Privacy
Processing of personal data
With regard to any information relating to an identified or identifiable natural person (“personal data”), the following provisions shall apply, if and when Electude processes such personal data on behalf of any person or entity which alone or jointly with others, determines the purposes and means of the processing of such personal data.
Electude:
- shall process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which Electude is subject; in such a case, Electude shall inform the Controller of that legal requirement before processing the personal data, unless that law prohibits such information on important grounds of public interest;
- ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- takes all measures required to ensure a level of security appropriate to the risk of processing the personal data pursuant to applicable data protection laws and regulations;
- assists the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the identified or identifiable natural persons’ rights;
- assists the Controller in ensuring compliance with the applicable data protection laws and regulations taking into account the nature of processing and the information available to Electude;
- returns or deletes, at the choice of the Controller, all the personal data after the end of the provision of services relating to processing the personal data, and deletes existing copies unless applicable data protection laws and regulations require storage of the personal data. Specifics of the retention of personal data are set out in Annex 1, which may be amended by Electude from time to time;
- makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the applicable data protection laws and regulations and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The costs of the audit at the Controller’s request are at the Controller’s expense, unless the findings of the audit show that Electude has failed to comply with the applicable data protection laws and regulations.
Electude and any person acting under authority of the Controller or Electude, who has access to personal data, shall not process data except on instructions from the Controller, unless required to do so by applicable data protection laws and regulations.
The Controller shall comply with applicable data protection laws and regulations. Electude shall immediately inform the Controller if, in the opinion of Electude, an instruction from the Controller infringes applicable data protection laws and regulations.
Electude shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing:
- the name and contact details of each Controller on behalf of which Electude is acting, and, where applicable, of the Controller's or Electude's representative, and the data protection officer;
- the categories of processing of personal data carried out on behalf of each Controller;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in case it is necessary, the documentation of suitable safeguards;
- where possible, a general description of the technical and organizational security measures.
A description of the processing activities and the purposes for processing is set out in Annex 1, which may be amended by Electude from time to time.
Electude may engage another party for carrying out specific processing activities on behalf of the Controller (hereinafter “Sub-processor”) provided that prior general written authorization is given by the Controller. Any engaged Sub-processor is set out in Annex 1, which may be amended by Electude from time to time.
Electude shall impose the same data protection obligations as set out in these Terms on the Sub-processor.
The Controller and Electude shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing of personal data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. A description of the technical and organizational measures is set out in Annex 2, which may be amended by Electude from time to time.
Adherence to an approved code of conduct or an approved certification mechanism as referred to in applicable data protection laws and regulations may be used as an element by which to demonstrate compliance with the requirements as set out in the applicable data protection laws and regulations.
Electude shall notify the Controller without undue delay after becoming aware of a personal data breach.
Electude shall be entitled to transfer personal data freely within the European Union or the European Economic Area in order to render its Products. Unless otherwise agreed in writing, Electude is also entitled to transfer personal data outside the European Union or the European Economic Area in compliance with the applicable data protection laws and regulations. The Controller is entitled to receive information from Electude at any time on the location where personal data is processed.
If personal data is processed outside the European Union or the European Economic Area, all parties involved with the processing of personal data shall ensure for its part that the processing of personal data complies with the applicable data protection laws.