Collaboration agreement as associated operator
pursuant to GPDR terms
By continuing
this procedure and the voluntary granting of the necessary consent, the undersigned, acting as
Associated Operator,
I understand that
for the purpose of implementing the GDPR, starting with 25/05/2018,
I shall observe the following legal and social norms provided by the normative acts in force regarding the protection of personal data
:
-
Preamble
The undersigned I am an Associated Operator of the company
LIFE CARE CORP S.R.L.
, with registered office in Chisoda, DN 59, Km. 8+550 m Stanga, CP 284, OP 1, Timis County, registered with the Timis County Trade Register Office under no. J35/1827/2005, fiscal code RO 17639166, and as a result I am under legal relations with this company, reason for which I understand that it is imperative to observe the legal norms regarding personal data protection, more specifically the norms provided by Regulation 679/2016
, hereinafter referred to as the
regulation,
as indicated below.
-
Definitions
1.1 Associated operator –
any entity (natural or legal person), who, based on the written contract or by enlisting on the company site, has the position of "Life Care Partner", according to the multilevel marketing system and who has access to the database ("partner network") of Life Care partners, totally or partially (own structure developed);
1.2 Operator – LIFE CARE CORP S.R.L.
1.3 Regulation -
Regulation 679/2016, of the European Parliament and the Council from 27 April 2016 regarding the protection of natural persons regarding personal data processing and the free flow of these data and for cancelling Directive 95/46/EC (General Regulation regarding data protection)
1.4
The terms
processing, personal data, processing restriction, addressee
and
consent
shall keep their meanings mentioned in the Regulation.
-
Obligations of the Operator
Considering the nature, scope, context and the aims of the processing, as well as risks with various degrees of probability and gravity for the rights and liberties of natural persons, the
operator
applies proper technical and organizational measures in order to guarantee and be able to prove that such processing is done in accordance with this regulation.
The said measures are reviewed and updated if necessary.
When they are proportional in relation to the processing operations, the above-mentioned measures include the operator applying proper data protection policies.
Considering the present level of technology, costs of implementation, the nature, scope, context and aims of the processing, as well as risks with various degrees of probability and gravity for the rights and liberties of natural persons which come along with such processing, the operator, both when establishing the means of processing and when conducting the actual processing, shall apply proper technical and organizational measures, which are destined to efficiently apply the data protection principles, such as minimizing data, integrate the guarantees necessary for the processing, in order to meet the requirements of this regulation and protect the rights of the persons in question.
The
Operator
applies proper technical and organizational measures in order to ensure that, implicitly, only personal data necessary for each specific purpose are processed. That obligation applies to the amount of data collected, the degree of their processing, the storage period and their accessibility. More importantly, such measures ensure that, implicitly, personal data cannot be accessed by an unlimited number of people without the intervention of the person.
-
Obligations of the Associated Operator
The associated operator
processes personal data only based on documented instructions from the operator, observing the rules regarding security and access to the operator's database (user + password, etc.), including regarding personal data transfer to third parties or institutions, or to a third party country or an international organization, except when this obligation is for the person authorized under the EU law or internal law applicable; in this case, this legal obligation is notified to the operator before processing, except when that law forbids such a notification for important reasons related to public interest;
The
associated operator
ensures that the person it authorized to process personal data has undertaken to observe the confidentiality or have a proper statutory obligation to confidentiality;
The
associated operator
adopts all the necessary measures pursuant to article 32 of the regulation:
Considering the nature of the processing, the
Associated Operator
shall inform the Operator about meeting the obligations to answer requests regarding the exercising by the person in question of the rights provided at chapter III of the regulation;
Helps the
operator
, if needed, in ensuring the observation of the obligations provided at articles 32-36 of the regulation, considering the nature of the processing and the information at its disposal;
At the choosing of the
operator
, deletes or returns to the operator all personal data after the services are terminated and eliminates all existing copies, except when the law of the EU or the internal law imposes the storage of personal data;
Makes available to the
operator
all the information necessary for proving the observance of the obligations provided in this article, allows the conducting of audits, including inspections made by the operator or another authorized auditor and contributes to these.
If the
Associate Operator
recruits another person for conducting specific processing activities, the same obligations regarding data protection provided in the contract or another legal act concluded between the
operator
and
Associated Operator
and coming from the provisions of normative acts (as provided in article 28 para. (3) of the regulation), shall apply to the recruited persons.
The responsibility shall be based on a contract or another legal act, based on the EU law or internal law, especially providing enough guarantees for the application of proper technical and organizational measures, so that the processing meets the requirements of this regulation. If the recruited person breaches his/her obligations regarding data protection, the
Associated Operator
shall remain completely liable towards the operator with regard to the execution of that person's obligations.
The
Associated Operator
shall answer the Operator in writing regarding any complaint or request from the Users or state institutions which is about personal data it has collected, manages, or of which it has become aware during the execution of the contract.
-
Data processing
The
Associated Operator
and any person acting under its authority, who has access to personal data, as they are defined by the Regulation and, depending on the case, in the contract, the Terms and Conditions and respectively the personal data processing agreement from the operator's site
club.life-care.com
, shall not process such data without the request / consent of the
operator
, except when the EU law or the internal law obliges it to do so.
The
Associated Operator
keeps a record of the processing activities conducted under its responsibility.
Those record shall contain the following information:
a. the name and contact data of the person or persons from which personal data has been collected for the provision of the services in collaboration with the operator;
b. All the data collected/ supplied from/ by Life Care partners and/or by the Life Care operator, as well as the aim of the data collection;
c. If the case, all personal data transfers to a third party (natural or legal person), third party country or an international organization, including the identification of the third party country or the international organization in question and, in case of transfers provided at article 49 paragraph (1) the second item of the regulation, the documentation which proves the existence of proper guarantees;
d. Where it is possible, a general description of the technical and organizational measures for security mentioned at article 32 paragraph (1) of the regulation.
e. The names of the agents or authorized persons of the
Associated Operator
who collected, had knowledge, managed or archived personal data.
-
The security of personal data
The
Associated Operator
implements proper technical and organizational measures for ensuring a proper security level for this risk, including among others, depending on the case:
a. name designation and encryption of personal data;
b. the capacity to ensure confidentiality, integrity, availability and continuous durability of the processing systems and services;
c. the capacity to restore the availability of personal data and access to them in due time in case there is an incident of physical or technical nature;
d. a process for testing, evaluating and regular assessment of the efficiency of technical and organizational measures for guaranteeing the security of the processing.
The
Associated Operator
shall inform the
operator
without undue delay after it learns of a breach of personal data security.
The notification sent by the
Associated Operator
must contain at least:
a. a description of the nature of security breach regarding personal data, including, if possible, the categories and approximate number of persons in question, as well as the categories and approximate number of personal data records in question;
b. name and contact data of the person responsible with data protection, or another contact point where more information can be obtained;
c. description of the probable consequences of breaching personal data security;
d. description of the measures taken or proposed to be taken by the operator in order to remedy the personal data breach, including, depending on the case, measures for reducing possible negative effects.
-
Other mentions
The
Associated Operator
has the obligation to completely observe the provisions of the regulation, nothing from this agreement making the
Associated Operator
be outside this obligation;
The
Associated Operator
understands that breaching the provisions of the Regulation and the obligations regarding GDPR from the contract, or, depending on the case, from the Terms and Conditions from the site of Life Care Corp SRL,
club.life-care.com
, shall cause losses to the company LIFE CARE CORP S.R.L. and make it liable both contractually and legally for the losses caused.
|