Data Processing Agreement

By this private instrument and in the best form of law, the parties below named and qualified:

 

 OPERATOR: Is referred to as BIMachine in the Term of Agreement for the Rendering of Services entered into between the parties, which is hereby represented in the form of its articles of incorporation; and;

CONTROLLER: is referred to as the Client in the Agreement of Adhesion to the Rendering of Services entered into between the parties, which is hereby represented in the form of its acts of incorporation.

 

WHEREAS, the Controller wishes to contract the services offered by the Operatorand that, on account thereof, the Parties wish to implement the present Data Processing Agreement in order to meet the legal provisions applicable to the species, mainly, with regard to the General Data Protection Law (Law No. 13,709 of 2018).

 

By common Agreement, the parties qualified above execute this instrument, which shall be governed by the legal provisions applicable to the species and terms and conditions of the clauses described below, namely:

1.1 The terms listed below shall have the following definitions:

 

(i) Agreement: Concerns the present Data Processing Agreement;

 

(ii) Personal Data: All information relating to an identified or identifiable natural person processed by the Operatoron behalf of the Controller on account of the Service Provision Agreement entered into;

 

(iii) LGPD: Refers to the General Law on Personal Data Protection (Law No. 13,709 of 2018);

 

(iv) Controller: Who is responsible for decisions regarding Data Processing;

 

(v) Operator: Performs Data Processing on behalf of the Controller;

 

(vi) Handlers: jointly, Operatorand Controller;

 

(vii) Officer: the person appointed by the Controller and Operatorto act as a communication channel between the Controller, the holders of Personal Data and the National Data Protection Authority – ANPD;

 

(viii) National Data Protection Authority – ANPD: public administration body responsible for overseeing, implementing and supervising compliance with the LGPD throughout the national territory;

 

(ix) Transfer of Data: Refers to the Personal Data obtained by the Controller that are transferred to the Operatorby virtue of the Service Provision Contract signed. In addition, it refers to the authorized transfer of the Personal Data to the third parties listed in Addendum I by the Operator, in compliance with the legal requirements applicable to the species;

 

(x) Data Processing: Any operation performed with Personal Data, such as those relating to the collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction;

 

(xi) Contract: Refers to the Term of Adhesion to the Rendering of Services to be signed/signed between Controller and Operatorto which it integrates this Agreement, and both instruments shall be interpreted jointly;

 

(xii) Services: Refer to the services and functionalities offered by the Operatorto the Controller by virtue of the executed Agreement.  

2.1 The Operator hereby declares and undertakes to: (i) Comply with all the provisions provided for in the LGPD; and, (ii) Not perform Data Processing in disagreement with the instructions given by the Controller.

 

2.2 On the other hand, the Controller hereby undertakes to provide all the information, guidelines and all the other informational support that the Operator requires to perform the Data Processing activity.

 

2.3 The Processing of collected Data will be carried out according to the following scheme:

3.1. The Operator will take all reasonable measures to ensure that all its employees, service providers, agents, or third parties listed in Addendum I, and who are part of its economic group or who may have access to the information provided by the Controller, will have limited access to such information, which will be permitted only for the fulfillment of their professional obligations arising from the contract entered into.

 

3.2 During the term of this instrument and after its termination or rescission, the Operator, its employees, agents, affiliates and third parties listed in Addendum I, undertake to keep under strict secrecy all commercial, accounting, administrative information and the Personal Data disclosed by the Controller, refraining from using them for their own benefit or for the benefit of third parties.

4.1 The Controller hereby states that, as provided for in Article 50 of the LGPD, it maintains a governance and management program for Personal Data that:

 

(a) Demonstrates its commitment to adopt internal processes and policies that ensure compliance, in a comprehensive manner, with standards and good practices regarding the protection of Personal Data eventually shared with the Operator;

 

b) It is applicable to the whole set of Personal Data that are under your control, regardless of how they were collected;

 

c) It is adapted to the structure, scale and volume of its operations, as well as to the sensitivity of the Personal Data processed;

 

d) Establishes adequate policies and safeguards based on a systematic evaluation process of impacts and risks to privacy;

 

e) It has the objective of establishing a relationship of trust with the data subject, through transparent actions that ensure mechanisms for the data subject’s participation;

 

f) It is integrated to its general governance structure and establishes and applies internal and external supervision mechanisms;

 

g) It has incident response and remediation plans; and

 

h) It is constantly updated based on information obtained from continuous monitoring and periodic evaluations.

