PERSONAL DATA PROCESSING AGREEMENT
MELP, UAB, legal entity code 305615566, registered office address Klevų st. 10, LT-06248, Vilnius, Lithuania, represented by general manager Vidmantas Šiugždinis, acting in accordance with the Articles of Association of the Company (hereinafter referred to as the Data Processor),
and
Legal person indicated in the special conditions of the MELP service agreement and named there as the "Client" (hereinafter referred to as the Data Controller),
(hereinafter the Data Processor and the Data Controller collectively referred to as the Parties and each individually as a Party),
Considering that the Data Controller and the Data Processor have concluded the MELP services special conditions and the MELP platform terms and conditions for organizations (hereinafter referred to as the Master Agreement), under which the Data Processor shall process Personal Data as defined in this Agreement on behalf of the Data Controller in the provision of services to the Data Controller and in the performance of its obligations thereunder, and shall for that purpose be granted access to the Personal Data described in Annex 1 to this Agreement,
the Data Processor and the Data Controller have entered into this Personal Data Processing Agreement (hereinafter referred to as the Agreement), under which the Parties have agreed as follows:
1. TERMS
1.1. The terms used in this Agreement shall have the following meanings:
1.1.1. Legislation Governing the Protection of Personal Data shall mean EU data protection law and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.2. GDPR shall mean the EU General Data Protection Regulation No. 2016/679.
1.1.3. EEA shall mean the European Economic Area.
1.1.4. Sub-Processor shall mean any entity (including third parties or persons related to the Data Processor, but excluding employees of the Data Processor or the employees of the subcontractors thereof) appointed by or on behalf of the Data Processor or a person related to the Data Processor to process Personal Data on behalf of the Data Controller as provided in the Master Agreement.
1.1.5. Standard Contract Terms shall mean the standard data protection terms approved by the Commission in accordance with the committee procedure laid down in Article 93 (2) of the GDPR, as well as other standard data protection terms approved by the Commission which fulfil the condition of Article 26 (4) of Directive No. 95/46/EC, until they are amended or repealed in whole or in part.
1.1.6. MELP Platform shall mean the online platform managed by MELP at www.melp.com and the MELP Mobile Application. The MELP Platform is a tool for Organizations to provide information on and manage the Benefits, and for Users to access the information provided by the Organizations, select the Benefits and perform other permitted actions. Depending on the chosen method of connection to the MELP Platform, the scope of information provided on the MELP Platform and the features offered may differ.
1.2. The terms Controller, Data Subject, Personal Data, Breach of Personal Data Security, Commission, Processor, Processing of Personal Data and Supervisory Authority shall be deemed to have the same meaning as provided in the GDPR and their related terms shall be construed accordingly.
1.3. The word “includes” shall be construed as “includes, but is not limited to” and related terms shall be construed accordingly.
1.4. Terms used in this Agreement shall have the meanings ascribed to them in this Agreement. Capitalised terms, unless otherwise specified in this Agreement, shall be defined in the Master Agreement and/or shall be understood as defined in the Legislation Governing the Protection of Personal Data.
2. SUBJECT MATTER OF THE AGREEMENT
2.1. This Agreement governs the relationship between the Parties in regards to the processing of Personal Data by the Data Processor on behalf of the Data Controller in the performance of the Master Agreement.
2.2. This Agreement and the Master Agreement shall constitute a single agreement between the Parties and supersede any prior agreements or other arrangements between the Parties with respect to the same subject matter. In the event of a conflict between the Master Agreement and the terms and conditions of this Agreement concerning the processing of Personal Data, the terms and conditions of this Agreement shall prevail, unless otherwise provided in this Agreement.
