Data Processing Schedule
This Data Processing Schedule (“Schedule”) to the Agreement shall apply where the provision of services (the “Services”) by Digital and Legal s.r.o. (“Green0meter”) to you (“Customer”) involves the processing of Personal Data which is subject to Privacy Laws and Green0meter acts as Processor on behalf of the Customer as the Controller. This Schedule does not apply where Green0meter is the Controller. In the event of conflict between this Schedule and the Agreement, this Schedule shall control with respect to its subject matter.
“Agreement” means the Framework Agreement between Customer and Green0meter for the provision of the Services to the Customer.
“Controller” means an entity which, alone or jointly with others, determines the purposes and means of the processing of the Personal Data.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means any information relating to an identified or identifiable natural person which is processed by Green0meter in the performance of the Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under this Schedule.
“Privacy Laws” means any data protection and privacy laws to which a party to this Agreement is subject and which are applicable to the Services provided, including where applicable, GDPR.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an entity which processes the Personal Data on behalf of the Controller.
Processing of Personal Data
2.1 Roles of the Parties
Green0meter may process Personal Data under the Agreement as a Processor acting on behalf of the Customer as the Controller.
Green0meter will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that this Schedule, the Agreement and any subsequent statements of work or services orders, and any configurations by Customer or its authorized users, comprise Customer’s complete instructions to Green0meter regarding the Processing of Personal Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Green0meter is not responsible for determining if Customer’s instructions are compliant with applicable law. However, if Green0meter is of the opinion that a Customer instruction infringes applicable Privacy Laws, Green0meter shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
2.3 Processing Details
Subject matter and duration of the Processing
The subject matter and duration of the Processing shall be in accordance with the subject and duration of the Agreement and related documentation.
Purpose of Processing
Personal Data will be processed for the purpose of creation of ESG audits, scores, reports and/or to measure Carbon Footprint of the Customer or its suppliers. The Agreement and the relevant service descriptions and statements of work shall apply for the specifics and possible additional services.
Nature of Processing
The nature of the Processing comprises reporting tools, Excel spreadsheets, AI and further analytical tools used exclusively in relation to the Purpose and Subject matter of the Processing.
Customer and Green0meter agree to comply with their respective obligations under Privacy Laws applicable to the Personal Data that is Processed in connection with the Services. Customer has sole responsibility for complying with Privacy Laws regarding the lawfulness of the Processing of Personal Data prior to disclosing, transferring, or otherwise making available, any Personal Data to Green0meter.
4.1 Technical and organisational security measures
Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Personal Data on Green0meter systems, Green0meter shall implement appropriate technical and organizational security measures to ensure that the security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Personal Data are commensurate with the risk in respect of such Personal Data. Green0meter will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Personal Data, and ensure these risks are addressed.
4.2 Technical Progress
The Information Security Measures are subject to technical progress and development and Green0meter may modify these provided that such modifications do not degrade the overall security of the Services provided under the Agreement.
Green0meter shall ensure that persons authorized to access the Personal Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access the Personal Data only upon documented instructions from Green0meter, unless required to do so by applicable law.
Personal Data Breach
Green0meter will notify the Customer without undue delay after becoming aware of a Personal Data Breach in relation to the Services provided by Green0meter under the Agreement and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
Deletion of Personal Data
Upon termination of the Services (for any reason) and if requested by Customer in writing, Green0meter shall, as soon as reasonably practicable, return or delete the Personal Data on Green0meter systems unless applicable law requires storage of the Personal Data. Green0meter may defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from Green0meter’s systems. For such retention the provisions of this Schedule shall continue to apply to such Personal Data. Green0meter reserves the right to charge Customer for any reasonable costs and expenses incurred by Green0meter in deleting the Personal Data pursuant to this clause.