MARFEEL as the Processor undertakes to process personal data on behalf of the Publisher, being the Controller, in accordance with the conditions laid down in this Data Processing Clause. The processing will be executed exclusively within the framework of the Service Provision Agreement, and for all such purposes as may be agreed to subsequently.
A. The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Agreement.
B. All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects. The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.
C. The Processor will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
D. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the GPDR.
E. In the event of a security leak and/or the leaking of data, as referred to in article 34a of the GDPR, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavor that the furnished information is complete, correct and accurate. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
· the (suspected) cause of the leak;
· the (currently known and/or anticipated) consequences thereof;
· the (proposed) solution;
· the measures that have already been taken.
F. Keep in writing, a record of the categories of treatment activities carried out on behalf of the person in charge.
G. Not to communicate, disclose or transfer the personal data in its custody to third parties, not even for its conservation, unless it has the express authorization of the Controller. The ENTRANT may communicate the data to other data processors, in accordance to the instructions of the Controller. In this case, the Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication.
H. Guarantee the adequate training in data protection of the employees authorized to process personal data. Where a Data subject submits a request to the Processor to inspect, or to improve, add to, change or protect their personal data, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.
Browsing data:
Processor will not store nor process personal data of users during web browsing, nor will they associate them with an e-mail account or with an IP address for the identification thereof, unless the Controller requires it so.
In the event that the Controller does so at the expense of Processor, the Controller will be responsible for the use of such personal data, as well as for the compliance with the legal obligations arising from the GDPR, in particular, those related to the information and consent obligations.
The Controller exempts the Processor from any responsibility in relation to the treatments and uses that it may give to the personal data that collects or uses through the Processor’s products and services.
Limitation of Liability:
The Processor shall only be responsible for processing the personal data in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.
Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Clause. For further information, consult the Opinion 2/2010 on behavioral advertising of the Working Group of article 29.
Engaging subcontractors
The Processor is authorized within the framework of the Service Provision Agreement to engage third parties, without the prior approval of the Controller being required. Prior to the engagement, the Processor shall inform the Controller about the third party/parties engaged.
The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.
The Processor may process the personal data in countries outside the European Union, in particular in the USA, only with service providers that guarantee an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Clause and the GDPR.