CleanShot Cloud Data Processing Addendum
Last update: December 22, 2021
Whereas, on the basis of the Terms of Service, MTW and the User have started co-operation in which MTW provides services to the User as part of the Application, in the course of which personal data are processed (“Services”), MTW and the User conclude a personal data processing agreement as part of the Terms of Service in the form of this Data Processing Addendum.
This Data Processing Addendum (“DPA”) is a supplement to and an integral part of the Terms of Service of the Platform, which can be found here. All words defined in the Terms of Service have the same meaning in the DPA.
By accepting Terms of Service, the User also accepts DPA and represents that it is the Personal Data Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR” or “Regulation”), in particular personal data processed in connection with provision of the Services.
MTW represents that it is the Personal Data Processor within the meaning of the GDPR, in particular with regard to personal data processed in connection with provision of the Services, and further that it holds adequate measures, including due safeguards, which enable the processing of personal data in accordance with the provisions of the GDPR, and warrants that it undertakes any measures required under Article 32 of the GDPR and fulfils the requirements prescribed in Article 28 of the GDPR.
Personal data shall be processed by MTW only for the purpose of correct provision of the Services. Data shall be processed by MTW for the term of the co-operation between the User and MTW and the provision of the Services by MTW.
As part of the Agreement MTW shall process data referring to the following categories of persons: Application users, other persons whose data have been fixed in screenshots and recordings in connection with the use of the Application by a user in accordance with the Terms of Service.
The processing shall comprise the following personal data: first and last name and ID of the User, e-mail address, image, other data which have been fixed in screenshots and recordings in connection with the use of the Application by the user in accordance with Terms of Service and DPA.
The processing shall comprise only those data which are essential for MTW to properly co-operate with the User and which have been entered into the Application by the User.
The processing of data shall be understood as any operation performed on personal data, such as collecting, recording, storing, developing, altering, making available and erasing, in particular that performed in IT systems. The processing shall be carried out in electronic form.
MTW shall process personal data upon documented, i.e. in the form of an e-mail or in writing, order of the User. Acceptance of Terms of Service with DPA shall also constitute an order for processing.
MTW is obliged to maintain, for the entire term in which it processes personal data, any measures and safeguards connected with data processing in accordance with the generally applicable legal provisions, in particular in line with the requirements of the GDPR.
Furthermore, MTW: i) ensures that persons authorised to process personal data agree to keep confidentiality or are made subject to the relevant statutory confidentiality obligation; ii) shall take all measures required pursuant to Article 32 of the GDPR; iii) taking into account the nature of processing, MTW shall assist the User by appropriate technical and organisational measures, insofar as possible, to fulfil the obligation to respond to data subjects’ requests for exercising their rights laid down in chapter III of the GDPR; iv) taking into account the nature of processing and available information, MTW shall assist the User in satisfying the obligations prescribed in Articles 32 to 36 of the GDPR; v) shall provide the User with any information necessary to prove fulfilment of the obligations prescribed in this section, and shall enable the User or an auditor authorised by the User to carry out audits, including inspections, and shall contribute thereto, with a proviso that the User is obliged to notify MTW of a planned audit at least 14 days in advance.
In the case of a personal data breach, without undue delay – as practicable but no later than within 36 hours from establishing the breach – MTW shall report it to the User, unless there is little probability that the breach would give rise to the risk of infringement of rights or freedoms of natural persons.
MTW may transfer the transferred personal data to a third country (i.e. beyond the European Economic Area), in particular to the United States of America. In such a case, MTW shall transfer personal data on the basis of model contractual clauses, where both MTW and its counterparty shall undertake to ensure an appropriate level of security of the personal data. Prior to signing the model contractual clauses, MTW shall verify each of its counterparties which would have access to the personal data and assess whether the country to which the personal data would be transferred enables enforcement of the User’s rights and provides the User with effective legal remedies.
If the European Commission issues a decision in which it determines whether the relevant third country ensures the appropriate level of personal data protection, then transferring personal data to such country may also proceed on the basis of such decision.
Where it is not possible to apply the model contractual clauses and there is no decision of the European Commission as mentioned above, then personal data shall be transferred only in special cases understood as performance of an agreement concluded between the User and a data subject or implementation of pre-contractual measures taken upon request of a data subject (as per Article 49.1(b) of the GDPR) or conclusion or performance of an agreement concluded in the interest of a data subject between the User and MTW (as per Article 49.1(c) of the GDPR). Also in such case MTW shall carry out thorough verification of each of its counterparties which would have access to the personal data so as to ensure their maximum security, and the Parties undertake to satisfy all their obligations under Article 49 of the GDPR.
In each case where personal data are transferred to a third country, the User is authorised to obtain a copy of such data.
MTW may transfer the data transferred by the User for processing to other entities for the purpose of performance of the Agreement and as part of the MTW’s internal processes for handling the User (general consent of User). You can find here the full list of such entities (sub-processors).
MTW shall notify the User of any planned change involving engagement or replacement of other processors at least 7 (seven) business days before the planned date on which such other processor commences processing, thereby enabling the User to object to the use of another processor by MTW. In the absence of such objection, the User shall be deemed to have given its consent to such change.
MTW is obliged to ensure that the provisions of the agreement concluded with the entity to which it transfers the data transferred by the User for processing reflect the provisions related to data protection as agreed upon between the User and MTW in this Agreement and the GDPR recommendations in this scope.
If personal data are sub-transferred for processing to entities from third countries, such sub-transfer shall take place on the basis of respective model contract clauses or decisions of the European Commission, i.e. in particular on the basis of the model contract clauses included in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries issued on the basis of the GDPR, and decisions stating that the relevant third countries ensure the appropriate level of personal data protection.
MTW shall be held liable for any damage caused to third persons which arose in connection with non-performance or improper performance of the personal data transfer clauses of these Terms of Service, in particular in connection with the processing of the transferred personal data by MTW in violation of the Agreement. In order to avoid any doubt, MTW shall be held liable for actions of its employees and other persons through which it processes the transferred personal data as for its own actions or omissions. MTW shall be held liable for any damage caused to third persons which arose in connection with non-performance or improper performance by the entities to whom data have been transferred under the sub-transfer agreement.
MTW shall not be held liable for the transferred personal data being disclosed to unauthorised persons, taken by an unauthorised person, damaged or destroyed, where the foregoing is caused exclusively by an action or omission of the User.
In the case of termination or expiry of the Agreement or the co-operation between the Parties, MTW, depending on the decision of the User, is obliged to immediately erase or return the transferred data and to delete any existing copies, unless the generally applicable legal provisions require it to store personal data. The copy of the data kept in backups produced by MTW will be deleted within 30 days from the date of its creation. After that time, upon each request of the User, MTW is obliged to present within 7 (seven) days a written declaration confirming the fact that personal data have been destroyed from the MTW’s main system, both from backup copies and archive copies.