A) Clauses for service providers with access to information systems.
1. Purpose of the treatment request
By means of these clauses, SilverSky is authorized, as the person in charge of processing, to deal on behalf of the organization, as the person responsible for the processing, with the personal data necessary to provide the service specified below.
The treatment will consist of Development and maintenance of the site for the client.
2. Identification of the affected information
For the execution of the benefits derived from the fulfillment of the object of this assignment, the organization, as responsible for the treatment, makes available to the SilverSky entity the information available in the computer equipment that supports the data processing performed by the responsible.
This agreement has a duration (determined by the SLA), being renewed automatically unless decided against by any of the parties.
Once the present contract ends, the person in charge of the treatment must return to the person responsible for the personal data processed and delete any copy that he keeps in his possession. However, you can keep the data blocked for the minimum time necessary to address possible liabilities that may arise from your relationship with the organization, destroying yourself safely and definitively at the end of that period.
4. Obligations of the treatment manager
The person in charge of the treatment and all its personnel is obliged to:
Use personal data to which you have access as a result of providing the service only for the purpose of this assignment. In no case may you use the data for your own purposes.
Treat the data in accordance with the documented instructions of the controller. If the data controller considers that any of the instructions provided violates the General Data Protection Regulation or any other provision regarding data protection, the person in charge will immediately inform the person responsible.
Not communicate or disseminate the data to third parties, unless you have the express authorization of the controller or in the legally admissible cases. If the manager wants to subcontract, totally or partially, the services that are the object of this contract, he must inform the person in charge and request his prior authorization.
Maintain the duty of secrecy regarding personal data to which you have had access under this order, even after the end of the contract.
Guarantee that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which the person in charge must inform them accordingly.
Maintain at the disposal of the person in charge the documentation proving compliance with the obligation established in the previous section.
Guarantee the necessary training in terms of protection of personal data of the persons authorized to process personal data.
Notification of data security violations :
The person in charge of the treatment will notify the person responsible for the treatment, without undue delay and through the e-mail address indicated by the person in charge, of the security breaches of the personal data in his charge that he/she has knowledge of, together with all the information relevant for the documentation and communication of the incident. Likewise, it will notify any failure that it has suffered in its systems of treatment and management of the information and that could endanger the security of the treated personal data, its integrity or availability, as well as any possible breach of the confidentiality as a result of the putting in the knowledge of third parties of the data and information accessed during the execution of the contract.
At least the following information will be provided:
a) Description of the nature of the violation of the security of personal data, including, when possible, the categories and the approximate number of interested parties affected, and the categories and the approximate number of personal data records affected.
b) Contact person data to obtain more information.
c) Description of the possible consequences of the violation of the security of personal data.
d) Description of the measures adopted or proposed to remedy the violation of the security of personal data, including, if applicable, the measures adopted to mitigate the possible negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.
e) Provide the responsible party with all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of audits or inspections carried out by the person in charge or by another auditor authorized by him.
Assist the treatment manager to implement the necessary security measures to:
a) Ensure confidentiality, integrity, availability and permanent systems resilience and treatment services.
b) Restore availability and access to personal data quickly, in case of physical or technical incident.
c) Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the safety of the treatment.
Destination of the data :
The person in charge of the treatment will not keep personal data related to the treatments carried out unless it is strictly necessary for the provision of the service object of the contract and only for the minimum necessary time.
Once the provision of the service object of the contract has been completed, the person in charge of the treatment will delete, return the person in charge or deliver, as the case may be, a new manager, as determined by the organization, all the personal data.
The destruction of data is not applicable when there is a legal provision that requires its conservation, in which case it must be returned to the responsible party who will guarantee its conservation, duly blocked, as long as such obligation persists.
The return must involve the total erasure of the existing data in the computer equipment used by the person in charge. However, the person in charge may keep a copy of the data, duly blocked, as long as responsibilities for the execution of the services provided to the controller can be derived.
5. Obligations of the controller
It corresponds to the person responsible for the treatment:
a) Provide the manager with access to the equipment so that he can provide the contracted service.
b) Ensure, prior to and throughout the treatment, compliance with the provisions in force in data protection material by the processor.
c) Supervise the treatment, including the possibility of requesting information to verify compliance with the obligations established in this contract.