1. PARTIES AND DEFINITIONS
Data Controller: Client – determines the purposes and means of processing personal data
Data Processor: Interactive Media Network SRL (Maximate) – processes personal data on behalf of the Data Controller
Processing: Any operation performed on personal data including collection, storage, use, disclosure, and deletion
2. SCOPE AND NATURE OF PROCESSING
Subject Matter: White-label email marketing services including database cleanup, audience warming, and campaign delivery
Nature of Processing: Automated processing of personal data for email marketing campaign delivery and performance optimization
Purpose of Processing:
- Email campaign delivery and optimization
- Audience segmentation and targeting
- Campaign performance analytics
- Database maintenance and cleanup
Duration: For the term of the main service agreement plus 30 days for data deletion
3. CATEGORIES OF DATA SUBJECTS
- Current customers of the Data Controller
- Former customers of the Data Controller
- Prospective customers who have provided consent
- Business contacts and leads
4. CATEGORIES OF PERSONAL DATA
Primary Data:
- Email addresses
- First and last names
- Phone numbers
- Customer status indicators (loyal, inactive, etc.)
Technical Data:
- IP addresses
- Device information
- Email engagement behavior
- Browsing patterns
Content Data:
- Email content (retained for 30 days)
- Campaign performance data
- Segmentation preferences
5. PROCESSOR OBLIGATIONS
Data Security:
- Implement AES-256 encryption for data at rest
- Use TLS 1.3 encryption for data in transmission
- Maintain role-based access controls
- Provide comprehensive access logging
Staff Training:
- Ensure all personnel understand data protection requirements
- Implement confidentiality obligations for all staff
- Provide regular security awareness training
- Perform background verification for administrative personnel
Processing Instructions:
- Process data only on documented instructions from the Data Controller
- Immediately notify the Controller if, in the Processor's opinion, an instruction conflicts with GDPR
- Maintain detailed records of all processing activities
- Implement appropriate technical and organizational measures
6. SUB-PROCESSING
Authorized Sub-processors:
- SparkPost (Email delivery)
- SendGrid (Email delivery)
- SMTP2GO (Email delivery)
- MailTrap (Email delivery)
- SendPulse (Email delivery)
- ElasticEmail (Email delivery)
- Google Analytics (Website analytics)
- Payment processing services (Billing)
Sub-processor Obligations:
- All sub-processors bound by equivalent data protection obligations
- Written contracts with all sub-processors
- Regular compliance monitoring and assessment
- Immediate notification to the Controller of any sub-processor changes
7. DATA SUBJECT RIGHTS
Right to Access:
- Provide assistance in responding to data subject requests
- Deliver requested data in CSV format within 7 business days
- Verify data subject identity through secure means
Right to Rectification:
- Correct inaccurate data within 48 hours of notification
- Maintain an audit trail of all data modifications
- Notify all relevant sub-processors of corrections
Right to Erasure:
- Delete data within 24 hours of a verified request
- Confirm deletion across all systems and backups
- Provide written confirmation of complete erasure
Right to Data Portability:
- Export data in structured CSV format
- Ensure data compatibility with common formats
- Facilitate seamless data transfer to other controllers
8. SECURITY MEASURES
Technical Measures:
- Encryption for all data storage and transmission (AES-256 at rest, TLS 1.3 in transit, as specified in section 5)
- Intrusion detection and prevention systems
- Regular security monitoring and alerting
- Automated backup and disaster recovery procedures
Organizational Measures:
- Access controls based on the principle of least privilege
- Regular security audits and vulnerability assessments
- Incident response procedures and documentation
- Business continuity and disaster recovery plans
9. DATA BREACH NOTIFICATION
Notification Timeline:
- Immediate notification to the Data Controller upon discovery
- Notification to ANSPDCP (the Romanian supervisory authority) within 72 hours, coordinated with the Controller
- Documentation of all breach response activities
Breach Response:
- Immediate containment and mitigation measures
- Comprehensive investigation and root cause analysis
- Implementation of corrective measures
- Regular communication with affected parties
10. DATA RETENTION AND DELETION
Retention Periods:
- Active processing: duration of the service agreement
- Post-contract: 30 days for orderly data return
- Backup systems: 30 days maximum retention
- Compliance records: 30 days for audit purposes
Deletion Procedures:
- Secure deletion using industry-standard methods
- Verification of complete data removal
- Written certification of deletion completion
- Deletion of all backup copies and logs
11. AUDITING AND INSPECTION
Audit Rights:
- Data Controller may request compliance documentation
- Annual self-assessment reports provided
- Third-party audit rights upon reasonable notice
- Full cooperation with regulatory investigations
Documentation:
- Detailed records of all processing activities
- Security measures and incident response logs
- Sub-processor agreements and compliance monitoring
- Training records and policy documentation
12. INTERNATIONAL DATA TRANSFERS
Transfer Restrictions:
- All processing occurs within European Union jurisdiction
- Sub-processors located in EU countries with adequate protection
- No transfers to third countries without appropriate safeguards
- Compliance with all applicable transfer regulations
13. LIABILITY AND INDEMNIFICATION
Processor Liability:
- Liable for damages caused by processing violations
- Indemnification for claims arising from processing failures
- Limitation of liability as specified in the main service agreement
14. TERM AND TERMINATION
Duration: This DPA remains in effect for the duration of the main service agreement plus 30 days for data deletion
Termination Effects:
- Immediate cessation of all data processing
- Secure return or deletion of all personal data
- Termination of all sub-processor agreements
- Final compliance reporting and documentation