
Data processing agreement for referrals

Last updated: January 29, 2024

1. Preamble

1.1. The parties have entered into the Principal Agreement.

1.2. The provision of services under the Principal Agreement involves personal data processing subject to the GDPR.

2. Definitions

2.1. DATA EXPORTER – 1D3.

2.2. DATA IMPORTER – means a legal or natural person with whom 1D3 concludes the Principal Agreement.

2.3. GDPR – means Regulation (EU) 2016/679 (the General Data Protection Regulation).

2.4. Supplier – means a potential or existing customer (including its affiliates) of the DATA EXPORTER.

2.5. Principal Agreement – means the Referral Agreement entered into between the Parties.

2.6. Standard Contractual Clauses (SCCs) – means the Annex to the COMMISSION IMPLEMENTING DECISION on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, as officially published at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf or in other official publications of the European Union, as updated from time to time (Module One – Transfer controller to controller) and as described in clause 3.1. of this Agreement.

2.7. Terms used but not defined herein shall be interpreted in accordance with the GDPR and the SCCs.

2.8. Any reference to the GDPR and the SCCs shall be a reference to these documents as updated from time to time.

3. International Data Transfers

3.1. The Parties agree that the SCCs shall be deemed to be executed between the Parties and incorporated herein as a legally binding contract, and:

3.1.1. clause 7 of the SCCs shall be excluded;

3.1.2. in clause 11(a) of the SCCs, the optional paragraph shall not apply;

3.1.3. in clause 17 of the SCCs Option 1 shall apply and the SCCs shall be governed by the laws of Estonia;

3.1.4. in clause 18(b) of the SCCs, disputes shall be resolved before the courts of Estonia;

3.1.5. Annex I A of the SCCs shall be deemed completed with the details of the Parties where DATA EXPORTER shall be the “data exporter” and the DATA IMPORTER shall be the “data importer”;

3.1.6. Annex I B of the SCCs shall be deemed completed with the information set out in Schedule I hereto;

3.1.7. the competent supervisory authority for the purposes of Annex I C of the SCCs shall be the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon);

3.1.8. Annex II of the SCCs shall be deemed completed with the information set out in Schedule II hereto.

4. Miscellaneous

4.1. In case any provision of the Agreement is held invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.

4.2. In case of any discrepancy between the SCCs and this Agreement, the SCCs shall prevail.

4.3. The Agreement and any non-contractual obligations arising from or in connection with it shall be governed by and construed in accordance with the laws of Estonia.

The courts of Estonia shall have exclusive jurisdiction to settle any dispute which may arise out of or in connection with the Agreement.

Schedule I

Description of transfer

Categories of data subjects whose personal data is transferred:

  • Employees, contractors and representatives of the DATA EXPORTER*;
  • Directors, shareholders and beneficial owners of the DATA EXPORTER;
  • Employees, contractors and representatives of the Suppliers;
  • Directors, shareholders and beneficial owners of the Suppliers.

* For the purposes of this Schedule ‘DATA EXPORTER’ includes its affiliates.

Categories of personal data transferred:

Employees, contractors and representatives of the DATA EXPORTER:

  • Full name;
  • E-mail address;
  • Phone number;
  • Position;
  • Information produced within the work duties.

Directors, shareholders and beneficial owners of the DATA EXPORTER:

  • Full name;
  • E-mail address;
  • Residency address;
  • ID data, including date of birth and ID number;
  • Phone number;
  • Position;
  • Rights held at the DATA EXPORTER.

Employees, contractors and representatives of the Suppliers:

  • Full name;
  • E-mail address;
  • Phone number;
  • Position;
  • Information produced within the work duties.

Directors, shareholders and beneficial owners of the Suppliers:

  • Full name;
  • E-mail address;
  • Residency address;
  • ID data, including date of birth and ID number;
  • Phone number;
  • Position;
  • Rights held at the Supplier.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitations, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

  • Not applicable.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

  • Continuous transfer.

Nature of the processing:

Employees, contractors and representatives of the DATA EXPORTER:

  • Sending to the DATA IMPORTER via e-mail;
  • Where applicable, uploading in the systems of the DATA IMPORTER and/or DATA EXPORTER.

Directors, shareholders and beneficial owners of the DATA EXPORTER:

  • Sending to the DATA IMPORTER via e-mail;
  • Where applicable, uploading in the systems of the DATA IMPORTER and/or DATA EXPORTER.

Employees, contractors and representatives of the Suppliers:

  • Sending to the DATA IMPORTER via e-mail;
  • Where applicable, uploading in the systems of the DATA IMPORTER and/or DATA EXPORTER.

Directors, shareholders and beneficial owners of the Suppliers:

  • Sending to the DATA IMPORTER via e-mail;
  • Where applicable, uploading in the systems of the DATA IMPORTER and/or DATA EXPORTER.

Purpose(s) of the data transfer and further processing:

Employees, contractors and representatives of the DATA EXPORTER:

  • Ensuring communication between the Parties under the Principal Agreement.

