A. THE CLIENT authorizes XS Design S.L to access information containing personal data for which THE CLIENT is responsible, for the provision of the service indicated in the first stipulation. Specifically, for the execution of the services derived from the fulfillment of the purpose of this assignment, THE CLIENT makes personal data available to XS Design S.L for processing, specifically for the performance of the contracted services.
B. XS Design S.L commits to respecting all obligations that may correspond to it as the data processor in accordance with the provisions of the current data protection regulations, specifically those set out in Article 28 of the General Data Protection Regulation 2016/679 (hereinafter GDPR) and any other applicable supplementary provision or regulation.
C. XS Design S.L will only process data in accordance with the instructions expressly received from THE CLIENT and will not apply or use the data provided by the controller for purposes other than those specified in the external collaboration contract.
D. XS Design S.L guarantees confidentiality in all information about activities, organization, systems, internal operations, services, and any other data or information about THE CLIENT to which it has access, subject to the duty of professional secrecy.
E. XS Design S.L commits not to disclose, transfer, assign, or otherwise communicate the files or data contained therein, whether verbally or in writing, through electronic means, on paper, or via computer access, even for storage purposes, to any third party (except for transfers authorized by law). To this effect, XS Design S.L may only allow access to the data to those employees who need to know it for the provision of the contracted services.
F. When the affected individuals exercise their rights of access, rectification, deletion, and opposition, limitation of processing, data portability, and not to be subject to automated individual decision-making, with XS Design S.L, it must communicate this via email to the address indicated by THE CLIENT. The communication must be made immediately and in no case later than the next working day following receipt of the request, together, where appropriate, with other information that may be relevant to resolving the request.
G. XS Design S.L declares that it has adopted all appropriate technical and organizational measures to guarantee a level of security appropriate to the risk as stipulated in Article 32 of the GDPR. Thus, XS Design S.L applies all security measures that are applicable to the data being processed, following an analysis of the risks involved in processing personal data.
H. Furthermore, XS Design S.L will assist THE CLIENT in ensuring compliance with the obligations established in Articles 32 to 36 of the GDPR, specifically:
a) XS Design S.L will communicate any data security breaches to THE CLIENT without undue delay upon becoming aware of them.
b) XS Design S.L must carry out an impact assessment in accordance with Article 35 of the GDPR, if applicable.
I. Once the contractual service is fulfilled, XS Design S.L will return to the data controller, within a month, all documentation and supports in its possession containing personal data. If for any reason this return cannot be carried out, XS Design S.L will proceed to the immediate destruction of the data, and must certify in writing said return or destruction. The foregoing will always be carried out unless the retention of personal data is required under Union or Member State law.
J. The data processor will make available to THE CLIENT all necessary information to demonstrate compliance with the obligations established in Article 28 of the GDPR, as well as to allow and contribute to the performance of audits, including inspections, by the controller or another auditor authorized by the controller.
K. In general, subcontracting is not authorized in contracts that involve the delivery of personal data. However, should XS Design S.L need to subcontract services entrusted to it by the data controller, XS Design S.L will inform in advance of the identity of the subcontractor for approval. The subcontractor will be required to comply with the security measures described in this document.
L. In accordance with the reference regulations, the parties are informed that their personal data will be processed by the other party as responsible, with the purpose of maintaining the contractual relationship. Such data is necessary, so if it is not provided, the desired relationship between the parties cannot be established.
M. The non-fulfillment of the obligations set forth in this contract or resulting from the current data protection legislation will determine that the data processor is considered responsible for the same, answering for the infractions that may have been incurred.
N. This contract for third-party data access has the same validity as the service provision agreement or contract existing between XS Design S.L and THE CLIENT.