Zum Hauptinhalt springen

DATA PROCESSING AGREEMENT

This data processing agreement (hereinafter referred to as the “Agreement”), according to Art 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”) constitutes the legal basis for the processing of personal data and is concluded by and between:

The Personal Data Controller (hereinafter referred to as the “Controller” or “Client”) is the Party concluding the agreement for the provision of Vasco Audience service and this Agreement, and the Processing Entity (hereinafter referred to as the “Processor” or “Processing Entity”) is Vasco Electronics S.A. With its registered office in Cracow, al. 29 listopada 20, 31-401 Cracow, Poland.

The Agreement has been concluded once the Client accepted it electronically. The person effecting the acceptance, acting as an employee, plenipotentiary, consultant or other agent of the Client, represents and warrants that it has the full and binding authority to act on behalf of the Client and to enter into the Agreement.

PREAMBLE

The Agreement has been concluded in relation to the provision of Vasco Audience service by the Processing Entity to the Controller (hereinafter: Master Agreement).

In relation to the execution of the Master Agreement the Processing Entity will be processing personal data on behalf of the Controller, which, according to Art. 28 (3) GDPR requires entering into this Agreement.

  1. DEFINITIONS

    Th following terms in the Agreement, unless expressly stated otherwise, shall have the following meanings:

