Data Processing Agreement
This document outlines the data processing agreement that will be executed by Datintel, S.L., hereinafter referred to as THE PROCESSOR, on behalf of and at the request of the client, hereinafter referred to as THE CONTROLLER.
This document is supplementary to the Contracting Conditions document also available on this site. Unless otherwise stipulated or agreed upon, and provided that this data processing agreement applies to the services contracted by the user, both are accepted when a contract with Golden Owl® is made through this website.
I. IDENTITY OF THE CONTRACTING PARTIES
On one hand, the provider of the goods or services contracted by the user is Datintel, S.L., (Golden Owl®) with registered office at Alicante Science Park, Wes Campus of the University of Alicante, 03005, Alicante, Spain, NIF B56582307, and with customer support email info@golden-owl.eu, hereinafter referred to as THE PROCESSOR.
On the other hand, the CLIENT, registered on the website using their corresponding access credentials, over which they have full responsibility for use and custody. The user is responsible for the truthfulness of the personal data provided to Golden Owl®, hereinafter referred to as THE CONTROLLER.
II. OBJECT OF THE SERVICES PROVIDED
THE PROCESSOR is a company dedicated to providing services in the fields of research, design, development, production, integration, operation, maintenance, repair, and marketing. This work includes, but is not limited to, computer programming, particularly in specialized sectors such as artificial intelligence, data science, and advanced data analysis.
THE PROCESSOR will provide the services contracted by THE CONTROLLER, which may include, depending on the specific option chosen by the latter:
- Individual identification
- Business identification
- Online fraud investigation
- Business intelligence and risk services
- In-depth applied intelligence services to corporations
- Competitive intelligence services
- Global consulting
- Social media intelligence services
- Pre-investment intelligence services
- Other services chosen by the client
In providing the aforementioned services, THE PROCESSOR will handle personal data for which THE CONTROLLER is legally responsible.
In compliance with Regulation (EU) 2016/679 General Data Protection Regulation, as well as the Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights, it is the intention of both parties to establish the obligations and responsibilities corresponding to each in the processing of personal data, in accordance with the provisions contained in this document.
III. DESCRIPTION OF PROCESSING
THE PROCESSOR will process data at its own facilities, using its own computer system. Tasks associated with the provision of the contracted service include data collection, registration, structuring, updating, modification, storage, retrieval, consultation, communication by transmission, interconnection, comparison, destruction, or return upon completion of the entrusted tasks and the terms within which THE PROCESSOR may have responsibilities.
Data may also be subject to restriction or deletion at the request of an interested party and may be disclosed following the guidelines of the data controller.
It is important to remind the user that Golden Owl® primarily works with data and information available in public sources and sites, therefore it does not have the capacity to modify, delete, or alter the same or external databases not owned by it. Requests to exercise user rights will therefore relate to the treatments that are part of the databases for which Golden Owl® is responsible, if any.
IV. IDENTIFICATION OF AFFECTED INFORMATION
In the execution of the services derived from fulfilling the object of the mandate, THE CONTROLLER authorizes THE PROCESSOR to handle the personal data detailed below. Certain personal data may be treated indirectly or generically.
- The categories of data subjects whose data may be processed for the provision of services motivating this contract include:
  - Personnel and human resources
  - Suppliers and collaborators
  - Contact persons
  - Legal representatives
- Also, THE PROCESSOR may handle the following types of data, many of which are incidental and not directly processed but stored alongside other data of the data subject:
  - Identifiers
  - Personal characteristics
  - Social circumstances or professional qualifications
  - Academic and professional details
  - Employment details
  - Commercial information
  - Economic, financial, and insurance data
  - Transactions of goods and services
V. DURATION OF THE CONTRACT
The validity of this contract begins from the moment of contracting the associated services and is directly related to the provision of the contracted services. It ends at the moment of the completion of the tasks entrusted by THE CONTROLLER.
Its termination, for any reason, will require verifiable notification of no longer receiving, or if applicable providing, the services object of the mandate.
VI. RETURN OF DATA AT THE END OF THE CONTRACT
Once this contract ends, THE PROCESSOR must return to THE CONTROLLER the supports with personal data and delete any copies in its possession. The personal data processed by THE PROCESSOR will not be transferred or communicated to third parties, even for storage, without express consent from THE CONTROLLER.
The return must involve the complete deletion of the data existing in the systems and documents of THE PROCESSOR.
Data destruction will not proceed when there is a legal provision requiring its conservation, in which case they must be returned to the controller, who will ensure their preservation while such obligation persists. The data processor may keep, duly blocked, the data as long as liabilities arising from its relationship with the data controller could arise.
It is important to remind the user again that Golden Owl® primarily works with data and information available in public sources and sites, therefore it does not have the capacity to modify, delete, or alter the same or external databases not owned by it. Requests to exercise user rights will therefore relate to the treatments that are part of the databases for which Golden Owl® is responsible, if any.
VII. OBLIGATIONS OF THE PROCESSOR
THE PROCESSOR and all personnel under its control are obligated to:
- Use the personal data subject to processing, or those collected for inclusion, only for the purpose of this mandate. Under no circumstances may the data be used for the processor's own or different purposes.
- Process the data according to the documented instructions of THE CONTROLLER.
- Not perform international data transfers without authorization from THE CONTROLLER.
- Maintain, in writing, a record of all categories of processing activities performed on behalf of THE CONTROLLER, containing, in accordance with Article 30.2 of Regulation (EU) 2016/679.
- Not communicate the data to third parties, unless it has the express authorization of THE CONTROLLER, in legally permissible cases.
- Maintain the duty of secrecy regarding the personal data processed under this mandate, even after its termination.
- Ensure that the individuals authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures. THE PROCESSOR must inform about the security measures that must be applied. THE PROCESSOR will keep at THE CONTROLLER's disposal the documentary evidence of compliance with this obligation.
- Ensure necessary training in personal data protection matters for the individuals authorized to process personal data.
- When the data subjects exercise their rights of access, rectification, deletion, and opposition, limitation of processing, or data portability against THE PROCESSOR, it must communicate this by email to the address indicated by THE CONTROLLER.
- Notify THE CONTROLLER of data security breaches. THE PROCESSOR will notify THE CONTROLLER, without undue delay, through the email address indicated by THE CONTROLLER.
- Assist THE CONTROLLER in notifying security breaches to CONTROL AUTHORITIES and INTERESTED PARTIES: taking into account the nature of the processing and the information available to THE PROCESSOR, it will assist THE CONTROLLER in accordance with Article 33 of the GDPR.
- Due to the nature of the service, THE PROCESSOR is not obliged to provide information about the processing of their data to those affected who may be included in the reports made at the request of THE CONTROLLER.
- Provide THE CONTROLLER with all necessary information to demonstrate compliance with its obligations, as well as for conducting audits or inspections performed by THE CONTROLLER or another auditor authorized by it.
- Implement the necessary technical and organizational security measures to ensure the confidentiality, integrity, availability, and ongoing resilience of the processing systems and services.
- Verification, evaluation, and periodic valuation of security measures. THE PROCESSOR will implement a periodic procedure that allows it to verify, evaluate, and assess the effectiveness of the technical and organizational measures implemented in the processing systems, workplaces, and users under its control. From this procedure, the implementation of additional mechanisms will arise, if necessary according to the GDPR.
VIII. OBLIGATIONS OF THE CONTROLLER
- THE CONTROLLER confirms that it has a legitimate interest in requesting the service and that the determination of this legitimate interest falls on it and is not the responsibility of THE PROCESSOR to verify the existence of such interest. THE CONTROLLER commits to comply with all legal obligations associated with the legitimization of the data processing it commissions, ensuring that its request conforms to current data protection legislation.
- Where applicable, THE CONTROLLER must carry out the impact assessment on the protection of personal data of the processing operations to be performed by THE PROCESSOR. THE PROCESSOR has its own impact assessments that are only applicable to its own activity and will not be responsible for non-compliance with the client's obligation – THE CONTROLLER.
- THE CONTROLLER must be able to demonstrate that it has legitimization for the data processing mandate it contracts to THE PROCESSOR. In this regard, in case of alleging:
  - Legitimate interest, THE CONTROLLER guarantees to have the corresponding analysis of legitimate interests.
  - Consent, THE CONTROLLER guarantees to have the express, free, clear, and informed consents of the data subjects.
  - Contract, THE CONTROLLER guarantees to have a contract with the data subject, or the subjects who may be affected by the investigation, to carry out such processing. Having adequate legitimization requires, in addition to its validity, having provided, if applicable, the information about the processing to the data subjects. Golden Owl® will only perform analyses with a legitimate interest on the part of the client.
- Deliver to THE PROCESSOR the data necessary for the provision of the service.
- Perform the corresponding prior consultations.
- Ensure, prior to and throughout the processing, compliance with the GDPR by THE PROCESSOR.
- Supervise the processing, including conducting inspections and audits. As well as providing clear instructions on processing; adjusted to reality, especially taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
IX. SUBCONTRACTING
THE PROCESSOR is authorized to subcontract, with prior authorization from THE CONTROLLER, all or part of the services that are part of the object of this contract, and which may involve the processing of personal data.
If there is a need to subcontract any processing, this fact will be communicated in advance to THE CONTROLLER, indicating the processing intended to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. The subcontracting may be carried out if THE CONTROLLER does not express its opposition within the established period.
