GDPR

„Applicable Law” means the totality of the norms and provisions of the normative acts in force or to be adopted during the duration of this Agreement with respect to or having an impact on the processing of personal data applicable within the European Union and those applicable in the place where the processing is carried out;

„GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

„Personal data” means any information relating to an identified or identifiable natural person (‘data subject’), whose Processing is protected by the Applicable Law;

„Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

„Services” means the totality of services provided to the Beneficiary by the Provider based on the Contract;

„Controller” means the entity that establishes the purposes and means of processing of personal data;

„Processor” means the entity which processes personal data on behalf of the operator;

„Beneficiary data” means personal data transmitted by the or for the Beneficiary to the Provider and processed by the latter in performance of the Contract;

„Security incident” means destruction, loss, accidental or unlawful alteration, or disclosure or unauthorized access to Personal data transmitted, stored or otherwise processed.

The Provider, as Processor of the Controller, processes the Beneficiary’s Personal Data on behalf of the Beneficiary in accordance with the provisions of this Agreement.

If the Provider processes the Beneficiary’s Personal Data for a purpose other than that provided for in the Agreement, it will provide the data subject with all the information required by the Applicable Law, in particular with regard to the purpose and basis of the processing. In this case, the Provider will acquire the capacity of Controller, together with all the obligations arising from such quality.

The Beneficiary undertakes to transfer to the Provider only Personal Data that has been obtained and processed in accordance with GDPR standards.

The Beneficiary undertakes to inform the data subjects of the disclosure / transfer of Personal Data to the Provider and of any potential change of purpose and to obtain the valid consent under the GDPR, insofar as the basis of the processing is theIR consent.

The Beneficiary will not send instructions to the Provider that are contrary to GDPR provisions.

The Beneficiary undertakes to indemnify and hold harmless the Provider and its affiliates against and against any claims, proceedings, hearings, actions, damages, liability, fines or sanctions, costs, losses, judgments or expenses (including reasonable expenses with legal aid); what might be suffered by the Provider as a result of the breach by the Beneficiary of the above obligations.

The Provider guarantees, in particular:

a)      To process the Beneficiary’s Personal Data solely to the express instructions of the Beneficiary in order to fulfill its obligations under the Contract, unless such processing is required by mandatory national or European law; in such a case, the Provider shall inform the Beneficiary prior to processing;

b)      To immediately inform the Beneficiary in case of, in his opinion one of the Beneficiary’s instruction is not in accordance with the Applicable Law;

c)       Not to transfer or to disclose Personal data to third party without the express, prior and written consent of the Beneficiary;

d)      To ensure that all the employees are under a legal or conventional confidentiality obligation;

e)       To implement suitable technical and organizational measures and to revise periodically this measures in order to ensure a high standard of Personal data security as set out in the Applicable Law.

f)        To delete or return, at the Beneficiary’s choice, all Personal data received from the Beneficiary at his request or at the termination of the Contract, unless mandatory national or European provisions require a longer storage period.

g)      To provide the Beneficiary all the necessary information in order to prove the compliance with the provisions provided by the article 28 from RGPD;

h)      To assist the Beneficiary, to the extent possible, in fulfilling its obligations regarding the exercise of rights by the data subject;

i)        offer assistance to the Beneficiary concerning all necessary data protection impact assessments as per art. 35 of the GDPR, as well as related to any prior consultation request addressed to the supervisory authority according to art.36 of the GDPR.

j)        To create and maintain a up-to-date record of conducted processing under this Agreement, in compliance with the provisions of the Applicable Law;

k)      To notify without delay the Beneficiary regarding any Security Incident and in any case no later than 36 hours as of the moment when he became aware of the Security Incident;

l)        To carry out all processing operations within the European Economic Area.

a)      Personal data access is granted solely to employees or agents who are involved in the providing of Services.

b)      If access is required as per the above provisions, it is limited to those types of Personal data that are strictly necessary for providing the Services.

The Provider declares and warrants that all its employees and agents who will process the Beneficiary’s Personal data:

a)      Are informed regarding the confidentially character of the Beneficiary’s Personal data and are aware of the Provider’s obligations;

b)      Are held by legal or conventional confidentiality obligation;

c)       Are properly trained in the processing of personal data;

d)      They have become aware of the obligations of the Provider and of their personal obligations regarding the execution of the Contract.

When assessing the appropriate level of security, the Provider must take into account, in particular, the risks involved in the processing, in particular the destruction, loss, alteration, unauthorized disclosure or unauthorized access to the Beneficiary’s Personal Data transmitted, stored or otherwise processed.

At the request of the Beneficiary, the Provider must provide the Beneficiary with information on the compliance of the Provider with the obligations set forth in this Agreement.

In relation to Subcontractors, the Provider shall:

a)      Make available to the Beneficiary, at his request, full details concerning the data processing to be carried out by the Subcontractors.

b)      Take appropriate safeguards to make sure that each of them is able to ensure a data protection level, for the Beneficiary’s data, that is at least the equivalent of the one provided by the Provider.

c)       Ensure that all Subcontractors will undertake, by written agreement, the same obligations as the ones imposed on the Supplier by this Agreement and Contract. Upon request, the Provider shall supply the Beneficiary with a copy of the agreements signed with the Subcontractors.

d)      Remain fully liable towards the Beneficiary for any failure of the Subcontractors to fulfil their obligations related to the processing of any of the Beneficiary’s data.

The Provider shall notify the Beneficiary in maximum 10 (ten) calendar days from the date of receiving any request from a data subject regarding the data processed in the name of the Beneficiary.

The Provider shall not answer any request from data subjects regarding the data processed in the name of the Beneficiary without a prior written consent of the Beneficiary in this respect.

The Provider shall reasonably cooperate with the Beneficiary in order to satisfy exercise of rights by a data subject regarding the data processed in the name of the Beneficiary, as well as to allow compliance with any evaluation, inquiry or investigation regarding the data processed in the name of the Beneficiary, including by supplying information requested by the Beneficiary within a reasonable timeframe.

a)      Description of the nature of the security incident and if possible, the categories and number of data subjects affected as well as the categories and approximate number of personal data records concerned;

b)      the name and contact details of the relevant contact person where more information can be obtained;

c)       Description of the likely consequences of the personal data breach;

d)      Description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Provider shall cooperate with the Beneficiary and shall undertake, according to the Beneficiary’s instructions, all the necessary measures to investigate, mitigate and remedy the adverse effects of security breaches.

In case of a security breach, the Provider shall not inform any third party without a prior written consent of the Beneficiary with the exception of the case in which the legislation applicable to the Provider compels it to do so.

The Provider undertakes to keep and to present to the Beneficiary, at his request all documents and/or all information regarding security breaches.

8.12.2 If the Beneficiary does not respond to the Provider’s notice in 30 (thirty) calendar days, the aforementioned shall delete all existent copies of the data processed in the name of the Beneficiary.

8.12.3 Without prejudice to the provisions above, the Provider shall be entitled to keep the Beneficiary’s data after the Relevant Date only in such a case that the Provider is obliged to do so by the European or nation legislation applicable to it and only for the period of time mentioned in the legislation applicable to it.

For purposes of this Agreement, the Parties designate the following contact persons:

Ø  For the Provider: Mr. Alexandru-Cezar Daminescu, representative of the Mirus Group DPO, e-mail: dataprotection@mirus-group.eu;

8.13.3 During the entire Agreement period, any amendment to the applicable legislation will take effect from the date it enters into force, without any prior notice or any amendment of the Agreement being necessary. For removal of doubt, all references in the Contract to the applicable legislation shall concern the version in place at the date of the data processing.