Data Processing Agreement (GDPR)

This Data Processing Agreement (hereinafter referred to as “Agreement”) is between You (The User) in your capacity as Service User, and We, Us (Weemss Ltd. –  a Bulgarian company, with UIC: 202592905.  having its seat registered at Republic of Bulgaria, Sofia, postal code 1680, “Manastirski livadi” District, 9A “Sinanishko ezero” street, office №3), in our capacity as a Service Provider. By using the Service provided by Us, You agree to this Agreement, which is an integral part of the Terms of Use, Privacy Policy and Cookies Policy.

This Agreement is part of the Terms of Service and is concluded on the basis of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and the free movement of such data and on the repeal of Directive 95/46/Eu (General Data Protection Regulation), hereinafter referred to as “GDPR”. Annex 1 is an integral part of this Agreement and contains information on the technical and organizational security measures applied by Us.

1. DEFINITIONS

1.1. The following terms have the following definitions in this Agreement:

1.1.1. “Personal Data”, “Processing”, “Special categories of Personal Data” “Supervisory Authority”, “Data Controller”, “Data Processor”, “Data Subject” and “Filling system” have the same meaning as they have in Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

1.1.2. “Subcontractor” means any data processor We employed under this Agreement who accepts to receive from Us Personal Data intended to carry out processing activities exclusively on Your behalf.

2. SUBJECT AND TERM OF THE AGREEMENT

2.1. We provide the Service (creating and managing Award-Winning Programs) to You as part of Our contractual relationship regulated by the Terms of Service. You are a Data Controller of the Personal data provided by an individual, who registers for your Award-Winning Program(s) through Our Service (The Applicants). During the provision of the Service, We may process Personal Data of Your Applicants sourced from You. In this case, We act in the capacity of a Data processor on Your behalf as part of the Service provided.

2.2. The Parties agree to enter into this Agreement, which regulates the data protection obligations of the Parties when processing the Personal Data of Applicants and governs the relationship between the Parties in respect of the processing of Personal Data of Applicants in order to ensure compliance with the GDPR and other applicable law.

2.3. We shall process the Personal Data of Your Applicants in our capacity as a Data Processor for the period of the provision of the Service.

2.4. This Agreement enters into force from the moment the Service is provided and shall apply for the entire period of the provision of the Service.

3. DATA PROCESSED AND PURPOSES FOR PROCESSING PERSONAL DATA

3.1. We may process the following categories of Personal Data of Your Applicants for the following purposes:

3.1.1. Name and email address. We process such Personal Data for the purposes of providing Our Service to You, namely: to facilitate registration, log in and identification of Applicants participating in Your Award-Winning Programs.

3.1.2. Any additional Personal Data is processed if You request such from The Applicant via the custom registration form fields provided by Us.

3.2. The types of processing related to personal data and the storage location for each type of processing is as follows:

3.2.1. Application hosting and data storage – We use the services of a subcontractor DigitalOcean, Inc. is located in New York, USA;

3.2.2. Email sending – We use the service of a subcontractor SendGrid located in Colorado, USA;

3.2.3. Image processing –

3.2.4. Support Infrastructure –

4. YOUR OBLIGATIONS

4.1. You accept and warrant that:

4.1.1. You are responsible for the accuracy and completeness of the Personal Data of Your Applicants;

4.1.2. You have collected the Personal Data of Your Applicants in a lawful manner;

4.1.3. You shall not provide Us with any Personal Data that is in violation of this Agreement or is not appropriate for the nature of the Services. In the event that such Personal Data is provided to Us by You, You undertake to indemnify Us for all damages arising from the provision of such Personal Data;

4.1.4. the processing, including the transfer itself of Personal data of Applicants collected through the Service are and will continue to be carried out in accordance with the provisions of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such Personal Data and the applicable law for Data Protection;

4.1.5. you have instructed and during the period of the Personal Data processing services you will instruct Us to process the transferred Personal Data solely on Your behalf and in accordance with the applicable Data Protection Laws and this Agreement;

