Data Processing Agreement

THIS DATA PROCESSING AGREEMENT (“Data Processing Agreement”) is entered into by and between Gravity Research and Development Zrt. (Company reg. no.: 08-10-001848; registered seat: Bálint Mihály str. 64., H – 9025 Győr, Hungary; postal address: 1113 Budapest, Villányi út. 40/b, Hungary; tax no: HU23841901; “Gravity” or „Data Processor”) and the company ordering Yuspify services via https://yuspify.com/ website („Data Controller”) (jointly referred to as „Parties” and separately as „Party”).

(A) This Data Processing Agreement complements the Gravity Terms of YUSP Service (“Service Agreement” available online at https://yuspify.com/altalanos-szerzodesi-feltetelek/ for Hungarian legal entities, and https://yuspify.com/en/terms-and-conditions/  for all other legal entities. accepted by the Data Controller for the purpose of receiving Yuspify services (“Services”). The Parties amend the Service Agreement with this Data Processing Agreement in order to specify the provisions regarding the processing of Personal Data by the Data Processor.

(B) The purpose of this Data Processing Agreement is to provide the necessary data protection safeguards and to ensure that the processing of Personal Data is in compliance with the statutory obligations of the Data Controller and the Data Processor.

(C) If any provisions of this Data Processing Agreement are contrary to the provisions of the Service Agreement then the provisions of this Data Processing Agreement shall prevail. Capitalized definitions included but not defined in this Data Processing Agreement (if any) shall have the meaning specified by the Service Agreement.

  1. DEFINITIONS
    1. The below definitions shall have the following meaning under this Data Processing Agreement:   Personal Data Breach breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; Data Processing Agreement this Data Proceassing Agreement – including any of its future amendments – consisting of the conditions specified by the body text, its Annexes, Appendices, any attachments and documents becoming part of this Data Processing Agreement by explicit references; Data Processor a natural or legal person which processes personal data on behalf of the Data Controller; Data Controller a natural or legal person which alone or jointly with others, determines the purposes and means of processing personal data; Auditor as defined in Section 10; Data Subject identified or identifiable natural person; European Economic Area (EEA) the economic area consisting of the territory of the member states of the European Union and the member states of the European Free Trade Association (Iceland, Liechtenstein and Norway) excluding Switzerland; Processing any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Any expressions of this Data Processing Agreement referring to “to process” or “processed” shall be understood identically; GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); Applicable Laws Laws applicable to the subject matter of this Data Processing Agreement especially but not limited to the GDPR; Approved Subcontractor Subcontractors defined by Annex No.1. and any other subcontractors approved by the Data Controller; Approved Purpose activities necessary (i) in order to fulfil the purpose of the Service Agreement or (ii) defined by the Data Controller in writing on a case-by-case basis; Contact Person Representatives of the Parties defined in Annex No.1. Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Service Agreement The Service Agreement concluded between the Parties regarding the services provided by the Data Processor to the Data Controller;
      Services Services provided by the Data Processor pursuant to the Service Agreement.
  2. Instructions of the data controller
    1. This Data Processing Agreement regulates the processing of Personal Data by the Data Processor in order to perform the Services specified by the Service Agreement. The Data Processor shall process Personal Data according to the Approved Purpose in compliance with the Applicable Laws, this Data Processing Agreement, the Service Agreement and the additional instructions of the Data Controller. Additional instructions may be given by the Data Controller in writing (including instructions given via e-mail/other recorded/retrievable electronic means). The Data Controller shall be liable for the compliance of its instructions with all Applicable Laws including but not limited to the provisions of the GDPR. If any of the Data Controller’s instructions are not in compliance with the Applicable Laws including but not limited to the GDPR, then the Data Processor shall immediately notify the Data Controller.
  3. Approved purpose of data PROCESSING
    1. The Data Processor shall only process the Personal Data in line with the Approved Purpose.
  4. Assistance by the data processor
    1. The Data Processor shall assist the Data Controller without undue delay and ensure that the Approved Subcontractors of the Data Processor also assist the Data Controller so that the Data Controller can provide information regarding the data processing activities to Data Subjects and national supervisory authorities. The Data Processor shall provide such reasonably requested information and assistance so that the Data Controller can comply with its statutory obligation and the requests of the competent authorities. The Data Processor shall in particular:
      1. erase or correct inaccurate Personal Data;
      2. provide a copy of all Personal Data processed by the Data Processor or any Approved Subcontractors;
      3. provide information regarding the processing of the Personal Data;
      4. assist with any objections or requests made by or on behalf of Data Subjects in relation to the processing of Personal Data; and
      5. if necessary, provide further reasonable assistance for the Data Controller so that the Data Controller can comply with its statutory obligations including assistance with data protection impact assessments.