THE PROCESSOR will regulate the new relationship so that the new subcontractor is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as it. In the event of non-compliance by the subcontractor, the initial PROCESSOR will continue to be fully responsible to THE CONTROLLER regarding the compliance with the obligations.
Express authorizations for subcontracting in this contract
THE CONTROLLER authorizes THE PROCESSOR to subcontract all possible data processing, direct or indirect, that could be performed by companies and professionals providing auxiliary services, such as computer maintenance, consultancy, auditing, management, and software maintenance, among others, necessary for the normal functioning of its activity.
In these cases, the third party, that is, the subcontractor, will also be considered as a PROCESSOR. It will be up to the initial PROCESSOR to regulate the new relationship so that the new PROCESSOR is subject to the same conditions (instructions, obligations, security measures...) and with the same formal requirements as it, regarding the proper treatment of personal data and the guarantee of the rights of the affected persons.
In the event of non-compliance by the subcontractor, the initial PROCESSOR will continue to be fully responsible to THE CONTROLLER regarding the compliance with the obligations.
The subcontracting authorizations will be attached as an annex to this contract.
X. BREACH
The parties commit to comply with their respective obligations established in this agreement, ensuring the normal functioning of its terms. In particular, THE CONTROLLER will be considered responsible for any breach of data protection laws, including the General Data Protection Regulation (GDPR), when such breach results from its own determination of the purposes and means of the data processing. This includes the responsibility to ensure the existence of a legitimate interest or any other necessary legal basis for the data processing it commissions to THE PROCESSOR. If THE PROCESSOR violates the GDPR by acting outside the instructions of THE CONTROLLER, the latter will be considered THE CONTROLLER of the processing with respect to that processing.
XI. LIABILITY
The parties will be liable for all damages in all cases of negligent or wrongful conduct in the fulfillment of the obligations that respectively correspond to them, according to what is agreed upon in this agreement.
Neither party will assume any responsibility for non-performance or delay in the performance of any of the obligations under this agreement if such non-performance or delay resulted from or was a consequence of a force majeure event or fortuitous event recognized as such by Jurisprudence, in particular: natural disasters, war, state of siege, public order disturbances, transport strike, electrical supply cut-off, or any other exceptional measure taken by administrative or government authorities.
XII. CONFIDENTIALITY
The parties guarantee that they will maintain the strictest confidentiality and express compliance with the duty of professional secrecy concerning the data that they may have known about one another, and that were obtained on the occasion of this contract, during the term of the provision of services and after its termination.
THE PROCESSOR, during and after the validity of this agreement, will treat all information owned by THE CONTROLLER in a strictly confidential manner, taking the necessary measures so that it is not disclosed to third parties, nor can these have access to it without express authorization from THE CONTROLLER.
XIII. DATA PROTECTION OF THE PARTICIPANTS IN THE CONTRACTUAL RELATIONSHIP
The personal data of participants in the contracting of the services, for cases in which they are a natural person or in the case of representatives of a legal entity, will be processed by the other party, with the execution of the contract as the purpose and legitimization of the processing.
In the cases of contact persons whose data are collected during the provision of services, the data will be processed for the proper development of the object of the contract, legitimately in accordance with the legitimate interest of the parties, in accordance with Article 19 LOPD 3/2018.
The data will be kept for the legal periods provided for under applicable fiscal, tax, and commercial legislation.
Both parties are informed of the possibility to exercise their rights of access, rectification, deletion, and in some cases, if applicable, the right to data portability and limitation of processing. To exercise these rights, they may request the corresponding forms from the other party, or download them from www.aepd.es. Likewise, if they are not satisfied with the response received from the other party, they may file a complaint with the Spanish Control Authority www.aepd.es.
XIV. AUTONOMY OF THE PARTIES
Each of the Parties expressly declares and states that the relationship hereby contracted does not have an employment, partnership, or any other similar nature and that each of the contracting parties is independent and autonomous concerning the other, assuming each party the responsibility that corresponds to it in the scope of their respective activities, management, commitments, and obligations, and acting with complete freedom of criteria and conscience in the making and in the exercise of decisions, schedules, and respective functions. Likewise, the Parties state that in no case can THE PROCESSOR or its employees be considered as an agent or employee of THE CONTROLLER.
XV. NULLITY OR VOIDABILITY OF THIS AGREEMENT
If any clause of this data processing agreement is considered voidable or null and void, it will be deemed not to have been included, without its voidability affecting the validity of the contract, and all other clauses will retain their binding force between the parties.
This document constitutes an integral part of the Terms of Use and must be considered and read in conjunction with them.
Date of Last Modification: September 2024