Data Processing Agreement
The following Data Processing Agreement is valid from 28 June, 2019.
This Data Processing Agreement is entered into between the Service Provider and the Customer and is incorporated into and governed by the Terms of Service.
- 1.1. Unless the context explicitly requires otherwise, the following capitalised terms in this Data Processing Agreement will have the following meanings:
| Term | Meaning |
|---|---|
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); |
| Customer Data | personal data as defined in GDPR provided by the Customer (or third party where the Customer acts as a data processor) to Dokobit when using the Services; |
| Services | as per definitions in the Terms of Service; |
| Data Breach | any accidental or unlawful breach of personal data security resulting in accidental or unlawful destruction, loss, alteration or unauthorised disclosure (without authorisation) of or access to processed Customer Data; |
| Compliance Website | Dokobit website’s section available at www.dokobit.com/compliance |
| Sub-Processor | any person engaged by Dokobit for the processing of Customer Data on behalf of Dokobit and in accordance with its instructions to the extent and for the purposes specified in Data Processing Agreement. |
- 1.2 Capitalised terms not defined above will have the same meaning as defined in the Terms of Service, unless the context explicitly requires otherwise.
2. Purpose and scope
- 2.1. Dokobit shall provide Services to the Customer in accordance with the Terms of Service. In providing the Services, Dokobit shall process the Customer Data on behalf of the Customer. Customer Data may include personal data. Therefore, the Customer shall be (i) data controller with respect to the Customer Data; and (ii) data processor, where Dokobit provides personal data processed as a data processor; Dokobit is a data processor. The Data Processor will process and protect such Personal Data in accordance with the terms of this Data Processing Agreement.
3. Processing Conditions
- 3.1. Dokobit shall process the Customer Data in order to provide Services.
- 3.2. Dokobit shall process personal data of such categories of data subjects that the Customer uploads or submits when using the Services.
- 3.3. Dokobit shall process the Customer Data from the moment the Customer uploads or submits them when using the Services until the removal thereof by the Customer but no longer than specified in Article 13.2 of this Data Processing Agreement.
- 3.4. Dokobit shall ensure that the Customer Data is processed in the European Economic Area.
4. Customer Data Confidentiality
- 4.1. Dokobit shall use the Customer Data only for the provision of the Services and implementation of its rights under the Terms of Service. Unless otherwise required by the law, Dokobit shall not disclose the Customer Data to third parties.
- 4.2. Dokobit shall ensure that access to the Customer Data is granted only to those employees or suppliers of Dokobit who require such data for performing work functions or providing services to Dokobit.
- 4.3. Dokobit shall ensure that the employees or suppliers of Dokobit processing Customer Data comply with this Data Processing Agreement and undertake to observe the confidentiality clause or are subject to a relevant confidentiality obligation established under the laws.
- 4.4. If in complying with the requirements of the laws Dokobit is obliged to disclose the Customer Data to third parties (e.g. law enforcement authorities), Dokobit shall immediately notify the Customer about the requirements to disclose the Customer Data, unless otherwise required by the laws.
- 4.5. Such confidentiality obligations shall remain in force indefinitely and following the expiry of this Data Processing Agreement.
5. Customer Instructions
- 5.1. Dokobit shall process the Customer Data only according to documented instructions of the Customer.
- 5.2. The Parties agree to regard this Data Processing Agreement, Terms of Service and Service Settings, which may be set by the Customer when using Services, as documented Customer instructions. The Parties may agree on execution of additional Customer instructions and the price thereof.
6. Technical and Organisational Measures
- 6.1. In processing the Customer Data, Dokobit shall implement appropriate technical and organisational measures to protect the Customer Data. Dokobit shall select technical and organisational measures taking into consideration the level of development of technical possibilities, costs of implementation and the nature, scope, context and purpose of data processing, as well as risks of various probability and seriousness with respect to rights and freedoms of natural persons associated with data processing. Dokobit shall not be obliged to take into consideration the Customer instructions regarding technical and organisational measures.
- 6.2. Dokobit has implemented an information security management system according to international security standard ISO/IEC 27001, which, according to the agreement by the Parties, shall be considered as appropriate and maximum technical and organisational measures necessary to achieve goals specified in Item 6.1. Dokobit shall undertake to comply with the requirements of this or equivalent security standard during the entire validity period of this Data Processing Agreement.
