Home

Terms

Terms

PERSONAL DATA PROCESSING AGREEMENT

 

This personal data processing agreement (hereinafter: “Data Processing Agreement”) is entered into between:

  1.       the Customer  (hereinafter also as “Controller”)

 

And

  1.       Cookie3 OÜ, a company established under the laws of Estonia with its registered office in Tallinn, address: Harju maakond, Tallinn, Nõmme linnaosa, Rännaku pst 12, 10917, entered in the register of enterprises kept by the Registration Department of Tartu County Court, under the No.: 16457724, tax ID number (VAT): EE102487893 (hereinafter: “Processor” or “Cookie3”),

individually referred to as „Party”, and jointly as „Parties”.

 

Cookie3 and the Customer have entered into an agreement for the provision of the Services (as amended from time to time; hereinafter “Agreement” and “Services”). This Data Processing Agreement is entered into by Cookie3 and Customer and supplements the Agreement. The performance of the Services requires the Processor to access Personal Data and its Processing. The Data Processing Agreement specifies the obligations of the Parties regarding the Processing of Personal Data.

If you are accepting this Data Processing Agreement on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this Data Processing Agreement; (b) you have read and understand this Data Processing Agreement; and (c) you agree, on behalf of Customer, to this Data Processing Agreement. If you do not have the legal authority to bind Customer, please do not accept this Data Processing Agreement.

 

  1. Definitions

For the purposes of the Data Processing Agreement the following terms:

a)            Personal Data – means any information about an identified or identifiable natural person, in particular information indicated in the Appendix to the Data Processing Agreement or other information necessary for the Processor to perform the Services;

b)            Data Subject – has the meaning given by the GDPR;

c)             Processing (Processed, Process) – has the meaning given by the GDPR;

  1.              GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  2.             Services - have the meaning given by the Agreement.
  1. Subject matter of Data Processing Agreement, duration and the purpose of the Processing
  1. The Controller is the controller of the Personal Data, and the Processor is the processor within the meaning of GDPR. The Processor represents that it ensures sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subjects.
  1. The Processor will Process the Personal Data exclusively on behalf of the Controller and in accordance with the Data Processing Agreement, including the Appendix to the Data Processing Agreement, and in accordance with the generally binding provisions of law, including the GDPR, for the purposes and for a period necessary to perform the Services.
  1. Instructions to Process
  1. The Personal Data is processed by the Processor exclusively only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country in the meaning of the GDPR, unless required to do so by the European Union or the European Union member state law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Data Processing Agreement constitutes a documented instruction of the Controller.
  1. The Controller instructs the Processor to Process Personal Data in the manner and subject to conditions specified in this Data Processing Agreement and in the scope needed to fully and properly execute the Services.
  1. The Processor will inform the Controller immediately if, in its opinion, the instruction issued by the Controller infringes the GDPR or other European Union or European Union’s member state data protection provisions.
  1. Personnel of the Processor
  1. The Processor will allow only appropriately authorised persons to Process Personal Data.
  1. The Processor will ensure the highest confidentiality for Personal Data, including ensuring that all persons authorised to Process Personal Data maintain confidentiality.
  1. Technical and organisational measures
  1. The Processor will use appropriate technical and organisational measures to ensure the security of entrusted Personal Data, taking into account the scope of application and methods of protection referred to in Article 32 of GDPR.
  1. The Processor must, in particular, secure Personal Data against disclosure to unauthorised parties, and their removal, loss, damage or destruction.
  1. Inspections
  1. The Controller has the right to inspect whether the Processor is securing and Processing Personal Data using organisational and technical measures that ensure the compliance of the Personal Data Processing with the Data Processing Agreement, the GDPR or other binding laws on personal data protection. The inspections may be carried out by the Controller or by an auditor authorised by it. The Processor allows for and contributes to audits.
  1. For each inspection, the Controller notifies the Processor in advance, albeit with not less than 7 days’ notice of the intention to carry out an inspection. The Processor must facilitate the inspection, in particular by providing the appropriate documentation to the extent necessary and providing all necessary information regarding the implementation of provisions of the Data Processing Agreement, subject to the obligations of the Processor that follow from legal provisions or agreements concluded by it and the Processor’s business secrets.
  1. The Controller will exercise the right of inspection during the Processor’s working hours in a way that does not impede the Processor’s work.
  1. The Processor will provide the Controller with all information necessary to demonstrate compliance with the obligations set out in Article 28 of GDPR.
  1. Personal Data breach
  1. The Processor will inform the Controller about any Personal Data breach without undue delay, not later than within 36 hours from having identifying such breach or gaining suspicion of such breach.
  1. The Processor will assist the Controller in complying with the obligation to report a Personal Data breach to the supervisory authority and notify the Data Subject about the breach, in particular by providing the Controller with detailed information regarding the breach or suspected breach and through close cooperation with the Controller.
  2. The Processor shall not provide to any entity, other than the Controller, information regarding a Personal Data breach or suspected Personal Data breach, without the prior written consent of the Controller and determination of the content of such information with the Controller.
  1. Rights of Data Subjects
  1. Taking into account the nature of the Processing, the Processor assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.
  1. If a request is received from any Data Subject, whose Personal Data is being Processed under the Data Processing Agreement, the Processor will promptly forward such request to the Controller.
  1. The Processor shall not provide any Data Subject whose Personal Data it processes under the Data Processing Agreement with any information without the prior written consent of the Controller and determination of the content of such information with the Controller.
  1. Data protection impact assessment and other duties of the Processor

