This Data Processing Agreement (hereinafter referred to as “Agreement”) forms part of the agreement between SCARPEL LIMITED and Partner covering SCARPEL LIMITED’s and/or Partner’s use of the Services (as defined below).
The Parties have entered into a Service Agreement whereby the Party acting as a Provider (“Provider”) is the processor (“Processor”) under this Agreement, and provides services to the Party, acting as a Client/Customer (“Client/Customer”), who is the controller (“Controller”) under this Agreement, whereby the Processor processes personal data (“Personal Data”) on behalf of the Controller on an ongoing basis;
The Parties are therefore obliged to enter into a Data Processing Agreement in accordance with the General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - (hereinafter referred to as “GDPR”), the Law of the Republic of Cyprus providing for the protection of natural persons with regard to the processing of personal data and for the free movement of such data (N. 125(I)/2018), and the guidelines of the EU and the competent supervisory authorities for the protection of personal data, collectively referred to as the “Data Protection Laws”;
1.1 This Agreement applies to the processing of the Personal Data within the scope of a Service agreement or any other relevant agreement between the Parties (hereinafter collectively referred to as the “Service Agreement”). The Personal Data may include data relating to the identified / identifiable data subject.
1.2 Sensitive Data. The Parties generally do not process special categories of personal data of data subjects covered by the Data Protection Laws. If the Party processes such personal data, it will apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved, in accordance with Article 9 of the GDPR and other Data Protection Laws.
1.3 The terms used in this Agreement such as “processing”, “personal data”, “data subject”, “controller”, “processor”, and other terms related to personal data shall have the meaning ascribed to them in the GDPR, the law and official guidance on its implementation.
2.1 The Parties understand that under the Service Agreement the Provider acts as a processor of Personal Data exported by the Client’s/Customer’s counterparties and/or customers, who act as controllers. The Client/Customer appoints the Provider as a Processor, or as a sub-processor of the Client’s/Customer’s counterparties and/or customers for the processing of the Personal Data for the purposes specified herein, in lawful documented instructions of the Controller, or in Data Protection Laws.
2.2 Lawfulness of processing. The Processor warrants that it will only process the Personal Data in a manner and to the extent that it is:
(a) necessary for the provision of the Services or ancillary services in connection with the Service Agreement (e.g. for the purposes of communication, billing, inquiries to financial institutions in connection with payments, and disputes); or
(b) necessary to comply with the Controller’s instructions; or
(c) necessary to comply with legal obligations to which the Processor is subject, in which case the Processor shall be obliged to notify the Controller of such legal obligations, including obligations to tax, regulatory, governmental and international authorities, auditors and certifiers; or
(d) necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data; or
(e) permitted by the Data Protection Laws in other cases.
2.3 The Data Processor warrants that it will only process the Personal Data in accordance with the Data Protection Laws and the Controller’s instructions, as set out in the Service Agreement, this Agreement or elsewhere if recorded in writing by the Parties, and that it will implement appropriate technical and organisational measures to comply with the Data Protection Laws.
2.4 Accuracy and data minimisation. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. The Processor shall take all reasonable steps to ensure that Personal Data which is inaccurate or out of date, having regard to the purpose(s) of the processing, is erased or rectified without undue delay.
2.5 The processing of Personal Data by the Processor shall only take place for the duration of the provision of the Services and ancillary activities in connection with the Service Agreement (e.g. for the purposes of communication, billing, inquiries to financial institutions in connection with payments and disputes).
2.6 Sub-processors. The Processor may engage other persons to process the Personal Data (sub-processors) in accordance with clauses 2.7-2.9 of this Agreement.
2.7 General authorisation. The Client/Customer hereby grants a general authorisation to the Provider to engage the following sub-processors:
(a) contractors (e.g. natural persons who set up new routes for the Client’s/Customer’s SMS or troubleshoot problems in the course of the provision of the Services); and/or
(b) vendors (e.g. providers of software solutions for the relevant Services, SMS aggregators, facilitators of Client’s/Customer’s marketing campaign); and/or
(c) third parties affiliated (related) to the Processor,
for the processing of Personal Data inside and outside the European Economic Area (“EEA”).
