Personal Data Processing Appendix


This Personal Data Processing Appendix (this “Appendix”) is part of the General Terms and Conditions for the Subscription to SMU OS Services, and applicable to the Agreement, to the extent therein determined. Any capitalized terms under this Appendix shall have the meanings given to them under the Terms and Conditions.

The parties to the Agreement agree as follows:  

  1. Purpose of the assignment of personal data processing

By virtue of the clauses of this Appendix, Company is hereby authorized, in its capacity as PROCESSOR, pursuant to the provisions of the applicable regulations (hereinafter, the “PROCESSOR”), to process on behalf of Customer, in its capacity as controller (hereinafter, the “CONTROLLER”), the personal data necessary to provide the service that constitutes the subject matter hereunder.

The personal data processing shall consist of:

  • Management of services for employees of the Controller.

Completion of the processing activities to be carried out:
















through transmission













  1. Identification of the information concerned

In order to perform the obligations arising from the compliance with the subject matter of this assignment, the CONTROLLER provides the PROCESSOR with the following information:

• HR data.







  • Name and Surnames
  • Contact details and employer’s identifying data (name of company/organization, position, duties, etc.)
  • Data related to the services provided

  1. Term

The term of this Exhibit shall be equal to that of the Agreement. Once the Agreement is terminated, the PROCESSOR shall return to the CONTROLLER the personal data and erase any copy that may be in its power.

  1. Obligations of the Processor

The processor and all its staff agree to the following:

  1. Use the personal data being processed, or the data collected for their inclusion, for the sole purpose of this assignment. In no case shall it be authorized to use the data for personal purposes.
  2. Process the data in accordance with the instructions given by the controller. Should the processor consider that any of the instructions violates any provision related to data protection, the processor shall immediately inform the controller of this.
  3. Keep a written record of all the categories of processing activities performed on behalf of the controller, which shall contain:
  1. Name and contact details of the processor(s) and of every controller on whose behalf the former is acting and, where applicable, the representative of the controller or of the processor and the data protection officer.
  2. The categories of processing conducted by every controller.
  3. If applicable, the transfers of personal data to a third country or international organization, including the identification of such third country or international organization, and any requirements applicable in accordance with the relevant data protection regulations.
  1. A general description of security technical and organizational measures related to:
  1. The pseudonymization and encryption of personal data.
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  4. The process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  1. Not to transmit the data to third parties, unless the processor has the express authorization of the controller, in the legally admissible scenarios.

The processor may transmit the data to other processors of the same controller in accordance with the instructions given by the controller; in which case, the controller shall previously identify in writing the entity that shall receive the data, the data to be shared and the security measures to apply in order to proceed to the communication.

If the processor must transfer personal data to a third country or an international organization, it shall previously inform the controller of such requirement, unless such notice is prohibited it for important public interest reasons.

  1. Subcontracting.

The processor is hereby authorized to subcontract with the companies that conduct auxiliary production tasks to develop the services contracted between the parties. The performance of obligations entailed in the following processing activities:

  • Production of mediums
  • Logistical tasks
  • Production of management computer applications

In any case, the details of the subcontractor shall be updated in the Clients’ privacy policy, including at least corporate data, contact details and type of service provided, in the following link (

In order to subcontract with other companies, the processor shall inform this to the controller in writing, specifying the subcontractor company and its contact details in a clear and unmistakable manner. The subcontracting may occur provided that the controller does not object to it within 7 days.

The subcontractor, which is also deemed as a processor, is equally obliged to comply with the duties established herein for the processor and the instructions imparted by the controller. The original processor shall regulate the new relationship so that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and the same formal requirements as it, with respect to the suitable processing of personal data and the safeguard of the rights of the persons concerned. Should the deputy processor commit breach, the original processor shall remain fully liable before the controller for the performance of the obligations.

