Data Processing Addendum
Purpose and use of data
EuroVPS will always describe the nature and purpose of any data collection, processing or use to the parties affected by the collection, processing or otherwise use of that data. In the case of a client relationship, the use of data will be described in accordance with the Data Protection Agreement between EuroVPS and the Client.
The processing of any data will only take place within an EU member state or any other member state that is a part of the GDPR agreement in the European Economic Area. Any transfer of the data to any other state will require the prior consent of those persons/organisations connected to that data and will only take place if the Special Conditions as defined in Article 44 (and similar articles) of the GDPR are met.
Along with complying to all the provisions that we state here, we'll also comply with the statutory obligations in accordance with Articles 28 to 33 of the GDPR. We'll ensure specific compliance with the following requirements:
A Head of Data Protection is appointed to the role of Data Protection Officer. We'll immediately notify the persons concerned of any change in this role. The Data Protection Officer's details will easily be accessible on our website.
We'll stick to strict confidentiality protocols and ensure that only certain employees will be given access to the data collection process. These employees will already meet confidentiality requirements and will be familiar with the security of data protection. Anyone who has access to personal data will only be able to process that data in accordance with the instructions of the persons affected by the use of that data (including those set out in this document), unless otherwise required to do so by law.
When required, the persons/organisations whose data we collect, process or otherwise use, may be required to cooperate with a Supervisory Authority. We may also be required to cooperate with them upon request.
Those persons/organisations will be immediately informed of any inspections or measures taken by the Supervisory Authority when they relate to the collection, processing or otherwise use of their data. This applies if we're under investigation for any infringements regarding the processing of personal data.
If any of our Clients are the subject of an inspection by the Supervisory Authority with regards to an offence or criminal procedure or the claim of an affected party - we'll make every effort to support them to the best of our ability.
We'll regularly monitor all internal processes along with technical and organizational measures to ensure that everything complies to any applicable data protection law and that the rights of all affected parties are protected.
Documentation to verify the measures we’ve taken in this regard will be made available to all concerned parties upon request.
Technical and organizational measures in accordance with Article 32 of the GDPR
Prior to the commencement of any service that requires the collection/processing of any data, we’ll present the technical and organisational measures put in place to protect that data to the persons concerned. Any further use of that data will be restricted to the purposes that are agreed upon between EuroVPS and the concerned party and those measures and purposes will form an integral part of the terms of service binding EuroVPS and the concerned party. Any modifications to those measures or purposes will only be discussed and put into effect after a mutual agreement between EuroVPS and the concerned party.
We’ll take the necessary security measures in accordance with all relevant articles of the GDPR articles. All measures will guarantee a level of data protection that is appropriate to the level of risk in each situation specifically with regards to the confidentiality, integrity, availability and the resilience of the systems in place. Considerations of these measures will take into account the cost of implementation, scope and purpose of the data collected, the state of technology, and the potential risk to the rights and freedoms of an individual/organisation and their data.
We may further develop the technical and organisational measures that we’ve taken to protect the data we collect, including the implementation of alternative measures provided they do not compromise the safety levels of the technical and organisational measures in place. All substantial changes will be documented.
Correction, restriction and deletion of data
We are not entitled to delete or restrict the processing of data on behalf of third parties. If we are contacted regarding a data collection issue, we’ll forward them to the concerned party immediately.
We will carry out any request with regards to the “right to be forgotten,” deletion policies, data correction, portability, and disclosure without delay.
In general we do not distribute the data we collect to any third parties, but in the event that we use an outsourced service that may have access to such data, we will make legally binding contractual arrangements and implement necessary measures to guarantee the protection and security of the data we have collected.
The persons/organisations whose data we have collected will have the right to implement inspections after consulting with us, or to have inspections implemented by inspectors in specific individual cases. They will have the right to verify compliance with this document by using spot inspections which will need to be announced within a reasonable amount of time.
We will ensure that our compliance with the obligations set out under Article 28 of the GDPR can be verified. We will provide the concerned persons/organisations with relevant information upon request, along with documentation of the implementation of technical and organisational measures in place to protect their data.
Documentation of the measures which concern (but are not limited to) the relationship with the person/organisation whose data we collect may be provided in compliance with the approved codes of conduct and certifications set out in the relevant GDPR articles. Documentation may also be provided with regards to reports, including those carried out by independent bodies (such as a Data Protection Officer, IT security department, quality auditor, etc.) along with suitable certification by an IT security department or a data protection audit.
We may require additional fees in order to support an inspection and to fund the provision of documentation and/or certifications.
Communication in the case of infringement
We will comply with our obligations related to personal data security and any requirements for data breaches, impact assessments and prior consultations referred to in Articles 32 - 36 of the GDPR.
These obligations include:
- Ensuring sufficient protection levels with the technical and organisational measures that take into account the various circumstances and purposes of data processing along with the likelihood and severity of any potential breaches of the law due to security vulnerabilities. Measures will also be put in place to detect any breaches of the law as quickly as possible.
- We will immediately report any observed violations of personal data to the concerned parties.
- Where applicable, we will assist the concerned parties with their own obligations to provide information to affected parties. We will also remind the concerned parties of their obligations in this scenario.
- We will assist the concerned parties with their data protection impact assessment.
- We will assist concerned parties prior to their consultation with the supervisory authority.
- We may charge a fee for the provision of support in this regard which is not included the support services we normally offer our clients and which are not required as a result of our own failures.
The issuance of instructions
Any instructions given to us by concerned parties are to be confirmed immediately by the said party in writing.
We will inform a concerned party immediately if we believe that an instruction given violates data protection regulation. We will then be permitted to suspend the execution of any such instruction until the instruction has been modified in such a way that it can be deemed compliant with data protection regulations.
Deletion and return of personal data
We will not create any copies or duplicates of personal data without the prior knowledge of the persons/organisations whose data we collect except with regards to backup copies that are required to ensure proper data processing and with regards to the data required to comply with various statutory obligations.
We will destroy all documents and data sets related to a particular person/organisation in accordance with the data protection law after the conclusion of the service relationship with that person/organisation or upon request of that person/organisation. We will also provide the person/organisation with any information relevant to the nature and time of the deletion of that data.
We will retain any documentation that can prove that the handling of data was processed in a correct manner after the conclusion of the service relationship in accordance with the respective retention periods. We may be absolved of this duty by handing over any such documentation to the concerned parties at the conclusion of the service relationship.