
Scytáles Data Processing Agreement

The parties agree that this Scytáles Data Processing Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Personal Data in connection with the products and services offered by Scytáles. The DPA is incorporated by reference into the Terms and Conditions and other Scytáles’ agreements.  Separate terms, including different privacy and security terms, govern Customer’s use of Non-Scytáles Products.

In the event of any conflict or inconsistency between the DPA Terms and any other terms in Customer’s agreement with Scytáles (“Customer’s agreement”), the DPA Terms shall prevail. The provisions of the DPA Terms supersede any conflicting provisions of the Scytáles Privacy Statement that otherwise may apply to processing of Customer Data, Professional Services Data, or Personal Data, as defined herein.

1. Definitions

The terms used herein for which no definition is given have the meaning assigned to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the GDPR).

Personal Data: Any information relating to an identified or identifiable natural person (”data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Legal Framework for the Protection of Personal Data (hereinafter referred to as the "Legal Framework"): The GDPR and any piece of National and European legislation regulating the protection of Personal Data or privacy under which Personal Data falls, as amended, replaced or superseded from time to time.

Controller: Customer, who controls the purposes and means of processing of personal data.

Processor: Scytáles, who processes personal data on behalf of the Controller.

Subcontractor: The natural or legal person or processor whom the Processor hires to perform processing activities on behalf of the Controller.

Recipient: Any natural or legal person, public authority, agency or another body, to which personal data are disclosed.

Third party: Any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

2. Scope of this Agreement

2.1       In the context of the Customer’s Agreement, Scytáles processes personal data on behalf of the Customer. In light of the parties’ collaboration as defined in the Customer’s Agreement and of the GDPR, the Parties considered it necessary to enter into the present Agreement (hereinafter “Data Processing Agreement”), in compliance with the applicable legal framework for the protection of personal data.

2.2       The Data Processing Agreement is an integral part of the Customer’s Agreement. In case of conflict, the terms of the Data Processing Agreement supersede those of the Customer’s Agreement, unless otherwise defined.

2.3       The DPA applies only to the processing of data in environments controlled by the Processor or its sub-processors.  This includes data sent to Processor by the Products and Services but does not include data that remains on Customer’s premises or in Customer selected third party operating environments.

 

3. Processing of Personal Data

The Processor processes Personal Data on behalf of the Controller exclusively for the purposes of the Customer’s Agreement. The Data Subjects, the categories of Personal Data, the purpose and the nature of the processing are specified in Annex I.

 

4. Controller’s Obligations

The Customer as Controller is obliged:

4.1       to comply with the Legal Framework and is responsible for demonstrating compliance with it,

4.2       to ensure the legal basis for the lawful Processing of Personal Data for all the purposes of Processing, including Processing activities that are performed by the Processor and are described in detail in Annex I,

4.3       to inform the Data Subjects and Recipients of personal data for all the purposes of processing and of their rights, including Processing activities that are performed by the Processor,

4.4       to acquire, where necessary, the appropriate required consent from the Data Subjects for the purpose of Processing,

4.5       to provide written instructions to the Processor regarding Processing, according to this Agreement, the nature and the purpose of Processing,

4.6       to implement appropriate technical and organizational measures in order to ensure the security of personal data and be able to demonstrate that processing takes place according to the Regulation and the applicable Legal Framework.

 

5. Processor’s Obligations

Scytáles as Processor is obliged:

5.1       to comply with the applicable Legal Framework for the protection of personal data, being responsible for demonstrating compliance with it,

5.2       to immediately inform the Controller if, in his opinion, an instruction of the Controller does not comply with the Legal Framework,

5.3       to process personal data exclusively for the purpose of the Customer’s Agreement and according to Annex I of the present Agreement and for no other purpose, without prior written consent of the Controller, unless otherwise required by the Legal Framework, which the Processor falls under, and for which the Processor must provide information to the Controller before the Processing of Personal Data, unless that legal framework prohibits such information on important grounds of public interest (Article 28 (3) (a) of GDPR).

