Agreement concerning data processing by a processor in accordance with Art. 28 GDPR
Version: March 4, 2021
The controller:
User (Hereinafter referred to as client)
The processor:
Web Future Studio SRL
15 Episcopul Chesarie street, Office 2, Room 1, Tronson F building, ground floor
District 4, Bucharest, Romania
(Hereinafter referred to as contractor)
1. Subject matter of the agreement
(1) The subject matter of this agreement is the implementation of the following tasks: Automated processing of image data (including metadata) as well as integration, monitoring, and troubleshooting of image-related processes. This agreement is to be considered a supplementary document to the processor’s Terms of Use.
(2) The following data categories are processed: Contents of image files, their metadata, and processing instructions.
(3) The following categories of data subjects are subject to the processing: Persons referred to in data provided by the client, e.g., customers or collaborators of the client.
2. Duration of the agreement
The agreement does not have a defined endpoint and can be ended by either party with a notice period of one month on the last day of the month. The option to terminate due to exceptional circumstances remains unaffected.
3. Obligations of the contractor
(1) The contractor commits himself to process the data and the processing results exclusively within the scope of the client's assignment. Should the contractor be required to release data of the client by request of the authorities, then he has to – as far as it is legally permitted – inform the client of the above without delay and refer the authorities to the client. Likewise, the processing of data for the contractor’s own benefit requires written approval by the client.
(2) The contractor declares that he has imposed on any persons assigned to process the data, to adhere to the confidentiality practices prior to the beginning of the task, or that they are bound by an appropriate, legal non-disclosure obligation. The non-disclosure obligations are upheld, even when their assignment is completed, and the contractor no longer employs them.
(3) The contractor declares that he has taken all required steps to ensure that the security of the processing is upheld in accordance with Art. 32 GDPR.
(4) The contractor implements the appropriate technical and organizational measures so that the client can comply with the rights of the affected individuals as per chap. III of the GDPR (information, access, rectification and erasure, data portability, objection, as well as automated individual decision-making) at any time and within the legal deadlines and will submit all necessary information to the client. Should a relevant request be sent to the contractor and should this request show that the sender of the request mistakenly considers him the controller of the processing operated by the contractor, then the contractor must forward this request to the client without delay and notify the sender on the above.
(5) The contractor supports the client with adhering to the obligations, as outlined in Art. 32 to 36 GDPR (data security, notification of a personal data breach to a supervisory authority, communication of a personal data breach to the data subject etc.).
(6) With regard to the provided data, the client is entitled to view and check that data processing facilities at any time, whether in person or via a commissioned third party. The contractor is obligated to provide the client with all necessary information to monitor the compliance with the obligations as outlined in this agreement.
(7) Following the termination of this agreement, the contractor is obligated to destroy, at his request, all processing results and documents that contain data.
(8) The contractor must inform the client immediately, if he is of the opinion that an instruction of the client constitutes a violation of the data protection regulations of the Union or of the Member States.
4. Place of performance of data processing
Data processing is, at least in part, also executed outside of the EU or the EEA, namely in the USA. The appropriate data protection level is established on the basis of an adequacy decision by the European Commission in accordance with Art. 45 GDPR.
5. Sub-Processors
(1) The contractor can employ sub-processors. He must inform the client of the planned use of a sub-processor in such a timely manner, that the client can forbid it. The contractor enters into an agreement with the sub-processor in accordance with Art. 28 para. (4) GDPR. In doing so, he must ensure that the sub-processor adheres to the same obligations as the contractor, with regard to this agreement. Should the sub-processor not comply with data protection obligations, then the contractor is liable vis-à-vis the client for the compliance with obligations of the sub-processor.
(2) The contractor can employ the following sub-processor for the purpose of hosting of cloud infrastructure and services: Amazon S3 Cloud Services.
This service provider has been carefully selected since it offers strong guarantees that any operation involving Personal Data processing conducted by it complies with the GDPR.
The privacy policy of Amazon S3 Cloud Services can be accessed at the following link: https://aws.amazon.com/privacy/.