DPA - Data Processing Agreement (DPA)
This Agreement is entered into on the Effective Date by and between:
Tapni GmbH, Praterstrasse 78/3/25, 1020 Vienna, Austria, hereinafter referred to as the "Contractor" and acting as DATA PROCESSOR,
AND
the other signing contracting party, hereinafter referred to as "Client" and acting as DATA CONTROLLER.
Both hereinafter referred to as the “Parties”.
Term | Definition |
---|---|
APPLICABLE LAW(S) | Means all legislation applicable to each Party hereto (including, for the avoidance of doubt, regulations and data protection legislation). |
DATA CONTROLLER | Means an entity (legal person under this agreement) that determines the purposes and means of the processing of PERSONAL DATA. |
DATA PROCESSOR | Means an entity (legal person under this agreement) that processes PERSONAL DATA on behalf of the controller. |
DATA PROTECTION OFFICER (DPO) | Means a natural person who ensures, in an independent manner, that an organization applies the laws protecting individuals' PERSONAL DATA. |
DATA SUBJECT | Means the identified or identifiable natural person to whom PERSONAL DATA relates as defined by Data Protection Laws and Regulations. |
GDPR | Means the EU General Data Protection Regulation (EU) 2016/679, which is a regulation in EU law on data protection and privacy for all individuals within the European Union. It replaces the prior Data Protection Directive (95/46/EC) of 1995. |
PERSONAL DATA | Means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
PROCESSING | Means any operation or set of operations that are performed on PERSONAL DATA or on sets of PERSONAL DATA, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
PERSONAL DATA BREACH | Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PERSONAL DATA transmitted, stored, or otherwise processed. |
SUB-PROCESSOR | Means a third party engaged by the DATA PROCESSOR that is processing the DATA CONTROLLER's PERSONAL DATA for a specific purpose. |
PARTY(PARTIES) | Means each entity signing this Agreement. |
TAPNI GROUP | Means an economic entity formed of a set of companies which are listed in Annex 1. |
2.1 PROCESSING of PERSONAL DATA consists of storing PERSONAL DATA, processing it for the purpose of providing services in the area of digital business cards as defined in Annex 2, and processing it for the purpose of providing support at the DATA CONTROLLER’s request.
2.2 PERSONAL DATA shall be processed only for the purpose of providing services to clients related to the my.tapni.co and business.tapni.co web-based applications and the Tapni mobile applications, including all additional services and products as described in Annex 2. Any additional use of the DATA CONTROLLER’s PERSONAL DATA is strictly prohibited unless otherwise instructed by the DATA CONTROLLER.
2.3 PERSONAL DATA which the DATA PROCESSOR processes for the purpose of providing services are deemed confidential, in accordance with the Confidentiality and Non-Disclosure Agreement signed by both Parties.
2.4 The following data categories are processed within the scope of this contract: contact details (first name, last name, telephone number, e-mail), social media profiles, and additional information which can be added by the DATA CONTROLLER.
3.1 The DATA CONTROLLER has the right and obligation to make decisions about the purposes and means of the PROCESSING of PERSONAL DATA.
3.2 The DATA CONTROLLER shall be responsible, among other things, for ensuring that the PROCESSING of PERSONAL DATA which the DATA PROCESSOR is instructed to perform has a legal basis.
3.3 The DATA CONTROLLER shall be responsible for ensuring that the PROCESSING of PERSONAL DATA takes place in compliance with the APPLICABLE LAWS.
3.4 The DATA CONTROLLER shall transfer to the DATA PROCESSOR only PERSONAL DATA obtained in compliance with the relevant provisions of the applicable data protection legislation for the purposes stated in this Agreement.
3.5 The DATA CONTROLLER shall keep all PERSONAL DATA transferred to the DATA PROCESSOR accurate and up to date whenever required, in particular as set out in the relevant provisions of the applicable data protection legislation.
3.6 The DATA CONTROLLER is solely obliged to provide its DATA SUBJECTS with all information and explanations as required under APPLICABLE LAWS. As between the DATA PROCESSOR and DATA CONTROLLER, the DATA CONTROLLER is also solely responsible for dealing with DATA SUBJECTS in relation to their rights to access their respective data in accordance with APPLICABLE LAWS.
