General Data Protection Regulation (GDPR)
Subcontractor: Fix-IT SPRL – identified with the CBE under the number 0833.617.505
Processing Manager: Each customer of the Subcontractor, individually
Contractual relationship: the main contract between the Subcontractor and the Processing Manager defining the delivery of the services and / or the products or the collaboration between them, including all its modifications and annexes and all that is later agreed between the Parties.
Fix-IT, as a subcontractor, agrees to respect the following obligations.
Article 1: Data Processing
The Subcontractor undertakes to Process the Data in accordance with the written instructions of the Processing Manager contained in any Contractual Relationship or given in any official communication by the Processing Manager.
If the Subcontractor reasonably considers that an instruction constitutes a violation of the GDPR or of other provisions of European Union or Member State data protection law (“Contested Instruction”), it shall immediately inform the Processing Manager.
In the event of such notification, the Subcontractor is authorized to suspend the execution of the Contested Instruction and to continue processing the Personal Data in accordance with the instructions previously received. The controller will not be entitled to compensation in this respect.
If the Subcontractor is obliged, under European Union law or the law of the Member State to which it is subject, to transfer Personal Data to a third country or to an international organization, it shall inform the Person responsible for processing of this legal obligation prior to the Processing, unless the law concerned prohibits such information for reasons of public interest.
Article 2: Confidentiality
The Subcontractor undertakes to guarantee the confidentiality of Personal Data processed within the framework of the Contractual Relationship between the Parties.
To this end, access to Personal Data is strictly limited to persons who, in the context of the performance of the Contractual Relationship between the Parties, must have access to it or be aware of it.
The obligation of confidentiality remains in force after the termination of the Contractual Relationship between the Parties.
Article 3: Authorized persons
The Subcontractor undertakes that persons authorized to Process Personal Data:
■ undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
■ are sensitized to / trained in the protection of personal data.
Article 4: Technical and Organizational Measures
Given the state of knowledge, the costs of implementation and the nature, scope, context and purpose of the Processing, as well as the risks, of varying probability and severity, to the rights and freedoms of natural persons, the Subcontractor implements appropriate Technical and Organizational Measures to ensure a level of security adapted to the risk.
These Technical and Organizational Measures will, inter alia and where applicable, include the list of applicable minimum security measures below.
Article 5: Subsequent Subcontracting
The Subcontractor is authorized to use another Subcontractor (hereinafter the Subsequent Subcontractor). Through the Contractual or similar relationship, the Processing Manager grants the Subcontractor general authorization to engage Subsequent Subcontractors.
The Subcontractor may continue to work with Subsequent Subcontractors who had already been appointed on the effective date of the DPA provided they meet the following conditions as soon as possible.
These conditions apply to any subsequent Subcontracting:
■ The Subcontractor must ensure in advance that the Subsequent Subcontractor provides sufficient guarantees for the implementation of appropriate Technical and Organizational Measures so that the Processing meets the requirements of the GDPR.
■ The Subcontractor contractually imposes upon the Subsequent Subcontractor the same data protection obligations as those set out in Article 4.
As part of this general authorization, the Subcontractor undertakes to inform the Processing Manager at least two (2) weeks in advance of the changes envisaged regarding the addition or replacement of Subsequent Subcontractors, giving the controller the possibility to issue any objections (on reasonable grounds) to these changes. Unreasonable and invalid objections include, but are not limited to, undocumented objections. Reasonable and valid objections include, but are not limited to, situations in which the Data Controller has made documented objections to the Subcontractor’s ability to protect Personal Data and to guarantee its protection and confidentiality. In order to be valid, objections must be issued before the expiration of half of the notice period.
The Subcontractor will endeavor to provide a reasoned response to the (documented and valid) objections made. If the Subcontractor does not fulfill its Data Protection obligations, the Subcontractor remains fully responsible to the Processing Manager for the obligations of the other Subcontractor.
Article 6: Rights of Concerned Persons
It is the responsibility of the controller to provide the persons concerned with the information provided for in relation to their rights (Chapter III of the GDPR).
Whenever possible, taking into account the nature of the Processing, and through appropriate Technical and Organizational Measures, the Subcontractor will provide all reasonable assistance to enable the Controller to fulfill his obligation to comply with requests for the exercise of the rights of the persons concerned.
