1. Introduction
This Data Processing Agreement forms part of our Terms and Conditions of Use and sets out our agreement in relation to the protection of data that is stored in our software (ReSales Online) by MEMBER AGENTS. This agreement should be read in conjunction with our Legal Notice and Privacy Policy, and the full text of these Terms and Conditions of Use.
In consideration of you, the MEMBER AGENT (“Data Controller”) making Personal Data available to RESALES ANDALUCIA SL (“the Data Processor”), the Data Processor hereby agrees to process the Data Controller’s Personal Data in accordance with the terms and conditions of this Data Processing Agreement.
2. Definitions
“Appropriate Technical and Organisational Measures” means processes and procedures such that, having regard to the state of technological development, the cost of implementation and the nature of the Data Controller's Personal Data, will ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing of, or accidental loss or destruction of, or damage to, the Data Controller's Personal Data. Such measures shall comprise, as a minimum, those measures set out in Information Security below and any additional measures from time to time notified in writing by the Data Processor to the Data Controller and reasonably agreed by the Parties.
“Data Controller” (you, the MEMBER AGENT) and “Data Processor” (ReSales Andalucia SL) shall have the meanings given to them in the Personal Data Protection Regulations.
“Personal Data Protection Regulations” refers to the General Data Protection Regulation (Regulation (EU) 2016/679); and the Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de Derechos Digitales.
“Data Subject” means an individual whose Personal Data is being processed through or in relation to the Services.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss or alteration of, or the unauthorised acquisition, access, use or disclosure of, Personal Data, consistent with Article 4(12) of the GDPR.
“Personal Data” shall have the same meaning as in the personal data protection regulations.
“Non-adequate Country” means a country that is deemed not to provide an adequate level of protection for Personal Data within the meaning of the personal data protection regulations.
“Services” shall mean the services provided by the Data Processor in relation to the processing of the Data Controller’s Personal Data as described in the Agreement.
3. General obligations of the Data Controller and the Data Processor
The DATA PROCESSOR and all its personnel undertake to:
Use the personal data being processed, or the data collected for subsequent inclusion, for the sole purpose of fulfilling the object of the contract. Under no circumstances may the DATA PROCESSOR process the personal data for its own purposes or for its own benefit or for the benefit of a third party.
Process the personal data in accordance with the instructions of the DATA CONTROLLER, where applicable. If the DATA PROCESSOR considers that any of the instructions infringes the LOPDGDD, the RGPD (GDPR) or any other provision in force on personal data protection in the Union or the Member States, it shall immediately inform the DATA CONTROLLER.
Keep a written record of all categories of processing activities carried out on behalf of the DATA CONTROLLER.
Not communicate the personal data to third parties without the express authorisation of the DATA CONTROLLER, except in the legally admissible cases, such as the communication of personal data to those employees who need access to it for the fulfilment of the object of the contract, or to those administrative, judicial or police bodies that require it for the same purpose. The DATA PROCESSOR may disclose personal data to other processors engaged by the DATA CONTROLLER, always in accordance with the instructions of the DATA CONTROLLER. In this case, the DATA CONTROLLER shall identify, in advance and in writing, the entity to which the data are to be communicated, the data to be communicated and the security measures to be applied when making the communication. If the DATA PROCESSOR is required by applicable Union or Member State law to transfer the personal data of data subjects to a third country or international organisation, it shall inform the DATA CONTROLLER of that legal requirement in advance and in writing, unless such law prohibits it for important reasons of public interest.
Maintain the duty of secrecy and confidentiality with respect to the personal data to which it has access by virtue of this contract, even after the end of the object of the main Contract.
Ensure that the persons authorised to process the personal data undertake, expressly and in writing, to respect the duty of secrecy and confidentiality established in this contract, and to comply with the corresponding security measures, of which they must be duly informed.
Keep at the disposal of the DATA CONTROLLER the documentation accrediting compliance with the obligation established in the previous section.
Assist the DATA CONTROLLER in responding to the exercise of the data subjects' rights of access, rectification, erasure, restriction, portability and objection.
Support the DATA CONTROLLER in carrying out prior consultations with the supervisory authority and data protection impact assessments, where appropriate.
Obligations of the Data Controller:
Deliver to the DATA PROCESSOR the personal data referred to in Clause 2 of this contract.
Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the DATA PROCESSOR, where applicable.
Carry out the appropriate prior consultations with the supervisory authority, where appropriate.
Ensure, prior to and throughout the processing, compliance with the LOPDGDD and the RGPD (GDPR) by the DATA PROCESSOR.
Supervise the DATA PROCESSOR's processing of personal data, including the performance of inspections and audits.
Inform the data subjects in advance about the possibility of access to their personal data by the DATA PROCESSOR, responding to the duty of information on data protection included in the applicable regulations.