4.1.6. you have provided sufficient guarantees regarding the technical and organizational security measures specified in Annex 1 of this Agreement;

4.1.7. after assessing the requirements of the applicable Data Protection Laws, the security measures provided by Us are suitable to protect Personal Data of Applicants from an accidental or unlawful destruction, or from accidental loss, unlawful access, alteration or distribution, as well as from other unlawful forms of processing and that these measures guarantee a level of security adapted to the risks associated with the processing and the nature of the Personal Data subject to protection, taking into account the level of technological development and the costs of their implementation;

4.1.8. if the transferring of the Personal Data involves Special categories of Personal Data, the Applicant concerned has been informed or will be informed before or immediately after the transferring, that Special categories of Personal Data of the Applicant may be transferred to Us;

4.1.9. You shall notify Us of any personal data breach that affects Us.

5. OUR OBLIGATIONS

5.1. We accept and warrant that We:

5.1.1. shall process the Personal Data on your behalf only for the purpose of providing the Service to You and for no other purpose unless required to do otherwise by Applicable Data Protection Laws;

5.1.2. shall process the Personal Data on your behalf in compliance with all obligations under Regulation (EU) 2016/679 on the protection of Natural Persons in connection with the processing of Personal Data and on the free movement of such Personal Data and the current legislation in the field of the protection of Personal Data, as well as all instructions that We have received from You and that do not contradict to the legal requirements;

5.1.3. shall process the Personal Data solely on Your behalf and in accordance with Your lawful instructions and this Agreement; if We cannot ensure compliance between the method of Data processing and the conditions laid down in this Agreement, We agree to promptly inform You of Our inability to ensure compliance, in which case You may terminate the Agreement and stop using the Services;

5.1.4. shall process the Personal Data provided by You solely for the purposes of  fulfilling Our obligations arising from the provision of the Service;

5.1.5. shall apply appropriate technical and organizational measures in such a way that the processing takes place in accordance with the requirements of Regulation (EU) 2016/679 and ensures the protection of the rights of Applicants, whose data are subject to processing operations;

5.1.6. shall apply the technical and organizational security measures specified in Annex 1 when performing the assigned processing operations;

5.1.7. shall implement appropriate technical and organizational measures to ensure a level of data security, including, inter alia, when appropriate and necessary: – pseudonymization and encryption of Personal Data; – the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; – the ability to promptly restore availability and access to Personal Data in the event of a physical or technical incident; – a process of regular testing, assessment and evaluation of the effectiveness of technical and organizational measures in order to guarantee the security of the processing;

5.1.8. shall promptly notify You of:

5.1.8.1. any legally binding request for disclosure of Personal Data provided under this Agreement by an Enforcement Authority,

5.1.8.2. any case of unauthorized access by an unauthorized third party, and

5.1.8.3. any request received directly from the Applicants concerned, without responding to such a request unless You have delegated it to Us;

5.1.9. in the case of subcontracting, We shall inform You about the engagement of a Subcontractor. If You want to object to the subcontracting, You shall do so in writing by sending an objection at [email protected] within 14 days from receipt of the notification of Subcontracting. We shall review, respond to, and work to accommodate your objections, as long as these objections are determined to be reasonable and with sufficient supporting detail. The objection shall be deemed invalid and we shall have no further obligations, if we do not view the objection as providing sufficient supporting details.

5.1.10. in the case of subcontracting, the Subcontractor shall provide at least the same degree of protection of Personal Data and the rights of the Applicant as that provided by Us;

5.1.11. shall respond to written inquiries made by You in connection with the provision of information regarding the technical and organizational measures taken to protect Personal Data from accidental or illegal destruction, or from accidental loss, from illegal access, modification or distribution, as well as from other illegal forms of processing.

5.1.12. shall inform You after We have become aware, without undue delay within 24 hours, that the security of the Personal Data of the Applicants that We process on Your behalf has been breached and We will take measures to protect this data. We undertake to communicate what the Personal Data security breach is, the categories of Personal Data that are affected by the breach, and also the number of Applicants that are affected by the breach. In the event of a determined need to notify the Applicants or the Personal Data Protection Commission of a security breach, We will provide you with all the necessary assistance to carry out an investigation and provide the relevant information.

