AGREEMENT BETWEEN DATA CONTROLLER AND DATA PROCESSOR
This “Agreement” is governed by the provisions set out in the Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation or “RGPD”).
1. Object of the assignment to data processing
Under the present Agreement, Mr./Ms. -Sotiria Koumpouli- with professional license number -29400- is designated as “Processor” to processing on behalf of Advocate Abroad S.L., as “Controller”, the protected personal data, the “Data”, from the “Client” which is necessary for the provision of the advisory and consultancy services, as well as the legal assistance and defense and / or representation before the relevant Court, Tribunal or pertinent public entity, referred as the “Services”.
2. Identification of the relevant information
For the fulfillment of the object of this assignment, the Controller makes available to the Processor, the following information from the Client (who will be provided the services described in point 1 above):
⦁ Identifying data of the Client: name and surname.
⦁ Client contact information: email and telephone.
⦁ Literal transcription of the enquiry submitted by the Client, which may reflect identifying data.
The Processor may collect directly from the Client the personal data strictly necessary to carry out its Services, provided that such collection is condition sine qua non for the provision of those Services. The Processor will observe the special rules contained in the arts. 9 and 10 RGPD.
The Controller shall accordingly obtain the consent of Client to process its personal data, pursuant to arts. 6, 7 and 8 RGPD.
The duration of this Agreement will be set according to the whole duration of the Service provided by the Processor, as well as to the duration determined by the legislation in force so as to deal with any eventual administrative or jurisdictional responsibilities. When the Agreement is concluded, the Processor should return the Data to the Controller and delete any copy that is in its possession, as provided in point 4 of this Agreement.
4. Processor obligations
The processor and all its personnel are obliged to:
a) Use the Data provided by the Controller, or the Data which is directly collected, only for the purpose of the assignment, being consequently any external professional use expressly forbidden. In the event that the Processor so did, it would be considered Controller for such processing responding to the infractions in which it might incur and expressly exempting the Controller under this Agreement from any legal liability arising from such action.
b) Process the personal data in accordance with the instructions received by the Controller. If the Processor considers any of the instructions received may be in breach of the applicable RGPD or any other data protection provision of the European Union or any of its Member States, the Processor shall immediately inform the Controller.
c) Keep, in writing, a record of all categories of treatment activities carried out on behalf of the Controller, which may contain:
⦁ The name and contact information of every party involved in the Data processing.
⦁ The Data processing categories held when carrying out its duties.
⦁ The Data transfer register to a third country or international organisation, where appropriate, under the conditions of the Chapter V GDPR including the identification of such third country or international organisation.
⦁ A general description of the technical and organizational security measures related to:
i. Pseudonymization and encryption of Data.
ii. The capability to guarantee the confidentiality, integrity, availability and permanent resilience of Data processing systems and services.
iii. The capability to retrieve and access Data promptly, in the event of a physical or technical incident.
iv. The verification, evaluation and assessment process to ensure the technical and organizational measures are adequate and sufficient to ensure the Data processing security.
d) Not communicate the Data to third parties, unless expressly authorised by the Controller or in some circumstances foreseen by the applicable Law. The Controller can transfer the Data to another Processor under the scope of the Controller when instructed by the Controller. In this case, the Controller will identify, in advance and in writing, the recipient, the personal data to be transferred, and the security measures to be taken. When transferring data to a third country or an international organization, specific rules from Chapter V GDPR are to be observed.
e) Not subcontract any of the Services which consequently involve the processing of Data, except for those auxiliary services required to assist the Processor throughout the duration of this Agreement. If so, this should be communicated in writing to the Controller, at least 7 working days in advance, indicating the object of the subcontract and clearly and unambiguously identifying the subcontractor company and its contact information. The subcontractor, who will also have the status of Processor, is also bound by the obligations set out in this Agreement and the instructions received by the Controller. The Processor shall regulate the sub-contract working relationship so that the subcontractor is subject to meet the same conditions (instructions, obligations, security measures …) as the Processor, in particular concerning the Data processing and the fundamental rights of those involved. The Processor remains fully responsible of the subcontractor activity and Data protection compliance towards the Controller.