 

4.2. The Controller undertakes to transmit all information relating to its Personal Data governance and management policy to the Operator, which, in turn, will undertake to implement and respect it as far as it is concerned, as well as to transmit it to the third parties listed in Addendum I.

 

4.2.1 If the Controller does not pass on the information described above, the Operatorwill adopt the Personal Data management policy it deems appropriate and that is in accordance with its operational reality, respecting the legal requirements applicable to the species.

5.1. The details of the Transfer of Data will be defined between the Handling Agents in accordance with Addendum I, via communication channels maintained between them.

6.1 The Controller declares and warrants that:

 

(a) The Data Processing is done and will remain done in accordance with the legal provisions applicable to the species;

 

(b) It will instruct the Operatorso that the Data Processing is carried out in accordance with its guidelines and the provisions set out herein, as well as in compliance with the legislation applicable to the species;  

 

(c) The security measures implemented are appropriate to protect the Personal Data collected against attacks or accidental loss and/or alteration, use and/or unauthorized access, as well as against all other forms of improper Data Processing, stating and warranting that said measures provide an appropriate level of security against the risks inherent in the performance of the activities of the Processors, taking into account the security standards expected in the market;

 

(d) In the event that it becomes necessary to share Personal Data, will obtain authorization to do so;

 

(e) Will make a copy of this instrument available to the owners of the Personal Data that may eventually be subject to Data Processing;

 

(f) In the event of sharing Personal Data to carry out the Data Processing, the security measures adopted will be observed in the same manner;

 

(g) Together with the Operator, appoint an Officer who will be responsible for facilitating communication with the holders of Personal Data, as well as with the National Data Protection Authority – ANPD.

 

6.2 The Operator declares and warrants that:

 

(a) It will perform the Data Processing provided by the Controller in accordance with its instructions, the terms provided for in this instrument, as well as the legal provisions applicable to the species. Should this not be possible, the Operator shall be ready to inform the Controller immediately.

 

(b) None of the orientations passed by the Controller infringes the legislation applicable to the species, or even the provisions contained in this instrument.

 

(c) It has a technical and security organization able to meet the measures requested by the Controller.

 

(d) Will promptly inform the Controller of: any need to pass on the Personal Data provided to the competent authorities, upon official request duly substantiated; any incident with the Personal Data provided; or of any unauthorized access to the Personal Data provided;

 

(e) Will promptly respond to any inquiries made by the owner of the Personal Data eventually provided by the Controller, promptly complying with their requests;

 

(f) Will promptly meet any requests made by the competent authorities upon reasoned request;

 

(g) Will make a copy of this instrument available to the owners of the Personal Data who may eventually request it;

 

(h) If it needs to share the Personal Data eventually provided by the Controller with third parties, it will request the Controller‘s authorization, and will also make every effort to obtain the prior consent of the holder;

 

(i) Together with the Controller, will appoint an Officer who will be responsible for enabling the communication with the owners of the Personal Data eventually passed on, as well as with the National Data Protection Authority – ANPD.

7.1 The Parties agree that when the Controller shares Personal Data with the Operator, for purposes of Data Processing, and any event occurs which causes damage to the holder of the Personal Data, the Controller shall be solely responsible for compensating the holder.

 

7.1.1 The Operator shall only be liable to compensate the holder of the Personal Data shared if the event which caused him/her harm arises from the exclusive fault of the Operatoror any of the third parties listed in Addendum I.

 

7.1.2 If the damage arises from the concurrent fault of the Operator, the third parties listed in Addendum I and the Controller, the Parties will share equally the responsibility to compensate the holder of the Personal Data.

 

7.2 If the Operator, without having been at fault, comes to be sued judicially or administratively by the holder of the Personal Data eventually passed on by the Controller, the latter will be ready to denounce the suit and exclude the Operator from the passive pole of the demand, bearing any eventual indemnifications, fines, penalties, court costs, administrative costs and attorney’s fees eventually incurred.

7.2.1 If, for whatever reasons, it is not possible to exclude the Operator, and the latter is ordered to compensate the holder of the Personal Data, the Controller is hereby obliged to reimburse the Operator for all the costs it incurs, without prejudice to compensation for any losses and damages.

8.1. In order to provide its Services in favor of the Controller, the Operator shall share the Personal Data provided with the service providers listed in Addendum I, under penalty of making the service unfeasible. 8.1.1.

