PriceSailor Data Processing Agreement

This Data Processing Agreement (“DPA”) was last updated on 11 February 2023.

 

This Data Processing Agreement and its Annexes (“DPA”) form part of the Agreement entered into between You (“Client”) and Lapik d.o.o. (“Panga”) (collectively, the “Parties”) and set forth the terms and conditions under which the Parties may process Personal Data. In the event of a conflict in relation to the processing of Personal Data between this DPA, Panga Terms, and any other agreement, this DPA shall prevail. Unless otherwise specified, capitalized terms used but not defined in this DPA shall have the meaning set forth elsewhere in the Panga Terms. This DPA is effective on the date the Agreement is entered into and will continue in force until the expiration or termination of the Agreement in accordance with its terms.

 

  1. DEFINITIONS

When used in this DPA with the initial letter capitalized, in addition to the terms defined elsewhere in this DPA, the following terms have the following meanings:

1.1. Agreement: means the Panga Terms together with any document related to Your subscription to the Services together with any Panga generated service invoices, statements of work, contracts and/or any other agreements executed or approved by You with respect to Your subscription to the Services.

1.2. Contact Data: means Personal Data provided by You to Panga including names, usernames (Panga login details, Slack and other communication software user names, other user names), business email addresses, business phone numbers, job titles, and such other information as is specified in the Panga Terms.

1.3. Controller, Data Subject, Personal Data, Personal Data Breach, Processing, Processor and Supervisory Authority shall have the meanings set out in the GDPR (and related terms such as Process have corresponding meanings). 

1.4. Data Protection Laws: is defined as all legislation and regulations relating to the protection of Personal Data, including (without limitation), the Data Protection Acts 1988-2018, the GDPR, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by a relevant Supervisory Authority relating to the processing of Personal Data or privacy, each as amended, revised, modified or replaced from time to time.

1.5. GDPR: means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data.

1.6. Panga Terms: means Panga’s Terms of Service (https://pricesailor.com/legal/terms-of-service/), Privacy Policy (https://pricesailor.com/legal/privacy-policy/), and Cookie Policy (https://pricesailor.com/legal/cookie-policy/). 

1.7. Restricted Transfer: means an international transfer of Personal Data by us to You where such transfer would be prohibited by applicable Data Protection Laws in the absence of a Transfer Solution.

1.8. Security Event: means an incident which results in (or may result in) the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Client’s Personal Data while in the custody or control of Panga or a Sub-Processor. 

1.9. Service Personal Data: means the Personal Data collected, processed, or transferred by and/or to Client using the Services.

1.10. Services: means the service(s) and/or product(s) provided by Panga to You under the Panga Terms and/or an applicable Agreement.

1.11. Standard Contractual Clauses: means (a) in respect of any Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 between (i) controllers and controllers (Module 1) (“Controller to Controller”) and/or (ii) processors and controller (Module 4) (“Processor to Controller”) as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://ec.europa.eu/info/sites/default/files/sccs_word.zip and the Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (incorporating the Mandatory Clauses of that Addendum) appended to the Standard Contractual Clauses.

1.12. Sub-Processor: means the third-party sub-processors set out in Annex 3 to this DPA engaged by Panga to process Personal Data as authorized by Client in accordance with this DPA. 

1.13. Third Country: means all countries that are not members of the European Economic Area (“EEA”) or which have not been recognised by the European Commission as providing an adequate level of protection for Personal Data.

1.14. Transfer Solution: means the Standard Contractual Clauses or any other means or basis for permitting the transfer of Personal Data in accordance with applicable Data Protection Laws. 

1.15. TOMs: means technical and organizational measures.

 

  2. DATA PROTECTION ROLES

2.1. The Parties acknowledge that:

  • 2.1.1. they each shall be independent joint controllers in respect of the Contact Data; and 
  • 2.1.2. Panga shall be a joint Processor and Client shall be a joint Processor and a Controller in respect of the Service Personal Data. 

 

  3. CLIENT OBLIGATIONS

3.1. Client represents and warrants that it will only use the Service Personal Data to process Personal Data if such processing is in compliance with the applicable Data Protection Laws (“Service Data”).

3.2. Client, as a Data Controller for Service Personal Data, shall be responsible, among others, for ensuring that the processing of Service Personal Data, which the Data Processor is instructed to perform, has a legal basis.

