- Non-Disclosure to Third Parties: Do not disclose data to third parties without the express authorization of the data controller, except in legally permissible circumstances. If the processor wishes to subcontract, they must inform the data controller and request prior authorization.
- Confidentiality: Maintain confidentiality regarding the personal data accessed as a result of this contract, even after the contract has ended.
- Data Security Training: Ensure that authorized individuals who process personal data commit, in writing and explicitly, to confidentiality and to comply with the relevant security measures, and they must be appropriately informed of these requirements.
- Provide Documentation: Keep documentation available for the data controller, demonstrating compliance with the obligation mentioned above.
- Notification of Data Breaches: In case of any personal data security breaches, the processor must promptly notify the data controller without undue delay, providing all relevant information to document and report the incident. Notifications should at minimum include:
- Description of the nature of the breach, including (where possible) the categories and approximate number of data subjects and personal records affected.
- Contact details for obtaining further information.
- Potential consequences of the breach.
- Measures taken or proposed to address the breach, including steps to mitigate any negative effects.
- Communication to Data Subjects: Upon request by the data controller, the processor will notify data subjects of any breaches as soon as possible if the breach likely poses a high risk to the rights and freedoms of natural persons. Communication must be clear, simple, and should include, at minimum:
- Nature of the data breach.
- Contact information for further inquiries.
- Potential consequences.
- Measures taken or proposed by the data controller to address the breach and mitigate potential adverse effects.
- Security Measures: Implement technical and organizational security measures necessary to ensure the confidentiality, integrity, availability, and resilience of data processing systems and services.
Data Disposal
Upon completion of the service, return all personal data and, where applicable, any records containing the data. This return should entail the complete deletion of any data stored on the processor’s IT systems. The processor may retain a locked copy of the data for potential administrative or judicial responsibilities.
Part 3: Obligations of the Data Controller
It is the responsibility of the data controller to:
- Provide the processor with the necessary data to carry out the contracted service.
- Ensure compliance with the GDPR on behalf of the processor before and during the processing period.
- Supervise processing to ensure compliance with all applicable data protection regulations.
Data Protection Annex 2
NOTICE: Your contract with the company providing the service should include the following contractual clauses:
1. Purpose of Data Processing Contract
These clauses authorize Dinahosting S.L. as the data processor to process personal data on behalf of PEDRO MANUEL FERNÁNDEZ LÓPEZ, acting as the data controller, to provide the following services:
The processing will consist of EMAIL PROVIDER, HOSTING, AND CLOUD SERVICES.
2. Identification of Affected Information
To fulfill the requirements of this contract, PEDRO MANUEL FERNÁNDEZ LÓPEZ, as the data controller, will make available to Dinahosting S.L. the information stored on IT systems that support data processing by the controller.
3. Duration
This agreement is valid for one year and will automatically renew unless otherwise decided.
Upon termination, the processor must return all personal data to the controller and delete any retained copies. However, the processor may keep data in a locked state for potential administrative or judicial purposes.
Data Protection Annex 3
NOTICE: Your contract with the company providing the service should include the following contractual clauses:
1. Purpose of Data Processing Contract
These clauses authorize Sonia Sáez García as the data processor to process personal data on behalf of PEDRO MANUEL FERNÁNDEZ LÓPEZ, acting as the data controller, to provide the following services:
The data processing will consist of WEB DESIGN AND MAINTENANCE.
2. Identification of Affected Information
For the fulfillment of this contract, PEDRO MANUEL FERNÁNDEZ LÓPEZ makes available to Sonia Sáez García the information stored on IT systems that support data processing by the controller.
3. Duration
This agreement is valid for one year and will automatically renew.
Upon termination of this contract, the processor must return the personal data to the controller and delete any copies. However, the processor may retain a locked copy for potential administrative or judicial responsibilities.