ANNEX
NON-DISCLOSURE AGREEMENT –
PROTECTION OF PERSONAL DATA –
SAFETY SPECIFICATIONS
PREAMBLE
Cooperation Agreements were concluded / will be concluded between the Parties under specific terms and agreements set out in them.
In addition to the aforementioned agreements and for as long as the cooperation between them endures, the Parties agree and mutually accept the following:
A. NON-DISCLOSURE AGREEMENT
WHEREAS the Parties recognize that for their cooperation to proceed, it is necessary to disclose certain information which is confidential information and trade secrets (hereinafter referred to as "Confidential Information").
WHEREAS the term "Confidential Information" includes, but is not limited to, information disclosed by the parties either verbally or in writing or electronically or in any other way (without necessarily being "confidential") concerning: a) information in relation to the companies or affiliated companies of a group of companies or information about the employees or any other natural or legal person associated with them; (b) all financial data related to the main agreement, which will be used exclusively for the purposes of the cooperation (c) all kinds of information, such as data and details of organization, financial policy, business plans and strategies, partnerships and investments of companies and / or related companies, received by the Parties in any way and in any form (written, electronic or oral) and without necessarily being marked "confidential".
WHEREAS the limitations on disclosure or use of Confidential Information shall not apply to, and the Parties shall not be liable for disclosure or use of Confidential Information if any of the following conditions exist: (a) if, prior to the receipt thereof from the other Party, it has been developed independently by the recipient party, or was lawfully known by the recipient Party; (b) if, subsequent to receipt thereof (i) it is made available to the general public, without restriction, or (ii) it has been lawfully obtained by the recipient Party from other sources, provided such source did not receive it due to a breach of an obligation of confidentiality to a third party or the parties; or (c) if it becomes generally known to the public other than pursuant to disclosure by either Party
WHEREAS the Parties agree to accept the disclosure of such information on a confidentiality basis.
NOW, THEREFORE, in consideration of the promises and the covenants, conditions, and agreements and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties hereby agree as follows:
-
The Parties undertake to use the Confidential Information only within the scope of the agreed purpose.
-
The Parties neither will disclose by their acts nor cause the disclosure of confidential information to any third party.
-
The Parties undertake to make confidential information known only to those of their employees who need to know it and at the same time undertake that the above persons are fully aware of the obligations of the Parties arising from the present agreement and that they assume the same obligations as those set out in this agreement.
-
The Parties undertake to preserve confidential information and to take all necessary measures to prevent disclosure to unauthorized persons.
-
All confidential information, including copies thereof, irrespective of their use, will remain the exclusive property of the Party that disclosed it and will be returned to it without delay upon expiration - for any reason - of the cooperation, or upon request.
-
The Parties agree that in the event that one of them fails to fulfill the above obligations, compensates and redresses any damage suffered (costs, expenses, consequences) of the other Party.
-
The Parties recognize that confidential information is a valuable business secret and that unauthorized disclosure of such information will cause irreparable harm to the other Party.
-
The Parties recognize that their obligations regarding confidential information, non-disclosure and non-use of such information will continue to apply if the co-operation expires or is replaced for any reason.
Notwithstanding the foregoing, the recipient may disclose Confidential Information to the extent that such disclosure is required by Law or Court order, provided, however, that the recipient provides to the disclosing party prior written notice of such disclosure and reasonable assistance in obtaining an order protecting the Confidential Information from public disclosure.
B. PERSONAL DATA PROTECTION – SAFETY SPECIFICATIONS
PREAMBLE
These terms govern the protection of personal data exchanged between the Parties in the context and for the purposes of the cooperation agreement concluded or to be concluded. All terms are bilateral for the Parties.
1. DEFINITIONS
1.1 In the context of this Agreement, the following terms have the following meanings:
1.1.1 "Personal data protection Law": refers to Regulation (EU) 679/2016, as amended, as well as to all applicable national and European legislation, on the protection of individuals with regard to the processing of personal data, the protection of personal data and privacy in the electronic communications sector and any kind of restrictions or conditions regarding the Processing of Personal Data.
1.1.2 "Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.1.3 "Data Protection Supervisory Authority" means the supervisory authority or other competent authority responsible for the monitoring of the application of the Personal data protection Law in the context of Processing under this agreement.
1.1.4 "Applicable Law": all Laws, rules, regulations, regulatory provisions, including case Law, and any directive or circular of any Regulatory Authority and any applicable Code of Conduct as amended and are applicable to the Processing of Personal Data or otherwise in the performance of the obligations of any of the parties herein.
1.1.5 "Security Incident": any accidental, unlawful or unauthorized loss, destruction, alteration, access, use, disclosure, damage or deterioration of the Personal Data under process or otherwise any incident that may reasonably lead to accidental, unlawful or unauthorized loss, destruction, alteration, access, use, disclosure, damage or damage to the Personal Data under process.
1.1.6 "Personal Data" means any information relating to an identified or not directly or indirectly identifiable natural person and has the meaning assigned to it by the Personal Data Protection Law and includes, but is not limited to, the following information: name and surname, age, date of birth, sex, address, contact details, identification documents issued by public authorities (e.g. passport, social security number), identity number, location data, an on-line identifier or any special information related to the physical condition, health, psychological condition, genetic material, mental, economic, cultural and social identity of that natural person.
1.1.7 "Contract" means the cooperation agreement/agreements between the Parties.
1.1.8 "Subcontractor" means any natural or legal person to whom the Parties entrust the performance of all or part of their obligations under this Agreement or who in any case processes on behalf of the Parties the Personal Data.
