This Data Processing Agreement (the “DPA”) is additional to and shall form part of the General Terms and Conditions provided by UPDAT Technologies Limited, which are available at https://updat.com.mt/terms-conditions (the “Terms”).

1. Definitions

Any capitalised term not defined in this DPA shall have the same meaning attributed to it in the Terms:

“Supervisory Authority” shall be defined as the competent authority responsible for the compliance with all Data Protection Regulations, which shall specifically refer to either the European Commission (EEA) and the Maltese Information and Data Protection Commissioner (IDPC).

“You/the Client” shall mean the client/customer who has accepted the Terms and entered into an agreement with UPDAT, who shall provide You with the services as established in the Terms.

“End Users” shall mean the employees / personnel, or any other individuals directly or indirectly engaged by You, who shall be using the services provided by UPDAT through Your Accounts.

“End Users’ Personal Data” shall mean any information belonging to UPDAT’s End Users which shall identify them directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that customer.

“Controller” shall mean UPDAT when it is UPDAT who shall determine the purpose and means of the processing of the personal data, particularly for the purposes of processing and collecting the End Users’ Personal Data which is directly provided by the End User for registration purposes. You shall be deemed the Controller whenever the End Users’ Personal Data is uploaded by the End Users on Your Accounts.

“Processor”: UPDAT shall be the Processor whenever You are deemed the Controller, in the event of Customer’s Personal Data being uploaded by End Users on Your Accounts.

“Data Protection Laws” shall mean any applicable laws in Malta including but not limited to the General Data Protection Act (Regulation EU 2016/679, ‘GDPR’) and the Data Protection Act (Chapter 586 Laws of Malta) as may be amended from time to time.

The terms “processing”, “restriction of processing”, “profiling”, “pseudonymisation”, “filing system”, “recipient”, “third party”, “consent”, “personal data breach”, “genetic data”, “biometric data”, “cross border processing”, and “international organisation” shall have the same meaning attributed to them in the GDPR.

2. DATA PROCESSING

  1. Scope Of Processing
    The processing shall be divided into two:
    1. In the event that UPDAT is the controller, the purpose of processing shall be for registration purposes, where the End User shall input the required personal data, which End Users’ Personal Data shall be controlled by the Controller.
    2. In any other situation, the Client shall be the Controller of the data and shall determine the purpose of the processing. In such events UPDAT shall be the processor when the personal data being controlled by the Client will merely be processed by UPDAT through the system as per the terms of the Agreement.
    3. Each Party agrees to abide by all the applicable Data Protection Laws in exercising their role whether as a Processor or Controller respectively, and shall ensure compliance through regular audits and monitoring.
    4. The Processor shall not process End Users’ Personal Data beyond the specified purpose, unless explicit written consent has been granted and the End Users have been notified of the new purpose. Such consent shall be documented and stored for verification purposes.
    5. The responsibilities of the Processor shall extend to any of its personnel, including employees, agents, or contractors who have access to the End Users’ Personal Data. They shall process the data with the same level of confidentiality and responsibility, and their access and use shall be limited to the purpose of the processing. The Processor shall ensure that its personnel undergo regular training on data protection principles.
  2. Nature, Scope, and Retention Periods
    1. The subject matter of this DPA shall be the End Users’ Personal Data.
    2. UPDAT shall determine the purpose and control the data for registration purposes to be able to set up all necessary accounts within the system for each End User;
    3. UPDAT shall process any data imported by the Client within the system to fulfil its obligations under the Agreement and provide the agreed services to the Client;
    4. The categories of personal data that shall be processed include the Client’s employees, officials, directors, agents, volunteers, independent contractors, or any other third party that may engage with the Client and over whom the Client has a legal basis upon which to control the respective data.
    5. The personal data that shall be processed by UPDAT shall include but is not limited to: full names, phone numbers, email addresses, residential addresses, identity card numbers, and other relevant information necessary for the services provided.
    6. The retention period is for the duration of the Agreement with the Client, unless otherwise required by law.

3. SECURITY

  1. The Processor shall at all times have in place appropriate technical and organisational measures to ensure that the level of scrutiny is adequate to the risk levels when considering the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the processing as well as the risk of likelihood and severity for the rights and freedoms of natural persons. Such measures shall include but are not limited to encryption, access controls, and regular security audits.
  2. The Processor shall ensure that the data is restricted and is not accessible to any unauthorised third parties.
  3. In processing the End Users’ Personal Data, the Processor shall determine the risks and implement measures to mitigate the chances of a personal data breach. Procedures for breach detection, response, and notification, including timelines for informing affected parties and the Supervisory Authority, shall be in place.

4. SUB-PROCESSING

  1. Unless otherwise agreed to in writing between the Parties, the Processor shall not assign the right to process and allow any sub-processing activity.
  2. The Processor shall notify the Controller in advance and obtain prior written consent before engaging any sub-processor. A list of approved sub-processors, if applicable, shall be maintained and updated regularly.

5. DATA SUBJECT RIGHTS

  1.  All Data subjects shall have the right to:
    1. Access the data held by the Controller – The Controller, assisted by the Processor, shall confirm whether any personal data is held, and if personal data is held on the data subject making the request, the Controller is bound to provide the purpose of the processing; the categories of the personal data concerned; the recipients of the personal data with whom such data may be disclosed; the retention period; the possibility to request erasure or modification of the data; the right to lodge a complaint with the Supervisory Authority. Furthermore, a copy of the personal data held by the Controller shall be provided to the data subject concerned if this is requested.
    2. Rectification – The Controller shall be bound to keep all the data of the data subject accurate and up-to-date; therefore the Controller shall be obliged to immediately and without delay modify such data;
    3. Be forgotten – The data subject shall have the right to be forgotten by completely erasing any and all the personal data pertaining to the individual making the request. Such request may be overridden by a law which instructs otherwise.
    4. Restriction of processing – The Controller shall be obliged to restrict certain processing of data when the accuracy of the data is contested, the processing is unlawful, the data is no longer required by the Controller, or there is no legal basis for processing the data.
    5. To object – The data subject shall have the right to withdraw consent, and the Controller shall stop processing unless able to demonstrate a compelling legitimate ground

 

Copyright © 2022 UPDAT Technologies Ltd. – All rights reserved