Taking into account the nature of processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR. If the Controller becomes obliged to carry out a data protection impact assessment on planned processing operations for Personal Data, in accordance with the provisions of Article 35 of GDPR, the Processor will provide the Controller with all assistance so that the Controller may fulfil such obligation.

  1. Use of subprocessors
  1. The Controller agrees that the Processor may use other processors (subprocessors). The Processor has the Controller’s general authorisation for the engagement of subprocessors from an agreed list indicated in the Appendix. The Processor shall specifically inform in writing the Controller of any intended changes of that list through the addition or replacement of subprocessors at least 7 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned subprocessor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
  1. Where the Processor engages subprocessor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the Data Processing Agreement shall be imposed on that subprocessor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
  1. The Processor is fully liable for the actions and omissions of subprocessors engaged by the Processor for Processing of Personal Data entrusted for Processing under this Data Processing Agreement as for the Processor’s own actions and omissions.
  1. Transfer of Personal Data outside the European Economic Area
  1. Any transfer of data to a third country by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under European Union or European Union’s member state law to which the Processor is subject and shall take place in compliance with Chapter V of the GDPR.
  1. The Controller agrees that where the Processor engages a subprocessor in accordance with Clause 10 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the subprocessor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) GDPR (hereinafter: “SCC”).
  1. If the Controller outside the European Economic Area whose activities are not subject to the GDPR transfers data to a Processor which is established in the European Union (Estonia), the relevant SCC shall apply to such a data transfer (Module 4: Transfer processor to controller). The relevant SCC between the Processor and the Controller are concluded separately, if applicable.
  1. Entry into force and termination of the Data Processing Agreement
  1. The Data Processing Agreement enters into force on its signing.
  1. The Data Processing Agreement terminates on the date of termination of the Services, without any necessity of any Party to submit any statement.
  1. The Data Processing Agreement may be terminated also earlier, with one month notice given by the Controller in writing.
  1. The Data Processing Agreement may be terminated immediately by the Controller in writing, for serious reasons, in the event of a serious breach by the Processor of the Data Processing Agreement.
  1. Deletion or return of Personal Data
  1. After the termination of the Data Processing Agreement, depending on the choice of the Controller, the Processor will permanently delete all Personal Data stored at any and all data carriers held by the Processor, their copies and in IT systems or return the Personal Data to the Controller in the format chosen by it and will delete all existing copies, unless generally applicable provisions of law require the Personal Data to be stored.
  1. Deletion of Personal Data means the physical destruction of the Personal Data carriers, and in the case of Personal Data stored in (IT) computer systems – the removal of the Personal Data or such modification of it that will irreversibly prevent its identification or possible identification with any particular natural person.
  1. In the period from the date of cessation of the Data Processing Agreement to the date of the deletion of the Personal Data or their return to the Controller, the Processor is entitled only to store the Personal Data.
  1. Service of notices between the Parties

Service of notices related to the performance of the Data Processing Agreement will be deemed to have been properly made, if delivered to the e-mail address of the Controller provided by the Controller during registration or Cookie3.

