Consentio Platform, S.L. (hereinafter “Consentio”, the “Data Processor” or the “Processor”) is the owner of the website https://www.consentio.co/, the website https://es.consentio.co/, and the app https://webapp.consentio.co/.
This Data Processing Addendum (“DPA”) complements the Consentio Terms and Conditions (available at https://www.consentio.co/legal/terms-condtions), and is part of the agreement between Consentio and the entity you represent (hereinafter, the "Company" or “Data Controller” or “Controller”).
The terms “Data Controller”, “Data Processor”, “Data Subject”, “Member State”, “Personal Data”, “Processing” and “Supervisory Authority” shall have the same meaning as in the General Data Protection Regulation 679/2016 (“GDPR”).
2. OBJECT AND TERM
This DPA regulates the processing of Personal Data by Consentio, under the Consentio Terms and Conditions, with respect to data under the responsibility of the Company. The duration of such processing shall be the period during which the Parties perform their applicable obligations under the Terms and Conditions.
3. DATA PROTECTION LAWS COMPLIANCE
Each Party shall comply with all applicable laws relating to privacy and data protection, including the GDPR, the EU Privacy and Electronic Communications Directive (2002/58/EC) as implemented in each jurisdiction, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).
4. DATA ACCESSED AND PURPOSE OF THE PROCESSING
Consentio may have access to the type of personal data (“Data Controller Personal Data”) and the categories of Data Subjects described below in Appendix I. Consentio may have access to such personal data only for the purposes described in Appendix I.
5. RIGHTS AND RESPONSIBILITIES OF CONSENTIO AS THE DATA PROCESSOR
As established in the GDPR, Consentio, as Data Processor, shall:
a) Process Data Controller Personal Data only on the basis of documented instructions from the Data Controller, including transfers of Data Controller Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law.
b) Ensure that all the persons authorised to process Data Controller Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality.
c) Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing, including:
1. The pseudonymisation and encryption of Data Controller Personal Data;
2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. The ability to restore the availability and access to Data Controller Personal Data in a timely manner in the event of a physical or technical incident;
4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
d) Not have recourse to another Data Processor, with the exceptions described in clauses 7 and 8.
e) Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects.
f) Assist the Data Controller in ensuring that it complies with its obligations, taking into account the nature of the processing and the information that is available to the Data Processor.
g) At the choice of the Data Controller, either destroy or return all Data Controller Personal Data once the processing services have been completed and destroy any existing copies unless the retention of such Personal Data is required under Union or applicable Member State law.
h) Make available to the Data Controller all information necessary to demonstrate compliance with the obligations established herein, as well as allow and contribute to the performance of audits, including inspections, by the Data Controller or other auditors authorised by the Data Controller.
i) Process Data Controller Personal Data placed at the disposal of the Data Processor in a way that ensures that the personnel in charge follow the instructions of the Data Controller.
j) Ensure that the Consentio Data Protection Officer is involved in an adequate and timely manner in all matters relating to the protection of Data Controller Personal Data.
k) Adhere to a relevant Code of Conduct that is approved by the Commission or other competent authority, if applicable.
l) Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject and/or in a non-occasional manner, or which involves the processing of special categories of data and/or data relating to convictions and infractions.
6. DATA SUBJECT'S EXERCISE OF THEIR RIGHTS
If a Data Subject addresses a request or exercises any of the rights established in the Data Protection Laws, the Controller and/or the Processor must provide the information requested and perform any required actions without delay and, at the latest, within one month from receiving the request. This period may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.
Similarly, in the event that the Data Controller and/or the Processor does not proceed with the request of the Data Subject, it shall, without delay and no later than one month after receipt of the request, provide the Data Subject with the reasons why it has not acted and inform the Data Subject of the right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.
Consentio, as Data Processor of the Data Controller’s Personal Data, may not under any circumstances sub-license its services to another Sub-processor. In the event that such subcontracting is necessary, Consentio must have the written authorization of the Data Controller, and the Sub-processor must state the purpose and objectives of the subcontracting as well as the identification of the Sub-processor.
8. INTERNATIONAL TRANSFER OF DATA CONTROLLER PERSONAL DATA
No international transfer of Data Controller Personal Data may be performed, with the exception of transfers to the international sub-processors described in clause 7, in which case Consentio will regulate the contractual relationship by an agreement signed with each of them, with the appropriate contractual safeguard attached as Appendix II, as prescribed under Data Protection Laws. Any international transfer to sub-contractors must be previously approved by the Data Controller by written authorization.
9. SECURITY BREACH
Insofar as there exists an instruction from a competent Supervisory Authority, a development of national legislation or a delegated act, in the event of a security breach of the Data Controller Personal Data, the Data Processor shall notify the Data Controller of such breach without undue delay and, if possible, no later than 24 hours after it happened.
10. TERMINATION, RESOLUTION AND EXPIRATION
In the event of termination, resolution or expiration of the Agreement, the Processor shall not keep the Data Controller Personal Data unless otherwise legally required to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, the Processor shall destroy or return to the Data Processor all Data Controller Personal Data and any copy of it, as well as any support or other document containing any Data Controller Personal Data.
In accordance with the provisions set out herein and in the GDPR, Consentio may access and process the type and category of Personal Data provided by the Data Controller set out hereunder (Data Controller Personal Data):
Nature of processing:
Purpose of processing: Processing necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject.