PERSONAL DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Agreement governing the provision of Services by DoGood People, S.L. (“DoGood”) to the Client. Where applicable, it applies to both online and offline purchases in accordance with DoGood’s Terms & Conditions.
STIPULATIONS
- Object and legal position of the parties.
The purpose of this DPA is to define the conditions under which DoGood will carry out the processing of personal data necessary for the provision of the service contracted by the Client in accordance with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter «General Data Protection Regulation» or «GDPR»), and all other data protection regulations.
In this regard:
- The Client holds the position of DATA CONTROLLER with the functions, rights and obligations that are proper to it.
- DoGood holds the position of DATA PROCESSOR with its own functions, rights and obligations.
- Where the Client is an individual purchasing Services for personal use, DoGood acts as the Data Controller for such processing.
Where the Client participates in a shared engagement (such as a multi-company Challenge), DoGood shall act as a Data Processor independently on behalf of each participating Client. Each Client remains solely responsible for the personal data of its own Users and retains the role of independent Data Controller.
DoGood will implement strict logical and technical separation between datasets of different Clients and will not share or grant access to any personal data between Clients, except where explicitly authorized in writing by the relevant Data Controller(s). In the context of such shared engagements, DoGood may provide aggregated or anonymized benchmarking or rankings visible to all participants, provided they do not contain identifiable personal data.
- Duties of the DATA PROCESSOR.
The DATA PROCESSOR shall carry out the processing of personal data derived from the provision of the contracted service, in accordance with the following obligations:
- To limit itself to carrying out the actions that are necessary to provide the DATA CONTROLLER with the contracted Service, these being the execution of maintenance and support tasks on the DoGood Platform.
Specifically, it will undertake to carry out the processing of personal data in accordance with the instructions that, at all times, the DATA CONTROLLER indicates, as well as the provisions of the regulations applicable to it in terms of protection of personal data, including with respect to transfers of personal data to a third country or to an international organisation, unless obliged to do so under Union or Member State law applicable to the DATA PROCESSOR, in which case the DATA PROCESSOR shall inform the DATA CONTROLLER of such legal requirement prior to processing.
Where the DATA CONTROLLER wishes to provide new or additional processing instructions, the details shall be agreed between the parties and documented and, once agreed, shall be deemed incorporated into this DPA.
If the DATA PROCESSOR considers that any of the instructions infringes the GDPR or any other Union or Member State data protection provisions, it shall immediately inform the DATA CONTROLLER.
- To undertake not to carry out any other processing on the personal data, nor to apply or use the data for a purpose other than the provision of the Service referred to in this Agreement, nor to use them for its own purposes.
- To ensure the necessary training in the protection of personal data of the persons authorised to process personal data.
- To keep a record, in writing, of all processing activities carried out on behalf of the DATA CONTROLLER, containing:
- The name and contact details of the DATA PROCESSOR and the DATA CONTROLLER and, where applicable, of the representative of the DATA CONTROLLER or the DATA PROCESSOR and, where applicable, of the data protection officer.
- The categories of processing carried out on behalf of each controller.
- Where applicable, transfers of personal data to a third country or international organisation, including the identification of such third country or international organisation and documentation of appropriate safeguards.
- A general description of the technical and organisational security measures.
- To keep under its control and custody the personal data provided by the DATA CONTROLLER to which it has access in connection with the provision of the Service, and not to disclose, transfer or otherwise share them with third parties, not even for safekeeping.
- In the event that it must transfer personal data to a third country or an international organisation by virtue of applicable Union or Member State law, to inform the DATA CONTROLLER of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.
- To make available to the DATA CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as to allow and actively collaborate in the performance of audits or inspections carried out by the DATA CONTROLLER or another auditor authorised by it.
- To designate, where required, a data protection officer and communicate his/her identity and contact details to the DATA CONTROLLER.
- Security of personal data.
The DATA PROCESSOR shall implement the security measures and mechanisms established in Article 32 of the GDPR to:
- Ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
- Restore availability and access to personal data quickly, in case of any physical or technical incident.
- Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
- Pseudonymise and encrypt personal data where appropriate.
Likewise, the DATA PROCESSOR shall adopt all those technical and organisational measures that, based on the risk analysis carried out by the DATA CONTROLLER, the latter considers necessary to ensure an adequate level of security, taking into account the state of the art and the cost of their implementation with respect to the risks and the nature of the personal data to be protected. Such measures shall be provided to the DATA PROCESSOR in writing, which shall be incorporated into and form an inseparable part of this DPA.
