Terms of processing personal data through the platform

1. Subject of the Terms

1.1. The Subject of these Terms is the processing of personal data through the PLATFORM, whereby the company Telum d.o.o., Sv. Vinka Paulskog 14a, 23000 Zadar, OIB: 69522639296 acts in the capacity of processor (hereinafter referred to as “Processor”), while the Client acts in the capacity of controller (hereinafter referred to as “Controller”) in the sense of the General Terms, as defined by the Applicable Law.

1.2. The provisions specified below, as well as the processing of personal data will be applied only in the event that the Processor processes Personal Data on behalf of the Controller, on the basis of the General Terms and the agreed terms of cooperation, i.e. throughout the duration of use of the PLATFORM.

2. Definitions

2.1. For the purpose of applying these Terms, the following terms have the following meaning:

2.1.1. “Processing System” implies notes on the data and selected options of the configuration of the PLATFORM, which are chosen by the Controller and are implemented in the user account on the PLATFORM. This term particularly encompasses the following items: (i) categories of Personal Data that are processed as part of the service of the PLATFORM, (ii) input channels of Personal Data, and (iii) other data on selected options and configuration of the PLATFORM. Records on the items listed above are stored within the user account on the PLATFORM and are accessible in an appropriate manner to the Controller and the Processor. The Processing System makes up an integral part of these Terms;

2.1.2. “Examinee” implies the User as defined by the General Terms, i.e. a natural person who visits the webpages of the Controller, and who is identified or identifiable;

2.1.3. “Personal Data” implies any data that refer to an individual who is identified or identifiable (Examinee). An individual who is identifiable is a person who can be identified directly or indirectly, particularly by means of an identifier such as a name, identification number, location data, online identifier, or by means of one or more factors that are characteristic for the physical, physiological, genetic, mental, economic, cultural, or social identity (in accordance with the definition in the Applicable Law) processed by the Processor on behalf of the Controller when enabling the services of the PLATFORM. The categories of Personal Data that are processed as part of the service of the PLATFORM will be defined as part of the Processing System;

2.1.4. “Processing” implies any procedure or a set of procedures that are conducted on personal data or sets of personal data, be it by using automated or non-automated means such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in accordance with the Applicable Law. The Processing of Personal Data, on the basis of the General Terms and agreed terms of cooperation, is also listed as part of the Processing System;

2.1.5. “Personal Data Breach” includes any violation of security or privacy that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. For the avoidance of any doubt, the aforementioned includes any kind of violation caused by the employee or subcontractor of the Processor or any other person who acts on behalf of the Processor (e.g. consultants and the like);

2.1.6. “Third Country” is a country that is not a member of the European Union (EU) and/or the European Economic Area (EEA).

2.2. Other phrases, definitions and terms defined in the General Terms section are also appropriately applied in these Terms.

3. Purpose of Personal Data Processing

3.1. The purpose of Personal Data Processing that is the Subject of these Terms is the execution of service of the PLATFORM, i.e. enabling the use of service of the PLATFORM on part of the Controller for the purpose of marketing, communications, sales and internal statistics.

4. Responsibilities of the Controller

4.1. The Controller implements appropriate technical and organisational measures so as to ensure and be able to prove that the Processing is conducted in accordance with the Applicable Law.

4.2. The Controller has the option to connect to Facebook ads and Google Analytics accounts to enable cost import from Facebook ads campaigns to Google Analytics.

5. Responsibilities of the Processor

5.1. The Processor will process Personal Data exclusively in accordance with the General Terms, with these Terms, and in accordance with the needs and instructions of the Controller, which are substantially contained as part of the Processing System, unless particular Processing is required by the Applicable Law. In that case, the Processor will have informed the Controller of the aforementioned legal obligation prior to the Processing, unless this right prohibits such reporting due to important reasons of public interest.

