
DATA PROCESSING AGREEMENT

SUBJECT OF CONTRACT

1.1 The purpose of this Contract is to define the conditions under which the Data Controller will carry out the processing of personal data necessary for the correct provision of the Services provided to the Person Responsible for Data Processing.

1.2 The provision of the Services contracted implies the realization by the Data Processor of the following treatments: Collection, registration, consultation, conservation, diffusion, modification, communication by transmission, interconnection, conservation and deletion of personal data.

1.3 In the event that the provision of Services involves the collection of personal data, the Treatment Manager will fulfill the duty of information in accordance with the instructions provided by the Person Responsible for Data Processing.

DURATION

2.1 This Contract will be valid for the entire time of the provision of the Services contracted to the Treatment Manager. Notwithstanding the foregoing, both Parties agree that the provisions of this Contract, with express or implied intent to continue in force after its termination or expiration, will remain in force and continue to bind both Parties as per the agreement.

PURPOSE OF THE TREATMENT

3.1 The Data Processor is obliged to ensure that the data processing he carries out is limited to what is necessary to carry out the provision of the Services.

3.2 The Data Processor is obliged to process the data in accordance with the instructions that, at any time, are indicated, in writing, by the Person Responsible for Data Processing.

3.3 If the Person Responsible for Data Processing deems it appropriate to give instructions other than those mentioned, he will expressly notify the Data Processor. In the event that the Data Processor considers that an instruction of the Person Responsible for the Treatment may be contrary to the applicable regulations in the matter of data protection, he will immediately inform him.

3.4 If the Data Processor considers it necessary to carry out a treatment of the data outside these limits or use the data for a purpose other than the provision of the Service referred to in this Contract, he must previously request authorization in writing of the Person Responsible for Data Processing. In the absence of this authorization, the Data Processor may not carry out such treatment.

3.5 The Data Processor will use the maximum diligence in the provision of the Services in relation to the processing of personal data that he carries out under the Contract.

TYPE OF DATA PROCESSED AND CATEGORIES OF STAKEHOLDERS

4.1 The types of personal data that will be processed by the Data Processor will be detailed in the corresponding Annex that accompanies the General Contracting Conditions (GTC).

4.2 The categories of interested parties whose data will be processed by the Data Processor will be detailed in the corresponding Annex that accompanies the General Contracting Conditions (GTC).

PROHIBITION OF COMMUNICATION OF PERSONAL DATA

6.1 The Person Responsible for Data Processing expressly prohibits the Data Processor from subcontracting third parties, natural or legal, for the provision of all or part of the Services described in the Contract, unless there is express and written authorization of the Person Responsible for Data Processing so that the Data Processor can transfer, partially or totally, the personal data to a third party, natural or legal person (hereinafter, “the Subcontractor”), whose identifying data (full corporate name and NIF) must be communicated to the Person Responsible for Data Processing, before providing the service, with a minimum advance of one (1) month.

6.2 In case of making use of the faculty recognized in the previous paragraph, the Data Processor is obliged to transfer and communicate to the third companies and / or subcontracted professionals the set of obligations that for the Data Processor derive from this Contract and, in particular, the provision of sufficient guarantees that it will apply appropriate technical and organizational measures, so that the treatment complies with the applicable regulations.

6.3 In any case, access to the data made by natural persons who provide their services to the Data Processor is authorized by acting within its organizational framework by virtue of a commercial and non-labor relationship. Likewise, the access to the data is authorized to the companies and professionals that the Data Processor has hired in their internal organizational scope so that they provide general or maintenance services (computer services, advice, audits, etc.), provided that the said tasks have not been arranged by the Data Processor in order to outsource all or part of the services provided to the Person Responsible for Data Processing with a third party.

6.4 It is the responsibility of the Initial Data Processor to regulate the new relationship so that the new Data Processor is subject to the same conditions (instructions, obligations, safety measures, etc.) and with the same formal requirements as him, in relation to the adequate treatment of personal data and the guarantee of the rights of the affected people.

6.5 The Data Processor and the Subcontractor must sign an agreement for the provision of services with access to personal data that must meet the requirements set forth in the GDPR. A copy of said Contract will be attached to this Contract.

6.6 The transfer of data from the Data Processor to the Subcontractor will have as sole cause and inexcusable limit the subcontracting of all or any of the Services contracted by the Person Responsible for Data Processing to the Data Processor, restricting, in any case, to those strictly necessary personal data for the realization of outsourced services. Likewise, the transfer will not, under any circumstances, impair or diminish the obligations and responsibilities assumed by the Data Processor through this Contract.

6.7 The authorization granted by the Person Responsible for Data Processing to the Data Processor may not be extended to actions other than those indicated and will not lead, in any case, to the Data Processor acting as a representative or agent of the Person Responsible for Data Processing, nor that their acts and omissions may give rise to links of any kind that bind the Person Responsible for Data Processing to third parties.

6.8 In any case, the Data Processor assumes, directly and fully, the responsibility derived from any breach by the Subcontractor of the regulations on protection of personal data, keeping the Person Responsible for Data Processing harmless from any consequences derived from the Subcontractor's actions. The Person Responsible for Data Processing may seek recourse against the Data Processor for the amount of any sanctions or fines for actions that violate the regulations on personal data derived, directly or indirectly, from actions or omissions of the Subcontractor.

INTERNATIONAL DATA TRANSFERS

7.1 The Data Processor may in no case make international transfers of the data for which the Person Responsible for Data Processing is responsible outside the European Economic Area without the prior authorization of the latter, in writing.

7.2 If the Data Processor must transfer personal data to a third country or to an international organization, under the law of the Union or of the applicable Member States, he will inform the person responsible for that legal requirement in advance, unless such Law prohibits it for important reasons of public interest.

7.3 In the event that the Person Responsible for Data Processing authorizes the aforementioned international data transfers and the data will be transferred to a country that does not have an adequate level of protection or equivalent, authorization to carry them out should be requested from the Spanish Data Protection Agency, and the standard contractual clauses that the European Commission has established should be signed. In this sense, the Data Processor must facilitate said procedures to the Person Responsible for Data Processing, prior to the realization of the international data transfer, since without the prior authorization of the Spanish Data Protection Agency, the processing cannot be carried out.

SECURITY OF PERSONAL DATA

8.1 The Data Processor undertakes to guarantee the application of adequate technical and organizational measures so that the treatment meets the legal requirements, specifically ensuring a level of security appropriate to the risk, as well as defending the rights of the owners of the data, taking into account the most advanced techniques, the costs of application and the nature, scope, context and purposes of the treatment, as well as the risks, of variable probability and severity, for the rights and freedoms of natural persons, including:

(i) Pseudonymisation and encryption of personal data;

(ii) The ability to ensure the permanent confidentiality, integrity, availability and resilience of treatment systems and services;

(iii) The ability to restore availability and access to personal data in a timely manner in the case of a physical or technical incident;

(iv) A process to regularly test, evaluate and assess the effectiveness of technical and organizational measures to ensure the safety of the treatment.

8.2 When assessing the appropriate level of security, the Data Processor undertakes to take into account, specifically, the risks presented by the treatment, in particular due to accidental or illegal destruction, loss and modification, and the unauthorized disclosure of or access to personal data transmitted, kept or subject to any other type of treatment.

COLLABORATION IN THE NOTIFICATION OF SECURITY VIOLATIONS

9.1 In the event of a security breach in the systems of the Data Processor that may affect the data of the Person Responsible for Data Processing, the Data Processor, within a maximum period of 24 hours after having learned of the violation of personal data, is obliged to notify the Person Responsible for Data Processing through the Project’s Responsible, together with all the relevant information for the documentation and communication of the incident.

9.2 Notification will not be necessary when it is unlikely that such a security breach constitutes a risk to the rights and freedoms of natural persons.

9.3 If the Data Processor has information about it, he will provide the following information to the Person Responsible for Data Processing:

a) The description of the nature of the violation of personal data including, if possible, the categories and the approximate number of data owners affected, as well as the categories and the approximate number of personal data records in question.

b) The name and contacts of the data protection delegate or other contact point where information can be obtained.

c) Description of the probable consequences of the violation of personal data.

d) Description of the measures taken or proposed to remedy the violation of the security of personal data, including, if appropriate, the measures taken to mitigate the possible negative effects. If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be provided gradually without undue delay.

In the case and to the extent that it is not possible to provide all the information at the same time, it may be provided in phases, without unjustified delays.

RIGHTS OF ACCESS, RECTIFICATION, DELETION, LIMITATION, OPPOSITION AND PORTABILITY OF THE DATA

10.1 The Data Processor is obliged to assist the Person Responsible for Data Processing in response to the exercise of the right of access, rectification, deletion, opposition, limitation of processing, data portability and not to be subject to automated individualized decisions (including the preparation of profiles).

10.2 In the event that those affected exercise their rights before the Data Processor and / or authorized Subcontractor, they must transfer the request immediately to the Person Responsible for Data Processing and in no case beyond the working day following the receipt of the request, together, where appropriate, with other information that may be relevant to resolve the request, so that the Person Responsible for Data Processing duly resolves the said request.

10.3 The Data Processor and / or Subcontractor shall adopt the necessary measures to guarantee said transfer to the Person Responsible for Data Processing, in the expected times, as well as the information that the Person Responsible for Data Processing requires, to give an effective response to the rights exercised.

10.4 In any case, the Data Processor and / or Subcontractor, will be responsible for the negligence that may cause the non-attention of the rights exercised, as well as the damages that may be caused to the Person Responsible for Data Processing.

OBLIGATIONS OF THE TREATMENT MANAGER

11.1 The Data Processor undertakes to fulfill the following obligations:

Treat personal data only to carry out the provision of the contracted Services, in accordance with the instructions that, at any time, the Person Responsible for Data Processing indicates in writing (unless there is a regulation that requires complementary treatments, in which case the Data Processor will inform the Person Responsible for Data Processing of that legal requirement prior to the treatment, unless such Law prohibits it for important reasons of public interest).

Maintain the duty of secrecy with respect to the personal data to which you have access, even after the end of the contractual relationship, as well as to ensure that the persons in your charge have committed in writing to maintain the confidentiality of the personal data processed.

Guarantee, taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the application of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include, among others:

(i) pseudonymisation and encryption of personal data;

(ii) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;

(iii) the ability to restore availability and access to personal data quickly in case of physical or technical incident;

(iv) a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of the treatment.

In assessing the adequacy of the security level, you will particularly take into account the risks of data processing, in particular as a result of the destruction, loss or accidental or unlawful alteration of personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to such data.

In the event that the adoption of specific security measures is necessary, they will be added to this Contract by means of Annex.

Keep under your control and custody the personal data that you access on the occasion of the provision of the Services and not to disclose, transfer, or otherwise communicate them, even for their preservation to other persons outside the same and to the provision of Services object of this Contract.

However, the Person Responsible for Data Processing may expressly and in writing authorize the Data Processor to resort to a Subcontractor, whose identifying data (full corporate name and NIF) and outsourced services must be communicated to the Person Responsible for Data Processing, before the provision of the service, with a minimum advance of one (1) month. The Data Processor will also inform the Person Responsible for Data Processing of any changes planned in the incorporation or replacement of the Subcontractors, thus giving the person responsible the opportunity to oppose said changes.

In case of making use of the faculty recognized in the previous paragraph, the Data Processor is obliged to transfer and communicate to the Subcontractor all the obligations that for the Data Processor derive from this Contract and, in particular, the provision of sufficient guarantees that you will apply appropriate technical and organizational measures, so that the treatment complies with the applicable regulations.

In any case, access to the data made by natural persons who provide their services to the Data Processor is authorized by acting within its organizational framework by virtue of a commercial and non-labor relationship. Likewise, the access to the data is authorized to the companies and professionals that the Data Processor has hired in their internal organizational scope so that they provide general or maintenance services (computer services, advice, audits, etc.), provided that the said tasks have not been arranged by the Data Processor in order to outsource all or part of the Services provided to the Person Responsible for Data Processing.

Delete or return to the Person Responsible for Data Processing, at your choice, all personal data to which you have had access to provide the Services. Likewise, the Data Processor is obliged to delete the existing copies, unless there is a legal norm that requires the preservation of personal data. However, the Data Processor may keep the data, duly blocked, as long as responsibilities may arise from his relationship with the Person Responsible for Data Processing.

Provide support to the Person Responsible for Data Processing in the notification to the Spanish Data Protection Agency and, where appropriate, to those interested in security breaches that occur, as well as to give support, when necessary, in conducting privacy impact assessments and in prior consultation with the Spanish Data Protection Agency, where appropriate, as well as assist the Person Responsible for Data Processing so that he can comply with the obligation to respond to requests for the exercise of rights.

Keep, in writing, a record of all categories of treatment activities carried out on behalf of the Person Responsible for Data Processing.

Cooperate with the Spanish Data Protection Agency or another Control Authority, at its request, in the fulfillment of its powers.

Make available to the Person Responsible for Data Processing all the information necessary to demonstrate compliance with the obligations established in this Contract and to allow and contribute to the performance of audits, including inspections, by the Person Responsible for Data Processing or a third party authorized by him. The lack of accreditation that the Data Processor is correctly fulfilling the obligations assumed in this Contract, will be cause for its resolution.

11.2 If the Data Processor or any of its Subcontractors violates this Contract or any regulations when determining the purposes and means of the treatment, he will be held responsible for said treatment.

OBLIGATIONS OF THE TREATMENT MANAGER

12.1 For the execution of the Service, the Person Responsible for Data Processing undertakes to make available to the Data Processor the personal data and / or the information necessary for the adequate treatment of the same for the provision of the Services.

CONFIDENTIALITY

13.1 The duty of secrecy and confidentiality arising from this Contract obliges the Data Processor during the term of the relationship maintained with the Person Responsible for Data Processing and will be extended, depending on the type of information in question, during the maximum terms provided in the current legislation that is applicable. In particular, regarding the processing of personal data, the duty of confidentiality will have an indefinite duration, even after the relationship between the Parties has been extinguished.

13.2 The Data Processor ensures that the persons in charge, authorized to process the personal data under the responsibility of the Person Responsible for Data Processing, will assume a commitment of confidentiality and that they will be subject to adequate legal obligations of confidentiality, even after the termination of the Contract. The Data Processor will keep at the disposal of the Person Responsible for Data Processing the documentation proving that the corresponding confidentiality commitments have been signed.

13.3 The Data Processor undertakes to allow access to said data only to those employees who must know them for the proper execution of their functions under the Contract.

OBLIGATION TO RETURN DATA

14.1 Once the provision of the Services object of the Contract has been fulfilled, upon termination of the Contract for any reason, or when the Person Responsible for Data Processing so requires, within a maximum period of one (1) month from when it is duly indicated, the Data Processor undertakes to delete or return information that contains personal data that has been transmitted by the Person Responsible for Data Processing to the Data Processor for the purpose of providing the Service, as well as the computer support or media or documents containing personal data, without retaining any copy thereof or of the information provided or generated.

14.2 Likewise, in the event that the Person Responsible for Data Processing so requires, the Data Processor shall issue a certificate certifying the confidential delivery and / or destruction, as well as the absence of copies thereof within a maximum period of five (5) working days from the request.

14.3 Similarly, the Data Processor undertakes, in case of destroying the information, to carry out this process in a safe and confidential manner, adopting the necessary organizational and technical measures to guarantee the non-recovery of the data and therefore their non-use later or access by unauthorized third parties. Said system must be accreditable by issuing the corresponding certificate that must be provided to the Person Responsible for Data Processing. In any case, the Data Processor will be responsible for the execution of the aforementioned procedure and its accreditation in case of requirement by the Person Responsible for Data Processing, the Spanish Data Protection Agency or agency with competence in the matter, the Data Processor being responsible for possible breaches arising from the non-adoption of the necessary precautions or the non-execution of the process contemplated in this stipulation.

14.4 If there is a legal obligation for which the Data Processor must keep certain data for a period of time, they must remain blocked, and cannot be used for other purposes, being kept only available to the Public Administrations, Judges and Courts, for the attention of the possible responsibilities born of the treatment, during the period of prescription of these, after which it must proceed to the cancellation.

COMPLIANCE GUARANTEE

15.1 The Data Processor guarantees the fulfillment of the obligations that correspond to him as the Data Processor by virtue of the regulations that apply to him regarding the protection of personal data.

15.2 The Person Responsible for Data Processing reserves the right to verify compliance by the Data Processor with the obligations specified in this Contract, periodically and always with prior notice on the performance of the audit and ensuring the minimum inconvenience.

15.3 In this regard, the Data Processor undertakes to provide the Person Responsible for Data Processing with the certificates and documents accrediting these terms, if required.

15.4 Likewise, in case of inspection or request to the Person Responsible for Data Processing, by the Spanish Data Protection Agency, or other Agency with competence in the matter, the Data Processor will provide as much information as is necessary in relation to the object and development of the Services contemplated in this Contract, in order to prove compliance with current regulations.

COOPERATION AND RESPONSIBILITIES IN CASE OF COMPLAINT

16.1 If the Data Processor is involved in any investigation or administrative sanction procedure initiated by the Spanish Data Protection Agency or another Control Authority, or in a claim of a third party, he will immediately notify the Person Responsible for Data Processing, describing the facts that are imputed to him and the actions carried out. Once the procedure is finished, you must provide a copy of the Resolution issued.

16.2 In the event that the Spanish Data Protection Agency or another Control Authority sanctions the Data Processor or any of its clients as a direct or indirect consequence of the Data Processor not having complied with the provisions of this Contract, the Data Processor will indemnify the Person Responsible for Data Processing or, where appropriate, the client with an amount equal to the penalty, plus legal interests, plus defense and procedural expenses that it originates, plus the quantification of any other damages that could be caused.

16.3 Without prejudice to the foregoing, both parties, by mutual agreement, undertake to respond to all damages and losses that are caused to the other in all cases of negligence or guilty conduct in the fulfillment of contractual and regulatory obligations that are incumbent upon it in accordance with this Contract.

