(27.10.2021)
This Data Processing Agreement (“DPA”) and its exhibits are supplements to the MetricsFlare Terms (“Agreement”) concluded between BLUE GRID DOO, with its seat at Mihajla Pupina Boulevard no. 10a, Belgrade-New Belgrade, registration number 21259128 (“Blue Grid”, “Company”, “us”, “we”, “Data Processor”) and you as our client (“you”, “client”, “Data Controller”) regarding the provision of our services that we provide through our platform located at https://app.metricsflare.com (“Platform”).
In the further text of this DPA, you and we may be designated individually as a Party or jointly as the Parties.
This DPA regulates the processing of personal data by us on your behalf in connection with the services provided through the Platform under the Agreement.
This DPA is effective between you and us as of the date you indicate your acceptance of the DPA. If you do not agree to this DPA and/or any of its subsequent amendments, please note that we may not provide you with the services through the Platform, or we will need to suspend or discontinue the provision of our services to you.
1. Subject matter of the DPA
This DPA regulates the legal relationship between the Parties in connection with the personal data processing entrusted to the Data Processor by the Data Controller.
The subject of processing, nature, and purpose of processing, types of personal data, and types of persons whose personal data are processed are defined in Exhibit 1 to this DPA, which is an integral part of the DPA.
2. Definitions
Definitions:
a) the terms “personal data”, “data subject”, “data processing”, “data controller”, ” data processor”, as well as “breach of personal data”, have the meaning determined by the Law on Personal Data Protection ( “Official Gazette of RS”, No. 87/2018);
b) “sub-processor” is another processor to whom the processor has entrusted the performance of certain processing operations on behalf of the data controller;
c) “protective measures” means appropriate technical, organizational, and personnel measures, which aim to ensure the effective application of the principles of personal data protection, as well as the protection of the rights and freedoms of data subjects;
d) “Law” means the Law on Personal Data Protection (“Official Gazette of RS”, No. 87/2018) with bylaws adopted in accordance with that law;
f) “applicable regulations ” mean regulations of the Republic of Serbia in force.
3. Your obligations
You, as the Data Controller, are obliged to process personal data in accordance with the Law, as well as to apply all data protection measures and ensure the exercise of the rights and freedoms of the data subject.
You, as the Data Controller, undertake to issue instructions to us, as the Data Processor regarding the personal data processing in writing, as well as that such instructions, will be clear, precise, and in all aspects in accordance with the applicable regulations. For the avoidance of doubt, the Parties agree that the Agreement sets out Client’s complete and final instructions to Blue Grid in relation to the processing of personal data under the Agreement and this DPA, and processing outside the scope of these instructions (if any) shall require a prior written agreement between the Parties.
4. Our obligations
We, as the Data Processor, are obliged to process personal data only on the basis of your instructions given under the Agreement and this DPA, as the case may be.
If we are obliged to process certain personal data that fall within the scope of the Agreement due to our legal obligations, we will, as the Data Processor inform you as the Data Controller on such legal obligation before starting the processing, unless the law prohibits the submission of this information due to the need to protect an important public interest.
We, as the Data Processor, have a duty to inform you as the Data Controller without delay if we consider that any of your intentions on personal data processing communicated to us in accordance with the DPA is not in accordance with the Law and/or other applicable regulations.
The procedure and decision-making on further action in the situations referred to in the previous paragraph of this Article of the DPA, as well as the consequences in case of a potentially illegal instruction, are defined in Exhibit 2 to this Agreement, which is an integral part of the DPA.
We, as the Data Processor, will ensure that only persons who need access to personal data in order to fulfill our obligations towards you have access to such data, whereby such persons will be obliged to keep the data confidential or that that person is subject to the legal obligation to keep the data confidential. The need for persons to have access to personal data will be reviewed from time to time, and if it is found that a person has ceased to have access to such data, they will be denied access.
We will, in accordance with our statutory obligations, reasonably assist you as the Data Controller in fulfilling your obligations under the Law.
5. Security of processing personal data
The Parties shall implement appropriate protection measures in order to achieve an adequate level of security in relation to risk, in accordance with the level of technological achievements and costs of their application, nature, scope, circumstances, and purpose of processing, as well as the probability of risk and risk level to rights and freedoms of individuals.
