1. CONCTRACT FOR PROVISION OF THE DATA
Applicable when personal data shall be transferred
under the main Agreement concluded between contracting Parties
1. The terms used in the Contract correspond to those used in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter “the GDPR“) and other laws and regulations on the protection of personal data.
2. The Provider undertakes to provide the Recipient with personal data specified in the main Agreement and processed by the Provider, and the Recipient undertakes to use the received personal data for the purpose of the use of personal data specified in paragraph 4 of the Contract, under the conditions and in accordance with the procedures laid down in this Contract.
3. The Provider shall provide personal data to the Recipient in accordance with at least one of the conditions stated in Article 6(1) of the GDPR.
4. The Provider undertakes to provide personal data to the Recipient, and the Recipient undertakes to use the received personal data for the purposes set out in the main Agreement.
5. Personal data received from the Provider may not be processed by the Recipient for purposes incompatible with the purposes of the use of personal data specified in the main Agreement.
6. The Provider undertakes to provide personal data in accordance with the Conditions for the Provision of Personal Data.
7. The Provider undertakes to inform the data subject(s) about the sending of his/their data to the Recipient at the latest when such personal data are first disclosed to the Recipient. Where the processing of personal data is carried out on a legal basis of the data subject’s consent, the Provider undertakes to ensure that the consent given also includes the possibility of disclosing the personal data to the Recipient or to obtain a new consent from the data subject in order to transfer data to the Recipient.
8. The Provider and the Recipient undertake to implement, at their own expense, appropriate organizational and technical measures to protect personal data from accidental or unlawful destruction, alteration, disclosure, as well as from any other unlawful processing.
9. The Provider shall be responsible for the accuracy, correctness and protection of the provided personal data until personal data reach the Recipient.
10. The Recipient shall be responsible for the confidentiality and security of the received personal data from the moment such personal data are received. In the event of a threat or reasonable suspicion of a threat to the confidentiality of provided personal data, and/or if the Recipient does not adequately ensure the security of the provided personal data, the Provider shall inform the Recipient thereof and shall have the right to suspend the provision of personal data.
11. The Recipient shall ensure that his staff who process personal data are made aware of the obligation to retain personal data and of the prohibition on their disclosure to third parties.
12. The Recipient shall have the right to use the processor for the processing of personal data obtained under this Contract, however, such processing of personal data must comply with the requirements of Article 28 of the GDPR.
13. The Recipient shall be entitled to process personal data for no longer than is required by the purpose of processing personal data specified in the main Agreement. The Recipient undertakes to destroy without delay personal data obtained in accordance with the Contract when such data are no longer necessary for the purposes of their processing.
14. During the period of validity of the contract, the Provider shall have the right to require the Recipient to provide the information and/or documents necessary to satisfy himself that the Recipient has properly complied with the requirements of the Contract and legal acts on the protection of personal data (e.g. to prove that certain data safeguards are in place). The Recipient must provide the Provider with this information and/or documents within 30 days of receipt of the request.
15. The Provider shall have the right to take all appropriate measures to assess the Recipient’s ability to fulfil his obligations under the Contract and to verify that the Recipient has taken all appropriate measures to ensure compliance with the requirements of the Contract. The Recipient undertakes to provide the Provider with all the information and assistance necessary to certify that the personal data processing operations comply with the requirements of the Contract and will also authorise the Provider to carry out an audit of the Receiver.
16. If the Provider finds that the Recipient improperly performs the Contract, he shall inform the Recipient thereof and shall have the right to suspend the provision of personal data until such time as the infringements have been rectified. The Recipient must rectify the identified infringements within 30 days. Once the infringements have been rectified, the Recipient shall inform the Provider of his readiness to continue to properly fulfil the requirements of the Contract and legal acts concerning the processing of personal data. The Provider may, on the basis of an assessment of information received from the Recipient, resume the provision of personal data. If the Recipient does not inform the Provider of his readiness to continue to properly fulfil the requirements of the Contract and legal acts on the processing of personal data, the Provider shall have the right to unilaterally terminate the Contract.
17. The Provider undertakes to inform the Recipient of the rectification of incorrect, incomplete or inaccurate personal data provided to him no later than within 5 working days after the rectification of such data.
