DATA PRIVACY NOTICE & DATA PROCESSING AGREEMENT
This Data Privacy Notice and Data Processing Agreement are an integral part of each other and the Terms of Services, and the Customer agrees, declares and undertakes to comply with the Terms of Services, Data Privacy Notice and Data Processing Agreement agreements based on the service provided by SGM.
This Privacy Notice describes the policies and procedures of Sigma Telecom. (“SGM”, “we” or “us”) on the collection, use, security and disclosure of personal information about you on https://sgm.gr (the “Site”) and the services, features, content or applications offered by SGM (collectively with the Site, the “Services”). It also describes your choices regarding use, access and correction of your personal information.
This Privacy Notice covers the treatment of the personal information gathered by SGM when you use or access the Services, or when you view or interact with a SGM link (either our sgm.gr links). This Privacy Notice also covers SGM’s treatment of any information about you that SGM’s customers share with SGM.
This Privacy Notice does not apply to the practices of other businesses that SGM does not own or control, including other companies’ websites, services and applications (“Third Party Services”) that you can access through the Services, such as Facebook or Twitter, or to individuals that SGM does not manage or employ. We can not take responsibility for the content or privacy policies of those Third Party Services. We encourage you to review the privacy policies of any Third Party Services you access.
Information We Collect
SGM may collect personal information about you as described in this Privacy Notice when you (i) register for the Site and the Services, through your user account with SGM, including registering through a third-party social networking service (your “Account”), (ii) use the Services, or (iii) view or interact with a SGM link (either our sgm.gr links) on a third-party website. We collect the following types of information from you, some of which might be considered personal information under applicable law.
When You Register for a SGM Account
When you create an Account, we may collect personal information from you, such as your name, phone number, company name, industry, job title, company size and email address. If you create an Account using your login from a third-party account, such as Google, Facebook or Twitter, we will access and collect the personal information about you that the third-party account provides (which is based on your privacy settings with the third-party account), so that you can log into your Account with us. We use your contact information to send you information about our Services and communicate with you about your Account, your activities on our Site and Services and Notice changes. You may unsubscribe from receiving certain types of these messages through your Account settings, although SGM reserves the right to contact you when we believe it is necessary, such as for administrative and account management purposes.
Some features of the Services allow registered users to provide their own content to the Services, such as written descriptions of URLs, comments, images and video. Unless you request deletion of your personal information as described in this Privacy Notice, all content submitted by you to the Services may be retained by SGM, even after you terminate your Account and may continue to be shared by third parties, as described in this Privacy Notice.
When You Create a Link SGM
One feature of the Services is the ability to create shortened uniform resource locators (URLs) of websites (“SGM Link”). Users can create SGM Links without registering for an account. When you create a SGM Link, SGM collects and stores both the original URL and the shortened URL and, if you are logged in to your Account, we will associate that information with your Account. SGM also collects and stores your IP address, your location, which we derive from your IP address, the time and date on which you shortened the original URL, and if you share a SGM Link on a social networking platform, the name of the platform and your username on that platform.
When You Interact With a SGM Link
SGM automatically collects personal information about the interaction (such as clicks or views) with every SGM Link created through the Services (either our sgm.gr links or one of our branded domains) on a third-party website. This information includes, but is not limited to: (i) the IP address and location derived from the IP address; (ii) the referring websites or services; (iii) the time and date of each access; (iv) device settings, such as browser type, operating system, and language; (v) cookies, as described below, and mobile advertising identifiers and (v) information about sharing of the SGM Link on Third Party Services such as Twitter and Facebook. As described in this Notice, we use SGM Link Metrics to provide the Services, to understand and analyze how our Services are used and to identify trends, and to detect, deter and prevent malicious, fraudulent or unlawful activity. Please see the “Information We May Share” section of this Privacy Notice for a description of how we may share information we collect when you create, view or interact with SGM Links.
Other Information We Automatically Collect
When you visit the Site, we automatically collect (i) your IP address and location derived from the IP address; (ii) the referring websites or services; (iii) the time and date of each access; (iv) device settings, such as browser type, operating system, and language; and (v) cookie information. This type of data enables us and third parties authorized by us to figure out how often individuals use parts of the Site so that we can analyze and improve them.
We may receive a confirmation when you open an email from us. We use this confirmation to improve our customer service.
SGM may use third-party APIs and software development kits (“SDKs”) to provide certain functions in our Services.
