General Terms of Service (Data Processing Agreement)

The contracting of Software services implies the acceptance of ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L. as the data processor, authorized to process data on behalf of the client as necessary for the provision of the service. Pursuant to Article 33 of the GDPR, the processing activities will be governed by the following:

 

DATA PROCESSING AGREEMENT

PRELIMINARY STIPULATIONS

The parties are bound by a contractual service agreement aimed at providing software maintenance and backup services.

For the provision of these services, the data processor must have access to personal data for which the data controller is responsible.

The provision of these services requires the data processor to access the information system where personal data is stored and processed by the data controller.

Services will be provided remotely, with a strict prohibition against incorporating data into systems or media that are not owned by the data controller.

Services will be performed at the data processor’s premises, separate from the data controller’s location.

The parties wish to formalize in this agreement the conditions for data processing by the data processor, in accordance with Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016, on the protection of natural persons regarding the processing of personal data and the free movement of such data. As such, they enter into the following agreement.

CLAUSES

1. PURPOSE OF THE DATA PROCESSING AGREEMENT

Through these clauses, ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L., as the data processor, is authorized to process personal data on behalf of the client (the data controller) for the purpose of providing software maintenance and backup services.

In relation to the contracted services, the following treatments are implicit. The person in charge of the treatment can make the adaptations that he/she considers by communicating it to the e-mail admin@amvsoluciones.com.

The processing activities covered by this agreement include:

• Recording
• Storage
• Structuring
• Extraction
• Consultation
• Comparison
• Destruction
• Erasure

2. IDENTIFICATION OF THE AFFECTED INFORMATION

For the execution of the services derived from the fulfillment of the object of this order, the client, responsible for the treatment, puts at the disposal of ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L. in charge of the treatment, the information hosted in the contracted Software. For this purpose, if the client decides to incorporate personal data, he/she must inform ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L. about the type of personal data and categories of interested parties by e-mail admin@amvsoluciones.com.

3. DURATION

This agreement has a duration equal to the duration of the main service contract.

4. OBLIGATIONS OF THE DATA PROCESSOR

The data processor and all its personnel are obliged to:

1. Use the personal data being processed, or those collected for inclusion, only for the purpose of this order. Under no circumstances may you use the data for your own purposes.
2. Process the data in accordance with the controller’s instructions. If the processor considers that any of the instructions violate the GDPR or any other Union or Member State data protection provisions, the processor shall immediately inform the controller.
3. Keep, in written form, a record of all categories of processing activities carried out on behalf of the controller, containing:
4. The name and contact details of the person or people in charge and of each controller on whose behalf the person in charge is acting and, if applicable, of the representative of the controller or the person in charge and of the data protection officer.
5. The categories of processing carried out on behalf of each person in charge.
6. Where applicable, transfers of personal data to a third country or international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards.
7. A general description of the technical and organizational security measures relating to:
8. a) Pseudonymization and encryption of personal data.
9. b) The ability to ensure the continued confidentiality, integrity, availability and resilience of the processing systems and services.
10. c) The ability to restore availability and access to personal data quickly in the event of a physical or technical incident.
11. d) The process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of the processing.
12. Not to communicate the data to third parts, except with the express authorization of the data controller, in the legally admissible cases. The processor may communicate the data to other processors of the same controller, in accordance with the instructions of the controller. In this case, the controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication.

If the processor is required to transfer personal data to a third country or an international organization under Union or Member State law applicable to it, it shall inform the controller of that legal requirement in advance, unless such law prohibits it for important reasons of public interest.

1. Subcontracting.

Not to subcontract any of the services that are part of the object of this contract involving the processing of personal data, except for auxiliary services necessary for the normal operation of the services of the person in charge.

If it is necessary to outsource any processing, this fact must be previously communicated in writing to the controller, with a notice of one month indicating the processing to be outsourced and identifying clearly and unequivocally the subcontracting company and its contact details. The subcontracting may be carried out if the data controller does not express its opposition within the established term.

The subcontractor, who will also have the status of data processor, is also obliged to comply with the obligations established in this document for the data processor and the instructions issued by the data controller. It is up to the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures…) and with the same formal requirements as him/her, as regards the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial processor will remain fully liable to the controller for the fulfillment of the obligations.

1. Maintain the duty of secrecy with respect to the personal data to which it has had access by virtue of the present assignment, even after the end of its object.
2. Ensure that the persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
3. Keep at the disposal of the person in charge the documentation accrediting compliance with the obligation established in the previous section.
4. Ensure the necessary training in personal data protection for persons authorized to process personal data.
5. Assist the data controller in responding to the exercise of the rights of:
6. Access, rectification, suppression and opposition.
7. Treatment limitation.
8. Data portability
9. To not be subject to automated individualized decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and objection, limitation of processing, data portability and the right not to be subject to automated individualized decisions, the data processor must communicate this to the data controller via the usual contact e-mail address. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request.

1. Right of information

It is the responsibility of the person in charge to provide the right to information at the time of data collection.

1. Notification of data security breaches.

The processor shall notify the controller, without undue delay, and in any case no later than 24-48 hours, and via the usual contact e-mail address, of any breaches of security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident.

If available, at least the following information shall be provided:

1. a) Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
2. b) If applicable, the name and contact details of the data protection officer or other point of contact where further information can be obtained.
3. c) Description of the possible consequences of the personal data security breach.
4. d) Description of the measures taken or proposed to be taken to remedy the breach of security of personal data, including, if applicable, measures taken to mitigate the possible negative effects.

If that it is not possible to provide the information simultaneously, the information shall be provided gradually without undue delay.

1. Support the controller in conducting data protection impact assessments, where appropriate.
2. Support the controller in carrying out prior consultations with the supervisory authority, where appropriate.
3. Provide the person in charge with all the information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the person in charge or another auditor authorized by the person in charge.
4. Security guarantee. ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L. has security measures that guarantee the security of the data of the responsible. This guarantee is accredited by means of the ISO 27001 certification, obtained on 16/01/2025.

If the responsible party so requests, ASENJO-MONTENEGRO VIGO SOLUCIONES, S.L. can provide the Responsible Party with a list of the measures available to the entity.

1. Designate a data protection officer and communicate his/her identity and contact details to the data controller when his/her designation is mandatory.
2. Destination of data.

Return personal data to the data controller and delete any copies held by the data controller. The return must entail the complete deletion of all data on the computer equipment used by the data processor.

The data processor may keep, duly blocked, a copy of the data, as long as liabilities may arise from its relationship with the data controller.

5. OBLIGATIONS OF THE DATA CONTROLLER

It is the responsibility of the data controller:

1. a) Deliver to the person in charge the data referred to in clause 2 of this document.
2. b) Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the processor.
3. c) Carry out the appropriate prior inquiries.
4. d) To ensure, prior to and throughout the processing, compliance with the GDPR by the processor.
5. e) Supervise treatment, including the performance of inspections and audits.

6. APPLICABLE LAW AND DISPUTE RESOLUTION

Any dispute relating to this Agreement and the relationship between the parties shall be governed by Spanish law, and the parties agree to submit to the competent Courts and Tribunals in accordance with the law.