5.2. The Processor will keep Personal Data confidential and ensure that the persons who are authorised to process Personal Data have committed themselves to confidentiality or are under appropriate legal obligation of confidentiality.

5.3. The Processor will undertake and implement all necessary measures in accordance with Article 6 of these Terms (Security of Processing).

5.4. The Processor will maintain records of Personal Data Processing in the sense of Article 30, Paragraph 2 of the GDPR.

5.5. The Processor will appoint a Data Protection Officer, provided that the presuppositions from Article 37 of the GDPR have been fulfilled.

5.6. While taking into account the nature of the Processing, the Processor will assist the Controller through appropriate technical and organisational measures, to the extent possible, so as to fulfil the obligation of the Controller in terms of responding to requests for the exercise of rights of the Examinee that are defined by the Applicable Law.

5.7. The Processor will assist the Controller in ensuring compliance with the obligations in accordance with the Applicable Law, while taking into account the nature of the Processing and the information available to the Processor.

5. Responsibility for the content

5.8. At the choice of the Controller, the Processor will delete or return all Personal Data to the Controller following the end of provision of service of the PLATFORM, and delete existing data unless there is an obligation of storing Personal Data, in accordance with the law of the Union or the law of the member country.

5.9. The Processor will make available to the Controller all information that are necessary to prove compliance with the obligations defined in this Article 5 of these Terms, and allow supervision by the Controller or another auditor authorised by the Controller. In this respect, the Processor will immediately inform the Controller if, in their opinion, a particular instruction infringes the Applicable Law or other relevant regulations of an EU member state on the protection of personal data.

5.10. The Processor will alter the provisions of the General Terms and/or these Terms which are required for compliance with the obligations in the Applicable Law.

5.12. The Processor will not use, share, or store any of the Facebook user data that becomes available while connecting to Facebook API. The Processor will just store the Access Token for the sole purpose of importing Facebook cost from Facebook ads campaigns to Google Analytics. The Processor will delete Access Token immediately after The Controller deletes the connection to Facebook ads from the PLATFORM interface.

6. Security of processing

6.1. While taking into account the state of the art, the costs of implementation, and the nature, scope, context and purpose of the Processing, as well as the risks of varying likelihood and severity posed to the rights and freedoms of natural persons, the Processor will have implemented appropriate technical and organisational measures prior to undertaking any kind of Processing, so as to ensure a level of security that is adequate to the risk, which includes, among other things, the following where necessary:

6.1.1. the pseudonymisation and encryption of Personal Data;

6.1.2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of the Processing System;

6.1.3. the ability to establish in a timely manner the availability and access to Personal Data in the event of a physical or technical incident;

6.1.4. a process for regular testing, assessment, and evaluation of effectiveness of technical and organisational measures for ensuring security of the Processing.

6.2. When assessing the appropriate level of security, particular account will be taken of the risks posed by the Processing, especially the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data that are transmitted, stored, or otherwise Processed.

6.3. The Controller and the Processor will take steps to ensure that any natural person, who acts on behalf of the Controller or the Processor and therefore has access to Personal Data, does not process the aforementioned data except in the manner defined by these Terms, the Applicable Law, and in accordance with the initial instructions and wishes of the Controller in terms of the configuration of the PLATFORM. An exception is made in the event that this person is obliged to do so according to the law of the European Union or the law of the EU member state.

6.4. The Processor will notify the Controller within 24 (twenty-four) hours should they learn of any kind of Personal Data Breach. Such notification is to be sent to the contact address of the Controller, which is used in standard communication for the purposes of the PLATFORM, concurrently with sending a copy to [email protected]. When and to the extent at which it is not possible to simultaneously provide all information on the Personal Data Breach, the remaining information can be delivered in phases, but without undue further delay.

7. Subcontractors of the Processor

7.1. By using the services of the PLATFORM, the Controller is aware of the fact that the Processor uses subcontractors for the purpose and functionality of the PLATFORM, and that there is a possibility that additional subcontractors would have to be employed or existing ones changed. The Controller consents to the employment of these subcontractors as sub-processors.