18. If the Recipient finds that personal data provided to him under the Contract are incorrect, incomplete or inaccurate, he shall inform the Provider, accordingly, providing explanations of the circumstances, no later than within 5 working days. Upon receipt of this information, the Provider shall have 5 working days to verify it and, should such information prove to be correct, to rectify any personal data which are incorrect, incomplete or inaccurate. Where incorrect, incomplete or inaccurate personal data have been rectified, the Provider shall inform the Recipient thereof no later than within 5 working days.
19. The Recipient undertakes to ensure adequate security of personal data. The Recipient undertakes to protect the received personal data against destruction, modification, unauthorised distribution or access and other forms of unlawful processing.
20. The Recipient undertakes to limit access to personal data to the Recipient’s staff whose access is necessary to ensure the performance of the Recipient‘s obligations under the Contract. The Recipient shall ensure that persons who have access to personal data have signed a confidentiality agreement including an obligation of non-disclosure of personal data. The scope of the confidentiality agreement must not be less than that of this Contract. The Recipient‘s staff must be made aware of the requirements for the processing of personal data.
21. The Recipient undertakes to take all necessary steps to assist the Provider in the event of a personal data breach and to inform the Provider immediately of any incident relating to the personal data disclosed by the Provider and of any unauthorized access to personal data, as well as of any other personal data breach. The Recipient undertakes to report the incident as soon as possible and, in any case, no later than within 24 hours after having become aware of the incident. The notification must include:- a description of the nature of the incident, indicating, where possible, the categories of personal data and the number of personal data subjects relating to the breach, as well as the categories and estimated number of personal data records;
– the contact details of the personal data officer or other person responsible for the protection of the Recipient’s personal data;
– a description of the circumstances of the breach;
– a description of the measures taken by the Recipient and proposed to the Provider to contain the breach of the protection of personal data, including, where necessary, measures to mitigate the possible consequences.
22. The Recipient undertakes not to disclose or otherwise make available to third parties personal data disclosed by the Provider without the prior written consent of the Provider.
23. The Parties shall be liable for the failure to perform or for improper performance of their obligations under the Contract in accordance with the procedure laid down by the governing laws of the Republic of Lithuania.
24. Disputes concerning the performance of the Contract shall be settled by an agreement between the Parties or, in the absence of an agreement, in accordance with the procedure laid down by the laws of the Republic of Lithuania.
25. If, for unforeseen reasons, a Party is unable to perform an obligation under the Contract, it shall immediately contact the other Party in writing regarding the supplementation, amendment or termination of the Contract.
26. Either party shall be exempt from liability for failure to perform the Contract, if that party proves that the Contract was not performed due to circumstances which were beyond its control and which could not be reasonably foreseen at the time of concluding the Contract, and that the party could not prevent such circumstances or their consequences (force majeure).
27. The Contract shall enter into force on the day of signature of main Agreement.
28. The Contract shall be valid for the term specified in the main Agreement.
29. The Contract shall expire:
– when the Parties agree to terminate the Contract;
– where one Party terminates the Contract in accordance with the procedure specified in paragraph 25;
– where one of the Parties loses the right to process personal data (e.g. the legal basis for the processing of personal data disappears; where a decision/order of a court or other public authority to cease the processing of personal data has become final).
30. The Contract may be terminated:
– at the Provider’s initiative by giving a written notice to the Recipient 20 working days before the termination of the Contract;
– at the Recipient’s initiative by giving a written notice to the Provider 20 working days before the termination of the Contract;
– a Party shall have the right to unilaterally terminate the Contract if the other Party is in breach of the Contract and fails to take measures to rectify the breach within 20 working days of receipt of the request for rectification.
Safeguards ensured by the Provider / Recipient: https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing
DUOMENŲ TEIKIMO SUTARTIS
Taikoma kai asmens duomenys turi būti teikiami vykdant pagrindinę sutartį, sudarytą tarp Šalių
1. Sutartyje vartojamos sąvokos atitinka Europos Parlamento ir Tarybos reglamente (ES) 2016/679 2016 m. balandžio 27 d. dėl fizinių asmenų apsaugos tvarkant asmens duomenis ir dėl laisvo tokių duomenų judėjimo ir kuriuo panaikinama Direktyva 95/46/EB (toliau – BDAR) ir kituose asmens duomenų apsaugą reglamentuojančiuose įstatymuose bei teisės aktuose vartojamas sąvokas.
2. Sutartimi Teikėjas įsipareigoja teikti Gavėjui Teikėjo tvarkomus asmens duomenis, nurodytus pagrindinėje Sutartyje, o Gavėjas įsipareigoja gautus asmens duomenis naudoti Sutarties 4 punkte nurodytu asmens duomenų naudojimo tikslu šioje Sutartyje nurodytomis sąlygomis ir tvarka.
