Data Processing Agreement

1. INTRODUCTION

This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the quote, service agreement or other agreement between the Parties (“the Agreement”).

The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term(s) of the Agreement, the DPA will prevail.

2. PURPOSE, SCOPE AND RESPONSIBILITIES

2.1. The Data Processor shall only process personal data in accordance with the terms of this DPA.

2.2. The Data Processor shall process personal data for the limited purpose of performing the obligations set out under the Agreement.

2.3. Data processing by the Data Processor shall include such actions as may be specified in the Agreement.

2.4. The term of this DPA shall continue until the latter of the following; the termination of the Agreement, or the date at which the Data Processor ceases to process personal data for the Data Controller.

3. DATA FLOW

3.1. The Data Processor is a software development company, assigned by the Data Controller to make available to the Data Controller software as a service for supporting the creation of business, hospitality, shipping, web and other applications. The content of this DPA reflects the limited amount of personal data the Data Processor handles for the Data Controller.

3.2. In no event will the data processed by the Data Processor include (examples are not exhaustive):

• Personal data as set out in art. 7 or 8 in the Personal Data Protection Act,
• Personal data as set out in art. 9 or 10 in Regulation 2016/679 of 27 April 2016
• Personal Financial data,
• Personal data regarding criminal offences, or
• Data regarding persons’ economy, taxes, debt, sick days, family relations, residential circumstances, car, personality tests, exams or CVs.

3.3 The Data Processor’s data flow is described in Exhibit 1 (the “Data Flow”).

3.4 The Data Processor’s data flow is described in Exhibit 1 (the “Data Flow”).

4. OBLIGATIONS OF DATA PROCESSOR

4.1 The Data Processor warrants that the Data Processor will:

• Comply with the Data Protection Legislation from time to time applicable to the Data Processor’s obligations under the Agreement (“Data Protection Legislation”),
• process any personal data transferred to or collected by the Data Processor only as a ‘processor’, as such terms are defined in the Data Protection Legislation, on behalf of the Data Controller,
• implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the applicable Data Protection Legislation and ensure the protection of the rights of the data subjects,
• ensure that Sub-processors undertakes to process personal data in accordance with the Data Protection Legislation,
• taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights according to the Data Protection Legislation,
• in relevant extent assist the Data Controller in ensuring compliance with the requirements for security of person data.

5. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

5.1. The Data Processor will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.

5.2. The Data Processor will ensure that it and its Sub-processors involved in the processing of personal data at all times comply with the minimum data security requirements set out in Exhibit 2.

6. PERSONNEL

6.1. The Data Processor will procure that any personnel of the Data Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

6.2. The Data Processor will procure that all personnel of the Data Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.

6.3. The Data Processor’s personnel’s undertaking to abide by such confidentiality requirements will continue after the end term of this DPA.

7. ADDITIONAL RESPONSIBILITIES OF THE DATA PROCESSOR

7.1 To the extent possible, the Data Processor will:

7.1.1. Notify the Data Controller without undue delay of any monitoring activities and measures undertaken by a supervisory authority pursuant to Data Protection Legislation, if such monitoring activities and measures pertains to the data processed under the Agreement;

7.1.2. Notify the Data Controller in writing within five (5) business days if it receives (i) a request from a data subject to have access to that person’s personal data; or (ii) a complaint or request relating to the Data Controller’s obligations under the Data Protection Legislation.

8. SUB-PROCESSORS

8.1. The sub-processors approved at the signing of this DPA are listed in Exhibit 3.

8.2. The Data Processor is authorized to engage further or other sub-processors if deemed relevant or necessary by the Data Processor for the purpose of performing the Data Processor’s obligations under the Agreement. In such case, the Data Processor will ensure to notify the Data Controller at least 30 days prior to the engagement of further or other sub-processors. The Data Controller may object to such new Sub-processor for justified reasons. In the case of justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and the Data Processor decides to proceed with such sub-processor, the Data Controller can terminate the Agreement with a notice of 30 days. Neither of the Parties shall be considered in breach of contract in the event of such termination;

8.3. Where the Data Processor sub-contracts its obligations, as described above, it shall do so only by way of a written agreement with the sub-processor which imposes the sub-processors to comply with the obligations of the Data Protection Legislation.

