Data Processing Agreement
Effective as of 2024 July 13th
This Data Processing Agreement ("DPA") is entered into by and between:
- Alma Total Solutions, having its registered office at 28 Armenias, #103, Nicosia 2003, Cyprus (hereinafter referred to as the "Processor")
- You, a natural person or a legal person forming a small business entity (hereinafter referred to as the "Controller").
Preamble
According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), the Processor and the Controller are entering into this data processing contractual relationship in order to define the terms and conditions for the processing of personal data, the manner of its protection, as well as to define other rights and obligations of both parties in the processing of personal data of data subjects on behalf of the Controller during the course of performing the subject matter of the main contract.
1. Subject Matter and Duration
1.1 The Processor agrees to process Personal Data on behalf of the Controller in accordance with the terms and conditions set forth in this DPA.
1.2 This DPA is effective as of the date above and will remain in force for the duration of the Controller's use of the Processor's services, or until the termination of the main contract, whichever is earlier.
2. Definitions
2.1 "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
2.2 "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data as defined in Article 4(2) of the GDPR.
3. Nature and Purpose of Processing
3.1 The Processor will process Personal Data as necessary to perform the services pursuant to the main contract, including but not limited to data storage, data backup, and technical support services.
3.2 The Processor shall not process Personal Data for any purpose other than those specified in the main contract or this DPA, unless it has obtained prior written consent from the Controller.
4. Categories of Data Subjects
4.1 The categories of data subjects whose Personal Data will be processed under this DPA include the Controller's customers, employees, and other end users whose data is provided to the Processor by the Controller.
5. Types of Personal Data
5.1 The types of Personal Data processed may include but are not limited to:
- Identification data (e.g., name, contact details)
- Financial data (e.g., payment information)
- Technical data (e.g., IP addresses, device information)
- Any other Personal Data provided by the Controller to the Processor.
6. Obligations of the Processor
6.1 The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
6.2 The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.4 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
6.5 The Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
6.6 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
7. Obligations of the Controller
7.1 The Controller shall ensure that it has all necessary consents and notices in place to enable the lawful transfer of Personal Data to the Processor for the duration and purposes of this DPA.
7.2 The Controller shall provide documented instructions to the Processor for the processing of Personal Data.
7.3 The Controller shall immediately inform the Processor about any data subject requests or regulatory inquiries related to this DPA.
8. Sub-Processing
8.1 The Controller authorizes the Processor to engage sub-processors to assist in the processing of Personal Data under this DPA, provided that the Processor imposes data protection terms on any sub-processor it appoints that require it to protect the Personal Data to the standard required by the GDPR.
8.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
8.3 The Processor shall remain fully liable to the Controller for the performance of the sub-processor’s obligations.
9. International Data Transfers
9.1 Any transfer of Personal Data to a third country or an international organization by the Processor shall be done only on documented instructions from the Controller and in compliance with Chapter V of the GDPR.
9.2 The Processor shall ensure that such transfers are subject to appropriate safeguards as required under the GDPR.
10. Security of Processing
10.1 The Processor shall implement and maintain appropriate technical and organizational measures to ensure the security of the Personal Data, including measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
10.2 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
11. Data Subject Rights
11.1 Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
11.2 The Processor shall promptly notify the Controller if it receives a request from a data subject under the GDPR in respect of Personal Data, and it shall not respond to that request except on the documented instructions of the Controller or as required by Union or Member State law.
12. Breach Notification
12.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and shall provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform data subjects of the personal data breach under Articles 33 and 34 of the GDPR.
13. Liability and Indemnity
13.1 The Processor shall be liable for any damage caused by processing which infringes the GDPR or this DPA. The Processor shall indemnify the Controller against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Controller and arising directly or indirectly out of or in connection with a breach of this DPA and the GDPR by the Processor.
14. Governing Law and Jurisdiction
14.1 This DPA shall be governed by and construed in accordance with the laws of the Republic of Cyprus and the European Union. Any disputes arising out of or in connection with this DPA shall be resolved by the courts of the Republic of Cyprus.
15. Miscellaneous
15.1 Any amendments or modifications to this DPA must be made in writing and signed by both parties.
15.2 If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain effective and enforceable to the fullest extent permitted by applicable law.
15.3 The headings in this DPA are for reference only and shall not affect the interpretation of this agreement.
Contact Information
If you have any questions or need further information regarding this DPA, please contact us at:
Alma Total Solutions
28 Armenias, #103, Nicosia 2003, Cyprus
Technical Support: https://alma.com.cy/index.php/contact