3. RIGHTS AND OBLIGATIONS OF THE PARTIES
3.1. The Data Processor undertakes:
3.1.1. to process only the Personal Data specified in Annex 1 to this Agreement, and if it is not possible to specify them due to their constantly changing scope, only those which shall be processed by the Data Controller on the MELP Platform, exclusively to the extent necessary for the performance of the Master Agreement;
3.1.2. to process Personal Data only under the terms and conditions of this Agreement and the Master Agreement;
3.1.3. when processing Personal Data in accordance with this Agreement, to ensure compliance of the processing of Personal Data with the Legislation Governing the Protection of Personal Data and the recommendations and instructions of the supervisory authorities;
3.1.4. not to perform such actions, as a result of which the Data Controller would be forced to act not in accordance with the requirements of the Legislation Governing the Protection of Personal Data;
3.1.5. not to transfer or in any other way disclose Personal Data or other information related to the processing of Personal Data to any third party, except as provided by legal acts and this Agreement;
3.1.6. to notify the Data Controller immediately, by e-mail and in writing to the contact details specified in this Agreement, of any situation in which the Data Processor, in order to comply with an obligation imposed by legal acts, must disclose Personal Data which it processes on behalf of the Data Controller. When disclosing Personal Data in order to fulfil such a legal obligation, the Data Processor must request the recipient to maintain the confidentiality of the Personal Data;
3.1.7. to appoint a Data Protection Officer and inform the Data Controller thereof in writing, if the Data Processor is obliged to appoint such a person in accordance with the Legislation Governing the Protection of Personal Data;
3.1.8. to maintain, in writing, including in electronic form, records of all categories of Personal Data processing activities carried out on behalf of the Data Controller in accordance with the Legislation Governing the Protection of Personal Data and the terms and conditions of this Agreement, and to provide them to the Data Controller immediately upon its written request.
3.2. At the request of the Data Controller, the Data Processor undertakes to provide the Data Controller, within a reasonable term, with all information necessary to demonstrate that the Data Processor's obligations under this Agreement and the Legislation Governing the Protection of Personal Data have been fulfilled.
3.3. Cooperation and assistance to the Data Controller:
3.3.1. The Data Processor undertakes to cooperate with and assist the Data Controller to the extent necessary to respond to Data Subjects' requests and to give proper effect to Data Subjects' rights, including but not limited to the right of access to the Personal Data processed, the right to have inaccurate Personal Data rectified and incomplete Personal Data completed, the right to erasure or restriction of processing of Personal Data, the right to portability of Personal Data, etc.
3.3.2. If the Data Processor receives a request or inquiry from a Data Subject in connection with the processing of Personal Data by the Data Processor on behalf of the Data Controller, the Data Processor must immediately forward such request or inquiry to the Data Controller at the e-mail address provided by the Data Controller. The Data Processor shall act on such requests only in accordance with the written instructions of the Data Controller.
3.3.3. The Data Processor must immediately inform the Data Controller of any circumstances that may prevent the processing of Personal Data in accordance with the requirements of this Agreement and / or the Legislation Governing the Protection of Personal Data. In such a case, the Data Controller shall have the right to prohibit the Data Processor from further processing the Personal Data.
3.3.4. The Data Processor undertakes to provide the Data Controller with all information and assistance necessary to prove that the processing of Personal Data complies with the requirements established by the Legislation Governing the Protection of Personal Data and this Agreement.
3.3.5. The Data Processor undertakes to cooperate with the Data Controller in ensuring the security of the processing of Personal Data, as well as in cases where there is an obligation to notify the Supervisory Authority of a Personal Data breach; to notify the Data Subject about the Personal Data security breach; to carry out a data protection impact assessment.
3.4. Information security and confidentiality:
3.4.1. The Data Processor undertakes to take appropriate technical and organisational measures at its own expense to ensure an appropriate level of security of the Personal Data processed on behalf of the Data Controller and to apply the minimum technical and organisational measures specified in this Agreement.
