Contents
Scope and Applicability
Definitions
Principles
Purpose of the Data Processing Assignment
Identification of the Personal Data Involved
Term and Termination Effects
Obligations of Prometeo as Data Processor
Subcontracting of Data Processing
Data Subject Rights
Security Breach Notification
Obligations of the Client as Data Controller
Termination of Service
Liability and Jurisdiction
Important! Make sure you review this
Scope and Applicability
This Data Processing Agreement (DPA) applies to any processing of personal data carried out under the Master Services Agreement (“MSA”) between the parties.
The processing of personal data shall be governed by: the applicable data protection laws of the country where the Data Controller is established; and the terms of the MSA and this DPA.
In the event of a conflict between the MSA and this DPA, the provisions of this DPA shall prevail, but only with respect to the conflicting subject matter.
Terms not defined in this DPA shall have the meaning assigned to them in the MSA.
This DPA applies to data processing activities where Prometeo acts as a Data Processor on behalf of the Client, for example, in the provision of the Account Validation solution.
Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below:
Personal Data
Any information relating to an identified or identifiable natural person. In some jurisdictions, this may also include data relating to legal entities.
Data Controller (“Controller”)
The natural or legal person who determines the purposes and means of processing personal data. When Prometeo acts as a Controller, the personal data it processes may include: name, surname, tax identification number, address, and email address.
Data Processor (“Processor”)
The natural or legal person who processes personal data on behalf of the Controller, in accordance with the Controller’s instructions.
Sub-processor
Any third party engaged by the Processor to perform specific processing activities on behalf of and under the instructions of the Controller.
Processing
Any operation performed on personal data, whether automated or not, including collection, recording, organization, structuring, storage, adaptation, use, disclosure, deletion, or destruction.
Data Subject
The individual to whom the personal data relates.
Data Breach (also: Security Incident or Incident)
Any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
International Data Transfer
The transmission of personal data to a country other than the one in which it was originally collected, whether to another Controller or Processor, for the purpose of processing.
Principles
Both parties agree to process personal data in accordance with the following principles. These principles form binding obligations and are intended to promote a consistent and high standard of data protection across all activities governed by this DPA:
Lawfulness, fairness, and transparency
Personal data must be processed lawfully, fairly, and in a transparent manner. A valid legal basis must support each processing activity (e.g., consent, contract, legal obligation, or legitimate interest). Data Subjects must be clearly informed about how their data is collected, used, and protected.
Purpose limitation
Personal data shall be collected for specific, explicit, and legitimate purposes, and must not be further processed in a way that is incompatible with those purposes. The Processor must process data strictly in accordance with the Controller’s instructions.
Data minimization
Only the personal data that is strictly necessary to achieve the stated purpose may be processed. Unnecessary or excessive data must not be collected or retained.
Accuracy
Personal data must be accurate and, where necessary, kept up to date. Inaccurate or outdated data must be corrected or deleted without delay.
Storage limitation
Data must be retained only for as long as necessary to fulfill the intended purpose or to comply with legal obligations. After that, it must be securely deleted or anonymized.
Integrity, confidentiality, and security
Personal data shall be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental or unlawful loss, destruction, or damage, using appropriate technical and organizational measures.
Accountability
The Controller is responsible for ensuring compliance with these principles and must be able to demonstrate such compliance. The Processor shall support the Controller by implementing appropriate measures, such as:
- Privacy by design and by default
- Data protection impact assessments (where required)
- Appointment of a Data Protection Officer (DPO), where legally necessary
Purpose of the Data Processing Assignment
Prometeo, acting as the Data Processor, provides the Client with various technological solutions as part of the contracted services. The use of these services necessarily involves the processing of personal data, as defined under applicable data protection laws.
The personal data is provided by the Client, acting as the Data Controller, who authorizes Prometeo to process it on their behalf, solely for the purpose of delivering the contracted services and in accordance with the Client’s instructions.
Identification of the Personal Data Involved
To properly deliver the contracted services, the Client shall provide Prometeo with the personal data necessary for their execution.
This may include, by way of example:
- Full name
- Email address
- Tax identification number
- Phone number
- Bank account number
- Any other data required to fulfill the scope of the service
Term and Termination Effects
This DPA enters into force on the same date as the Master Services Agreement (MSA) and remains in effect for as long as Prometeo processes personal data on behalf of the Client.
Upon termination of the contractual relationship, Prometeo will, at the Client’s choice:
- Return all personal data and any copies thereof to the Client; or
- Permanently delete the personal data, including any backups, unless retention is required by applicable law.
If retention is legally required, Prometeo will block the data and store it securely, limiting its use strictly to compliance with such legal obligation, in accordance with applicable regulations.
Obligations of Prometeo as Data Processor
Prometeo, acting as Data Processor, undertakes to:
Legal Compliance: Comply with all obligations applicable to data processors under relevant data protection laws and any other binding legal provisions.
Purpose Limitation: Process personal data solely for the purposes set out in this DPA and the Controller’s documented instructions. Prometeo shall not use the data for its own purposes.
