Data Protection Agreement

For the purposes of this Data Protection Agreement, the parties acknowledge that it is intended that the Client shall be the Controller and iDenfy (UAB “Identifikaciniai Projektai”) shall be the Processor. By using the Processor’s service the Client agrees to the Data Protection Agreement and Privacy Policy.

  1. DEFINITIONS
    1.1. Other capitalised notions used in the Agreement shall have the following meaning:
    1.1.1. Personal Data Protection Laws means the EU legal acts regulating data protection (including the GDPR) and the national legal acts regulating data protection and/or privacy;
    1.1.2. GDPR means the EU General Data Protection Regulation No. 2016/679;
    1.1.3. Sub-Processor means any entity (including the third parties or the persons associated with the Processor) appointed by the Processor or the person associated with the Processor for processing of personal data on behalf of the Controller.
  2. PROCESSOR’S OBLIGATIONS
    2.1. The Processor undertakes:
    2.1.1. to ensure compliance of the personal data processing with the GDPR and other Personal Data Protection Laws and recommendations of the supervisory authorities;
    2.1.2. to implement appropriate technical and organisational measures for protecting security of the personal data transmitted by the Controller. Such measures must ensure the personal data protection at least against destruction, alteration and dissemination;
    2.1.3. to process the personal data only referring to the instructions as in this agreement and/or given in writing (including electronically) by the Controller. The initial instructions of the Controller related to the data subjects, periods, purposes and manner of personal data processing, also categories of data subjects are set forth in Appendix 1 to this Agreement;
    2.1.4. to assist the Controller in fulfilling its obligations arising out of the Personal Data Protection Laws;
    2.1.5. to ensure confidentiality of the personal data processed as well as other information pertaining to the processing of personal data;
    2.1.6. to notify the Controller without delay of any situations where the Processor must disclose the personal data processed on behalf of the Controller while discharging the duties stipulated in the Personal Data Protection Laws. If the Processor is obligated to disclose the personal data to perform its statutory duty, the Processor shall also adhere to the following rules: (i) shall disclose as little personal data as possible, i.e. only the amount of personal data and the personal data of the nature which is mandatory to disclose when complying with the statutory duty; and (ii) shall disclose the personal data only to those third parties a disclosure to which is mandatory when complying with the statutory duty; and (iii) the Processor must demand from such third parties (each of them) keeping the personal data confidential;
  3. SUB-PROCESSORS
    3.1. The Controller hereby grants the Processor a general authorisation to appoint Sub-Processors in accordance with the present Agreement.
    3.2. The Processor undertakes to engage only those Sub-Processors which would ensure implementation of appropriate technical and organisational measures so that the personal data processing complies with the requirements of the GDPR and other Personal Data Protection Laws, and ensure safeguarding of rights of data subject.
    3.3. The Processor is fully liable for the actions of the Sub-Processors engaged by him, and must ensure that each Sub-Processor complies with the requirements of the Personal Data Protection Laws and the present Agreement.
  4. PERSONAL DATA BREACHES
    4.1. If the Processor (or any Sub-Processor) becomes aware of a personal data breach (incident) which affects or may affect the personal data transmitted by the Controller, the Processor must notify the Controller thereof without delay and at least within 24 (twenty-four) hours, and provide the Controller with comprehensive information enabling the latter to discharge its duties of notifying the supervisory authority and/or data subjects of the personal data breach in accordance with the requirements of the Personal Data Protection Laws.
    4.2. The Processor shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial actions taken. At the Controller’s request, the Processor shall make such documents available (especially when requested by the supervisory authority).
    4.3. The Processor must actively cooperate with the Controller and take such commercially reasonable steps which would (i) contribute to investigating the actual or potential personal data breach, (ii) assist in mitigating and otherwise remedying the consequences caused by such personal data breach, and (iii) help to prevent occurrence of personal data breaches of identical or similar nature in the future.
  5. DESTRUCTION OR RETURNING OF PERSONAL DATA
    5.1. By this agreement Controller without any obligations agrees that collected personal data is for testing purposes and could be destroyed within 14 days from the testing date.
    5.2. On expiry of the present Agreement, the Processor shall – if so selected by the Controller – destroy or return the personal data received from the Controller on the basis of the the present Agreement. The Processor shall ensure that its Sub-Processor/s would also destroy or return the received personal data.
    5.3. The Processor shall be entitled to keep the personal data received from the Controller to the extent they are necessary for compliance with the requirements of the applicable legal acts, also ensuring the protection and confidentiality of all such personal data.
  6. RIGHT TO AUDIT AND THE INFORMATION OBLIGATION
    6.1. The Processor and each person engaged by the Processor for performance of the Agreement must provide the Controller with all its requested information relating to the performance of the Agreement, and must enable the Controller or its authorised auditor to conduct an audit, including the inspections pertaining to the processing of the personal data transmitted by the Controller. The audit must be conducted during regular business hours (so that it does not undermine the ordinary activities of the Processor), with a prior notice given to the Processor thereof and observing the reasonable requirements for confidentiality. Processor shall have the right to reimbursement of costs and work as notified to the Controller prior to providing such assistance.
    6.2. The Processor undertakes to make available for the Controller all the records of activities, system logs, technical and organisational information as well as any other information that is necessary to demonstrate compliance with the obligations stipulated in the present Agreement, GDPR and other legal acts.
    6.3. The Processor undertakes to notify the Controller without delay of any changes in the technical or organisational measures which may affect the data processing operations carried out when performing this Agreement.
  7. TRANSFER OF PERSONAL DATA
    7.1. If it is necessary for proper performance of the Agreement and/or fulfilment of the requirements of applicable legal acts, the Processor may transfer the personal data outside the European Economic Area (the EEA) to a specific data recipient only by duly complying with the provisions of Chapter V of the GDPR (in such case the Processor shall be liable for adequate compliance with the Personal Data Protection Laws when transferring the data outside the EEA).
  8. LIABILITY
    8.1. The Party defaulting on its performance or inadequately performing its obligations assumed under the Agreement shall indemnify for the direct damages of the other Party sustained as a result.
    8.2. In the event the Processor does not perform its obligations set forth in the Agreement, the Controller’s written instructions (including those transmitted electronically), and/or the requirements of the Personal Data Protection Laws, the Controller shall have the right: (i) to terminate the Agreement unilaterally with a notice given to the Processor 10 (ten) calendar days in advance, if the corresponding infringements have not been eliminated by the Processor within the specified time limit, and/or (ii) to prohibit the Processor, without delay and without any prior notice, from further processing of the personal data transmitted by the Controller.
  9. FINAL PROVISIONS
    9.1. In the event of any discrepancies between the terms of this Agreement and other arrangements made between the Parties, the terms of the present Agreement shall apply.
    9.2. Each Party shall assume the obligation to inform, in an adequate manner complying with the provisions of the GDPR, all the natural persons (their employees, authorised persons and other representatives) engaged for the performance of the Agreement and the Master Contract where the data of such persons are or may be transmitted to another Party as a result (e.g., in the process of electronic communication among the Parties’ employees, etc.) that their personal data are or may be transmitted to another Party for the purposes and on the basis of proper performance of this Agreement and the Master Contract.
    9.3. Appendix 1 to the Agreement – Instructions on Personal Data Processing.

