12. Personal Data Processing Terms
For the purposes of the terms that relate to the processing of personal data, Client shall be called “Controller” and KOOLMETRIX shall be called “Processor”. Controller and Processor mutually agreed and accepted the following:
- During the performance of this Agreement and for its purposes Controller may disclose or transfer to Processor information that constitutes Personal Data under applicable Greek and European Union (EU) legislation (hereinafter “Applicable Law”).
- It may be necessary for Processor to process certain Data that are considered Personal Data under Applicable Law on behalf of Controller, in order to successfully perform its obligations under this Agreement.
Therefore, the following were agreed, stipulated and mutually accepted:
12.1 Processor is appointed by Controller to Process such Personal Data for and on behalf of Controller as is necessary for the performance of this Agreement, and as may subsequently be agreed to by the Parties in writing. Any such subsequent agreement shall be subject to the provisions of this Agreement.
12.2 Processor shall process Personal Data exclusively for the purposes of this Agreement, as entered into between the Parties, on behalf of and only under the direction of Controller, unless Processor has a legal obligation under the Applicable Law to do otherwise.
12.3 In case Controller transfers or in any way discloses to Processor Personal Data which are not necessary for the performance of this Agreement, then Processor shall notify Controller of this occurrence and shall destroy or delete completely the aforementioned unnecessary data.
12.4 The data will be processed exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Any transfer of data to a country which is not a Member State of either the EU or the EEA requires the prior consent of Controller and is subject to compliance with the special requirements on transfers of personal data to countries outside the EU/EEA, in accordance with the Applicable Law.
12.5 Processor shall keep Personal Data logically separate from data Processed on behalf of any other third party.
12.6 Throughout the duration of Processing, Processor shall take measures to establish data security in accordance with Applicable Law. The measures to be taken must guarantee a protection level appropriate to the type of data, to the nature and the purpose of processing and to any relevant risks, and must guarantee the confidentiality, integrity, availability and resilience of the Personal Data. The aforementioned technical and organizational measures shall be monitored and evaluated regularly by Processor.
12.7 Processor undertakes to provide to Controller on request all information, clarifications and evidence that are necessary for Controller to ascertain the technical and organizational measures mentioned in clause 12.6 hereof.
12.8 Processor ensures that its personnel, under any capacity and especially if they have access to Personal Data, are well trained and have the necessary skills and knowledge in order to enable Processor to fully meet its obligations under this Agreement.
12.9 If a Data Subject makes an application directly to Processor to request the exercise of any of his rights relating to his Personal Data processed by Processor under this Agreement, then Processor must forward this request to Controller without delay and execute Controller’s directions accurately. Processor may not take any action on its own authority; in particular, Processor may not rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of Controller, but shall only do so on written instructions from Controller or if it is required by this Agreement or by Applicable Law.
12.10 Processor shall notify Controller in the most expedient time possible under the circumstances and without unreasonable delay after having become aware of any potential, accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data (hereinafter “Personal Data Breach”). Processor shall investigate the Personal Data Breach and inform Controller. In addition, Processor shall take appropriate measures, within his capabilities, to prevent further Personal Data Breaches. In consultation with Controller, Processor shall take all appropriate actions and measures to restore the security level, to secure the data and to limit any possible further detrimental effect on the Data Subjects and on Controller’s interests, if this detrimental effect is connected to the Personal Data Breach or is a consequence of the Personal Data Breach.
In addition, Processor shall provide to Controller any information that Processor has and that Controller may reasonably ask in relation to the Personal Data Breach.
12.11 Processor shall assist Controller by taking appropriate measures with regard to Controller’s obligation to inform competent authorities and Data Subjects in case of a Personal Data Breach (obligation to notify and communicate a personal data breach), as well as with regard to any obligation to produce an Impact Assessment (DPIA).
12.12 Upon completion of the contractual work as laid down in this Agreement or when requested by Controller, and within a reasonable time which shall not exceed ten (10) days, Processor must, at the discretion of Controller, return to Controller all documents in its possession and all work products and data produced, or delete them in compliance with the Applicable Law. The deletion log must be presented by Processor upon request by Controller.
12.13 Controller hereby declares that upon entering into this Agreement Controller is aware that, for the provision of the Services of this Agreement, it is necessary to use the services of the following third-party providers and consents to such use in case they are considered, for any reason, to be Sub-Processors of Processor:
| THIRD-PARTY PROVIDER | SERVICES |
| --- | --- |
| Google Group of companies (Google LLC, Google Ireland & Affiliates) | Google Ads, Google Merchant Center, Google Analytics, Google Display Ads |
| Meta Group of companies (Facebook Inc, Facebook Ireland & Affiliates) | Facebook Ads, Meta Business Manager |
Processor is prohibited from assigning to a Sub-Processor the processing in any way of personal data, which Processor undertook under this Agreement, unless, prior to the commencement of the aforementioned processing, the following conditions are met cumulatively:
- a) Processor has notified Controller in writing and has Controller’s written consent. The relevant notification must at least include, apart from Sub-Processor’s identity, the purposes and the extent of the proposed Processing by a Sub-Processor, as well as information on whether the processing will take place in a country outside of the EU/EEA.
- b) Processor has guaranteed that the proposed processing by Sub-Processor is completely compliant with Greek and EU Personal Data legislation.
- c) Processor shall impose on Sub-Processor the same data protection obligations, which Processor undertakes towards Controller, as set out in this Agreement, in particular with regard to the provision of sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the Applicable Law.
12.14 In case Controller, with regard to the data mentioned in this Agreement, is considered a processor under Applicable Law, then it is agreed that the other Party herein is considered a sub-processor and that with regard to everything else all the terms of this Agreement apply fully.