Last updated on March 20, 2017
1. Introduction and definitions
These Supplemental terms govern the data processing activities, protection, rights and responsibilities of the Client and the Supplier pursuant to the General Terms and Conditions for the use of the Platformax Service.
The expressions used herein shall have the following meaning:
Personal data shall have the meaning of any data relating to an individual, irrespective of the form in which it is expressed, the controller of which in the sense of the Personal Data Processing Act (ZVOP-1-UPB1, Ur. l. RS, št.: 94/ 2007) is the Client.
Individual is an identified or identifiable natural person to whom personal data relates; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, where the method of identification does not incur large costs or disproportionate effort or require a large amount of time.
Processing of personal data means any operation or set of operations performed in connection with personal data that are subject to automated processing or which in manual processing are part of a filing system or which are intended for inclusion in a filing system, such as in particular collection, acquisition, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, communication, dissemination or otherwise making available, alignment or connecting, blocking, anonymising, erasure or destruction; processing may be performed manually or by using automated technology (means of processing).
Filing system is any structured set of data containing at least one piece of personal data, which is accessible according to criteria enabling the use or combination of the data, irrespective of whether the set is centralised, decentralised or dispersed on a functional or geographical basis; a structured set of data is a set of data organised in such a manner as to identify or enable identification of an individual.
Data controller is the Client, which by itself or in cooperation with other persons defines the purpose and the method of personal data processing.
Contractual processor is the Supplier, which processes personal data on behalf and for the account of Data controller and in the event that the Client is not established, does not have its seat or is not registered in a Member State of the European Union or is not a part of the European Economic Area, acts as the Client’s representative in the Republic of Slovenia for the data processed pursuant to the Main Agreement and these Supplemental Terms. In the event the Client wishes to appoint another entity as its representative, the Client shall notify the Supplier without undue delay of such appointed representative.
Sub-contractual processor is a legal or natural person that performs certain tasks involved in the process of processing of personal data.
Data recipient is a natural or legal person or other private or public sector person to whom personal data are supplied or disclosed.
Supply of personal data is the supply or disclosure of personal data.
Integrated Services represent third-party services and applications that connect with the Service in order to stitch together different data and operations so Service users can access data and operations quickly and easily when needed.
Third country is a country that is not a Member State of the European Union or a part of the European Economic Area.
Filing system catalogue – is a description of a filing system compliant with Article 16 of the PDPA.
Rules on protection of personal data – is an internal act on protecting personal data issued and accepted by the data Controller or data processor.
Personal consent of an individual – is a voluntary statement of the will of an individual that his personal data may be processed for a specific purpose, and this is given on the basis of information that must be provided to such individual by the data controller pursuant to PDPA; personal consent of an individual may be written, oral or some other appropriate consent of the individual.
Sensitive personal data – are data on racial, national or ethnic origin, political, religious or philosophical beliefs, trade-union membership, health status, sexual life, the entry in or removal from criminal record or records of minor offences that are kept on the basis of a statute that regulates minor offences (hereinafter: minor offence records); biometric characteristics are also sensitive personal data if their use makes it possible to identify an individual in connection with any of the aforementioned circumstances.
Biometric characteristics – are such physical, physiological and behavioural characteristics which all individuals have but which are unique and permanent for each individual specifically and which can be used to identify an individual, in particular by the use of fingerprint, recording of papillary ridges of the finger, iris scan, retinal scan, recording of facial characteristics, recording of an ear, DNA scan and characteristic gait.
The processing of the personal data is entirely subject to the provisions of the Personal Data Protection Act (ZVOP-1-UPB1, Official Gazette RS, št.: 94/ 2007), regardless of whether they shall acquaint themselves with personal data by performing services at the data Controller’s premises, Data Processor’s premises, with supervision of the execution of this agreement, via written documentation or any other manner.
2. Object of the Agreement
With this Agreement the Contractual processor binds itself to process personal data for the Data Controller in the scope and manner agreed by this Agreement.
Personal data, which the Contractual processor processes for the purpose of the Main Agreement, are such data as are provided by the Data Controller.
The types of information from an individual Filing system of a Data controller, which the Contractual processor processes for the Data Controller, are listed in the Platformax applications and input forms.
The Data Controller authorises the Contractual data processor to store, administer, maintain and backup the systems, where the data is stored.
The Contractual processor may perform the said acts for the purpose of fulfilling the Main Agreement and may not process them for any other purpose. The Contractual processor may particularly not use the personal data for marketing purposes or undertake any other form of processing not defined in Article 7.