3.4.2. The Data Processor undertakes to ensure that, when processing Personal Data on behalf of the Data Controller, it shall apply at least the following measures:
3.4.2.1. the premises of the Data Processor in which computer equipment, servers and portable storage media holding Personal Data are kept shall be locked when unattended, in order to protect the Personal Data against unauthorised use, exposure and theft;
3.4.2.2. procedures shall be established for granting and revoking access to Personal Data by employees of the Data Processor;
3.4.2.3. it shall be ensured that the user account and password used to access Personal Data are unique to each user and inaccessible to unauthorised personnel of the Data Processor;
3.4.2.4. it shall be ensured that a log of logins to the Personal Data and of the actions performed on the Personal Data is retained and is provided to the Data Controller upon its written request;
3.4.2.5. secure transfer of Personal Data shall be ensured. Where Personal Data is transmitted over external communication channels not controlled by the Data Processor, technical means shall be used to authenticate the connection and to encrypt the Personal Data in transit;
3.4.2.6. a process for the secure disposal and repair of equipment containing Personal Data shall be in place.
3.4.3. The Data Processor undertakes to grant access to the Personal Data only to those employees of the Data Processor for whom access to this Personal Data is necessary for the performance of work functions and is necessary to ensure the performance of the Data Processor's obligations under the Master Agreement and this Agreement, as well as to inform the Data Processor's employees how they are obliged to process the Personal Data and to ensure that the Data Processor's employees who have access to the Personal Data have a confidentiality agreement, which includes the obligation not to disclose the Personal Data:
3.4.3.1. In the event of a change in the persons who process Personal Data, their rights of access to the Personal Data of the Data Controller shall be revoked no later than the last day of the tasks for which they require access to the Personal Data of the Data Controller entrusted to the Data Processor for processing, and in the event of termination of the employment of the Data Processor's employee – no later than on the last day of his/her employment.
3.4.3.2. The list of persons granted access to Personal Data must be reviewed periodically at least every 6 months. Under this review, such access to Personal Data shall be revoked if such access is no longer required and the Personal Data shall no longer be available to those persons.
3.4.3.3. At the request of the Data Controller, the Data Processor shall prove that the persons managed by the Data Processor and entrusted with the processing of Personal Data shall be subject to the obligation of confidentiality specified in Clause 7 of the Terms and Conditions.
3.4.4. The Data Processor undertakes to protect the Personal Data from destruction, modification, illegal distribution or unauthorised access and from all forms of illegal processing of Personal Data.
3.5. Management of incidents related to Personal Data:
3.5.1. The Data Processor undertakes to notify the Data Controller immediately, and in any event not later than 24 hours after becoming aware of it, by e-mail and in writing to the contact details specified in this Agreement, of any incident involving the Personal Data processed by the Data Processor on behalf of the Data Controller, including any Personal Data breach and, inter alia, any unauthorised access to Personal Data.
3.5.2. The notification of an incident involving Personal Data shall include a description of the incident that has occurred or is likely to occur, its nature and significance, the likely consequences and the measures taken or intended to be taken by the Data Processor, the measures proposed to be taken by the Data Controller to reduce or prevent the consequences of this incident, the nature of the Personal Data compromised, the categories of data subjects and their approximate number. The notification of an incident involving Personal Data shall be accompanied by all information and documents relating to that incident, which may be necessary to enable the Data Controller to apply appropriate Personal Data security measures and to comply with the obligation to notify the supervisory authority and the Data Subject (where applicable in accordance with the requirements of the Legislation Governing the Protection of Personal Data) of the Personal Data breach.
3.5.3. In the event of a Personal Data breach, the Data Processor undertakes to take all measures to assist the Data Controller in minimising the negative consequences of the breach, including by documenting the breach.
3.5.4. At the request of the Data Controller, the Data Processor shall, in addition to the information specified in Clause 3.5.2 of this Agreement, provide copies of documents, such as the justification of the actions taken, the measures applied or the internal inspections performed and the conclusions thereof.
3.6. Training
3.6.1. The Data Processor must ensure that all its employees (including temporary staff, contractors and similar persons) are adequately informed about the security controls of the information system that are relevant to their day-to-day work. Employees involved in the processing of Personal Data must be adequately informed of the significant data protection requirements and legal obligations through regular refresher training.
