[TOC]
# APPENDIX 2
## Definitions
**Service Provider**: An individual/company contracted to provide services as part of this contract.
**Client**: {{COMPANY_NAME}}. {{COMPANY_NAME}} is also the data controller within the meaning of the GDPR.
**GDPR**: General Data Protection Regulation (EU) 2016/679.
---
## Data Processing Agreement {{COMPANY_NAME}}
The following Data Processing Agreement is concluded between:
{{COMPANY_NAME}}, a company entered in the Bulgarian Commercial Register of the Registry Agency with Unique ID Code 204478925, having its registered office and place of business at _______________ (address), Sofia, represented by _______________ (name), Director, on the one hand,
hereafter the **CLIENT**
and
{{names}}, {{address}}, {{ID_number}}, {{telephone}}, {{email}}, hereinafter referred to as "**PROVIDER**", on the other hand, individually referred to as "Party" or collectively as "Parties",
## I. Subject matter and duration of the Agreement
The subject matter of this order is the protection of personal data in the course of performing the main contract between the Parties for consulting and support services. The legal basis of this Agreement is article 28 of the General Data Protection Regulation (hereafter “GDPR”).
The contractually agreed service will be provided in the country of residence of the Service Provider unless agreed otherwise. Any outsourcing of the service, or of part of the work, to a third country requires the Client’s prior consent, which may only be given if the particular conditions of articles 44 ff. GDPR are fulfilled (e.g. a Commission adequacy decision, standard data protection clauses, an approved code of conduct).
The Agreement is concluded for the duration of the main contract. The Client may terminate the Agreement at any time without observing a notice period should the Service Provider have committed a severe infringement of the data protection regulations or of the provisions of this Agreement, should the Service Provider be unable to carry out an instruction from the Client, or should the Service Provider reject the Client’s control rights in breach of the Agreement. In particular, failure to comply with the obligations agreed in this Agreement and derived from article 28 GDPR constitutes a severe infringement.
## II. Nature and purpose of processing, type of personal data and categories of persons affected
The purpose of this Agreement is the lawful processing of data during the execution of the main contract between the Parties. The processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
The data that is to be processed here relates to the following personal data:
- Contact data (e-mail address and telephone number)
- Payment account information
- Name
- Address
### Categories of individuals affected:
- individuals contracted by the Client for the execution of the main contract between the parties.
## III. Client’s rights and obligations and authority to issue instructions
The Client is responsible for assessing the lawfulness of processing in accordance with article 6 para. 1 GDPR, as well as for safeguarding the rights of the individuals involved as required by articles 12 to 22 GDPR. The Service Provider is required to forward immediately any enquiries that are clearly addressed to the Client alone.
Both the data processed and the processing procedure may be amended following appropriate consultation between the Client and the Service Provider. Such changes must be stipulated in writing in an electronically documented format.
As a rule, the Client will issue all orders, parts of orders and instructions in writing or in an electronically documented format. Verbal instructions must be confirmed immediately in writing or in an electronically documented format.
At the beginning of processing and thereafter at regular intervals, the Client is entitled to assure itself appropriately that the technical and organizational measures taken by the Service Provider as well as the obligations stipulated in this Agreement are being complied with. It will notify the Service Provider immediately should it identify errors or irregularities as part of these checks.
The Client undertakes to treat as confidential all information on the Service Provider’s business secrets and data security measures obtained as part of the business relationship. This obligation will remain in force after this Agreement has ended.
## IV. Client’s representatives entitled to issue instructions, Service Provider’s recipients of instructions
The following representatives of the Client are entitled to issue instructions:
- **_______________**, Research Director
  - Tel: +442032872811
  - research@bed.money
- **_______________**, Director
  - Tel: +442032872811
  - research@bed.money
In the event of a change of the contacts referred to above or their absence for a long period of time, the contractual partner must be informed of this person’s deputy immediately and, as a matter of principle, in writing or electronically, stating his/her e-mail address.
## V. Service Provider’s obligations
The Service Provider will process personal data solely in accordance with the Agreements concluded and the Client’s instructions. Should the Service Provider be required to carry out any different processing (e.g. for investigations by criminal prosecution or state security authorities) under EU law or the law of a Member State to which it is subject, the Service Provider will inform the Client of these legal requirements prior to processing, unless the law in question forbids such notification on important grounds of public interest.
Where the Service Provider processes the personal data of non-EU citizens, it is solely responsible for complying with the personal data laws applicable in the country of residence of those individuals.