3. Obligations of the contractual processor concerning the procedures and measures for protecting of personal data
The Contractual processor shall, in executing its duties under this Agreement related to the personal data from Articles 5 and 6 of this Agreement and their processing from Article 7 of this Agreement, ensure by technical and technological procedures and measures such protection of personal data that accidental or intentional unauthorised destruction, change, loss or unauthorised processing is prevented, so that:
- the premises, equipment and system and application software, including input/output units are secured;
- the application software with which the personal data is being processed is protected;
- unauthorised access to personal data is prevented when such data is transmitted, including when transmitted via telecommunication means and networks;
- an efficient method of blocking, destruction, deletion or anonymizing of personal data is ensured;
- it is possible at any time to determine when certain data was entered into the Filing system, or when such data was accessed, used or processed and the person who did it.
The procedures and measures for protecting of personal data, which the Contractual processor shall follow pursuant to Article 25 of the PDPA.
3.1. Protecting the premises and hardware
The premises where personal data is stored, as well as the software and hardware, which facilitates access to such data, must be secured by organizational, physical and technical measures, which prevent unauthorised access to data.
Access to the secure area shall only be allowed for employees who have such a right based upon an internal act on classification of posts or another internal act of the Contractual processor.
3.2. Security of system and application software and transfer via means of telecommunication
Access to system and application software is protected by a system of passwords for authentication and authorization (particularly on the system software layer and application software layer) which enables access only to authorised staff and Contractors of the Contractual processor who perform maintenance of the hardware and software equipment.
3.3. Protecting the media
The media on which personal data is recorded must be stored in a secure area; if such media is outside a secure area, it must be stored in fireproof and securely locked cabinets.
3.4. Security in transmissions via telecommunication networks
Personal data must be protected when transferred via telecommunication means and networks.
In the transmission of sensitive personal data over telecommunications networks, data shall be considered as suitably protected if they are sent with the use of cryptographic methods and electronic signatures such that their illegibility or non-recognition is ensured during transmission.
3.5. Organization of work processes
The Contractual processor shall in the Act on classification of posts or other similar act define:
- the areas of rights and responsibilities related to data processing from an individual filing system;
- working positions and persons who are subject to the rights and responsibilities so listed related to data processing (Authorised persons for data processing).
Only the persons defined in the act from the previous article may process the personal data. All other workers may process personal data only upon written authorisation from the Board of Directors or similar corporate body.
3.6. Measures for ensuring data integrity, confidentiality and accessibility of personal data, as well as tracking processing actions of personal data
The Contractual processor has to ensure integrity of personal data that are processed.
The Contractual processor must ensure confidentiality of personal data that are being processed.
The Contractual processor must ensure the accessibility of personal data that are being processed.
The Contractual processor must ensure traceability of operations with processing of personal information.
The Contractual processor shall ensure traceability of all operations performed upon personal information in such a manner that it can later be determined when certain personal data was used or entered into the filing system and which person performed certain actions, for the period when legal protection of individual rights because of unauthorised processing of personal data is still possible.
The Contractual processor has to ensure that for each transmission of personal data it may be possible at a later date to determine, which personal data were transmitted, to whom, when and on what basis, for the period when legal protection of individual rights because of unauthorised processing of personal data is still possible.
3.7. Data collected via Gmail Integration
Platformax is designed for users to improve and track their communication with their contacts. Email communication is one of the basic ones, and users can choose to connect their Gmail account with Platformax and authenticate their Gmail with Platformax. This way Platformax can get access to your contacts, the content of your emails and to attachments in order to be able to:
- create business opportunities from emails and relate them with your contacts,
- create cases from emails and relate them with your contacts,
- create new persons from email senders and add them to their Platformax database.
Platformax does not change the user’s Google account, except to receive and send mail or change settings as directed exclusively and solely by the user. Nor does Platformax add or amend the folder or label structure of Gmail.
Passwords and authentication tokens used to access the user’s Gmail account are stored encrypted with a 256-bit private key, and all email content is securely stored in a database server with no public IP or public access.
Platformax does not sell, rent, or share any user’s personally identifiable information with third parties. Platformax reserves the right to disclose your Personal Information if we believe such action is necessary to stay in compliance with the law or legal process served at Platformax, protect the rights or property of Platformax (including the enforcement of our agreements) or act in urgent situations to protect the personal safety of users of the Services.
Platformax is committed to protecting your personal information from unauthorized access, alteration, disclosure, or destruction. We undertake a range of security measures including physical access restraints, technical security monitoring, and internal security reviews of the environment. Our policy also prohibits employees from viewing personal information without business or legal justification. We take upon ourselves to ensure that Platformax employees and partners are bound by confidentiality obligations.
4. Contractual processors
Contractual processor may from time to time entrust certain actions related to processing of personal data to Sub-contractual processor, who is registered for performing of such work and has the capacity to guarantee proper procedures and measures for protection of personal data.
If the Contractual processor properly entrusts third person with processing of personal data (Sub-contractual processor), the Contractual processor has to ensure that such third person follows the provisions of this present Agreement entirely. The Contractual processor is liable for execution of its obligations from this Agreement as if the Contractual processor would be its subject.
