ByRATINGS, in its capacity as the party in charge of the processing, and in order to comply with the data protection regulations, will only process the data in the name and on behalf of the data controller, according to the latter's instructions and for the indicated purpose.
FIRST – Object
1.1 The object of this text is to define the conditions in accordance with which the Data Processor will process the personal data that is necessary for the correct provision of the Services to the Data Controller.
1.2 The provision of Services contracted entails the performance by the Data Processor of the following: processing, collection, registration, consultation, retention, dissemination, change and erasure of personal data.
1.3 In the event that the provision of Services entails the collection of personal data, the Data Processor will comply with the duty of information in accordance with the instructions received from the Data Controller.
SECOND – Duration
This contract will remain in force for the entire period of provision of the services contracted to the Data Processor.
THIRD – Purpose of the Processing
The personal data will be processed with the sole purpose of performing the services contracted. If the Data Processor deems processing for a different purpose necessary, it will need the prior written approval of the Data Controller. Absent said authorisation, the Data Processor will not be able to perform said processing.
FOURTH – Types of processed data and categories of profiles
4.1 The type of personal data that the Data Processor will process:
FIFTH – Data Controller's Obligations
In order to provide this Service, the Data Controller agrees to provide to the Data Processor the personal data and/or the information that is necessary for the adequate processing.
SIXTH – Data Processor's Obligations
6.1 The Data Processor agrees to fulfil the following:
a) Process the personal data with the sole purpose of providing the Services contracted, following the written instructions that the Data Controller may provide (unless a regulation requires complementary processing, in which case it will inform the Data Controller of said legal requirement prior to the processing, unless the law prohibits this for reasons of public interest).
b) Observe the duty of confidentiality in relation to the personal data to which it has access, even after the termination of the contractual relationship with the Data Controller, and guarantee that its own employees agree in writing to keep that confidentiality.
c) Guarantee a security level adequate to the risk by applying proper technological and organisational measures, considering the state of development of the technology, the application costs and the nature, scope, context and objectives of the processing, along with the potential level of risks for the rights and freedoms of the data subjects. These measures should include, amongst others:
• Pseudonymisation and encryption of personal data.
• The capacity to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and services of the processing.
• The capacity to restore the availability and access to the personal data in a prompt manner if there is a physical or technical incident.
• A procedure of regular verification, evaluation and assessment of the efficiency of the technological and organisational measures to guarantee the security of the processing.
Upon assessing the adequacy of the security level, the risks that the data processing presents will be of particular importance, especially as a consequence of the destruction, loss or accidental or illicit alteration of the personal data transferred, retained or processed in another way, or the unauthorised communication of or access to said data.
d) Keep under its control and custody the personal data to which it has access by reason of the Services provided and not disseminate, transfer or make any other form of communication of said data to anyone not included in the Parties' definition in the heading.
Nevertheless, the Data Controller can expressly provide written authorisation to the Data Processor to appoint another Data Processor (hereinafter, the “Subcontractor”), whose identification details (full name of the company and TIN) and subcontracted services will be communicated to the Data Controller before the provision of that service, with a minimum period of 1 (one) month in advance. Likewise, the Data Processor will inform the Data Controller of any expected change on the addition or replacement of Subcontractors, to give the Data Controller the opportunity to oppose said changes.
In the event that the Data Processor chooses the option mentioned in the previous paragraph, it will be obliged to inform the Subcontractor of the duties that it has under this Contract and, in particular, to guarantee that proper technological and organisational measures will be applied, to ensure that the processing is in accordance with the applicable legislation.
In any event, access to the data by individuals subcontracted by the Data Processor when acting within its organisational framework by virtue of a business relationship and not an employment relationship is hereby authorised. Likewise, data access by the service providers that the Data Processor has contracted to provide it with general or maintenance services (computing services, advice/consultancy, audits, etc.) is also authorised, provided that those tasks are not arranged by it with the aim of subcontracting to a third party all or part of the Services provided to the Data Controller.
e) Delete or return to the Data Controller, at the latter's choice, all the personal data to which the Data Processor has had access to provide the Service. Likewise, the Data Processor will be obliged to delete the existing copies, unless there is legislation requiring that the personal data be kept. Nevertheless, the Data Processor can retain the data, properly blocked, for potential responsibilities arising under its relationship with the Data Controller.
f) Notify the Data Controller, without undue delay, about the personal data security breaches of which the Data Processor becomes aware, giving support to the Data Controller in its notification to the Spanish Data Protection Agency or other competent controlling Authority and, if necessary, to those that have been affected by those security breaches. That support will also be given, when necessary, to the Data Controller's tasks of making a privacy impact assessment and of the prior consultation to the Spanish Data Protection Agency. It will also assist the Data Controller to fulfil its obligation of providing an answer to the data subject's request to exercise his/her rights.
g) Keep a written record of all the categories of processing activities performed for the Data Controller.
h) Cooperate with the Spanish Data Protection Agency or other competent controlling Authority, when requested by these in their own fields of competence.
i) Provide to the Data Controller all the necessary information to evidence the fulfilment of the obligations contemplated in this Contract for the performance of audits, including inspections, by the Data Controller or a third party authorised by it. The lack of accreditation of proper fulfilment of the obligations under this Contract by the Data Processor will be a sufficient reason to terminate the same.
SEVENTH – Contact Us
If you have any questions about this Notice or our processing of data, please contact us:
Lead Ratings S.L.
Paseo de San Juan 50, 4º1ª