The Service Provider will not use the personal data provided for processing for any other purposes, particularly not its own purposes. Copies or duplicates of the personal information may not be made without the Client’s knowledge.
The Service Provider confirms that all agreed measures have been implemented in accordance with the Agreement. It gives an assurance that all data processed on behalf of the Client will be strictly separated from other data. The data media provided by the Client or used for the Client will be specially identified. Their receipt and return, as well as their current use, will be documented.
The Service Provider is required to carry out regular checks within its own area of responsibility on the proper and complete performance of the service for the Client. The results of these checks must be documented and, if requested, submitted to the Client.
The Service Provider is required as far as possible to cooperate and support the Client in its fulfilment of the rights of the individuals affected in accordance with articles 12 to 22 GDPR, in preparing lists of processing activities as well as in data protection impact assessments carried out by the Client. It is required to provide the information needed for this purpose to the Client.
The Service Provider will notify the Client immediately should an instruction issued by the Client, in its opinion, infringe provisions of the law. The Service Provider is entitled to suspend carrying out the instruction in question until it is confirmed or amended by the Client’s responsible representative after having examined the issue.
The Service Provider is required to correct or to delete personal data resulting from the contractual relationship or to restrict their processing should the Client demand this by way of an instruction and this is not contrary to any legitimate interests of the Service Provider.
The Service Provider may not divulge any information to third parties or to those affected regarding personal data related to the contractual relationship, unless this has been approved by the Client. Subject to appropriate agreement of an appointment, the Client is entitled to verify compliance with the regulations governing data protection and data security as well as the terms of the Agreement, either itself or through a third party appointed by the Client, particularly by obtaining information and by inspecting the data stored and the data processing programs as well as by way of checks and inspections on site. The Service Provider gives an assurance that it will, as far as is necessary, cooperate in these checks. In processing personal data belonging to the Client according to the Agreement, the Service Provider undertakes to safeguard the confidentiality of the data. This obligation will remain in force after the Agreement has ended.
The Service Provider confirms that it is aware of the relevant data protection provisions of the GDPR relating to order processing. The Service Provider gives an assurance that it will acquaint the employees involved in carrying out the work with the provisions of data protection relevant to them before they start their work and will in some suitable way bind them to confidentiality both during the period of their activity and also after the employment relationship has ended. The Client must be notified immediately of any change in the data protection officer.
## VI. Service Provider’s obligation to report malfunctions in processing and infringements in the protection of personal data
The Service Provider will notify the Client immediately of malfunctions or of infringements, on the part of the Service Provider or any of the persons it employs, of provisions of data protection law or of the conditions stipulated in the Agreement, as well as of any suspicion of infringements of data protection law or irregularities in the processing of personal data. This applies above all with respect to any reporting or notification obligations of the Client in accordance with articles 33 and 34 GDPR. The Service Provider gives an assurance that, should this be necessary, it will provide the Client with appropriate support in fulfilling its obligations under articles 33 and 34 GDPR. The Service Provider may not fulfil any obligations under articles 33 and 34 GDPR on behalf of the Client unless the Client has issued such an instruction.
## VII. Sub-contracting relationships with sub-contractors
The appointment of sub-contractors to process the Client’s data is only permitted subject to the Client’s written consent. This consent can only be given provided the Service Provider notifies the Client of the sub-contractor’s name and address as well as the work foreseen. Moreover, the Service Provider must ensure that it selects the sub-contractor carefully, with particular regard to its suitability in respect of the technical and organizational measures taken within the meaning of article 32 GDPR. If requested, the Client must be provided with the documents used as part of this check. The Service Provider is required to ensure by contract that the rules agreed between the Client and the Service Provider also apply to sub-contractors. The Client is entitled, should the need arise, to carry out appropriate checks and inspections, or to have them carried out by a third party that it appoints. The Agreement with the sub-contractor must include an appropriate provision to this effect and must be in writing. Data may not be forwarded to the sub-contractor until the sub-contractor has bound its employees to data secrecy. The Service Provider is required to monitor compliance with the sub-contractor’s or sub-contractors’ obligations. The results of these checks must be documented and made available to the Client on request.
The Service Provider is liable to the Client for the sub-contractor’s fulfilment of its data protection obligations that were imposed on it contractually by the Service Provider in accordance with the present part of the Agreement.