3.7. Audit
3.7.1. The Data Controller shall have the right to audit the Data Processor at any time during the term of this Agreement, either itself or through a third party, by giving the Data Processor reasonable advance notice of not less than 10 calendar days, in order to determine whether the processing of Personal Data by the Data Processor on behalf of the Data Controller complies with the requirements of this Agreement and the Legislation Governing the Protection of Personal Data.
3.7.2. The Data Processor shall have the right to object to the audit if:
3.7.2.1. The Data Processor has been subject to an appropriate internal or external audit (i.e. performed by external auditors, service providers) during the last 12 (twelve) months;
3.7.2.2. The Data Processor is currently undergoing an internal or external audit (i.e. one performed by external auditors or service providers);
3.7.2.3. The Data Controller initiates more than one inspection or audit of the Data Processor per calendar year, with the exception of additional audits or inspections which:
3.7.2.3.1. are carried out where a data security breach has occurred on the side of the Data Processor in relation to the Personal Data processed by the Data Processor on behalf of the Data Controller;
3.7.2.3.2. are carried out where the Data Controller has established a violation of this Agreement and the Data Processor has not remedied it within the term set by the Data Controller;
3.7.2.3.3. are carried out where the Data Controller has reasonable grounds to believe that improper actions and/or omissions of the Data Processor may violate the Data Processor's obligations concerning the security of Personal Data set forth in this Agreement;
3.7.2.3.4. the Data Controller must or is required to carry out under the Legislation Governing the Protection of Personal Data, at the request of the Supervisory Authority or a similar regulatory body responsible for the implementation of the Legislation Governing the Protection of Personal Data in any country or territory.
3.7.3. The Data Processor undertakes to create suitable conditions for, and to assist, the Data Controller or a third party engaged by it in performing the audit of the Data Processor provided for in Clause 3.7.1 of this Agreement. For this purpose, the Data Processor undertakes to ensure access to the Data Processor's premises and to provide access to computer equipment and/or software, documents, etc., to the extent necessary for the performance of the audit.
3.7.4. The audit of the Data Processor shall be limited to the scope of the Personal Data processed on behalf of the Data Controller and the actions of their processing.
3.7.5. The Data Processor undertakes to enable any authority supervising the activities of the Data Controller to perform an audit of the Data Processor and to assist the Data Controller in the performance of such audit.
3.8. The Data Processor shall not be entitled to claim any additional remuneration for the performance of its obligations under this Agreement.
3.9. All documents and data compiled (submitted) by the Data Processor and / or the Data Controller during the audit must remain confidential and be subject to the highest standards of non-disclosure.
4. SUB-PROCESSOR
4.1. The Data Processor must comply with the requirements set out in Article 28 (2) and (4) of Regulation (EU) 2016/679 in order to use another processor (hereinafter referred to as the Sub-Processor).
4.2. The Data Controller shall authorise the Data Processor to designate (and allow each Sub-Processor appointed in accordance with this Section 4 to designate) the Sub-Processors listed in Annex 2 to this Agreement in accordance with this Section, within the limits set forth in the Master Agreement.
4.3. The Data Processor undertakes to inform the Data Controller of the appointment of a new Sub-Processor by e-mail at least 30 calendar days before the Sub-Processor starts the processing operations. If the Data Controller does not agree to the appointment of the Sub-Processor, this may be considered a ground for terminating the Master Agreement.
4.4. The Data Processor undertakes to use only those data processors (Sub-Processors) who sufficiently ensure that the appropriate technical and organisational measures are implemented in such a way that the data processing complies with the requirements of the GDPR and other legal acts and ensures the protection of the data subject's rights.
