1. GENERAL INFORMATION
Between

NIALUM, with Tax ID number __________, registered office at __________, and email address __________, hereinafter referred to as the Data Processor.

And

The Educational Center, with Tax ID number __________, registered office at __________, and email address __________, hereinafter referred to as the Data Controller.

It is agreed

That the Data Processor commits to processing the personal data of the Data Controller in accordance with the following

Stipulations

First. Purpose of the data processing assignment

The processing will consist of: Rental of customized software for the management of the Alumni community.

Specification of the treatments to be carried out: conservation, registration, communication, and access.

Access will only be carried out when necessary for the maintenance of the software and the provision of the service, and it will be done in a controlled and secure manner, respecting the established security measures.

Second. Identification of the affected information

The types of personal data and categories of data subjects that are processed are as follows:

Identification and contact data of students, alumni, teachers, and staff of the educational center.
Academic and professional data of students and alumni.
Billing and payment data of the educational center.

Third. Duration

The duration of this contract will extend from the date of its acceptance until the termination of the service contracted by the Data Controller, or until the Data Controller requests the deletion or return of the personal data.

Fourth. Obligations of the Data Processor

The Data Processor is obliged to:

Process the personal data only following the documented instructions of the Data Controller, unless there is a legal obligation that requires it, in which case the Data Processor will inform the Data Controller of that legal requirement prior to processing, unless that law prohibits it for important reasons of public interest.
Not communicate the data to third parties, except with the express authorization of the Data Controller, or in legally admissible cases. If the Data Processor has to transfer the data to a third party for the correct provision of the service, it must inform the Data Controller beforehand and in writing, identifying the assignee and the purpose of the transfer. The assignee will be bound, by contract, to the same obligations as the Data Processor, and the Data Processor will be responsible for the actions of the assignee as if they were its own.
Maintain the duty of secrecy regarding the personal data to which it has access under this contract, even after its termination. The Data Processor guarantees that it has informed the personnel involved in the processing of the data of these obligations, and that it has obtained from them a commitment to confidentiality or that they are subject to a legal obligation of confidentiality.
Ensure that the persons authorized to process the personal data commit, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, about which they must be properly informed.
Make available to the Data Controller all the information necessary to demonstrate compliance with its obligations, as well as to allow and contribute to the performance of the audits or inspections carried out by the Data Controller or another auditor authorized by them.

Fifth. Security measures

The Data Processor commits to applying the appropriate technical and organizational security measures to protect the Platform and the personal data stored and processed on it, in accordance with the GDPR and applicable national legislation.
These measures include:

Use of HTTPS encryption in data transmissions
Perimeter firewalls
Intrusion Detection Systems (IDS)
Antivirus software on all systems
Daily backups with a 30-day retention
Authentication using username and password
Authorization based on profiles
Annual internal audits
Business continuity policy with server redundancy and backup center
Access control policy with customized permissions

Sixth. Obligations of the Data Controller

The Data Controller is obliged to:

Provide the Data Processor with the personal data necessary for the correct provision of the contracted service, ensuring that they are adequate, relevant, and limited to what is necessary for the purposes of the processing.
Ensure that the personal data have been obtained lawfully, fairly, and transparently, and that they have the consent of the data subjects or another legal basis that legitimizes the processing.
Inform the Data Processor of any limitation, condition, or modification that affects the processing of the data, for example, the revocation of consent by the data subjects, the exercise of their rights, or the rectification or deletion of the data.
Monitor compliance with the GDPR and this contract by the Data Processor, and carry out the consultations deemed appropriate to verify it.
Respond to the data subjects and the control authorities for any damages arising from processing that infringes the GDPR, without prejudice to the responsibility that corresponds to the Data Processor.

Seventh. Subcontracting

The Data Processor may subcontract other data processors to carry out specific processing activities, provided that it has the prior written authorization of the Data Controller. The Data Processor must inform the Data Controller of any planned change regarding the incorporation or replacement of other data processors, giving them the opportunity to oppose such changes.
The subcontracted data processor will be bound, by contract, to the same obligations as the Data Processor, and the Data Processor will be responsible for the actions of the subcontracted processor as if they were their own.

Eighth. International data transfers

The Data Processor may carry out international data transfers, that is, transfer personal data to a country or international organization located outside the European Economic Area, provided that it has the prior written authorization of the Data Controller, and that the conditions established in the GDPR are met.