Last updated: 2023-03-26
for SaaS First, provided by GBD Software as a Service Private Limited Company
entered into on (date) by and between
GBD Software as a Service Private Limited Company, a company incorporated under the laws of Hungary, seated: Szikra tanya 93., Lakitelek, 6065, Hungary. Tax number: HU27325162, Company Reg. Number: 03-10-100682 (collectively referred to as: “Processor”, “Provider”, „we”, or „us”), and
Company name (address) (collectively referred to as: “Controller”, or „you”).
Controller and Processor are hereinafter also jointly referred to as “Parties” and each separately as a “Party”.
The Data Processing Agreement (collectively referred to as: „Agreement”) forms part of the Terms of Service (collectively referred to as: „Terms of Service”) by and between the Parties and it’s subject to the Terms of Service. In the event of any discrepancies between Terms of Service and this Agreement, the provision of this Agreement in relation to personal data protection shall prevail.
The service provided by Provider to the Controller may require Provider to process Personal Data (as defined below), the Parties wish to ensure that the Personal Data processing is in conformity with the applicable laws, in particular with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) – from the moment it shall apply – and with other applicable personal data protection laws.
For the purposes of this Agreement, the Controller is the controller of the Personal Data and Provider is the processor of such data, except when the Controller acts as a processor of the Controller’s Personal Data, in which case Provider is a sub-processor. The detailed scope of Personal Data and the categories of data subjects are as defined below.
It is agreed that by signing (accepting) this Data Protection Agreement any previous Data Processing Agreements between the Controller and Processor are terminated with immediate effect. Nothing within this agreement relieves the Processor nor the Controller of its own direct responsibilities and liabilities under the GDPR.
As per our Terms of Service.
This Data Processing Agreement applies exclusively to the processing of Personal Data that is subject to EU Data Protection Law in the scope of the Terms of Service and this Data Processing Agreement of even date hereof between the parties for the provision of the Service.
Pursuant to Article 28 (3) of the GDPR, the Controller engages Provider in processing the Personal Data and Provider hereby accepts the processing. This Agreement sets out certain information regarding the processing of the Personal Data as required by the GDPR.
The Parties have entered into this Data Processing Agreement in order to benefit from the expertise of the Processor in processing the Personal Data for the purposes set out below and in the Terms of Service. The Processor shall be allowed to exercise its own discretion as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Agreement and the Terms of Service.
The Processor provides the Controller with whatever information it needs to ensure they both meet the obligations under GDPR. The Controller is responsible for maintaining Data Subjects’ rights. The Processor assists the Controller allowing Data Subjects to exercise their rights.
The purpose of processing Personal Data is the performance of the Service as set in Terms of Service, includes following processing activities: collection, recording, storage, adaptation, alteration and back-upping Personal Data, as well as other activities as required to provide the Service.
The Processor will only process the Personal Data according to the Service as set in Terms of Service and during the duration of Terms of Service, except as required to comply with a legal obligation to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal obligation before processing, unless that law explicitly prohibits the furnishing of such information to the Controller.
Processor will keep the Account Data and Personal Data you provided for up to 12 months following we stopped providing our Users with our services, and will delete all these records or Personal Data permanently after this period.
1 month before the deletion of the account, we are sending a reminder in email, asking you whether you wish to continue using our services.
To ensure proper provision of the Service, Controller authorizes Processor to engage other processors for carrying out processing activities.
In the event of sub-processing, Processor warrants that the processing activity is carried out in accordance with this Data Processing Agreement by a written agreement with the sub-processor providing at least the same level of protection and confidentiality for the Personal Data and the rights of data subject as the Processor under these clauses.
In line with Recital 81 GDPR, after the completion of the processing on behalf of the Controller, the Processor should, at the choice of the Controller, return or delete the Personal Data, unless there is a requirement to store the personal data under Union or Member State law to which the Processor is subject.
Upon termination of this Data Processing Agreement, upon the Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Service whereby no further processing is required, the Processor shall, at the discretion of the Controller, either delete, destroy, or return all Personal Data to the Controller and destroy or return any existing copies.
The Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Controller, at the discretion of the Controller.
Controller has the right to delete personal data and files at any time. In order to ensure the proper functionality of Processor’s systems the files are stored in back-ups for 5 further days after deletion.
