Ruebik Limited will process personal data in accordance with the Data Protection Act 2018 and the GDPR. The specific processes to be followed are set out below:
- Personal data processing
The provision of services may entail the Processor’s access to confidential information and personal data for which the Client is responsible. Consequently, Ruebik will act as Data Processor and the Client as Controller, and any processing of personal data for which the Client is responsible will follow the processes agreed in the Agreement.
In order to perform the services covered by this Agreement, the Client will make the Client Data available to the Agency (Ruebik).
- Confidentiality and duty of secrecy
Unless the Parties otherwise agree, each Party will treat this Agreement, the other Party’s business and any information and documentation relating to the other Party, of which it may become aware as a result of performing the Agreement, as strictly confidential. Furthermore, the Processor specifically undertakes to treat as confidential any information for which the Controller or third parties may be responsible, which it may access in the course of providing its services, and to maintain the secrecy of such data.
For these purposes, the Processor undertakes to take whatever measures are necessary with respect to its employees and sub-contractors so that they are informed of the binding obligations the Processor holds as Processor, which they in turn must uphold, and so that any personal data known by virtue of this Agreement remain secret, even after the Agreement is terminated for any reason. To this end, the Processor will inform its employees and sub-contractors (through training, awareness campaigns, etc.) in order to ensure that such obligations are fulfilled. Such persons will be clearly notified of the existence of this Agreement, of any security rules affecting the performance of their tasks, of the consequences of a breach, of the confidential nature of the information and of the duty to keep all personal data secret; this duty of confidentiality and secrecy will continue even after their relationship with the Processor has ended.
Such confidential information and documentation may not be used for any purpose other than fulfilment of this Agreement, unless the information has become public knowledge, or except where disclosure is required by law or by any other applicable and mandatory regulation.
Once this Agreement has ended, the confidentiality obligation and duty of secrecy set out in this clause will remain in force indefinitely, regardless of the reason for which the contractual relationship with the Controller ended.
If any misconduct by a person rendering professional services for the Processor is detected (access to information not inherent to that person’s tasks, misuse of user IDs and passwords, a user being granted more authorisations than are strictly necessary, etc.), the Processor will be responsible for, and expressly obliged to, immediately notify the Controller.
- Controller’s instructions
The Processor undertakes to process any personal data it may access exclusively in accordance with the Controller’s written instructions. This commitment also covers any international transfer of personal data to a third country or international organisation.
Consequently, any data that is known or obtained by virtue of this Agreement:
– may not be used for any purpose other than performance of the Agreement; it will be confidential and may not be published or made available to third parties without the Controller’s prior written consent. In no case will such data be used for private purposes.
– will not be disclosed to third parties without the Controller’s prior written consent. Consequently, before the Controller authorises any such disclosure, the Processor will identify in writing the entity or entities receiving the data, which data or categories of personal data will be disclosed, and the security measures applicable.
In this regard, the Processor undertakes to immediately inform the Controller if any of the Controller’s instructions could infringe applicable data protection provisions under EU or Member State law.
If the Processor uses the data for another purpose, or discloses or uses it in breach of the stipulations of this Agreement, it will also be considered a Controller in respect of that processing, and will be personally liable for any infringements it may have committed and for any loss and damage that the Controller may consequently suffer.
- Service outsourcing
The Processor will not outsource all or part of the services covered by this Agreement to another processor without the Controller’s prior written consent, whether specific or general. The Controller hereby consents to the outsourcing to HubSpot. The Processor will inform the Controller of any intended engagement of new processors, or replacement of existing ones, thereby giving the Controller the opportunity to object to such changes.
If the Processor engages a sub-processor to carry out specific processing activities on behalf of the Controller, always subject to the Controller’s prior authorisation, the sub-processor will be bound by the same data protection obligations as those stipulated for the Processor. The Processor will remain fully liable to the Controller for the sub-processor’s effective compliance with its data protection obligations.
Furthermore, the Processor undertakes to inform the Controller of any intended engagement of new processors, or replacement of existing ones, sufficiently in advance (10 Business Days) and by a verifiable means, thereby giving the Controller the opportunity to object to such changes.
- Security measures
Under the GDPR, the Processor will implement security measures adequate to protect personal data and other information, in accordance with the outcome of any risk evaluation completed by the Controller and taking into account the state of the art, the costs of implementation, the nature of the data stored, the scope and purposes of the processing and the risks to which it is exposed. Consequently, the Processor will provide the Controller with the necessary information where the Controller’s risk analysis indicates that the processing is high-risk, or where the Processor itself considers it to be so.