8.4. The Data Processor may only transfer personal data within the EU/EEA or within countries that have been recognized by the EU Commission to ensure an adequate level of data protection. The Data Processor may not transfer data outside these countries without the prior written approval of the Data Controller. In the event such approval is granted, the Data Processor undertakes to comply with the requirements after the Data Protection Legislation for transfer out of the EU/EEA, e.g. by use of the Commission’s model contracts, Privacy Shield Institute, consent from the data subjects or similar, to the extent applicable.

8.5. At the signing of this DPA, approval for transfer of personal data out of the EU/EEA, cf. section 8.4, has been given for transfer to the sub-contractors listed in Exhibit 3.

8.6. A list of the Sub-processors engaged by the Data Processor and a copy of the data processing agreement(s) between the Data Processor and the Sub-processors can at every given time be required either upon request to the Data Processor.

9. OBLIGATIONS OF THE DATA CONTROLLER

9.1. The Data Controller and the Data Processor will be separately responsible for conforming with the Data Protection Legislation as applicable to them.

9.2. The Data Controller will inform the Data Processor in writing without undue delay following the Data Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA.

10. NOTIFICATION OF DATA BREACH

10.1. The Data Processor shall without undue delay in writing notify the Data Controller in case of any identified or potential breach of personal data processed under the DPA.

10.2. The notification referred to in section 10.1. must, to the extent possible, contain:

• describe the nature of the personal data breach including where possible (e.g. loss, theft, copying), the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
• communicate the name and contact details of the person with the Data Processor where more information can be obtained,
• describe the likely consequences of the personal data breach, and
• describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

11. DELETION OF PERSONAL DATA

11.1. Following the end term or termination of the Agreement, the Data Processor will destroy all personal data processed for the Data Controller that is in the Data Processors possession or control, unless requirements arising from the Data Protection Legislation requires storage of the personal data.

11.2. Upon the Data Controller’s request, the Data Processor shall certify in writing the destruction of the personal data.

12. SIGNATURES

Signed for and on behalf of the Data Processor

Date: January 30, 2018

Name: Polis Yiannoudes

Title: General Manager

EXHIBIT 1: DATA FLOW

This Exhibit 1 sets out the data flow between the Data Controller and the Data Processor under the DPA.

The Data Processor is a global and generic multi-tenant Software-as-a-Service solution, that is hosted in the Microsoft Azure Cloud.

The Data Processor’s data flow can be illustrated as follows:

EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

The Data Processor will by itself, and shall ensure that all of its Sub-processors, at all times complies with the following minimum security requirements:

1.1.1. Availability
Data Processor has implemented the necessary security measures to ensure that data is available, e.g. through use of anti-virus and DDOS mitigation technologies etc

1.1.2. Integrity
Data Processor has implemented the necessary security measures to ensure that data is authentic and has not been maliciously or accidentally altered during processing, storage or transmission, e.g. backup and authentication codes and signatures.

1.1.3. Confidentiality
Data Processor has implemented the necessary security measures to ensure the confidentiality of personal data, including, e.g. encryption technologies, training programs, authorization, contractual clauses etc.

1.1.4 Isolation (purpose limitation)
Data Processor has implemented the necessary procedures and controls to ensure that personal data is only accessed and used for legitimate purposes, e.g. through access management, division of roles and responsibilities etc.

1.1.5. Portability
Data Processor has ensured the portability of personal data, e.g. use of standardised or open data formats and interfaces.

1.1.6. Accountability
Data Processor has implemented the necessary technical and organisational measures to ensure accountability and traceability of the processing of personal data, e.g. through use of logging, self-auditing etc.

1.1.7. Physical security
Data Processor’s business is cloud based and Data Processor does not use or provide physical storage of personal data. Such locations are provided by Sub-processors, as described in Exhibit 3.

EXHIBIT 3: DESCRIPTION OF MINIMUM DATA SECURITY

This Exhibit 3 sets out the Data entailed by the Data Processor’s and its Sub-processors’ processing of personal data under the DPA.