
Privacy Policy

This Agreement on Customer Data Processing (DPA) reflects the requirements of the European Data Protection Regulation (GDPR), which will enter into force on 25 May 2018. The products and services of the Romanian Shiatsu Association offered within the European Union comply with the GDPR, and this DPA provides you with the necessary documentation of this compliance.

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service (“Agreement”) between the Romanian Shiatsu Association and the Client. All capitalized terms not defined in this DPA have the meaning given to them in the Agreement. The Customer enters into this DPA in its own name and, to the extent required by the Data Protection Laws, on behalf of and representing its Authorized Subsidiaries (defined below).

The Parties agree as follows:
1. Definitions

“Subsidiary” means an entity that controls, is controlled by or is under joint control with an entity, directly or indirectly.

“Authorized Subsidiary” means any of the Customer’s Subsidiaries that is permitted to use, or is otherwise the recipient of, the Services under the Agreement.

“Control” means the right of ownership, voting or other similar rights, representing fifty per cent (50%) or more of the total outstanding debts of that entity. The term “Controlled” will be interpreted accordingly.

“Controller” means an entity that determines the purposes and means of processing Personal Data.

“Customer Data” means any data that the Romanian Shiatsu Association and/or its Subsidiaries process on behalf of the Customer in the course of providing the Services in accordance with the Agreement.

“Data Protection Laws” means all laws and regulations on the protection and confidentiality of data applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.

“EU Data Protection Law” means (i) before May 25, 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”) and, on and after May 25, 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC on personal data and privacy protection in the electronic communications sector and its applicable national implementations (in each case as amended or replaced).

“Personal Data” means any Customer Data relating to an identified or identifiable individual, to the extent that such information is protected as personal data under the applicable Data Protection Laws.

“Privacy Protection” means the EU-US and Swiss-US Privacy Protection Frameworks, as applied by the U.S. Department of Commerce.

“Privacy Principles” means the Principles of the Privacy Protection Framework (as supplemented by the Supplemental Principles) contained in Annex II of the European Commission Decision of July 12, 2016, adopted in accordance with the Directive, details of which can be found at www.privacyshield.gov/I-us-framework.

“Processor” means an entity that processes personal data on behalf of the Controller.

“Processing” has the meaning given to it in the GDPR, and “process”, “processes” and “processed” will be interpreted accordingly.

“Security Incident” means any breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data.

“Services” means any product or service provided by the Romanian Shiatsu Association to the Customer in accordance with, and as described in more detail in, the Agreement.

“Sub-processor” means any Processor engaged by the Romanian Shiatsu Association or its Subsidiaries to assist in fulfilling its obligations regarding the provision of the Services under the Agreement or this DPA. Sub-processors may include third parties or any Subsidiary of the Romanian Shiatsu Association.

2. Scope and applicability of this DPA

2.1 This DPA applies only to the extent that the Romanian Shiatsu Association processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their Member States, Switzerland and/or the United Kingdom. The Parties agree to abide by the terms and conditions of this DPA in relation to such Personal Data.

2.2 Role of the Parties. As between the Romanian Shiatsu Association and the Client, the Customer is the Controller of the Personal Data, and the Romanian Shiatsu Association will process the Personal Data only as a Processor on behalf of the Client. Nothing in the Agreement or this DPA will prevent the Romanian Shiatsu Association from using or disclosing any data that the Romanian Shiatsu Association otherwise collects and processes independently of the Customer’s use of the Services.

2.3 Obligations of the Client. The Customer agrees (i) to comply with its obligations as Controller under the Data Protection Laws in respect of the processing of Personal Data and of all processing instructions it issues to the Romanian Shiatsu Association; and (ii) that it has provided all notices and obtained (or will obtain) all consents and rights required under the Data Protection Laws for the Romanian Shiatsu Association to process the Personal Data and provide the Services under the Agreement and this DPA.

2.4 Data Processing by the Romanian Shiatsu Association. In its capacity as Processor, the Romanian Shiatsu Association will process Personal Data only for the following purposes: (i) processing for the purpose of providing the Services in accordance with the Agreement; (ii) processing for the purpose of performing any steps necessary for the implementation of the Agreement; and (iii) compliance with any other reasonable instructions provided by the Customer insofar as they are consistent with the terms of the Agreement, and only in accordance with the Customer’s lawful and documented instructions. The Parties agree that this DPA and the Agreement set out the Client’s complete and final instructions to the Romanian Shiatsu Association in relation to the processing of Personal Data, and that processing beyond the scope of these instructions (if any) will require prior written agreement between the Client and the Romanian Shiatsu Association.

2.5 Type of Data. The Romanian Shiatsu Association processes Customer Data provided by the Client. Such Customer Data may contain special categories of data, depending on how the Customer uses the Services. Customer Data may be subject to the following processing activities: (i) storage and other types of processing required to provide, maintain and improve the Services provided to the Customer; (ii) providing technical support and assistance to the Client; and (iii) disclosure in accordance with legal requirements or as otherwise set forth in the Agreement.

2.6 Data of the Romanian Shiatsu Association. Without prejudice to the provisions of the Agreement (including this DPA), the Customer acknowledges that the Romanian Shiatsu Association will have the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for purposes such as billing, account management, technical support, product development and sales or marketing. To the extent that any such data is considered personal data under the Data Protection Laws, the Romanian Shiatsu Association is the Controller of such data and will process it accordingly, in compliance with the Data Protection Laws.

3. Sub-processing

3.1 Authorized Sub-processors. The Customer agrees that the Romanian Shiatsu Association may engage Sub-processors to process Personal Data on behalf of the Client. The Sub-processors currently engaged by the Romanian Shiatsu Association and authorized by the Customer are listed in Appendix A.