  1. Miscellaneous
  1. The Parties are not entitled to any remuneration for the performance of any obligations under the Data Processing Agreement.
  1. The Data Processing Agreement is the entire agreement between the Controller and the Processor concerning the Processing of Personal Data in order to perform the Data Processing Agreement and supersedes all previous agreements between the Parties in this respect. In the event of any discrepancies between the Data Processing Agreement and any other agreement between the Parties, the Data Processing Agreement is decisive.
  1. In the event of the invalidity, unlawfulness or unenforceability of any clause of the Data Processing Agreement in any respect, this will not affect the validity, legality and enforceability of the remaining clauses of the Data Processing Agreement in any way, or limit their power, and if the clause at issue is be partly valid after the deletion of part of the clause, this clause will be binding following the deletions required to maintain its validity and effectiveness.
  1. If any clause of the Data Processing Agreement becomes unlawful, void or unenforceable in any jurisdiction, it will not affect or limit:

a)            the legality, validity or enforceability in that jurisdiction of any other provision of the Data Processing Agreement; and

b)            the legality, validity or enforceability in any other jurisdiction of the given clause or any other clauses of the Data Processing Agreement.

  1. The Appendix to the Data Processing Agreement constitutes its integral part.
  1. The Data Processing Agreement is subject to Estonian law and will be interpreted in accordance with it. Generally binding provisions of law will apply to matters not regulated in the Data Processing Agreement.
  1. All disputes arising from or associated with the Data Processing Agreement will be resolved by the court with jurisdiction for the Processor’s registered office.

 

 

 

 


APPENDIX TO THE PERSONAL DATA PROCESSING AGREEMENT

This Appendix contains detailed information about the Processing of Personal Data:

  1. Processing operations and nature of Processing

Personal Data will be subject to the following basic Processing operations: as applicable to the Services provided by the Processor and the instructions of the Controller: collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying personal data for the purpose of providing the Services and any related technical support to the Controller in accordance with the Agreement and the Data Processing Agreement.

Personal Data will be processed:

                 with the use of the Processor’s IT infrastructure, hardware, software and systems;

                 electronically;

                 on a continuous basis or from time to time depending on the Services provided by the Processor in accordance with the Agreement.

The Controller declares and warrants that Personal Data will not be processed using any machine learning or other artificial intelligence system.

  1. Purpose(s) for which the Personal Data is processed on behalf of the Controller

Personal Data will be processed for the purpose of performing the Services by the Processor and related technical support in accordance with the Agreement.

  1. Duration of the Processing

Personal Data will be processed for the duration of the Agreement and until deletion or return of all Personal Data by the Processor in accordance with these Data Processing Agreement.

 

  1. Categories of Data Subjects

                             users and visitors of the Controller’s websites or applications

                             other Data Subjects whose data is transferred by the Controller to the Processor for the performance of Services in accordance with the Agreement. This category may include in particular: users of social media (users of Twitter, Discord, Telegram) and holders of a private key / owners of a crypto wallet addresses.

 

 

 

 

 

  1. Types of Personal Data – key categories

 

Types of Data Subjects

Key categories of Personal Data subject to Processing

Users and visitors of the Controller’s websites or applications

 

          crypto wallet address,

          title of the page being viewed

          URL of the page viewed,

          URL of the page which was viewed before the current page,

          bounce rate,

          session record,

          time spent on the site and on sub-pages,

          site search,

          mouse events (movements, content forms and clicks),

          device or software characteristics, e.g. screen resolution

          device type (unique device identifiers),

          browser information (main language,  browser user agent, type of browser extension),

          cookie identifiers,

          IP address,

          time in local time zone,

         geographical location (country, region and city).

Other Data Subjects whose data is transferred by the Controller to the Processor for the performance  of Services in accordance with the Agreement

          crypto wallet address,

          Twitter username,

          Discord username,

          Telegram username,

         Email address

No special categories of data (sensitive data) will be processed.

 

  1. Subprocessors

The Controller has authorised the use of the following subprocessors:

  1.    Vercel Inc., with its registered office in 440 N Barranca Ave Suite 4133 Covina, CA 91723 United States USA, is a provider of cloud computing services, including PaaS (Platform as a Service), which provides Cookie3 with, among others, application interface hosting support.
  2.    Hetzner Online GmbH, with its registered office in Gunzenhausen, Industriestr. 25, 91710 Gunzenhausen, Germany, is a provider of cloud computing services, which provides Cookie3 with colocation services (the provision of servers where the databases containing all the Personal Data is stored).

Converted to HTML with WordToHTML.net

Public Beta just launched!

Sign up now to get early access to the platform!