5.1.13. shall assist you with your obligations as a Data Controller in relation to Security Breach notification requirements;

5.1.14. our employees, whom We have authorized to process the Personal Data have undertaken a commitment to confidentiality or are required by law to respect confidentiality;

5.1.15. shall delete Personal Data of Applicants at Your request, or in the event that the  Applicant sends a Personal Data deletion request directly to Us, unless applicable law requires the storage of such Personal Data.

5.1.16. shall delete and return to You all Personal Data after completion of the processing services and delete the existing copies, unless the law of the European Union or the law of the Republic of Bulgaria requires the storage of such Personal Data.

5.1.17. shall immediately notify You if, in Our opinion, Your order violates Regulation (EU) 2016/679 or other Data Protection regulations – in this case, We have the right to refuse to carry out processing operations that We consider to violate the Regulation;

5.1.18. shall process Personal Data lawfully and in good faith;

5.1.19. shall use the Personal Data to which We have access in accordance with the purposes for which they are collected and will not further process them in a manner incompatible with these purposes;

5.1.20. shall comply with Data Processing principles according to Regulation (EU) 2016/679;

5.1.21. shall delete or correct Personal Data when it is found to be inaccurate or disproportionate to the purposes for which it is processed;

5.1.22. shall maintain the Personal Data in a form that allows the identification of the relevant Applicants for a period no longer than is necessary for the purposes for which these Personal Data are processed;

5.1.23. shall not allow unauthorized persons into the premises where Personal data is stored.

5.1.24. shall notify You immediately if We receive a request to disclose Personal Data from a government, regulatory, judicial or other state authority. We shall also notify You immediately if We receive a request to disclose Personal Data from a third party.  We shall also notify You immediately if we are required to disclose Personal Data by any court order, a requirement by law, or other legal judicial process.

5.1.25. shall provide You, subject to a charge, all reasonable assistance regarding responding, objecting or challenging any requests, inquiries, communications or complaints.

 

6. RIGHTS OF DATA SUBJECTS

6.1. Both You, in Your capacity as a Data Controller, and We, in Our capacity as a Data Processor, guarantee the rights of the Applicants. The rights of the Applicants as Data Subjects are expressly listed in the GDPR.

6.2. In the event that a Applicant makes a request to Us to exercise any of his/her rights, We shall notify You of his/her request.

7. SUBCONTRACTING

7.1. We have the right to subcontract Our obligations under this Agreement only by means of a written agreement with a Subcontractor, which imposes on the Subcontractor the same obligations as those imposed on Us under this Agreement.

7.2. You hereby agree and are hereby providing Us a general written authorization allowing Us to engage the services of Subcontractors to process personal data in connection with the Services and in line with Article 28 of the GDPR.

7.3. We currently use the services of the following Subcontractors, who assist Us in providing Our Service:

7.3.1. DigitalOcean Inc – for the purpose of data storage;

7.3.2. SendGrid – for the purpose of Email deliverability.

8. TRANSFERING DATA OUTSIDE THE EEA

8.1. We are a Data Processor located in the territory of the European Union (EU) and the European Economic Area (EEA). We process Personal Data in accordance with European legislation. You hereby agree and are hereby providing Us a general written authorization allowing Us to store the Personal Data outside the EEA. In cases where the Personal Data is stored outside the EEA, We guarantee that this Personal Data shall be processed in compliance with Data Protection Laws and all appropriate technical and organizational measures have been taken by  process Personal Data outside the territory of the EU and the EEA, We undertake to apply the relevant legislation related to the storage and processing of Personal Data, as well We and Our Subcontractors have taken the necessary technical and organizational measures for the protection of the Personal Data.

8.2. In cases where We process Personal Data through a subcontractor located outside the territory of the EU and EEA (transfer of Personal Data), We and the Subcontractor undertake to process Personal Data in accordance with the GDPR by using Standard Contractual Clauses, provided the conditions for the use of those Standard Contractual Clauses are met.