4.5. An up-to-date list of the Sub-Processors of the Data Processor shall be available at www.melp.com.
4.6. A copy of the agreement concluded with the Sub-Processor and any subsequent amendments thereto shall be provided to the Data Controller at its request, so as to enable the Data Controller to verify that the Sub-Processor is subject to the same data protection obligations as those set out in this Agreement. The Data Processor shall inform the Data Controller of any failure by the Sub-Processor to fulfil its obligations under such agreement or other legal act. The Data Processor shall not be obliged to provide those business-related provisions of the agreement concluded with the Sub-Processor that do not affect the personal data protection terms of that agreement.
4.7. The Data Processor shall be responsible for requiring the Sub-Processor to comply with at least the obligations imposed on the Data Processor under this Agreement and Regulation (EU) 2016/679. If the Sub-Processor fails to comply with its personal data protection obligations, the Data Processor with whom this Agreement has been concluded shall remain fully liable to the Data Controller for the fulfilment of the obligations of the Sub-Processor (and its sub-processors). This shall not affect the rights of data subjects under Regulation (EU) 2016/679, in particular the rights provided for in Articles 79 and 82 of Regulation (EU) 2016/679, vis-à-vis the Data Controller and the Data Processor, including Sub-Processors.
5. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
5.1. The Data Processor may transfer personal data to third countries or international organisations only with the documented instructions and/or consents of the Data Controller and in accordance with the requirements of Chapter V of Regulation (EU) 2016/679.
5.2. If personal data need to be transferred to third countries or international organisations in accordance with the law of the European Union or its Member State, which must be complied with by the Data Processor, although the Data Controller has not instructed the Data Processor to do so, the Data Processor shall inform the Data Controller of this legal requirement prior to the transfer, unless that law prohibits the transfer of such information.
5.3. The Data Processor may not take the following actions without documented instructions from the Data Controller or a specific requirement under the law of the European Union or its Member State, in accordance with this Agreement:
5.3.1. to transfer personal data to a data controller or data processor in a third country or international organisation;
5.3.2. to transfer the processing of Personal Data to a Sub-Processor in a third country;
5.3.3. to allow the processing of personal data by a data processor in a third country.
5.4. The Data Controller's instructions or authorisations for the transfer of personal data to a third country, including, where applicable, the grounds for the transfer of personal data to third countries set out in Chapter V of Regulation (EU) 2016/679, shall be set out in Annex 3 to this Agreement.
5.5. This Agreement shall not be considered to constitute standard data protection clauses as defined in Article 46 (2) (c) and (d) of Regulation (EU) 2016/679, and the Parties may not invoke this Agreement as a basis for the transfer of personal data to third countries or international organisations under Chapter V of Regulation (EU) 2016/679.
5.6. Upon receipt of the Data Controller's documented instructions and/or consents, the Data Processor undertakes to conclude agreements on the protection of Personal Data with Sub-Processors outside the European Union (EU) and the EEA in accordance with the Standard Contract Terms.
6. LIABILITY
6.1. The Data Processor shall be liable for the confidentiality and security of the processed Personal Data from the moment of receipt of the Personal Data.
6.2. In the event of a reasonable suspicion that the Data Processor does not comply with the requirements of this Agreement and / or the Legislation Governing the Protection of Personal Data, the Data Controller shall have the right to contact the Data Processor in writing, setting a deadline for the provision of explanations on the processing of Personal Data. If the suspicion is confirmed and found to be a material violation of the Agreement, the Data Controller shall have the right to unilaterally terminate this Agreement and the Master Agreement due to the fault of the Data Processor or to set a term for the complete elimination of the violation in accordance with the procedure established in this Agreement.
6.3. The Data Processor undertakes to indemnify the Data Controller for the losses incurred due to the violation of the Legislation Governing the Protection of Personal Data caused by the fault of the Data Processor and / or the Sub-Processor(s) used by the Data Processor. The amount of these losses shall include all costs incurred by the Data Controller, including but not limited to fines, fees, indemnification to the Data Subject, etc.