7.2. In order to ensure maintaining a high level of protection of personal data and security of the PLATFORM, the Processor will make the decision on the selection of individual sub-processors carefully and by applying a high standard of professional diligence. The Processor will not subcontract any Personal Data Processing without entering into a written agreement with the sub-processor, which will contain the obligations of protection of personal data as specified in these Terms.

7.3. If the Controller disagrees with the subcontracting of Processing on part of the Processor, the Controller can terminate any kind of cooperation with the Processor in relation to the services of the PLATFORM.

8. Supervision and audit

8.1. The Controller has the right to supervise, autonomously or by appointing an independent third person (who is not a competitor of the Processor, and upon acceptance by the Processor), whether the Processor adheres to the obligations specified in these Terms, and whether they act in accordance with initial requirements and instructions of the Controller. The Processor will cooperate with and assist the Controller or a third person performing the audit, insofar that they will provide the requested information, submit the requested documentation, and enable access to business premises, IT systems and other tools needed for effective supervision over the adherence to the provisions of these Terms.

8.2. The Processor will ensure that the Controller has equal rights in relation to all selected sub-processors. The Processor can offer alternative solutions for supervision, e.g. an audit conducted by an independent third person, which can or do not have to be accepted by the Controller.

8.3. The supervision specified in this Article must be announced to the Processor no later than 30 days prior to its exercise, and must be conducted on the basis of the framework plan, on which the Controller and the Processor will have agreed before the supervision is conducted. In the event that they fail to agree on the framework plan, the Controller has the right to define it autonomously.

8.4. The Processor will enable a supervisory authority, competent for data protection at the level of the Republic of Croatia or the EU, to conduct supervision in business premises of the Processor.

8.5. In the event that any authority, competent for data protection or another (supervisory) authority, initiates a review of Personal Data Processing on part of the Controller, or that an Examinee submits a complaint against the Controller, on the subject of Processing that is presumed to have been executed by the Processor, the Processor will assist the Controller by providing documentation and other information related to the Processing, so as to enable the Controller to satisfy the competent authorities in their supervision and to respond to any complaint.

9. Additional protective measures

9.1. Notification: The Processor will continuously and timely provide the Controller with all current information on Processing, which the Controller can reasonably request when required for the fulfilment of their obligations according to the Applicable Law.

9.2. Personal Data Breaches: Upon request of the Controller, the Processor will cooperate with the Controller and provide information on the nature, circumstances, and causes of Personal Data Breach. The Processor will undertake all actions required to prevent further losses or limit the repercussions of Personal Data Breach in another manner. The Processor will conduct professional forensic and security verification and audit in relation to Personal Data Breach. Personal Data Breach will be resolved in accordance with the Applicable Law and the instructions that may be given to the Processor by the Controller.

9.3. Obligation of cooperation to ensure the rights of the Examinee: Should the Controller request this, the Processor will do the following without any additional costs for the Controller or the Examinees:

9.3.1. immediately deliver to the Controller a copy of Personal Data in an intelligible form, and/or

9.3.2. in accordance with the decision of the Controller, enable them access to Personal Data at any moment, and/or

9.3.3. immediately modify, correct, block or delete Personal Data in a manner specified by the Applicable Law.

9.4. Management of requests and complaints of public entities: depending on what is permitted by the Applicable Law, in the event that the Processor receives a request or complaint of the Competent Authority concerning any type of Personal Data, they will inform the Controller of this without delay, with indication of the Competent Authority in question, the scope of the request, and the basis specified in the request or the complaint. In this respect, the Processor will refer without delay the request or complaint of the Competent Authority to the Controller so that the Controller could respond to the request or complaint of the Competent Authority following consultations with the Processor, unless otherwise specified by the Applicable Law or another law applicable to these Terms.