Third Party Services
Some features of the Services allow you to share your content and SGM Links through your accounts with other companies such as Facebook and Twitter. If you choose to connect SGM to such Third Party Services, we may collect information related to your use of those Third Party Services, such as authentication tokens that allow us to connect to your Third Party Service accounts. We will ask you for permission before you authorize our collection of this information. We will only use that information for the specific reason for which it was provided to us. We may also collect information about how you are using the Services to interact with those connected Third Party Services. Note that Third Party Services may have the ability to restrict the information that is provided to us based on your privacy settings of that account.
To enable us to infer the location from the IP addresses of computers or devices that visit our website, we receive IP-based location information from our third-party service provider. We also receive business contact information of our business customer contacts and prospects from our third party service provider.
Cookies and Other Similar Technologies
SGM cookies also allow SGM to track when you have clicked on a SGM Link. Each click of a SGM Link is tracked using a unique identifier assigned to you in one or more cookies stored by your web browser and associated with SGM. We may associate the unique identifier in our cookies with the other information we automatically collect when you use the Services, as described above, including your IP address, SGM Links you click, SGM Links you create, and information with your Account if you have one.
Most browsers have an option for turning off the cookie feature, which will prevent your browser from accepting new cookies, as well as (depending on the sophistication of your browser software) allowing you to decide on acceptance of each new cookie in a variety of ways. If you disable cookies, you will not be able to use some features of the Services.
Note Regarding Children
We do not knowingly collect personal information from children. If we learn that we have collected personal information of a child under 13 (or older as required by applicable law), we will take steps to delete such information from our files as soon as possible.
How We Use Information
We use the personal information we collect for a variety of administrative and business purposes to:
- operate our Site and provide the Services,
- process and complete any transactions,
- verify individual identity,
- respond to inquiries, questions and comments and provide customer and technical support,
- provide access to certain functionalities of our Services,
- personalize and improve the Services and develop new products and services,
- to communicate with our current and prospective customers concerning our services,
- measure interest and engagement in our Site and Services,
- monitor and analyze usage and trends of the Site and Services,
- provide services to our customers to allow them to understand how you interact with our Services and to help detect, deter and prevent malicious, fraudulent or unlawful activity,
- comply with any legal obligations, and
- enforce our terms and as otherwise described in this Privacy Notice.
Usage Across Devices
We may use the information we collect to make inferences that a unique individual has created or interacted with SGM links on different devices so that we can detect, deter and prevent malicious, fraudulent or unlawful activity and analyze how users use our Services. For example, if you created a SGM link on a computer connected to your residential WiFi network, and you soon thereafter clicked on a SGM link on a mobile device connected to the same WiFi network, we may infer that a single individual created and clicked on the SGM links because both events were associated with the same IP address in the same time period.
Other Legitimate Interests
We also may use personal information to pursue legitimate interests, such as direct marketing, research (including marketing research), network and information security, prevention of fraudulent, malicious and unlawful activities, or any other purpose disclosed to you at the time you provide personal information or allowed by law.
Information We Share
The Services are designed to help you share information with others. In addition, we provide Services to our Customers that use SGM Link Metrics. As a result, some of the personal information generated through your use of the Services is shared publicly or with third parties as described below.
SGM Links You Create
Much of your activity on and through the Services is public by default. For example, when you create a SGM Link, the original URLs you have shortened and the corresponding SGM Links are publicly available.
Where permitted by law, if you register a SGM Account with an email address on a domain owned by an organization, (for example, an employer or educational institution where you have an email account), we may share your email address and information about your Account, such as the number of links you have created, with that organization to explore the organization’s interest in creating or managing an enterprise account or for related purposes.
Information We Share With Customers
We may share the personal information we collect as described in this Privacy Notice with our customers. When you create a SGM Link of one of our enterprise customer’s sites, the enterprise customer is able to view the unshortened original URL, the date and time the SGM Link was created, the location where it was created as derived from your IP address, and aggregated information about clicks and views of the SGM Links, including the number of times the SGM Link was shared, whether or not it was viewed, comparison of that SGM Links performance to that of all SGM Links pointing to the same content, whether others are sharing a SGM Link to the same content, geographic regions where the content is being viewed, and identification of social networks on which the SGM Links appear. In addition, we may share SGM Link Metrics with customers to help them detect, deter and prevent malicious, fraudulent or unlawful activity.
Information You Elect to Share
When creating a SGM Link, you can share that SGM Link through Third Party Services. Any information that you elect to distribute through Third Party Services, such as a social network post you create, may then become accessible to users of those services. You can also access other Third Party Services through the Services, for example by clicking on links in the Statistics page for a SGM Link. We recommend that you review the terms of services and privacy policies of such Third Party Services that you access through the Services since SGM does not control and is not responsible for the privacy practices of these Third Party Services.
Information Shared with Service Providers
We may employ and contract with third parties to perform certain tasks on our behalf and under our direction (our “Service Providers”). We may need to share information about you with our Service Providers in order to provide our product with research and analytics on user behavior and to provide advertising products and services to users, to process payments, and to provide email marketing and support services. Our agreements with these Service Providers authorize them to use your information only as necessary to provide services to us. Transfers to subsequent third parties are covered by the service agreements with our Clients.
Information Disclosed Pursuant to Business Transfers
We may transfer and/or provide information about our users in connection with an acquisition, sale of company assets, or other situations where user information would be transferred as one of our business assets. You will be notified via email and/or a prominent notice on our website.
In such a case, the acquirer of SGM may continue to use your information as set forth in this Notice or as otherwise allowed by law.
Information Disclosed for the Protection of SGM and Others
SGM may access, read, preserve, and disclose any information it collects when it has a good faith belief that doing so is reasonably necessary to (i) comply with a law, regulation, or compulsory legal request, including process from a governmental law enforcement or national security agency, (ii) enforce the Privacy Notice or Terms of Service, including investigation of potential violations hereof, (iii) detect, deter, prevent or otherwise address malicious, fraudulent or unlawful activity, (iv) respond to user support requests, or (v) protect the rights, property or safety of SGM, its users and the public. This includes exchanging information with other companies and organizations for protection from malicious, fraudulent or unlawful activity.
Information We Share With Your Consent
We will share information about you when you instruct us to do so, such as when you share SGM Links or content with others through the Services or if we notify you that the information you provide will be shared in a particular manner and you provide such information (like sharing/posting it with a third-party Service).
YOUR PRIVACY RIGHTS & CHOICES
As a Data Controller (a.k.a. Covered Business under CCPA), for Personal Data that SGM receives from you directly, you have the following rights:
- The Right to Transparency: You have the right to be informed about our privacy and data protection practices in this Privacy Notice.
- The Right to Access/Disclosure: You have the right to know about the specific pieces of Personal Data we have about you, and we will provide you with what we have upon request.
- The Right to Rectification: If your Personal Data is incorrect or incomplete, you have the right to ask us to update it.
- The Right to Object: You have the right to object to or ask us to restrict the processing of your Personal Data.
- The Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, portable format.
- The Right to Withdraw Consent/CCPA’s ”Do Not Sell My Personal Information”: At any time, you can opt-out of processing or having your Personal Data sold by contacting us.
- The Right to Delete (GDPR’s “RTBF”): You have the right to request to delete your Personal Data and we will honor it to the extent that it is no longer necessary for any Services contracted by our Customer or required for our legitimate business purposes, legal or contractual record keeping requirements.
All of your rights above can be exercised by as specified below in Contact Us section.
As a Data Processor, we provide customer identity and engagement solutions to our Customers that involve the processing of Personal Data, including mobile phone numbers, on their behalf. Inquiries relating to Personal Data that we process through our Services on behalf of our Customers should be directed to our Customers.
You can visit our Websites without providing any Personal Data. If you choose not to provide any Personal Data, you may not be able to use certain features of our Websites.
Our Websites offer publicly accessible blogs. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your Personal Data from our blogs, please Contact Us.
We will not contact you for marketing purposes by email, phone, post or text message unless you have given your prior consent. You can change your marketing preferences at any time by Contacting Us.
DATA SECURITY & RETENTION
The security of your Personal Data and our Customers’ confidential information is important to us. We maintain a comprehensive information security program designed to ensure the security of your Personal Data by implementing physical, technical, and administrative measures and safeguards.
We follow best practices and generally accepted standards to store and protect the Personal Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. For Personal Data collected or received over unsecure Internet channels, we encrypt the transmission of that information using secure socket layer technology (SSL/TLS).