By signing this Agreement, the Client/Customer authorises these sub-processors existing on the date of this Agreement. At the request of the Client/Customer the Provider shall provide a list of such sub-processors.
Any change to the list of such sub-processors shall require written notice to the Client/Customer, who may object to such change in writing within one (1) month of receipt of such notice.
2.8 Specific authorisation. The Client/Customer may specifically authorise the Processor to engage other sub-processors, not listed in Clause 2.7 hereof, inside and outside the EEA, provided that the Client/Customer authorises such sub-processors in writing and in advance.
Any change to the list of such sub-processors shall require the prior written authorisation of the Client/Customer.
2.9 Requirements for sub-processors. The Processor shall ensure that sub-processors comply with the requirements of this Agreement regarding the subject matter, nature, purpose, duration of processing, type of Personal Data and categories of data subjects subject to processing, transfer of Personal Data outside the EEA, and the data breach procedure.
In addition, the Processor shall ensure that the sub-processors provide sufficient guarantees to implement appropriate technical and organisational measures to comply with the Data Protection Laws, e.g. by means of a privacy policy, terms of service, records of processing activities, records management policy, information security policy, reports of external data protection audits, recognised international certifications, e.g. ISO, adherence to a quality management system, compliance with an approved code of conduct or certification mechanism of a sub-processor or its internal/external data protection officer, accession to the personal data provisions of this Agreement, contractual obligations and procedures respecting Data Protection Laws, and other conditions satisfactory to the Processor.
In the case of sub-processing outside the EEA, the Processor shall comply with the additional requirements set out in Article 7 of this Agreement.
2.10 The Client/Customer may from time to time request the Processor to provide the list of all sub-processors and the scope and purposes of such sub-processing. If the list includes the Personal Data and (or) the confidential data, then the Client/Customer shall comply with the requirements of this Agreement and the Service Agreement with respect to such data types.
The Client/Customer may request that a sub-processor be removed from the list of authorised sub-processors of the Provider and its affiliated (related) persons (if any) with respect to Personal Data exported by the Client/Customer.
2.11 A Controller shall specify in its request for exclusion which sub-processors are to be excluded from processing personal data exported by the Controller and, if the Controller so wishes, the scope of the personal data subject to this exclusion.
A Controller’s objection to the inclusion of a sub-processor shall apply to all types of personal data exported by the Controller unless the Controller indicates otherwise.
2.12 The Provider shall not be held responsible for the non-provision or improper provision of the Services if this is caused by the removal of one or more sub-processor(s) in accordance with the request/objection of the Client/Customer, provided that such sub-processor was required for such Service and cannot be immediately replaced by a third party at a similar fee.
3.1 Without prejudice to any existing contractual arrangements between the Parties, the Processor warrants that it will treat all Personal Data as strictly confidential. The Processor shall ensure that all persons or parties (employees, agents and others) involved in the processing of the Personal Data are familiar with the Data Protection Laws relevant to their scope of work, have signed and are bound by an appropriate confidentiality agreement and/or are subject to any other binding obligation of confidentiality.
3.2 The Processor shall not be in breach of this obligation if and to the extent that such disclosure is mandatory under applicable law or if and to the extent that the data subject has publicly disclosed his/her Personal Data.
3.3 Either Party may disclose provisions of this Agreement relating to data subjects’ rights, but not other provisions of this Agreement, provided that the data subjects seek to invoke or enforce their data subjects’ rights (Clause 10.2 hereof).
4.1 Without prejudice to any other security standards agreed by the Parties, the Processor shall take appropriate technical and organisational measures to ensure the security of the processing of the Personal Data. Such measures shall include inter alia:
(a) the anonymization, pseudonymization and encryption of the Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to the Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of the processing.
4.2 The extended list of security measures is set out in Appendix 1 to this Agreement.
5.1 The Parties acknowledge that security requirements are constantly changing, and that ensuring effective security, ongoing confidentiality, integrity, availability, and resilience of the processing systems and services requires frequent evaluation and regular improvement of outdated security measures. The Processor shall therefore continuously evaluate its measures implemented in accordance with Article 4 hereof and shall strengthen, supplement and improve such measures in order to maintain compliance with the relevant security requirements.
