Document updated on December 26, 2023.
Reunited
First, ________________________________________________ with ID No. _____________ acting for and on behalf of ________________________________________________ with address at ________________________________________________ and Tax ID No. _____________ hereinafter, the“DATA CONTROLLER“.
And, ____________________________________ with DNI _____________ acting on behalf of GIGAFOX S.L., with address at Calle Infanta Beatriz, 4, 5Bi, 18008, Granada (Granada) and NIF B88202106 hereinafter the“DATA PROCESSOR“.
The DATA CONTROLLER and the DATA PROCESSOR who, hereinafter, may be referred to individually as “the Party” and jointly as “the Parties”, mutually recognizing each other as having sufficient legal capacity to contract and bind themselves in the representation they act, and being responsible for the truthfulness of their statements,
Manifest
- That both parties are bound by a contractual relationship of a commercial nature for the provision of consulting services, development, management, maintenance and / or web hosting (hereinafter SERVICE).
- That for the provision of said service it is necessary for the DATA PROCESSOR to have access to and carry out processing of personal data under the responsibility of the DATA CONTROLLER, whereby it assumes the functions and obligations that Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, stipulates for the Data Processors.
- Both parties acknowledge that they comply with all obligations under EU and national data protection regulations, in particular those relating to the right of information, consent and duty of secrecy, and to the adoption of technical and organizational security measures to ensure the security of personal data.
- That, in compliance with Article 28 of the GDPR, both parties freely and spontaneously agree to regulate this access and processing of personal data in accordance with the following:
Stipulations
FIRST: Object of the contract
By means of the present clauses, the entity DATA PROCESSOR is authorized to process, on behalf of the DATA CONTROLLER, the personal data necessary to provide the service described above.
Specification of the treatments to be performed:
- Collection
- Structuring
- Conservation
- Consultation
- Collation
- Suppression
- Registration
- Modification
- Extraction
- Communication by transmission
- Interconnection.
SECOND: Identification of the affected information
For the execution of the services derived from the fulfillment of the object of this assignment, the DATA CONTROLLER, makes available to the DATA PROCESSOR, the information described below:
- Name
- DNI
- Mailing Address
- Phone
- IP Address
THIRD: Duration
This agreement has a duration of 1 year, automatically renewable for calendar years as long as the commercial agreement remains in force.
Upon termination of this contract, the DATA PROCESSOR must delete/return to the DATA CONTROLLER, or return to another processor designated by the DATA CONTROLLER, the personal data and delete any copies in its possession.
FOURTH: Obligations of the data processor
The DATA PROCESSOR and all its personnel are obliged to:
- To use the personal data subject to processing, or those collected for inclusion, only for the purpose of this order. Under no circumstances may you use the data for your own purposes.
- To process the data in accordance with the instructions of the data controller. If the DATA PROCESSOR considers that any of the instructions violate Regulation (EU) 2016/679 or any other Union or Member State data protection provisions, the Controller shall immediately inform the Controller.
- Not to communicate the data to third parties, except in relations with sub-processors or when expressly authorized by the data controller, in the legally admissible cases. The processor may communicate the data to other processors of the same controller, in accordance with the instructions of the controller. If the processor is required to transfer personal data to a third country or an international organization under Union or Member State law applicable to it, it shall inform the controller of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.
- The manager is authorized to use other managers (sub-managers) to provide the services. The sub-processor shall be subject to the same conditions as the processor with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. Annex I includes the sub officers appointed at this time and their functions. This list may change in the future and will be updated at https://giga4.team/contrato-responsable-del-tratamiento-de-datos/.
- To observe at all times, and in relation to the personal data files to which it has access or to which it may be given by the Controller, for the performance in each case of the work and services that may be agreed upon, the duty of confidentiality and professional secrecy which, in accordance with the provisions of the Data Protection regulations, shall subsist even after the termination of the relationship of the work commissioned in relation to any file as well as, if applicable, after the termination for any reason of this contract.
- Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, as well as to guarantee them the necessary training on personal data protection.
- It is the responsibility of the person in charge to provide the right to information at the time of data collection.
- The processor shall notify the data controller, without undue delay, and in any case within a maximum period of 48 hours, and via email, the breaches of personal data security of which he/she/they are aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required when such breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided:
- Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
- The name and contact details of the data protection officer or other point of contact where further information can be obtained.
- Description of the possible consequences of a breach of personal data security.
- Description of the measures taken or proposed to be taken to remedy the breach of security of personal data, including, if applicable, measures taken to mitigate the possible negative effects. If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.