3. Teikėjas teikia asmens duomenis Gavėjui taikydamas BDAR 6 straipsnio 1 dalyje nurodytą bent vieną iš sąlygų.
4. Teikėjas įsipareigoja teikti asmens duomenis Gavėjui, o Gavėjas gautus asmens duomenis įsipareigoja naudoti tikslais, kurie nurodyti pagrindinėje Sutartyje.
5. Asmens duomenų, gautų iš Teikėjo, Gavėjas negali tvarkyti tikslais, nesuderinamais pagrindinėje sutartyje nurodytais asmens duomenų naudojimo tikslais, išskyrus atvejus kai kitus asmens duomenų tvarkymo tikslus numato Gavėjui privalomi teisės aktai.
6. Teikėjas įsipareigoja asmens duomenis teikti pagal Asmens duomenų teikimo sąlygas.
7. Teikėjas įsipareigoja informuoti duomenų subjektą (-us), apie tai, kad jo(-ų) asmens duomenys bus siunčiami Gavėjui, ne vėliau kaip tokius asmens duomenis atskleidžiant Gavėjui pirmą kartą. Kai asmens duomenys tvarkomi duomenų subjekto sutikimo teisiniu pagrindu, Teikėjas įsipareigoja užtikrinti, kad duotas sutikimas apima ir galimybę perduoti asmens duomenis Gavėjui, arba gauti naują asmens duomenų subjekto sutikimą asmens duomenų perdavimo Gavėjui atvejui.
8. Teikėjas ir Gavėjas įsipareigoja savo lėšomis įgyvendinti tinkamas organizacines ir technines priemones, skirtas apsaugoti asmens duomenims nuo atsitiktinio ar neteisėto sunaikinimo, pakeitimo, atskleidimo, taip pat nuo bet kokio kito neteisėto tvarkymo.
9. Teikėjas atsako už pateiktų asmens duomenų tikslumą, teisingumą ir apsaugą, kol asmens duomenys pasieks Gavėjus.
10. Gavėjas atsako už gautų asmens duomenų konfidencialumą ir saugumą. Tuo atveju, jei nustatoma grėsmė ar kyla pagrįstų įtarimų dėl grėsmės teikiamų asmens duomenų konfidencialumui, ir (arba) jei Gavėjas netinkamai užtikrina teikiamų (pateiktų) asmens duomenų saugumą, Teikėjas apie tai informuoja Gavėją ir turi teisę sustabdyti asmens duomenų teikimą.
11. Gavėjas užtikrina, kad jo darbuotojai, kurie tvarko asmens duomenis, yra supažindinti su pareiga saugoti asmens duomenis ir draudimu juos atskleisti tretiesiems asmenims.
12. Gavėjas turi teisę pasitelkti duomenų tvarkytoją asmens duomenų gautų pagal šią Sutartį tvarkymui, tačiau toks asmens duomenų tvarkymas turi atitikti BDAR 28 str. reikalavimus.
13. Gavėjas turi teisę tvarkyti asmens duomenis ne ilgiau, negu to reikalauja pagrindinėje Sutartyje nurodytas asmens duomenų tvarkymo tikslas. Gavėjas įsipareigoja nedelsiant sunaikinti arba grąžinti Teikėjui pagal Sutartį gautus asmens duomenis, kai šie duomenys tampa nebereikalingi jų tvarkymo tikslams pasiekti.
14. Sutarties galiojimo metu, Teikėjas turi teisę reikalauti Gavėjo pateikti informaciją ir (ar) dokumentus, kurių reikia norint įsitikinti, kad Gavėjas tinkamai vykdo Sutartyje ir teisės aktuose nustatytus asmens duomenų apsaugos reikalavimus (pvz., įrodyti, jog taikomos tam tikros duomenų saugumo priemonės). Gavėjas privalo neatlygintinai Teikėjui pateikti šią informaciją ir (ar) dokumentus per 30 dienų nuo prašymo gavimo dienos.
