Article 1: Purposes of Processing


1.1. The Processor shall process personal data solely based on Controller’s directives within the scope of this agreement, primarily for cloud data storage and associated online services, website and server hosting, and other related or consent-based purposes.
1.2. Details of personal data types and data subject categories are specified in Appendix 1. The Processor commits to processing personal data exclusively for the purposes outlined by the Controller.
1.3. All processed personal data remains under the ownership of the Controller and/or relevant data subjects.

Article 2: Processor’s Obligations


2.1. The Processor is committed to adhering to applicable personal data protection laws, including the GDPR.
2.2. Upon request, the Processor will provide the Controller with documentation of compliance measures related to this agreement.
2.3. All Processor’s obligations are also binding for any person processing personal data under its authority.
2.4. The Processor will notify the Controller if any instructions violate data protection laws, and assist in conducting data protection impact assessments when feasible.

Article 3: Transfer of Personal Data


3.1. Data processing is restricted within the EU, unless explicit consent is provided for transfers outside the EU.
3.2. The Processor will inform the Controller of any data transfer to countries outside of the EU.

Article 4: Division of Responsibility


4.1. Processing activities are conducted by the Processor’s employees within an automated environment.
4.2. The Processor is responsible for the agreed processing tasks and not for other data activities initiated by the Controller.
4.3. The Controller is responsible for the legality of data collection and the accuracy of data provided to the Processor.

Article 5: Engaging Third Parties or Subcontractors


5.1. The Processor may engage third parties within the framework of this agreement and will inform the Controller about any subcontractors used.
5.2. All third parties will be contractually obliged to comply with the same data protection commitments as the Processor.
5.3. The Processor is accountable for any actions of its subcontractors as if it were its own.

Article 6: Security Measures


6.1. Appropriate technical and organizational measures will be implemented to protect personal data against unauthorized processing or loss.
6.2. The Processor does not guarantee absolute security but commits to maintaining a reasonable level of security appropriate to the risk.
6.3. The Controller is responsible for ensuring that data transferred to the Processor is securely managed.

Article 7: Breach Notification


7.1. The Controller is responsible for notifying any data breaches to the supervisory authorities and affected parties. The Processor will assist by reporting any detected breaches within 24 hours.
7.2. All security breaches, no matter their impact, must be reported.

Article 8: Handling Data Subject Requests


8.1. If data subjects contact the Processor directly, their requests will be forwarded to the Controller for resolution.

Article 9: Confidentiality and Privacy


9.1. All personal data processed by the Processor is treated confidentially and will not be used for any purposes other than those specified.
9.2. This confidentiality obligation does not apply if data disclosure is legally mandated or previously agreed upon with the Controller.

Article 10: Audit Rights


10.1. The Controller has the right to audit the Processor’s compliance with this agreement, either directly or through a third-party auditor.
10.2. Audits should be carried out in response to concrete suspicions of data misuse.
10.3. The Processor agrees to cooperate fully with audit activities.
10.4. The costs of any audit are borne by the Controller.

Article 11: Liability


11.1. The Processor’s liability for damages resulting from non-compliance is limited to the amount paid to the Processor by the Controller in the month preceding the incident.
11.2. Liability for indirect damages, such as lost profits or data, is excluded.
11.3. Liability limits do not apply in cases of gross negligence or willful misconduct by the Processor.

Article 12: Duration and Termination


12.1. This Agreement is valid for the duration of the Main Agreement between the parties.
12.2. Upon termination, the Processor will return or delete all personal data unless otherwise agreed.
12.3. Amendments to this agreement are handled as per the terms of the Main Agreement.

Appendix 1.1: Specification of Personal Data


Data Types: Includes personal identifiers, contact details, financial information, and online identifiers.
Data Subjects: Customers and website visitors.
Controller’s Responsibilities: The Controller guarantees the completeness and legality of the personal data provided and indemnifies the Processor against any inaccuracies.

This agreement outlines the formal engagement

between Telemagic B.V. (Processor) and its customers (Controllers) ensuring both parties commit to compliance with GDPR and other relevant data protection regulations.