DATA PROCESSING AGREEMENT
Concluded between:
Ceeport, IIN 860103301234, Kazakstan, ZKO, Uralsk, Garokova str, 36 (hereinafter „Processor”), and You or Legal entity represented by you (hereinafter „Controller”),
hereinafter referred to individually as “Party” and together as “Parties”. Parties have agreed regarding hereinafter indicated provisions, that will be applicable for the Processor, while processing personal data, owned by Controller.
1. Scope of application
This agreement regarding processing of personal data (hereinafter “Data Management Agreement” or “DTS”) is appendix of the contract regarding BPM4B services, concluded via electronically means (hereinafter „Contract“) and is an integral part of the Contract. This DTS sets the terms and conditions applicable to the Processor, while processing personal data on behalf of the Manager.
2. Procession and security of personal data
The Processor shall process personal data in order to fulfill the Contract concluded between the Parties and to perform the duties provided for in the Contract. The data processing activity includes the management of the personal data in the database of the Controller.
The Processor obligates to process personal data only according to the written instructions of the Controller.
The Processor ensures proper personal data protection under this DTS with the objective of protecting personal data from destruction, alteration, unauthorized disclosure or unauthorized access. Personal data is also protected against any other form of unlawful processing.
The Processor may obtain personal data from systems managed by the databases and / or directly from the Controller.
The Processor will comply with all the instructions of the Controller and will also adhere to the best practices in the market that are normally used to prevent unauthorized access or disclosure, alteration, destruction or loss.
Unless otherwise agreed by the Parties, the Processor will implement the following measures:
(i) will select the technical and organizational measures for the protection of personal data, corresponding to the nature of the data and the level of risk of their handling, and will ensure their continuous operation;
(ii) will ensure the confidentiality, integrity, and resistance of the personal data;
(iii) will implement and maintain the security control and protection measures required to meet with the requirements of data protection legislation.
The Processor, arbitrarily and without written permission of the Controller, undertakes not to seek access and undertakes to refuse access to any third parties with the personal data which he is not entitled to access and who are not required to provide the services specified in the Contract.
The Processor shall promptly (no later than the next working day) undertake to inform the Controller of any concerns of the data subjects, data protection authorities or other law enforcement or supervisory authorities, which the Controller will have the right to decide at his own discretion.
The Processor may use third parties for the processing of personal data only with the prior written consent of the Controller. In addition, without prior written consent of the Controller, the Processor undertakes not to disclose any personal data processed by this DTS or otherwise disclose data to any third party.
The Processor ensures that all persons involved in the processing of personal data are bound by the obligation of confidentiality or that they are subject to the relevant confidentiality obligation established by law both during and after the term of the Contract.
The obligation to process personal data under this agreement may only be carried out in a Member State of the European Union (EU) or in a Member State of the European Economic Area (EEA). Any transfer of personal data to a country which is not an EU or EEA Member State may only be carried out with the prior written consent of the Contoller and only if the specific conditions specified in the applicable data protection legislation are met.
3. Obligations and Liabiliy
The Controller undertakes to process personal data in accordance with the procedure prescribed by law, to properly implement the rights of data subjects, to provide the Processor with all necessary information related to the processing of personal data.
The Processor commits himself and undertakes to ensure that his employees, other data processors and other service providers (if any) undertake to the extent applicable to the services provided by the Processor under the Contract:
(i) take appropriate technical and organizational measures to prevent the unauthorized and unlawful processing of the personal data, as well as the incidental loss, alteration, destruction or violation of personal data;
(ii) ensure the proper security of the premises where personal data is stored.
The Controller undertakes not to use and dispose of personal data for any other purposes, except for the ones provided for in the Agreement, and not to grant any rights and not to sell, not disclose, use, transmit, or otherwise operate and not use personal data without the prior written permission of the Controller‘s consent.
Personal data is and will remain the property of the Controller. Unless otherwise provided by applicable law, the Processor will return, or at the discretion of the Controller, destroy (and in the event of destruction, within a reasonable time, to confirm that such destruction has taken place in accordance with the data protection requirements specified in this DTS) personal data:
(i) at the request of the Controller;
(ii) upon expiry of the Contract; or
(iii) when the personal data is no longer required for the Processor.
The Party to the fault of the other party suffering damage shall be liable to compensate the other Party for direct losses incurred by it. The Parties agree that neither of the Parties is liable for indirect looses. None of the Parties shall compensate non-material damage suffered by the other Party and / or third parties (customer’s employees, employees, consultants, etc.), except in the cases provided for by law. The Parties agree that the Parties’ obligations in this paragraph regarding liability and indemnity shall continue to be in force at the end of the Contract or this agreement.
4. Breaches of data protection and notifications
The Processor shall promptly, and in any case, within twenty four (24) hours from the date of the communication, provide the Controller with a written completeness letter (“Notice of breach”) about:
(i) any loss of the personal data;
(ii) any unauthorized access to the personal data; or
(iii) any third-party notice of breach of law of the data Processor relating to the personal data.
5. Final provisions
This Agreement applies as long as the Processor process personal data i. e. until the contract is in force.
In the event that the provisions of other agreements concluded between the Parties conflict with this DTS, the provisions of the DTS applicable to the relationship between the Parties shall prevail.
By approving this Agreement, you agree to the provisions set forth herein in full and do not object to them.