  1. Keep the duty of secret in respect of the personal data it may have accessed hereunder, even after the termination of its subject matter.
  1. Ensure that the persons authorized to process personal data agree to respect confidentiality and comply with the relevant security measures –which they shall be conveniently informed of– expressly and in writing.
  1. Keep the supporting documentation of the performance of the obligation stated in the section above available to the controller.
  1. Ensure the necessary training in personal data protection of the persons authorized to process personal data.
  1. Assist the controller in the response to the exercise of the rights to:

1. Access, rectification, erasure and objection

2. Restriction of processing

3. Data portability

4. Not to be object of automated individual decision-making (including the creation of profiles)

When the persons concerned exercise the rights to access, rectification, erasure and objection, restriction of processing, data portability and the right not to be object of automated individual decision-making before the processor, the latter shall inform this to the controller by email to the address usually used by the parties. The communication shall be sent immediately and in no case after two working days following the date on which the request is received, together with, as the case may be, any further information that may be relevant to settle the request.

  1. Right to information 

The controller shall facilitate the right to information when the data are collected. In any case, the Processor shall be as transparent as possible and shall have its privacy policies published so that they can be readily accessed and consulted.

  1. Notice of violations to data security

The processor shall give notice to the controller, without undue delay, and in any case prior to the maximum term of 48 hours, and through the usual channel of communication, of any security violations of the personal data it is in charge of and which it becomes aware of, together with all further relevant information for the documentation and communication of the incident.

The controller shall inform the data security violations to the Data Protection Authority according to the parameters below.

Notice shall not be necessary where it is unlikely that such security violation constitutes a risk for the rights and liberties of individuals.

If resort is had to the notice, it shall provide, at least, the following information:

  1. Description of the nature of the security violation of personal data, including, whenever it is possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.
  2. The name and contact details of the data protection officer or other contact point where further information may be obtained.
  3. Description of the potential consequences of the security violation of personal data.
  4. Description of the measures adopted or put forward to remedy the security violation of personal data, including, if applicable, the measures used to mitigate potentially negative effects.

Where it is not possible to provide the information simultaneously, and as long as it remains impossible to do so, the information shall be given gradually and without undue delay.

Notice of security violations to the supervisory authority or to data subjects shall be given by the Controller.

The processor shall communicate as soon as possible any violations or breaches of security of data to data subjects, when it is expressly appointed by the collector for that purpose and on a case by case basis; provided that the controller considers that the processor shall communicate such breach of security to the data subjects in a quicker and more detailed manner.  This circumstance shall occur in cases where it is likely that the violation or breach implies a higher risk for the rights and liberties of individuals.

The communication shall be given in a clear and plain language and shall, at least:

a) Explain the nature of the data violation.

b) Indicate the name and contact details of the data protection officer or other contact point where further information may be obtained.

c) Describe the potential consequences of the security violation of personal data.

d) Describe the measures adopted or put forward by the controller to remedy the security violation of personal data, including, if applicable, the measures used to mitigate potentially negative effects.

  1. Offer the controller support in the performance of impact assessments related to data protection, whenever applicable.
  1. Offer the controller support in the performance of prior consultations to the supervisory authority, whenever applicable.
  1. Make available to the controller all the necessary documentation to demonstrate compliance with its obligations and the performance of audits or inspections conducted by the controller or other auditor authorized by the controller.
  1. Implement the following security measures:

The following security measures, in accordance with the risks assessment made by the

processor. This assessment is regularly revised:





modification or alteration of personal data

of functions through access profiles

of monitoring of on-net threats


loss or erasure of personal data


in different locations

to restore availability


access to personal data

of access control





of the productive database are obfuscated for the environments of
development, test and final acceptance by user (UAT)


resilience of systems

for regularly testing, assessing and evaluating effectiveness

  1. Appoint a data protection officer and communicate its identity and contact details to the controller

To contact the Entity: 

  1. Destiny of data

Destroy the data once the provision of services of the main agreement is complied with. Once destroyed, the processor shall certify their destruction in writing and deliver the certificate to the controller.

Nevertheless, the processor may keep a copy –with the data duly blocked– while liabilities may arise from the performance of the obligation.

5. Obligations of the Controller

The controller shall:

  1. Deliver the data mentioned in the second clause herein to the processor.
  1. Perform an assessment of the impact on personal data protection of the processing operations to be conducted by the processor.
  1. Have the relevant prior consultations.
  1. Ensure that the processor complies with the applicable data protection regulations prior to and during the whole processing.
  1. Supervise the processing, including the performance of inspections and audits.
  2. Timely obtain any required authorizations for the processing or transfer of any Personal Data shared with the PROCESSOR.