RESPONSIBILITIES

17.1 The Data Processor undertakes to comply with the obligations established in this Contract and in the current regulations, in relation to this personal data processing order.

17.2 In the event that the Data Processor allocates the data for another purpose, communicates them or uses them in breach of the provisions of this Contract, he will also be considered Person Responsible for Data Processing, responding to the infringements that he had personally incurred.

17.3 The Data Processor will respond personally to the infractions that could be incurred in the event that he allocates the personal data for another purpose, communicates them to a third party or uses them irregularly, as well as when he does not adopt the security measures established by current legislation, according to the level of the data, or breaches the provisions of this Contract or any provisions of the data protection regulations.

17.4 The Data Processor shall indemnify the Person Responsible for Data Processing for any claims, damage, debt, loss, fine, penalty, costs and expenses, including reasonable attorneys’ fees, with cause in any breach by the Data Processor of any of the Obligations contained in this Contract or the regulations that apply to it.

17.5 Likewise, the Data Processor undertakes to indemnify the Person Responsible for Data Processing for all damages caused by a third party subcontracted by the Data Processor, derived from any type of non-compliance, related to the processing of personal data, such as international transfers of personal data that are made without the prior written authorization of the Person Responsible for Data Processing.

DATA OF THE PARTICIPANTS

18.1 The personal data included in the GTCs and those others exchanged between the Parties to enable the provision of the Services will be treated by the other Party in order to allow the development, compliance and control of the agreed service provision relationship, the basis of the treatment being the fulfillment of the contractual relationship, keeping the data for as long as it remains and even later, until the possible responsibilities derived from it prescribe. The parties agree to transfer to the holders of the information provided this information, as well as to indicate that they may write to the respective addresses indicated to exercise their rights of access, rectification, opposition and cancellation.

MISCELLANY

19.1 Integrity of the Contract: This Contract, as well as the Annexes incorporated thereto, constitute the totality agreed by the Parties in relation to the object of the same, and substitute any other agreements, background, negotiations, and any other communications, verbal or written, existing between the Parties until the date of signature of this Contract and that were related to the object thereof.

19.2 Assignment: This Contract is intuitu personae for the Parties and therefore neither Party is entitled to assign its contractual position to any third party unless it has obtained the written consent of the other party.
Despite the provisions of the preceding clause, the Parties are entitled to assign their contractual position to any of the companies that belong to their group of companies in accordance with the provisions of Ley 24/1998, de 28 de julio, del Mercado de Valores [Law 24/1998, of July 28, of Stock market].

19.3 Notifications: All notification between the parties will be made to the respective addresses indicated in the heading of this Contract. Any notification made between the parties will be made in writing and will be delivered in any way that certifies receipt by the notified party.

19.4 Illegality and nullity: If any or some of the sections or stipulations of this Contract were declared null or unenforceable, said sections or stipulations shall be considered excluded from it, without implying the nullity of the entire Contract, keeping it in force as regards the remaining pacts. In that case, the parties will do everything in their power to find an equivalent solution that is valid and duly reflects their intentions.

19.5 Modifications: Modifications to this Contract must be made by mutual agreement between the Person Responsible for Data Processing and the Data Processor. For this purpose, the party proposing the modification shall request the written agreement of the other party at least fifteen (15) days prior to the effective date of modification, the latter having to give a written reply within fifteen (15) days after receipt of the request. The lack of response to the request for modification or the response after the deadline for doing so, will be understood as a non-acceptance of it. In any case, the proposed modifications may not contravene those established in the data protection regulations or the criteria of the Spanish Data Protection Agency.

19.6 Non-waiver of rights: The non-requirement by any of the parties of any of their rights, in accordance with the provisions of this Contract, shall not be deemed to constitute a waiver of said rights in the future.

LEGISLATION AND APPLICABLE JURISDICTION

20.1 This Contract shall be governed in accordance with Spanish and European regulations on the Protection of Personal Data, as well as the resolutions and guidelines of the Spanish Data Protection Agency and other competent bodies in the field.

20.2 In order to resolve any discrepancies with respect to the interpretation and / or execution of what is established in this Contract, both Parties agree to proceed to an amicable resolution of the same.

ENTRY INTO FORCE

21.1 This Contract enters into force on the date of the signing of the GTCs and will be in force until the date of termination of the relationship of provision of the Services by the Data Processor in favor of the Person agency and the obligations contemplated in this Contract have been fulfilled, regardless of any other legal obligation that was applicable to the parties after the termination of said relationship.