    1. Provisions concerning data protection - all binding provisions of the law and regulations concerning data privacy and protection; including in particular GDPR and all national provisions of the law concerning data protection.
    2. Controller, Processor, Processing Entity, Personal Data, Processing, Personal Data Infringement, Special Category Personal Data shall have the meaning given to them in GDPR.
    3. User - clients and their representatives and end users of the Controller whose data are entrusted to the Processing Entity in the course of providing Vasco Audience service.
    4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. SCOPE OF AGREEMENT AND INSTRUCTIONS FOR PROCESSING
    1. The Processing Entity shall process the Personal Data entrusted to it pursuant to the Agreement, in accordance with the scope of processing constituting Appendix No 1 to the Agreement.
    2. The Personal Data entrusted by the Data Controller shall be processed by the Processing Entity solely for the purpose of implementing the Master Agreement.
  3. OBLIGATIONS OF THE PROCESSING ENTITY
    1. The Processing Entity undertake to process the User’s Personal Data solely for the purpose of proper provision of the Vasco Audience service according to the scope and documented instructions of the Administrator and detailed description in Appendix No 1 to the Agreement.
    2. The Processing Entity undertakes to exercise due diligence when processing the Personal Data entrusted.
    3. The Processing Entity undertakes to secure the Personal Data processed by applying appropriate technical and organizational measures ensuring conformity with GDPR, including in particular an adequate level of security corresponding to the risk of infringement of rights of liberties of the data subjects. The list of technical and organizational measures applied by the Processing Entity constitutes Appendix No 3 to the Agreement.
    4. The Processing Entity undertakes to grant authorization for personal data processing to all persons who will be participating in the processing of the entrusted personal data. A the same time the Processing Entity represents that only the persons necessary for the provision of services identified in the Master Agreement and having appropriate training in the scope of personal data protection shall participate in the processing of the data.
    5. The Processing Entity represents that the persons authorized by it to process the personal data are bound to confidentiality or will be subject to an appropriate statutory duty of confidentiality referred to in Article 28 (3) b) GDPR, both in the period of their employment with the Processing Entity, and after its termination. The Processing Entity further ensures that the persons referred to in this paragraph shall process personal data according to the “need to know” rule.
    6. After the completion of services related to the processing, the Processing Entity shall immediately delete or return all personal data to the Controller and delete any existing copies of the data, unless the law of the EU or the law of a member country requires the retention of personal data.
    7. The Processing Entity is obliged to inform the Controller in a documented manner of its doubts as to the lawfulness of orders or instructions issued, under the pain of loss of the ability to pursue claims against the Controller.
    8. As far as possible the Processing Entity shall help the Controller fulfill the obligation to respond to the requests of the data subject and meet the obligations identified in Art. 32-36 GDPR. If the Processing Entity receives a request concerning the exercise of data subjects’ rights, the Processing Entity shall immediately inform the Controller about this. When providing the information, the Processing Entity shall provide the Controller with the sender details and content of the request and shall determine to what extent it is able to contribute to the fulfillment of the request.
    9. In case personal data protection infringement is discovered, the Processing Entity shall notify the Controller of the fact without undue delay, not later, however, than within 48 hours after the infringement was discovered. The infringement has to be reported to the Controller by e-mail, to the following address: gdpr@vasco-electronics.com.
  4. OBLIGATIONS OF THE CONTROLLER
    1. Using the Service lawfully, including in accordance with the provisions of GDPR and other applicable provisions of the law on protection of privacy and personal data.
    2. The Controller is obliged to verify whether the nature of the Vasco Audience service, its functionality and obligations of the Processing Entity resulting from the Agreement, meet its needs, in particular in the scope of the need to apply additional security measures in order to ensure the level of security corresponding to the risk related to the Personal Data being processed.
    3. Without prejudice to the obligations of the Processing Entity determined in Section III of the Agreement in the scope concerning the application of technical and organizational measures, the Controller shall be solely responsible for:
      1. securing all account credentials, passwords, access keys and other authorization mechanisms used to access the Vasco Audience service;
      2. securing systems, end devices and networks used by the Controller and its Users to access the Vasco Audience service;
      3. creating and maintaining, if required by the specific nature of the Client’s business or internal policy, backup copies of Client's Data, apart from the Vasco Audience service.
  5. FURTHER TRANSFER OF DATA
    1. The Processing Entity can entrust the personal data covered by the Agreement for its further transfer to its subcontractors only after obtaining prior consent of the data Controller. Appendix No 2 constitutes a list of further processing entities submitted by the Processing Entity and accepted by the Controller.
    2. Entrusting the processing of personal data to further processing entities who have not been identified in Appendix No 2 to the Agreement requires prior notification to the Controller in order to enable it to effectively object. If the Controller objects to this, the Processing Entity shall have no right to transfer the processing of data to another processing entity.