f) Maintain the confidentiality duty in relation to the Data accessed under this Agreement, even after the end of its duration.
g) Supervise that its personnel undertake, expressly and in writing, to keep the Data confidential and to comply with the corresponding security measures, of which they must be informed accordingly.
h) Keep records of its obligations compliance under this Agreement and make them available when requested by the Controller.
i) Train and support its personnel regarding Data protection.
j) Assist the Controller when notifying responses of the following rights requests:
⦁ Access, rectification, deletion and opposition
⦁ Limitation of treatment
⦁ Data portability
⦁ Not subject to automated individualized decisions (including profiling)
The Processor should resolve, supervised by the Controller, and within the allocated legal period, the requests to exercise the rights of access, rectification, suppression and opposition, limitation of the treatment, portability of data and not to be subject to automated individualized decisions, in relation to the claimant Client.
k) Notify the Controller, with no undue delay, and in any case by the maximum period of 72 hours, via email or by telephone, any Data security breaches of its awareness, alongside the provision of any relevant supportive information or records. This obligation applies unless a breach of security unlikely constitutes a risk to the rights and freedom of natural persons.
Whether appropriate, the following information is to be provided:
⦁ Description of the Data breach nature, including, when possible, the categories and the estimated number of interested parties and Data records involved.
⦁ The name and contact details of the Data Protection Officer or other designated contact from whom further information can be obtained.
⦁ Description of any eventual consequences of the Data security breach.
⦁ Description of the adopted or proposed measures to solve the Data security breach including, if applicable, those aimed to mitigate any possible negative effects.
Whether not possible to provide all the information above simultaneously, that will be provided gradually without undue delay.
l) Support the Controller when carrying out Privacy Impact Assessments, when appropriate.
m) Assist the Controller in reporting previous consultations at the Supervisory Authority, when appropriate.
n) Provide the Controller with all the necessary information so as to demonstrate compliance with its obligations, as well as to carry out audits or inspections to be held by the Controller or other authorised agent.
o) Implement the necessary security measures with the aim of:
⦁ Guaranteeing the confidentiality, integrity, availability and permanent resilience of the Data processing systems and services.
⦁ Retrieving and accessing Data promptly, in case of physical or technical incident.
⦁ Verifying, evaluating and assessing, on a regular basis, the effectiveness of the technical and organizational measures implemented to guarantee the Data processing security.
⦁ Pseudonymizing and encrypting Data, if applicable.
p) Return to the Controller the Data processed once the Service has been completed. This return should demonstrate the total erasure of the existing Data saved in the Processor equipment. However, the Processor may keep a copy of the Data duly blocked, so as to attend to any resulting legal liabilities from the Services provided.
5. Controller obligations
The Controller of the Data processing is obliged to:
a) Obtain the consent of the Client, who is the personal data subject, in order to legally justify its Data processing as stipulated in point 2 of this Agreement, as well as to provide the right to information when collecting the Data.
b) Deliver the Data referred to in clause 2 of this Agreement to the Processor.
c) Access the Data either directly provided or collected by the Processor solely for review and translation purposes when requested by the Processor.
d) Offer commercial advice to the Clients.
e) Not use the Data for a purpose other than which is contained in this Agreement neither transfer nor assign the Data to any third party.
f) Implement and adopt the relevant security measures pursuant to art. 32 RGDP.
g) Carry out a Privacy Impact Assessment when appropriate.
h) Report any previous consultation to the competent Supervisory Authority.
i) Ensure that the Controller complies with the requirements set out in the GDPR.
j) Supervise Data processing, including the performance of inspections and audits.
In Athens on Jun 05 2020
Signed Mr. Stephen McGrath Signed Sotiria Koumpouli
(Advocate Abroad SL) (The “Processor”)
Title Data Protection Agreement
File Name DP-English.pdf
Document ID 0cf3590aa6d747d7b1d12e823ca2d887 Fingerprint 0b2297fe26a87eccc4b9671b5da25539 Status Completed
Jun 05 2020
Document Document Sent to Sotiria Koumpouli (firstname.lastname@example.org)
Jun 05 2020
Document Signed by Sotiria Koumpouli (email@example.com)
Jun 05 2020
This document has been completed.
Jun 05 2020