4. Change of circumstances and law
If the Data Processor:
determines that it is unable for any reason to comply with its obligations under this Agreement and the Data Processor cannot cure this inability to comply;
or becomes aware of any circumstance or change in the Data Protection Laws, that is likely to have a substantial adverse effect on the Data Processor's ability to meet its obligations under this Agreement;
the Data Processor shall promptly notify the Data Controller thereof, in which case the Data Controller will have the right to temporarily suspend the processing until such time the processing is adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible, the Data Controller shall have the right to terminate the relevant part of the processing by the Data Processor.
5. Sub-processors
The sub-processors listed below are approved for processing of Personal Data under the circumstances specified in this agreement. The Data Controller agrees that this list could change dependent on the needs of the Data Processor for the provision of service. All sub-processors are checked for data protection compliance prior to the engagement of their services:
Amazon Web Services
MailChimp
RedStation
Santander Redsys
Intercom
6. Access to the Data Controller’s Personal Data
The Data Processor shall ensure that access to the Personal Data processed by the Data Processor under scope of the Agreement is limited to:
duly authorised officers, employees, agents and contractors (“the Data Processor’s Personnel”) who need access to the Personal Data to meet the Data Processor’s obligations under the agreement; and
such part or parts of the Personal Data as is strictly necessary for performance of the relevant Data Processor Personnel’s duties.
The Data Processor shall ensure that all the Data Processor Personnel:
are informed of the confidential nature of the Personal Data;
have undertaken training in the care, protection and handling of Personal Data; and
are aware of both the Data Processor’s duties and their personal duties and obligations under the personal data protection regulations and this agreement.
The Data Processor shall take reasonable steps to ensure the reliability of any of the Data Processor’s Personnel and Sub-processors who have access to the Personal Data.
7. Integration of the Data Controller's e-mail account
ReSales-Online allows the Data Controller to enjoy certain functionality in the sending of emails through the system. If you choose this optional functionality, you must provide certain information consisting of:
Your email address and the credentials used to authenticate to your mail server, such as your user name and password. The password is stored in encrypted form and cannot be viewed by the Data Processor's personnel; it is held in reversible (encrypted) rather than hashed form because the system must present it to your mail server each time it sends on your behalf.
8. Online Card Payments
Our online card facility uses the gateway services of Santander Redsys. When you enter your card details into our software they are encrypted before we send them to Santander Redsys. Your card details are stored on the Santander Redsys servers. At no time are your full card details stored on our servers or accessible by the Data Processor. You can read their Privacy Policy here.
9. Transfer of Personal Data
The Data Processor shall not transfer Personal Data to any Non-adequate Country outside EEA or make such Personal Data accessible from any such Non-adequate Country without the prior written approval of the Data Controller.
Any transfer of, or provision of access to, Personal Data outside the EEA to a third party (including affiliates of the Data Processor) who is located in a Non-adequate Country shall be governed by the terms of a data transfer agreement between the Data Processor and the Data Controller, which will contain the standard controller-to-processor contractual clauses published in the Decision of the European Commission of 5 February 2010 (Decision 2010/87/EU) or any other similar contractual clauses as may be adopted by the European Commission from time to time (“EU Model Clauses”). Where this applies, the Parties agree to separately enter into and sign the EU Model Clauses.
10. Notification and incidents and data security breaches
The DATA PROCESSOR shall notify the DATA CONTROLLER, without undue delay after becoming aware of it, of any security breach affecting the personal data under its responsibility, together with all the information relevant to the documentation and communication of the incident.
Under Article 33(1) of the GDPR, it is the DATA CONTROLLER's notification to the supervisory authority that may be omitted where the breach is unlikely to result in a risk to the rights and freedoms of natural persons; the DATA PROCESSOR's notification to the DATA CONTROLLER under the previous paragraph is not subject to that exception, so that the DATA CONTROLLER can make the risk assessment itself.
11. Rights of data subjects
The DATA PROCESSOR shall, where possible and taking into account the nature of the processing, create the necessary technical and organisational conditions to assist the DATA CONTROLLER in its obligation to respond to requests for the data subject's rights. In the event that the DATA PROCESSOR receives a request for the exercise of such rights, it must communicate this to the DATA CONTROLLER without undue delay and within a maximum of 7 days from receipt of the request, together with other information that may be relevant to the resolution of the request.
When the data are processed exclusively with the systems of the DATA PROCESSOR, it must resolve, on behalf of the DATA CONTROLLER and within the established period, the requests received for the exercise of the data subject's rights in relation to the data that are the object of the assignment, without prejudice to communicating this to the DATA CONTROLLER in accordance with the previous paragraph; namely, the rights of access, rectification, erasure and portability of data, the rights of restriction of, or objection to, the processing and, where applicable, the right not to be subject to automated individual decision-making.
12. The Data Processor’s obligation to assist the Data Controller
Where necessary, the Data Processor shall provide assistance to the Data Controller in complying with any request, enquiry, investigation or assessment of processing initiated by the Data Controller's employee, customer, a third party or any relevant public authority.