4.1 The DATA PROCESSOR shall process the PERSONAL DATA on behalf of the DATA CONTROLLER pursuant to the written instructions of the DATA CONTROLLER in accordance with APPLICABLE LAWS and the terms and conditions set forth in the Agreement.
4.2 The DATA PROCESSOR shall correct, modify, block or erase (as instructed by the DATA CONTROLLER) any PERSONAL DATA processed by the DATA PROCESSOR in case it is not possible for the DATA CONTROLLER to do so.
4.3 The DATA PROCESSOR warrants and represents that, before processing any transferred PERSONAL DATA, it has implemented (and shall maintain during the term of this Agreement and for as long as required by law) technical and organizational security measures for the protection of PERSONAL DATA, together with any additional security measures mutually agreed by the DATA PROCESSOR and the DATA CONTROLLER. The DATA PROCESSOR has adopted security measures based on best practices in order to protect the DATA CONTROLLER’s PERSONAL DATA. All organizational and technical measures are applied in accordance with appropriate information security practices (e.g. ISO 27001) and GDPR requirements. A general overview of the applied measures is given in Annex 3 below.
4.4 The DATA PROCESSOR shall test the implemented measures not less than once per calendar year.
4.5 In order to ensure compliance with such security measures, the DATA PROCESSOR shall permit the DATA CONTROLLER to conduct periodic inspections of its premises and the implemented security measures during usual business hours. The DATA CONTROLLER shall provide the DATA PROCESSOR with reasonable (but in no event less than thirty [30] days) advance notice of each inspection.
4.6 The DATA PROCESSOR shall ensure that its personnel engaged in the processing of PERSONAL DATA comply at all times with the applicable data secrecy requirements.
4.7 The DATA PROCESSOR shall only allow its staff or consultants access to the PERSONAL DATA where and to the extent that such access is required for the performance of the services, and provided that such staff and consultants have entered into an adequate non-disclosure agreement.
4.8 In the event that the DATA PROCESSOR discovers that the DATA CONTROLLER is in breach of any of its obligations under the relevant data protection legislation, the DATA PROCESSOR shall notify the DATA CONTROLLER of this fact without delay and suspend the suspected infringing processing until such time as the breach is remedied.
4.9 The DATA PROCESSOR undertakes to inform the DATA CONTROLLER without delay about any complaints, requests, or other communications received by it from its data subjects, data protection regulator(s) or third parties related to the processing of PERSONAL DATA by the DATA PROCESSOR and/or the DATA CONTROLLER.
4.10 The DATA PROCESSOR shall immediately inform the DATA CONTROLLER if instructions given by the DATA CONTROLLER, in the opinion of the DATA PROCESSOR, contravene the APPLICABLE LAWS.
4.11 The DATA PROCESSOR must comply with this Agreement at all times.
5.1 Taking into account the nature of the PROCESSING, the DATA PROCESSOR shall assist the DATA CONTROLLER in fulfilling the DATA CONTROLLER’s obligation to respond to requests for exercising the DATA SUBJECT’s rights laid down in the APPLICABLE LAWS.
5.2 The DATA PROCESSOR shall assist the DATA CONTROLLER in ensuring compliance with:
a) the DATA CONTROLLER’s obligation to notify the PERSONAL DATA BREACH to a competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the PERSONAL DATA BREACH is unlikely to result in a risk to the rights and freedoms of natural persons;
b) the DATA CONTROLLER’s obligation to communicate the PERSONAL DATA BREACH to the DATA SUBJECT without undue delay when the PERSONAL DATA BREACH is likely to result in a high risk to the rights and freedoms of the DATA SUBJECT;
c) the DATA CONTROLLER’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of PERSONAL DATA (a data protection impact assessment).
6.1 The DATA PROCESSOR is under a strict obligation to notify the DATA CONTROLLER of any PERSONAL DATA BREACH immediately, and in any event no later than 24 hours after the DATA PROCESSOR becomes aware of the breach, to enable the DATA CONTROLLER to comply with its obligation to notify the PERSONAL DATA BREACH to a competent supervisory authority.
6.2 The DATA CONTROLLER is under an obligation to communicate the PERSONAL DATA BREACH to the DATA SUBJECT without undue delay when the PERSONAL DATA BREACH is likely to result in a high risk to the rights and freedoms of the DATA SUBJECT.