    2. The Data Processor shall notify the Data Controller within 8 (eight) working days in case of receiving a request to access or an objection or any other request regarding the processing of Personal Data from the Data Subject by the Data Processor or any Approved Subcontractors. The Data Processor shall not make any acknowledgements or apply any measures that may negatively affect the defence against such objection or the handling of the case and shall provide reasonable assistance to the Data Controller.
  5. Use of subcontractors
    1. The Data Processor shall only use subcontractors that qualify as an Approved Subcontractor for the purpose of performing its Services. The Data Processor shall ensure that the Approved Subcontractor processes Personal Data in compliance with this Data Processing Agreement. Security measures applied by the Approved Subcontractor shall provide at least the same level of protection as the security measures prescribed for the Data Processor by this Data Processing Agreement. The Data Processor shall limit the Approved Subcontractor’s access to the Personal Data to the extent necessary for the performance of the contractual obligations.
    2. The Data Processor shall ensure that a written data processing agreement is concluded between the Data Processor and the Approved Subcontractor pursuant to the applicable laws – in particular Article 28 (2)–(4) of the GDPR – before the concerned Approved Subcontractor begins the processing of any Personal Data. The data processing agreement shall ensure that the obligations imposed on the Approved Subcontractor provide at least the same level of protection to the Personal Data as the provisions of this Data Processing Agreement
    3. For the purposes of this Data Processing Agreement the Data Processor shall be liable for all conducts and omissions of its subcontractors (whether Approved Subcontractor or not) that affects the Data Controller, the Personal Data or any Data Subjects.
    4. The Data Controller may at its sole discretion withdraw any approvals regarding the use of any subcontractors by the Data Processor. In such cases the Data Controller shall provide the Data Processor with a reasoning of such withdrawal. If the withdrawal limits the Data Processor in performing the Services the Parties shall engage in negotiations in good faith regarding alternative solutions and/or subcontractors in order to ensure the continued provision of the Services.
    5.  The Data Controller acknowledges and approves that the Data Processor may engage Approved Subcontractors which process Personal Data outside of the European Economic Area. The Data Processor undertakes to provide appropriate safeguards when contracting with such Approved Subcontractors in particular to conclude standard data protection clauses adopted by the European Commission.
    6.  The current list of the Approved Subcontractors and their respective data processing activities are specified by Annex No. 1 of this Data Processing Agreement. The use of other subcontractors or change in Approved Subcontractors is allowed only if the Data Controller provides a written approval in advance regarding the subcontractor or:
      1. the Data Processor notifies the Data Controller in advance in writing about the outsourcing of any activities affecting the provision of Services to a subcontractor; and
      2. the Data Controller fails to make an objection to the Data Processor against the planned outsourcing within 15 days calculated from the receipt of the notification by the Data Controller; and
      3. a data processing agreement has been concluded between the Data Processor and the subcontractor pursuant to Section 5.2 above.
  6. Technical and organizational security measures
    1. The Data Processor shall apply appropriate technical and organizational security measures in order to prevent damages arising from unauthorized or unlawful processing, loss, destruction, damage, alternation or unauthorized disclosure of Personal Data having regard to the nature of the protected Personal Data as well as the associated risks. The level of security shall comply with the security measures specified by Annex No. 2.
    2. The Data Processor shall document the applied technical and organizational security measures in order to comply with the requirements specified by Annex No. 2. The documentation shall be provided for the Data Controller upon request.
    3. If the Data Processor becomes aware that its organisation or any Approved Subcontractor’s organisation is not in compliance with the security measures specified by Annex No .2, the non-compliance might need to be reported to the Data Controller pursuant to the rules of reporting Personal Data Breach as defined by Section
  7. Confidentiality
    1. The Data Processor shall ensure that the Data Processor and its employees keep confidential all Personal Data and that the employees of the Data Processor may access Personal Data only to the extent necessary for their work. The Data Processor shall particularly ensure that all employees processing Personal Data sign appropriate confidentiality agreements and are adequately trained and educated with respect to the processing and confidentiality of Personal Data.
