DECODO DATA PROCESSING AGREEMENT
UAB “Data troops” legal entity code 305893779, with an address Švitrigailos str. 34, Vilnius, Lithuania (“Decodo”) (hereinafter referred to as the Data Processor);
and Natural or legal person concluding this data processing agreement (hereinafter referred to as the Data Controller);
Hereinafter referred to collectively as the “Parties“ and individually as a “Party”, taking into account that:
(A) The Parties have entered into a contractual arrangement in which the Data Processor agrees to deliver the services specified in the Service Agreement and/ or License Agreement, along with related technical support, to the Data Controller ("Agreement");
(B) During the provision of these services to the Data Controller, the Data Processor is required to process personal data on behalf of and in the interest of the Data Controller;
(C) Article 28(3) of the European Union Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) requires that processing by a processor shall be governed by a contract or other legal act under the EU or the EU Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller;
Have concluded this data processing agreement (“Data Processing Agreement”) and agreed as follows:
1. DEFINED TERMS
1.1. Unless otherwise specified by the context, the capitalized terms in this Data Processing Agreement, including its preamble and annexes, shall carry the definitions provided herein:
Term
Definition
Personal Data
refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Data Controller
refers to any entity or individual that has entered into the Agreement and exercises authority over the purposes and means by which Personal Data is processed;
Data Processor
means Decodo, which processes Personal Data on behalf of the Data Controller under this Data Processing Agreement;
Sub-Data processor
refers to a third-party subcontractor engaged by the Data Processor that, in the course of providing services, processes Personal Data on behalf of the Data Controller;
Scraper API Services and Site Unblocker (Services)
means one or more automated data collection tools, provided by Decodo;
Applicable Data Protection Laws
refers to all relevant national or international data protection laws and regulations that apply to the Data Controller or Data Processor at any point during the term of this Data Processing Agreement, including the GDPR.
2. SUBJECT MATTER
2.1. The Data Controller shall comply with all Applicable Data Protection Laws as a data controller, ensuring that its processing of Personal Data and any instructions provided to the Data Processor are in accordance with these laws.
2.2. The Data Controller represents that it has obtained all necessary privacy notices, consents, and rights under Applicable Data Protection Laws to authorize the Data Processor to process Personal Data and provide services as outlined in the Agreement and this Data Processing Agreement.
2.3. The Data Processor shall process Personal Data exclusively based on documented instructions from the Data Controller, including instructions related to transfers of Personal Data to third countries or international organizations. Unless required by Applicable Data Protection Laws, the Data Processor shall not process Personal Data without such instructions. If Applicable Data Protection Laws mandate the processing of Personal Data, including transfers to third countries or international organizations, the Data Processor shall inform the Data Controller of this legal requirement prior to processing, unless disclosure is prohibited by law for important public interest reasons.
2.4. When processing Personal Data under this Data Processing Agreement, the Data Processor shall make its best efforts to comply with Applicable Data Protection Laws. The Data Processor shall implement appropriate technical and organizational measures to ensure that its processing activities meet the requirements of Applicable Data Protection Laws and safeguard the rights of Data Subjects.
3. CONTROLLER’S DATA PROCESSING INSTRUCTIONS
3.1. The Data Processor shall process Personal Data exclusively based on documented instructions from the Data Controller, including instructions related to transfers of Data to third countries or international organizations. Unless required by the Applicable Data Protection Laws, the Data Processor shall not process Personal Data without such instructions.
3.2. The Data Processor shall promptly notify the Data Controller if there are no instructions for the Processing of Data in a specific situation or if the instructions violate this Data Processing Agreement or the Applicable Data Protection Laws. The Data Processor shall refrain from any actions that could cause the Data Controller to violate the Applicable Data Protection Laws.
3.3. The Data Controller authorizes the Data Processor to enter into agreements with Sub-processors on its behalf to fulfill the Data Processor's obligations under this Data Processing Agreement. The Data Processor shall maintain a current list of Sub-processors used for this purpose. Upon written request, the Data Controller may obtain a copy of this list to review the Sub-processors currently engaged by the Data Processor.
3.4. The Data Controller's instructions to the Data Processor, specifying the subject matter, duration, nature, and purpose of the processing, as well as the types of Data and categories of Data subjects, are as follows:
Term
Definition
Subject Matter
Provision of Scraper API and Site Unblocker services (hereinafter – Services) to the Data Controller
Nature and Purpose of the Processing
The Data Processor will process Personal Data solely for the purpose of delivering Services and any related services (if any), as outlined in the Data Processing Agreement
Categories of Data Subjects
Individuals whose Personal Data is processed by the Data Controller when utilizing Services and related services (if any)
Types of Personal Data
Data pertaining to individuals that the Data Controller processes when using Services and related services (if any)
Duration of Processing
Throughout the Data Controller's use of Services and related services (if any)
4. DATA SECURITY
4.1. The Data Processor shall safeguard Personal Data against destruction, modification, unauthorized dissemination, unlawful access, and all other forms of unlawful processing. Considering the state of the art, implementation costs, and the nature, scope, context, and purpose of the processing, the Data Processor shall implement appropriate technical and organizational measures to mitigate risks to individuals' rights and freedoms.
4.2. Without the Data Controller's prior written consent, the Data Processor shall not disclose or make Personal Data processed under this Data Processing Agreement available to any third party, except for Sub-processors engaged in accordance with this Data Processing Agreement.
4.3. The Data Processor shall restrict access to Personal Data to only those employees who require it to perform their direct work functions under this Data Processing Agreement. These employees shall be subject to confidentiality obligations equivalent to those imposed on the Data Processor.
4.4. The Data Processor shall promptly notify the Data Controller of any accidental or unauthorized access to Personal Data or other security incidents (Personal Data breaches), taking all necessary actions to assist in addressing the situation.
5. COORDINATION
5.1. The Data Processor shall reasonably assist the Data Controller in fulfilling its legal obligations under the Applicable Data Protection Laws, including but not limited to the Data Controller's obligation to respond to data subjects' requests for information, correction, blocking, or erasure of Personal Data.
5.2. For any requests made by data subjects, competent authorities, or any other third parties to the Data Processor regarding the processing of Personal Data covered by this Data Processing Agreement, the Data Processor shall promptly refer such requests to the Data Controller.
5.3. As agreed by the Parties, the Data Controller shall be entitled to take reasonable measures, in its capacity as the data controller, to verify that the Data Processor is able to comply with its obligations under this Data Processing Agreement and that the Data Processor has implemented necessary measures to ensure such compliance.
5.4. As agreed by the Parties and to the reasonable extent, the Data Processor shall assist the Data Controller in data protection impact assessments, prior consultations, and other communications with data protection authorities.
6. FINAL PROVISIONS
6.1. Unless otherwise defined in this Data Processing Agreement, all terms used herein shall have the same meaning as ascribed to them in the Agreement.
6.2. The provisions of this Data Processing Agreement shall apply during the period in which the Data Processor processes Personal Data for which the Data Controller is the data controller.
6.3. Upon termination of this Data Processing Agreement, the Data Processor shall, as directed by the Data Controller, either delete or return all Personal Data to the Data Controller and ensure that any Sub-processors do the same.
6.4. This Data Processing Agreement shall be an integral component of the Agreement. Any matters not expressly governed by this Data Processing Agreement shall be subject to the provisions of the Agreement.