requests a different channel for the response.
EIGHT. International data transfers: international transfers of personal data may proceed only after satisfying the requirements prescribed by the Spanish Data Protection Agency (Agencia Española de Protección de Datos), and all other applicable domestic or European Union law or regulations.
If an international data transfer is to be made, or has been made, a separate document independent from this services agreement must be signed in order to govern the resulting data transfer and processing. This document will be binding on the parties from the time it is signed. Any such binding document will be attached hereto as an annex.
If the Processor decides to carry out international data transfers without the Controller’s blessing, it will also be considered a data controller and will be held personally liable for any breaches it may commit.
NINE. Breach of data security: where a data security breach has occurred, the Controller and/or the Processor shall, when instructed to do so by a control authority, or because of a change in the law governing disclosure or a delegated act, inform the competent Control Authority without undue delay and, insofar as possible, within 72 hours of the occurrence of that breach.
TEN. Rescission, termination and extinction: the rescission, termination or extinction of the contractual relationship governing the provision of services between the Controller and the Processor will require the latter to retain the personal data furnished by the former to the extent that it is legally obligated to retain that data.
Once the prescription period for seeking liability has elapsed, all personal data must be destroyed or returned to the Controller, as must any medium or document containing any kind of personal data.
SERVICES AGREEMENT
By virtue of applicable law on personal data protection and for the purpose of providing the services envisaged herein, the Processor shall process the types and categories of data of the Controller described below.
- Type of data: Descriptive solely
- Category of data subject: clients, suppliers and other