Data Processing Agreement
Effective Date: December 12, 2019.
This Data Processing Agreement is entered into between the Service Provider and the Customer and is incorporated into and governed by the Terms of Service.
1.1 Unless the context explicitly requires otherwise, the following capitalized terms in this Data Processing Agreement will have the following meanings:
GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Customer Data personal data as defined in GDPR provided by the Customer (or third party where the Customer acts as a data processor) to Justikal when using the Services;
Services as per definitions in the Terms of Service;
Data Breach any accidental or unlawful breach of personal data security resulting in accidental or unlawful destruction, loss, alteration or unauthorized disclosure (without authorization) of or access to processed Customer Data;
Sub-Processor any person engaged by Justikal for the processing of Customer Data on behalf of Justikal and in accordance with its instructions to the extent and for the purposes specified in Data Processing Agreement.
1.2 Capitalized terms not defined above will have the same meaning as defined in the Terms of Service, unless the context explicitly requires otherwise.
2. Purpose and scope
2.1 Justikal shall provide Services to the Customer in accordance with the Terms of Services. In providing the Services, Justikal shall process the Customer Data on behalf of the Customer. Customer Data may include personal data. Therefore, the Customer shall be (i) data controller with respect to the Customer Data; and (ii) data processor, where Justikal provides personal data processed as a data processor; Justikal is a data processor. The Data Processor will process and protect such Personal Data in accordance with the terms of this Data Processing Agreement.
3. Processing Conditions
3.1 Justikal shall process the Customer Data in order to provide Services.
3.2 Justikal shall process personal data of such categories of data subjects that the Customer uploads or submits when using the Services.
3.3 Justikal shall process the Customer Data from the moment the Customer uploads or submits them when using the Services until the removal thereof by the Customer but no longer than specified in Article 13.2 of this Data Processing Agreement.
3.4 Justikal shall ensure for the Customer Data to be processed in the European Economic Area.
4. Customer Data Confidentiality
4.1 Justikal shall use the Customer Data only for the provision of the Services and implementation of its rights under the Terms of Service. Unless otherwise required by the law, Justikal shall not disclose the Customer Data to third parties.
4.2 Justikal shall ensure that the access to the Customer Data would be granted only to those employees or suppliers of Justikal which require such data for performing work functions or providing services to Justikal.
4.3 Justikal shall ensure that the employees or suppliers of Justikal processing Customer Data would comply with this Data Processing Agreement and would undertake to observe the confidentiality clause or would be subject to relevant confidentiality obligation establish under the laws.
4.4 If in complying with the requirements of the laws Justikal is obliged to disclose the Customer Data to third parties (e.g. law enforcement authorities), Justikal shall immediately notify the Customer about the requirements to disclose the Customer Data, unless otherwise required by the laws.
4.5 Such confidentiality obligations shall remain in force indefinitely and following the expiry of this Data Processing Agreement.
5. Customer Instructions
5.1 Justikal shall process the Customer Data only according to documented instructions of the Customer.
5.2 The Parties agree to regard this Data Processing Agreement, Terms of Service and Service Settings, which may be set by the Customer when using Services, as documented Customer instructions. The Parties may agree on execution of additional Customer instructions and the price thereof.
6. Technical and Organizational Measures
6.1 In processing the Customer Data, Justikal shall implement appropriate technical and organizational measures to protect the Customer Data. Justikal shall select technical and organizational measures taking into consideration the level of development of technical possibilities, costs of implementation and the nature, scope, context and purpose of data processing, as well as risks of various probability and seriousness with respect to rights and freedoms of natural persons associated with data processing. Justikal shall not be obliged to take into consideration the Customer instructions regarding technical and organizational measures.
6.2 Justikal has implemented information security management system according to international security standard ISO/IEC 27001, which, according to the agreement by the Parties, shall be considered as appropriate and maximum technical and organizational measures necessary to achieve goals specified in Item 6.1. Justikal shall undertake to comply with the requirements or this or equivalent security standard during the entire validity period of this Data Processing Agreement.