    2. Personal Data shall be regarded as confidential information owned by the Data Controller and/or the Data Subject. In addition to the provisions of this Data Processing Agreement, the confidentiality provisions and any obligations undertaken by the Parties in the Service Agreement or otherwise shall also be applicable to the Personal Data.
  8. Monitoring, audit
    1. The Data Processor shall keep all information that are necessary for verifying compliance with the provisions of the Data Processing Agreement. The Data Processor shall maintain an up-to-date record of data processing activities in accordance with Article 30 of the GDPR.
    2. 8.2 The Data Controller is entitled to monitor and audit by its own auditor the Data Processor’s compliance with this Data Processing Agreement during the Data Processor’s regular business hours with a 10 (ten) working day prior notice in accordance with this section 8. The Data Controller is entitled to appoint an independent third party auditor (“Auditor”) in order to examine and audit the technical and structural security measures applied by the Data Processor in order to protect the Personal Data processed by the Data Processor during the Data Processor’s regular business hours with a 10 (ten) working day prior notice. The Data Controller/Auditor is entitled to conduct maximum one audit at the Data Processor in a calendar year. The Data Processor shall provide all reasonable assistance necessary for such audits. The Data Controller is entitled to receive the full version of the report prepared by the Auditor. The Data Controller and the Auditor shall keep the audit report confidential and cannot forward it to any third party, entity or authority without the prior, written consent of the Data Processor except if the competent data protection authority request the report in line with Applicable Laws.
    3. If the audit reveals any non-compliance the Data Controller shall be entitled to conduct reasonable follow up audit (e.g. by its own auditor) to the extent necessary in order to protect its interests specified by this Data Processing Agreement.
    4. The Parties shall bear their own costs of conducting monitoring or audits as specified in Section 8.
  9. Reporting personal data breach
    1. If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay but within 48 hours at the latest as from gaining knowledge of the Personal Data Breach and shall fully cooperate in order to reasonably remedy the issue as soon as possible. The notification shall include the data and information specified by Annex No. 3. in particular the following information (if available):
      1. description of the Personal Data Breach including the nature of Personal Data Breach, categories and number of affected Data Subjects; summary of the events leading to the Personal Data Breach; the date of the concerned event; the categories and number of the affected data records; the nature and content of the affected Personal Data, the location of the Personal Data Breach and the affected data medium;
      2. description of the likely consequences and potential risks that the Personal Data Breach may cause to the Data Subject(s);
      3. description of the measures recommended or taken by the Data Processor and/or the Approved Subcontractor to mitigate the harmful effects of the Personal Data Breach;
      4. any additional information that may be relevant for mitigating and managing the Personal Data Breach, in particular information that the Data Controller formerly marked as relevant.
    2. The notification on Personal Data Breach shall be sent to the Contact Person of the Data Controller specified by Annex No. 1 via e-mail as follows:
      1. the e-mail shall be marked as urgent with a subject including: “URGENT – BREACH OF PERSONAL DATA”; the e-mail shall be sent to the e-mail address of the Data Controller’s Contact Person and to the email address given by Data Controller at the registration process of Yuspify services; and
      2. following the notification as specified above the Data Processor shall immediately call the Contact Person of the Data Controller and provide detailed information of the Personal Data Breach
    3. The Data Controller may give additional detailed guidance and instructions to the Data Processor regarding how to communicate and act in case of detecting a Personal Data Breach.
    4.  In case of a Personal Data Breach the Contact Person of the Data Processor shall be available in order to provide immediate reasonable assistance and to answer all additional relevant questions of the Data Controller.
    5. Depending of the nature of the Personal Data Breach the Data Controller may have an obligation to report the Personal Data Breach to the competent data protection authority and/or inform the Data Subjects. The Data Processor shall provide the Data Controller with all reasonably requested information that are necessary for the Data Controller to comply with the above reporting and information obligations. The Data Processor shall not be entitled to make reports to any data protection authorities or inform Data Subjects about Personal Data Breach unless expressly required by the Applicable Laws or the Data Controller consents in writing to that or instructs the Data Processor in writing to do so.
  10. Additional notifications
    1. The Data Processor shall:
      1. notify the Data Controller in writing without undue delay regarding any planned modification of the technical, organizational or financial aspects of the Services provided by the Data Processor and any organizational changes of the Data Processor or its Approved Subcontractors that may adversely affect the ability of the Data Processor or its Approved Subcontractors to process the Personal Data in compliance with this Data Processing Agreement;
      2. notify the Data Controller without undue delay if any data protection authorities or other bodies orders the Data Processor or any of its Approved Subcontractors to provide access to the Personal Data processed by the Data Processor. If possible, such notification shall be made before the provision of any Personal Data or other information on the data processing activity by the Data Processor to the extent permitted by the Applicable Laws.
