This Data Processing Agreement (the 'DPA') is made and entered into in conjunction with the Terms of Service (the 'ToS Agreement' or 'ToS') by and between the User and Remotek Retail Ltd., effective upon the User’s acceptance of the ToS. The DPA forms an essential component of the ToS, providing specific terms related to data processing. Acceptance of the ToS by the User, indicated by clicking the 'Agree' or similar checkbox on the Company’s website, constitutes acceptance of this DPA.
1. Definitions and Scope
1.1. Definitions
For the purposes of this Agreement:
- "Personal Data" refers to any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Data Subject" means the individual to whom Personal Data relates.
- "Processor" refers to Remotek Retail Ltd., which processes Personal Data on behalf of the Controller.
- "Controller" refers to any client of Remotek Retail Ltd. that owns the Personal Data and determines the purposes and means of processing.
- "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.2. Data Storage Locations
The Processor commits to storing all Personal Data of European clients within data centres located in Europe. This is to ensure compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
The Processor utilizes two service providers for data storage: Hetzner and Amazon Web Services (AWS). Both providers operate data centres based in Europe, and these facilities are used exclusively for the storage of Personal Data from our European clients.
1.3. Data Security in Transit
The Processor ensures that Personal Data transferred between the Controller, the Processor, and any third parties is protected with strong encryption protocols. This includes data in transit to and from Hetzner and Amazon Web Services (AWS) data centres.
1.4. Storage Security and Compliance
The Processor shall ensure that Hetzner and Amazon Web Services (AWS) comply with high standards of data security and adhere to relevant data protection regulations.
1.5. Notification of Changes
The Processor shall notify the Controller of any planned changes concerning the addition or replacement of data storage facilities or service providers. This is to ensure continuous compliance with data protection laws and the terms of this Agreement.
1.6. Scope
- This Agreement applies to the Processing of Personal Data by the Processor, on behalf of the Controller, in accordance with the Controller’s instructions.
- The Processor shall process Personal Data for the purpose of providing tax consultancy and related Software as a Service (SaaS), including but not limited to generating invoices, preparing reports, and fulfilling compliance requirements for VAT returns.
- The Processing activities under this Agreement involve Personal Data which may include, but are not limited to, names, addresses, and other identifiers of the Data Subject, as provided by the Controller in accordance with their use of the Processor’s services.
- The Processor shall process Personal Data in compliance with the requirements of the General Data Protection Regulation (GDPR) and any other applicable data protection laws.
- The Processor acknowledges that the Personal Data may originate from various jurisdictions within Europe, and therefore may be subject to varying data protection and retention requirements.
2. Technical Measures
Encryption: All Personal Data, whether at rest or in transit, shall be encrypted using industry-standard encryption technologies.
Access Control: Measures shall be in place to ensure that access to Personal Data is limited to authorized personnel only. This includes the use of secure passwords, two-factor authentication, and access logging.
3. Purpose of Data Processing
3.1. Service Delivery
The Processor processes Personal Data exclusively for the purpose of delivering its tax consultancy and Software as a Service (SaaS) offerings. This includes the issuance of invoices for every order processed by the Controller’s (Client’s) business.
The generation of invoices is a fundamental step in the service delivery, as it enables the accurate compilation of VAT returns. These VAT returns are subsequently filed with the relevant European jurisdictions, as required by the Controller’s business operations and in compliance with applicable tax laws.
3.2. Compliance and Reporting
The processing of Personal Data, specifically in the form of generating invoices and compiling VAT returns, is essential for ensuring the Controller’s compliance with the varied tax regulations across different European jurisdictions.
This processing activity is also crucial for the preparation of accurate financial reports, facilitating both transparency and compliance in the Controller’s financial and tax obligations.
3.3. Legal Basis for Processing
The Processor undertakes these processing activities under the legal basis of contractual necessity, as the processing is essential for the fulfillment of the service agreement with the Controller.
Additionally, such processing aligns with legal compliance obligations, as it is necessary for the Controller to fulfill its tax reporting and compliance requirements under the law.
4. Data Processing Obligations
4.1. General Obligations of the Processor
The Processor shall process Personal Data in accordance with the terms set forth in this Agreement and in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR).
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2. Principles of Data Processing
The Processor agrees to adhere to the principles relating to the processing of Personal Data under the GDPR, which require that Personal Data shall be:
- Processed lawfully, fairly, and in a transparent manner.
- Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and, where necessary, kept up to date.
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
4.3. Data Security
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing activities, including measures to protect data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
These measures shall include, but are not limited to, encryption of Personal Data during transmission and while at rest, regular security assessments, and using secure methods for data storage and transfer.
4.4. Confidentiality
The Processor ensures that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.5. Subprocessing
The Processor shall not engage another processor (subprocessor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors and give the Controller the opportunity to object to such changes.
4.6. Cooperation and Assistance
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR concerning the security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.