9. FORCE MAJEURE

9.1. We shall not be held liable for total or partial non-performance of this Agreement if it is due to “Force Majeure”. “Force majeure” means an extraordinary circumstance (event) that arose after entering into this Agreement, could not be foreseen and is not dependent on Our will, including without limitation: fire, industrial accidents, military actions, natural disasters – storms, torrential rains, floods, hailstorms, earthquakes, ice, drought, landslides, etc. natural elements, embargo, government bans, strikes, riots, lock-outs, compliance with any law or governmental order, the default of subcontractors, etc.

9.2. In the event that We are unable to fulfill Our obligations due to a Force Majeure, We shall be obligated within 10 days to notify You in writing of its occurrence, as well as the supposed period of validity and termination of the Force Majeure.

10. RESOLVING DISPUTES WITH APPLICANTS OR SUPERVISORY AUTHORITY

10.1. In the event of a dispute or complaint filed by the Applicant or the Supervisory Authority relating to the processing of Personal Data against one or both parties, the parties shall inform each other of any such dispute or complaint unless prohibited by law and shall cooperate with a view to timely settlement of the same in a spirit of understanding.

11. TERMINATION

11.1. The Agreement is terminated upon the termination of an agreement for Services. You can terminate this Agreement at any time by sending a request for the deletion of Your Account to the following email address: [email protected] The Agreement shall be deemed terminated upon deletion of Your Account.

11.2. In case we are in breach of our obligations under the Agreement You have the right to terminate the Agreement or instruct us to suspend the processing of personal data until the processing complies with the clauses laid down in the Agreement.

12.OBLIGATIONS AFTER COMPLETION/TERMINATION OF PERSONAL DATA PROCESSING SERVICES

12.1. The parties agree that upon completion/termination of the provision of Personal Data processing services, We and Our Subcontractor/s (when engaged) shall return all  Personal Data (if any) and copies made (if any) to You or destroy all Personal Data (according to Your instructions) and certify this fact in writing to You unless the legislation applicable to Us prevents Us to return or destroy all or part of the  Personal Data or in cases where the protection of Our legitimate interest requires the preservation of personal data or a relevant part thereof. In such case, We guarantee that the Personal Data will be kept confidential and will not be actively processed for additional purposes.

13. FINAL PROVISIONS

13.1. All communications and notices between the Parties shall be made in writing. The written form shall be deemed to be observed and when the message was sent by e-mail.

13.2. For the purposes of this Agreement Our e-mail address is [email protected] and Your email address is the one you provided when registering Your Account.

13.3. Any subsequent modification of addresses shall be reasonably and timely communicated in advance to the effect of this Agreement. In the event that We change Our email address, the new email address will be set forth in this Agreement, the Terms of Service, The Privacy Policy and the Cookies Policy. By setting forth Our new email address, We shall assume that You have been notified of the change. If You change Your email address, You have an obligation to notify Us. If You have not notified us, We shall not be responsible for messages that have not been received by You.

13.4. If any portion of this Agreement is found to be invalid or unenforceable, such provision will be deemed severable from the remainder of this Agreement and will not cause the invalidity or unenforceability of the remainder of this Agreement.

13.5. The provisions of the legislation in force in the Republic of Bulgaria, including the applicable EU law, apply to all matters not settled in this Agreement.

13.6. For any dispute regarding the existence and validity of the Agreement or in connection with its breach, including disputes concerning the validity, interpretation, execution, breach or termination, as well as for all issues not covered, shall be settled amicably by the Parties. In the event of failure to reach an agreement, the dispute shall be referred to the competent court.

13.7. In the event of а conflict between this Agreement and Our Terms of Use, in Our capacity as a Service Provider, this Agreement shall prevail.

 

Annex 1

This Annex is an integral part of the Data Processing Agreement /Agreement/. By accepting the Agreement, you also accept this Annex.