Notwithstanding the above, the DATA PROCESSOR may carry out its own risk analysis and propose to the DATA CONTROLLER the adoption of additional or alternative security measures to those proposed by the latter, provided that such measures result in an adequate level of security.
Regarding biometric authentication, the security of this feature relies on the security measures implemented on the user’s device. The DATA PROCESSOR is not responsible for the security of biometric data or the functionality of biometric authentication on the user’s device.
- Notification of data security breaches.
The DATA PROCESSOR shall notify the DATA CONTROLLER without undue delay, and in any case within 72 hours of becoming aware of it, of any personal data breach affecting the personal data under its responsibility, including all the information relevant to the documentation and communication of the incident.
If available, the DATA PROCESSOR shall provide, as a minimum, the following information:
- A description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
- The name and contact details of the data protection officer or other point of contact where further information can be obtained.
- Description of the possible consequences of the personal data security breach.
- Description of the measures taken or proposed to be taken to remedy the personal data breach, including, if applicable, measures taken to mitigate the possible negative effects.
If and to the extent that it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.
- International Transfers
The DATA PROCESSOR may not, under any circumstances, store personal data on servers located outside the European Economic Area or carry out actions involving an international transfer of data without the prior explicit written consent of the DATA CONTROLLER, unless the DATA PROCESSOR is obliged to do so under Union or Member State law applicable to it.
In such an exceptional case, the DATA PROCESSOR shall immediately inform the DATA CONTROLLER of this legal requirement prior to such transfer, unless this is not permitted for important reasons of public interest.
In the event that it ultimately becomes necessary for the DATA PROCESSOR or any of its sub-processors to carry out an international transfer of personal data in order to perform the Services, the DATA CONTROLLER shall require from the DATA PROCESSOR such documentary evidence as it deems necessary to ensure that the DATA PROCESSOR, and any sub-processors authorised by the DATA CONTROLLER, rely on an appropriate mechanism for the international transfer of personal data under the GDPR, whether an adequacy decision of the Commission or other appropriate safeguards (binding corporate rules, standard contractual clauses, etc.).
- Obligation to return or destroy the data.
Once the provision of the service that is the object of this Contract has been fulfilled, the DATA PROCESSOR undertakes to return to the DATA CONTROLLER or to the person determined by the latter any documentation containing personal data that has been transmitted by the DATA CONTROLLER to the DATA PROCESSOR on the occasion of the provision of the Service.
Once the return process has been completed, the DATA PROCESSOR shall carry out the destruction of any data existing in the computer equipment and other supports used.
Notwithstanding the provisions of the preceding paragraph, the DATA PROCESSOR may keep the processed data and information, duly protected, in the event that liabilities may arise from its relationship with the DATA CONTROLLER.
- Subcontracting.
To provide the services covered under this agreement, DoGood may engage third-party service providers for specific functions, such as cloud storage, email delivery, and analytics. All subcontractors engaged by DoGood comply with applicable data protection regulations, including the GDPR, and appropriate security measures are in place to ensure the protection of personal data.
The list of current subprocessors is available upon request, and updates will be communicated in accordance with applicable law. Clients may request to be notified of new subprocessors before engagement.
In accordance with the terms of this Agreement, the DATA PROCESSOR may not subcontract any of the services forming part of the object of this Agreement that involve the processing of personal data, except for the ancillary services necessary for the normal operation of the DATA PROCESSOR's services.
To subcontract to other companies, the DATA PROCESSOR must notify the DATA CONTROLLER in writing, clearly and unequivocally identifying the subcontracting company and its contact details.
The subcontractor, which also has the status of DATA PROCESSOR, is likewise obliged to comply with the obligations established in this document for the DATA PROCESSOR and with the instructions issued by the DATA CONTROLLER. It is up to the initial DATA PROCESSOR to regulate the new relationship in accordance with Article 28 of the GDPR, so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as the initial DATA PROCESSOR, regarding the proper processing of personal data and the guarantee of the rights of the data subjects.
- Rights of data subjects.
The DATA PROCESSOR will assist the DATA CONTROLLER in responding to the exercise of the rights of data subjects (rights of access, rectification, erasure, objection, restriction of processing, data portability, and not to be subject to automated individual decision-making).