3.3. Client will inform Panga in writing without undue delay following the Client’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this DPA.

3.4. Client instructs Panga to process Service Personal data or other data in any required capacity and/or method to provide the functionality of the Services to the Client.

 

  4. PANGA OBLIGATIONS

4.1. Panga, as the Controller, will process Contact Data for the purposes of providing the Services to Client and performing the obligations set out under the Terms and any applicable Agreement.

4.2. Panga, as the Processor, will process the Service Personal Data for the purposes of providing the Services to Client and performing the obligations set out under the Terms and any applicable Agreement only on documented instructions from Client.

4.3. Panga warrants that all persons authorized by Panga to Process Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality to ensure that the Service Personal Data is kept safe and secure.

4.4. At the choice of the Client, all Contact Data held by Panga shall be deleted or returned to the Contact upon the termination of the Agreement, unless EU or Member State law otherwise requires such Contact Data to be retained by Panga for a prescribed period.

4.5. Panga shall implement and maintain appropriate TOMs designed to meet the requirements of Article 32 of the GDPR to protect the Data Subject and the Personal Data against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.

4.6. Panga shall without undue delay, and in any event no later than seventy-two (72) hours, notify Client of a Security Event. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification of a Security Event shall contain the information then available and further information shall be provided as it becomes available without undue further delay.

4.7. Panga will provide Client with information about:

  • 4.7.1. the details of a contact point where more information concerning the Security Event can be obtained;
  • 4.7.2. the nature of the Security Event (e.g., loss, theft, copying) including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • 4.7.3. the likely consequences of the Security Event; and
  • 4.7.4. the steps Panga has taken to address the Security Event.

4.8. Panga shall:

  • 4.8.1. take all necessary steps to mitigate the effects and to minimize any damage resulting from the Security Event and to prevent a recurrence of such Security Event; and
  • 4.8.2. provide such assistance and cooperation as Client requires in responding to the Security Event including in relation to notifying any relevant regulatory authority and/or Data Subject of the Security Event.

 

  5. SUB-PROCESSORS

5.1. Client agrees that Panga may share Personal Data with the Sub-Processors listed in Annex III.  Panga may remove or replace the current Sub-Processors from time to time as necessary to provide the Services and will notify You of any such changes.  

5.2. Panga must ensure that a written contract is entered into with each Sub-Processor that is compliant with the Data Protection Laws. Panga shall be responsible and liable for acts or omissions of the Sub-Processor.

5.3. Instructions given by Panga to any Sub-Processor must be within the scope of this DPA.

 

  6. THIRD COUNTRY TRANSFER OF PERSONAL DATA

6.1. The Parties acknowledge and agree Panga may from time-to-time transfer Contact Data and Service Personal Data outside of the EEA.

6.2. In the event of a Restricted Transfer, the Parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of this DPA as follows:

  • 6.2.1. Client shall be the “data importer” and Panga shall be the “data exporter”.
  • 6.2.2. In relation to Client’s Contact Data, Module One shall apply as the Parties are independent Controllers. In relation to data extracted using Panga Services, Module Four shall apply as Client is the Controller and Panga is the Processor.
  • 6.2.3. In Clause 7, the optional docking clause shall not apply.
  • 6.2.4. In Clause 9, Option 2 shall apply.
  • 6.2.5. In Clause 11, the optional language shall not apply.
  • 6.2.6. In Clause 17, the law of Slovenia shall apply.
  • 6.2.7. In Clause 18, the courts of Slovenia shall apply.
  • 6.2.8. the Annex I and II to the Standard Contractual Clauses are set out in the Annex I and II to this DPA.

6.3. In the event of a change in any applicable Data Protection Laws relating to the country/countries where an adequate level of data protection exists requiring an alternative Transfer Solution to be implemented to permit the continued transfers of Personal Data anticipated in the Agreement, the Parties each agree to act reasonably to seek to agree an alternative Transfer Solution permitting the relevant Party to continue Processing the Personal Data in the relevant country/countries and the relevant international transfer(s) to continue. 