5. Data Subject Rights
5.1. Acknowledgement of Data Subject Rights
The Processor acknowledges the rights of data subjects under the General Data Protection Regulation (GDPR) and other applicable data protection laws. These rights include the right of access, rectification, erasure (‘right to be forgotten’), restriction of processing, data portability, objection to processing, and the right not to be subject to automated decision-making including profiling.
5.2. Assistance to the Controller
The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights under the GDPR. The Processor shall provide timely assistance, considering the nature of the Personal Data and the processing performed.
The Processor shall implement necessary measures and systems to enable and facilitate the Controller’s response to such requests from data subjects.
5.3. Direct Requests from Data Subjects
In the event a data subject contacts the Processor directly regarding their Personal Data, the Processor shall promptly forward such requests to the Controller without responding to the data subject, unless otherwise instructed by the Controller or required by law.
The Processor shall not disclose any Personal Data to a data subject without the explicit instruction or authorization from the Controller, except as required by law.
5.4. Record of Requests
The Processor shall maintain a record of all requests received from data subjects and the actions taken in response. This record will be provided to the Controller upon request, ensuring transparency and accountability in processing activities.
5.5. Training and Awareness
The Processor shall ensure that its employees and any other personnel involved in the processing of Personal Data are adequately trained and aware of the rights of data subjects. This includes training on how to identify a data subject request and the procedure for forwarding such requests to the Controller.
6. Data Transfer and Storage
6.1. Data Storage Locations
The Processor commits to storing all Personal Data of European clients within data centres located in Europe. This is to ensure compliance with the General Data Protection Regulation (GDPR) and other relevant data protection laws.
The Processor utilizes two service providers for data storage: Hetzner and Amazon Web Services (AWS). Both providers operate data centres based in Europe, and these facilities are used exclusively for the storage of Personal Data from our European clients.
6.2. Data Transfer
Any transfer of Personal Data outside the European Economic Area (EEA) shall be conducted in compliance with the provisions of the GDPR and other applicable data protection laws. Such transfers shall only occur under necessary circumstances and with appropriate safeguards in place.
In cases where data transfer is required, the Processor shall implement standard contractual clauses, as approved by the European Commission, or rely on other suitable GDPR-compliant mechanisms to ensure an adequate level of data protection.
6.3. Data Security in Transit
The Processor ensures that Personal Data transferred between the Controller, the Processor, and any third parties is protected with strong encryption protocols. This includes data in transit to and from Hetzner and Amazon Web Services (AWS) data centres.
6.4. Storage Security and Compliance
The Processor shall ensure that Hetzner and Amazon Web Services (AWS) comply with high standards of data security and adhere to relevant data protection regulations.
Regular audits and assessments shall be conducted to verify the compliance and security standards of Hetzner and AWS, ensuring that they align with the Processor’s obligations under the GDPR and this Agreement.
6.5. Notification of Changes
The Processor shall notify the Controller of any planned changes concerning the addition or replacement of data storage facilities or service providers. This is to ensure continuous compliance with data protection laws and the terms of this Agreement.
7. Security Measures
7.1. Implementation of Security Measures
The Processor shall implement and maintain comprehensive technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These measures shall be appropriate to the risk associated with the processing activities and the nature of the data being processed.
7.2. Technical Measures
Encryption: All Personal Data, whether at rest or in transit, shall be encrypted using industry-standard encryption technologies.
Access Control: Measures shall be in place to ensure that access to Personal Data is limited to authorized personnel only. This includes the use of secure passwords, two-factor authentication, and access logging.
Network Security: The Processor will implement robust network security measures, including firewalls, intrusion detection systems, and regular network monitoring to prevent unauthorized access.
7.3. Organizational Measures
Employee Training: All employees of the Processor will receive regular training on data protection and security protocols relevant to their roles.
Data Minimization: The Processor will ensure that only the necessary amount of Personal Data is processed for the intended purpose and that data is not retained longer than necessary.
Incident Response Plan: The Processor shall have a documented incident response plan in place to quickly and effectively address any potential data breaches or security incidents.
7.4. Subprocessor Security
Any subprocessors engaged by the Processor, including Hetzner and Amazon Web Services (AWS), will be required to implement equivalent security measures to protect Personal Data.
7.5. Regular Audits and Assessments
The Processor shall conduct regular security audits and assessments to ensure the ongoing effectiveness of the security measures. This includes periodic reviews of Hetzner’s and AWS’s security practices.
7.6. Data Breach Notification
In the event of a data breach, the Processor shall promptly notify the Controller and relevant authorities in accordance with applicable data protection laws. The notification will include all necessary information to enable the Controller to comply with its obligations to report or inform data subjects about the breach.
8. Subprocessors
8.1. Use of Subprocessors
The Processor may engage third-party subprocessors to process Personal Data on behalf of the Controller. The engagement of subprocessors will be in strict accordance with the GDPR and will adhere to the same data protection obligations as set out in this Agreement.
8.2. Approval of Subprocessors
The Processor shall not engage any subprocessor without the prior specific or general written consent of the Controller. Where general consent is provided, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes.
