EFFECTIVE DATE: 24 FEBRUARY 2023

Data Processing Agreement


This addendum (“Addendum”) is concluded by and between:

  • The natural or legal person who accesses and uses the Platform (as defined below) for the transcription of video / audio files (“Client”); and
  • VATIS TECH S.R.L., having its headquarters at 50 Lucian Pricop Street, Vădăstrița, Olt, sole identification number (CUI) 43155475, registered with the Trade Registry under no. J28/696/2021 (“Vatis Tech”)

Hereinafter, collectively, referred to as “Parties”, and, individually, referred to as “Party”.

WHEREAS

  • Vatis Tech offers a software product to be used for the transcription of video / audio files through the platform available at https://vatis.tech (“Platform”);
  • The Client agreed to the general terms and conditions of the Platform ("Agreement");
  • In the performance of the Agreement, the Parties process personal data as controller and processor;
  • The Parties have decided to regulate the processing of personal data in order to meet the obligations relating to the protection of personal data imposed by the applicable legislation.

THE PARTIES DECIDED AS FOLLOWS

DEFINITIONS

Personal Data

means any information about an identified or identifiable natural person;

Data Subject

means the natural person whose Personal Data is Processed;

Processing / to Process

means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller

means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

Processor

means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;

Subcontractor

means any Processor appointed by the Processor to Process Personal Data;

Personal Data Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;

Relevant Personal Data

means Personal Data Processed by the Processor on behalf of the Controller, as described in Annex 1;

GDPR

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Applicable Legislation

means GDPR, any relevant law implementing GDPR or regulating the protection of Personal Data, and any guidelines, codes of practice or other documents issued by the competent authorities;

Supervisory Authority

means the National Supervisory Authority for the Processing of Personal Data as well as any other supervisory authority concerned, in accordance with the GDPR;

Standard Contractual Clauses

means the standard clauses issued by the European Commission, in accordance with Article 46 of GDPR, for the transfer of Personal Data to countries outside the European Union and the European Economic Area for which the European Commission has not recognised an adequate level of protection within the meaning of Article 45 of GDPR;

Services

means the services provided by the Parties in the performance of the Agreement.

PARTIES

In Processing Relevant Personal Data:

  • The Client acts as a controller (“Controller”);
  • Vatis Tech acts as a processor (“Processor”).

The Parties shall Process Relevant Personal Data in accordance with the obligations set out in this Addendum, as well as in accordance with obligations imposed by Applicable Legislation.

PROCESSING OF PERSONAL DATA

The Processor Processes the Relevant Personal Data of the Data Subjects only for the purposes set out in Annex 1. The Processor Processes the Personal Data only based on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by the European Union or member state law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing. For the avoidance of any doubt, any further Processing of any Personal Data contained in the audio / video files (when the latter gave their consent) for training the artificial intelligence algorithms will not represent a breach of Client’s instructions.

The Controller instructs the Processor and authorizes the Processor to instruct each Subcontractor to Process Relevant Personal Data and to transfer Relevant Personal Data to any third country, as necessary for the provision of the Services and the performance of the Agreement, in compliance with the provisions of this Addendum concerning the use of the Subcontractors and the transfer of the Personal Data.

PROCESSOR’S PERSONNEL

The Processor takes reasonable steps to ensure compliance with the Applicable Legislation by persons who may have access to Relevant Personal Data, ensuring that the access is strictly limited to those who must have such access. 

The Processor shall ensure that all the persons referred to in paragraph 1 are informed of the confidentiality of Relevant Personal Data and have undertaken to respect the confidentiality of Relevant Personal Data. 

USE OF SUBCONTRACTORS

The Controller authorizes the Processor to use any Subcontractor, under the terms provided for in this Addendum, in connection with the Processing of the Relevant Personal Data.

The Processor shall ensure that each Subcontractor is able to respect the level of protection of Relevant Personal Data as required in this Addendum. The Processor shall enter into a contract with each Subcontractor. Obligations similar to those set out in this Addendum for the Processor shall be imposed on the Subcontractor.

The Processor shall inform the Controller of any expected changes regarding the addition or replacement of Subcontractors, the Controller having the right to object, on reasonable grounds, to the Subcontractor used by the Processor.

DATA SUBJECTS’ RIGHTS

The Processor shall assist the Controller in the fulfilment of its obligations arising from the exercise by the Data Subjects of their data protection rights.