6.4. The Data Processor hereby assumes full liability for the actions of the Sub-Processors used and shall ensure that the Sub-Processors used comply with all the terms and conditions of this Agreement.
7. VALIDITY AND EXPIRATION OF THE AGREEMENT
7.1. This Agreement shall enter into force on the date of its signing and shall remain in force as long as the Data Processor processes the Personal Data on behalf of the Data Controller. The obligation of confidentiality provided for in this Agreement shall remain in force indefinitely.
7.2. Annexes, amendments and supplements to this Agreement shall be valid only if they are made in writing and signed by authorised representatives of both Parties.
7.3. The Data Processor undertakes to cooperate and agrees to any future amendments to this Agreement that shall be mandatory in order to implement the changed mandatory requirements of the Legislation Governing the Protection of Personal Data.
7.4. The Data Controller shall have the right to immediately terminate this Agreement and prohibit the Data Processor from further processing Personal Data on behalf of the Data Controller, if the Data Processor, after being notified by the Data Controller of improper performance (non-performance) of the Agreement, has not remedied the violation(s) of the Agreement within the prescribed term and such violation is considered to be material.
7.5. The Data Processor shall have the right to terminate this Agreement unilaterally in the event that the Master Agreement is terminated at the initiative of the Data Processor.
8. MEASURES TAKEN AT THE END OF THE PROCESSING OF PERSONAL DATA
8.1. Upon expiration of this Agreement and the Master Agreement, the Data Processor undertakes to delete / destroy the Personal Data processed on behalf of the Data Controller, as well as to destroy the existing copies of the Personal Data, and to prove to the Data Controller in writing that it has done so and/or, upon the Data Controller's written notification to the Data Processor, to return to the Data Controller all Personal Data received and processed on behalf of the Data Controller under the Master Agreement and this Agreement. This obligation shall not apply if European Union or national law applicable to the Data Processor requires the retention of Personal Data after the expiry of this Agreement. The Data Processor shall ensure that the Sub-Processor(s) used by the Data Processor perform the same steps for the processing of this Personal Data. The requirements of this Clause shall not apply in cases when, after the expiry of this Agreement and the Master Agreement, the Data Processor has a basis other than arising from this Agreement and/or the Master Agreement to continue processing the Personal Data as an independent data controller. If the Data Processor has a basis other than arising from this Agreement and/or the Master Agreement to further process a part of the Personal Data, the requirements of this Clause shall not apply only to that part of the Personal Data which the Data Processor, as an independent data controller, has a legal basis to continue processing after the expiry of this Agreement and the Master Agreement.
8.2. The Data Controller is hereby informed and understands that it has the possibility to delete the Personal Data from the MELP Platform before the termination of the Master Agreement, i.e. as long as it has active connections to the MELP Platform.
8.3. Upon the written request of the Data Controller, the Data Processor undertakes to provide the Data Controller with a list of the measures taken to ensure the orderly termination of the processing of Personal Data.
8.4. If the Data Controller has consented in the Master Agreement to the transfer of Personal Data to the Data Processor for statistical purposes, the Data Controller understands that such data shall remain in the possession of the Data Processor after the expiry of this Agreement and the Master Agreement. The Data Processor undertakes to anonymise such Personal Data in such a way that it can no longer be linked to a specific data subject.
8.5. If the Data Controller requests that the Personal Data be retained for a certain period of time specified by the Data Controller after the expiry of this Agreement, this shall be done in accordance with the instructions established in the Data Controller's documents.
9. DISPUTE RESOLUTION
9.1. The law of the Republic of Lithuania shall apply to this Agreement.
9.2. All disputes arising from the performance of this Agreement shall be settled in the courts of the Republic of Lithuania. The fact that court proceedings have been initiated, information about the proceedings and the decision shall be treated as confidential by the Parties. The Parties hereby agree that, at the request of either Party, a dispute between the Parties concerning the performance of this Agreement shall be heard in closed court proceedings.
