Article 1. Definitions
“Personal Data” refers to any information relating to an identified or identifiable natural person, (“Data Subject“); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Processor” refers to the entity acting on behalf of the Data Controller.
“Processing” means any operation, or a set of operations done, using automatic processes or not, applied to personal data, as collecting, recording, organization, structuration, retention, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of the personal data.
“Transfer of Personal Data” means the processing, material transfer or distant access to Personal Data from entities established out of the European Economic Area (EEA).
“Personal Data breach“ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Article 2. Processing of the Controller Personal Data
(1) Gtmhub shall comply with all applicable data protection laws when processing the Controller Personal Data. The Controller Personal Data includes categories of personal data of the Controller’s employees who will be provided with access to the Gtmhub’s services under the Principal Agreement: names, email address, IP address, phone number, position, employer, employee’s personal objectives, key results and tasks.
(2) Gtmhub shall process Controller Personal Data only on the Controller’s documented instructions unless the processing is required by the applicable laws to which Gtmhub is subject. Gtmhub is prohibited to use or otherwise process Controller Personal Data for purposes different than the provision of the services under the Principal Agreement and only for the term agreed under the Principal Agreement.
(3) Gtmhub shall not disclose or provide the Controller Personal Data to third parties, except under the provisions of Art. 4 of this Data Processing Agreement or where there is an obligation under the applicable data protection laws.
Article 3. Gtmhub’s personnel
(1) Gtmhub shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors who may have access to the Controller Personal Data.
(2) Gtmhub shall in each case ensure that access to the Controller Personal Data is strictly limited to those individuals who need to know and/or access the relevant Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with the applicable laws in the context of that individual's duties to Gtmhub, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Article 4. Security of the Controller Personal Data
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Controller Personal Data as well as the risks for the rights and freedoms of natural persons, in particular the risk of Controller Personal Data breach, Gtmhub shall implement in relation to the Controller Personal Data appropriate technical and organizational measures to ensure an appropriate level of security.
Article 5. Appointment of subprocessors
(1) The Controller authorizes Gtmhub to appoint subprocessors (the “Subprocessor”) in accordance with this article. Each Subprocessor shall also be entitled to appoint subprocessors to the extent the restriction of this article are complied with.
(2) Gtmhub shall give the Controller prior written notice of the appointment of any new Subprocessors, including full details of the processing activities that the Subprocessor will undertake.
(3) The Controller shall have 3 business days following the receipt of the written notice on the appointment of a Subprocessor to object in writing to the proposed appointment of the Subprocessor. In such cases, if Gtmhub may not by itself perform the services related to the data processing under the Principal Agreement, Gtmhub may unilaterally and without notice terminate the Principal Agreement. If there is no objection on the side of the Controller within the set term, the Subprocessor is deemed approved by the Controller.
(4) Gtmhub shall not disclose Controller Personal Data to Subprocessors which have not yet been notified and approved by the Controller. Gtmhub shall conclude a written contract with the Subprocessor to govern their relation. The contract shall meet the requirements of Article 28, para. 3 of the GDPR and shall contain terms that offer at least the same level of protection for the Controller Personal Data as those set in this Data Processing Agreement. If the appointment of a Subprocessor involves transfers of the Controller Personal Data to third countries, Gtmhub shall incorporate the Standard data protection clauses adopted by the European Commission in its contract with the Subprocessor.
(5) Gtmhub may continue to use and provide access to the Controller Personal Data to Subprocessors which have already been engaged by Gtmhub at the date of conclusion of this Data Processing Agreement. A list of Gtmhub’s Subprocessors is available at: https://help.gtmhub.com/en/articles/1748394-gtmhub-gdpr.
Article 6. Obligations of Gtmhub towards the Controller
(1) Gtmhub shall promptly notify the Controller if it or any of its Subprocessors have received a request from a data subject who wishes to exercise his/her rights related to the Controller Personal Data under the applicable data protection laws. Gtmhub shall reasonably assist the Controller to respond to such requests.
(2) Gtmhub shall ensure that it or any of its Subprocessors does not respond to data subject requests except on the documented instructions of the Controller or as required by the applicable laws to which Gtmhub or the respective Subprocessor is subjected. In case the response to the request is required by the applicable laws, Gtmhub or the Subprocessor shall to the extent permitted by this law prior to responding to the request inform the Controller of this legal requirement.
(3) Gtmhub shall provide the Controller at the latter’s expense reasonable assistance with any data protection impact assessments and prior consultations with the competent data protection authorities, which the Controller reasonably considers necessary pursuant to Art. 35 and Art. 36 of the GDPR.
Article 7. Personal data breach
(1) Gtmhub shall notify the Controller without undue delay on Gtmhub or any of its Subprocessors becoming aware of a personal data breach affecting the Controller Personal Data. Gtmhub shall provide the Controller with sufficient information to allow the Controller to meet its obligations to report or inform the data subjects of the personal data breach as required by the data protection laws applicable to the Controller.
(2) Gtmhub shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist the Controller investigate, mitigate and remediate the personal data breach.
Article 8. Deletion of the Controller Personal Data
(1) Gtmhub shall promptly and in any event within 9 months of the date of cessation of any services involving the processing of the Controller Personal Data delete in a manner that the data could not be recovered and procure the deletion of all copies of Controller Personal Data processed for the services under the Principal Agreement.
(2) Notwithstanding the previous paragraph, Gtmhub may retain the Controller Personal Data to the extent required by the applicable data protection laws and only to the extent and for such periods as required by the applicable laws. In any such case, Gtmhub shall ensure the confidentiality of the Controller Personal Data and shall ensure that such Controller Personal Data is solely processed as necessary for the purpose specified in the applicable laws requiring the storage of the Controller Personal Data.
Article 9. Audit rights
(1) Gtmhub shall make available to the Controller on the latter’s request all information necessary to demonstrate compliance with this Data Processing Agreement. Gtmhub shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the processing of the Controller Personal Data by Gtmhub. All expenses related to the audit are to be borne by the Controller.
(2) The Controller shall give one-month notice to Gtmhub by submitting a detailed audit plan for any audit or inspection to be conducted. The Controller and its mandated auditors shall make reasonable efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Gtmhub’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The audits and inspections shall take place during normal business hours for Gtmhub.
(3) If the requested audit scope is addressed in an audit report performed by a qualified thirdparty auditor within twelve months of the Controller’s audit request and Gtmhub confirms there are no known material changes in the controls audited, the Controller agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
Article 10. International transfers
(1) Gtmhub is required to notify the Controller in advance about the third countries to which Gtmhub may transfer Controller Personal Data and undertakes to comply with all additional reasonable instructions given by the Controller in connection with such processing. As at the date of the conclusion of this Data Processing Agreement, the Controller expressly authorizes Gtmhub to transfer Controller Personal Data to the Unites States of America.
Article 11. Miscellaneous
(1) This Data Processing Agreement shall be governed by the Bulgarian law and the Bulgarian courts shall have exclusive jurisdictions for any disputes arising out of or in connection with this Data Processing Agreement.
(2) Should any provision of this Data Processing Agreement be proclaimed invalid or unenforceable, then the remainder of this Data Processing Agreement shall remain valid and in force. The invalid or unenforceable provision shall be amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible.
33 Alexander Malinov Blvd., Floor 6
Sofia 1729, Bulgaria