15. Teikėjas turi teisę imtis visų, reikiamų priemonių tam, kad galėtų įvertinti ar Gavėjas yra pajėgus įvykdyti jam Sutartyje įtvirtintas pareigas, taip pat patikrinti ar Gavėjas ėmėsi visų priemonių tam, kad užtikrintų atitiktį Sutartyje nustatytiems reikalavimams. Gavėjas įsipareigoja Teikėjui neatlygintinai suteikti visą informaciją bei pagalbą, kuri reikalinga siekiant patvirtinti, jog asmens duomenų tvarkymo veiksmai atitinka Sutartyje įtvirtintus reikalavimus, taip pat suteiks teisę Teikėjui atlikti Gavėjo auditą.
16. Teikėjas, nustatęs, kad Gavėjas netinkamai vykdo Sutartį, apie tai informuoja Gavėją ir turi teisę sustabdyti asmens duomenų teikimą iki tol, kol bus pašalinti pažeidimai. Gavėjas, per 30 dienų turi pašalinti nustatytus pažeidimus. Pašalinęs pažeidimus, Gavėjas informuoja Teikėją apie pasirengimą toliau tinkamai vykdyti Sutartyje ir teisės aktuose nustatytus asmens duomenų tvarkymo reikalavimus. Teikėjas, įvertinęs iš Gavėjo gautą informaciją, gali atnaujinti asmens duomenų teikimą. Jei Gavėjas neinformuoja Teikėjo apie pasirengimą toliau tinkamai vykdyti Sutartyje ir teisės aktuose nustatytus asmens duomenų tvarkymo reikalavimus, Teikėjas turi teisę vienašališkai nutraukti Sutartį.
17. Teikėjas įsipareigoja informuoti Gavėją apie jam perduotų neteisingų, neišsamių ar netikslių asmens duomenų ištaisymą ne vėliau kaip per 5 darbo dienas nuo tokių duomenų ištaisymo.
18. Jei Gavėjas nustato, kad jam pagal Sutartį perduoti asmens duomenys yra neteisingi, neišsamūs ar netikslūs, jis ne vėliau kaip per 5 darbo dienas apie tai informuoja Teikėją pateikdamas aplinkybių paaiškinimus. Teikėjas, gavęs šią informaciją, privalo per 5 darbo dienas ją patikrinti ir, jai pasitvirtinus, neteisingus, neišsamius ar netikslius asmens duomenis ištaisyti. Ištaisęs neteisingus, neišsamius ar netikslius asmens duomenis, Teikėjas ne vėliau kaip per 5 darbo dienas apie tai informuoja Gavėją.
19. Gavėjas įsipareigoja užtikrinti adekvatų asmens duomenų saugumą. Gavėjas įsipareigoja saugoti gautus asmens duomenis nuo sunaikinimo, modifikavimo, neteisėto platinimo arba neteisėtos prieigos, bei kitų formų neteisėto tvarkymo.
20. Gavėjas įsipareigoja, kad prieigą prie asmens duomenų suteiks tik tiems Gavėjo darbuotojams, kuriems prieiga yra būtina, siekiant užtikrinti Gavėjo pareigų, pagal Sutartį, vykdymui. Gavėjas užtikrina, kad asmenys, kurie turi prieigą prie asmens duomenų, yra pasirašę konfidencialumo susitarimą, kuris apima ir asmens duomenų neatskleidimo įsipareigojimą. Konfidencialumo susitarimo apimtis privalo būti ne mažesnė nei šios Sutarties. Gavėjo darbuotojai turi būti supažindinti su asmens duomenų tvarkymo reikalavimais.
21. Gavėjas įsipareigoja imtis visų veiksmų, kad padėtų Teikėjui asmens duomenų saugumo pažeidimo atveju, taip pat nedelsiant pranešti Teikėjui apie bet kokį incidentą susijusį su Teikėjo atskleistais asmens duomenimis bei apie neautorizuotą prieiga prie asmens duomenų, taip pat apie kitus asmens duomenų saugumo pažeidimus. Gavėjas įsipareigoja apie incidentą pranešti, jei įmanoma, nedelsiant, bet kuriuo atveju, ne vėliau nei per 24 val. po sužinojimo apie įvykį. Pranešime privalo būti nurodyta:
– pažeidimo pobūdžio aprašymas, kuriame, jei įmanoma, nurodomos asmens duomenų kategorijos bei asmens duomenų subjektų, kurie susiję su pažeidimu, skaičius, taip pat asmens duomenų įrašų kategorijos bei apytikris skaičius;
– asmens duomenų pareigūno ar kito, už Gavėjo asmens duomenų apsaugą atsakingo, asmens kontaktinė informacija;
– pažeidimo aplinkybių apibūdinimas;
– apibūdinimas priemonių, kurių ėmėsi Gavėjas ir kurių siūloma imtis Teikėjui tam, kad būtų suvaldytas asmens duomenų apsaugos pažeidimas, įskaitant, kai būtina, priemonės, skirtos sušvelninti galimus padarinius.