- 7.1. Taking into consideration the nature of Services provided and the processing of processed data and available information, Dokobit shall cooperate with the Customer to ensure the performance of obligations specified in GDPR Articles 32–36. For this purpose and only to the extent specified in this Data Processing Agreement, Dokobit shall provide requested information to the Customer which is necessary for proper performance of obligations of the Customer under GDPR.
8. Data Processing Audit
- 8.1. To verify whether Dokobit properly processes the Customer Data, the Customer shall have the right to conduct inspections of such processing under the procedure provided for in Article 8.
- 8.2. Dokobit shall inspect, at least once per calendar year, at its own initiative and expense, whether applicable technical and organisational measures are in line with the nature, scope, context and purposes of data processing, as well as risks associated with data processing with respect to the rights and freedoms of natural persons. Dokobit shall engage an independent inspector for the inspection with the instructions to prepare an inspection report (hereinafter – Report).
- 8.3. At the request of the Customer and according to an additional agreement by the Parties regarding the protection of confidential information, Dokobit shall submit a Report to the Customer. Upon performance of this obligation by Dokobit, it shall be considered that the Customer has exercised its right provided for in Item 8.1 of this Data Processing Agreement and GDPR Article 28(3)(h).
- 8.4. If the Customer wishes to additionally and/or by means other than specified in Article 8 inspect how Dokobit processes personal data and/or performs its obligations under this Data Processing Agreement, such inspection may be conducted upon consent of Dokobit and the agreement of the Parties on the scope, method, time and price of the inspection. In any case, if the Parties agree on such additional inspection, it will have to comply with the following requirements: (i) the inspection must be related only to the processing of the Customer Data; (ii) the Customer must inform Dokobit about the wish to conduct an additional inspection within a reasonable time period which must be at least 4 weeks; (iii) the additional inspection must be conducted in a way that does not interfere with daily activities of Dokobit; (iv) the additional inspection must be conducted at the expense of the Customer; (v) the additional inspection must be conducted by an independent person whose candidacy must be approved in advance by Dokobit and such person must undertake to protect confidential information of Dokobit.
- 8.5. Dokobit shall have the right to receive remuneration for assistance in conducting additional inspection. The size of such remuneration will be determined by Dokobit taking into consideration costs incurred by Dokobit with respect to additional inspection. Dokobit shall provide information to the Customer about the size of remuneration before the inspection.
- 8.6. In the event the Customer is not satisfied with the information provided in the Report and/or the Parties fail to agree on additional inspection as provided for in Items 8.4–8.5 of this Data Processing Agreement, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Dokobit will not be obliged to compensate damages to the Customer.
- 9.1. The Customer hereby gives general advance consent to Dokobit to engage Sub-Processors which will process Customer Data on behalf of Dokobit according to the scope and purposes specified in this Data Processing Agreement. Dokobit shall engage only those Sub-Processors which will ensure the following: (i) implementation of appropriate technical and organisational measures; (ii) data processing in compliance with GDPR requirements; and (iii) protection of the rights of the data subject.
- 9.2. Dokobit shall ensure that a written agreement has been concluded with Sub-Processors engaged under which Sub-Processors shall undertake to comply with responsibilities of the data processor established in this Data Processing Agreement at least to the extent applicable to Dokobit. Dokobit shall be liable against the Customer for the performance of obligations of Sub-Processors engaged.
- 9.3. An up-to-date list of engaged Sub-Processors will be published by Dokobit on the Compliance Website. Dokobit shall notify the Customer about its plans to replace or engage a new Sub-Processor by making such information available on the Compliance Website no later than 14 days prior to the planned event.
- 9.4. If the Customer continues using the Services following the replacement or involvement of a new Sub-Processor and notification of the Customer under the procedure provided for in Item 9.3 of this Data Processing Agreement, it shall be considered that the Customer agreed to such actions of Dokobit. If the Customer disagrees with such replacement or involvement of the Sub-Processor, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Dokobit will not be obliged to compensate damages to the Customer.