Transparency and Cooperation: Provide the Controller with all necessary information to demonstrate compliance with this DPA and allow reasonable audits or inspections, as agreed.
Authorized Personnel: Ensure that any personnel authorized to process personal data:
- Are bound by a written confidentiality obligation;
- Have received appropriate data protection training; and
- Process data only in accordance with the Controller’s instructions or applicable legal requirements.
Security Measures: Implement and maintain appropriate technical, physical, and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized access, or disclosure. These measures shall include, at a minimum:
- Pseudonymization and/or encryption, where appropriate;
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- The ability to restore access to personal data in a timely manner in the event of an incident; and
- Regular testing and evaluation of the effectiveness of the implemented security measures.
Recordkeeping and Supervision: Maintain records of processing activities as required by law and make them available to the Controller or competent authority upon request. Cooperate fully with any regulatory audit or investigation.
Subcontracting of Data Processing
Prometeo may engage third parties (“Sub-processors”) to perform specific personal data processing activities, provided that the Client gives prior written authorization.
By entering into the service agreement, the Client provides general authorization for Prometeo to subcontract essential ancillary services necessary for the standard operation of the services (e.g., cloud hosting, technical support).
Prometeo shall ensure that any Sub-processor is bound by the same data protection obligations as those set forth in this DPA, including appropriate technical and organizational measures to ensure data security and compliance.
Prometeo remains fully liable to the Client for any actions or omissions of its Sub-processors that result in a breach of this DPA.
Data Subject Rights
Prometeo shall implement appropriate technical and organizational measures, considering the nature of the processing, to assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
If Prometeo receives a data subject request directly, it must:
- Promptly notify the Controller; and
- Provide all relevant information necessary for the Controller to respond appropriately.
If the data is processed exclusively through systems managed by Prometeo, and if agreed with the Controller, Prometeo may respond directly to the request on the Controller’s behalf, in accordance with applicable legal deadlines. The Controller must still be informed of the request and the response provided.
Security Breach Notification
In the event that Prometeo detects a personal data breach affecting data processed under this DPA, it shall notify the Controller without undue delay, to enable appropriate mitigation and response actions.
The breach notification shall include, at a minimum:
- A description of the incident and how it was detected;
- The categories and estimated number of affected data subjects and records;
- The likely consequences of the breach;
- Measures taken or planned to address and mitigate the breach;
- Contact details for further information or coordination.
If legally required, Prometeo will also cooperate with the Controller in notifying the relevant supervisory authority and affected data subjects.
Obligations of the Client as Data Controller
The Client, acting as Data Controller, shall be solely responsible for the following obligations:
Lawful Basis for Processing
Ensure that all personal data provided to Prometeo is processed on a valid legal basis, in accordance with applicable data protection laws. The Client must be able to demonstrate this basis upon request.
Instructions to the Processor
Provide Prometeo with clear, lawful, and written instructions regarding the processing of personal data. Instructions must include:
- The purpose and scope of processing;
- The duration of the processing;
- The nature and categories of personal data;
- The categories of data subjects;
- The specific obligations and rights of the Client that Prometeo must support.
Transparency and Information Duties
Inform data subjects, in a clear and lawful manner, about the processing of their personal data, in compliance with applicable transparency requirements.
Data Subject Rights
Implement procedures and channels to allow data subjects to exercise their rights. Inform Prometeo of any request that involves data it processes, and provide necessary instructions for response.
Monitoring and Supervision
Actively monitor Prometeo’s compliance with this DPA and applicable laws. This includes the right to conduct audits or assign an independent auditor, with reasonable notice.
Notification of Personal Data Breaches
In the event of a data breach, the Client is responsible for assessing whether notification is required and, if so, notifying the relevant authority and affected data subjects. Prometeo shall support this process as necessary.
Impact Assessments and DPO
Where legally required, the Client shall conduct data protection impact assessments and appoint a Data Protection Officer.
Termination of Service
Upon termination of the services, Prometeo shall return to the Client all personal data and any related documents or media, including all copies.
Once the data has been returned, Prometeo will proceed with its permanent deletion, unless retention is legally required.
If retention is required by law, Prometeo shall:
- Store the data securely,
- Block further processing, and
- Use the data solely to comply with the legal obligation.
The confidentiality obligations set forth in this DPA shall survive the termination of the services.
Liability and Jurisdiction
Liability
Each party shall be liable for any fines, damages, or losses resulting from a breach of its obligations under applicable data protection laws.
Indemnification
Each party agrees to indemnify and hold the other harmless from any claims, penalties, losses, or proceedings arising from its own failure to comply with applicable data protection obligations.
Controller Responsibility
The Client expressly acknowledges that Prometeo shall not be held liable for breaches that fall under the Client’s responsibility as Data Controller, whether such obligations are expressly stated in this DPA or derive from applicable data protection laws.
Governing Law
This DPA shall be governed by the laws of the country in which the Data Controller is established.
Jurisdiction
Any disputes arising from or related to the processing of personal data under this DPA shall be submitted to the exclusive jurisdiction of the courts of the country where the Data Controller is located.