Our Privacy and Security Team regularly reviews our security and privacy practices and enhances them as necessary to help ensure the integrity of our systems and security of your Personal Data. Nonetheless, security vulnerabilities are continually evolving which means that no security measures can guarantee absolute security, but we will use reasonable efforts to prevent the accidental or unlawful loss, misuse or alteration of your Personal Data.
We review our data retention periods for Personal Data on a regular basis. We are legally required to hold some types of information to fulfill our statutory obligations. We will hold your Personal Data in our systems for as long as is necessary to provide the Services you have requested or our Customer had contracted for, and thereafter for a variety of legitimate legal or business purposes. These might include retention periods:
mandated by law, contract or similar obligations application to our business operations;
for preserving, resolving (customer support), defending or enforcing our legal/contractual rights; or
needed to maintain adequate and accurate business and financial records (billing purposes).
We take steps to destroy or permanently de-identify Personal Data once it is no longer needed. In some cases, we choose to retain usage information in a depersonalized or aggregated form. Once aggregated, this information ceases to be Personal Data and will not be subject to our regular retention policies or subject to the exercise of your rights and choices as outlined above.
Without prejudice to any other administrative or judicial remedy you might have, you may have the right under data privacy laws in your country (where applicable) to lodge a complaint with the relevant data protection supervisory authority in your country if you consider that we have infringed applicable data privacy laws when processing your personal data. This means the country where you are habitually resident, where you work or where the alleged infringement took place.
We retain the personal information we receive as described in this Privacy Notice for as long as you use our Services or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
Your Account information is protected by a password for your privacy and security. You can prevent unauthorized access to your Account by selecting and protecting your password appropriately, making use of two-factor authentication, and limiting access to your computer and browser by signing off after you have finished accessing your Account.
SGM endeavors to protect the information it collects about its users using industry-standard security processes and controls, however, despite these efforts, no security measure is perfect or impenetrable and SGM does not guarantee or warrant that such measures will prevent unauthorized access to the information about you that is stored by SGM. In the event we experience a breach of security, we will promptly notify you if your personal information has been compromised, in accordance with applicable law. If you have any questions about the security of your personal information, you can contact us through our website at www.sgm.gr
Choice and Access
You don’t need an Account to create SGM Links, and you can use many of the features of the Services without registering, thereby limiting the type of information that is collected about you individually.
SGM acknowledges that you have the right to access your personal information that we collect and are able to associate with you. If you have a SGM Account, you may access, correct, or request deletion of your personal information by logging into your Account. Once logged in to your account, you will be able to view a history of the URLs you have shortened and the metrics pages for those URLs. You can delete your Account at any time through your Account settings page. If you delete your Account, you will no longer be able to access or use the Services. If you have an Account but are unable to access it, you can contact us at email@example.com. We will respond to your request within a reasonable timeframe. In certain circumstances, we may be required by law to retain your personal information.
If you do not have a SGM account, SGM has no way of identifying you or verifying that you created or clicked on a SGM link.
Please note that in the interest of ensuring that existing SGM Links continue to function for all of our users, the SGM Links that you have created and shared cannot be deleted or disabled (even if your Account is deleted), and any shortening and sharing activity that has already occurred on your Account also cannot be deleted. If you have concerns about any unauthorized use of your Account, you can delete your account within your Account settings. Please see the Cookie section above for additional choices you may have.
Changes to This Privacy Notice
We reserve the right to change this Privacy Statement at any time in our sole discretion. If we make changes, we will send you a notification so that you can see what information we gather, how we might use that information and in what circumstances we may disclose it.
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about the vital work we do and/or our Services, then you may (i) choose not to submit any Personal Data to us; or (ii) access the unsubscribe option with the SGM email communications; or (iii) unsubscribe via this email address: firstname.lastname@example.org
If you wish to exercise any of your privacy rights, have any questions or comments about our Privacy Notice, our practices or our Services, or wish to lodge a concern or complaint, please Contact Us at:
Please feel free Contact Us regarding to Legal&Data Privacy and other issues;
We will respond to all requests, inquiries, or concerns promptly upon becoming aware but in any case, within thirty (30) days.
DATA PROCESSING AGREEMENT
This agreement is entered on Effective Date into by and between
SMG, SGM.GR (operating as Sigma Group) is registered in Turkey and has its registered office at Metropol Istanbul, Atasehir/Istanbul, Turkey.
hereinafter referred to as “DATA PROCESSOR”
OUR CUSTOMER, hereinafter referred to as “DATA CONTROLLER”.
Both hereinafter referred to as the “Parties”.
