EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE
Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection

Commission Decision C(2010)593
Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation: ___________

Address: ___________ Tel: ___________ E-mail: ___________

Other information needed to identify the organisation __________________________________

(the data exporter)

and

Name of the data importing organisation: Trujay

Address: Brodivska 5B st., Ternopil 46000, Ukraine; Tel: 38 (0352) 523831 E-mail: support@trujay.com

Other information needed to identify the organisation: developer of Trujay

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.


Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely Germany.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely Germany.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.


On behalf of the data exporter: ____________

Name (written out in full): ____________

Position: ____________

Address: ____________

Other information necessary in order for the contract to be binding (if any): ____________

Signature ____________ .


On behalf of the data importer: ____________

Name (written out in full): Ivan Karp

Position: CEO

Address: Brodivska 5B st., Ternopil 46000, Ukraine

Other information necessary in order for the contract to be binding (if any): ____________

Signature ____________ .


APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

  • Data exporter
  • The data exporter is an individual or entity that has contracted with CRMOne for CRM data migration services.

  • Data importer
  • The data importer is CRMOne, developer of Trujay, CRM migration service

  • Data subjects
  • The personal data transferred concern the Data Exporter’s end users including employees, contractors and the personnel of customers, suppliers, collaborators, and subcontractors. Data Subjects also includes individuals attempting to communicate with or transfer personal information to the Data Exporter’s end users.

  • Categories of data
  • The personal data transferred concern personal data, entity data, navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the CRM data migration Service.

  • Special categories of data (if appropriate)
  • The parties do not anticipate the transfer of special categories of data.

  • Processing operations
  • With respect to personal data of German end users as data exporters, the following provisions apply:

    Specification of processing activities in accordance with Section 11 BDSG

    Taking into account the requirements of Section 11 German Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG) on commissioned data processing, the processing activities are specified as follows:

    1. Subject and duration of the commission

    Personal data may be processed for the following purposes: (a) to provide CRM data migration Service (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the Trujay Terms of Service.

    The Clauses have been concluded for the duration of the data migration service.

    2. Extent, type and purpose of the planned collection, processing or use of data; the type of data and group of persons affected

    See for the type of data and group of persons affected the descriptions included in this Appendix 1 under the headings “Categories of data” and “Data subjects”.
    The purpose of the processing is: (a) to provide the CRM data migration Service (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the Trujay Terms of Service.

    3. Technical and organizational measures to be taken under Section 9 BDSG

    The Data Importer will take the appropriate technical and organizational measures to adequately protect data exporter’s Personal Data against misuse and loss in accordance with the requirements of Section 9 BDSG. See Appendix 2 for details.

    4. Correction, erasure and blocking of data

    Where a data subject requests the Data Importer to correct, delete or block data, the Data Importer shall refer such data subject to the data exporter. Deletion, blocking and correction of personal data by the Data Importer shall only happen upon instruction of the data exporter.

    5. Agent’s obligation under sub-Section 4 (of Section 11 BDSG), in particular controls to be undertaken

    See Appendix 2 for details.

    The Data Importer has obliged its employees employed in data processing not to collect, process or use personal data without authorization (data confidentiality). This obligation continues to be valid after termination of the respective employment relationship.

    6. Right to issue subcontracts

    See Clauses 5 (h) and 11 of the Clauses. If the Data Importer intends to instruct subcontractors, the Data Importer must notify the data exporter thereof in writing (email to the email address(es) on record in the Data Importer’s account information for data exporter is sufficient).

    7. Principal’s rights of control and the agent’s corresponding obligations to tolerate and cooperate

    See Clauses 5 (e) and (f) of the Clauses.

    8. Violations by the agent or persons employed by him/her of provisions to protect personal data or of terms specified in the commission which must be reported

    See Clause 5 (d) of the Clauses.

    9. Extent of the principal’s authority to issue instructions to the agent

    Personal data can only be processed by the Data Importer based upon instructions of the data exporter. Except as legally required, personal data may be processed or used for another purpose, including disclosure to third parties, only with the prior written approval of the data exporter. Copies of the personal data shall not be made without consent of the data exporter, except for copies which are necessary for the processing or if required to comply with statutory retention obligations.

    10. Return of data storage media and the erasure of data stored by the agent after the commission has been completed.


    Data exporter shall be entitled to demand the rectification, deletion, blocking and making available of personal data during and after the term of the respective service agreement (Trujay Terms of Service) in accordance with the further specifications of such agreement on return and deletion of personal data.

    APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

    This Appendix forms part of the Clauses and must be completed and signed by the parties.

    Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

    Trujay currently observes the security practices described in this Appendix 2.

    a) Access Control

    i) Preventing Unauthorized Product Access

    Outsourced processing: Trujay hosts its Service with outsourced, Germany-based data center providers. Additionally, Trujay maintains contractual relationships with vendors in order to provide the Service. Trujay relies on contractual agreements, privacy policies, and vendor compliance programs in order to assure the protection of data processed or stored by these vendors.
    Physical and environmental security: Trujay hosts its product infrastructure with outsourced data center providers.
    Authentication: Trujay implemented a uniform password policy. Users who interact with the product via the user interface must authenticate before accessing non-public customer data.
    Authorization: User data is stored in multi-tenant storage systems accessible to Users only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in the Trujay service is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options.

    ii) Preventing Unauthorized Product Use

    Trujay implements industry standard access controls and detection capabilities for the internal networks that support its products.
    Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures include Virtual Private Cloud (VPC) implementations and security group assignment, along with traditional enterprise firewall and Virtual Local Area Network (VLAN) assignment.
    Intrusion detection and prevention: Trujay implemented a Web Application Firewall (WAF) solution to protect all hosted sites as well as Trujay Service access. The WAF is designed to identify and prevent attacks against publicly available network services.

    iii) Limitations of Privilege & Authorization Requirements

    Product access: A subset of Trujay's employees have access to the product and to user data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support and to troubleshoot potential problems. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily.

    Background checks: All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

    b) Transmission Control

    In-transit: CRMOne makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the Trujay products. Trujay's HTTPS implementation uses industry standard algorithms and certificates.

    At-rest: Trujay stores user passwords following policies that follow at least industry standard practices for security. User account passwords are hashed. Our own staff can't even view them. If you lose your password, it can't be retrieved; it must be reset.

    c) Input Control

    Detection: Trujay designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Trujay personnel, including security, operations, and support personnel, are responsive to known incidents.

    Response and tracking: Trujay maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Trujay will take appropriate steps to minimize Customer damage or unauthorized disclosure.

    d) Job Control

    Trujay provides a solution for Customers to conduct CRM data migration. Customers control the data types collected by and stored within their portals. Trujay never sells personal data to any third party.

    Terminating Customers: Core Customer Data is purged upon a customer’s written request, or in 30 days after a customer terminates all agreements for data migration service with Trujay. “Core Customer Data” includes (i) the name, email address, phone number, data that was used for migration and information submitted by customer.

    e) Separation in Processing

    Trujay’s collection of personal data from its Customers is to provide and improve our Product. Trujay does not use that data for other purposes that would require separate processing.


    DATA EXPORTER

    Name: ___________

    Authorised Signature ___________

    DATA IMPORTER

    Name: Ivan Karp

    Authorised Signature ___________