Currently, the sub-contractors referred to in attachment ......... together with their names, addresses and the contents of the assignment are involved in processing personal data to the extent shown in this attachment. The Client declares its consent to their appointment.
## VIII. Technical and organizational measures in accordance with article 32 GDPR
An adequate degree of protection is guaranteed for the specific order processing, commensurate with the rights and freedoms of the individuals affected by the processing. The confidentiality, integrity, availability and resilience of the systems and services, with respect to the nature, scope, context and purposes of the processing, are ensured by suitable technical and organizational measures in such a way that the risk is permanently precluded.
The Service Provider is required, as the need arises but at least annually, to have the effectiveness of the technical and organizational measures audited, appraised and evaluated by internal or external specialists in order to ensure the security of processing. The Client must be notified of the result together with the complete investigation/audit report.
Decisions regarding organization of data processing and on the procedures applied that are relevant to security must be agreed between the Client and the Service Provider. The Service Provider will notify the Client immediately should the measures taken not meet the Client’s requirements.
During the course of the order, the measures taken by the Service Provider may be adapted to further technical and organizational developments, but must continue to meet the agreed standards (agreed technical and organizational measures; see the attachment below).
The Service Provider must agree major changes with the Client in a documented form (e.g. by letter or electronically). Such agreements must be stored during the term of the Agreement.
## IX. Service Provider’s obligations during and after completion of the order
Both parties must retain agreements on technical and organizational measures as well as control and audit documents (also concerning sub-contractors) as long as they are in force and thereafter for a period of three full calendar years.
After the contractual work has been completed, the Service Provider will be required to hand over to the Client, and on instruction to delete or destroy in the manner required by data protection law, all data, documents and results of processing and use in its possession, as well as those obtained by the sub-contractor in connection with the contractual relationship. The deletion or destruction, together with its date, must be confirmed to the Client in writing or in an electronically documented format. This will not apply should legal retention requirements preclude deletion.
## X. Fees
The fee for the services described above is included in the fee in the main Contract between the Parties.
## XI. Miscellaneous
Side-agreements must be agreed in writing. Should individual parts of this Agreement be invalid, this will not affect the validity of the rest of the Agreement.
This Agreement was drawn up in English and signed in two identical copies, each Party receiving one copy.
| Client | Service Provider |
| ---------- | ---------------- |
| Signature<br><br><br> _______________________ | Signature<br><br><br> _______________________ |
{{Place}}, {{date}}
---
# Attachment
Check list: documentation of technical and organisational measures
## Examples:
### Entry control (Measures to prevent unauthorized entry)
- [ ] Access control system, central management of keys, magnetic card, biometric barriers to access
- [ ] Keys/issue of keys is centrally and organizationally clearly established
- [ ] Clear allocation of entitlements (access to the building, office, server room)
- [ ] Protection of the building at nights and weekends guaranteed
- [ ] Porter’s lodge/reception equipped with video surveillance
- [ ] Careful selection of employees involved with security
- [ ] Rules governing visitors (visitor’s pass, accompanied whilst in the building, visits recorded)
- [ ] Video surveillance of sensitive parts of the building (basement garage)
- [ ] Cupboards and offices locked during absence
- [ ] Alarm system
### Storage control (Prevention of unauthorized input of personal data and of unauthorized disclosure, alteration or deletion of stored personal data)
- [ ] Authentication with user and password, management of user entitlements
- [ ] Guideline on log-in passwords concerning length, combination of letters and numbers, no trivial passwords, passwords changed at regular intervals, pre-set passwords must be changed
- [ ] Automatic lock-out (e.g. rules on automatic locking of the computer after a certain period of inactivity (approx. 5 min), requiring renewed log-in)
- [ ] In addition to automatic blocking: manual signing-out on leaving the office
- [ ] Automatic standby operation of the local computer
### Data medium control (Prevention of unauthorised reading, copying, alteration or deletion of data media)
- [ ] Encryption of hard discs of laptops, data media and smartphones
- [ ] Remote wipe of smartphones in the event of loss
- [ ] Blocking external interfaces (e.g. USB connections)
### User control (Prevention of use of automatic processing systems with the aid of installations for unauthorized data transmission)
- [ ] Use of anti-virus software
- [ ] Use of firewalls
- [ ] Use of VPN technologies
### Access control (The entitlements concept and access rights are designed according to requirements, as are the monitoring of the systems and record-keeping)
- [ ] Differentiated entitlements (profiles, roles)
- [ ] Logging of access to applications, particularly as regards input, alteration and deletion of data
- [ ] Differentiated filing concept (e.g. all files should be named in a uniform and logical manner and stored in such a way that they can be recovered without any problems).