Article 7: Assistance to the Manager in terms of impact analysis and prior consultation
The Subcontractor assists the Processing Manager in ensuring compliance with its obligations regarding impact analysis and prior consultation (GDPR Articles 35 to 36), taking into account the nature of the Processing and the information available to the Subcontractor (unless this information is already available to the Controller). The Subcontractor will provide all reasonable assistance to enable the Controller to fulfill its obligation to respond to requests for the exercise of the rights of individuals concerned.
Article 8: Violation of Personal Data
The Subcontractor will notify the Person in charge of the Processing of any Personal Data Violation as soon as possible and without undue delay after having become aware of it. This notification shall be accompanied, as far as possible, by all relevant documentation in order to enable the Controller, if necessary, to notify the relevant Control Authority of this violation.
Article 9: Deletion or return of Personal Data
The Subcontractor will delete or have deleted (by the Subsequent Subcontractors) all copies of the Personal Data of the Data Controller, as soon as possible and, in any event, within 12 months from the date on which the service provision relating to the Processing of Personal Data has ended (End Date). The Processing Manager is free to require, by written notification to the Subcontractor within 15 days after the End Date, that the Subcontractor return a complete copy of all Personal Data.
The Subcontractor will respond to any written request of this nature as soon as possible and at the latest within 3 months after the End Date. If, under the law of the European Union or the law of the Member State, the Subcontractor is obliged to keep the Personal Data of the Data Controller for a prescribed period, the deadlines indicated above do not apply; they will start running only at the end of the imposed period. In this case, the Subcontractor will guarantee the confidentiality of such Personal Data and will ensure that such Personal Data of the Data Controller is processed exclusively for the purposes specified in the laws that require it to be retained.
Article 10: Documentation and Auditing Rights
At the request of the Processing Manager, the Subcontractor will make available all the information necessary to demonstrate compliance with this DPA, and to allow the conduct of audits or inspections by the Processing Manager himself or herself or by an auditor whom he or she has appointed for this purpose.
The Subcontractor will be entitled to compensation from the Data Controller for the communication and provision of the necessary information.
Any request for audit must be made in writing at least 15 working days in advance by the Processing Manager.
The audit will take place only during working hours and without substantially disrupting the operational activities of the Subcontractor. Audits will be charged at a daily rate of € 1,000.00 (excluding VAT).
Details of the processing of the Contractor’s personal data
This page contains certain details about the Processing of Personal Data of the Data Controller, as stipulated in Article 28 (3) of the GDPR.
Purpose and Duration of Processing of Personal Data of the Processing Manager
The purpose and duration of the processing of personal data of the controller is described in the Contractual Relationship and this annex.
The Nature and Purpose (Purpose) of Processing the Personal Data of the Process Owner
In accordance with the legal and regulatory provisions and with the instructions of the Customer, the personal data are used by Fix-IT, as a subcontractor, to offer computer technical assistance.
Types of Personal Data of the Processing Manager
Personal identification data, hours of presence
The categories of Interested persons to whom the Personal Data of the Person Responsible for Processing relates
The staff occupied by the controller
Minimum security measures applicable
1. Security Policy
The subcontractor has a security policy and security procedures. These are periodically reviewed, updated and communicated to staff and authorized third parties.
2. Security Organization
Security responsibilities are defined and assigned to the subcontractor.
3. Human Resources
The internal and external collaborators of the subcontractor are made aware of the security of information and personal data in particular.
4. Asset Management
The subcontractor has a regularly updated inventory of assets. The rules for using these assets are defined and clearly communicated.
5. Physical and Environmental Security
The premises of the subcontractor where the information, the data and their processing devices are located have secure access.
6. Operational Security
■ The contractor implements anti-virus and anti-malware measures to prevent tampering or theft of data using malware. These protections are regularly updated.
■ The subcontractor has a process for managing access requests.
■ Employees’ access is limited to the information necessary for the performance of their duties. Administrator rights on the systems are strictly limited to the indispensable persons.
■ The subcontractor has a password policy (including special characters, minimum length, regular change).
■ The subcontractor has in place a backup policy that allows the restoration of data in case of need (loss, damage, theft, etc.).
■ The use of storage media (USB, external hard disk, etc.) is regulated.
7. Communications Security
The subcontractor uses security measures to protect information transfers using secure protocols.
8. Incident Management
The contractor has a documented incident management procedure that is communicated to staff and authorized third parties.
The subcontractor limits the risk of system failure through good maintenance and redundancy.