6.1 The Party (“Auditing Party”) shall have the right to perform an audit of the other Party (“Reviewed Party”) if the Auditing Party has concerns about the Reviewed Party’s compliance with the provisions of this Agreement. The audit may be performed if all of the following conditions are met:
(a) the audit is performed no more than once every twelve (12) months;
(b) the audit is performed by the Auditing Party and (or) an independent third party (auditor) at the expense of the Auditing Party;
(c) the audit is preceded by two (2) months’ notice from the Auditing Party, specifying the purpose and location of the audit and the detailed list of information to be audited.
6.2 The Reviewed Party shall, at the first request of the Auditing Party, provide the Auditing Party with all information that the Auditing Party deems reasonably necessary to comply with or demonstrate compliance with its legal requirements, including in any event the requirements of the Data Protection Laws, provided that such access does not violate any confidentiality agreements that the Reviewed Party may have with other partners and/or applicable laws.
7.1 The Parties agree that the Personal Data will not be transferred outside the EEA, unless otherwise expressly agreed in this Agreement or the Service Agreement (e.g. as an integral part of the provision of the Services and other reasons listed in Clause 2.2 hereof).
7.2 Where the provision of the Services involves the transfer of the Personal Data to a processor outside the EEA, additional requirements must be met in order to ensure an adequate level of data protection as set out in Chapter V of the GDPR. In particular, the Processor may transfer the personal data to a third party located outside the EEA if the third party is subject to or agrees to be subject to:
(a) the provisions of this Agreement or provisions no less stringent than those of this Agreement;
(b) standard contractual (data protection) clauses adopted by the European Commission - Adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as of the date of this Agreement;
(c) the principles of the Data Privacy Framework (DPF) program (the EU maintains such a program with the US and the UK as of the date of this Agreement); or
if such third party is located in a country with an adequate level of data protection as determined by the European Commission.
7.3 The Parties agree that if and to the extent any processor (sub-processor) engaged by the Processor fails to comply with its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of such other processor’s obligations. The Processor shall impose the same data protection obligations as set forth herein on the processor (sub-processor) by contract or other legal act in accordance with applicable law.
8.1 The Processor shall at all times notify the Controller of any incident involving the processing of the Personal Data without undue delay after becoming aware of the incident, but no later than within twenty-four (24) hours, and shall at all times cooperate with the Controller and follow the Controller’s documented instructions in order to enable the Controller to perform a thorough investigation, formulate a correct response and to take appropriate further steps in relation to such incident. In particular, the Processor warrants that it will provide the Controller with all information necessary to fulfil its legal obligations, such as the obligation to report incidents under the Data Protection Laws.
8.2 The term “Incident” as used in Clause 8.1 hereof shall in any case mean:
(a) any communication by a data subject in relation to his/her Personal Data except his/her opt-out right under clause 8.5 hereof;
(b) an investigation or seizure of the Personal Data by government officials, or any indication that such an investigation or seizure is about to take place, receipt of a request for disclosure of the Personal Data from a competent regulatory authority, court, or other public authority, or direct access (e.g. wiretapping) by such authorities to such Personal Data;
(c) any data breach;
(d) any other breach of the security and/or confidentiality or of provisions of Articles 3 and 4 of this Agreement resulting in loss or any form of unlawful processing, including destruction, alteration, unauthorized disclosure of or access to the Personal Data, or any indication that such a breach has occurred or is about to occur.
8.3 In the event of an incident as described in Clause 8.2 hereof the Processor shall notify the Controller within twenty-four (24) hours of becoming aware of the incident. Such notification shall include: (i) the nature of the incident; (ii) the date and time the incident occurred and was discovered; (iii) the (number of) data subjects affected by the incident; (iv) the categories of Personal Data involved in the incident; and (v) whether and, if so, what security measures – such as encryption – have been taken to render the Personal Data unintelligible or inaccessible to anyone not authorized to access such data.