The following terms are defined in addition to the definitions of the Agreement, and those terms shall have the meaning given to them under GDPR, and particularly:
- Data Controller
means an entity (legal person under this agreement) which determines the purposes and means of the processing of personal data;
- Data Processor
means an entity (legal person under this agreement) which processes personal data on behalf of the controller;
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Personal Data Breach
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Applicable Law(s)
in this Agreement means: each legislation applicable to each party hereto (including regulation and Data Protection Legislation for the avoidance of any doubt);
means the person signing this Agreement;
companies currently engaged by DATA PROCESSOR which are listed at sub-contractors;
means this document including its Schedules;
DATA CONTROLLER and DATA PROCESSOR signed a Service Agreement (“Main Agreement”) pursuant to which the DATA PROCESSOR must perform Services as may be ordered by DATA CONTROLLER.
In order to fulfill the requirements of the Data Protection Legislation pertaining to the Main Agreement, the Parties now wish to additionally enter into this Controller-to-Processor agreement (“Agreement”).
The construction of the capitalized terms used in this Agreement are to be primarily construed as defined in the Main Agreement and if not capitalized herein or not defined in the Main Agreement or in this Agreement, with the meaning that could be reasonably attributed to those terms by the Parties.
The DATA CONTROLLER processes its Personal Data as well as Personal Data of other entities of the DATA CONTROLLER group of companies.
The DATA CONTROLLER wishes to outsource to the DATA PROCESSOR certain processing procedures with respect to such Personal Data and the DATA PROCESSOR is willing to supply such processing services to the DATA CONTROLLER on the terms and conditions contained in this Agreement.
The signature of this Agreement does not create any obligation to transfer any processing activity from the DATA CONTROLLER or any DATA CONTROLLER Company to the DATA PROCESSOR. The signature of any Order pursuant to the Main Agreement may trigger the processing of Personal Data by DATA PROCESSOR in which case such activities shall be governed by this Agreement and the applicable terms and conditions of the Main Agreement.
This Agreement is incorporated into the Main Agreement and the Main Agreement shall fully apply to and prevail over this Agreement unless a term or condition of this Agreement expressly deviates from the Main Agreement in which case such deviating term or condition shall apply for this Agreement only.
NOW IT IS AGREED as follows:
For the avoidance of any doubt, the recitals of this Agreement are part of this Agreement.
Any breach of this Agreement by DATA PROCESSOR shall be construed as a material breach of the Main Agreement, and liability (if any) of the DATA PROCESSOR shall be governed by the terms and conditions of the Main Agreement.
The DATA CONTROLLER and the DATA PROCESSOR each must comply at all times with applicable Laws and the provisions of this Agreement.
- Purpose of the Personal Data Processing
1.1 The purposes for which the Personal Data shall be processed is for providing services to DATA CONTROLLER, related to SGM platform including all applications and services, which are determined by Main Agreement.
- Obligations of the DATA CONTROLLER
2.1 The DATA CONTROLLER shall transfer to the DATA PROCESSOR only Personal Data obtained in compliance with the relevant provisions of the applicable Data Protection Legislation for the purposes stated in this Agreement.
2.2 The DATA CONTROLLER shall keep up to date and correct all Personal Data transferred to the DATA PROCESSOR whenever required in particular as set out by the relevant provisions of the applicable Data Protection Legislation.
2.3 The DATA CONTROLLER is solely obliged to provide data subjects with all information and explanations as required under applicable Laws. As between DATA PROCESSOR and DATA CONTROLLER, the DATA CONTROLLER is also solely responsible for dealing with data subjects in relation to their rights to access their respective data in accordance with applicable laws.
- Obligations of the DATA PROCESSOR
3.1 The DATA PROCESSOR shall process the Personal Data on behalf of the DATA CONTROLLER pursuant to the written instructions of the DATA CONTROLLER in accordance with applicable Laws and the terms and conditions set forth in the Agreement
3.2 The DATA PROCESSOR shall correct, modify, block or erase (as instructed by the DATA CONTROLLER) any Personal Data processed by DATA PROCESSOR in case it is not possible for the DATA CONTROLLER to do so.