The Processor shall notify and cooperate with the Controller on any request from a Data Subject for the exercise of a right in connection with Relevant Personal Data.

SECURITY OF PERSONAL DATA

The Processor shall implement appropriate technical and organisational measures to ensure a level of security adequate to the risk, as provided for by the GDPR.

PERSONAL DATA BREACH

The Processor shall notify the Controller within 72 hours, as of the moment when the Processor becomes aware of a Personal Data Breach in connection with Relevant Personal Data.

The Processor shall take immediate action to investigate the Personal Data Breach in connection with Relevant Personal Data and to identify, prevent and mitigate its effects as much as possible.

The Processor shall cooperate with the Controller and take reasonable steps in accordance with the Controller’s documented instructions for the remedy of the Personal Data Breaches in connection with Relevant Personal Data.

DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Considering the nature of Processing and the information available to the Processor, the Processor assists the Controller in ensuring compliance with the obligations provided for by Articles 35 and 36 of GDPR regarding the data protection impact assessment and prior consultation.

ERASURE OR RETURN OF RELEVANT PERSONAL DATA

At the time of ceasing the provision of the Services involving the Processing of Relevant Personal Data, the Controller may request the Processor (i) to return to the Controller a copy of all Relevant Personal Data and to remove all copies of the Relevant Personal Data Processed by the Controller and/or (ii) to delete all Relevant Personal Data and to remove all copies of Relevant Personal Data Processed by the Processor. The Processor will act in accordance with the instructions received from the Controller, without undue delay.

By way of exception to the provisions of paragraph 1, the Processor shall be able to keep a copy of the Relevant Personal Data, insofar as it is subject to a legal obligation to that effect and for the storage period required by the European Union or member state law to which the Processor is subject.

INFORMING THE CONTROLLER AND THE AUDIT RIGHT

The Processor shall inform the Controller if, in its opinion, an instruction infringes the GDPR or other Union or member state data protection provisions.

The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Addendum and in the Applicable Legislation and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller or the mandated auditor is obliged to undertake confidentiality obligations towards the Processor to protect the confidentiality of the information of the Processor and of third parties which might be found out by the Controller or the mandated auditor during the audit.

TRANSFER OF PERSONAL DATA

If the Relevant Personal Data is transferred to a territory or to a country outside the European Union or the European Economic Area not designated by the European Commission as providing an adequate level of protection, the Parties will take appropriate safeguards, including by concluding Standard Contractual Clauses.

DURATION

This Addendum shall enter into force on the date of its signature and shall cease on the latest of the following dates: (i) the date of termination of the Agreement or (ii) the date of termination of the last Services provided under the Agreement.

MISCELLANEOUS

This Addendum is governed by Romanian law. The Parties agree that any disputes or complaints arising under this Addendum fall within the jurisdiction of the competent Romanian courts.

Where there is a discrepancy between the provisions of this Addendum and any other agreement between the Parties, including the provisions of the Agreement, this Addendum shall prevail in respect of matters relating to the data protection obligations.

Where the obligations of the Parties need to be amended as a result of changes in the Applicable Legislation or as a result of the issuance by the European Commission or the Supervisory Authority of standard contractual clauses, including in case of modification or adoption of new Standard Contractual Clauses on international transfers, the Parties undertake to amend this Addendum accordingly.

ANNEX 1

Relevant Personal Data

  • Name, surname and any other Personal Data regarding the Data Subject that uses the Platform for transcription purposes or such Personal Data that is contained in the video / audio file;
  • Any Personal Data of any other natural persons contained in the video / audio files.

Data Subjects

  • Natural persons who use the Platform for transcription purposes;
  • Other natural persons whose Personal Data is contained in the audio / video files.

Nature and purpose of the Processing of Relevant Personal Data

  • The provision of Services.

Subject-matter and duration of the Processing of Relevant Personal Data

  • Relevant Personal Data will be Processed during the existence of the Client’s account on the Platform;
  • Thereafter, the Relevant Personal Data will be stored for a period of time necessary to fulfil the legal obligations and legitimate interests of Vatis Tech.

Processing operations

  • Vatis Tech will store the Relevant Personal Data;
  • Vatis Tech will process the Relevant Personal Data in any other way necessary for the provision of the Services.