7.1 Taking into consideration the nature of Services provided and the processing of processed data and available information, Justikal shall cooperate with the Customer to ensure the performance of obligations specified in GDPR Articles 32–36. For this purpose and only to the extent specified in this Data Processing Agreement, Justikal shall provide requested information to the Customer which is necessary for proper performance of obligations of the Customer under GDPR.
8. Data Processing Audit
8.1 To verify whether Justikal properly processes the Customer Data, the Customer shall have the right to conduct inspections of such processing under the procedure provided for in Article 8.
8.2 Justikal shall inspect, at least once per calendar year, at its own initiative and expense, whether applicable technical and organization measures are in line with the nature, scope, context and purposes of data processing, as well as risks associated with data processing with respect to the rights and freedoms of natural persons. Justikal shall engage an independent inspector for the inspection with the instructions to prepare inspection report (hereinafter – Report).
8.3 At the request of the Customer and according to an additional agreement by the Parties regarding the protection of confidential information, Justikal shall submit a Report to the Customer. Upon performance of this obligation by Justikal, it shall be considered that the Customer has exercised its right provided for in Item 8.1 of this Data Processing Agreement and GDPR Article 28(3)(h).
8.4 If the Customer wishes to additionally and/or by means other than specified in Article 8 inspect how Justikal processes personal data and/or performs its obligations under this Data Processing Agreement, such inspection may be conducted upon consent of Justikal and the agreement of the Parties on the scope, method, time and price of the inspection. In any case, if the Parties agree on such additional inspection, it will have to comply with the following requirements: (i) the inspection must be related only to the processing of the Customer Data; (ii) the Customer must inform Justikal about the wish to conduct additional inspection within a reasonable time period which must be at least 4 weeks; (iii) additional inspection must be conducted in a way it would not interfere with daily activities of Justikal; (iv) additional inspection must be conducted at the expense of the Customer; (v) additional inspection must be conducted by an independent person whose candidacy must be approved in advance by Justikal and such person must undertake to protect confidential information of Justikal.
8.5 Justikal shall have the right to receive remuneration for assistance in conducting additional inspection. The size of such remuneration will be determined by Justikal taking into consideration costs incurred by Justikal with respect to additional inspection. Justikal shall provide information to the Customer about the size of remuneration before the inspection.
8.6 In the event the Customer is not satisfied with the information provided in the Report and/or the Parties fail to agree on additional inspection as provided for in Items 8.4–8.5 of this Data Processing Agreement, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Justikal will not be obliged to compensate damages to the Customer.
9.1 The Customer hereby gives general advance consent to Justikal to engage Sub-Processors which will process Customer Data on behalf of Justikal according to the scope and purposes specified in this Data Processing Agreement. Justikal shall engage only those Sub-Processors which will ensure the following: (i) implementation of appropriate technical and organizational measures; (ii) data processing in compliance with GDPR requirements; and (iii) protection of the rights of the data subject.
9.2 Justikal shall ensure that a written agreement has been concluded with Sub-Processors engaged under which Sub-Processors shall undertake to comply with responsibilities of the data processor established in this Data Processing Agreement at least to the extent applicable to Justikal. Justikal shall be liable against the Customer for the performance of obligations of Sub-Processors engaged.
9.3 Up-to-date list of engaged Sub-Processors will be published by Justikal on the Compliance Website. Justikal shall notify the Customer about its plans to replace or engage a new Sub-Processor by making such information available on the Compliance Website no later than 14 days prior to the planned event.
9.4 If the Customer continues using the Services following the replacement or involvement of a new Sub-Processor and notification of the Customer under the procedure provided for in Item 9.3 of this Data Processing Agreement, it shall be considered that the Customer agreed to such actions of Justikal. If the Customer disagrees with such replacement or involvement of the Sub-Processor, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Justikal will not be obliged to compensate damages to the Customer.