Description of the technical and organizational security measures applied by Us:

SECURITY AREA SECURITY MEASURES TO PROTECT PERSONAL DATA
1. SECURITY OF NETWORKS AND SYSTEMS 1.1 Firewall and router configurations are set to restrict incoming traffic from “untrusted” networks (including wireless) and hosts.
1.2 Personal data is protected against hacking and malware by activating appropriate electronic tools, including anti-virus programs, which are updated periodically and according to the technical requirements of the software. When using anti-virus programs to protect the server and workstations:

ü  scanning of all files is performed:

ü  scanning of internet pages is performed;

ü  scanning of attachments is performed;

ü  daily update of anti-virus definitions is performed.

In addition, only copyrighted software installed by authorized persons is used.

1.3 Software updates are carried out periodically and according to the technical requirements and capabilities (for example, patching) of the operating systems, the server and the main applications), and the main updates are installed in a timely manner.
2. DATA SECURITY 2.1 The period of storage of personal data is limited to the extent necessary for the provision of every single service in compliance with the applicable legal and/or regulatory obligations.
2.2 For the deletion of data that is no longer necessary for the provision of the single service, as well as for the deletion of ICT assets, irreversible and secure cleaning procedures are carried out in order to delete all personal data and/or overwrite them in a safe and irreversible way before their destruction or reuse. If this is impracticable, the data carriers must be destroyed or rendered unusable.
2.3 Paper documents that contain personal data are physically destroyed by means of a shredding machine or other suitable technical means before being discarded.
2.4 Personal data is rendered in an unreadable format (e.g. by encryption) when stored on portable digital media, backup media and log files.
2.5 The number of registered personal data (e.g. databases, files, copies, archives) is reduced to a minimum and unnecessary duplication is avoided.
2.6 The transmission of personal data over free-access, public or unsecured networks is protected by secure encryption and the use of security protocols. In the event that an encryption channel is not applicable, files and applications containing personal data are protected by means of encryption whenever they are transmitted over free-access, public or unsecured networks.
2.7 Database encryption/data storage is based on the appropriate classification of assets according to the level of criticality.

 

2.8 Personal data is not copied to portable media, except those media that are expressly permitted by You for specific tasks.
2.9 Personal data that is stored is protected by encryption in case it is stored by cloud technology providers and/or other third parties that process personal data.
2.10 Media (portable and non-portable) containing personal data are protected against unauthorized access by means of appropriate physical and logical security measures.
2.11 Employees are appropriately informed and trained about the rules of conduct that are adopted to protect personal data contained in paper documents (for example: when leaving the workplace, they must ensure that no one has access to confidential information, to protect original documents and photocopies from theft or unauthorized use, to store documentation in drawers and cabinets that are locked at the end of the working day). Follow-up training of employees is carried out on a periodic basis and when necessary.
2.12 When using e-mail, information containing personal data is sent in an attachment.
3. DATA AVAILABILITY 3.1 Appropriate procedures have been introduced for the timely restoration of the availability of personal data. For this purpose, back-up records are prepared as follows:

ü  daily data transfer for virtual servers

ü  Image storage for the last 60 calendar days.

3.2 The protection of electronic data is carried out by maintaining backup copies and periodic archiving. Archiving and backup of personal data are carried out separately from the main device periodically by employees designated by the manager with a view to keeping the information up-to-date and the possibility of restoring it in case of destruction of the main medium. Only the authorized employees have access to the archives.
4. IDENTITY AND ACCESS MANAGEMENT 4.1 Access to production environments containing personal data is granted on a “need to know” and “least privilege” basis.
4.2 Policies and procedures are in place to ensure proper identification of users and administrators who have access to system components managing personal data. Each user must obtain a username before being granted access to authentication systems or personal data. Each username must identify only one user.
4.3 Individual remote administrative access to systems managing personal data is protected by an authentication mechanism that requires password changes every 180 days or less frequently. In addition, password managers (specific tools) are evaluated to ensure data security.
4.4 Restrictions on access to personal data are guaranteed by entering a password for starting the operating system and a password for accessing the program environment. Passwords for systems and devices managing personal data must be complex and meet the following requirements:

ü  contain a minimum of 8 characters using at least 3 types of characters;

ü  to be changed every 42 days, the password cannot be changed more than once within 24 hours, and the last 13 passwords are remembered by the system and cannot be used;

ü  does not include names or standard phrases;

ü  not be identical to those of their personal accounts.