In the event of a personal data breach involving Personal Data, the Processor shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.
8.4 Generally, the Processor is not required to notify data subjects of an incident unless the Controller instructs the Processor otherwise. However, in the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall also notify the data subjects concerned without undue delay of the personal data breach and its nature, if necessary, in cooperation with the Client/Customer, together with information on:
(a) the likely consequences of the data breach;
(b) the measures taken or proposed to address the data breach; and
(c) the details of a contact point where further information can be obtained;
unless the Processor has taken measures to significantly reduce the risk to the rights and freedoms of natural persons or notification would involve disproportionate effort.
In the case of such a high risk, the Processor shall issue a public notice or take a similar measure, by individual notice or on its website, to inform the public of the personal data breach and provide a contact point authorised to handle questions and complaints.
8.5 Right to opt-out. If a data subject has and exercises his/her right to object to and stop the manual and/or automated processing of his/her personal data (such as stop, unsubscribe, end, quit, cancel commands), the Parties shall implement this by technical and organizational means. The Parties are not required to inform the data subject of the measures taken to implement his/her objection.
9.1 Upon termination of this Agreement, or upon the written request of the Controller, the Processor shall, at the option of the Controller, either destroy the Personal Data and its copies or return them to the Controller in the manner and format specified by the Controller. The Processor shall simultaneously destroy all existing copies of the Personal Data, unless the storage of the Personal Data is required by applicable law. Until the Personal Data and its copies are deleted or returned, the Processor shall continue to ensure compliance with this Agreement.
9.2 The Processor shall notify sub-processors of the termination of the Agreement and shall ensure that all such third parties shall at the Controller’s discretion either destroy the Personal Data and its copies or return them to the Processor for further transfer to the Controller, unless the storage of the Personal Data is required by applicable law.
10.1 Each Party shall be liable to the other Party for any damage caused to the other Party by any breach of this Agreement.
The Processor may not rely on the conduct of a sub-processor to avoid its own liability to the data subject and (or) the Client/Customer.
10.2 Third party rights. Data subjects may invoke and, where appropriate, enforce against the Party(-ies) the clauses of this Agreement relating to the rights of data subjects provided for by this Agreement or the Data Protection Laws as third-party beneficiaries.
In particular, data subjects may claim any material or non-material damages from a Party for breach of the said data subjects’ rights by a responsible Party, and (or) seek redress through a competent supervisory authority or a competent court.
This Clause 10.2 is without prejudice to any other remedies available to data subjects under the Data Protection Laws. As of the date of this Agreement, the competent supervisory authority in the Republic of Cyprus is:
Office of the Commissioner for Personal Data Protection
Office address: Kypranoros 15, Nicosia 1061, Cyprus
Postal address: P.O.Box 23378, 1682 Nicosia, Cyprus
Tel: +357 22818456
Email: commissioner@dataprotection.gov.cy
10.3 The Processor shall be liable to the data subject, and the data subject shall be entitled to receive compensation for any material or non-material damage caused to the data subject by the Processor or its sub-processor as a result of a breach of the third-party beneficiary rights under this Agreement.
The Parties agree that if the Processor is held liable under Clause 10.2 hereof for damage caused by the data importer (or its sub-processor), the Processor shall be entitled to recover from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
10.4 Where more than one Party is responsible for damage caused to a data subject as a result of a breach of this Agreement or the Data Protection Laws, all responsible Parties shall be jointly and severally liable to the data subject.
If a Party is held liable under this Clause 10.4 it shall be entitled to recover from the other Party(-ies) that part of the compensation corresponding to its / their responsibility for the damage.
11.1 This Agreement shall enter into force on the effective date of the Service Agreement or as soon as the processing of the Personal Data on behalf of the Controller commences and shall terminate automatically either: when the Service Agreement is terminated or expires; or when the Processor has deleted or returned all Personal Data and copies thereof in accordance with Article 9 of this Agreement, whichever occurs first.
