Contracting Parties
Mirus Consultanță Fiscală S.R.L. (“Mirus”or “we”), having its legal headquarters in Bucharest, 26 Biharia Street, 1st District, registered with the Trade Registry under no. J40/8224/2011, VAT number RO28785604, bank account IBAN RO65 INGB 0000 9999 0277 1419, opened with ING Bank Romania, legally represented by Mr. Ionuţ Zeche, (the” Provider”)
The following names/phrases contained in this Agreement will have the meaning assigned in the following terms:

„Applicable Law” means the totality of the norms and provisions of the normative acts in force or to be adopted during the duration of this Agreement with respect to or having an impact on the processing of personal data applicable within the European Union and those applicable in the place where the processing is carried out;

„GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

„Personal data” means any information relating to an identified or identifiable natural person (‘data subject’), whose Processing is protected by the Applicable Law;

„Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

„Services” means the totality of services provided to the Beneficiary by the Provider based on the Contract;

„Controller” means the entity that establishes the purposes and means of processing of personal data;

means the entity which processes personal data on behalf of the operator;


„Beneficiary data” means personal data transmitted by the or for the Beneficiary to the Provider and processed by the latter in performance of the Contract;

„Security incident” means destruction, loss, accidental or unlawful alteration, or disclosure or unauthorized access to Personal data transmitted, stored or otherwise processed.

Object of the Agreement. The purpose of the processing of personal data
The object of this Agreement consists in determining the conditions in which the Beneficiary’s Personal data is to be processed by the Provider.


The Provider, as Processor of the Controller, processes the Beneficiary’s Personal Data on behalf of the Beneficiary in accordance with the provisions of this Agreement.


If the Provider processes the Beneficiary’s Personal Data for a purpose other than that provided for in the Agreement, it will provide the data subject with all the information required by the Applicable Law, in particular with regard to the purpose and basis of the processing. In this case, the Provider will acquire the capacity of Controller, together with all the obligations arising from such quality.

 Duration of the Agreement


This Agreement shall produce effects as from the date of its conclusion and shall remain in force until the termination of the Contract.
Obligation of the Beneficiary

The Beneficiary undertakes to transfer to the Provider only Personal Data that has been obtained and processed in accordance with GDPR standards.


The Beneficiary undertakes to inform the data subjects of the disclosure / transfer of Personal Data to the Provider and of any potential change of purpose and to obtain the valid consent under the GDPR, insofar as the basis of the processing is theIR consent.

The Beneficiary will not send instructions to the Provider that are contrary to GDPR provisions.

The Beneficiary undertakes to indemnify and hold harmless the Provider and its affiliates against and against any claims, proceedings, hearings, actions, damages, liability, fines or sanctions, costs, losses, judgments or expenses (including reasonable expenses with legal aid); what might be suffered by the Provider as a result of the breach by the Beneficiary of the above obligations.

Obligations of the Provider
The Provider declares, guarantees and undertakes that it will process the Personal data of the Beneficiary in compliance with all the provisions of the Applicable Law:

The Provider guarantees, in particular:

a)      To process the Beneficiary’s Personal Data solely to the express instructions of the Beneficiary in order to fulfill its obligations under the Contract, unless such processing is required by mandatory national or European law; in such a case, the Provider shall inform the Beneficiary prior to processing;

b)      To immediately inform the Beneficiary in case of, in his opinion one of the Beneficiary’s instruction is not in accordance with the Applicable Law;

c)       Not to transfer or to disclose Personal data to third party without the express, prior and written consent of the Beneficiary;

d)      To ensure that all the employees are under a legal or conventional confidentiality obligation;

e)       To implement suitable technical and organizational measures and to revise periodically this measures in order to ensure a high standard of Personal data security as set out in the Applicable Law.

f)        To delete or return, at the Beneficiary’s choice, all Personal data received from the Beneficiary at his request or at the termination of the Contract, unless mandatory national or European provisions require a longer storage period.

g)      To provide the Beneficiary all the necessary information in order to prove the compliance with the provisions provided by the article 28 from RGPD;

h)      To assist the Beneficiary, to the extent possible, in fulfilling its obligations regarding the exercise of rights by the data subject;

i)        offer assistance to the Beneficiary concerning all necessary data protection impact assessments as per art. 35 of the GDPR, as well as related to any prior consultation request addressed to the supervisory authority according to art.36 of the GDPR.


j)        To create and maintain a up-to-date record of conducted processing under this Agreement, in compliance with the provisions of the Applicable Law;

k)      To notify without delay the Beneficiary regarding any Security Incident and in any case no later than 36 hours as of the moment when he became aware of the Security Incident;

l)        To carry out all processing operations within the European Economic Area.

Provider’s Employees
The Provider undertakes to grant the employees or agents access to the Personal data only under the following conditions:

a)      Personal data access is granted solely to employees or agents who are involved in the providing of Services.

b)      If access is required as per the above provisions, it is limited to those types of Personal data that are strictly necessary for providing the Services.

The Provider declares and warrants that all its employees and agents who will process the Beneficiary’s Personal data:

a)      Are informed regarding the confidentially character of the Beneficiary’s Personal data and are aware of the Provider’s obligations;

b)      Are held by legal or conventional confidentiality obligation;

c)       Are properly trained in the processing of personal data;

d)      They have become aware of the obligations of the Provider and of their personal obligations regarding the execution of the Contract.

