CONDITIONS OF ADQUIRA AS SUPPLIER´S DATA PROCESSOR
These conditions are part of the Contract signed between Adquira and the SUPPLIER. They not entail novation of the Contract except where specially set out in this document, all the clauses of the former remaining in force and applicable unless this document includes terms different from those set out in the mentioned Contract.
One. - Types of personal data.
The Data Processor may access, to manage the contract, to personal data related to the following categories of data subjects: Clients, Employees and Suppliers. The types of data that ADQUIRA could access may be identification, academic and professional data and, where appropriate, data related to employment.
Should the SUPPLIER provide, through the ADQUIRA platform, other categories of data other than those mentioned previously or special categories of personal data, the SUPPLIER will expressly inform ADQUIRA of this situation so that it may adopt suitable technical and organizational security measures.
The nature of the processing that the Data Processor may carry out, where appropriate, on behalf of the Processor will concern storage of the SUPPLIER’s information on the platform. The purpose of the processing will be that which is derived from the provision of the contracted service.
Two. - Instructions of the Data Processor.
The data that may become known or which are obtained in virtue of the Contract may not be used for any other purpose other than its execution. The data will be confidential and will not be published or made known to third parties without the prior written authorization of the Data Controller, except where expressly authorized by Law.
Three. - Audit. Supervisory Authority Audit.
If a Supervisory Authority requires an audit of the data processing facilities from which Adquira Processes Supplier personal data in order to ascertain or monitor Adquira 's compliance with data protection laws, Adquira shall reasonably cooperate with any such audit. Adquira will make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Contract and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. Supplier may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of the Contract. The audit reports are Confidential Information of the parties under the terms of the Contract.
Four. - Recording of processing activities.
ADQUIRA will keep a written, computerized inventory of all the categories of processing activities carried out, on behalf of the Data Controller, which will include at least the following information:
- Name and contact details of the person responsible for protection of data of the Data Controller and, where appropriate, those of the Data Protection Officer.
- Category of the processing.
- In the event of international transfer, identification of the third country and the documentation setting out adequate guarantees.
- Description of the technical, organizational, physical and administrative security measures
Five.- Duty of confidentiality.
The data, documents and information held by the Data Controller – should they could become known to ADQUIRA in virtue of this Contract – will remain secret. This obligation will remain in force until their destruction. Concerning its employees, ADQUIRA will take the measures necessary to inform them of the obligations bearing upon ADQUIRA as the Data Processor and which they must respect.
Six. - Subcontracting system.
Should ADQUIRA use subcontractors (sub-processors) to carry out certain personal data processing activities on behalf of the SUPPLIER, ADQUIRA must obtain prior authorization from the SUPPLIER. To that end, ADQUIRA will inform the SUPPLIER in writing in advance of the subcontracting that is planned, providing the details of the third parties it seeks to subcontract.
If the SUPPLIER did not state its objection to said subcontracting in writing within 15 days as from the receipt of the relevant notification, it will be understood not to object to it. The same terms and obligations will apply if ADQUIRA has the intention to replace one or several of itssub-processors.
ADQUIRA will impose upon the sub-processor in writing the same data protection obligations set out in this Appendix. Said obligations might, likewise, be extendable for ADQUIRA if the sub-processor uses other third parties and if there is a chain of subcontractors, such that ADQUIRA and any of the successive subcontractors as far as the last in the chain, will be subject to the same obligations. ADQUIRA will be fully liable to the SUPPLIER and will be answerable for the actual fulfilment of the obligations concerning the protection of the data of the possible subcontractors who participate in the processing of the personal data.
Seven. - Security measures.
ADQUIRA will apply appropriate technical and organizational measures to guarantee a level of security adequate to the risk, given the state of the art, the costs of application, the nature of the data stored, the scope, context and purposes of the processing, as well as the impact that this may have on the rights and freedoms of natural persons.
At all events, ADQUIRA must implement mechanisms to: (i) guarantee the permanent confidentiality, integrity, availability and resilience of the processing systems and services; (ii) rapidly restore the availability and access to the personal data in the event of a physical or technical incident; (iii) regularly verify, evaluate and assess the effectiveness of the technical and organizational means implemented to guarantee the security of the processing. Moreover, ADQUIRA will be obliged to fulfil its duties to carry out whatever impact assessments in the area of data protection that it may be obliged to perform.
Eight.- Notification of security incidents.
The Data Processor undertakes to notify the Data Controller, without undue delay, of any incident concerning the security of the personal data, according to the nature of the data processed, the risks associated with the loss, destruction or alteration of said personal data and the information ADQUIRA may hold, so that the Controller can make the suitable decisions with respect to the incident that has occurred. Such decisions will be conveyed to ADQUIRA.
Nine. - Rights of the data subjects.
ADQUIRA shall assist the Data Controller, through the appropriate technical and organizational means according to the nature of the data processed, in the requests to exercise the rights of the interested parties. In particular, their rights of access, rectification, erasure (“right to be forgotten”), object, request for portability of data, restriction to processing, and to not be subject to automated individual decision-making, including profiling. Should natural persons exercise their rights before ADQUIRA, the latter will inform the Data Controller of this matter without undue delay.
Ten.- Return or destruction of the data
After the term of the contract, and if the Data Controller decides to do so, ADQUIRA undertakes to return and/or to destroy the personal data to which it has had access to carry out the purpose of this Contract.