In this regard, the DATA PROCESSOR must forward any such request to the DATA CONTROLLER immediately and, at the latest, within three calendar days of its receipt, so that the DATA CONTROLLER can duly resolve it. It shall also provide the DATA CONTROLLER with all the information necessary for the proper resolution of the request and implement any changes that may be necessary as a result of the exercise of rights by the data subject within the legally established deadlines.
- DATA CONTROLLER’s obligations.
The following obligations correspond to the DATA CONTROLLER:
- To deliver to the DATA PROCESSOR the data to be processed in accordance with the provisions of this contract. The DATA CONTROLLER shall be responsible for having obtained the data legitimately and, where appropriate, with the consent of the data subjects.
- To undertake not to use the tool to process personal data that are considered special categories of data (e.g. economic or social profiles, ideology, religion, beliefs, racial origin, health or sexual orientation).
- To perform the risk analysis that may arise from the processing activity to be commissioned and, based on such analysis, indicate to the DATA PROCESSOR the technical and organisational measures to be implemented for the provision of the service.
- To perform, if necessary, an assessment of the impact on the protection of personal data of the processing operations to be carried out by the DATA PROCESSOR.
- To carry out the appropriate prior consultations.
- To ensure, prior to and throughout the processing, compliance with the GDPR by the DATA PROCESSOR.
- Supervise the processing, including the performance of inspections and audits.
- Responsibilities.
The DATA PROCESSOR agrees to comply with the obligations set forth in this DPA and in the regulations in force, in connection with this agreement.
- Entry into force.
This DPA shall enter into force on the date of its signature, except for those obligations introduced ex novo by the application of the GDPR, which entered into force on 25 May 2018, and shall remain in force until the termination of the licensing relationship between the DATA PROCESSOR and the DATA CONTROLLER, without prejudice to the survival of all those obligations (such as the obligation to return data) which, in accordance with their nature or the terms of this Agreement, should survive its termination, and independently of any other obligation of a legal nature applicable to the parties after the termination of the said relationship.
This DPA is incorporated by reference into DoGood’s Terms & Conditions for Online and Offline Purchases and shall be deemed accepted upon acceptance of said Terms.
APPENDIX I PERSONAL DATA PROCESSING AGREEMENT: DATA TO BE PROCESSED
FIELD | DESCRIPTION
--- | ---
OBJECT | Provision of services under the DoGood Platform License Agreement relating to the provision of access to the DoGood Platform to each Participating Company's authorized users.
PURPOSE OF PROCESSING | Providing access to the DoGood Platform and associated Services for authorized users designated by the Client; managing the relationship with such users during the delivery of any program, service module, or engagement initiative, including user registration, cancellation, support requests, and participation tracking.
TYPE OF DATA | Identifying data: Name, Surname, Email
DATA CATEGORIES | Employees or other stakeholders authorised by the Client to participate in the Services, including but not limited to collaborators, students, agents, or partners.
LEGITIMATING BASIS | The processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures at the request of the data subject.
APPENDIX II PERSONAL DATA PROCESSING AGREEMENT: SECURITY MEASURES APPLICABLE TO DATA PROCESSING
- Organisation chart and assignment of roles to oversee the responsibilities of each team member with respect to data and security processes.
- Procedure for controlling access to the application through unique identifiers and passwords to prevent unwanted or unauthorised access.
- Procedure for controlling access to the application backoffice through unique identifiers and passwords to prevent unwanted or unauthorised access.
- Activity monitoring system to track each user's activity on the application and prevent the publication of unwanted, offensive or illegal content, or content that violates any law or agreement between DoGood and its client.
- Procedure for the management of special access privileges to the application’s backoffice, to limit unauthorised access permissions to personal information.
- User password management procedure (secure password policy) on all corporate devices and software tools.
- Inventory of corporate media and maintenance process, including recording the allocation of assets to personnel in charge to keep track of devices and detect potential leaks of information due to loss or theft of devices.
GENERAL CONDITIONS AND APP PRIVACY POLICY (TO BE ACCEPTED BY THE USERS BEFORE REGISTRATION)
The General Conditions and App Privacy Policy are available online at the following links:
- General Conditions of Use of the Program: https://www.dogoodpeople.com/terms-and-conditions-app/
- App Privacy Policy: https://www.dogoodpeople.com/privacy-policy-app/
All users must review and accept these documents before registration.