    3. The Processing Entity shall inform the Controller of its intention to engage a new sub-contractor or replace the existing one with at least 14 days’ notice. The Controller may object to this change within 14 days of receiving the notification, whereas the objection has to be duly justified and based on rational grounds related to the threat to the protection of the personal data processed, lack of conformity with GDPR or lack of adequate guarantees on the part of the proposed further processing entity. In case of lack of proper justification for the objection - the Processing Entity has the right to ask the Controller to supplement the objection. After the Processing Entity has accepted the objection, each of the Parties has the right to terminate the Agreement with an immediate effect.
    4. Transfer of the entrusted data to a third country may only happen upon the Data Controller’s documented order, unless the Processing Entity is obliged to do so by the law of the EU or the law of a member country to which the Processing Entity is subject. In such a case before the processing begins the Processing Entity shall inform the Data Controller about this legal obligation, provided that the law does not prohibit the disclosure of such information on grounds of important public interest.
    5. The Processing Entity undertakes that the transfer of Personal Data outside of the European Economic Area (EEA) shall only occur if the Entity receiving the Data ensures an appropriate level of protection, compliant with GDPR, and the transfer is based on one of the security mechanisms mentioned in Chapter V GDPR, in particular: the decision of the European Commission establishing the appropriate level of protection (Art. 45 GDPR), Standard Contractual Clauses (SCC) or other appropriate securities.
    6. Further subcontractors referred to in paragraph 1 above should meet the same guarantees and obligations that have been imposed on the Processing Entity in the Agreement.
    7. Processing Entity shall be liable towards the Controller for lack of fulfillment of the obligations of the subcontractor resulting from the Agreement.
  6. THE RIGHT TO AUDIT AND RETURN OF DATA
    1. The Controller has the right to conduct audits and inspections in order to check the compliance of the Processing Entity’s processing of the Data with the requirements of this Agreement.
    2. The audit referred to in paragraph 1 above may only be conducted after the Processing Entity has been notified of the intention to conduct it with at least 14 days’ notice.
    3. After the Controller’s audit request has been received, the Parties shall agree on the date of the audit’s commencement, its duration, scope and security and confidentiality control measures applied during the audit. The Processing Entity has the right to propose to the Controller that the audit be conducted in writing instead of at the premises of the Processing Entity, provided that the materials submitted are sufficient to verify the compliance of the processing.
    4. The Controller, exercising the right to audit at the premises of the Processing Entity, undertakes to conduct the audit only within the standard working hours of the Processing Entity and in a way that minimizes interference with its ongoing, everyday activity.
    5. Before the audit begins at the Processing Entity’s premises, the Controller is obliged to ensure that the persons authorized to conduct the audit sign a confidentiality agreement and present the Processing Entity with documents confirming their authority. The Processing Entity has the right to deny access to its systems to persons who do not met these requirements or infringe on the internal security rules of the Processing Entity.
    6. The Controller agrees not to use the right to audit more often than once in twelve (12) calendar months, except for situations, where the audit is required by a relevant data protection authority or is necessary due to proven Data Breach.
    7. The Processing Entity may propose to the Controller that the report from the external audit is accepted instead of a physical inspection, provided that the reports concerns systems used for the Vasco Audience service.
  7. RIGHT OF CONTROL
    1. Upon the Controller’s request the Processing Entity shall share all information necessary to fulfill or demonstrate the fulfillment of obligations resulting from the Regulation.
    2. Information referred to in paragraph 1 shall be provided within 30 working days, subject to the timely completion of tasks arising from the Regulation from the date of delivery of the application subject to paragraph 3 below.
    3. If the request referred to in paragraph 1 concerns the fulfillment of the obligation to report the breach of personal data protection or remove its effects, the Processing Entity shall provide the information as early as possible, yet not later than within 48 hours from the delivery of the request.
  8. RESPONSIBILITY OF THE PROCESSING ENTITY
    1. The Processing Entity shall be responsible only for the damage done as a result of processing, where it had not fulfilled its obligations which GDPR or the Agreement impose directly on the Processing Entity or where it acted outside of the lawful instructions of the Data Controller or against these instructions.
    2. The Processing Entity shall not be responsible in particular for:
      1. irregularities resulting from the Controller’s instructions;
      2. errors in configuration of the Vasco Audience service made by the Controller;
      3. Breaches caused by third parties, where the Processing Entity did not exercise due diligence in the scope identified in the Agreement.
    3. The Processing Entity undertakes to immediately inform the Data Controller about a proceeding, administrative decision, court decision, control or inspection, provided that it is legally allowed and that it has direct and significant impact on the processing of Personal Data entrusted pursuant to this Agreement or on the measures for the protection of these data in the systems of the Processing Entity.
    4. The disclosure obligation referred to in paragraph 3 above shall not cover the proceedings and inspections concerning solely the internal processes of the Processing Entity, its employees or other clients, if they do not lead to direct risk of breach of security or confidentiality of the Personal Data processed on behalf of the Client.
  9. TERM OF THE AGREEMENT