22. Gavėjas įsipareigoja be išankstinio Teikėjo rašytinio sutikimo tretiesiems asmenims neatskleisti ar kitais būdais padaryti prieinamus Teikėjo atskleistus asmens duomenis.
23. Už Sutarties įsipareigojimų nevykdymą arba netinkamą vykdymą Šalys atsako Lietuvos Respublikos įstatymų nustatyta tvarka.
24. Ginčai dėl sutarties vykdymo sprendžiami Šalių susitarimu, o nagrinėjami Lietuvos Respublikos įstatymų nustatyta tvarka kompetentingame Lietuvos Respublikos teisme.
25. Jeigu Šalis dėl nenumatytų priežasčių negali įvykdyti kurio nors Sutartimi prisiimto įsipareigojimo, ji nedelsdama raštu kreipiasi į kitą Šalį dėl Sutarties papildymo, pakeitimo ar nutraukimo.
26. Šalis atleidžiama nuo atsakomybės už Sutarties neįvykdymą, jeigu ji įrodo, kad Sutartis neįvykdyta dėl aplinkybių, kurių ji negalėjo kontroliuoti bei protingai numatyti Sutarties sudarymo metu, ir kad negalėjo užkirsti kelio šių aplinkybių ar jų pasekmių atsiradimui (force majeure).
27. Sutartis įsigalioja nuo pagrindinės sutarties pasirašymo dienos.
28. Sutartis galioja pagrindinėje Sutartyje nurodytą terminą.
29. Sutartis pasibaigia:
– kai Šalys susitaria nutraukti Sutartį;
– kai viena Šalis nutraukia Sutartį 25 punkte nurodyta tvarka;
– kai viena iš Šalių netenka teisės tvarkyti asmens duomenis (pvz., išnyksta teisinis pagrindas asmens duomenų tvarkymui; kai yra įsiteisėjęs teismo ar kitos valstybinės institucijos sprendimas/nurodymas nutraukti asmens duomenų tvarkymo veiksmus).
30. Sutartis gali būti nutraukta:
– Teikėjo iniciatyva įspėjus Gavėją raštu prieš 20 darbo dienų iki Sutarties nutraukimo;
– Gavėjo iniciatyva įspėjus Teikėją raštu prieš 20 darbo dienų iki Sutarties nutraukimo;
– Šalis turi teisę vienašališkai nutraukti Sutartį, jei kita Šalis pažeidžia Sutartį ir nesiima priemonių pažeidimui pašalinti per 20 darbo dienų nuo reikalavimo jį ištaisyti gavimo dienos.
Tiekėjo / Gavėjo užtikrinamos saugumo priemonės: https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing
* * *
2. DATA PROCESSING AGREEMENT
Applicable when personal data shall be processed under the Main Agreement concluded between Parties
1. The definitions used in the Processing agreement
1.1. Personal Data means personal data of natural persons necessary to ensure the proper provision of the Services rendered to the Controller. Personal data processed on the basis of this Agreement are specified in the Special Conditions of this Agreement.
1.2. General Data Protection Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.3. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transferred, stored or otherwise processed.
1.4. General Conditions of the Agreement means these conditions which set out the general requirements for the processing of Personal Data.
1.5. Special Conditions of the Agreement means the Special Conditions of the Data Processing Agreement, which set out special conditions for the processing of data transferred in accordance with the Service Agreement referred to in such conditions. The Special Conditions of the Agreement together with the General Conditions of the Agreement constitute the Data Processing Agreement (hereinafter referred to as the Agreement).
1.6. Processing Agreement is an integral part of the main Agreement concluded between Parties.
2. Subject matter of the agreement
2.1. The parties agree that the Processor undertakes to process the personal data specified in the Special Conditions of the Processing Agreement on behalf of the Controller and only in accordance with the Controller’s documented instructions, including the transfer of personal data to a third country or international organization, except as required by EU law or the law of its Member State which applies to the Processor. In such a case, the Processor shall notify the Controller of such a legal requirement before processing the data, unless such law prohibits such communication for overriding reasons of public interest.