3.3 The DATA PROCESSOR warrants and represents that it has implemented (and shall maintain during the term of this Agreement and as long as required by Laws) the technical and organizational security measures for the protection of Personal Data before processing the Personal Data which are transferred, and additional security measures as mutually agreed by the DATA PROCESSOR and the DATA CONTROLLER in an Order. DATA PROCESSOR has been adopting security measures including encryption, pseudonymization, resilience of processing systems and backing up personal data in order to be able to reinstate the system. All of organizational and technical measures are applied in accordance with ISO 27001 standard and GDPR requirements.
3.4 The DATA PROCESSOR shall not less than once per calendar year and in any cases as required from the DATA CONTROLLER from time to time, test the measures and promptly communicate the result of such testing to the DATA CONTROLLER.
3.5 In order to ensure compliance with such security measures, the DATA PROCESSOR shall permit the DATA CONTROLLER to conduct periodic inspections of its premises and the implemented security measures during usual business hours. The DATA CONTROLLER shall provide the DATA PROCESSOR with reasonable (but in no event less than thirty  days) advance notice of each inspection.
3.6 The DATA PROCESSOR must ensure that its personnel engaged in the processing of Personal Data comply and shall comply at all times with the data secrecy requirements.
3.7 The DATA PROCESSOR shall only allow access to the Personal Data to its staff or consultants where and to the extent that such access is required for the performance of the Services and subject to such staff and consultants having entered into an adequate non-disclosure agreement.
3.8 In the event that the DATA PROCESSOR shall discover that the DATA CONTROLLER is in breach of any of its obligations provided by the relevant Data Protection Legislation, the DATA PROCESSOR shall without delay notify the DATA CONTROLLER of this fact and suspend the performance of the suspected infringing processing until such time as the breach is remedied.
3.9 The DATA PROCESSOR undertakes to inform the DATA CONTROLLER without delay about any complaints, requests or other communications received by it from data subjects, data protection regulator(s) or third parties related to the processing of Personal Data by the DATA PROCESSOR and/or the DATA CONTROLLER.
3.10 The DATA PROCESSOR must comply with this Agreement at all times.
- Data Security Breaches and Reporting Procedures
4.1 The DATA PROCESSOR is under a strict obligation to immediately notify the DATA CONTROLLER of any Data Security Breach and no later than within 24 hours of the DATA PROCESSOR becoming aware of the breach.
4.2 The DATA PROCESSOR agrees to provide any reasonable assistance as is required by the DATA CONTROLLER or the Data Protection Authority to facilitate the handling of any Data Security breach in an expeditious and compliant manner.
- Retention Period and Liquidation of Personal Data
5.1 The Personal Data shall be retained by the DATA PROCESSOR in order to perform the Services for the time periods as defined by DATA CONTROLLER and in any case no longer than what is strictly necessary for the DATA PROCESSOR to (i) process the Personal Data in line with this Agreement or (ii) as the case may be, to meet any of its legal obligations (in particular statutory archival and retention obligations).
5.2 Subject to any legal obligations or request from DATA CONTROLLER to archive or retain Personal Data, at the request of the DATA CONTROLLER, the DATA PROCESSOR shall carry out the liquidation of any or all the Personal Data without undue delay after all the specific purposes for which the Personal Data were processed cease to exist or upon receipt of a written request of the DATA CONTROLLER.
5.3 On the instructions of the DATA CONTROLLER, the DATA PROCESSOR shall ensure that the PERSONAL DATA processed under this Agreement are returned to the DATA CONTROLLER or destroyed in accordance with the DATA CONTROLLER’S instructions. If those instructions are not in contradiction with an Applicable Laws. The DATA CONTROLLER reserves the right to issue instructions to the DATA PROCESSOR under this Clause at any time. In case, that instructions are not in accordance with applicable laws, applicable laws shall prevail.
5.4 Following the deletion of Personal Data under this clause, the DATA PROCESSOR shall notify the DATA CONTROLLER that the Personal Data in question has been deleted. Where applicable, the DATA PROCESSOR shall also provide confirmation that the Personal Data has been destroyed in accordance with any instructions issued by the DATA CONTROLLER, if those instructions are not in contradiction with an Applicable Laws. In case, that instructions are not in accordance with applicable laws, applicable laws shall prevail.
- Record Keeping
6.1 The DATA PROCESSOR agrees to maintain records of all Personal Data processed under the Agreement and its processing activities. The DATA CONTROLLER reserves the right to inspect the records maintained by the DATA PROCESSOR under this clause at any time, with reasonable (but in no event less than 30 days) advance notice of each inspection.