In particular, the Data Processor shall:
assist the Data Controller in fulfilling its obligations imposed under Articles 32-36 of the GDPR and any equivalent requirements in other Data Protection Laws (e.g. to ensure that appropriate technical and organisational measures are implemented to ensure a high level of security for the Personal Data Processed, to notify the supervisory authority in the event of a Personal Data Breach, to communicate a Personal Data Breach to the Data Subjects, to carry out a data protection impact assessment, and to carry out a prior consultation with the supervisory authority as applicable from time to time),and, for this purpose, the Data Processor shall provide such assistance promptly and in such a way as to ensure that any response periods set out in Data Protection Laws can be adhered to; and
in case of a Personal Data Breach, the Data Processor shall take adequate remedial measures as soon as possible, including but not limited to investigating and reporting to the Data Controller on the cause of the breach, to develop, propose and execute a response plan to address the Personal Data Breach. The Data Processor shall notify the Data Controller prior to any notification being made to any regulatory body regarding any Personal Data Breach and shall give the Data Controller a reasonable opportunity to review and provide input into any such notification. The Data Controller and the Data Processor shall use best endeavours to mitigate the effects of any Personal Data Breach.
13. Term and termination
Upon termination of the Agreement and where the Data Controller so requests beforehand, the Data Processor shall return all data containing Personal Data to the Data Controller (or to another party in accordance with the Data Controller's instructions) or, where the Data Controller so requests, destroy all Personal Data and certify to the Data Controller that this has been done. Where this is not technically possible or where the Data Processor is prevented from doing so by Data Protection Laws, the Data Processor shall provide a warranty that the Personal Data will remain confidential and will no longer be processed in any other manner than being stored, or, alternatively, will anonymise the data in such a way that it cannot be recreated.
14. Miscellaneous
This agreement constitutes the entire agreement between the Parties relating to the subject matter hereof. Any changes to the agreement by the Data Processor will be communicated to the Data Controller. In case of discrepancies between this agreement and any previous agreement, this agreement shall prevail.
Should any provision of this agreement be or become invalid, the legal validity of the remaining provisions shall not be affected. Instead of the invalid provision, a valid provision shall be deemed to have been agreed upon which comes as close as possible to the intentions of the Parties.
This agreement applies to and covers any changes, additions or amendments to the Agreement unless a new data processing agreement is entered into. If the Agreement is terminated and a new agreement with a similar scope and purpose is entered into without a new data processing agreement, this agreement shall apply to the new agreement. This also applies if an explicit reference is made to this agreement in an agreement between the Data Controller and the Data Processor.
The Data Processor is not eligible for any compensation for the processing of Personal Data under this agreement (in addition to the compensation set out under the Agreement).
15. Information Security
General Requirements
The Data Processor shall not carry out any act or make any omission which has, or could reasonably be expected to have, an adverse impact on the Data Controller's systems or Personal Data.
The Data Processor shall ensure that appropriate technical and organizational measures are implemented to ensure a level of security that is appropriate to the risk of the Processing.
In particular, the Data Processor shall:
secure the Personal Data in such a way as to prevent destruction, alterations, blocking, unauthorized disclosure or access, copying, distribution or any other kind of unauthorized Processing;
ensure that Personal Data and the data files containing Personal Data may only be accessed by authorised personnel that need the data to perform their duties in order to satisfy the Data Processor's obligations under the main agreement and the Agreement and in accordance with the Data Controller's instructions (“Authorised Personnel”);
ensure that Authorised Personnel have either entered into a confidentiality undertaking or are under an appropriate statutory duty of confidentiality that remains valid after the end of their employment or the service with regard to the processing of Personal Data;
ensure that Authorized Personnel comply with the terms and conditions of the agreement and the instructions provided by the Data Controller, and that such personnel are informed of the provisions of the GDPR;
ensure that there is appropriate, up-to-date anti-malware protection at all times in respect of the data files containing Personal Data and that backup copies of such files are made.
Access management
Where the Data Processor provides services connected directly to the Data Controller's systems, the Data Processor must validate the identity of all Data Processor personnel with access to the Data Controller's systems. The Data Processor must notify the Data Controller upon request of the names of the Data Processor personnel and the required and actual levels of access to the Data Controller's information.
Physical security
The Data Processor is responsible for protecting the Data Controller's Personal Data from harm through unauthorised physical access and/or damage. This includes physical access controls such as protecting buildings against unauthorised access (e.g. by using locks, bolts or equivalent measures on vulnerable doors and windows), restricting physical access to critical areas to authorised staff only, supervising external parties when they are granted access, and protecting communication links and data storage media.
16. Liability
Both parties shall be liable for all actions and/or claims against the other party, if they result from the breach by either party of its obligations under this contract.
17. Applicable law and disputes
This contract shall be applied and interpreted in accordance with the law set out in the Main Contract. However, the Data Processor shall at all times process the personal data in accordance with applicable data protection regulations.