10. CONTACT DETAILS OF DATA PROTECTION OFFICERS
10.1. E-mail addresses of the Data Protection Officer of the Data Processor and the Data Controller are indicated in the Special conditions of Master Agreement.
11. FINAL PROVISIONS
11.1. This Agreement is an integral part of the Master Agreement.
11.2. Each Party hereby represents and warrants that the representative of the Party has all the powers, consents and approvals necessary to sign this Agreement.
11.3. The invalidity of any provision of this Agreement shall not invalidate this Agreement in its entirety. The Parties undertake to make every effort to replace the invalid Clause of this Agreement with a new valid Clause which is closest in meaning and content to the invalid Clause and has a legal and economic result similar to that of the invalid Clause.
11.4. The Annexes to this Agreement shall form an integral part thereof. The Annexes to this Agreement are as follows:
11.4.1. Annex 1 – Description of Personal Data and Terms of Processing.
11.4.2. Annex 2 – Information on Sub-Processors.
ANNEX 1 – DESCRIPTION OF PERSONAL DATA AND TERMS OF PROCESSING
The purposes of the processing of Personal Data by the Data Processor are:
1. The Parties have entered into a service agreement for the provision of services, during the performance of which the Data Processor shall be obliged to process the Personal Data for which the Data Controller is responsible.
2. The main purpose of Personal Data processing shall be the provision and improvement of basic services – the provision of the MELP Platform for the administration of employee benefits.
3. Administration and hosting of customer employee accounts created on the MELP Platform.
4. Creation and administration of accounts for the MELP Platform for personnel specialists of the organizations (root admin).
5. Creation (on request) and administration of accounts for the MELP Platform for the personnel specialists of organizations.
Categories of data subjects whose Personal Data are processed by the Data Processor on behalf of the Data Controller:
Employees of the Data Controller or other persons related thereto.
Personal Data / categories of Personal Data processed by the Data Processor:
All categories of Personal Data entered by the Data Controller into the MELP Platform for the purpose of using the services provided for in the Master Agreement. The categories of Personal Data processed by the Data Processor shall always depend on the MELP functions used by the Data Controller (Objectives 1-3 of this Annex).
Identifying data (name, surname) and contact data (e-mail address, telephone number) (Objectives 4-5 of this Annex).
Personal data processing actions / operations performed by the Data Processor:
Any and all actions initiated by the Data Controller on the MELP Platform. The Personal Data processing actions and operations performed by the Data Processor shall always depend on which MELP functions are used by the Data Controller.
Administration and hosting of customer employee accounts created on the MELP Platform.
Creation and administration of accounts for the MELP Platform for personnel specialists of organizations (root admin).
Creation (on request) and administration of accounts for the MELP Platform for the personnel specialists of organizations.
Creation of customer employee accounts on the MELP Platform, at the separate request of the Data Controller, by importing a CSV or Excel format document containing employees' personal data provided by the Data Controller.
Location of personal data processing:
Republic of Ireland, Republic of Lithuania.
Systems: AWS (Amazon Web Services); Salesforce (CRM system); MELP Platform and Mobile Application.
Duration of processing of personal data (period):
1. Until the Data Controller deletes the Personal Data from the MELP Platform; or
2. Until the Data Controller instructs the Data Processor to delete the Personal Data from the MELP Platform.
3. In the event that the Data Controller neither deletes the Personal Data from the MELP Platform itself nor gives an instruction to delete or return the Personal Data within 10 calendar days of the termination of the Master Agreement, MELP shall immediately contact the Data Controller for instructions on what to do with the Personal Data. If the Data Controller does not respond within 10 calendar days from the date of receipt of the request, MELP shall permanently delete the Personal Data.
4. In the event that customer employee accounts are created on the MELP Platform at the separate request of the Data Controller by importing a CSV or Excel format document containing personal data provided by the Data Controller, MELP shall permanently destroy such documents immediately after the Personal Data have been imported.