You, as the Data Controller, are obliged to separately assess the probability of risk and the level of risk for the rights and freedoms of individuals, as well as to determine appropriate protection measures to reduce the assessed risk and provide us as the Data Processor with information regarding this matter promptly in writing.
Where appropriate, the protective measures referred to in this Article of the DPA shall include in particular:
a) pseudonymization and crypto protection of personal data;
b) ensuring lasting confidentiality, integrity, availability, and resilience of processing systems and services;
c) ensuring the establishment of re-availability and access to personal data in the event of physical or technical incidents as soon as possible;
d) conducting regular testing, evaluation, and assessment of the effectiveness of technical, organizational, and personnel security measures for processing.
In assessing the appropriate level of security referred to in paragraph 1 of this Article of the DPA, the risks of processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored, or otherwise processed shall be taken into account.
If during the processing it is determined that additional protection measures are needed in relation to those already agreed, the Parties shall subsequently include such protection measures in Exhibit 3 to this Agreement, which is an integral part of the DPA.
Notwithstanding the previous provisions of this DPA, the Data Processor has the right to disclose any personal data at the request of a court or other state body in the exercise of their powers prescribed by applicable regulations, with the obligation to immediately notify the Data Controller, as well as to consult with the Data Controller to the extent possible, on the scope and form of disclosure.
6. Notification on personal data breach
We, as the Data Processor, will inform you as the Data Controller without undue delay regarding the breach of personal data that may produce a risk to the rights and freedoms of natural persons, as well as to assist you in fulfilling your obligations under the Law.
The notification referred to in paragraph 1 of this Article of the DPA shall contain the following information:
1) a description of the nature of the personal data breach, including the types of data and the approximate number of persons to whom the personal data relating to, as well as the approximate number of personal data whose security has been breached;
2) description of possible consequences of the breach;
3) a description of the measures taken or proposed to be taken in connection with the breach, including measures taken to mitigate the harmful consequences.
If there is a breach of personal data, you may temporarily suspend the transfer of personal data to us.
The time limits, content, and manner of notifying the Data Controller of personal data breaches by the Data Processor are defined in Annex 4 to this Agreement, which is an integral part of the DPA.
7. Sub-processors
We, as the Data Processor, may entrust the processing to a sub-processor and by accepting this DPA, you as the Data Controller authorize us to do so.
We may, from time to time, update this DPA, under which update we will inform you as the Data Controller about the intended selection of the sub-processor, i.e. the replacement of the current sub-processor, so that you may inform us, as the case may be, in your opinion regarding such change.
The time limit within which you have the right to notify us of your opinion regarding the selection or replacement of the sub-processor, as well as the list of processors approved by you as the Data Controller, are defined in Exhibit 5 to this DPA, which forms an integral part of the DPA.
8. Rights of the data subjects
Taking into account the nature of the processing, we as the Data Processor are obliged to assist you as the Data Controller, as far as possible, in fulfilling your obligations in relation to the requirements for exercising the statutory rights of the data subjects.
If the data subject submits a request for exercising a right prescribed by applicable regulations to us as the Data Processor, and for whose actions you as the Data Controller is responsible, we will not be authorized to act upon such request and will as soon as possible inform you on such request, as well as data subject that we have informed you about such request.
9. Transfer of the personal data
The transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country, or to an international organization may be done in accordance with the provisions of applicable regulations while ensuring an adequate level of personal data protection, the feasibility of all rights and effective legal protection of data subjects.
We, as the Data Processor may transfer personal data to another state, to a part of its territory, or to one or more sectors of certain activities in that state or to an international organization only on the basis of your written instructions.
Your instructions as the Data Controller for the transfer of personal data to another country, to a part of its territory, or to one or more sectors of certain activities in that country or to an international organization, as well as a list of countries to which data transfer is approved, is given in Exhibit 6 of the DPA, which is an integral part of the DPA.
10. Term of the DPA
This DPA is effective between you and us as of the date you indicate your acceptance of the DPA. This DPA shall remain in effect for as long as we carry out processing operations on behalf of you or until termination of the Agreement.
The Parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the services under the Agreement.