Personal Data Security
Taking into account the state-of-the-art technology, implementation costs and the nature, the purpose, context and purposes of processing the Beneficiary’s Personal Data, as well as the risk to the rights and freedoms of the data subjects, the Provider undertakes to implement and maintain technical and organizational measures to ensure an adequate level of security, including, but not limited to, the measures referred to in Article 32 (1) of the GDPR. Notwithstanding the general nature of the foregoing, and in particular its obligation to determine the appropriateness of any additional technical and organizational measures, the Provider shall implement and maintain each of the technical and organizational measures necessary to ensure the security of the Beneficiary’s Personal Data

When assessing the appropriate level of security, the Provider must take into account, in particular, the risks involved in the processing, in particular the destruction, loss, alteration, unauthorized disclosure or unauthorized access to the Beneficiary’s Personal Data transmitted, stored or otherwise processed.

At the request of the Beneficiary, the Provider must provide the Beneficiary with information on the compliance of the Provider with the obligations set forth in this Agreement.

Subcontractors of the Provider
The Beneficiary grants hereto a general written authorization for the Provider to use subcontractors or another processors (the “Subcontractors”) such as attorneys, translators, business consultants, IT and data storage providers. For other types of Subcontractors prior approval shall be needed.

In relation to Subcontractors, the Provider shall:

a)      Make available to the Beneficiary, at his request, full details concerning the data processing to be carried out by the Subcontractors.

b)      Take appropriate safeguards to make sure that each of them is able to ensure a data protection level, for the Beneficiary’s data, that is at least the equivalent of the one provided by the Provider.

c)       Ensure that all Subcontractors will undertake, by written agreement, the same obligations as the ones imposed on the Supplier by this Agreement and Contract. Upon request, the Provider shall supply the Beneficiary with a copy of the agreements signed with the Subcontractors.

d)      Remain fully liable towards the Beneficiary for any failure of the Subcontractors to fulfil their obligations related to the processing of any of the Beneficiary’s data.


Exercise of right by Data Subjects
To the extent possible, the Provider shall support the Beneficiary by implementing suitable technical and organizational measures in order to facilitate the fulfillment of the Beneficiary’s obligations, as operator, in relation to responses to any exercise of rights demands of the data subjects.

The Provider shall notify the Beneficiary in maximum 10 (ten) calendar days from the date of receiving any request from a data subject regarding the data processed in the name of the Beneficiary.

The Provider shall not answer any request from data subjects regarding the data processed in the name of the Beneficiary without a prior written consent of the Beneficiary in this respect.

The Provider shall reasonably cooperate with the Beneficiary in order to satisfy exercise of rights by a data subject regarding the data processed in the name of the Beneficiary, as well as to allow compliance with any evaluation, inquiry or investigation regarding the data processed in the name of the Beneficiary, including by supplying information requested by the Beneficiary within a reasonable timeframe.

Breach of Security
The Provider shall promptly notify the Beneficiary and in any case before the notice of supervisory authority and no later than 36 hours from the moment it has become aware of a security incident, offering the Beneficiary relevant information as to allow it to fulfil its obligations of reporting a personal data breach. The notice mentioned herein shall include, to the extent possible and know by the Provider all information below:

a)      Description of the nature of the security incident and if possible, the categories and number of data subjects affected as well as the categories and approximate number of personal data records concerned;

b)      the name and contact details of the relevant contact person where more information can be obtained;

c)       Description of the likely consequences of the personal data breach;

d)      Description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Provider shall cooperate with the Beneficiary and shall undertake, according to the Beneficiary’s instructions, all the necessary measures to investigate, mitigate and remedy the adverse effects of security breaches.

In case of a security breach, the Provider shall not inform any third party without a prior written consent of the Beneficiary with the exception of the case in which the legislation applicable to the Provider compels it to do so.

The Provider undertakes to keep and to present to the Beneficiary, at his request all documents and/or all information regarding security breaches.

Deletion or return of Personal Data
8.12.1 Upon the date of finishing the processing of the Beneficiary’s data by the Provider or upon the date of termination of the Contract, whichever will be first („Relevant Date”), the Provider shall notify the Beneficiary to express its choice to return or delete the data processed in the name of the Beneficiary.

8.12.2 If the Beneficiary does not respond to the Provider’s notice in 30 (thirty) calendar days, the aforementioned shall delete all existent copies of the data processed in the name of the Beneficiary.

8.12.3 Without prejudice to the provisions above, the Provider shall be entitled to keep the Beneficiary’s data after the Relevant Date only in such a case that the Provider is obliged to do so by the European or nation legislation applicable to it and only for the period of time mentioned in the legislation applicable to it.

Final provisions
This Agreement is governed by the Romanian law and the GDPR provisions. All disputes regarding the validity or arising from the interpretation, performance or termination of this Agreement shall be submitted to and settled by the competent court with jurisdiction over the Provider’s headquarters.

For purposes of this Agreement, the Parties designate the following contact persons:

Ø  For the Provider: Mr. Alexandru-Cezar Daminescu, representative of the Mirus Group DPO, e-mail:;

8.13.3 During the entire Agreement period, any amendment to the applicable legislation will take effect from the date it enters into force, without any prior notice or any amendment of the Agreement being necessary. For removal of doubt, all references in the Contract to the applicable legislation shall concern the version in place at the date of the data processing.