    The Agreement shall be in effect from the date of its conclusion for the duration of the Master Agreement, and also for the time necessary to end the processing of the Personal Data entrusted to the Processing Entity according to the Agreement, including their deletion or return to the Administrator.

  10. FINAL PROVISIONS
    1. The Parties confirm that the Agreement constitutes an integral part of the Master Agreement and the Terms and Conditions for the Vasco Audience service provision. In the case of any conflict between the provisions of the Agreement and the Master Agreement or Terms and Conditions in the scope of rights and obligations concerning the protection of personal data, the provisions of the Agreement shall prevail.
    2. All matters concerning the validity, interpretation and performance of the Agreement, including the resulting disputes, shall be governed by the Polish law.
    3. The Parties shall first attempt to solve all disputes, controversies or claims resulting from the Agreement or in relation to it, including those concerning its validity, breach, termination or invalidity, in an amicable way.
    4. The court having jurisdiction over the disputes resulting from the Agreement shall be the court having jurisdiction over the Processing Entity.
    5. The Processing Entity reserves the right to amend the Agreement in accordance with the procedure provided for amendments to the Master Agreement. The Processing Entity undertakes to inform the Controller of all significant amendments to the Agreement with at least 14 days’ notice before they come into force.
    6. In case of lack of acceptance of the new terms and conditions of the Agreement, the Client shall have the right to terminate the Agreement immediately. To this end, not later than within 14 days from the date of entry into force of the amendments to the Agreement, the Client has to:
      1. delete their Account;
      2. notify Vasco about the termination of the Agreement due to non-acceptance of amendments thereto, by e-mail to the following address: support@vasco-electronics.com.
    7. Lack of termination within the period stated in paragraph 6 above shall mean acceptance of the new provisions of the Agreement.
    8. If a competent court deems any provision of the Agreement as invalid, unlawful or unenforceable, it shall not have impact on the validity, lawfulness or enforceability of the remaining provisions of the Agreement. In such a case the Parties undertake to immediately replace a provision that is invalid, unlawful or unenforceable with a new provision, whose content and purpose shall be as close to the initial economic intention of the Parties as possible.

APPENDIX NO 1

DESCRIPTION OF THE METHOD OF PERSONAL DATA PROCESSING

The object and nature of processing

The object of processing is the content of statements and their translations, voice and identification data of Users of events organized by the Client. The nature of processing is automated and consists in managing the machine translation process in near real time.

The processing covers such activities as: gathering, recording, organizing, storing, verifying, sending and deleting the data upon the request of the Controller.

The purpose of processing

The performance of the Master Agreement, i.e. providing the Client with the service of automated translation of speech in the format of one-to-many or several-to-many through the Vasco Audience app. Providing the Client with the possibility to manage access and list of event participants and enabling the participants to ask questions in text form and receive translation.

Duration of processing

The processing shall continue for the duration of Master Agreement. The data of the content published by the User shall be stored until the event is closed, the history is deleted or the Account is deleted by the Client.

Type (categories) of Personal Data

Data related to statements:

  1. the voice of the speaker;
  2. the content published by the speaker, including transcripts and their translations;
  3. the content of questions asked by users in the text form together with their translations.

User identification data such as User name, related to a specific event organized by the Controller.

Categories of Data Subjects

Users using the Vasco Audience service as speakers and participants of events who join a specific event organized by the Controller.


APPENDIX NO 2

FURTHER TRANSFER OF DATA

Below is a list of subcontractors whom the Processing Entity can hire to provide services for the Controller.

SUBJECT DATA LOCALIZATION THE PURPOSE OF PROCESSING
Google LLC European Union Provider of the platform for the provision and management of mobile and web apps
Google LLC Global endpoints Translation service provider
Microsoft Azure Global endpoints Translation service provider
AWS Global endpoints Translation service provider
DeepL European Union Translation service provider
Translate.com European Union Translation service provider
DigitalOcean European Union Proxy server provider
AWS Japonia/USA Proxy server provider
Cloudflare, Inc. United States Balancer provider


APPENDIX NO 3

LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES

LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES

Measures of pseudonymization and encryption of personal data.

All data sent to or from Vasco is encrypted in transit using TLS 1.2+.

Vasco is unable to connect the device with a particular user. The device is not assigned to the user at any stage of the sales and service provision process.

All application endpoints are TLS/SSL only.

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Vasco tests its Business Resiliency capabilities and defines the objectives based on a thorough Business Impact Assessment.

Data are backed up and tested in accordance with the business resiliency and recovery objectives.

Vasco’s infrastructure is exclusively managed and developed by Vasco’ employees.Vasco’s infrastructure is managed by the engineering teams located in Europe, and relies on a zero-trust model where there is no direct reliance on specific office locations to sustain operations. Vasco leverages a range of best-of-breed technologies and other critical tools to deliver uninterrupted remote work for all employees.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing.

Vasco infrastructure continuous monitoring of its compliance against industry standards and best practices.

Vasco performs a regular review of the security systems and processes to ensure they meet the requirements of the Information Security policy.