The Processor may be allowed to retain Personal Data for a longer period, and the Processor may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
The Processor takes appropriate measures to ensure the security of Data Processing. In order to avoid unauthorized use of Personal Data and to avoid misuse of such data, Processor has taken comprehensive technical and operational safety measures. The Processor undertakes that its safety procedures have regularly been controlled and improved in harmony with technological development and in harmony with the Article 32 of the GDPR, such as:
The Processor will keep all Personal Data confidential and not disclose such data to third parties except as expressly provided herein, unless it has been authorized by the Controller or is required by law. Processor undertakes to make Personal Data known only to those who need to know it and at the same time undertake that the above persons are fully aware of the obligations of Processor arising from the present agreement and that they assume the same obligations as those set out in this agreement. Processor recognizes that its obligations regarding Personal Data, non-disclosure and non-use of such information will continue to apply if this agreement or the Terms of Service expire or are replaced for any reason.
The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to request for exercising the data subject’s rights under the GDPR.
The Processor shall assist the Controller in replying to requests received from data subjects. By receiving a complaint, inquiry or request related to the Controller’s Personal Data directly from data subjects, the Processor will notify the Controller within 15 days from the receipt of the complaint, inquiry or request.
The Processor shall make available to the Controller on reasonable request, information that is reasonably necessary to demonstrate the Controller's compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller's Personal Data. The Controller shall be responsible for any costs and expenses of the Processor arising from the provision of such information and audit rights.
The Processor shall assist the Controller in ensuring compliance with its obligations and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
The Processor will notify the Controller about any Personal Data breaches – including but not limited to accidental or unlawful access or disclosure – within 48 hours of becoming aware of the breach.
When the Processor becomes aware of an incident that impacts the processing of the Personal Data that is the subject of this Data Processing Agreement, it shall promptly notify the Controller about the incident, shall at all times cooperate with the Controller, and shall follow the Controller’s instructions with regard to such incidents, in order to enable the Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
The term “breach” and “incident” used in the above section shall be understood to mean including but not limited in the following cases:
Controller represents and warrants that all data provided by it (a) comply with all applicable laws and regulations with respect to its activities under the Terms of Service comply with the Controllers national law; (b) obtain and maintain all necessary licenses, consents, permits necessary for Processor, its contractors, affiliates, to use the data that Controller supplies in accordance with the Terms of Service and with this Agreement; (c) assume sole responsibility for its and its users/contacts’ use of Process Data obtained from the use of the Service, and for conclusions drawn from such use.
The Processor shall not be liable for any of the Controller’s claims, damages, losses, expenses, costs or other liability in the event of Personal Data breach or loss under any circumstances.
Controller agrees to indemnify, defend, and hold the Processor harmless from and against any and all claims of Personal Data subjects in connection with any damage arising from improper processing of Personal Data. The Controller shall unconditionally indemnify the Processor and hold it harmless in respect of any claims filed by the entities whose Personal Data has processed based on the Agreement, and in connection with the processing of such data. If action is brought against the Processor, the Controller shall, if so required by the Processor, join the proceedings as a party and assume full liability for the claim.
This Data Processing Agreement shall come into effect on the date the Controller electronically accepts this Data Processing Agreement. If both parties agree to the Agreement, it is effective immediately after signature.
Either party may terminate this agreement by giving each other 1 week notice in writing.
The Parties may amend the Agreement from time to time, as the Parties may reasonably consider necessary to meet the requirements of the GDPR.
In the event of any dispute, claim, question, or disagreement arising from or relating to this Agreement, whether arising in contract, tort or otherwise, the parties shall first use their best efforts to resolve the Dispute. If a Dispute arises, the complaining party shall provide written notice to the other party in a document, specifically setting forth the precise nature of the dispute. If a notice is being sent to Provider it must be emailed to [email protected] and sent via mail to: GBD Consulting and Services Private limited company by shares at: Szikra tanya 93., Lakitelek, 6065, Hungary.
In the event that a dispute between the parties cannot be settled, the parties agree to submit the dispute to binding arbitration according to Hungarian law and the Hungarian Courts, the language to be used in the arbitral proceedings shall be English.
Effective upon acceptance.