Description of the technical and organisational measures taken by the Data Processor
ACCESS CONTROL (REQUIREMENTS FOR PHYSICAL PROTECTION MEASURES)
· The office premises shall be protected by a lockable door, to which the employee must have a magnetic card in order to enter;
· Office premises shall be protected by alarm and fire protection systems;
ACCESS CONTROL (RESTRICTION OF ACCESS TO SYSTEMS BY UNAUTHORISED PERSONS)
· Passwords shall be created and stored in accordance with the internal password policy and shall be changed at regular intervals;
· Physical and logical access to data centres shall be restricted to authorised personnel responsible for the respective functions.
ACCESS CONTROL (RESTRICTION OF UNAUTHORISED ACCESS TO SYSTEMS IN EXCESS OF ESTABLISHED POWERS)
· A username and password shall be required to access the Data Processor's systems and individual computers/accounts.
· The protection of user accounts and passwords and the procedure for their use shall be set out in the internal policy.
· If a user performs no actions on the system for a certain period of time, the session shall be locked and access to the system restricted. Access may be restored by re-entering the login details (username, password).
· Different authorisation levels shall be used at login to ensure that the access of each individual user is limited to a defined scope. Access by unauthorised users shall be restricted.
· Access to SharePoint shall be strictly restricted. The principle of least privilege shall be followed when granting access. Access shall be granted by the responsible person.
· All employees shall undertake confidentiality obligations when entering into employment contracts.
INPUT CONTROL (TRACEABILITY, DATA MANAGEMENT AND MAINTENANCE DOCUMENTATION)
· Connections to data management systems shall be made separately from other systems.
CONTROL OF INSTRUCTIONS
· The Data Processor shall rectify, delete or otherwise modify the Personal Data if so instructed by the Data Controller.
· Upon written instruction from the Data Controller, the Data Processor shall establish a procedure to ensure compliance with the specified traceability requirements.
ACCESSIBILITY CONTROL
· The Data Processor shall use antivirus and/or other security software in its operations.
· The Data Processor shall take appropriate measures to ensure the availability of the data and of the connection for as long as possible.
· Backup and restore procedures for Personal Data shall be in place.
· All customer data collected and stored by the Data Processor shall be encrypted using the data encryption solutions provided by AWS (RDS, S3, etc.).
SEPARATION CONTROL
· The data processing of the Data Controller shall be performed using a minimum of two environments (i) for production and (ii) for testing/programming purposes.
CERTIFICATES
· ISO/IEC 27001
Sub-Processor(s):
Current information is available at https://melp.com/legal/sub-processor
Transmission of data outside the EU and the EEA or to an international organisation (if applicable):
At the time of concluding the Agreement, Personal Data shall not be transferred outside the EU and the EEA or to an international organisation. Relevant information is available at www.melp.com
ANNEX 2. INFORMATION ON SUB-PROCESSORS
1. SUB-PROCESSORS:
Sub-Processors used by the Data Processor at the moment of the conclusion of the Agreement are listed on the webpage https://melp.com/lt/legal/sub-processor
Upon concluding this Data Processing Agreement, the Data Controller hereby agrees that the Data Processor shall use the sub-processors specified in this Annex 2 for the purposes specified in Annex 1 to the Agreement, in accordance with the requirements of Chapter V of the Agreement. In order to use the said sub-processors for the processing of personal data for purposes other than those set out in Annex 1 to the Agreement, the Data Processor undertakes to inform the Data Controller at least 15 calendar days before the start of such data processing operations.
2. PRIOR NOTICE ON THE USE OF NEW SUB-PROCESSORS
The Data Processor undertakes to inform the Data Controller of the appointment of a new Sub-Processor by e-mail at least 15 calendar days before the Sub-Processor starts the processing operations. If the Data Controller does not agree with the appointment of the Sub-Processor, this may be considered a ground for terminating the Master Agreement.
Version of the Data Protection Agreement: V.1.1.
Date of entry into force: 1 July 2024