    2. Applicable Laws or courts, authorities or other bodies oblige or order the Data Processor to retain documents or other materials including Personal Data that the Data Processor shall otherwise return or destroy, the Data Processor shall notify the Data Controller of the data retention obligation in writing to the extent permitted by the Applicable Laws by specifying the details of the retained documents or materials.
    3.  Any notifications shall be regarded as delivered in writing when sent to the Contact Person of the other Party via e-mail.
  11. Obligation to erase data
    1. Personal Data processed by the Data Processor cannot be retained by the Data Processor after the time necessary for achieving the purpose of the processing the Personal Data.
    2. The Data Processor shall erase all Personal Data processed within the framework of this Data Processing Agreement when the Service Agreement expires or terminates unless otherwise instructed by the Data Controller or Applicable Laws require the retention of Personal Data by the Data Processor. For the purposes of this Section erasure shall mean erasing Personal Data pursuant to the best industry standards in a way that the Personal Data cannot be restored by any known technologies.
    3. The Data Processor shall request permission from the Contact Person of the Data Controller before erasing any Personal Data. If the Data Processor is not granted such permission the Data Processor shall be entitled and obliged to erase the Personal Data following a 30 (thirty) day period after the Service Agreement expires or terminates unless otherwise instructed in writing by the Data Controller or Applicable Laws require the retention of Personal Data by the Data Processor.
    4. Notwithstanding the above the Data Processor shall erase the Personal Data during the term of this Data Processing Agreement upon written request by the Contact Person of the Data Controller.
  12. Term
    1. This Data Processing Agreement shall enter into force on the day of its execution by all of the Parties thereto and shall remain in force until the Data Processor processes the Personal Data.
  13. Breach of contract
    1. Any non-compliance with the requirements specified by this Data Processing Agreement shall be regarded as a breach of contract by the Data Processor. The Data Processor shall ensure that any potential breach of contract is remedied as soon as reasonably possible. The Data Processor shall continuously inform the Contact Person of the Data Controller regarding any potential developments and document the measures applied in order to remedy the non-compliance.
    2. Irrespective of the above, in case of any breach of this Data Processing Agreement the Data Controller shall be entitled to order the Data Processor to suspend or cease the processing of Personal Data with immediate effect.
    3. The Data Processor shall fully indemnify the Data Controller in respect of all reasonable and justified claims, obligations, costs, expenses, damages and losses that arise directly due to the non-compliance of the Data Processor with this Data Processing Agreement and the Applicable Laws. In case of any third party claims the Data Processor shall: i) notify the Data Controller without undue delay; ii) reasonably assist and cooperate with the Data Controller; and iii) allow the Data Controller to take part in defending against the claims including resolving the dispute.
  14. Surviving provision
    1. All provisions of this Data Processing Agreement that are expressly or consequently intended to be fulfilled or remain in force following the termination of this Data Processing Agreement shall fully remain in force following the termination of this Data Processing Agreement.
    2. For the avoidance of any doubts confidentiality obligations specified by Section 7 of this Data Processing Agreement including the confidentiality obligations of employees, consultants etc. shall remain in force following the expiry or termination of this Data Processing Agreement.
  15. Miscellaneous
    1. Entire Agreement; Contradictory Provisions: This Data Processing Agreement supersedes and repeals all current or prior oral or written undertakings, covenants, agreements or communications, in particular all prior data processing agreements between Data Controller and the Data Processor with respect to the subject matter of this Data Processing Agreement. If any provisions of this Data Processing Agreements are contrary to any provisions of the Service Agreement, the provisions of Section 1.2 above shall apply.
    2.  Liability: The liability of the Parties shall be as specified by the GDPR. The Data Processor shall be fully liable for breaching any obligations specified by this Data Processing Agreement and the Applicable Laws.
    3. Applicable law: Hungarian law shall be applicable for this Data Processing Agreement. The Parties declare that at the time of the execution of this Data Processing Agreement the relevant Hungarian data protection legislation has been harmonized with the provisions of the GDPR.
    4. Dispute resolution. All legal proceedings, disputes, procedures or claims arising out of or in connection with this Data Processing Agreement shall be resolved exclusively and finally by the competent courts of Hungary.