The passwords of employees appointed to the position of “system administrator” should meet additional requirements, namely:

ü  contain a minimum of 18 characters using 4 types of characters;

ü  to be changed every 30 days.

4.5 System resources and access rights are assigned individually to each user profile.
4.6 All-access to databases containing personal data is secured/controlled to ensure “need to know”, “least privilege” and traceability.
4.7

 

Users’ access rights to personal data are determined based on employee functions, with employees within departments having the same access rights, with a view to ensuring interchangeability and teamwork. Each higher hierarchical level also has the access rights of the lower level. Access rights should be reviewed/re-authenticated at regular intervals and in any case at least once a year according to the regular identity and access management process.
4.8 We implement access control measures to premises/sources of personal data to ensure:

ü  the physical protection of information assets;;

ü  access to relevant information assets in accordance with an established access matrix and of the organization’s management and only after official authorization of access requests by the manager;

ü  implementation of physical access control mechanisms;

ü  determining the levels of access in accordance with the role to be performed by the employees of the organization and the classification levels of the information and assets;

ü  access during non-working hours and outside the office only via VPN;

ü  withdrawal of access rights upon departing of an employee;

ü  periodic review of access and access rights;

ü  update access control in response to new threats, opportunities, business requirements or incident findings.

5. LOGIN AND MONITORING 5.1 Access to production environments containing personal data, and access to personal data in general, is monitored and logged to accurately establish the relationship between the access and the individual user accessing the personal data. Tracking is performed as necessary to prevent and detect threats to the security of personal data.
5.2 Any access to personal data (consultation, modification, destruction, addition) is tracked by recording the minimum information required to reconstruct the access methods and allow the system to be controlled, noting at least:

ü  User identification;

ü  Type of access;

ü  Date and time;

ü  Success or failure indication;

ü  Access source;

ü  Identification of the affected data (data subject identifier), system component or resource.

6. ORGANIZATION AND PHYSICAL PROTECTION 6.1 Adequate procedures are in place to ensure the continued availability of personal data: backup personnel is designated to ensure continuity of service for the data subject wishing to access his or her own personal data.

 

6.2 A formal security awareness program is in place to familiarize all staff with the policy and procedures relating to the security of personal data.
6.3 Clear agreements are signed with all service provider subcontractors. These agreements shall comply as much as possible with the instructions and measures described in this document.
6.4 The responsibilities and obligations of employees regarding the confidentiality of personal data are clearly stated to be valid both during the action and after the termination or modification of their employment relationship.
6.5 Data is stored only in special, locked sections/cabinets. All premises where personal data is stored and/or processed are equipped with a fire extinguisher/fire extinguishing systems subject to the instructions of the control authorities.
7. DATA PROTECTION BY STAGE AND BY DEFAULT 7.1 Adequate technical and organizational measures have been introduced with the aim of effective data protection, applicable both at the time of determining the means of processing (built-in security) and at the time of the processing itself, which more specifically include::

ü  Pseudonymization;

ü  Minimize the processed data;

ü  Processing only personal data that is necessary for the respective specific purpose of the processing;

ü  Defined levels of access to personal data, consistent with the “need to know” principle, and any intentional violation of the rules and restrictions on access to personal data by the employees may be grounds for enforcement of disciplinary sanctions.

8. NOTICES OF PERSONAL DATA BREACH 8.1 Incident management processes and tools are implemented and/or enhanced in a way that allows for the detection and classification of personal data breaches so that they are properly communicated to the manager within the specified regulatory and/or internal deadlines.
8.2 A register of personal data breaches is created and maintained.

Last updated: 9 September 2022