
Content
I. Introduction
II. Definitions
III. Application of the Agreement
IV. Processing of Personal Data
V. Access Data
VI. Instructions / Indications
VII. Hostico's Obligations
VIII. Client's Obligations
IX. Rights of the Data Subject
X. Subcontracting
XI. Technical and Organizational Measures
XII. Audit
XIII. Duration
I. Introduction
This agreement regulates the processing of personal data performed by Hostico as the "Data Processor", on behalf of the client acting as the "Data Controller". The Data Processing Agreement represents the understanding between the parties and establishes the rules regarding the processing of data by Hostico as the Processor, on behalf of the client as the Controller. This agreement complements the Terms and Conditions and/or the contract concluded between Hostico and the Client.
II. Definitions
In this agreement:
- Services - represents the service provided to the Client in accordance with the Terms and Conditions and the contract concluded with Hostico
- Personal data - refers to any information relating to an identifiable or identified natural person (data subject)
- Client or Controller - represents the natural person, legal entity, public authority, or any other entity that determines the purpose and means of processing personal data
- Processor or Hostico - represents the authority that will process personal data on behalf of the controller
- Process/processing - represents any operation or set of operations performed on personal data such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or making available, alignment or combination, restriction, deletion or destruction
- Sub-processor or Partner - represents a third party, Hostico partner designated by it for delivering services and/or processing the client's personal data
- Technical and organizational security measures - measures aimed at ensuring an adequate level of security including pseudonymization and encryption of personal data, the ability to permanently ensure confidentiality, integrity, availability, and resilience of processing systems and services, the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident, a regular process for testing and evaluating the effectiveness of processing security
- Applicable Laws - all national laws and European Union regulations in the field of personal data protection
- Data subjects - users respectively clients of the controller
III. Application of the Agreement
In relation to the services offered, this agreement applies:
- all data sent by the client to Hostico for processing
- all data accessed by Hostico for processing on behalf of the client
- all data received by Hostico on behalf of the client
IV. Processing of personal data
In accordance with the GDPR policy, it is the sole responsibility of the client to ensure the accuracy, quality, and processing of the personal data of the data subjects. Hostico will access, use, or process this data on behalf of the client only under the following specific circumstances:
- at the direct request of the client
- for the provision of the contracted services
- to provide technical assistance regarding the services offered
- for maintenance operations
The client will be responsible for determining the origin and purpose of personal data, as well as the categories of data subjects involved.
In view of fulfilling the agreement and specifically for providing the contracted services, Hostico will process certain categories and types of personal data on behalf of the client according to their authorization and request.
The types and categories of personal data processed by Hostico are:
Contact details:
- name, surname, address, phone number, email address, personal identification number
- personal data of representatives, employees, and other third parties provided by the client
These personal data are not included in this Data Processing Agreement but under the Privacy Policy as Hostico acts as the Controller in this situation.
Service Information:
- data that is on Hostico servers
- data stored and processed by users such as: source code, databases, files, etc.
- electronic logs: connection, authentication, access, errors
Hostico has no control over the content of these logs, as they are generated automatically by the services running on the equipment and by the client's applications.
The processing activities performed will be limited only to those necessary and relevant for the services provided. Processing requests from the client will be recorded by Hostico and will be kept until the client's right to be forgotten is exercised. Hostico will process personal data related to the client and the contacts provided by them through the commercial departments and the Hostico.ro website, in accordance with GDPR provisions.
V. Data Access
During the use of the services, the client has the right to access, modify, and delete personal data by logging into their accounts, using common protocols and tools.
In the case of any modification or alteration of the data, the original version can be stored as an entry in a log for a period of 10 years, in accordance with Hostico's data retention policy.
VI. Instructions / indications
Hostico will act and process personal data solely for the purpose of providing the contracted services, in strict accordance with the precise and documented instructions received from the client. By accepting this Data Processing Agreement, it is understood that Hostico has the right to process the client's personal data only for the purpose of providing the contracted services and in accordance with the presented Terms and Conditions, namely the concluded contract. The client guarantees that the personal data provided complies with the applicable laws, including legislative requirements regarding data processing. In the event that Hostico believes that the instructions received from the client regarding data processing conflict with the applicable legislation, Hostico will promptly notify the client in this regard.
VII. Hostico's Obligations
Confidentiality
Hostico will treat all personal data received from clients as confidential information and will ensure that it is used only for the purpose of providing the contracted services. Personal data will not be disclosed or transferred to third parties, except for Hostico employees and partners who need access to this data in order to provide the services and who are bound by confidentiality agreements to treat it with the utmost seriousness and with strict adherence to confidentiality.
