In this clause, “Data Protection Laws” means all privacy laws applicable to any Personal Data processed under or in connection with the Agreement, including, without limitation, the Lei Geral de Proteção de Dados Pessoais, nº 13.709/20189 (the “LGPD”) and all national legislation implementing or supplementing the foregoing, all as amended, re- enacted and/or replaced and in force from time to time;
To the extent that a party acts a data processor (“Processor”) acts on behalf the other party acting as a data controller (“Controller”) in respect of any personal data comprised in the Customer Data (“Personal Data”) are defined in the Data Protection Laws , the Processor shall ensure that:
(i) unless required to do otherwise by applicable Data Protection Laws, it shall (and shall take steps to ensure each person acting under its authority shall) process the Personal Data only on and in accordance with the Controller’s documented instructions as set out in the Data Processing Details, as updated from time to time by agreement between the parties;
(ii) persons authorised by the Processor to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(iii) if Data Protection Laws require it, to process Personal Data other than in accordance with the Data Processing Details, it shall notify the Controller of any such requirement before processing the Personal Data (unless applicable law prohibits such information on important grounds of public interest);
(iv) it informs the Controller of any addition, replacement or other changes of Sub-processors and provides the Controller with the opportunity to reasonably object to such changes on legitimate grounds. The Controller acknowledges that these Sub-processors are essential to provide the Services and that objecting to the use of a Sub-processor may prevent the Processor from offering the Services to the Controller. The Processor will enter into a written agreement with the Sub-processor imposing on the Sub-processor obligations comparable to those imposed on the Processor under this Agreement, including appropriate data security measures. In case the Sub-processor fails to fulfil its data protection obligations under such written agreement with the Processor, that Processor will remain liable towards the Controller for the performance of the Sub-processor’s obligations under such agreement. By way of this Agreement, the Controller provides general written authorization to the Processor to engage Sub-processors as necessary to perform the Services; including those listed in Linte’s privacy policy. “Sub-processor” means another data processor engaged by the Processor for carrying out processing activities in respect of the Personal Data on behalf of the Controller;
(v) taking into account the nature of the processing, it shall assist the Controller by appropriate technical and organisational measures (at the Controller’s sole expense), insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in the LGPD;
(vi) it shall implement and maintain the technical and organisational measures in relation to the processing of Personal Data by the Processor, as set out in the Data Processing Details, and taking into account the nature of the processing;
(vii) at the choice of the Controller, it deletes or returns all the Personal Data to the Controller after the end of the provision of Services relating to processing, and deletes existing copies unless Data Protection Laws require storage of the Personal Data;
(viii) it will contribute to audits or inspections by making available to the Customer upon request audit reports which the Controller must treat confidentially. The Processor will respond to a written security questionnaire submitted to it by the Controller provided that the Controller will not exercise this right more than once per year;
(ix) in respect of any Personal Data Breach involving Personal Data, the Processor shall, without undue delay notify the Controller of the Personal Data Breach; and provide the Controller with details of the Personal Data Breach. “Personal Data Breach” means any actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;
(x) maintain complete and up to date records of processing activities carried out on the Controller’s behalf as required by the Data Protection Laws.
To the extent that Linte processes any Personal Data on the Customer’s behalf when performing its obligations under this Agreement, the Customer shall:
(i) ensure that the Customer is entitled to lawfully transfer the Relevant Personal data to Linte so that Linte may lawfully use, process and transfer the Personal Data in accordance with this Agreement on the Customer’s behalf;
(ii) ensure that the relevant third parties have been informed of, and have given their permissions or consent to, such use, processing, and transfer as required under Data Protection Laws or other applicable law;
(iii) take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage;
(iv) not instruct or request Linte (including in the Customer’s use of the Services) to undertake any processing which is not in accordance with Data Protection Laws; and
(v) notwithstanding any other indemnity provided by the Customer in connection with this Agreement, the Customer shall indemnify Linte (and each of their respective officers, employees and agents) against all losses, costs, expenses or liabilities incurred by Linte as a result of any breach of this clause.
In the event that each party acts as independent controllers, each party agrees that it shall:
(i) at all times during the term of this Agreement, comply with the Data Protection Laws;
(ii) provide reasonable assistance as is necessary to each other to:
a. enable each party to comply with any subject access requests (whether in relation to access to personal data, rectification, restrictions on processing, erasure or portability) and to respond to any other queries or complaints from their data subjects (“Data Subject Request”) in accordance with the Data Protection Laws;
b. facilitate the handling by the other party of any Personal Data Breach for which the other party is responsible as soon as reasonably practicable upon becoming aware which shall include the applicable supervisory authority and data subjects as required under the Data Protection Laws; and (ii) before such notification, each party agrees not to make any other announcement or otherwise make public any notice or information about a Personal Data Breach without the other party’s approval, where applicable; and
c. provide reasonable assistance as is necessary to the other party to respond within a reasonable time to any enquiries from the applicable supervisory authority.
The Customer shall be responsible for maintaining the security of accounts, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer accounts with or without the Customer’s knowledge or consent.
The Customer acknowledges that it is responsible for taking back-up copies of any data and appropriate precautions to protect the Customer’s computer systems against unauthorised access. If the Customer does anything to or in relation to the Services which is a criminal offence under any law the Customer’s right to use the Services will be withdrawn immediately. Due to the nature of the Internet the Services are not guaranteed to be delivered free of all viruses and technical defects of any description.