- Involved or involved persons: the identifiable natural person whose personal data is processed.
- Data leak: a breach of the security of personal data that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized disclosure of or access to data transmitted, stored or otherwise processed.
- Personal data: all information about an identified or identifiable natural person, which TISG processes for the controller in the context of the cooperation agreement.
- Employee(s): the persons authorized by the parties for the execution of this processing agreement and who work under their responsibility.
- Sub-processor: any third party engaged by the processor to process personal data on behalf of the processor, without being subject to the direct authority of the processor.
- Applicable Law: Laws or other (local) regulations, ordinances, guidelines or policies, instructions or recommendations of governmental authorities that apply to the processing of the personal data, including any changes, replacements, updates or other later versions thereof;
- Processing: any operation or set of operations relating to personal data or a set of personal data, whether or not carried out by automated means, such as collecting, recording, organizing, structuring, storing, updating or changing, retrieving, consulting, using, providing by by means of transmission, distribution or otherwise making available, alignment or combination, blocking, erasure or destruction of data.
- TISG undertakes to only process personal data on behalf of the controller in the context of the activities, as described in the cooperation agreement. The cooperation agreement and the processing agreement jointly determine the subject and duration of the processing.
- For the implementation of the cooperation agreement, the continuous development of the IDIL application and to support the controller, TISG can subject the personal data to the following processing operations for the entire duration of the agreement: Store, update or change, consult, use, protect, delete or destroy data.
- TISG processes the following types of personal data:
Names, addresses, residences/establishments, e-mail, telephone numbers, IP addresses, location data, device types, GLN/VAT number, contacts. This personal data relates to the following categories of data subjects:
- Data Controller Customer Relationships.
Rights and obligations of the controller
- The controller makes the personal data available to TISG. The controller determines the purpose and means of the processing. The Controller guarantees that the processing of the personal data, including the collection, takes place in accordance with the relevant applicable Legislation.
- If the employees of the controller process personal data themselves, the responsibility for compliance with the applicable legislation falls under the responsibility of the controller.
- TISG may only process the personal data that are strictly necessary for the execution of the cooperation agreement. TISG has no control over the purpose of the processing of personal data.
- TISG will only disclose the personal data to employees and/or sub-processorss who (necessarily) have access to the personal data for the performance of the obligations under the collaboration agreement, unless otherwise required by applicable law.
- TISG does not process personal data at a location outside the European Economic Area other than possible services from Google, iCloud, DropBox, WeTransfer, The Next Ad, Loomly, Facebook, LinkedIn and Twitter.
- The Personal Data on backups enjoy the same protection as the original Personal Data.
- TISG guarantees that its employees only have access to the personal data insofar as this is necessary to perform their tasks in the context of the processing assignment. TISG will inform its employees about the obligations of this processor agreement.
- TISG is entitled to use sub-processors in the performance of its services. Information about sub-processors can be requested by the controller upon request. The controller can only refuse if there are good reasons.
- TISG remains the point of contact for the controller at all times.
- TISG guarantees that an agreement is concluded with sub-processors engaged, in which the same data protection guarantees are agreed as set out in this Agreement. Processor remains fully responsible towards the Controller for the sub-processor’s compliance with its obligations.
- In addition, after explicit permission from the controller, personal data can be shared with sub-processors if additional services are used.
- TISG is bound by a confidentiality obligation with regard to the Personal Data that are processed on behalf of the Controller. This confidentiality obligation applies in full to the employees of TISG and to any sub-processors. The confidentiality obligation continues even after the processing agreement has been terminated.
- This confidentiality obligation does not apply if the processor is obliged by the supervisory authority, a legal provision or a court order to provide this personal data, if the information is publicly known and if the data is provided on behalf of the controller.
- TISG takes the appropriate technical and organizational measures required to ensure a level of security appropriate to the risk so that the processing complies with applicable law and the rights of data subjects are safeguarded.
- TISG applies an appropriate level of protection, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing.
- TISG is responsible for applying and/or changing the level of protection as deemed necessary or required by law.
- TISG is responsible for applying and/or changing the level of protection if this is deemed necessary under applicable law or if requested by the client.
- Any additional costs will be borne by the client, unless otherwise agreed.
Notification of a data breach
- If TISG discovers a data breach, it will report this to the controller without delay and at the latest within 48 hours after the discovery. This notification shall describe or communicate at least the following:
- The nature of the personal data breach, specifying where possible the categories of data subjects and the personal data concerned;
- The likely consequences of the data breach in relation to personal data;
The measures that TISG takes to tackle the data breach, including, where appropriate, the measures to limit any adverse consequences thereof.
- TISG also informs the controller after a notification based on the previous article about the developments regarding the identified data breach.
- The controller must assess whether it informs the supervisory authority and/or the data subjects about this. The parties both bear the costs incurred by themselves in connection with a report to the supervisory authority and/or the person concerned.
Requests from data subjects or government authorities
- TISG will assist the controller to the extent possible with requests from data subjects. In the event that a data subject makes such a request to TISG, TISG will forward the request to the controller, and the controller will continue to handle the request, unless explicitly agreed otherwise.
TISG assists the controller to the extent possible to respond to requests from government authorities.
- For the implementation of Articles 9.1 and 9.2, the costs incurred by TISG will be reimbursed by the Controller, unless and