GDPR Data Processing Agreement
Last Modified: May 22, 2018
This GDPR Data Processing Agreement (DPA) forms part of the Terms of Service available at https://www.datamolino.com/terms-of-service or such other location as the Terms of Service may be posted from time to time, entered into by and between the Customer and Datamolino s.r.o. (Datamolino), pursuant to which Customer has accessed Datamolino’s Services as defined in the applicable Terms of Service. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.
If the Customer entity entering into this DPA is not party to the Terms of Service, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Terms of Service, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Services to Customer pursuant to the Terms of Service, Datamolino may process personal data on behalf of Customer. Datamolino agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Services or collected and processed by or for Customer through the Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Terms of Service.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.
“data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
The parties agree that Customer is the data controller and that Datamolino is its data processor in relation to personal data that is processed in the course of providing the Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Datamolino pursuant to the Terms of Service.
The subject-matter of the data processing covered by this DPA is the Services ordered by Customer through Datamolino’s website and provided by Datamolino to Customer via www.datamolino.com or app.datamolino.com, or as additionally described in the Terms of Service or the DPA. The processing will be carried out until the term of Customer’s ordering of the Services ceases. Further details of the data processing are set out in Annex 1 hereto.
In respect of personal data processed in the course of providing the Services, Datamolino:
- shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Terms of Service or as otherwise notified by Customer to Datamolino from time to time). If Datamolino is required to process the personal data for any other purpose provided by applicable law to which it is subject, Datamolino will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
- shall notify Customer without undue delay if, in Datamolino’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
- shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
- may hire other companies to provide limited services on its behalf, provided that Datamolino complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Datamolino has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Datamolino remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Datamolino transfers personal data will have entered into written agreements with Datamolino requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Customer below in Annex 2. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing privacy@datamolino.com. Datamolino will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Datamolino’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Datamolino, terminate the Terms of Service.
- shall ensure that all Datamolino personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Clause;
- at the Customer’s request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Datamolino reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- when the General Data Protection Regulation (Regulation (EU) 2016/279) comes into effect, shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Articles 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Datamolino reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
- at the end of the applicable term of the Services, upon Customer’s request, shall securely destroy or return such personal data to Customer;
- may transfer personal data from the EEA to a service provider outside the EEA provided that Datamolino maintains safeguards in place to ensure the personal data remain protected;
- shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Terms of Service, which shall include providing reasonable access to the premises, resources and personnel used by Datamolino in connection with the provision of the Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Datamolino is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Datamolino of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Datamolino’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Datamolino’s IT system, data hosting sites or centers, or infrastructure will be permitted;
- If Datamolino becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Datamolino in the course of providing the Services (an “Incident”) under the Terms of Service it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer content. Datamolino shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
- Datamolino shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Annex 1
Details of the Data Processing
Datamolino shall process information to provide the Services pursuant to the Terms of Service. Datamolino shall process information sent by Customer’s end users identified through Customer’s implementation of the Services. As an example, in a standard programmatic implementation, to utilize the Services, Customer may allow the following information to be sent by default as “default properties:”
Types of Personal Data
When it comes to users of our Service:
- name
- phone number
When it comes to the files that users of our Service submit to us, we process the following data, some of which may be considered as personal data:
- IP address used during login to our Service
- Invoice Supplier and Customer data in the extent of: name, supplier id, tax id, vat id, bank account details, street, city, postal code, country.
- Invoice contents in the extent of: full invoice text, invoice description, invoice line items, invoice number, SEPA reference, variable symbol, specific symbol, issue date, tax date, due date, currency, currency rate, invoice quantities, sums and applicable taxes.
- Metadata connected to file uploads in the extent of: who uploaded the file, what file was uploaded, which channel was used to upload the file (web, email, api, mobile app), email address of the user that uploaded files to our service.
Additional detail regarding what information Customer may send to Datamolino can be found in the Terms of Service.
Categories of Data Subjects
Users of the Customer’s services.
Processing Activities
The provision of Services by Datamolino to Customer. Customer support and advertising of services to Datamolino users and Customers.
Annex 2
The subcontractors and subprocessors of Datamolino
Intercom – to provide customer support and chat and to send certain marketing and support emails, United States
DoubleClick by Google – to help manage our digital marketing activities, United States
Google AdWords Conversion – to see if our ad campaigns are effective, United States
Facebook Custom Audience – to provide relevant advertisements, United States
Facebook Connect – social media, United States
Google Dynamic Remarketing – to provide relevant advertisements, United States
Google AdWords User Lists – to provide relevant advertisements, United States
Google Analytics – to analyse the use of our site and improve it, United States
Hotjar – to see how users interact with our marketing site, United States
Linkedin – to help manage our digital marketing activities, United States
Mixpanel – to analyse user actions on our site and services that we provide, United States
Segment – to provide deeper usage analytics of our site and services that we provide, United States
IP Mappers – to provide you with our contact information relevant to your geolocation, United States
GA Audiences – to analyse traffic to our site, United States
AppSignal – to monitor technical performance of our site and services, Netherlands