The Contractual processor shall for each Sub-contractual processor enter into a written agreement for data processing, where, inter alia, it shall be defined to which data such Sub-contractual processor has access, the extent of its authorisation with processing file systems (access, view, change, write, transmittal) and what are the measures and procedures the Sub-contractual processor needs to implement for protection of such data.
Contractual processor may perform certain actions related to processing of personal data within the scope of authorisation of the Contractual processor and may not process personal data for any other purpose. The Contractual processor shall monitor the performance of such procedures and measures with Sub-contractual processor.
In case of dispute between the Contractual processor and Sub-contractual processor, the Sub-contractual processor must upon request of the Contractual processor immediately return the data processed for the Contractual processor. Eventual copies of such data must be immediately destroyed or transferred to state body, which is by law authorised to investigate and prosecute criminal acts, to a court or another state body if such body is authorised by law.
5. Rights and obligations of the data controller
Data controller or such person as the Data controller authorizes is under obligation to monitor the performance of provisions from Articles 7, 9 and 10 of this Agreement, while the Contractual processor shall allow such monitoring. The monitoring shall be performed during the working hours of the data processor, with no prior announcement.
The person performing the monitoring has to present its credentials and authorization from the data controller.
The Contractual processor shall, in fulfilling its obligations under this Agreement, act with the diligence of a good professional.
With fulfilling its obligations under this Agreement, the Contractual processor is not liable for damage caused by the Data controller.
If the arisen damage or disadvantage to the Contractual processor is caused also by the Data controller or any person for whom the data controller is responsible, the liability of the Contractual processor is proportionally decreased.
The Contractual processor is not liable for any loss, damage or other form of change of personal data if such change was due to force majeure. Events which shall be recognized as force majeure are events which are unpredictable and sudden events which occur independently of the parties’ will and which the parties could not foresee with entering into the Agreement and may in any way affect the execution of contractual obligations. The Contractual processor shall notify the data controller of a force majeure event in no more than ten days after such event occurred.
7. Protecting the confidentiality of data
The Contractual processor shall make sure that the employees and other individuals who perform work with personal data or perform related tasks shall keep confidential all data such persons encounter with performance of their work/tasks. The duty of keeping personal data confidential shall bind such persons also after cessation of their employment or performing their work or tasks related to contractual processing of data.
The data of the Data controller that are not publicly accessible and come into possession of the contractual parties during the execution of the provisions of this Agreement shall be treated as confidential (e.g. financial data, methodology and tools used, etc.)
The contractual parties may disclose confidential information only to persons who are directly engaged in performance of this Agreement. With that, it is important with appropriate instructions and measures, particularly in light of Article 7 of this Agreement, to ensure, that the recipients of confidential information do not use such information contrary to the provisions of this Agreement.
Each reproduction of data in written or oral form, in whole or in part, or their distribution to an unauthorised person, and any other form of disclosure of confidential information shall be considered as unauthorised.
The parties of this agreement shall keep business secrets confidential during the term of this Agreement, as well as after this Agreement has expired.
8. Duration of the Agreement
This Agreement is entered into for the duration of the Main Agreement.
Cessation or Termination of the Main Agreement shall at the same time cause cessation or termination of this Agreement.
In case of cessation or termination of the main Agreement the Contractual processor shall immediately stop processing personal data of the data controller. In exceptional circumstances the Contractual processor may process data to finish already started tasks pursuant to the Main Agreement, if such tasks are mandated by the Main Agreement.
In case of cessation or termination of the main Agreement, the Contractual processor shall immediately return the Data controller all personal information, and immediately destroy all eventual copies of such data.
If the Contractual processor does not perform according to Articles 9 and 10 of this Agreement and such omission causes a danger of destruction, change, loss or unauthorised processing of personal data, the Data controller has to issue a warning to the Contractual processor and set appropriate time to cure the deficiency. If the Contractual processor does not comply with Data controller’s warning, the Data controller may without notice terminate this Agreement and the Main Agreement and claim damages.
In case of cessation of Contractual processor, such contractual processor has to ensure that the personal data from Articles 5 and 6 and the copies thereof are without undue delay returned to Data controller.
9. Final provisions
In case of dispute between the Data controller and Contractual processor, the Contractual processor must upon request of the Data controller immediately return the data. Eventual copies of such data must be immediately destroyed or transferred to state body, which is by law authorised to investigate and prosecute criminal acts, to a court or another state body if such body is authorised by law.
The parties agree that eventual disputes arising from this Agreement will be resolved in the spirit of mutual understanding. If consent could not be reached, a materially competent court in Ljubljana, Slovenia, has jurisdiction. The validity, construction, interpretation and enforceability of this Agreement shall be governed by Slovenian law.
These terms are subject to change with notice on https://platformax.com.