6.3 The DATA PROCESSOR agrees to provide any reasonable assistance as is required by the DATA CONTROLLER or the supervisory authority to facilitate the handling of any PERSONAL DATA BREACH in an expeditious and compliant manner.
6.4 In respect of any PERSONAL DATA BREACH, the DATA PROCESSOR shall provide the following details regarding the PERSONAL DATA BREACH to the DATA CONTROLLER:
a) a description of the nature of the PERSONAL DATA BREACH including, where possible, the categories and approximate number of DATA SUBJECTS concerned as well as the categories and approximate number of PERSONAL DATA records concerned;
b) the name and contact details of the DATA PROTECTION OFFICER or another contact for further relevant inquiries;
c) a description of the likely consequences of the PERSONAL DATA BREACH;
d) a description of the measures taken or proposed to be taken to address the PERSONAL DATA BREACH, including, where appropriate, measures to mitigate its possible adverse effects.
7.1 The PERSONAL DATA shall be retained by the DATA PROCESSOR in order to perform the services for the period defined by the DATA CONTROLLER and, in any case, no longer than is strictly necessary for the DATA PROCESSOR to (i) provide the requested services, (ii) process the PERSONAL DATA in line with this Agreement or (iii) as the case may be, meet any of its legal obligations (in particular statutory archival and retention obligations).
7.2 Subject to any legal obligation or request from the DATA CONTROLLER to archive or retain PERSONAL DATA, the DATA PROCESSOR shall delete any or all of the PERSONAL DATA without undue delay once all the specific purposes for which the PERSONAL DATA were processed have ceased to exist, or upon receipt of a written request from the DATA CONTROLLER.
7.3 On the instructions of the DATA CONTROLLER, the DATA PROCESSOR shall ensure that the PERSONAL DATA processed under this Agreement is returned to the DATA CONTROLLER or destroyed in accordance with the DATA CONTROLLER’S instructions if those instructions are not in contradiction with APPLICABLE LAW. The DATA CONTROLLER reserves the right to issue instructions to the DATA PROCESSOR under this clause at any time. In case these instructions are not in accordance with the APPLICABLE LAW, then the APPLICABLE LAW shall prevail.
7.4 Following the deletion of PERSONAL DATA under this clause, the DATA PROCESSOR shall notify the DATA CONTROLLER that the PERSONAL DATA in question has been deleted. Where applicable, the DATA PROCESSOR shall also provide confirmation that the PERSONAL DATA has been destroyed in accordance with any instructions issued by the DATA CONTROLLER, if those instructions are not in contradiction with the APPLICABLE LAW. In case these instructions are not in accordance with the APPLICABLE LAW, then the APPLICABLE LAW shall prevail.
8.1 The DATA PROCESSOR agrees to maintain records of all PERSONAL DATA processed under the Agreement and of its processing activities.
8.2 The records shall be in writing, including in electronic form.
8.3 The DATA CONTROLLER or the DATA PROCESSOR and, where applicable, the DATA CONTROLLER’s or the DATA PROCESSOR’s representative, shall make these records available to supervisory authorities on request.
8.4 The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this clause at any time, with reasonable (but in no event less than 30 days) advance notice of each inspection.
8.5 If a DATA SUBJECT requests information from the DATA CONTROLLER about which of that DATA SUBJECT’s PERSONAL DATA is being processed under this Agreement, and the DATA CONTROLLER is not able to provide this information without the DATA PROCESSOR’s help, the DATA PROCESSOR is obliged to provide any reasonable help.
9.1 The DATA PROCESSOR shall only grant access to the PERSONAL DATA being processed on behalf of the DATA CONTROLLER to persons under the DATA PROCESSOR’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, access to PERSONAL DATA shall be withdrawn where it is no longer necessary, so that the PERSONAL DATA is no longer accessible to those persons.
9.2 The DATA PROCESSOR shall at the request of the DATA CONTROLLER demonstrate that the concerned persons under the DATA PROCESSOR’s authority are subject to the above-mentioned confidentiality.
10.1 In order to provide services to the standard required by the client (DATA CONTROLLER), the DATA PROCESSOR might engage other companies from the TAPNI GROUP. All members of the TAPNI GROUP have the same information security and data protection policies, procedures, and technical and organizational measures in place. By signing this agreement, the DATA CONTROLLER agrees that other members of TAPNI GROUP are considered SUB-PROCESSORS in accordance with notes given in Annex 1.
