a) The contractual parties shall protect the personal data which is collected and processed in order to carry out the Contract, and expressly confirm that they will handle the same in accordance with the General Data Protection Regulation (hereinafter: GDPR), the Data Protection Act and other applicable laws and regulations,
b) The contractual parties agree unanimously that the Client participates in the data processing as the data controller, while Xiphias participates in the processing of data as the data processor, based on these General terms and conditions and/or the Contract and according to the provisions of the GDPR,
c) Should Xiphias, as an exception, participate in the data processing as the data controller, the same shall be stated expressly in the Contract and Xiphias shall be bound by all provisions set forth in these General terms and conditions for the data controller,
d) In case of discrepancies between the provisions of the Contract and the provisions of these General terms and conditions with regard to the processing of personal data, in the parts where the processing of personal data is regulated, the provisions of these General terms and conditions shall prevail,
e) By concluding the Contract, and consequently by agreeing to these General terms and conditions, the Client authorises Xiphias to process the personal data of data subjects as to the nature and purpose of the processing, which is closely linked to the carrying out of the obligations of Xiphias arising from this Contract. Xiphias shall protect the secrecy of personal data and other information obtained from the Client and shall use the same solely for the contractually agreed purpose,
f) It is expressly stated that the processing of personal data shall last only as long as necessary for carrying out the Contract, or until the purpose of a particular processing of data is fulfilled,
g) The subject matter of processing shall be the following types of personal data:
   - identification information of the data subject (name and surname of the data subject, identification number/unique person identification number, personal identification number (Croatian: MB/JMBG, OIB), address (street, street number, city, postal code)),
   - contact information (phone numbers (landline, mobile), e-mail address),
h) By concluding this Contract, and consequently by agreeing to these General terms and conditions, the Client shall, as the data controller, apply appropriate technical and organisational measures to ensure, and be able to prove, that the processing of personal data based on this Contract is conducted in accordance with the GDPR, and is in particular obliged to:
   - provide lawful instructions to Xiphias, on a valid and lawful legal basis (lawful data processing) and in accordance with the other GDPR principles (purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability),
   - take appropriate measures to provide the data subjects with all the necessary information regarding the collection and processing of their personal data (including information on the identity of the data controller, the purpose of data processing, recipients and categories of recipients, as well as other information required by the GDPR),
   - reply to data subjects' requests based on the data subjects' right of access, right to rectification and erasure ("right to be forgotten"), right to restriction of processing, right to data portability, right to object and the other rights of the data subjects in accordance with the GDPR, and cooperate with Xiphias in complying with its obligations under the GDPR,
i) In cases when Xiphias is the data processor, Xiphias undertakes to:
   - process personal data only according to the lawful documented instructions of the Client/data controller and only for the purposes set forth in the Contract and/or these General terms and conditions,
   - ensure that the persons authorised to process personal data have committed themselves to confidentiality and comply with the legal obligations regarding confidentiality,
   - take all necessary measures as described in Article 14. m., Article 14. n. and Article 14. o. of these General terms and conditions, and respect the conditions for the possible engagement of another data processor as described in detail in Article 14. k. and Article 14. l. of these General terms and conditions,
   - taking the nature of the processing into consideration, assist the Client/data controller through appropriate technical and organisational measures, to the extent possible, in fulfilling the obligation of the Client/data controller regarding requests for the exercise of the data subjects' rights, and inform the Client/data controller of such requests should Xiphias receive them directly from the data subject,
   - assist the Client/data controller in ensuring compliance with the obligations set forth in Articles 32 – 36 of the GDPR (security of processing, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment and prior consultation), taking the nature of the processing and the information available to Xiphias into consideration,
   - inform the Client/data controller, without undue delay, of a personal data breach after having become aware of it, and inform it of all measures taken in regard to the same, or of all suggested planned measures, in order to minimise the negative effects of the breach,
   - at the request of the Client/data controller, delete, anonymise or return all personal data after the service for which the data is required has finished, and delete existing copies unless there is an obligation to store such personal data under the law of the European Union or the law of a member state, in which case Xiphias shall keep the data confidential and shall not process it actively,
   - inform the Client/data controller immediately if, in its opinion, a certain instruction is in breach of the provisions of the GDPR or other provisions of the European Union or a member state regarding data protection, or if one of these provisions hinders or may have a severe negative influence on the conduct of Xiphias according to the instructions of the Client/data controller,
   - upon request, cooperate with the supervisory authority in the fulfilment of its tasks,
j) In cases when Xiphias is the data processor, it is not authorised to engage another data processor without the prior specific or general consent of the Client/data controller. In case of a general written consent, Xiphias shall inform the Client/data controller of all planned changes regarding the addition or replacement of other data processors, in order to give the Client/data controller the opportunity to object to such changes,
k) If Xiphias engages another data processor for the conduct of specific processing activities on behalf of the Client/data controller, the same obligations stated in the Contract, these General terms and conditions and other legal acts between Xiphias and the Client shall apply to the other data processor as well, in particular the obligation to provide sufficient guarantees for the implementation of technical and organisational measures, so that the processing meets the requirements arising from the GDPR,
l) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Client/data controller and Xiphias/data processor shall cooperate and implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
   - the pseudonymisation and encryption of personal data,
   - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
   - the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,
   - a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing,
m) In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed,
n) The contracting parties shall take steps to ensure that any natural person acting under the authority of the Client/data controller or Xiphias/data processor who has access to personal data does not process that data except on the instructions of the Client/data controller, unless he or she is required to do so by Union or Member State law,
o) The contracting parties shall treat the personal data in a manner that ensures its confidentiality, integrity and availability,
p) Xiphias shall in no case be held responsible for the Client's conduct which may be in breach of the applicable provisions regarding data protection,
r) If Xiphias is held responsible for a breach of the provisions regarding data protection, based on the provisions of the GDPR, the Data Protection Act or other applicable laws and regulations, where the Client is responsible for that breach, the Client shall compensate Xiphias for all damages incurred within 15 days of the day of receipt of a written request from Xiphias.