5.4       to implement all required Technical and Organisational measures for the protection of Personal Data, according to Article 6 of the present Agreement,

5.5       to maintain a record of processing activities for the processes it conducts for the Customer, according to Article 30 (2) of the GDPR,

5.6       to implement all necessary measures for ensuring the credibility of personnel, subcontractors and generally assignees, so that persons who are involved with the Processing of Personal Data and have access to them:

(a) are authorized to process Personal Data and process them only upon instructions of the Customer,

(b) have access only to the absolutely necessary information, data and structures for carrying out and fulfilling the purposes of the Agreement and for complying with the Legal Framework in the context of its responsibilities as Processor and

(c) have entered into a confidentiality commitment or are subject to the appropriate obligation of confidentiality of Personal Data even after termination in any way of their involvement with Processing.

5.7       not to engage any other processor without the prior specific written consent of the Customer. In such a case, that is to say, in the case of specific written consent by the Customer, the Processor should impose on the other processor the same obligations with regard to data protection in order to carry out specific processing activities on behalf of the Customer, through an agreement which will be concluded between them.

5.8       to make available to the Customer the necessary information in order to demonstrate compliance with the GDPR.

5.9  The Processor shall have the right not to proceed to a certain processing activity and/or follow a specific instruction of the Controller, in case such processing activity and/or instruction is in breach of the Legal Framework for the protection of Personal Data.

6. Technical and Organizational measures

6.1       Taking into consideration the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymization and encryption of Personal Data, especially during their transfer and storage

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of Processing.

6.2       The Processor undertakes the obligation to inform the Data Protection Officer of the Customer without delay for any development which may materially affect his ability to conduct Processing effectively.

6.3       The Processor is obliged, when assessing the appropriate level of security of the Processing, to take into account indicatively the risks arising therefrom, and in particular from a Personal Data Breach.

6.4       The applicable technical and organizational measures are defined in Annex II.

 

7. Exercise of Data Subjects’ Rights

The Processor shall assist the Customer in the fulfillment of its obligations as a Controller to respond to Data Subjects’ requests relating to their rights, as stipulated in the Legal Framework (i.e. right of access, rectification, erasure, restriction of Processing, objection, portability), and shall immediately inform the Customer if the Processor receives a request from the Data Subjects in relation to the Personal Data of the Controller, within the limits of the Controller’s instructions.

 

8. Transfer of Personal Data

8.1       Personal Data are disclosed to the Processor by the Customer. Unless otherwise defined, the processor does not transfer Personal Data to Recipient and/or Third parties.

8.2       If Personal Data are required to be transferred to Recipients other than those specified in paragraph 8.1 and any Subcontractors, the Processor is required to inform the Controller in writing of the terms and obligations of the transfer and not to transfer the Personal Data before the written consent of the Controller.

8.3       The Processor shall not process nor transfer Personal Data outside the European Economic Area, or to countries or international organizations that the European Commission has decided do not ensure an adequate level of protection, without the Customer’s prior written consent. In the event that the Personal Data of the Customer are transferred to a country outside the European Economic Area which is not recognized by the European Commission as providing an adequate level of protection, the Parties ensure that the Customer's Personal Data is adequately protected in accordance with Articles 46-49 of the GDPR.

 

9. Personal Data Breach

9.1       The Processor declares and warrants that he has established and implements information security policies, including the management of breach incidents, and that its staff and generally appointed persons who have access to or process Personal Data are aware of the relevant policies and procedures and have received all necessary instructions regarding the handling of personal data breaches.

9.2       The Processor shall inform the Controller without delay from the time that a Personal Data Breach comes to his attention affecting the Personal Data of the Controller, providing the Controller with sufficient information which will enable him to comply with the requirements for the disclosure of Personal Data breaches to the Supervisory Authority and / or Data Subjects, as defined in the Legal Framework and Articles 33 and 34 of the GDPR.

9.3       The Processor shall cooperate with the Controller and act at the Controller’s request in order to assist in investigating, limiting and dealing with any Personal Data Breach.

 

10. Duration and Termination

10.1     The present DPA is effective from the date of signature of the Customer’s Agreement and shall continue until the termination of that agreement. 