3. Obligations of the Processor. The Processor undertakes to:
3.1. process the data solely for the purpose(s) subject to the Processing Agreement;
3.2. process Personal Data only in accordance with the instructions formalized in this Agreement and other documents. All such instructions must be given in writing (in writing, by e-mail, etc.). If the Processor considers that the instructions of the Controller violate GDPR or other requirements of European Union law, it must immediately inform the Controller. In addition, the Processor undertakes to inform the Controller of the transfer of data to a third country or international organization, if such an obligation is provided for him by the law of the EU or the Member State of the Processor;
3.3. guarantee the confidentiality and security of processed personal data. The Processor is responsible for the security and confidentiality of the transferred Personal Data throughout the processing of Personal Data;
3.4. ensure that the persons authorized to process the personal data have committed themselves to the obligation of confidentiality and have received the appropriate personal data protection training;
3.5. take into account the principles of privacy by design and by default while providing services and offering digital products;
3.6. take all measures required pursuant to Article 32 GDPR (Security of Processing) including but not limited to implementing appropriate technical and organisational measures;
3.7. cooperate and assist the Controller to implement data subjects’ rights, other obligations of the Controller provided in the Articles 33-36 of the GDPR;
3.8. cooperate and assist the Controller in carrying out data protection impact assessments; or by consulting the supervisory authority prior to the processing;
3.9. upon the expiry of the Processing Agreement, transfer all personal data without retaining the copies of Personal Data to the Controller that has been transferred to the Processor for the purpose of the processing. If personal data cannot be returned, such data shall be destroyed irreversibly.
3.10. upon request of the Controller, provide all necessary information to prove that the Processor complies with the requirements of Article 28 GDPR and this Agreement;
3.11. to perform other duties and instructions provided in this Processing Agreement or in the legal acts applicable to the Controller and the Processor.
4. Period of personal data storage
4.1. By agreement of the parties, the Processor shall process the entrusted Personal Data for so long as is necessary for the proper and complete performance of main Agreement and until the expiration of the main Agreement, unless otherwise provided by the Controller in writing. Separate periods of the processing of Personal Data may be specified in the Special Conditions.
5. The Sub-processor authorised by the Processor
5.1. By agreement of the Parties, the Processor shall be granted a general authorization to engage Sub-Processors established and operating in EU or EEA countries.
5.2. When the Processor intends to use a Sub-processor established outside EU and / or EEA, the Processor should obtain the written prior authorization of the Controller.
5.3. The Processor undertakes to sign written agreements with the engaged Sub-processors provided that the provisions therein shall set the equivalent and stringent data protection obligations as the Controller has imposed on the Processor. The Processor shall ensure that the engaged Sub-processor applies appropriate technical and organizational measures that the processing complies with the requirements of the GDPR.
5.4. The Processor remains directly liable to the Controller for the performance of a Sub-processor’s data protection obligations.
6. Exercise of data subjects’ rights
6.1. The Processor undertakes to cooperate with the Controller, within the scope of the Personal Data processed, to enable the Controller to respond to requests from data subjects within a reasonable period of time, if the provision of such responses requires information from the Processor which the Controller does not have and cannot obtain otherwise.
6.2. Where the data subjects submit requests to the Processor to exercise their rights, the Processor must forward these requests as soon as they are received by email to person indicated in the main Agreement.
7. Security and breaches of security of Personal Data
7.1. The Processor, in cooperation with the Controller, shall assist the Controller with the implementation of technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the nature of Personal Data and the impact on data subjects’ rights and freedoms.
7.2. The Processor shall notify the Controller of any Personal data breach not later than 24 hours after having become aware of it and via the following means [provide e-mail address and phone number).
7.3. The Processor shall indicate the following information in the notification of a Personal Data Breach:
7.3.1. the nature of the Personal Data Breach, including, where possible, the categories and approximate numbers of data subjects concerned, as well as the categories and approximate numbers of relevant personal data records;
7.3.2. the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including measures to mitigate its possible adverse effects;
7.3.3. Another information, which is necessary, for the Controller to notify to the supervisory authority.
7.4. The Processor shall provide the Controller with the information necessary to demonstrate compliance with the Processor’s obligations under this Agreement and with legislation on the protection of personal data, facilitate and assist the Controller or the person authorized by the Controller with audits, including inspections to the extent consistent with the personal data protection provisions laid down in European Union or national legislation.
