By concluding the Basic Agreement, the Controller confirms that it fully complies with all legal obligations related to personal data protection and the General Data Protection Regulation.
The Processor shall provide sufficient guarantees that it has implemented appropriate personal data protection measures, that it possesses the Facility Security Clearance of the security classification level “Confidential” issued by the Croatian Office of the National Security Council, and that it operates an integrated quality management and information security system in accordance with the requirements of the ISO 9001 and ISO 27001 standards.
The Controller shall, as far as it is able, primarily make illegible or otherwise conceal all personal data that the Processor may access, in such a way that even the viewing of such data is not considered processing of personal data.
In case the processing of personal data is required within the scope of the Processor’s obligations under the Basic Agreement, the Controller shall deliver the required information to the Processor before the beginning of processing of personal data by the Processor and ensure the following:
a) the Processor’s expert who is accessing the data is authorised in such a way that he or she can be unambiguously identified as that specific Processor’s expert (a separate account and login; no shared accounts for system login);
b) the system being accessed supports the logging of access and operations (at least: the login account, login and log-off timestamps, logging of data viewing, and logging of data alteration);
c) in case the data is processed at the Controller’s location, a separate secured room in which the Processor’s expert will process the personal data.
The Controller is not authorised to give anyone else access to the personal data via the secured access available to the Processor, to engage another processor who would access personal data via the secured access available to the Processor, or to independently access personal data via the secured access intended for the Processor.
The Processor shall process the personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Processor shall ensure that the Processor’s experts in charge of processing personal data within the scope of fulfilling the Processor’s obligations under the Basic Agreement concluded between the Contracting Parties commit themselves by written statements of confidentiality, that is, subject themselves to legally binding confidentiality obligations.
Within the scope of meeting the obligations under the Basic Agreement by the Processor, the Contracting Parties implement appropriate technical and organisational protection measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Contracting Parties shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by Union or Member State law.
The Controller provides the Processor with a general written authorisation to engage another processor.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations shall be imposed on that other processor by way of a contract.
The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services.
The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor, for which the Controller commits to pay a fee to the Processor pursuant to the accepted offer of the Processor for providing those services.
The Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out herein, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
In case the Processor believes that the documented instructions violate the data subjects’ rights, it shall inform the Controller thereof.
To avoid any doubt, in case the Processor is developing application code at the Client’s request, the Client shall ensure that it meets all obligations related to the protection of personal data, especially in relation to application design and architecture.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach concerning personal data processed under the Basic Agreement.