10.2     The terms of this DPA apply retroactively to all personal data received and processed under the Customer’s Agreement even prior to the Effective Date of this DPA.

10.3     After the termination of the Customer’s Agreement, the Controller may in his discretion request from the Processor to return or erase all the Personal Data and any copies of them, unless otherwise stipulated by law.

 

11. Other terms

11.1     In the event of a breach of any of these terms, which are all considered material, the non-breaching party has the right to withdraw immediately and without compensation from the present Agreement and the Principal Agreement. The results of withdrawal are effective from the date of receipt of the notice of withdrawal by the other party or as otherwise stated in the notice of withdrawal.

11.2     Failure to exercise all or part of the rights of the Data Processing Agreement shall not be construed, interpreted, or deemed as a waiver from them.

11.3     If any term hereof is deemed invalid or void for any reason, this shall not affect the validity of the remaining terms.

11.4     This Agreement incorporates all of the agreements between the Parties and takes precedence over any other prior written or oral agreement or regulation relating to matters governed by it.

11.5     The Data Processing Agreement along with the attached Annexes herein, which constitute an integral part thereof, is amended, supplemented or annulled only by written agreement of the Parties.

11.6    In order to resolve any dispute arising from the present Agreement, relating to its execution, application and interpretation, as well as to the relationships generally created by it, it is agreed that Greek law shall be applicable, and the Courts of Athens are competent exclusively.

11.7     It is expressly agreed that where written communication between the parties is defined in the Data Processing Agreement, email communication is also included. The present Agreement was drawn up in two (2) original copies, was signed by the legal representative of each of the Parties and each Party received one original copy.

 

ANNEX I

Data subjects: Data subjects include the Customer’s representatives and end-users including employees, contractors, collaborators, and customers of the Customer. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by Scytáles. Scytáles acknowledges that, depending on Customer’s use of the Scytáles Products and Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:

•          Employees, contractors and temporary workers (current, former, prospective) of Customer;

•          Dependents of the above;

•          Customer's collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);

•          Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of Customer's services;

•          Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the Customer and/or use communication tools such as apps and websites provided by the Customer;

•          Stakeholders or individuals who passively interact with Customer (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the Customer);

•          Minors; or

•          Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).

 

Categories of data: The Personal Data that is included in a Digital Identity Wallet in electronic form in the context of the Scytáles Products and Services.   Scytáles acknowledges that, depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the personal data:

•          Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;

•          Authentication data (for example user name, password or PIN code, security question, audit trail);

•          Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);

•          Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver's license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);

•          Pseudonymous identifiers;

•          Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);

•          Commercial Information (for example history of purchases, special offers, subscription information, payment history);

•          Biometric Information (for example DNA, fingerprints and iris scans);

•          Location data (for example Cell ID, geo-location network data, location at the start and end of a call, and location data derived from use of Wi-Fi access points);

•          Photos, video and audio;

•          Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);

•          Device identification (for example IMEI-number, SIM card number, MAC address);

•          Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);

•          HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);

•          Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);

•          Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);

•          Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;

•          Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or

•          Any other personal data identified in Article 4 of the GDPR.

 

 

 

ANNEX II

The Processor needs to be certified, or otherwise be able to prove that it implements an applicable and recognized cybersecurity standard, framework and/or scheme, and to apply at least the following technical and organizational measures while processing the Personal Data and throughout the duration of the present Agreement, in order to ensure an adequate level of protection of the Personal Data.

 

The Processor shall review the below measures regularly and at least once every year and shall inform the Customer on any possible changes or reviews, taking into consideration the technological developments and the possible future risks for the Personal Data.

(A) Minimum Security Controls

  • Management and organizational information security

    • Risk management

      • The Processor identifies, assesses and manages information security and privacy risks.

    • Information security policy

      • The Processor has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.

    • Information security responsibility

      • The Processor has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.

    • Outsourcing

      • The Processor has established written agreements with all third-party processors and sub-processors that ensure the personal data they access and process on the Customer’s behalf is protected and secure.

      • The Processor has controls or a policy defining how contractor access is granted to secure locations.