8. Audit
8.1. The Processor undertakes to provide the Controller with all information and to provide him with all assistance in proving that the obligations assumed under this Agreement have been fulfilled. The Controller or an external auditor engaged by him (not a Processor’s competitor) may, by giving 14 calendar days’ notice, verify that the Processor complies with the requirements provided for in this agreement and Article 28 of the GDPR.
8.2. The Processor undertakes to rectify the observed violations and deficiencies immediately. Any inspections of the Processor’s premises would be carried out only during the Processor’s working hours with the least possible disruption to normal business procedures. The persons who will carry out the inspection will be required to sign an undertaking of confidentiality. At the request of the Processor, the Controller will provide an inspection report. Each party undertakes to cover the costs of the audit at its own expense. If the audit reveals that the Processor has committed a material breach of the provisions of this agreement (failure to provide technical security measures that pose a significant risk to data security, unlawful disclosure of data, etc.), he undertakes to cover a reasonable amount of audit costs.
9. Liability
9.1. In the event of any suspicions that the Processor has failed to comply with the essential conditions of this Agreement, the Controller shall notify the Processor thereof in writing. Upon confirmation that the provisions of this Agreement have not been complied with, the Controller shall grant the Processor the right to eliminate the breach completely within a reasonable time limit specified by the Controller, if such breach is the result of direct action or omission by the Processor. In the event that the Processor fails to eliminate the breach, within a reasonable time limit agreed by the parties, or the breach is related to non-appropriate technical and organisational measures, the Controller shall acquire the right to terminate the Agreement unilaterally, including Agreement 1, where performing the agreement in the absence of data processing is not possible.
9.2. The Processor undertakes to compensate the Controller for any damage or loss caused by actions or inactions of the Processor or Sub-processor.
10. Validity and termination of the Agreement
10.1. This Agreement shall enter into force from the date of its signature.
10.2. This Agreement shall terminate automatically upon expiry or early termination of the main Agreement, without concluding any other Agreement between the parties. If the parties have concluded multiple Agreements of which only one or some Agreements expire, the processing of Personal Data shall be terminated to the extent defined by the expired Agreements, unless further processing of Personal Data is necessary under the remaining effective Agreements.
11. Final provisions
11.1. Either party shall be exempt from liability for failure to perform the Agreement, if that party proves that the Agreement was not performed due to circumstances which were beyond its control and which could not be reasonably foreseen at the time of concluding the Agreement, and that the party could not prevent such circumstances or their consequences (force majeure).
11.2. The parties have disclosed to each other all information known to them which is essential for the conclusion and performance of this agreement.
11.3. The parties acknowledge, confirm and warrant that all negotiations between them prior to the date of conclusion of the Agreement have been conducted in good faith; each party expressly agrees to each of the conditions of the Agreement; none of the conditions of the Agreement at the time of the conclusion of the Agreement shall be considered as unduly favoring any of the parties; all conditions of the Agreement fully comply with the best interests and the freely expressed will of the parties; and at the time of concluding the Agreement the parties hereto are independent of each other and have no economic difficulties or urgent needs.
11.4. Any amendments and/or supplements to the Agreement shall be signed by the Parties and constitute an integral part of the Agreement.
11.5. All disputes between the parties shall be settled by negotiations or, failing that, shall be examined by a competent court of the Republic of Lithuania under the procedure established by the laws of the Republic of Lithuania. This Agreement shall be governed by the law of the Republic of Lithuania.
11.6. Any notification under this agreement shall be given in writing (sent by registered post or delivered personally or by email specified in this Agreement) to the last address of the recipient known to the notifier. The date of notification shall be the date of delivery of the letter. The date of receipt of a notification sent by email shall be the day of sending the email. The parties undertake to notify each other of any changes in their contact details 3 (three) business days prior the change of their contact details.
11.7. The information contained in the Agreement shall be confidential, and the parties undertake not to disclose the information relating to the agreement to third parties, except in cases provided for by the law.
11.8. The Agreement is made in two copies carrying equal legal force, one copy for each party to the Agreement.
11.9. The Agreement constitutes an integral part of Main Agreement. This Processing Agreement consists of the General conditions and the Special conditions, in the event of any conflict between the two parts, the Special conditions shall prevail.
The Processor undertakes to ensure technical and organisational measures the minimum list of which is presented by the European Union Agency for Cybersecurity (ENISA):
https://www.enisa.europa.eu/publications/handbook-on-security-of-personal-data-processing