11.2 In the event that either Party breaches or fails to comply with this Agreement (in this clause – the “Breaching Party”), the other Party may:
(a) identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be taken by the Breaching Party to remedy the situation, if necessary, in consultation with the Breaching Party; and/or
(b) suspend the transfer of personal data to the Breaching Party until compliance is restored or the Agreement is terminated.
11.3 Termination or expiry of this Agreement shall not relieve either Party of its obligations under Articles 3, 9 and 10 hereof and other provisions which by their nature or purpose are intended to survive termination or expiry of the Agreement.
12.1 The Parties agree that the terms as set out herein supersede and replace any existing privacy and data protection terms contained in the Service Agreement relating to the processing of the Personal Data.
12.2 Hierarchy. In the event of any inconsistency between this Agreement and any other provisions of the Service Agreement between the Parties in existence at the time this Agreement is entered into or thereafter, this Agreement shall prevail.
12.3 This Agreement shall be governed by and construed in accordance with the laws of the Republic of Cyprus. The Parties submit to the exclusive jurisdiction of the Limassol District Court, Cyprus for the resolution of any dispute relating to this Agreement.
A data subject may also bring legal proceedings against the Party(-ies) in the courts of the EU Member State in which he/she has his/her habitual residence.
12.4 Except as otherwise expressly provided in this Agreement, each Party shall be responsible for its own fees and expenses incurred in connection with this Agreement and the transactions contemplated hereby, including fees of attorneys, data protection officers, information security specialists, and any other activities related to the foregoing.
12.5 Terms not defined in this Agreement shall have the meanings ascribed to them in the Service Agreement unless otherwise stated.
12.6 By entering into the Service Agreement, the Client/Customer is deemed to have signed this Data Processing Agreement, including its Annexes, as of the effective date of the Service Agreement.
Appendix 1. Security measures
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in the premises and facilities (including databases, application servers and related hardware) where Personal Data are processed, such as:
establishment of security areas, restriction of access routes;
establishing access authorizations for employees and third parties;
access control systems (e.g. ID reader, magnetic card, chip card);
door locking (electric door openers etc.);
security guards, caretakers;
surveillance equipment, video/CCTV monitoring, alarm system;
security of distributed computing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent the use of data processing systems by unauthorized persons include:
user identification and authentication procedures;
ID/password security procedures (special characters, minimum length, password changes);
automatic blocking (e.g. password or timeout);
intrusion attempt monitoring and automatic user ID disabling after multiple incorrect password attempts;
creation of a master record per user, per user master data procedure, per computing environment;
encryption of archived media.
3. Data access control
Technical and organizational measures to ensure that persons authorised to use a data processing system only have access to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified, or deleted without authorization, including:
internal policies and procedures;
authorization control schemes;
differentiated access rights (profiles, roles, transactions and objects);
monitoring and logging of accesses;
disciplinary action against employees who access Personal Data without authorization;
access reports;
access procedures;
amendment procedures;
deletion procedures;
encryption.
4. Disclosure control
Technical and organizational measures to ensure that Personal Data during electronic transmission, transport or storage on storage media (manual or electronic) cannot be read, copied, modified, or deleted without authorization and that it can be verified to which companies or other legal entities Personal Data is disclosed, including:
encryption/tunnelling;
logging;
transport security.
5. Entry control
Technical and organizational measures to monitor whether data has been entered, modified, or removed (deleted) from data processing systems, and by whom, including:
logging and reporting systems;
audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Personal Data is processed only in accordance with the instructions of the controller including:
unambiguous wording of the contract;
formal mandate (request form);
criteria for selection of the processor.
7. Availability control
Technical and organizational measures to ensure that Personal Data are protected against accidental destruction or loss (physical/logical) including:
backup procedures;
hard drive mirroring (e.g. RAID technology);
uninterruptible power supply (UPS);
remote storage;
anti-virus/firewall systems;
disaster recovery plan.
8. Separation control
Technical and organizational measures to ensure that Personal Data collected for different purposes can be processed separately including:
separation of databases;
“Internal client” concept / limitation of use;
segregation of functions (production/testing);
procedures for storing, amending, deleting and transferring data for different purposes.
Last updated: 18 Sep 2024