9.5 If the Customer withdraws its general consent to engage Sub-Processor, Justikal shall have the right to unilaterally, under out-of-court procedure, terminate the Terms of Service, and such termination shall be considered to have been made for important reasons and the Customer shall be deemed not to have suffered any damage due to such termination.
10. Customer Obligations
10.1 The Customer, at its own discretion and responsibility, shall determine the categories of the data subjects whose personal data and the categories of personal data to be provided to Justikal and shall provide to Justikal only personal data necessary for proper provision of the Services by Justikal. The Customer shall assume all related risks, including risks in cases where Justikal receives more personal data than is necessary.
10.2 The Customer represents and warrants that it has obtained and shall retain during the entire validity period of the Terms of Service all necessary permissions and authorisations required for the provision of the Customer Data to Justikal and engage Justikal for the processing of personal data under the Terms of Service and this Data Processing Agreement.
11. Data Breach
11.1 Justikal shall notify the Customer, without undue delay, but no later than within 36 hours after becoming aware about the Data Breach, and taking into consideration the nature of provided Services and the processing of personal data and available information, shall provide the following information to the Customer: (i) the nature of the Data Breach, including, where possible, the categories of the data subjects and approximate number thereof; (ii) possible consequences of the Data Breach; (iii) measures implement by Justikal or proposed to be taken to address the Data Breach, including, where appropriate, measures for mitigating possible negative consequences of the Data Breach; (iv) full name and contact information of data protection officer or any other contact person that could provide further information. Justikal may provide this information to the Customer by making it available on the Compliance Website.
11.2 Justikal shall document all Data Breaches, including facts pertaining to the Data Breach, its impact and corrective actions taken. In cases provided for in legislation, Justikal shall provide such documents to supervisory authority.
11.3 The Customer shall be responsible for the compliance with legislation regulating the delivery of notifications or information to the data subjects about the Data Breach.
12.1 Taking into consideration the nature, scope, context and purposes of data processing, Justikal liability under this Data Processing Agreement shall be limited to and in any case may not exceed the amount the Customer has paid to Justikal in 12 months.
12.2 During this Data Processing Agreement, Justikal shall undertake to insure its civil liability. The copy of insurance policy containing the amount of the insurance will be published on the Compliance Website.
13. Validity and Termination
13.1 This Data Processing Agreement shall come into force upon the entry into force of the Terms of Service and shall be valid for as long as the latter remains in force.
13.2 Upon expiry of the Data Processing Agreement, Dokobit shall destroy the Customer Data no later than within 30 days, unless there are grounds to process or manage the Customer Data other than those arising out of this Data Processing Agreement.
14. Applicable Law and Dispute Resolution
14.1 This Data Processing Agreement shall be subject to the law of the Republic of Lithuania.
14.2 Each dispute, disagreement or claim arising out of or related to this Data Processing Agreement, its violation, termination and validity shall be settled by negotiating. If the Parties are unable to reach an agreement within 15 days from the occurrence of the dispute, disagreement or claim, such dispute, disagreement or claim shall be settled in the court of the Republic of Lithuania.
15. Final Provisions
15.1 All notifications of the Customer to Justikal related to this agreement shall be sent via e-mail email@example.com and shall be deemed to be received when Justikal confirms the receipt thereof by replying to the Customer’s e-mail.
15.2 Justikal notifications to the Customer related to this Data Processing Agreement shall be sent via e-mail specified in the User account or delivered to the Customer in its User account, unless otherwise specified in this Data Processing Agreement.
15.3 The amendments to this Data Processing Agreement shall come into force following publication thereof on the Compliance Website. Justikal shall announce about intended amendment of the Data Processing Agreement at least 30 days prior to the planned amendment. If the Customer continues using the Services following the publication of amendments to the Data Processing Agreement, it shall be deemed that the Customer agrees with the amendments to the Data Processing Agreement. If the Customer disagrees with the amendments, the Customer will not be able to use Services and shall have the right to terminate the Terms of Service.