Data Processing Agreement

Updated at Jan 3rd, 2025

This Agreement regulates data processing under the GDPR between the Data Processor and the Data Controller.

Interpretative provisions:

‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Data Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; within the meaning hereof: the Data Processor.

‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‘Data Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Governing law and scope of this agreement

This agreement regulates the data processing activities of the Data Processor in connection with the use of Sustainian - Carbon Footprint Tracking.

The Data Processor is a legal entity established in the EU, which means that, regardless of where the clients of the Data Processor are seated, the Data Processor shall handle and process the data of its clients according to the regulations of the EU, especially the GDPR.

The data processing activity

Based on this agreement, the Data Controller instructs the Data Processor to operate the Sustainian - Carbon Footprint Tracking app and to process End-User Data.

The app processes the following types of End-User Data:

  • Jira information: Anonymized User ID, project/issue ID, key, etc.

  • Workplace information

  • Office data, office-people matrix data

  • User home-office distance data, transport type data

  • User consumption data

  • User-based calculated emission factors

  • CO2e emission factors

  • No sensitive PII is anticipated to be processed.

The app stores the following types of End-User Data:

  • Jira information: Anonymized User ID, Jira authentication token, project/issue ID, key, etc.

  • Workplace information

  • Office data and office-people matrix data

The app stores and processes these data linked to the Anonymized User ID.

The Data Processor uses servers located within the territory of the EU to store the data.

Principles of data processing, rights and obligations of the Parties regarding data processing

Data Controller and Data Processor shall protect the data subjects’ right to privacy, fundamental rights and civil rights during data processing, in consideration of the provisions of the Regulation.

Data Controller shall ensure, bearing in mind the principle of data protection by design and default, that the processing of personal data is necessary for the processing purposes defined above and performing the legal obligations of the Data Controller. This obligation shall apply to the quantity, degree of processing, storage duration and accessibility of personal data collected.

Right to give instructions

The Data Processor agrees:

  • to process personal data only in the name of the Data Controller and in accordance with their instructions hereunder; if they are not able to meet such requirements, they shall immediately notify the Data Controller thereof;

  • that they are not aware of any law they are subject to that would prevent them from carrying out the instructions of the Data Controller and the obligations undertaken in this contract.

The responsibility for damages arising from any procedure that deviates from, or is not covered by, the instructions of the Data Controller shall rest with the Data Processor.

By signing this Agreement, the Data Controller expressly allows the Data Processor, or any other person holding the copyright of the services, to develop and alter the underlying IT systems of the service in the context of the technical development of the services.

Using other processors

The Data Processor is entitled to use the following sub-processor:

  • Cloudflare, Inc. (101 Townsend St, San Francisco, CA 94107), which provides data storage for the app.

Providing support to processing

The Data Processor shall support the Data Controller:

  • in the impact assessment under Article 35 of the GDPR provided that, if the Data Controller makes an impact assessment concerning the data processing as well, the Data Processor shall provide a written answer to the specific questions of the Data Controller regarding data processing within 20 days,

  • in personal data breaches provided that:

    • if the Data Processor finds a personal data breach of any level, then they shall notify the Data Controller thereof within 24 hours,

    • if the Data Processor notifies the Data Controller of a personal data breach, then the Data Processor shall be involved in the investigation of such breach; in doing so:

      • if it is a high-level personal data breach, they shall immediately, and within 24 hours at the latest, perform investigations in order to decide whether the reason for that breach is connected to service operations, and they shall notify the Data Controller of the results of such investigations; furthermore, if the reason for the breach is connected to service operations, then they shall be involved in the measures to handle the breach and take all reasonably expected steps to handle the breach within a reasonable time;

      • if it is a low-level personal data breach, they shall, within 7 working days, perform investigations in order to decide whether the reason for that breach is connected to service operations, and they shall notify the Data Controller of the results of such investigations; furthermore, if the reason for the breach is connected to service operations, then they shall be involved in the measures to handle the breach and take all reasonably expected steps to handle the breach within a reasonable time;

    • if they establish, upon a notification from the Data Controller, that a personal data breach of any level is associated with service operations, then they shall start to eliminate the service defect immediately if it is a high-level breach, or within 7 working days if it is a low-level breach; if it is a high-level breach, they shall finish the troubleshooting as early as possible within a reasonably expected deadline; if it is a low-level breach, they shall finish the troubleshooting within 30 days; they shall then notify all Data Controllers of the troubleshooting.

    • in the report on the personal data breach, the Data Processor shall provide the following data:

      • personal data concerned,

      • name, number of persons concerned by the breach,

      • date & time of the breach,

      • circumstances of the breach,

      • effect of the breach,

      • measures taken by the Data Processor to eliminate the breach,

      • other breach-related data.

In case of a personal data breach, the Parties shall determine the level of such a breach as follows:

  • Low-level personal data breach: unauthorised forwarding, alteration, disclosure, willful or accidental erasure or destruction of or unauthorised access to negligible personal data. This is particularly the case if data are not associated with a natural person.

  • High-level personal data breach:

    • unauthorised alteration, forwarding, disclosure, willful or accidental erasure or destruction of or unauthorised access to a significant amount of personal data,

    • regardless of the scope of data, all cases where the incident implies a gravely negative impact on the data subject or the occurrence of the negative consequence is certain.

The Data Processor shall, if required, provide the option of personal consultations so that the Data Controller can check the functioning of the services; the Data Processor shall, however, not provide access to the source code underlying the IT systems due to the lack of technical means and copyright limitations.

The Data Processor shall immediately notify the Data Controller if, in the opinion of the Data Processor, any of their instructions violates the relevant data protection requirements. If the Data Controller sustains the instruction even after such notification, then the Data Processor shall be released from the responsibility for the particular processing.

Supporting the exercising of data subject’s rights

The Data Controller shall always have the right to request the contribution of the Data Processor where the exercise of data subjects’ rights requires it; in such cases, the Data Processor shall perform such requests within 20 days after consulting with the Data Controller, or they shall provide the support necessary for performing the request.

Obligation of record-keeping

The Data Processor shall keep records of their Processing.

Confidentiality

The Data Processor undertakes to treat confidentially any personal data they become aware of during the data processing specified herein, as well as any data they become aware of during controlling by the Data Controller or processing by the Data Processor, and they shall use such data only to perform the tasks specified herein.

Obligations applying after the termination of the Data Processing Agreement

The Data Controller and the Data Processor agree that, after the termination of the processing, the Data Processor and any other processor shall erase, or anonymise in a non-restorable manner, all personal data in their possession.