1.1.9 "Services" means the services provided on the basis of the Parties' agreement / agreements.
1.1.10 "Personal Data under process" is defined as the Personal Data provided by any of the Parties to the other Party or the Personal Data which are under process by any of the Parties on behalf of the other Party. Personal Data under process include the following categories of data subjects and personal data.
Categories of Data Subjects: Customers and Staff
Categories of Personal Data: All
2. GENERAL OBLIGATIONS OF PARTIES
2.1 In fulfilling their obligations under the Contract, including the Processing of Personal Data under process, the Parties are required to comply with the Personal Data Protection Law.
2.2 The Parties are not entitled to use or process the Personal Data under process except to provide the Services specified in the Contract and only for the period specified in the Contract. If any such processing does not fall clearly within the scope of the agreed Services, the Parties shall not process such treatment unless there is a prior written instruction from the Party collecting the personal data and provided that it is permissible by Law. Subject to clause 3 of this Annex (Subcontracting), the Parties will not disclose the Personal Data under process to any third party, unless it is expressly required to do so by the Applicable Law. Each Party should take into account the suggestions of the other Party's Data Protection Officer if they are lawful, recognizing in advance that such suggestions are aimed at the unimpeded cooperation of the Parties. Each party is solely responsible for receiving and processing personal data that has come to its knowledge at the exercise of its commercial activity.
2.3 The Parties shall implement appropriate technical and organizational measures in accordance with applicable best practice and state of the art in the area of activity concerned to protect the Personal Data under process from accidental or unlawful destruction or accidental loss (including deletion), alteration (including destruction), unauthorized disclosure, use or access and any other illegal form of Processing. In particular, the Parties will ensure that access tests, encryption and pseudonymisation measures are applied, that there is a regular testing and evaluation procedure for the effectiveness of technical and organizational measures for the security of the processing.
2.4 The Parties shall ensure that the Personal Data under process is accessible and processed only by the personnel of the Parties which is strictly necessary to carry out the duties currently available to them and that such personnel is properly trained in relation to the Processing of Personal Data and is bound by a confidentiality obligation with regard to the Processing of Personal Data.
3. SUBCONTRACTORS
3.1 The Parties may engage with reliable Subcontractors in fulfilling their obligations and for the provision of the Services, under the terms and conditions of the present agreement.
3.2 Any Subcontractor may process Personal Data only if it is necessary to fulfill the Parties' obligations under the Contact and the Parties will make every effort to ensure that the Subcontractor will not process Personal Data for any other purpose.
4. SECURITY INCIDENT
4.1 In view of the purpose of the cooperation and in good faith, each Party shall notify the other Party as soon as possible once it becomes aware of any Security Incident through e-mail and this information shall include, wherever possible, the categories and approximate number of data subjects and records relevant to the incident, its impact and potential consequences and the affected data subjects from this Incident, as well as the corrective measures to be taken by the Parties. The duty to cooperate extends to cases where a data subject withdraws his / her consent. It is expressly agreed that the above duty of information between the parties concerns security incidents that are relevant to the purpose of their cooperation, as is apparent from the relevant Contract.
4.2 Each Contracting Party shall implement, at its own expense (insofar as the Security Incident stems from a breach of its obligations hereunder), all remedies to address the causes of the Security Incident and shall provide all reasonable assistance to other Party in the course of the corrective actions to be taken by the latter.
5. CO-OPERATION AND FACILITATION
5.1 The Party that processes personal data received from the other Party will also notify the other Party within three working days if it receives communication from any person, public authority or any third party about the Personal Data under process and it will not respond in any application unless it is required to do so in accordance with the Applicable Law. In that respect, the other Party will promptly facilitate with all reasonable means the Contracting Party which collects and processes the personal data, in order for it to respond to such requests regarding the Personal Data under the statutory deadlines.
6. DURATION AND TERMINATION
6.1 Breach of any term of this Annex is considered to be a material breach of the Contract.
6.2 It is expressly agreed that the obligations assumed by the Parties under this Annex shall survive the termination (by any means or in any manner) of the Contract.
7. FILE AND REPORTS
7.1 Each Contracting Party shall keep all records required by the Personal data protection Law and, at the request of the Party that collects the personal data, make it available to it.
7.2 Each Contracting Party shall have the right at its own expense and with prior notice and with the agreement of the other Party to conduct an audit of the systems, policies and procedures followed by the other Party in the processing of the Personal Data. Such inspection may be carried out with the agreement of the Parties up to once a year, with the exception of inspections made at the request of a competent Data Protection Authority, which may be requested at any time or following a security incident. Upon completion of the above inspections, the Party that carried out the audit should notify the other Contracting Party of non-compliance to the data protection obligations set forth herein. In this case, the under-inspection Party will have to make any necessary changes to comply with these obligations.
7.3 Notwithstanding the foregoing, each Party is under an obligation to provide at the request of the other Party any necessary information demonstrating its compliance with the Personal Data Protection Law, including, inter alia, a copy of the Reports of every Independent Auditor, which relates to the compliance with this Agreement (subject to the limitation that it will not be made more than once a year).
8. INTERNATIONAL TRANSMISSIONS
8.1 Each Party shall be obliged to notify the other Party in advance of any processing by people or by any of its Subcontractors established outside the EU. Upon signing this Agreement, the processing of Personal Data by the Parties and the subcontractors may also take place in countries outside the EU.
8.2 In any case the transmission is in accordance to the Personal Data Protection Law.
Last modified date: 13/6/2019
Publish date: 13/6/2019