Between: Customer who placed the Service Order or executed a similar document with reference to the MSA (hereinafter referred to as “Customer” or “Controller”)
And: Nuevas Soluciones Digitales SAS, incorporated under the laws of Uruguay, established and having its registered office at Andes 1283, Montevideo, Uruguay (hereinafter referred to as "NetworkGrid" or “Processor”)
Controller and Processor are jointly referred to as “Parties” and individually as a “Party”.
WHEREAS
Processor will Process (as defined hereafter) Customer Data and End User Data which will generally qualify as Personal Data (as defined hereafter) on behalf of Controller in providing the Services.
Controller has a legal obligation to enter into a data processing agreement with its processors.
Therefore, Parties wish to enter into the Data Processing Agreement (as defined hereafter) and outline the terms and conditions of the Processing of Personal Data by Processor.
1. Definitions
1.1 Confidential Information as defined in the main body of the MSA includes, without limitation, all documents, information, or data exchanged under this Data Processing Agreement and the existence and content thereof.
1.2 Data Processing Agreement or DPA means this data processing agreement and its schedules.
1.3 Data Subject shall refer to any natural person whose data is subject to processing in accordance with applicable data protection laws.
1.4 Process/Processing shall refer to any operation or set of operations performed on Personal Data or on sets of Personal Data.
1.5 Personal Data shall refer to any information relating to an identified or identifiable natural person.
1.6 Security Incident shall refer to incidents defined in Article 5.
1.7 Any other capitalized terms not defined in this Data Processing Agreement shall have the meaning given in the main body of the MSA and/or applicable data protection regulations.
2. Subject Matter
2.1 This Data Processing Agreement determines the rights and obligations of the Parties regarding the Processing of Personal Data in the provision of the Services, as detailed in Schedule A.
2.2 Nothing in this Data Processing Agreement relieves a Party of its own responsibilities and liabilities under applicable data protection laws.
2.3 This Data Processing Agreement forms an integral part of the MSA and supplements it regarding data protection. In case of conflict between the MSA or other agreements and this Data Processing Agreement, the latter prevails. General matters not specific to data protection (e.g., confidentiality, intellectual property, liability, etc.) are governed by the MSA.
3. Term of the Data Processing Agreement
3.1 This Data Processing Agreement is valid for the duration of the Services.
3.2 Articles 3.2, 12.2, 13, and 14 shall survive termination of this Data Processing Agreement.
4. General Obligations of Processor
4.1 Processor and authorized persons (specified in Schedule A) shall only Process Personal Data strictly as necessary for the Services and upon Controller’s instructions, except where Processor is legally required otherwise. Processor shall inform Controller of such requirements, except where law prohibits this on grounds of public interest.
4.2 Processor shall not Process the Personal Data for any other purpose and acts solely as a processor. Processor shall inform Controller if, in Processor’s opinion, any instruction breaches applicable data protection laws.
4.3 Processor shall implement necessary procedures and measures to ensure compliance with Controller’s instructions, including but not limited to measures enabling compliance with Data Subject requests.
4.4 Processor shall assist Controller, where necessary, to meet data protection obligations, including data protection impact assessments or consultations with supervisory or other authorities.
4.5 Processor shall inform Controller of any investigation by a supervisory authority, as permitted by applicable laws and regulations.
5. Security Measures
5.1 Processor shall maintain technical and organizational measures as outlined in Schedule B to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other unlawful processing.
6. Notification and Handling of Security Incidents
6.1 Processor shall promptly notify Controller in writing of any Security Incident affecting Personal Data under this Data Processing Agreement within 48 hours of the incident. The notification will include details on the impact on Controller and any affected Data Subjects.
6.2 Processor shall cooperate with Controller in investigating the Security Incident.
7. Audit
7.1 Controller may periodically inspect compliance with this Data Processing Agreement (including security measures) with 15 days' prior written notice. An independent auditor may be contracted to conduct the audit, with conditions agreed upon by the Parties. Processor shall provide necessary information and assistance.
7.2 Processor shall grant access to competent supervisory authorities with legal rights to investigate Controller’s or Processor’s processing activities.
8. Requests and Complaints by Data Subjects
8.1 Processor shall notify Controller immediately upon receiving any Data Subject request regarding access or correction of Personal Data. Processor shall assist Controller in taking any necessary action to respond to such requests, including providing copies of relevant Personal Data and details of processing activities.
8.2 Processor shall:
a. Notify Controller of any complaint or allegation from a Data Subject regarding the Processing of Personal Data.
b. Assist Controller in responding to complaints, including providing details on Personal Data and processing activities.
11. Confidentiality
11.1 Anyone with access to Personal Data under Processor’s authority may only Process such data under a duty of confidentiality, unless disclosure is legally required. Processor shall notify Controller of such legal requirements unless law prohibits this notification on grounds of public interest.
12. Retention of Personal Data
12.1 Processor shall retain Personal Data only as necessary to provide the Services unless otherwise required by law.
12.2 Upon termination of Services, all Personal Data and information provided by Controller, including copies, shall be either destroyed, returned, or transferred to a designated processor per Controller’s request, unless law requires retention. Processor shall confirm destruction in writing.
12.3 Processor shall demonstrate data destruction upon completion.
13. Liability and Indemnification
13.1 Provisions in the MSA regarding liability and indemnification apply to this Data Processing Agreement.
14. Governing Law
14.1 Provisions in the MSA regarding governing law apply to this Data Processing Agreement.
This Data Processing Agreement may be executed in counterparts, including scanned PDF documents, with each deemed an original. Together, all counterparts constitute one and the same Data Processing Agreement.
SCHEDULE A - OVERVIEW OF PERSONAL DATA AND DATA SUBJECTS
1. Nature and Purpose of Processing: Processor may process Personal Data under Controller’s instructions solely to provide the agreed Services.
2. Duration of Processing: Processing shall last per Controller’s instructions and this DPA.
3. Personal Data Processed: May include names, contact information, IP addresses, and other data elected by Controller.
4. Data Subjects Concerned: End Users, employees, contractors, third parties authorized by Controller.
SCHEDULE B - TECHNICAL AND ORGANIZATIONAL MEASURES
Includes measures for physical access control, logical access control, data access control, data transfer control, entry control, instruction control, availability control, and data separation, as detailed in the MSA.