- 9.5. If the Customer withdraws its general consent to engage Sub-Processor, Dokobit shall have the right to unilaterally, under out-of-court procedure, terminate the Terms of Service, and such termination shall be considered to have been made for important reasons and the Customer shall be deemed not to have suffered any damage due to such termination.
10. Customer Obligations
- 10.1. The Customer, at its own discretion and responsibility, shall determine the categories of the data subjects whose personal data and the categories of personal data to be provided to Dokobit and shall provide to Dokobit only personal data necessary for proper provision of the Services by Dokobit. The Customer shall assume all related risks, including risks in cases where Dokobit receives more personal data than is necessary.
- 10.2. The Customer represents and warrants that it has obtained and shall retain during the entire validity period of the Terms of Service all necessary permissions and authorisations required for the provision of the Customer Data to Dokobit and engage Dokobit for the processing of personal data under the Terms of Service and this Data Processing Agreement.
11. Data Breach
- 11.1. Dokobit shall notify the Customer, without undue delay, but no later than within 36 hours after becoming aware of the Data Breach, and taking into consideration the nature of provided Services and the processing of personal data and available information, shall provide the following information to the Customer: (i) the nature of the Data Breach, including, where possible, the categories of the data subjects and approximate number thereof; (ii) possible consequences of the Data Breach; (iii) measures implemented by Dokobit or proposed to be taken to address the Data Breach, including, where appropriate, measures for mitigating possible negative consequences of the Data Breach; (iv) full name and contact information of data protection officer or any other contact person that could provide further information. Dokobit may provide this information to the Customer by making it available on the Compliance Website.
- 11.2. Dokobit shall document all Data Breaches, including facts pertaining to the Data Breach, its impact and corrective actions taken. In cases provided for in legislation, Dokobit shall provide such documents to supervisory authority.
- 11.3. The Customer shall be responsible for the compliance with legislation regulating the delivery of notifications or information to the data subjects about the Data Breach.
- 12.1. Taking into consideration the nature, scope, context and purposes of data processing, Dokobit liability under this Data Processing Agreement shall be limited to and in any case may not exceed the amount the Customer has paid to Dokobit in 12 months.
- 12.2. During this Data Processing Agreement, Dokobit shall undertake to insure its civil liability. A copy of the insurance policy containing the amount of the insurance will be published on the Compliance Website.
13. Validity and Termination
- 13.1. This Data Processing Agreement shall come into force upon the entry into force of the Terms of Service and shall be valid for as long as the latter remains in force.
- 13.2. Upon expiry of the Data Processing Agreement, Dokobit shall destroy the Customer Data no later than within 30 days, unless there are grounds to process or manage the Customer Data other than those arising out of this Data Processing Agreement.
14. Applicable Law and Dispute Resolution
- 14.1. This Data Processing Agreement shall be subject to the law of the Republic of Lithuania.
- 14.2. Each dispute, disagreement or claim arising out of or related to this Data Processing Agreement, its violation, termination and validity shall be settled by negotiating. If the Parties are unable to reach an agreement within 15 days from the occurrence of the dispute, disagreement or claim, such dispute, disagreement or claim shall be settled in the court of the Republic of Lithuania.
15. Final Provisions
- 15.1. All notifications of the Customer to Dokobit related to this agreement shall be sent via e-mail firstname.lastname@example.org and shall be deemed to be received when Dokobit confirms the receipt thereof by replying to the Customer’s e-mail.
- 15.2. Dokobit notifications to the Customer related to this Data Processing Agreement shall be sent via e-mail specified in the User account or delivered to the Customer in its User account, unless otherwise specified in this Data Processing Agreement.
- 15.3. The amendments to this Data Processing Agreement shall come into force following publication thereof on the Compliance Website. Dokobit shall announce an intended amendment of the Data Processing Agreement at least 30 days prior to the planned amendment. If the Customer continues using the Services following the publication of amendments to the Data Processing Agreement, it shall be deemed that the Customer agrees with the amendments to the Data Processing Agreement. If the Customer disagrees with the amendments, the Customer will not be able to use Services and shall have the right to terminate the Terms of Service.
- 15.4. Relevant version of the Data Processing Agreement may be downloaded here.