6.4. In the event the European Commission issues any replacement or substitution of the Standard Contractual Clauses, upon receipt of written notice from a Party requiring the same, the Standard Contractual Clauses incorporated into this DPA pursuant to this clause 6.4 shall be deemed to be deleted and replaced with such replacement or substitution which each Party agrees shall be deemed to be incorporated into this Agreement in place of the Standard Contractual Clauses (and all references in this DPA shall be deemed to refer to such replacement or substitutions clauses accordingly).  To the extent necessary, each Party agrees to co-operate taking such other measures as may be necessary to give effect to such replacement or substitution of the Standard Contractual Clauses in order to comply with applicable Data Protection Laws and/or otherwise satisfy any administrative or documentary requirements relating to the same.

 

  7. GENERAL

7.1. Nothing in this DPA reduces the Client’s obligations under the Agreement in relation to the protection of Personal Data. 

7.2. This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed, in accordance with, the laws of Slovenia.

7.3. The Parties irrevocably agree that in relation to any dispute or claim that arises out of or in connection with the DPA or its subject matter or formation (including non-contractual disputes or claims) the courts of Slovenia shall have jurisdiction.

7.4. The term of this DPA shall continue until the latter of the following: the termination of the Agreement, or the date at which Panga ceases to process personal data for the Client.

7.5. Panga shall carry all costs associated with compliance of this DPA in its capacity as joint Data Processor of Service Personal Data and joint Data Controller of Contact Data.

7.6. In respect of Panga’s tasks, that are not an obligation under this DPA, Panga shall be entitled to charge the Client for the additional resources, time and material necessary to fulfill the required task(s), unless such services are already included in the services rendered under the Agreement. Panga will notify the Client in advance of such additional charges and, to the extent possible, provide the Client with a quote of the expected costs. If the Client cannot agree to the costs, Panga shall be entitled not to perform the additional assignment and to terminate the Agreement with a notice of 30 days. Panga shall not be considered in breach of contract in this event.

 

ANNEX I

  1. LIST OF PARTIES

Data exporter(s): 

Name: Lapik d.o.o.

Address: Ižanska cesta 84, Ljubljana, 1000 Ljubljana

Contact person’s name, position, and contact details: Karen Kaltakhchan, dpo_support@pricesailor.com

Activities relevant to the data transferred under these Clauses: Providing Services to Client

Role (controller/processor): Module 1 Controller in relation to Contact Data. Module 4 Processor in relation to Service Personal Data.

 

Data importer(s): 

Name: Client’s name as set out in an Agreement

Address: Client’s address as set out in an Agreement

Contact person’s name, position and contact details: As set out in an Agreement or as otherwise agreed with Panga

Activities relevant to the data transferred under these Clauses: Using Panga’s Services

Role (controller/processor): Module 1 Controller in relation to Contact Data. Module 4 Controller in relation to Service Personal Data.

 

  2. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred:

Client staff information; other information as determined by Client 

Categories of personal data transferred:

Names, usernames (Panga login details, Slack and other communication software user names, other user names), business email addresses, postal addresses, business phone numbers, job titles, and other information as specified in the Panga Terms

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous

Nature of the processing

As specified in the Panga Terms

Purpose(s) of the data transfer and further processing

Panga will process the Personal Data as necessary to provide the Services

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As specified in the Panga Terms

For transfers to (sub) processors, also specify subject matter, nature, and duration of the processing

As described in Annex III

 

  3. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Information Commissioner of the Republic of Slovenia

 

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Panga has implemented and will maintain appropriate administrative, technical and physical safeguards to protect personal data.

System access control

Panga shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

Data access control

Panga shall take reasonable measures to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing. Panga shall take reasonable measures to implement an access policy under which access to its system environment, to personal data and other data is by authorized personnel only.

Transmission control

Panga shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.

Input control

Panga shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified, or removed. Panga shall take reasonable measures to ensure that (i) the personal data source is under the control of data exporter; and (ii) personal data integrated into Panga’s systems is managed by secured file transfer from Panga and data subject.

 

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorized the use of the following sub-processors (including a clear delimitation of responsibilities in case several sub-processors are authorised):

| Name | Address | Description of processing |
| --- | --- | --- |
| FastVPS.Hosting | Viru 3, Jõhvi, 41532 Ida-Viru maakond, Estonia | Hosting provider |
| Google | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Host email, documents, etc. |
| Google Ads | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Search engine marketing service |
| Google Analytics | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Analytics and A/B testing service |
| Stripe | 354 Oyster Point Blvd, South San Francisco, CA 94080, USA | Processing online payments and subscriptions |