Security
Hostico will implement and maintain appropriate technical and organizational measures to protect personal data against unlawful or unauthorized processing, as well as against accidental loss, destruction, or damage. A detailed description of the conditions under which backups are made and stored is available in the documentation for the backup provided by Hostico.
To ensure the confidentiality and security of personal data, Hostico will limit access to this data solely to employees who need it for the provision of services contracted by the client. All employees will be subject to confidentiality agreements and will be trained to process the client's personal data in accordance with the precise instructions received from them.
If the client requests, Hostico will provide detailed information regarding the implemented security measures, so that they can assess and verify how personal data is protected.
Hostico will periodically review and update the security measures to ensure that they are effective and in accordance with technological advancements and legal requirements regarding personal data protection.
Security breaches
In the event that Hostico identifies a breach of personal data security, affecting the personal information of its customers, the affected customer will be notified immediately. To the extent possible, Hostico will commit to providing the Customer with the necessary information and appropriate assistance, in order to enable them to fulfill all obligations related to reporting data breach incidents.
VIII. Client's Obligations
The Client is obligated to fully comply with the applicable legal requirements as a data controller. In this responsibility, it is the Client's duty to ensure that any transfer or provision of personal data to Hostico is carried out with the explicit consent of the data subjects. Furthermore, the Client must be able to justify each transmission of personal data to Hostico and provide the reasons and justifications for the decisions made regarding the processing and use of this data.
IX. Rights of the data subject
Hostico is committed to providing the Client with access to the services that manage the personal data of the data subjects, so that they can perform actions such as deletion, release, correction, or blocking of the respective data. In the event that providing this access is not feasible for certain reasons, Hostico will act in accordance with the instructions received from the Client, in order to carry out these operations in full compliance with the applicable legislation. Additionally, Hostico will commit to forwarding to the Client any requests received from data subjects regarding access to their own personal data.
Location of personal data processing
Personal data is processed by Hostico exclusively within its offices, workplaces, and data centers of its partners. Any transfer of personal data to international organizations or third countries will be carried out only if such action is necessary and permitted, and complies in full with applicable legal provisions. By international organizations or third countries, reference is made to domain registries or certificate providers.
X. Subcontracting
Hostico will not subdelegate any processing operation on behalf of the Client according to this Agreement, without the prior consent of the Client. In the case of services that do not fall under Hostico's direct administration (domains, certificates, licenses), by placing and paying for the order, the client expresses their agreement for the processing of personal data by third-party providers.
Hostico has the implicit right to engage third parties to perform client data processing operations without the need for written approval from the Client. However, in order to ensure transparency and respect the rights of the Client, Hostico will provide information regarding the identity of the third party upon explicit request from the Client.
XI. Technical and organizational measures
Hostico will ensure that throughout the processing of personal data on behalf of the Client, appropriate technical and organizational measures will be implemented and maintained. These measures include, but are not limited to, hiring qualified personnel, strict control of access to data centers and equipment, rigorous management of data access, using secure protocols for data transmission, detailed logging of system activities, isolating the Client's data from that of other clients on internal systems, periodic backups, etc.
XII. Audit
The client has the right, based on transparency and respect for the protection of personal data, to request an audit by submitting a written request, in order to verify how Hostico fulfills its obligations under the Data Processing Agreement. As part of this procedure, the specific details regarding the selection of the auditor and the audit procedures will be established through clear and transparent consensus between the parties. However, Hostico reserves the right to refuse the request for an audit in situations where the client has not complied with the contractual provisions and the Data Processing Agreement.
XIII. Duration
The Data Processing Agreement has a lifespan equal to the entire validity period of the Contract concluded between the Client and Hostico. In accordance with legal provisions, the authorization granted by Hostico for processing personal data on behalf of the Client will immediately cease upon the expiration of the Contract.
As a data processor, in accordance with the legal requirements and regulations, Hostico is committed to continue processing personal data for 30 days after the termination of the Contract. At the same time, Hostico will keep a backup copy of the Client's data according to its established backup policies. Any data processing action performed by Hostico during this period will be considered to be in accordance with the instructions received from the Client.
Hostico undertakes to delete all personal data processed on behalf of the Client within a maximum of 45 days from the termination of the Agreement. However, in cases where there are requests or legal requirements that mandate data retention, Hostico will act in accordance with these requirements, while ensuring the security and confidentiality of the respective data.
As a controller, Hostico will process customer data in accordance with Article IV of the Privacy Policy
Last update: 30.08.2023