    • Training and awareness

      • The Processor has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.

    • Personnel Security

      • The Processor has a policy stating that all users sign a confidentiality agreement that includes or extends to customers’ data.

 

  • Physical security

    • Secure areas

      • The Processor has entry controls to restrict access to premises and equipment in order to prevent unauthorized physical access, damage and interference to personal data.

    • Secure storage

      • The Processor has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.

    • Secure disposal

      • The Processor has a process to dispose securely of records and equipment when no longer required.

 

  • Computer and network security

    • Asset management

      • The Processor has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.

    • Secure configuration

      • The Processor configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.

      • The Processor has a standard “hardening” procedure to ensure all its servers and network devices have been securely configured in accordance with generally accepted good practices.

    • Removable media

      • The Processor has established controls to manage the use of removable media in order to prevent unauthorized disclosure, modification, removal or destruction of personal data stored on it.

      • Personal data stored in removable media are protected by state-of-the-art encryption (data-at-rest).

    • Secure communication (data-in-transit)

      • The Processor has established controls to protect the confidentiality and integrity of data in transit, such as encryption and the use of digital signatures.

    • User access controls

      • The Processor assigns user accounts to authorized individuals and manages user accounts effectively to provide the minimum access to information.

    • System password security

      • The Processor has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorized access or anomalous use.

    • Malware protection

      • The Processor has established effective anti-malware defenses to protect computers from malware infection.

    • Backup and restoration

      • The Processor routinely backs up electronic information to help restore information in the event of disaster.

      • The Processor uses state-of-the-art encryption to protect the confidentiality and integrity of all back-up media not otherwise protected by physical security means or held by third parties (e.g. external back-up services).

      • The Processor has a procedure to erase personal and confidential data securely after contract termination.

    • Monitoring

      • The Processor logs and monitors user and system activity to identify and help prevent data breaches.

    • Boundary firewalls

      • The Processor has boundary firewalls, including intrusion detection and prevention devices (IDS/IPS) to protect computers from external attack and exploitation and help prevent data breaches.

    • Incident management

      • The Processor has effective processes to identify, report, manage and resolve any personal data breaches. The Processor has appropriate training in place to ensure staff know how to recognize a personal data breach and what to do if they detect one.

      • The Processor has a procedure in place to report any breach affecting the Customer in a timely fashion.

      • The Processor has a procedure in place to report a breach to the relevant Data Protection Authorities and to affected individuals, where necessary, in a timely fashion.

      • The Processor has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.

    • Technical support assistance and consulting (assistance, consulting)

      • The Processor has established and maintains an organization and process to provide assistance for the Supported Service/Product/Software, including at least diagnosis and resolution of deficiencies.

      • The Processor has established and maintains an organization and process to provide consulting for the implementation or use of the Supported Service/Product/Software.

    • Warranty

      • The Processor has a warranty policy for the software provided, in case it does not function as described.

    • Development and maintenance

      • The Processor has a secure development policy describing at least the secure repositories, security in version control and security in software methodology.

      • The Processor has established and appropriately protected software/system development environments.

      • The Processor has a staging/pre-production system used to validate build artifacts before promotion to production.

      • The Processor has implemented a policy for outsourced development.

 

(B) Indicative list of acceptable certifications, frameworks, schemes or standards [these are applicable only to Processors that are legal entities]

 

  • AICPA, Service Organization Control (SOC) 2

  • BSI, IT-Grundschutz Certificate

  • HIPAA Privacy Rule or Standards for Privacy of Individually Identifiable Health Information

  • HIPAA Security Rule or Security Standards for the Protection of Electronic Protected Health Information

  • ISF, The Standard of Good Practice for Information Security

  • ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements

  • ISO/IEC 27002:2013, Information technology — Security Techniques — Code of practice for information security controls

  • ISO/IEC 27017:2015, Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services

  • ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

  • ISO/IEC 29100:2011, Information technology -- Security techniques -- Privacy framework

  • NCSC, Cyber Essentials or Cyber Essentials Plus schemes

  • NIST, Cybersecurity Framework

  • NIST, SP 800-53