10.2 By signing this Agreement, the DATA CONTROLLER agrees that the DATA PROCESSOR may at any time engage another processor, which shall be considered a SUB-PROCESSOR. In that case, the DATA PROCESSOR shall inform the DATA CONTROLLER of the addition or replacement of any SUB-PROCESSOR. The DATA PROCESSOR shall ensure that a signed Data Processing Agreement between the DATA PROCESSOR and the SUB-PROCESSOR is in place, and that any engaged SUB-PROCESSOR complies at least with the obligations to which the DATA PROCESSOR is subject pursuant to this Data Processing Agreement and the applicable legislation. The DATA CONTROLLER reserves the right to object to these changes.
10.3 The DATA PROCESSOR uses Amazon Web Services, Inc. as its infrastructure sub-processor. All of the DATA PROCESSOR’s services and platforms used for storing and processing the DATA CONTROLLER’s data are hosted in a data hosting location in Frankfurt, Germany. Under the service contract between the DATA PROCESSOR and Amazon Web Services, Inc., all hosted services and stored data are owned by, and can be accessed only by, the DATA PROCESSOR.
10.4 The DATA PROCESSOR shall store PERSONAL DATA originating from and sent to a country located in the EU/EEA solely in countries situated in the EU/EEA, and shall not cause any cross-border transfer of PERSONAL DATA from a country situated in the EU/EEA to any country situated outside the EU/EEA unless specifically requested by the DATA CONTROLLER.
11.1 In addition to the monitoring and/or audit rights set out in this Agreement, the DATA CONTROLLER is entitled to proceed with any verifications (including on the DATA PROCESSOR’s site(s)) during usual business hours, provided the DATA CONTROLLER gives reasonable (but in any event no less than 30 days) prior written notice to the DATA PROCESSOR.
11.2 The DATA PROCESSOR shall duly and promptly cooperate with the DATA CONTROLLER, upon request of the DATA CONTROLLER, by giving access to all documents, infrastructure, premises, information and/or staff reasonably required by the DATA CONTROLLER to ensure such data processing is compliant with this Agreement.
11.3 The costs and consequences of the monitoring and audits shall be borne by the DATA CONTROLLER, including support costs.
12.1 Any transfer of PERSONAL DATA by the DATA PROCESSOR is strictly prohibited; the data shall be processed only on Amazon Web Services at the hosting location defined in clause 10.3. For the purpose of providing the services defined in Annex 2, access to the data is allowed only to TAPNI GROUP employees, subject to the notes given in Annex 1.
12.2 The transfer of PERSONAL DATA shall be made only upon the DATA CONTROLLER’s request, for the purpose of providing the requested support.
13.1 Any notice or other communication which is given under this Agreement to the other party will be addressed and sent to the other party at the address as specified in this Agreement, or at any other address as otherwise notified by the other party (including for the avoidance of doubt in a statement of work).
13.2 For data privacy and security-related questions and concerns, the DATA CONTROLLER should contact the DATA PROCESSOR’s DPO.
13.3 The specified address, telephone number, and email address for each Party for the purposes of this clause are listed on the last page of this Agreement.
14.1 If the applicable data protection legislation or other applicable law changes in such a way that the Agreement is no longer adequate for governing lawful data sharing, the Parties will amend the Agreement. In such circumstances, the DATA PROCESSOR agrees to implement any changes to its processing activities that are necessary to comply with the amended terms of the Agreement.
15.1 The DATA CONTROLLER may terminate this Agreement with 30 days’ prior notice to the DATA PROCESSOR without any termination fees or penalty.
15.2 This Agreement constitutes the entire agreement between the parties with respect to the subject matter contained herein.
15.3 This Agreement may be altered or supplemented only in writing, provided that any such amendment is signed by the duly authorized representatives of both Parties.
15.4 If any provision of this Agreement is held invalid, illegal, or unenforceable for any reason, such provision shall be severed, and the remainder of the provisions hereof shall continue in full force and effect as if this Agreement had been executed with the invalid, illegal or unenforceable provision eliminated, and the Parties shall promptly discuss and amend the Agreement with a valid, legal and enforceable provision.
15.5 The DATA CONTROLLER may modify this Agreement at any time upon written notice to the DATA PROCESSOR, and such changes shall be effective and applicable to both Parties as indicated in such written notice.