 

8.1.1 The Controller hereby authorizes the sharing of the Personal Data provided to the Operator.

 

8.1.2 Should the Operator need to share the Personal Data provided by the Controller with a third party that is not listed in Addendum I, it will need to request prior authorization from the Controller.

 

8.1.3 Should the Operator need to share Personal Data eventually provided by the Controller with a third party not listed in Addendum I, it will need, in addition to prior authorization from the Controller, to obtain express authorization from the holder of the Personal Data.

 

8.2 The Operator shall enter into private instruments with each of the third parties listed in Addendum I, imposing compliance with the same obligations provided for in this Agreement, making all third parties listed observe the Personal Data security measures passed on by the Controller to the Operator.

 

8.2.1 If, for any reason, the Operator is unable to ensure that the third parties listed in Addendum I comply with the security measures referred to above, it will inform the Controller, who will decide whether or not it is possible to proceed with the Data Processing, being liable to the holders of the Personal Data eventually shared.

 

8.3 Should any of the third parties listed in Addendum I fail to comply with the Controller‘s guidelines passed on by the Operator, they shall be liable to compensate the Controller and/or the Operator and/or the holder of the Personal Data, without prejudice to the injured party seeking further compensation for the losses and damages experienced.

 

8.3.1 It is the Operator’s obligation to inform the third parties listed in Addendum I of the provision set out in Clause 8.3, either by means of a private instrument, verbal Agreement or any other channels of communication that the parties maintain.

 

8.4 The Operator shall keep the list of third parties with whom it shares the Personal Data passed on by the Controller updated, as well as undertake to pass on such list to the Controller in the occurrence of any changes.

9.1 The Controller agrees to make a copy of this instrument available to the competent authorities upon legally founded request in accordance with the legislation applicable to the species.

 

9.2 The parties agree that the National Data Protection Authority – ANPD, upon legally founded request in accordance with the legislation applicable to the species, may audit the data held by the Controller, the Operator and the third parties listed in Addendum I.

10.1 The Parties agree that, unless otherwise provided by law, upon termination of the Data Processing, or when the purpose of the Services offered is achieved, or when the Data Processing proves insufficient to achieve the intended purposes, the Operator and the third parties listed in Addendum I will return such Personal Data, and their respective copies and records, to the Controller. Alternatively, the Operator and the third parties indicated in Addendum I may destroy the Personal Data provided by the Controller, it being the responsibility of these to send the Controller the respective proof.

11.1 This instrument translates the Parties’ complete will and supersedes any and all other Agreements, conventions, or understandings, verbal or written, signed between them previously, provided that they are related to the object of this instrument, which, upon their signature, hereby lose all their validity and effectiveness, being replaced by this contract, the only valid document that embodies the parties’ reciprocal rights and obligations.

 

11.2 The tolerance by any of the parties in relation to the non-compliance with any of the provisions contained herein shall not mean, at any moment or under any hypothesis, waiver to the rights related to such provisions, shall not affect, under any pretext, the validity of this instrument, in whole or in part, and shall not hinder the right of the prejudiced party to demand the compliance of any and all obligations due by the defaulting party.

 

11.3 The invalidity, ineffectiveness or unenforceability of any of the provisions contained herein shall not invalidate or render ineffective or unenforceable any of the other provisions contained herein, which shall remain in full force and effect, and the parties undertake to negotiate and use their best efforts to agree on the necessary measures to remedy such provisions of any vices.

 

11.4 This instrument may be reformed or amended, at any time, by mutual consent of the parties, provided that by written instrument vested with the same formalities as this one.

 

11.5 This instrument is irrevocable and irreversible, binding not only the parties but also their successors in any capacity.

 

11.6 This instrument does not establish any form of partnership, employment relationship, joint liability, subsidiary and/or joint liability between the parties, nor may it be construed as a mandate or agency.

 

11.7 The parties declare and agree that this instrument constitutes an extrajudicial execution instrument.

12.1 This instrument shall be interpreted in accordance with the laws in effect in the Federative Republic of Brazil, being elected the Forum of the County of Lajeado / RS, to judicially resolve any controversies arising from the agreed upon by means of this instrument.

 

And for being so just and agreed, sign this Instrument, which consists of two copies of equal content, for one sole purpose, along with the two witnesses who attended the act, so that it may produce its legal and juridical effects.

To provide the services contracted by the Controller, the Operator will need to share the Personal Data provided with the professionals and companies listed below, undertaking to keep the information provided herein duly updated: