This Data Processing Addendum (‘Addendum’) supplements the Terms and Conditions of AGA CAD, UAB (‘Data Processor’) available at https://agacad.com/buy/terms-and-conditions, as updated from time to time, and governs the processing of personal data when AGACAD acts as the processor of personal data of the User or the organisation (entity) the User represents (‘Data Controller’). Hereinafter the Data Controller and the Data Processor shall be collectively referred to as the ‘Parties’, and each individually as a ‘Party’.
1.1. Unless the context of the Addendum requires otherwise, in this Addendum, including its preamble, and annexes, the capitalised terms have the following meaning:
‘Personal Data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Personal Data Breach’ means a breach of security leading to the deliberate or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Sub-Processor’ means the processor engaged by the Data Processor under the terms and conditions of this Addendum or by any other processor engaged by the Data Processor who processes personal data;
‘Addendum’ means this Addendum and annexes hereto;
‘Applicable Legal Acts’ means applicable laws of the Republic of Lithuania, EU legislation, decisions, resolutions, orders, instructions, decrees, permits, licenses and other subordinate legal acts of public authorities and state and municipality bodies;
‘Regulation (EU) 2016/679’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data of EU data subjects and on the free movement of such data, and repealing Directive 95/46/EC.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data;
‘DPA’ means Lithuanian State Data Protection Inspectorate, legal entity number 188607912.
‘Transfer Solution’ means the Standard Contractual Clauses or another solution that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR.
2. In this Addendum, unless the context requires otherwise, words importing the singular include the plural and vice versa.
3. In this Addendum, unless the context requires otherwise, a reference to the Article, Clause or Annex is the reference to the specific article, clause or annex of this Addendum.
4. Title of the Addendum or section headings are for convenience only and have no impact on the interpretation of any provision of the Addendum.
SUBJECT OF THE ADDENDUM
5. The Addendum sets out the rights and obligations of the Data Controller and the Data Processor when processing Personal Data on behalf of the Data Controller. The purpose of the Addendum is to protect the rights of Data Subjects, to mitigate specific risks to the protection of Personal Data and to ensure clarity of the relationship between the Data Controller and the Data Processor and their respective rights and obligations.
6. Should there be any discrepancies between the provisions on the processing of Personal Data of the Addendum and the Terms and Conditions, the provisions of this Addendum shall prevail, except in cases where the Addendum provides otherwise.
7. Where the Data Processor is mentioned in this Addendum, the respective provisions of the Addendum shall be also applicable to any Sub-Processor engaged by the Data Processor.
OBLIGATIONS OF THE PARTIES
8. The Data Controller:
8.1. undertakes to ensure that Personal Data is processed in accordance with Regulation (EU) 2016/679 (see Article 24 of Regulation (EU) 2016/679), any other legislation of the European Union or of a Member State of the European Union governing the protection and/or processing of personal data, as well as with this Addendum;
8.2. has the right and obligation to decide on the purposes and means of processing Personal Data;
8.3. is responsible for, including but not limited to, ensuring that the Processing of Personal Data entrusted to the Data Processor has a legal basis.
9. The Data Processor:
9.1. undertakes to process the Personal Data only in compliance with the requirements of the Applicable Legal Acts, provisions of the Terms and Conditions and the Addendum, and the Data Controller’s instructions for the processing set out in Annex 1 hereto. The Data Processor shall fulfil obligations established for the Processor in the Applicable Legal Acts, and the Data Controller shall fulfil obligations established for the Controller in the Applicable Legal Acts. In cases where the Data Processor has not received any documented orders (instructions) for the Processing required for the implementation of obligations thereof hereunder, the Data Processor shall promptly notify the Data Controller of the same and act in a way so as to ensure the best protection of the Data Controller’s interests until the provision of such instructions.
9.2. undertakes to ensure that the employees of the Data Processor performing the Processing are informed about the obligations of the Data Processor provided in the Addendum and will comply with them;
9.3. taking into account the nature of Processing, assists the Data Controller and provides the Data Controller with information to the extent necessary to respond to the requests from data subjects and supervisory authorities, and assists the Data Controller in performing data protection impact assessments when they are necessary pursuant to the Regulation (EU) 2016/679; the Data Controller shall reimburse the Data Processor for any time expended by the Data Processor or its Sub-processors in connection with the aforementioned assistance at the Data Processor’s then-current professional services rates, which shall be made available to the Data Controller upon request.
10. This Addendum shall not relieve the Parties of any other obligations to which they are subject under Regulation (EU) 2016/679 or any other legislation.
11. The Data Processor hereby confirms that it will ensure the confidentiality of Personal Data in the course of processing thereof. Only those employees of the Data Processor who require access to the Personal Data in order to be able to fulfil the obligations of the Data Processor and who have been obligated to comply with the confidentiality provisions shall have access to the Personal Data and process them and only to the extent required for the fulfilment of obligations of the Data Processor.