Vasco leverages an independent third-party to conduct annual penetration tests on the applications and web systems.

Measures for user identification and authorization.

Vasco uses appropriate data access mechanisms. Vasco limits the number of authorized employees and applies hierarchical privilege management according to the requirements of the position and employee level.

Vasco provides access to Data based on a need-to-know basis, for a permitted purpose, and following the principle of least privilege.

Vasco performs regular user access reviews. Accounts are deprovisioned and access revoked upon termination/resignation of employment, or a change in job role that results in employees no longer requiring access to Data.

Vasco monitors and alerts the internal IT team on any suspicious user activity detected on the platform by leveraging user behavior analytics tools.

Vasco monitors production systems and implements security controls and procedures designed to prevent, detect, and respond to identification and authorization threats and risks.

Prior to obtaining permission to process Data, employees are familiarized with Vasco's data processing policies and are required to keep all information confidential.

Vasco regularly conducts training sessions for employees aimed at continuously increasing awareness and knowledge of the processing of personal data.

Measures for the protection of data during storage

Data storage endpoints are not exposed to the internet and are monitored to prevent such access.

Vasco keeps its systems and software up to date with the latest upgrades, updates, bug fixes, new versions, and other modifications necessary to ensure the security of the Data.

Vasco provides security and privacy training for all employees with access to Data.

Contracts with employees consist of an obligation to maintain confidentiality regarding information and data entrusted to employees in the course of performing their duties.

Customer instances are logically separated, and attempts to access data outside allowed domain boundaries are prevented and logged. The logical isolation of data is also regularly audited through penetration testing from the internal security teams, and annually by an independent third -party.

Vasco uses anti-malware software and keeps the anti-malware software up to date.

Access Control Lists (ACL) are maintained and regularly updated.

Measures for ensuring physical security of locations at which personal data are processed.

Vasco’s servers are hosted in AWS & Digital Ocean that, who present the adequate guarantees for ensuring physical security of locations at which personal data are processed.

AWS & Digital Ocean SOC2 certifications are reviewed by Vasco upon certification renewal.

Measures for ensuring event logging.

Access, security and application logs are recorded and securely stored in an encrypted format for not longer than 1 year.

The retention period of the logs depends on their type, importance in the context of security and ensuring the quality and support of services.

Measures for ensuring data minimization.

Data collection is limited to the purposes of processing.

Security measures are in place to provide only the minimum amount of access necessary to perform required functions and services.

Vasco complies with individual’s right to rectification and carefully considers any challenges to the accuracy of the personal data as documented in Vasco’ Privacy Policy.

Measures for ensuring limited data retention.

Data retention is limited to the purposes of processing.

Vasco has appropriate processes in place to comply with an individuals’ requests for erasure under ‘the right to be forgotten’.

Measures for ensuring accountability.

Vasco implements the appropriate measures to comply with Data Privacy Regulations in the regions where it operates, at the highest management level(s), and throughout the organization.

Vasco has implemented data protection policies.

Vasco follows a data protection by design and default approach.

Vasco maintains written contracts in place with organizations that process personal data on its behalf.

Vasco maintains documentation of the processing activities.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub- processor.

Vasco performs an assessment of the data security controls of third parties prior to business engagement.

Vasco will restrict the onward sub-processor’s access to Data only to what is strictly necessary to provide the Services.

Vasco imposes contractual data protection obligations on any sub- processor it appoints that requires said sub-processor to protect Data to the standard required by applicable Data Protection Regulation. This includes appropriate technical and organizational measures to protect personal data.

Vereinbaren Sie einen Rückruf

Rückruf vereinbaren

Bitte hinterlassen Sie Ihre Telefonnummer; wir werden Sie zur gewünschten Zeit anrufen.

Ihre Telefonnummer:*

Wählen Sie ein Thema:*

Gewünschte Rückrufzeit:

Ich willige in die Verarbeitung meiner personenbezogenen Daten ein zum Zweck der Durchführung eines Gesprächs gemäß der Datenschutzerklärung. Die Angabe der Daten ist freiwillig, aber für die Bearbeitung der Anfrage notwendig.