8.3. Subprocessor Agreements
Where a subprocessor is engaged, the Processor shall enter into a written agreement with the subprocessor. This agreement will impose data protection terms that require the subprocessor to protect Personal Data to the standard required by the GDPR.
8.4. Liability of Subprocessors
The Processor remains responsible to the Controller for the performance of the subprocessor’s data protection obligations. Any violation of the data protection obligations by a subprocessor shall be deemed a violation by the Processor.
8.5. List of Current Subprocessors
The Processor shall maintain an up-to-date list of the names and locations of all subprocessors. This list shall be available to the Controller upon request.
9. Audit Rights
9.1. Audit and Inspection Rights
The Controller shall have the right to conduct audits and inspections of the Processor’s data processing activities to ensure compliance with this Agreement and applicable data protection laws. This includes the right to review documentation, processes, and measures related to the processing of Personal Data.
9.2. Notification and Timing of Audits
The Controller must provide reasonable notice to the Processor before conducting any audit or inspection. The specific terms, such as the frequency and duration of audits, shall be agreed upon in advance between the Controller and the Processor.
9.3. Conduct of Audits
Audits shall be conducted in a manner that minimizes disruption to the Processor’s operations. The Controller shall use its best efforts to avoid causing any damage, injury, or disruption to the Processor’s premises, equipment, personnel, and business while conducting audits.
9.4. Third-Party Auditors
The Controller may engage a mutually agreed-upon third-party auditor to conduct the audit. Any third-party auditor must be bound by the same confidentiality obligations as the Controller.
9.5. Cost of Audits
The Controller shall bear the cost of any audits or inspections. However, if the audit reveals material non-compliance by the Processor, then the Processor shall bear the reasonable costs of such audit.
10. Duration and Termination
10.1. Duration of the Agreement
This Data Processing Agreement shall remain in effect as long as the Processor is processing Personal Data on behalf of the Controller, or until terminated by either party in accordance with the terms of this Agreement.
10.2. Termination by Notice
Either party may terminate this Agreement by providing [specify notice period, e.g., 30 days] written notice to the other party. Termination shall be without prejudice to any data processing conducted prior to the date of termination.
10.3. Obligations upon Termination
Upon termination of this Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller. This process shall be completed within a reasonable period following termination, unless European Union or Member State law requires storage of the Personal Data.
The Processor shall also delete existing copies of the Personal Data unless European Union or Member State law requires storage of the data.
10.4. Survival of Certain Provisions
Notwithstanding the termination of this Agreement, provisions relating to confidentiality, data security, and any other provisions which by their nature should survive termination, shall continue to be effective after the termination of this Agreement.
11. Compliance with Specific Requirements
11.1. Compliance with Amazon Requirements
In accordance with the specific requirements of Amazon, the Processor shall not store Personal Data on its servers for more than thirty days after order fulfillment. This complies with Amazon’s policy for handling customer data.
11.2. Adaptation to Various Jurisdictions
The Processor acknowledges the diverse requirements for invoice retention across different European jurisdictions. The Processor commits to complying with these varying legal requirements, ensuring invoices and associated Personal Data are retained for at least seven years, or as mandated by the relevant jurisdiction.
11.3. Use of Amazon Glacier for Long-Term Storage
To align with Amazon’s requirements and various European jurisdictions' rules on invoice retention, the Processor will utilize Amazon Glacier for long-term cold storage of Personal Data. This ensures compliance while maintaining data security.
11.4. Regular Review and Adaptation
The Processor shall regularly review its practices to ensure ongoing compliance with the specific requirements of marketplaces like Amazon and the varying regulations across European jurisdictions. Adjustments will be made as necessary to maintain compliance.
12. Legal Compliance and Jurisdiction
12.1. Adherence to Applicable Laws
The Processor shall process Personal Data in full compliance with all applicable laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and relevant national data protection laws.
12.2. Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of [Specify Jurisdiction, e.g., the country where your company is headquartered]. Any disputes arising from this Agreement shall be resolved in the courts of [Specify Jurisdiction].
12.3. Changes in Law
The Processor commits to regularly monitoring changes in data protection laws and regulations and adapting its data processing practices accordingly to remain in compliance.
The Processor shall inform the Controller of any significant changes in law or regulation that may affect the processing of Personal Data under this Agreement.
12.4. Cooperation with Authorities
The Processor shall cooperate with supervisory authorities in the event of investigations or inquiries relating to the processing of Personal Data under this Agreement.
13. Amendments and Updates
13.1. Right to Amend
The Processor reserves the right to amend this Data Processing Agreement as necessary to reflect changes in legal requirements, industry standards, or business practices.
13.2. Notification of Amendments
Any amendments to this Agreement will be communicated to the Controller in a timely manner. The Controller shall be given a reasonable period to review and respond to any proposed changes.
13.3. Acceptance of Amendments
Continued use of the Processor’s services by the Controller after the effective date of any amendments shall constitute acceptance of the amended terms.
13.4. Record of Amendments
The Processor shall maintain a record of all amendments made to this Agreement, including dates and details of the changes. This record shall be available to the Controller upon request.