- It is the responsibility of the controller to communicate data security breaches to the Data Protection Authority and to the data subjects.
- Make available to the responsible party all the information necessary to demonstrate compliance with its obligations.
- Implement the necessary security measures to:
- Ensure the ongoing confidentiality, integrity, availability and resilience of treatment systems and services.
- Restore availability and access to personal data quickly in the event of a physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
- Pseudonymize and encrypt personal data, if applicable.
- Return to the data controller the personal data and, if applicable, the media on which they are stored, once the service has been provided. The return must entail the total deletion of the existing data on the computer equipment used by the person in charge. However, the person in charge may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.
FIFTH: Obligations of the Data Controller
It corresponds to the DATA CONTROLLER:
- Deliver to the person in charge the data referred to in clause SECOND of this document.
- Conduct a personal data protection impact assessment of the processing operations to be carried out by the processor.
- Carry out the appropriate prior consultations.
- Ensure, prior to and throughout the processing, the compliance of the processor with Regulation (EU) 2016/679.
- Oversee treatment, including conducting inspections and audits.
SIGNATURE
| The DATA CONTROLLER | The DATA PROCESSOR |
|---|---|
ANNEX I: Subcontractors
For the correct and complete provision of services, the data processor may contract with other companies that in turn assume the role of data processors. We assess companies for a sufficient level of GDPR compliance. This list contains all the subcontractors within all the services we provide, if you want to know the exhaustive list of subcontractors involved in your specific case, please contact us.
Providers of management, tax and accounting services.
| Subencargado | Provides | Country | Information |
|---|---|---|---|
| Ecosistemas Digitales de Negocio S.L. | Accounting and taxation. | Spain, EU | Privacy |
| Fiscaliti Asesoría y Gestión S.L. | Accounting and taxation. | Spain, EU | Privacy |
| Banco de Sabadell S.A. | Banking services. | Spain, EU | |
| Slack Technologies, LLC Slack Technologies Limited | Internal communication. | USA Ireland, EU. | DPA GDPR |
| Zoho Corporation B.V. | Customer service platform. Contract signature management. | Netherlands, EU | Zoho Desk GDPR Zoho Sign GDPR GDPR Compliance |
| AgileBits, Inc. | Secure password storage. | Canada (Servers in EU) | Legal Center |
| TELCOM Business Solutions S.L. | Voice over IP | Spain, EU | Privacy |
Data storage and backup providers
| Subencargado | Provides | Country | Information |
|---|---|---|---|
| Apple Distribution International Ltd. | Storage of backup copies. | Ireland, EU | Legal DPA |
| Backblaze – | Storage of backup copies. | California, USA (Servers in Netherlands, EU) | DPA GDPR |
| GoDaddy.com LLC – | Backup storage and remote site management. | Arizona, USA (Servers in EU) | DPA |
Version Control Providers
| Subencargado | Provides | Country | Information |
|---|---|---|---|
| GitHub, Inc. | Version control and continuous integration. The transmission of personal data contained in databases to this platform will be encrypted. | California, USA | DPA |
| Atlassian | Version control and continuous integration. The transmission of personal data contained in databases to this platform will be encrypted. | Australia | GDPR |
Providers of information processing services.
| Subencargado | Provides | Country | Information |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Servers, data storage, backup storage and outgoing email. | Luxembourg (Servers in EU) | GDPR Center |
| Cloudways Ltd. | Server management. | Malta, EU | DPA Privacy policy |
| DigitalOcean – | Servers | New York, USA (Servers in EU) | DPA GDPR |
| SiteGround Spain S.L. | Web servers and email | Spain, EU | Legal DPA |
| Dinahosting S.L. | Web servers and email | Spain, EU | Legal |
| IP Corporate Solutions, S.L. | Domain registration | Spain, EU | Legal |
| Linode, LLC – | Servers | Philadelphia, USA (Servers in EU) | DPA GDPR |
| Google, inc. | Web servers and email | DPA GDPR | |
| 10DENCEHISPAHARD, S.L. | Web servers and email | Spain, EU | Legal RGPD |
| Hostinger International Ltd | Web servers and email | Cyprus, EU | Legal DPA |
| Hetzner Online GmbH | Web servers and email | Germany, EU | Legal DPA |
| Cloudflare, Inc. – | DNS, CDN, Firewall and Load Optimization | California, USA | RGPD DPA |
| Auttomatic, Inc. – Aut O’Mattic A8C Ireland Ltd. | Spam blocking service for comments and forms. | California, USA Ireland, EU | Privacy |