SECURITY OF DATA PROCESSING
12. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In any event, the security measures implemented by the Data Processor shall be of the security level not lower than the average risk level security measures specified in the guidelines of DPA of 18 June 2020 ‘Guidelines for Data Controllers and Data Processors on Personal Data Security Measures and Risk Assessment’. In the event the above guidelines are amended, supplemented or replaced, the Data Processor shall promptly adapt its security measures so that they adhere to any relevant recommendations or guidelines of the DPA.
13. In addition, the Data Processor shall assist the Data Controller in ensuring compliance with the Controller’s obligations under Article 32 of Regulation (EU) 2016/679. The Data Controller shall reimburse the Data Processor for any time expended by the Data Processor or its Sub-processors in connection with the aforementioned assistance at the Data Processor’s then-current professional services rates, which shall be made available to the Data Controller upon request.
14. Data Controller is solely responsible for evaluating for itself whether the security measures applied by the Data Processor and commitments of the Data Processor will meet the needs of the Data Controller, including with respect to any security obligations of the Data Controller under the Applicable Legal Acts.
15. The Data Processor must comply with the requirements set out in Article 28(2) and (4) of Regulation (EU) 2016/679 in order to use a Sub-Processor.
16. Data Controller provides general authorisation to Data Processor’s use of sub-processors to provide processing activities on behalf of the Data Controller (‘Sub-processors’). Annex 2 of this Addendum lists Sub-processors that are currently engaged by the Data Processor. At least 30 days before the Data Processor engages a Sub-processor, the Data Processor will update Annex 2 and provide the Data Controller with a mechanism to obtain notice of that update. To object to a Sub-processor, the Data Controller can cease using the services for which the Data Processor engaged the Sub-Processor.
TRANSFER OF PERSONAL DATA TO THE COUNTRIES OUTSIDE THE EU / EEA
17. Data Processor may store and process Personal Data anywhere the Data Processor or its Sub-processors maintains facilities.
18. If the storage and/or processing of Personal Data involves transfers of Personal Data out of the EU / EEA, and the Applicable Legal Acts apply to the transfers of such data (‘Transferred Personal Data’), the Data Processor will make such transfers in accordance with a Transfer Solution, and make information available to Customer about such Transfer Solution upon request.
INCIDENT MANAGEMENT AND NOTIFICATION ABOUT THE PERSONAL DATA BREACH
19. Should the Data Processor suspect that the Personal Data Breach has occurred or there is a risk of occurrence of such breach, the Data Processor shall without undue delay notify the Data Controller of the same pursuant to the instructions provided by the Data Controller in order to enable the Controller to comply with the Controller’s obligation to notify a Personal Data Breach to the Competent Supervisory Authority pursuant to Article 33 of Regulation (EU) 2016/679.
20. The Data Processor shall document any Personal Data Breaches, possible incidents and the facts relating to the Personal Data Breaches, effects and the remedial actions taken.
DELETION OF DATA
21. Having completed the Processing, the Data Processor shall delete Personal Data, unless applicable legislation prevents the Data Processor from deleting such Personal Data. To the extent that the Data Controller is bound by laws or regulations that would require the Data Processor to retain Personal Data after expiration of the Processing term and the Data Controller does not inform the Data Processor of such retention obligations, the Data Controller shall be solely liable for any deletion of such data by the Data Processor.
AUDITING AND INSPECTION OF THE PROCESSOR
22. The Data Controller shall have the right at any time during working hours of the Data Processor, having submitted a prior reasonable notification, using its own efforts or by engaging an independent third party (an auditor), to perform an audit in order to verify the compliance of the Data Processor’s activities to the requirements set forth in this Addendum. These obligations shall not include the obligation to provide information about other customers of the Data Processor. At the request of a Party, the other Party and/or the auditor shall undertake to keep all information related to the audit confidential. Audit can be performed no more than once per year.
23. Any audits are at the expense of the Data Controller. The Data Controller shall reimburse the Data Processor for any time expended by the Data Processor or its Sub-processors in connection with any audits or inspections under this Chapter at the Data Processor’s then-current professional services rates, which shall be made available to the Data Controller upon request. The Data Controller will be responsible for any fees charged by any auditor appointed by the Data Controller to execute any such audit.
COMPENSATION OF LOSSES AND LIABILITY
24. Any and all possible losses are compensated according to the Terms and Conditions.
25. The Addendum is incorporated by reference into Terms and Conditions.
26. The Data Controller may at any time at its sole discretion amend this Addendum informing the Data Controller about such amendments as provided in the Terms and Conditions.
27. The Data Processor may be contacted by contact information provided in the Terms and Conditions.
28. This Addendum shall be governed by and construed in accordance with the laws of the Republic of Lithuania.
29. Any claim or dispute arising out of the breach, termination or invalidity of this Addendum or any of its provisions shall be finally settled by a court of competent jurisdiction.
Annexes to the Addendum
Version of 1st December 2022