Data Processing Agreement (DPA)
Last Updated: [Current Date]
This Data Processing Agreement ("DPA") forms part of the Terms of Service between tehnoinvestmens ("Processor" or "We") and you ("Controller" or "You"), the user of tehnoinvestmens's services, concerning the Processing of Personal Data.
This DPA applies where and to the extent that tehnoinvestmens processes Personal Data on behalf of the Controller in the course of providing services (as described in our Terms of Service and Privacy Policy). This DPA is intended to satisfy the requirements of Article 28(3) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under UK data protection law.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation or set of operations which is performed on Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purpose of this DPA, You are the Controller.
- "Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. For the purpose of this DPA, tehnoinvestmens is the Processor.
- "Sub-processor" means any third-party data processor engaged by the Processor who agrees to receive from the Processor Personal Data exclusively intended for processing activities to be carried out pursuant to the terms of this DPA and the Terms of Service.
2. Processing of Personal Data
2.1. Scope and Details of Processing
- Nature and Purpose of Processing: To provide Controller with access to tehnoinvestmens's financial literacy courses and related services, including responding to inquiries submitted via the contact form, managing user accounts (if applicable), and facilitating course delivery.
- Duration of Processing: For the duration of the Controller's use of the Service, or as long as required by law or agreed upon in the Terms of Service.
- Types of Personal Data: Name, email address, phone number (if provided), IP address, course progress data, communications content, and any other data submitted by the Controller or its end-users through the Service.
- Categories of Data Subjects: Users of the tehnoinvestmens website and services, including individuals who contact tehnoinvestmens or enroll in courses.
2.2. Processor's Obligations
Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Take all measures required pursuant to Article 32 of the GDPR (Security of Processing). This includes implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor (Sub-processor).
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
3. Controller's Obligations
Controller warrants that:
- It has complied, and will continue to comply, with all applicable data protection laws, including GDPR, in respect of its processing of Personal Data and any processing instructions it issues to the Processor.
- It has obtained all necessary consents from Data Subjects for the processing of their Personal Data by the Processor in accordance with this DPA and the Service.
- It is solely responsible for the accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data.
4. Sub-processing
Controller provides a general authorization for Processor to engage Sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
Where Processor engages a Sub-processor, it will do so by way of a written contract which imposes on the Sub-processor the same data protection obligations as are imposed on the Processor under this DPA.
A list of current Sub-processors (e.g., hosting providers, payment processors if applicable) can be provided upon request by the Controller.
5. Data Subject Rights
Processor shall, to the extent legally permitted, promptly notify Controller if it receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, erasure ("right to be forgotten"), data portability, right to object to the processing, or right not to be subject to automated individual decision-making ("Data Subject Request"). Taking into account the nature of the processing, Processor shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to a Data Subject Request under applicable data protection laws.
6. Security Measures
Processor will implement and maintain appropriate technical and organizational security measures to protect Personal Data from security incidents and to preserve the security and confidentiality of the Personal Data, as described in our Privacy Policy and internal security policies. These measures will be reviewed and updated as necessary.
7. Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Data. Processor shall make reasonable efforts to identify the cause of such Data Breach and take those steps as Processor deems necessary and reasonable to remediate the cause of such a Data Breach to the extent the remediation is within Processor’s reasonable control.
8. Term and Termination
This DPA shall remain in effect as long as Processor processes Personal Data on behalf of Controller under the Terms of Service. Upon termination of the Services, Processor will, at Controller's instruction, delete or return all Personal Data, unless legally required to retain it.
9. Governing Law
This DPA shall be governed by the laws of the United Kingdom.
10. Contact
For any inquiries regarding this DPA, please contact tehnoinvestmens at [email protected].