1. General terms and conditions
1.1. These Rules for the processing of personal data (hereinafter: RPPD) were introduced so that the processing of personal data transferred by the Client to Port1 in accordance with the Service Agreement concluded between Port One OÜ (hereinafter: Port1) and its Client complies with the General Data Protection Regulation (hereinafter: GDPR) and other applicable data protection laws.
1.2. In the part where the Client transfers personal data to Port1, the Client is the responsible processor of personal data and authorizes Port1 to process personal data. The procedure and rules for the processing of personal data are set out in this RPPD.
1.3. In the event of a conflict between the Service Agreement and this RPPD in relation to the processing of personal data, the Parties apply the RPPD.
1.4. These RPPD are presented on the Port1 website www.port1.ee and are a unilateral commitment.
2. Duties of Port1
2.1. Port1 agrees to the following and confirms that:
(a) Port1 processes personal data only on behalf of the Client and in accordance with his instructions and RPPD, including in connection with the transfer of personal data to a third country or international organization, unless Port1 is required to do so in accordance with applicable law. In such a case, Port1 must notify the Client of this legal requirement prior to processing personal data, unless such notification is prohibited by that law due to prevailing public interests;
(b) if Port1 cannot ensure the processing of personal data in accordance with clause 2.1 (a), Port1 notifies the Client, in which case the Client has the right to suspend the transfer of personal data, and the Client and / or Port1 have the right to unilaterally terminate the operation, notifying the other Party in writing 14 days in advance;
(c) there are no circumstances preventing or precluding Port1’s ability to comply with instructions received from the Client and Port1’s obligations under this RPPD;
(d) Port1 guarantees that the persons authorized to process personal data have undertaken to maintain confidentiality;
(e) Port1 must take all the measures required by Article 32 GDPR and Port1 has implemented technical and organizational security measures to protect personal data from accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular when the processing involves the transfer of personal data over the network, and from other possible illegal processing;
(f) Port1 must immediately notify the Client of the following circumstances:
I. legally binding requests from law enforcement agencies for the disclosure of personal data;
II. cases of accidental and unauthorized access;
III. requests received directly from data subjects;
(g) taking into account the nature of the processing of personal data, Port1 should, as far as possible, assist the Client in fulfilling the Client’s obligation to comply with the legal requirements of the data subject set out in Chapter III of the GDPR by using appropriate technical and organizational measures;
(h) Port1 assists the Client in fulfilling the obligations set out in Articles 32-36 GDPR, taking into account the nature of the processing of personal data and information available to Port1;
(i) Port1 provides the Client with all the information necessary to confirm compliance with the obligations set out in Article 28 of the GDPR and allows, at the Client’s request, an audit of its personal data processing facilities, procedures and storage locations, organized by the Client or an audit body selected by the Client, consisting of independent members with the necessary professional skills and a duty of confidentiality. The costs of the audit are borne by the Customer. Port1 notifies the Client if, in its opinion, the Client’s order in relation to this ITR clause conflicts with applicable law;
(j) Port1 promptly and correctly processes all Client requests related to the processing of personal data, and complies with the recommendations of the supervisory authority regarding the processing of the transferred personal data.
3. Scope and principles of personal data processing
3.1. The Client provides Port1 with access to the following personal data necessary to fulfill the agreement between him and Port1: name, date of birth, address of residence, personal means of communication and methods of communication, as well as other personal data necessary for the implementation of the Service Agreement.
3.2. The parties agree that Port1 processes personal data only for the purposes and within the framework of the provision of the Service and in the manner necessary for the provision of services.
3.3. Port1 stores personal data until the termination of the Service Agreement or until the Client sends an application to Port1 to terminate the processing of personal data (if the retention of personal data is not mandatory in accordance with applicable law).
4. Additional processing
4.1. Customer hereby authorizes Port1 to transfer personal data to the following third parties:
(a) Cooperation Partners to the extent necessary to provide the Services to the Client. The list of cooperation partners is available on the Internet at www.port1.ee.
(b) public authorities of the European Community, Norway and the United Kingdom to the extent necessary to provide the Services to the Customer;
(c) cloud server providers to the extent that Port1 uses such service providers to store data securely (for example, Dropbox (Dropbox, Inc., Dropbox International Unlimited Company)). The transfer of personal information to Dropbox is governed by the European Commission’s model guidelines. The customer has the right to request from Port1 a complete list of cloud server service providers to which Port1 transfers personal data.
4.2. Client hereby grants Port1 general permission to include additional third parties at its sole discretion. In this case, Port1 notifies the client. The customer has the right to file an objection to a new third party within two weeks after notification. In case of objection, the Parties enter into negotiations to add a new third party. If, as a result of negotiations, the Client retains his objection, then he must stop transferring personal data to Port1, and both Parties have the right to terminate the Service Agreement (with RPPD) with 14 days’ notice by sending a written notice to the other Party. …
4.3. Port1 has entered into and will enter into agreements with new third parties that provide reasonable assurance that appropriate technical and organizational measures will be taken to ensure that the processing of personal data complies with personal data protection laws. If a third party fails to comply with its data protection obligations, Port1 is liable to the Client for fulfilling the obligations of that third party.
5.1. RPPD is based on the legislation of the Republic of Estonia. These RPPD are valid while Port1 is processing personal data received from the Client. All indefinite obligations of the Parties remain in force.
5.2. Port1 will update the RPPD on its website as needed, adding the RPPD start date.