In order to fulfill the requirements of the applicable data protection laws, concerning Monitis, until further notice, agree on the following regulations concerning commissioned (data) processing which supplement the Terms of Service. The details of the data processing are described in Annex 1.
2. RIGHTS AND OBLIGATIONS OF MONITIS
2.1 Compliance with Applicable Laws. The obligations of Monitis shall arise from this Agreement and the applicable laws. The applicable laws shall particularly include the General Data Protection Regulation ("GDPR").
2.2 Processing on Instructions Only. Monitis shall only process personal data within the scope of General Data Protection Regulation (“GDPR”) and on documented instructions from the Customer mutually agreed by the parties in the Terms of Service. Customer may issue additional instructions to the extent required in order to comply with the applicable data protection laws, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which Monitis is subject; in such a case, Monitis shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Monitis shall ensure that this also applies for any persons granted access to personal data.
2.3 Obligation of Confidentiality. Monitis shall ensure and provide verification upon request that those persons authorized to process personal data have committed themselves to confidentiality, unless they are subject to a statutory obligation of confidentiality.
2.4 Security Measures Pursuant to Art. 32 GDPR
2.4.1 Principle. Monitis declares that it will implement the necessary measures for the security of processing according to Art. 32 of the GDPR (collectively, the "Security Measures").
2.4.2 Scope. For the concrete commissioned processing, a level of security appropriate to the risk for the rights and freedoms of the natural persons who are the subject of the processing shall be guaranteed. In this regard, the protection objectives of Art. 32(1) of the GDPR, especially the confidentiality, integrity, availability and resilience of the processing systems and services in terms of the nature, scope, context and purposes of the processing shall be taken into account in such a way that any risks shall be mitigated permanently through appropriate security measures.
2.4.3 Data Protection Concept. The data protection concept describes in detail the selection of security measures. Please contact us at email@example.com to receive a copy of our security measures.
2.4.4 Procedure for Reviewing. The data protection concept describes the procedures for regularly reviewing, assessing and evaluating the effectiveness of the security measures. Please contact us at firstname.lastname@example.org to receive a copy of our security measures.
2.4.5 Changes. The Security Measures are subject to technical progress and further developments. Monitis shall be permitted in principle to implement alternative adequate measures. The level of security may thereby not fall below the level existing prior to this Agreement based on the Security Measures already implemented or to be implemented.
2.5 Engagement of Additional Processors. The obligations of Monitis engaging additional processors ("Subcontractors") are regulated in clause 3.
2.6 Assistance with Safeguarding the Rights of Data Subjects. Monitis shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling its obligations to respond to rights to access, rectification, deletion or blocking according to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR. If a data subject should directly contact Monitis for the purposes of exercising the data subject’s rights, Monitis shall forward this request to the Customer at the latest within one month after receiving the request. Additional request for assistance with User Rights shall be borne by the Customer.
2.7 Assistance with Ensuring Compliance. Considering the nature of processing and the information available to Monitis, Monitis shall assist the Customer in ensuring compliance with the obligations pursuant to Art. 32 – 36 GDPR, with respect to the security of the processing, data protection impact assessments and consultation of supervisory authorities. Additional request for assistance with User Rights shall be borne by the Customer.
2.8 Deletion and Return at the End of Processing. At the choice of the Customer, Monitis shall delete or return the personal data that is the object of the commissioned data processing, unless the law of the European Union or a Member State to which Monitis is subject requires storage of the personal data. Additional request for assistance with User Rights shall be borne by the Customer.
2.9 Information to Demonstrate Compliance with Data Protection Obligations and Inspections. Monitis shall make available to the Customer all information necessary to demonstrate compliance with the obligations resulting from clauses 2 and 3. In the event of any failure to provide such information or audit reports, Monitis will regularly, at least every 18 months, conduct internal audits and make the audit reports available to customers upon their request. Monitis allows for and contributes to additional audits, including inspections, conducted by the Customer or another auditor mandated by the Customer; the costs for such additional audits shall be borne by the Customer (rates will be discussed upon request) except in case Monitis' internal audit results give substantial rise to concerns of non-compliance.
2.10 Obligation to Notify Doubts About Instructions. Monitis shall immediately inform the Customer if, in its opinion, the execution of an instruction could infringe any applicable data protection laws.
2.11 Obligation to Notify Breaches. If Monitis detects any breaches of applicable data protection laws, this Agreement, instructions of the Customer relating to the data processing, or instructions of the data protection officer, Monitis shall notify the Customer without undue delay.
2.12 Designation of a Data Protection Officer. Monitis has designated a data protection officer, Mr. Iskikian, who can be reached at email@example.com to the attention of Mr. Barkev Iskikian, 5741 Rio Vista Drive, Largo, FL, USA.
2.13 Disclosure or Publication of Appropriate or Suitable Safeguards for Transfers to a Third Country. Monitis agrees to disclose or publish information on the appropriate or suitable safeguards that have been used to make a transfer to a third country to the extent that this is required under Art. 13(1) f) or 14(1) f) of the GDPR in order to inform the data subject.
3.1 Subcontractors Engaged Upon Conclusion of the Agreement. Monitis has engaged a number of Subcontractors, and a list is available upon request. The Customer shall treat the list of Subcontractors as a confidential business secret and shall not disclose it to third parties.
3.2 Additional Subcontractors. If Monitis would like to engage additional or different Subcontractors to render the contractually agreed services, such Subcontractors shall be selected using the due care required by law. Monitis shall give the data exporter prior notice of the appointment of any new Subcontractors 15 days in advance. The Customer may object against the instruction of the new Subcontractors on reasonable grounds. In case an understanding cannot be reached, Monitis is entitled to terminate the Terms of Service with 2 weeks' notice.
3.3 Obligations of Subcontractors
3.3.1 Structuring Contracts According to the Requirements of the Agreement. Monitis shall structure the contracts with Subcontractors in such a way that they comply with the requirements of the applicable data protection laws and this Agreement.
3.3.2 Engagement of Additional or Different Subcontractors. Monitis shall obligate any Subcontractors to commit in particular to refraining from engaging any additional or other Subcontractors to process personal data without complying with sec. 3.2.
3.3.3 Checking Safeguards of Subcontractors. Monitis will examine whether sufficient safeguards will be provided to implement appropriate technical and organizational measures in such a way that the applicable data protection laws and this Agreement are complied with.
Annex 1: Details of the Data Processing According to GDPR Data Processing Agreement
1. Object. The object of the data processing arises from the Terms of Service.
2. Duration. The duration of the data processing shall depend on the term of the Terms of Service.
3. Nature and Purpose of the Processing. Monitis shall process all personal data solely for the purposes of enabling the use of the products and services provided under the Terms of Service and according to documented instructions on behalf of the Customer.
4. Type of Personal Data. The following types of personal data shall be processed:
4.1 Customer Information
4.1.1 First name, name and country of the Customer;
4.1.2 Contact information such as company name, email and phone number;
4.1.3 Payment details - Credit card info, billing address;
4.2 User Information. Personally identifiable information collected and processed to enable product operation functionality:
- IP address
- Date and time of the request
- Time zone difference from Greenwich Mean Time (GMT)
- Content of the request (specific site)
- Access status / HTTP status code
- Volume of data transmitted each time
- Website from which the request comes
- Operating system and its interface
- Language and version of the browser software
- The country of origin for the visitor