Processing of personal data by Teleportel
Article 1 - Scope and objective
In connection with and for the performance of the services under the User Agreement, the customer transfers personal data to Teleportel Europe and authorizes and instructs Teleportel Europe to process such personal data in accordance with the provisions of the User Agreement and these data processing provisions. The personal data may be processed for the purpose of providing the services under the User Agreement, including the following purposes:
Article 2 - Specification of data processing
Any processing of personal data under the User Agreement will be carried out in accordance with all applicable Data Protection Legislation ((A) (i) until 24 May 2018, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and its transposition into the relevant national law, and (ii) from 25 May 2018, EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 94/46/EC ('GDPR'), and (B) together with other laws deriving from this Directive or Regulation, (A and B together 'EU Data Protection Legislation') and/or (C) any other laws of any other country relating to the protection of personal data or privacy).
For the implementation of the services, Teleportel Europe is a Processor acting on behalf of the Controller, i.e. the customer. As Processor, Teleportel Europe will only act on the instructions of the customer. The User Agreement, is the customer's complete instruction to Teleportel Europe in relation to the processing of personal data. Any additional or alternative instructions must be agreed in writing by the parties.
The processing of personal data concerns personal data of staff members and visitors and includes the following types of personal data:
Article 3 - Duration of the processing
These provisions shall apply as long as the Processor processes personal data on behalf of the Controller.
Article 4 - The use of subcontractors
The Processor is permitted to appoint other processors to process Personal Data in the context of the processing operations authorised to him. Within a reasonable period of time before appointing another Subprocessor, the Processor shall inform the Controller of the addition or modification. The Controller may then object to the adoption of the proposed Subprocessor.
Where the processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in these provisions, shall be imposed on that other processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
Article 5 - Confidentiality
The Processor commits himself to handle the personal data and its processing with utter confidentiality.
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Article 6 - Security measures
The Processor shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, according to Article 32 of the Regulation.
In assessing the appropriate level of security account is taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
A description of the security measures applied by the Processor can be provided at the request of the Controller.
Article 7 - Rights of the data subjects
Taking into account the nature of the processing, the Processor assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Regulation.
Article 8 - Assistance to the Controller
The Processor shall assist the controller in ensuring compliance with its obligations pursuant to the GDPR, taking into account the nature of processing and the information available of the Processor.
In the case of a personal data breach related to the processing subject of this agreement, the Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
This notification shall at least include following information:
Furthermore, the Processor shall assist the Controller as he carries out a data protection impact assessment in accordance with Article 35 of the Regulation.
Article 9 - Transfer to Third Parties
The transfer of personal data to Third Parties, in any manner possible, is prohibited, unless it’s legally required or in case the Processor has obtained the explicit consent by the Controller to do so. In case a legal obligation to transfer personal data, which are subject to these provisions, to Third Parties, applies, the Processor shall prior to the transfer notify the Controller.
Article 10 - Audit by the Controller
The Controller is entitled to evaluate the compliance with these provisions. He has the right to conduct an audit at any time on the location where the processing activities take place.
The Processor makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Controller will inform the Processor in a timely manner about the audit and will bear the costs of appointing an external auditor.
Article 11 - Liability
The Processor is liable for the damage caused by processing where it has not complied with obligations of the Regulation specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the controller.
The Processor is liable to pay administrative fines which result from a breach of the provisions of the Regulation.
The Processor shall be exempt from his liability, only if he proves that he’s not responsible for the event giving rise to the breach of the provisions of the GDPR.
Article 12 - Termination of these provisions
These provisions shall apply as long as the Processor processes personal data on behalf of the Controller.
In the event of breach of these provisions or the Regulation, the Controller can instruct the Processor to stop further processing of the personal data with immediate effect.
The Controller shall not store the data any longer than needed to perform the service for which the data is provided, unless this is deviated from by means of an explicit instruction from the controller. At the choice of the Controller, the Processor shall delete or return all the personal data to the Controller after the end of the provision of services relation to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data. The personal data shall be provided to the Controller without charge, unless otherwise agreed upon.
Article 13 - Exhaustiveness of the provisions
In the event that one contractual clause of this agreement is destroyed or becomes invalid in any other way, the rest of the agreement still applies, and the concerning contractual clause shall be replaced by a valid contractual clause which correctly represents the initial intentions of the Parties.