The Processor will, at a minimum, provide the Controller with the following information in writing (subject to availability):
– Any security measures implemented.
– Any other information held by the Processor that the UK Information Commissioner may request.
In any case, the Processor will include the following measures as part of its technical and organisational measures.
- Notification of security breaches
The Processor will be obliged to guarantee implementation of the security requirements set out in this Agreement and to inform the Controller without undue delay of any incident affecting information, documentation or personal data for which the Controller is directly or indirectly responsible.
If the Processor or any person involved in the services detects an incident entailing the theft, loss or damage of data, unauthorised access to data, or misuse of information, the Processor will immediately contact the Controller with details of the incident and, in any case, notify the Controller by email within 40 hours of detecting the breach, attaching any relevant information needed to document and notify the incident, including at least the following:
1. A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
2. The name and contact details of the data protection officer where more information may be obtained.
3. A description of the likely consequences of the breach.
4. A description of the measures taken or proposed to address the personal data breach including, where applicable, measures to mitigate its possible adverse effects.
If, and insofar as, it is not possible to provide all of this information at the same time, it will be provided in phases without undue further delay. The Processor will be responsible for taking any action necessary to contain and resolve the incident.
The Controller will carry out periodic checks on the progress of the incident’s resolution; the Processor undertakes to respond and to provide any reports that may be requested.
- Record of processing categories
Under the GDPR, and only where the Processor employs 250 or more persons, or its processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences, it will keep a written record of all categories of processing carried out on behalf of the Controller, including:
a. The contact details of both the Controller and the Processor and, where applicable, of their representatives and data protection officers.
b. The categories of processing carried out on behalf of the Controller.
c. A general description of the technical and organisational security measures applied.
- Data subjects’ rights
The Processor will assist the Controller, by applying appropriate technical and organisational measures and having regard to the nature of the data processed, in responding to requests by data subjects to exercise their rights, in particular the rights of access, rectification, erasure (the “right to be forgotten”), objection to processing, data portability and restriction of processing, as well as the right not to be subject to a decision based solely on automated processing, including profiling.
If a data subject exercises any of the aforementioned rights vis-à-vis the Processor, the Processor will notify the Controller by email. This notification must be made immediately and, in any case, no later than the business day following receipt of the request, together with any other information relevant to handling the request.
At the end of the Agreement, once the service has been provided, the Processor undertakes to return all personal data and, where applicable, any physical media containing it. This return will include the complete erasure of all such data from any computer equipment used by the Processor.
Furthermore, the Processor will guarantee that at the end of any contractual relationship held with any person carrying out professional duties:
– such person returns and does not withhold, in any way, the Controller’s information and resources.
– the foregoing is confirmed in writing.
– all authorisations to data processes are immediately cancelled.
Without prejudice to the foregoing, the Processor may keep a copy of the data, duly blocked from further processing, for as long as it remains liable for performance of the services.
The Controller, in its capacity as Controller, may carry out its own checks to verify compliance with the security policies and measures required by this Agreement to protect personal information and data. These checks may be conducted on the Processor’s data systems and data processing facilities, or may consist of gathering information to corroborate the Processor’s compliance. In any case, the Processor will keep documentation available to the Controller (in printed or electronic form) evidencing compliance with its obligations under the Agreement.
To facilitate, or render unnecessary, the Controller’s verification, the Processor may provide certifications whose scope covers the services and staff it provides to the Controller.
The foregoing applies without prejudice to any other audits or checks carried out to verify other obligations set out in this Agreement.
- Duty of care
The Processor undertakes to provide the Controller with all information necessary to demonstrate compliance with its obligations, and will inform the Controller of its adherence to any approved code of conduct or its participation in any certification scheme capable of guaranteeing compliance with its personal data processing obligations.
Any persons carrying out professional tasks for the Processor must be aware of the importance of the Controller’s information, will process it securely, and will be trained and qualified for every stage of data processing and every task they perform. Such persons will exercise due care and adopt adequate measures to protect the processing, in line with their contractual duty of good faith.
- Duty of information
The personal data of the Processor’s representatives and employees will, in turn, be processed by the Client, acting as Controller, in order to manage its relationship with the Agency, as Processor, on the basis of the performance of services.
The Agency has a legitimate interest in recording any telephone conversations held between the Parties. The data subject may exercise the rights of access, rectification, erasure, objection, restriction of processing and portability, and the right not to be subject to automated individual decision-making, by writing to the Data Protection Officer at the foregoing address, marking the envelope “Data Protection”, or by sending an email to firstname.lastname@example.org. The data subject may also lodge a complaint with the Information Commissioner’s Office.