1. Definitions and Background
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service between Amortoae Petru PFA (“Data Processor”) and the Client (“Data Controller”). “Personal Data” means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller. This DPA establishes the legal framework for the processing of Personal Data in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable local laws.
2. Nature, Purpose, and Duration of Processing
The Processor shall process Personal Data solely for the purpose of providing the website hosting, CRM (LocalDesk), and marketing automation services described in the principal agreement. The processing shall continue for the duration of the active subscription and for a maximum of 30 days post-termination to allow for data export. Categories of data subjects include the Controller’s customers and leads. Types of Personal Data processed include names, email addresses, phone numbers, physical addresses, and service request details.
3. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all necessary measures pursuant to Article 32 of the GDPR to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest.
- Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (Subprocessor).
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Data Breach Notification, Data Protection Impact Assessments).
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
4. Subprocessors
The Controller provides general authorization for the Processor to engage Subprocessors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving the Controller the opportunity to object to such changes. The Processor shall impose on any Subprocessor the same data protection obligations as set out in this DPA via a legally binding contract.
5. Data Transfers
If the Processor transfers Personal Data outside the European Economic Area (EEA), such transfers shall be based on an Adequacy Decision or subject to Standard Contractual Clauses (SCCs) adopted by the European Commission, combined with appropriate supplementary measures where necessary to ensure an essentially equivalent level of protection.
6. Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall give a minimum of 30 days' prior written notice of any intended audit.