Terms and conditions on processing of personal data when providing services under the Technical Support Agreement

Zabbix SIA, a company registered in the Republic of Latvia under registration number 40003738045 (hereinafter “Zabbix”) and legal organization that is using Zabbix support services (hereinafter “Company”) set out the terms and conditions that regulate the processing of personal data (hereinafter “Terms and Conditions”) when Zabbix is providing services to Company under the applicable agreement between parties based on the Technical Support Terms and Conditions (“Service Agreement”) between the parties.

  1. Processing as separate controllers

    1. Parties are regarded as separate controllers of personal data processing activities, each conducting data processing activities for their own purposes (for example, the processing of personal data of contact persons of the other party). Each party, as separate controller, is responsible of compliance with the General Data Protection Regulation.
    2. Each party is responsible that they are transferring data to the other party with compliance of the General Data Protection Regulation.

  2. Processing on behalf of a controller

    1. Zabbix technical support service is designed to eliminate the need to process natural person data as a processor of the Company, however, in some cases this may be necessary. If such necessity arises, the Company is obliged to provide documented instructions to Zabbix about this.
    2. Company shall take reasonable endeavors to ensure that the processing of personal data has been and will continue to be carried out in accordance with applicable Data Protection Legislation.
    3. Where processing is to be carried out on behalf of the Company as a controller, parties shall be governed by the terms and conditions under Section 2 of these Terms and Conditions: “Processing on behalf of a controller”. The nature and purpose of the processing, the type of personal data and categories of data subjects, anticipated term of processing and the obligations of parties are set out in Service Agreement or other documented instructions from the controller.
    4. Taking into account the nature, scope, context and purposes of processing, Zabbix as a processor processes personal data with the highest level of care, skill, diligence and confidentiality, and solely in accordance with Company's documented instructions and Service Agreement.
    5. Zabbix limits access to the personal data only to authorized and properly trained personnel who have committed themselves to confidentiality.
    6. Taking into account the nature of the processing Zabbix assists the Company with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company's obligation to respond to requests for exercising the data subject's rights laid down in General Data Protection Regulation and to respond to requests from the supervisory authority.
    7. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 36 hours after having become aware of it, notify the personal data breach to the Company. The notification shall:
      1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
      2. describe the likely consequences of the personal data breach;
      3. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    8. Zabbix have the right to subcontract the processing of personal data with sub-processors, including in a third country. Such subcontracting and the resulting sub-processing is carried out in accordance with these Terms and Conditions. At the written request of the Company, Zabbix shall provide a list of all current sub-processors and processing locations of the personal data.
    9. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
      1. the pseudonymization and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
    10. If the Company provides such documented instructions, Zabbix shall delete the personal data and existing copies, after the end of the provision of services relating to processing, unless Union or Member State law requires storage of the personal data.

  3. Miscellaneous

    1. The Parties agree that the requests of data subjects, authorities and third parties shall be primarily transferred between the parties in accordance with their obligations under these Terms and Conditions, Service Agreement and applicable laws. In the case of such requests, parties shall use all reasonable and proportionate measures to avoid loss to themselves and / or the other party.
    2. These Terms and Conditions are an integral part of the Service Agreement. The governing law and dispute resolution, assignment and amendment terms and conditions of the Service Agreement shall be applied to these Terms and Conditions. In the event of any contradiction, inconsistency, or other discrepancy between the terms of the Service Agreement and the terms of these Terms and Conditions, Service Agreement shall prevail.

The latest update of this policy was on August 19th, 2019.