15.6 This Agreement is governed by the laws of the Republic of Austria and GDPR, without regard to their conflicts of law principles.
The following Annexes form an integral part of this Agreement:
Annex 1 – TAPNI GROUP
Annex 2 – Service description
Annex 3 – Technical and organizational measures
Annex 1 - TAPNI GROUP
TAPNI GROUP is a group of companies led by the same goal, mission, and vision. TAPNI GROUP members are strategic and technology partners applying the same rules, regulations, and measures toward information security, data protection, and privacy. All group members can be involved in the lifecycle of provisioning services to clients. TAPNI GROUP members are listed below:
Tapni d.o.o, Veljka Dugosevica 54, 11000 Belgrade, Serbia
Tapni GmbH, Praterstrasse 78, 1020 Vienna, Austria
All Tapni products and services are provided and maintained only by TAPNI GROUP members and their employees, and the data is hosted and stored on Amazon Web Services, Inc. infrastructure in the Frankfurt, Germany hosting location.
Privacy and security notes and due diligence within TAPNI GROUP:
Data can be accessed only by a subset of TAPNI GROUP employees, selected on the least privilege principle. All employees have signed an NDA and all employees follow the same strict rules and principles towards data protection and privacy when accessing any PERSONAL DATA. Data is hosted on AWS and is not transferred outside the cloud environment; this means that data will not be transferred between TAPNI GROUP entities unless otherwise requested by the client. Any download or saving of the data to local machines is strictly prohibited. A DPA is signed between all TAPNI GROUP members. Data is encrypted in transit whenever it is accessed: TLS connections are used when accessing the platforms via the GUI, and a VPN is used when employees access virtual machines on AWS. All privileges are granted on the least privilege model and are reviewed on any change or modification. Access assignment is strictly monitored during the onboarding process and access is revoked during offboarding. System and software logs are in place to make sure that access is properly monitored.
Any processing of the DATA CONTROLLER’s PERSONAL DATA is strictly prohibited for the TAPNI GROUP members listed below:
Tapni d.o.o, Veljka Dugosevica 54, 11000 Belgrade, Serbia
Annex 2 - Service Description
Tapni for Business provides digital networking tools to its clients so they can share their professional contact details in a modern, efficient, and entertaining way.
Individual, digital profiles are created and personalized via the Tapni my.tapni.co web-based platform or using Tapni mobile applications, meaning that each digital profile can be completed with professional or personal contact information, social profiles, and other custom web links.
The final result is an online version of a business card that can be managed using the platforms and applications mentioned above. The Tapni digital business card can be shared in multiple ways. One is to share the Tapni digital profile via a reusable NFC smart card or other NFC accessories (such as stickers, key tags, or wristbands).
These NFC smart cards or accessories are associated with their users’ respective online profiles. The Tapni owner presents the NFC card or NFC accessory to another individual, who can then scan the NFC tag with their smartphone. Another way to share and read the Tapni digital business card is via a QR code. The QR code can be printed on the NFC smart card and is also stored in the digital profile of the Tapni digital business card owner.
In addition to the above-described functionalities, Tapni Enterprise provides an intelligent and powerful web-based platform business.tapni.co for enterprise clients to manage, automate and analyze the data of the Tapni digital business card profiles.
Annex 3 - Technical and organizational measures
The Contractor designs and uses relevant controls to maintain the confidentiality, integrity and availability of information and PERSONAL DATA using best practice frameworks and standards, and applies adequate measures including:
- Defining information security policies and procedures
- Establishing appropriate asset management and access control
- Taking organizational security and human resources into account
- Applying physical and environmental security
- Enhancing communication, network and system security
- Introducing information security into development, testing and maintenance processes
- Setting up incident response, disaster recovery and business continuity strategies and procedures
In addition to the above-mentioned security measures, additional measures have been implemented which relate particularly to GDPR requirements:
- Appointment of a Data Protection Officer, as noted above
- Reviewing and properly defining a Privacy Policy and other privacy-related documentation, and taking action to make the websites and all systems compliant
- Mapping personal information processing and creating a proper inventory of processing activities that is reviewed on a regular basis
- Initiating the signing of Data Processing Agreements with customers and suppliers
- Optimizing products and services in order to properly handle data subject access rights and to make sure that only GDPR-compliant services are offered to customers