Directors, shareholders and beneficial owners of the DATA EXPORTER:

  • Performance of customer due diligence and other checks by the DATA IMPORTER;
  • Executing documents with the DATA IMPORTER.

Employees, contractors and representatives of the Suppliers:

  • Where relevant, ensuring communication between the Supplier, the DATA EXPORTER and the DATA IMPORTER under the Principal Agreement.

Directors, shareholders and beneficial owners of the Suppliers:

  • Performance of customer due diligence and other checks by the DATA EXPORTER.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  • No longer than for 2 (two) years, except where a longer retention period is explicitly required by local laws of the DATA IMPORTER.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

  • Not applicable.

Schedule II

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:

Measures of pseudonymisation and encryption of personal data:

  • Use of VPN tunnels;
  • Where data is pseudonymised, storing the allocation (re-identification key) file separately from the data sets.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:

  • Individual allocation of user rights;
  • Authentication by username and password, together with strong customer authentication (multi-factor authentication);
  • Minimum requirements for passwords (at least eight characters; alphanumeric combinations allowing the use of special characters; no acceptance of trivial passwords (e.g. 12345); no acceptance of the same character repeated in a row);
  • Password management (storage of passwords only as hashes; blocking of the account after a set number of failed login attempts (the number may differ for particular systems); logging of failed login attempts; presentation of the last login (date, time) to the user for self-checking; compulsory change of password after a set period (the period may differ for particular systems); no re-use of the previous password);
  • Re-authentication (password prompt) after a period of inactivity;
  • Password protection for BIOS;
  • Encryption of data;
  • Virus protection and firewall;
  • Intrusion detection systems;
  • Security Awareness Training;
  • DDoS attack prevention facility;
  • Penetration testing;
  • DNS protections;
  • Fraud prevention facility;
  • Vulnerability management;
  • Static code analysis;
  • Business continuity and disaster recovery;
  • Incident management and reporting;
  • Information resource classification and handling.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:

  • Access to data only on a need-to-know-basis, separation of duties and least privilege principles;
  • Development of a role-based authorisation concept;
  • Permanent updating of role-based authorisation concept;
  • General access rights only for limited number of administrators.

Measures for the protection of data during transmission:

  • Content filter for outgoing data;
  • Secure transport containers in case of physical transports;
  • Encryption of mobile data carriers (such as USB sticks or external USB hard drives), laptops, tablets and smartphones;
  • Recording of data transfers.

Measures for the protection of data during storage:

  • Physically separated storage on different hardware systems or data carriers;
  • Logical client separation;
  • Defining and attaching processing purposes for data sets;
  • Defining and implementing database access properties;
  • Development of a role-based authorisation concept;
  • Separation of test data and live data;
  • Encryption of data sets stored for the same purpose;
  • VLAN segregation;
  • Logging of access to and copying, modifying and deletion of data;
  • Intrusion detection systems;
  • Secured storage of data carriers;
  • Secure data lines and sockets;
  • Secure deletion of data and destruction of data carriers and recording of deletion and destruction.

Measures for ensuring physical security of locations at which personal data are processed:

  • Permanently locked doors (such premises do not have windows);
  • Security locks;
  • Single access entry control systems;
  • Automated and manual system of access control;
  • Chip card readers;
  • Chip locks on doors;
  • Monitoring installations (e.g. alarm device, video surveillance);
  • Logging of visitors;
  • Security personnel;
  • Careful selection of cleaning and maintenance personnel;
  • Security Awareness Training.

Measures for ensuring events logging:

  • Automatic central consolidation of all log records;
  • Event monitoring with real-time alerts and notification policies;
  • Generating reports for key stakeholders (auditors, security or compliance officers and management teams).

Measures for ensuring system configuration, including default configuration:

  • Configuration Management Plan.

Measures for internal IT and IT security governance and management:

  • Business Continuity Plan;
  • IT system certification and auditing.

Measures for certification/assurance of processes and products:

  • Auditing.

Measures for ensuring data minimisation:

  • Internal policy outlining the principles for collection of relevant and non-excessive data only;
  • Conducting Data Protection Impact Assessments.

Measures for ensuring data quality:

  • Logging of entering, modification and removal of data in/from the system;
  • Traceability of entering, modification and removal of data by logging user names (not user groups);
  • Individual allocation of user rights to enter, modify or remove based on a role-based authorisation concept;
  • File-integrity monitoring.

Measures for ensuring limited data retention:

  • Data retention schedules and instructions;
  • Periodic audit of the retained data.

Measures for ensuring accountability:

  • Assigning a person responsible for data protection;
  • Diligent selection of service providers (in particular with respect to IT security);
  • Audit rights and continuous review of compliance;
  • Logging.

Measures for allowing data portability and ensuring erasure:

  • Data retention and erasure schedules;
  • Data portability policy;
  • Providing data in a structured, commonly used and machine-readable format.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter:

  • Not applicable.