3.2 Obligations of Sub-processors. The Romanian Shiatsu Association will: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Personal Data to the standard required by the Data Protection Laws; and (ii) remain responsible for compliance with the obligations of this DPA and for any act or omission of the Sub-processor that causes the Romanian Shiatsu Association to breach any of its obligations under this DPA.

3.3 Changes to Sub-processors. The Romanian Shiatsu Association will inform the Customer sufficiently in advance (notice by email is sufficient) if it adds or removes Sub-processors.

3.4 Objections to Sub-processors. The Customer may object in writing to the appointment of a new Sub-processor by the Romanian Shiatsu Association on reasonable data protection grounds, by promptly informing the Romanian Shiatsu Association in writing within five (5) calendar days of receipt of the notification from the Romanian Shiatsu Association under Section 3.3. Such notice will explain the reasonable grounds for the objection. In such a case, the Parties will discuss these concerns in good faith in order to reach a commercially reasonable solution. If this is not possible, either Party may terminate the provision of the applicable Services that cannot be provided by the Romanian Shiatsu Association without the involvement of the new Sub-processor that has been objected to.

4. Security

4.1 Security Measures. The Romanian Shiatsu Association will implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents and to preserve the security and confidentiality of Personal Data, in accordance with the security standards of the Romanian Shiatsu Association described in Appendix B (“Security Measures”).

4.2 Confidentiality of Processing. The Romanian Shiatsu Association will ensure that any person authorized by the Romanian Shiatsu Association to process Personal Data (including its employees, agents and subcontractors) is subject to an appropriate obligation of confidentiality (whether contractual or statutory).

4.3 Response to a Security Incident. Upon becoming aware of a Security Incident, the Romanian Shiatsu Association will inform the Client without undue delay and will provide timely information about the Security Incident as it becomes known to the Romanian Shiatsu Association or as reasonably requested by the Customer.

4.4 Updates to Security Measures. The Customer acknowledges that the Security Measures are subject to technical progress and development and that the Romanian Shiatsu Association may modify or update the Security Measures from time to time, provided that such updates or modifications do not result in a degradation of the overall security of the Services purchased by the Client.

5. Security Reports and Auditing

5.1 The Romanian Shiatsu Association will keep records of its security standards. At the written request of the Client, the Romanian Shiatsu Association will provide (on a confidential basis) copies of relevant ISMS external certifications, summaries of audit reports and/or other documents reasonably requested by the Client to verify the Romanian Shiatsu Association’s compliance with this DPA. The Romanian Shiatsu Association will also provide written responses (on a confidential basis) to all reasonable requests for information made by the Client, including responses to information security questionnaires and audits that the Customer reasonably deems necessary to confirm that the Romanian Shiatsu Association complies with this DPA, provided that the Customer does not exercise this right more than once a year.

6. International Transfers

6.1 Processing Locations. The Romanian Shiatsu Association stores and processes EU Data (defined below) in data centers located within and outside the European Union. All other Customer Data may be transferred to and processed in Romania and anywhere else in the world where the Customer, its Subsidiaries and/or its Sub-processors maintain data processing operations. The Romanian Shiatsu Association will implement appropriate safeguards to protect Personal Data wherever it is processed, in accordance with the requirements of the Data Protection Laws.

6.2 Transfer Mechanism. Without prejudice to Section 6.1, to the extent that the Romanian Shiatsu Association processes or transfers (directly or by onward transfer) Personal Data under this DPA from the European Union, the European Economic Area and/or their Member States and Switzerland (“EU Data”) to countries that do not provide an adequate level of data protection within the meaning of the applicable Data Protection Laws of those territories, the Parties agree that the Romanian Shiatsu Association shall be considered responsible for ensuring appropriate safeguards for such data by virtue of its compliance with Privacy Protection, and the Romanian Shiatsu Association will process such data in accordance with the Privacy Principles. The Customer hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU, subject to any of these measures having been adopted.

7. Return or Delete Data

7.1 Upon deactivation of the Services, all Personal Data will be deleted, unless the Romanian Shiatsu Association is required by applicable law to retain some or all of the Personal Data, or unless the Personal Data has been archived on back-up systems, in which case the Romanian Shiatsu Association will securely isolate it and protect it from any further processing, except where the law requires otherwise.

8. Cooperation

8.1 Insofar as the Customer cannot independently access the relevant Personal Data within the Services, the Romanian Shiatsu Association will, taking into account the nature of the processing, provide reasonable cooperation (at the Client’s expense) to assist the Customer, by appropriate technical and organizational measures and to the extent possible, in responding to any requests from data subjects or data protection authorities in connection with the processing of Personal Data under the Agreement. If any such request is made directly to the Romanian Shiatsu Association, the Romanian Shiatsu Association will not respond directly to such communication without the Client’s prior authorization, unless it is legally obliged to do so. If the Romanian Shiatsu Association is required to respond to such a request, the Romanian Shiatsu Association will promptly inform the Client and provide a copy of the request, unless it is prohibited by law from doing so.

8.2 To the extent required of the Romanian Shiatsu Association under the Data Protection Laws, the Romanian Shiatsu Association shall provide (at the Client’s expense) the reasonably requested information regarding the Romanian Shiatsu Association’s processing of Personal Data under the Agreement, in order to allow the Customer to carry out data protection impact assessments or prior consultations with data protection authorities, as required by law.

9. Miscellaneous

9.1 Except as modified by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict.

9.2 This DPA is part of and is incorporated into the Agreement so that the references to “Agreement” in the Agreement will include this DPA.

9.3 In no event shall either Party limit its liability with respect to the data protection rights of data subjects under this DPA or otherwise.

9.4 This DPA will be governed and construed in accordance with the applicable law and applicable jurisdiction of the Agreement, unless otherwise required by the Data Protection Laws.