Agreement on Provision of Personal Data
Appendix 1

Data Controller (the Controller)
The Data Controller is (briefly specify its activities related to data processing):
[Customer‘s name]

Data Processor (the Processor)
The Data Processor is (briefly specify its activities related to data processing):
UAB “Identifikaciniai projektai”, remote personal identification

Sub-Processors
UAB „Identifikaciniai projektai“ keep a list of subprocessors, to receive sub-processors list, contact directly UAB „Identifikaciniai Projektai“

Categories of data subjects
The transmitted personal data are related to the following categories of data subjects (to be specified):
The potential/existing customers of the Controller, i.e. the natural persons who wish to use services of the Controller or to update information about them and/or Controller

Kinds of personal data
The transmitted personal data are related to the following categories of data (to be specified):
Name, surname, sex, number of the personal ID document, personal ID number (if assigned), date of birth, expiry date of the personal ID document, photograph/s of the personal ID document, date and manner of personal identification, person‘s address (if provided), face images, IP address.

Kinds of special categories of personal data
The transmitted personal data are related to the following special categories of personal data (to be specified):
Biometric data, biometric data collected from facial image/s

Data processing activities (processing operations)
The following main processing operations are carried out with respect to the data (to be specified):
Main processing activity is to try UAB „Identifikaciniai Projektai“ remote identity verification system.
To document facial images of data subjects and the original ID documents shown by the data subjects by means of transmitting a photograph directly through the online system;
to verify whether the data subject who is undergoing the personal identification procedure is the holder of the submitted ID document by means of the online system;
to provide the Controller with a conclusion / data concerning the identity of the data subject;
to store the processed personal data of the Controller.

Place of document storage
(The data centre address to be specified):
Servers of Amazon Web Services – Dublin, Ireland

Other information
(To specify additional information on data processing):
The maximum storage period of the data process is 8 (eight) years from termination of the relations with the Controller.

Consent Text of the Consent:

I hereby consent to the processing of my personal data, including special categories of personal data incl. biometric personal data, for the purpose of verifying my identity and stopping fraud. Subject to this consent, UAB “Identifikaciniai Projektai” an authorised processor of [Customer’s name] will process your personal data, incl. biometric personal data. Without processing biometric data and without this necessary consent, the verification, identification, fraud prevention processes cannot be carried out.

This consent may be withdrawn at any time, but withdrawal of consent shall not affect the lawfulness of the prior processing.

[TICK-BOX] I have read the applicable privacy policies and understand how and for what my personal data is processed.

[TICK-BOX] I agree to the processing of my personal data, incl. special categories of personal data for the purpose of verification and fraud prevention.