11. Applicable law and jurisdiction
This DPA is construed and shall be interpreted in accordance with the laws of the Republic of Serbia, and you irrevocably agree that the competent courts of the Republic of Serbia shall have exclusive jurisdiction to settle any dispute arising out or in connection with this DPA.
If any part of this DPA is held to be invalid or unenforceable, the remaining provisions of the DPA shall continue to be in full force and effect.
On all matters that are not regulated by this DPA, the laws of the Republic of Serbia shall apply.
Exhibit 1
Exhibit 1 is an integral part of the DPA.
Subjects of personal data processing under the DPA are personal data of the Data Controller’s customers. The purpose of personal data processing is to help the Data Controller to advance and improve customer service quality by allowing its customers to leave feedback and rate for a survey a company representative created for such purpose.
The type of personal data that is subject to processing is e-mail addresses and country of residence.
Exhibit 2
Exhibit 2 is an integral part of the DPA.
If we as the Data Processor consider that your intention on personal data processing communicated to us in accordance with the DPA is not in accordance with the Law and/or other applicable regulations, we shall immediately upon receipt of such communication inform you in writing that such intention is not in accordance with the Law and/or other applicable regulations. The Parties shall jointly eliminate the reasons for non-compliance within 5 days from the receipt of the Data Processor’s notification if they jointly determine their existence, which will be stated in writing.
Exhibit 3
Exhibit 3 is an integral part of the DPA.
Description of protective measures:
1) technical measures:
- Firewall as protection against unauthorized access;
- Control of access to the entrance to the official premises;
- Communication encryption;
2) organizational measures:
- The availability of personal data is limited to the Data Processor’s premises and servers used by the Processor;
- Access level permission policies;
3) personnel measures:
- A limited number of persons with the Data Processor participate in the processing of personal data, and such persons have the obligation to maintain the confidentiality of data;
Exhibit 4
Exhibit 4 is an integral part of the DPA.
The Data Processor is obliged to notify the Data Controller of the data breach within 72 hours from the knowledge of the breach.
The Data Processor is obliged to inform the Data Controller in writing, which includes an e-mail message, regarding the breach of personal data. The Processor Notice contains at least the following information:
1) a description of the nature of the personal data breach, including the types of data and the approximate number of persons to whom the personal data relating to, as well as the approximate number of personal data whose security has been breached;
2) name and contact details of the person for the protection of personal data or information on other ways in which information on breach can be obtained;
3) description of possible consequences of the breach;
4) a description of the measures taken or processed by the Data Processor in connection with the breach, including the measures taken to mitigate the harmful consequences.
If all the above information cannot be provided at the same time, the Data Processor shall gradually provide the available information without undue delay.
The Data Processor shall document any breach of personal data, including the facts of the breach, its consequences, and the measures taken to remedy them and provide such data to the Data Controller at its request.
Exhibit 5
Exhibit 5 is an integral part of the DPA.
The Data Controller may inform the Data Processor within 5 days on its opinion regarding the selection or replacement of the intended sub-processor from the date of written notice of selection or replacement of the intended sub-processor.
In the event that the Data Controller does not respond within the prescribed period, it will be considered that it has provided consent for the selection or replacement of the intended sub-processor.
List of the sub-processors:
- AWS, (https://aws.amazon.com/)
- Google, (https://google.com, https://analytics.google.com/)
- IBM Tone Analyzer, (https://www.ibm.com/cloud/watson-tone-analyzer)
- Zendesk, (https://www.zendesk.com/)
- Drift, (https://www.drift.com/)
- Paypal, (https://www.paypal.com/)
Exhibit 6
Exhibit 6 is an integral part of the DPA.
The Data Controller allows the transfer of personal data to another state, to a part of its territory, or to one or more sectors of certain activities in that state or to an international organization in accordance with the Law and/or applicable regulations.
List of countries where transfer of personal data is allowed:
- Germany
- USA
Exhibit 7
Exhibit 7 is an integral part of the DPA.
The Data Controller may once per year at its own expense organize an audit/inspection from a third party regarding the Data Processor’s compliance with this DPA.
Since the systems of the Data Processor are used by multiple Data Controllers the Data Controller grants for security reasons the Data Processor the authority to determine that the audit should be performed by a third-party inspector or auditor that the Data Processor selects.