6.2 If DATA SUBJECT in any case requires information from DATA CONTROLER on subject of what type of that subject’s personal data is being processed under this agreement, and if DATA CONTROLER is not able to provide this type of information without DATA PROCESSOR’s help, DATA PROCESSOR is obliged to provide any reasonable help.
- SGM Sub-Contractors
7.1 In order to provide services, to the standard required by the client (DATA CONTROLLER) as agreed in the main agreement, DATA PROCESSOR might engage companies from SGM. All members of SGM have the same information security policies and procedures established in accordance with ISO 27001 standard and data protection policies and procedures in accordance with GDPR requirements. By signing this agreement DATA CONTROLLER agrees that other members of SGM are considered as SUB-PROCESSORS.
7.2 By signing this agreement DATA CONTROLLER agrees that DATA PROCESSOR may at any time engage another processor, which should be considered as a SUB-PROCESSOR, but in that case DATA CONTROLLER have to be informed by DATA PROCESSOR about addition or replacement of SUB-PROCESSORS. DATA PROCESSOR should make sure there is signed Data Processing Agreement, between DATA PROCESSOR and SUB-PROCESSOR, in place and that any engaged SUB-PROCESSOR is GDPR compliant. DATA CONTROLLER retains opportunity to object to these changes. DATA PROCESSOR reserves the right to engage telecom provider or third-party telecom supplier for providing services that require their engagement (e.g. SMS or voice traffic). SUB-CONTRACTORS are also considered to be engaged as SUB-PROCESSORS by DATA PROCESSOR.
7.3 DATA PROCESSOR shall store personal data originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross-border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless it is required in writing by DATA CONTROLLER.
- Monitoring and Audit Rights of the DATA PROCESSOR by DATA CONTROLLER
8.1 In addition to the monitoring and/or audit rights set out in the Agreement, the DATA CONTROLLER is entitled to proceed to any and all verifications (including on the DATA PROCESSOR’s site(s)) during usual business hours provided the DATA CONTROLLER gives reasonable (but in any event no less than 30 days’) prior written notice to the DATA PROCESSOR.
8.2 The DATA PROCESSOR shall duly and promptly cooperate with the DATA CONTROLLER, upon request of the DATA CONTROLLER, by giving access to all the documents, infrastructures, premises, information and/or staff reasonably required by the DATA CONTROLLER to ensure such Data Processing is compliant with this Agreement.
8.3 The costs and consequences of the monitoring and audits shall be borne by the DATA CONTROLLER including support costs.
9.1 Any notice or other communication which is given under this Agreement to a Party will be addressed and sent to that Party at the address as specified in this Agreement, or at any other address as otherwise notified to the other Party (including for the avoidance of doubt in a Statement of Work).
9.2 For data privacy and security related questions and concerns DATA CONTROLLER should contact DATA PROCESSORS’s DPO.
- Changes to Applicable Law
10.1 In case the applicable data protection and applicable laws change in a way that the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties will amend the Agreement. In such circumstances, the DATA PROCESSOR agrees to implement any changes to its processing activities as are necessary to comply with the amended terms of the Agreement.
- Final Provisions
11.1 This Agreement is entered into as of its Effective Date and for the whole term of the Agreement. For the avoidance of any doubt, it will follow the term of the Agreement and shall be automatically terminated whenever the Agreement is terminated or expired. Termination or expiry of this Agreement shall not terminate the Agreement;
11.2 In addition, the DATA CONTROLLER may terminate this Agreement with a 30 days prior notice to the DATA PROCESSOR without any termination fees or penalty;
11.3 This Agreement constitute the entire agreement between the Parties with respect to the subject matter contained herein;
11.4 This Agreement may be altered or supplemented only in writing and provided any such amendment is signed by the duly authorized representatives of both Parties;
11.5 If any provision of this Agreement is held invalid, illegal, or unenforceable for any reason, such provision shall be severed, and the remainder of the provisions hereof shall continue in full force and effect as if this Agreement has been executed with the invalid, illegal or unenforceable provision eliminated and the Parties shall rapidly discuss and amend the Agreement with a valid, legal and enforceable provision;
11.6 DATA CONTROLLER may modify this Agreement at all times upon written notice to DATA PROCESSOR and such changes shall be effective and applicable to both Parties as indicated in such written notice.
11.7 This Agreement is governed by the laws of Switzerland and GDPR, without regard to their conflicts of law principles.