Customer (hereinafter, “the Controller”) of the one part, AND
Leap Tools (hereinafter, “the Processor”) of the other part,
The purpose of these clauses is to define the conditions in which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation” or “GDPR”).
The Processor is authorized to process, on behalf of the Controller, the necessary personal data for providing the services outlined in the Agreement (the “Services”). The purpose of the Services is to enable a user to visualize the Controller’s product in a room picture, to store such a picture and to share such a picture with third parties. For this purpose the following personal data shall be processed by the Processor:
The Services, as well as any personal data being processed by the Processor, are run on the IT infrastructure (including server) of the Processor.
The categories of data subjects are users of the software Roomvo.
As a result of being included in the Agreement, this Data Processing Agreement enters into force in concurrence with the Agreement for the duration of the Agreement.
The Processor shall undertake to:
The Processor may engage other processors (hereinafter “the sub-processors”) to conduct processing activities. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors.
It is the Controller’s responsibility to inform the data subjects concerned by the processing operations prior to the time data are being collected.
The Processor shall assist the Controller, insofar as this is possible, in the fulfilment of its obligation to respond to requests for exercising the data subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
The Processor shall notify the Controller of any violations of the protection of personal data processed on behalf of the Controller.
The notification shall contain the following information, if known at the time of the notification:
The Processor assists the Controller in carrying out data protection impact assessments.
The Processor assists the Controller with regard to prior consultation of the supervisory authority.
The Processor undertakes to implement the following security measures:
At the end of performing the Services, the Processor undertakes to destroy all non-pseudonymized personal data, except for archiving in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by GDPR.
The Processor shall communicate to the Controller the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.
The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, containing:
The Processor provides the Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing an independent third-party auditor, appointed by the Controller and approved by the Processor, to conduct audits, including inspections, and for contributing to such audits. The Controller shall compensate the Processor for any and all costs related to audits and inspections.
The Controller undertakes to:
Last Updated: June 10, 2020