top of page

Cyrolo Data Protection

  1. Definitions 1.1 Capitalized terms used but not defined herein have the meanings set forth in the Agreement (including the Master Service Agreement and Cyrolo’s Terms & Conditions). 1.2 Specific definitions relating to data protection:

    • “Affiliate,” “Data,” “Data Breach,” “Data Protection Laws,” “Data Subject Request,” “GDPR,” “Standard Contractual Clauses,” “Subprocessor,” “User,” “User Personal Data,” etc., are defined in detail, reflecting their meanings as per GDPR and relevant data protection regulations.

  2. General 2.1 Roles in Data Processing: Clarification of the Customer and Cyrolo’s roles (controller, processor) in data processing activities.

  3. Customer Obligations 3.1 Details the Customer's responsibilities in processing Data, including lawful basis for processing, instructions to Cyrolo, and compliance with Data Protection Laws.

  4. Subject Matter, Duration, and Nature of Data and Processing 4.1 Outlines the purposes, types, and nature of data processing, duration of processing, and any specific requirements or limitations.

  5. Security and Data Breaches 5.1 Details Cyrolo’s obligations in ensuring data security, addressing Data Breaches, and cooperation with the Customer in such events.

  6. Data Subject Requests 6.1 Specifies the procedures for handling Data Subject Requests and the support provided by Cyrolo to the Customer in this regard.

  7. Data Protection Impact Assessments and Prior Consultations

    • Assistance provided by Cyrolo to the Customer for compliance with GDPR requirements for data protection impact assessments.

  8. Subprocessors 8.1 Guidelines and conditions under which Cyrolo can engage Subprocessors, including notifications and Customer's rights in relation to new Subprocessor appointments.

  9. International Transfers 9.1 Conditions and safeguards for the international transfer of data, including adherence to GDPR requirements and Standard Contractual Clauses.

  10. Amendments and Updates

  • Provision for updating the terms to remain compliant with evolving Data Protection Laws.
     

  1. SECTION II – OBLIGATIONS OF THE PARTIES

  2. Clause 8: Data Protection Safeguards

  3. Instructions: a) The data importer shall only process personal data as per the documented instructions from the data exporter. b) The data importer must inform the data exporter immediately if unable to follow the instructions.

  4. Purpose Limitation:

  5. The data importer shall process the personal data solely for the specific purposes outlined in Annex I.B, unless directed otherwise by the data exporter.

  6. Transparency:

  7. Upon request, the data exporter shall provide a copy of these Clauses, including the completed Appendix, to the data subject. Redactions are allowed to protect confidential information but must be accompanied by a meaningful summary.

  8. Accuracy:

  9. The data importer is required to inform the data exporter without undue delay if it becomes aware of any inaccuracies in the personal data.

  10. Duration of Processing and Erasure or Return of Data:

  11. The data importer's processing activities are limited to the duration specified in Annex I.B. Post-processing, the data importer must either delete or return the personal data as per the data exporter's choice.

  12. Security of Processing:

  13. Both the data importer and exporter must implement appropriate measures to ensure data security. Regular checks should be performed to maintain this level of security.

  14. Sensitive Data:

  15. If the transfer involves sensitive data, the data importer must apply specific restrictions and/or additional safeguards.

  16. Onward Transfers:

  17. The data importer can only disclose personal data to a third party based on the data exporter's instructions and under certain conditions detailed in this clause.

  18. Documentation and Compliance:

  19. The data importer must maintain proper documentation of processing activities and comply with audit requests from the data exporter.

  20. Clause 9: Use of Sub-processors

  21. General Authorization and Notice:

  22. The data importer has general authorization to engage sub-processors from an agreed list, with obligations to inform the data exporter of any intended changes.

  23. Contractual Obligations:

  24. Sub-processors must be bound by data protection obligations that are substantively similar to those binding the data importer.

  25. Liability and Cooperation:

  26. The data importer remains fully responsible for the sub-processor's performance and must cooperate with the data exporter in case of any failures.

  27. Clause 10: Data Subject Rights

  28. Notification and Assistance:

  29. The data importer must notify the data exporter of any data subject requests and assist in fulfilling the data exporter's obligations to respond to such requests.

  30. Clause 11: Redress

  31. Handling Complaints:

  32. The data importer is responsible for handling complaints from data subjects and resolving disputes amicably.

  33. SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

  34. Clause 14: Local Laws and Practices Affecting Compliance

  35. Assessment of Laws and Practices:

  36. Both parties warrant that they have assessed the laws in the third country of destination and believe these do not prevent compliance with the Clauses.

  37. Notification of Changes:

  38. The data importer agrees to notify the data exporter if it becomes subject to laws or practices not in line with these Clauses.

  39. Clause 15: Obligations in Case of Access by Public Authorities

  40. Notification and Review of Requests:

  41. The data importer must notify the data exporter of requests for data disclosure by public authorities and challenge any unlawful requests.

  42. SECTION IV – FINAL PROVISIONS

  43. Clause 16: Non-compliance and Termination

  44. Notification of Non-compliance:

  45. The data importer must inform the data exporter if it is unable to comply with these Clauses.

  46. Suspension and Termination:

  47. The data exporter can suspend or terminate the contract if the data importer is in breach or unable to comply with these Clauses.

bottom of page