These "Personal Data Processing" terms are signed between:
(a) On the one hand the client, hereinafter the "Data Controller", and
(b) On the other hand the company NETSTUDIO E.E., which, on the basis of an existing contractual relationship with the Data Controller, processes personal data in printed and/or electronic form, as defined in Article 4(1) GDPR, hereinafter the "Data Processor".
These terms are appended to the Main Contract between the parties hereto, in order to incorporate by reference into the parties' contractual relationship the articles and requirements of the General Data Protection Regulation (GDPR) 2016/679 in force in Greece and across Europe since 25 May 2018, and of the relevant Greek legislation as in force from time to time.
1. Obligations of the Data Processor
The Data Processor shall process the Personal Data only in accordance with this Data Processing Agreement and only on the documented instructions of the Data Controller (given by email or via the netstudio.support helpdesk). Such instructions must always be lawful; the Data Controller is liable for any unlawful or improper processing instruction it gives to the Data Processor. In general, the Data Controller assumes full responsibility for every processing operation it instructs the Data Processor to carry out, except where the Data Processor has acted on its own initiative.
The Data Processor shall implement appropriate technical and organisational security measures in accordance with Article 32 GDPR to prevent accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, the Personal Data, or any other processing in violation of data protection legislation. These technical and organisational security measures shall be defined taking into account: (a) the state of the art, (b) the cost of implementation, and (c) the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
The Data Processor shall fulfil its obligations under this Data Processing Agreement with the diligence expected of a competent and experienced Data Processor and, at minimum, in accordance with commonly recognised industry standards where applicable, with the aim of ensuring the quality and functionality of the technical solutions and the level of skill and capability of the staff assigned to perform the processing.
The Data Processor shall provide the Data Controller, upon request, with sufficient information to allow the Data Controller to verify the Data Processor's compliance with the obligations set out in Article 28 GDPR and in this Data Processing Agreement, including appropriate technical and organisational security measures.
The Data Processor undertakes the following additional obligations toward the Data Controller:
1.1. To process the Controller's personal data while observing the principles of each individual processing operation, with the aim of protecting and safeguarding the rights of the data subject in accordance with the GDPR, the law, the decisions of the Hellenic Data Protection Authority, the Controller's documented instructions and protection and security policies, for the period set in the Contract or in law.
1.2. Not to disclose, communicate, copy or grant access to the Controller's personal data to any third party, and not to subcontract processing to a sub-processor or agent, without the Data Controller's prior written permission and approval; this does not apply to disclosures required by a binding order or decision of a supervisory, government, tax, prosecutorial or judicial authority, of which the Data Processor must immediately notify the Data Controller in writing by any appropriate means.
1.3. To comply, in general, with the overall regulatory requirements of the GDPR. Where sensitive personal data or special categories of personal data are present, the Data Controller must inform the Data Processor in good time, fully and adequately so that special protection measures can be taken, for which there may be a financial cost to the Data Controller, following written notice from the Data Processor.
1.4. Netstudio's role as Data Processor does not make it responsible for any data loss from the Data Controller's website resulting from hacking or any other breach. It is the sole responsibility of the Data Controller to take all necessary measures to secure its website, including but not limited to:
1) using strong passwords stored and retrieved via a password manager,
2) revoking access for employees who leave the company,
3) keeping the website up to date with the latest security releases,
4) carrying out periodic security audits (penetration tests),
5) verifying backups.
2. Data transfers
2.1. The Data Processor shall declare in writing the physical location of the facilities and servers from which it will process the Personal Data under this Data Processing Agreement.
2.2. The Data Processor is, in principle, prohibited from transferring the Controller's personal data to countries outside the European Economic Area that are not covered by an EU adequacy decision (the list of non-EU countries with an adequacy decision is published at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en), and may do so only with the express permission of the Data Controller.
3. Obligation to report security incidents
3.1. The Data Processor shall report any personal data breaches that come to its attention to the Data Controller, in writing and by any appropriate means, without undue delay.
3.2. The breach report must state all of the following: (a) the type and cause of the breach, (b) when it occurred or was detected, (c) the printed records or electronic filing/software/database systems concerned, (d) the type, nature and categories of personal data potentially intercepted or compromised, (e) the approximate number of individuals affected, and (f) any potential adverse consequences and risks to the data subjects (e.g. identity theft, exposure of customer passwords or credit card numbers).
4. Liability of the Data Processor
4.1. The Data Processor may not engage another data processor (hereinafter "Sub-processor") for the processing of Personal Data under this Data Processing Agreement without the prior specific permission of the Data Controller.
4.2. The Data Controller has the right to revoke its permission for the use of a Sub-processor where it has objections on substantive and specific grounds.
4.3. The Data Processor warrants that its staff have undertaken a confidentiality commitment.
4.4. If the Data Processor is subject to third-country data protection legislation, the Data Processor declares that such legislation in no way prevents it from fulfilling the terms of this Data Processing Agreement, and that it will notify the Data Controller in writing without undue delay if it identifies any such impediment.
4.5. If the Data Processor is a legal entity, the terms and instructions of this Data Processing Agreement apply to all employees of the Data Processor (and any other persons authorised to process the Personal Data), and the Data Processor must ensure the compliance of its employees and any other persons it has authorised.
4.6. Upon termination of services relating to the processing of Personal Data under this Data Processing Agreement, and at the request of the Data Controller, the Data Processor shall (i) immediately delete all Personal Data, or (ii) return all Personal Data to the Data Controller (or to another data processor if requested by the Data Controller). However, the Data Processor is entitled to retain the Data Controller's Personal Data (or part of it) to the extent that EU or Member State law requires the Data Processor to continue storing it.
5. Term
5.1. These terms apply for the duration of the main contract.
5.2. Any dispute between the parties shall be settled amicably, otherwise by the courts of Athens, unless otherwise provided in the original contract.