- [ ] Data media must be clearly identified and securely stored/ clear separation of data media from different clients required.
- [ ] Correct deletion of data and/or destruction of data media; use of carefully selected service providers to carry out destruction of files and data (certificate).
- [ ] Logging destruction of data
- [ ] Data media (USB sticks, CD-ROMs) with confidential material may not be left lying around
- [ ] Adaptation of standard settings relevant to security in the case of new programs and IT systems
- [ ] Deactivation of programs and functions relevant to security that are no longer required (chiefly in the case of smartphones)
### Transfer control (Verification and identification of the points at which personal data were transmitted or made available, or can be made available, with the aid of data transmission installations)
- [ ] E-mail encryption
- [ ] Tunnel connection (VPN = Virtual Private Network)
- [ ] Electronic signature possible
- [ ] Hardware and software that has not been released should not be used
- [ ] No forwarding of e-mails to employees’ private e-mail accounts
- [ ] Rules regarding handling of backup tapes
- [ ] Guideline governing the printing of secret documents (ensuring that no one else can inspect printouts)
- [ ] Rules governing use of USB sticks and CD-ROMs
- [ ] Logging recipients of data and the duration of planned availability or agreed deletion deadlines
### Transport control (Measures to ensure secure transmission of personal data as well as the secure transportation of data media)
- [ ] Secure transport containers/packaging
- [ ] Careful selection of transport personnel and vehicles
- [ ] Forwarding of data in anonymized form or use of pseudonyms
- [ ] Creation of a summary of regular call-off and transmission transactions
### Input control (Measures enabling subsequent verification as to whether and by whom data has been entered, altered or removed (deleted))
- [ ] Logging and logging evaluation systems are used or can be applied as part of existing software applications
- [ ] Access to data processing systems only possible after log-in
- [ ] No forwarding of passwords
- [ ] Creation of a summary of which data can be entered, altered and deleted with which applications
- [ ] Logging entry, alteration and deletion of data
### Order control (The measures (technological and organizational) to determine the division of powers between client and service provider are adequately determined in terms of data protection law)
- [ ] Written Agreement exists
- [ ] Order only mandated in accordance with instructions or formalized order award system (order form) or written instructions
- [ ] Criteria for selection of the service provider are complied with (certification)
- [ ] Permanent checks on the service provider and its activities, particularly with regard to ensuring employees’ obligation to safeguard the confidentiality of the data; prior checks on the security measures taken by the service provider and appropriate documentation; agreed rights to exercise effective control over the service provider
- [ ] Data protection officer ensures checks that the Agreement is carried out
### Recoverability (Systems can be recovered in the event of a malfunction)
- [ ] Creation of backup and recovery concept (which data is secured and for how long? inclusion of laptops and systems not covered by network; regular checks on backup tapes; documentation of security procedures)
- [ ] Mirroring of hard discs, e.g. RAID procedure
- [ ] Testing of data recovery
### Availability control (Measures to counter accidental destruction or loss of data; physical and logical data security)
- [ ] Separate storage of data/ storage of data backup at a secure external location
- [ ] Protection against fire, excessive heat, water damage, electrical surge and power breakdown in the server room
- [ ] Emergency plan exists and is regularly tested
- [ ] Emergency electricity supply/uninterrupted power supply
- [ ] Fire extinguishers in the server rooms, alarm in event of unauthorized entry to server rooms, fire and smoke alarm systems
- [ ] Air conditioning in server rooms/protected socket conduits in server rooms
### Separability (Measures to ensure that personal data can be processed separately)
- [ ] Physically separate storage on special systems or data media
- [ ] Separation of operating and test systems
- [ ] Logical separation of clients
### Reliability (Ensuring that all the functions in the system are available and that malfunctions are reported)
- [ ] Monitoring of the services required for the processing of personal data, with alarm facility in the event of malfunctions
### Data integrity (Ensuring that stored personal data cannot be damaged as a result of system malfunctions)
- [ ] Regular checks on the integrity of databases in which personal data is stored
- [ ] Integrity checks of IT systems/applications with which personal data is processed
### Other
- [ ] Creation of inventory list (transparent in the event of loss; amount insured)
- [ ] Creation and regular updating of installation and system documentation
- [ ] Regular maintenance