Personal Data Processing

Annex to Data Processing Agreement

  1. Type of Personal Data

    1. You permit that we, on behalf of you and without your involvement, process Personal Data between you and your Data Subjects.

    2. You alone are responsible for:

      1. securing lawful processing in relation to all types of personal data processed.

      2. any sanctions against unlawful processing in relation to all types of personal data processed.

  2. Categories of Data Subjects

    1. You permit that we, on behalf of you and without your involvement, process Personal Data between you and your Data Subjects.

      1. For clarity, we do not know which categories Data Subjects may belong to, be it customers, suppliers, contractors, children, employees, patients etc.
    2. You alone are responsible for:

      1. securing lawful processing in relation to all categories of Data Subjects.

      2. any sanctions against unlawful processing in relation to all categories of Data Subjects.

  3. Subject-matter

    1. You permit that we:

      1. record the Consent Event Data between you and your Data Subjects.

      2. transfer and store the Consent Event Data within Signatu at Amazon Web Services (“AWS”) in Ireland.

      3. combine all Consent Event Data of a specific Data Subject to create a Consent Event Data Record History of the specific Data Subject.

      4. search and retrieve all Consent Event Data Records of a specific scope, e.g. consent for marketing.

    2. You are solely responsible for:

      1. writing the content of your Consent Request to Data Subjects. We may provide consent request default texts (e.g. for cookie consent banners), which you can edit in the Data Processing Dashboard.

      2. whether your Consent Request (content, formulations, cookie consent banner design, consent banner design etc.) to Data Subjects fulfills the requirements of the GDPR.

      3. whether a Consent is valid and how long it lasts.

      4. whether you further process the Consent Event Data in conflict with your initial processing purposes.

      5. determining whether and how a Data Subject can be given access to the Consent Event Data history.

      6. which information to give to us to enable us to identify and/or authenticate your Data Subjects in order to be able to verify whether or not a Data Subject previously has granted permission towards you which in turn will give the Data Subject the right to terminate his or her permission.

      7. copying and transferring copies of the Consent Event Data to you for your purposes.

      8. how you store the back-up copies of the Consent Event Data, including whether Consent Event Data are stored in a form which permits or does not permit authentication of Data Subjects.

  4. Processing Nature

    1. You permit that we, on behalf of you and without your involvement, record, store, search, retrieve, combine, copy and transfer the Consent Event Data between you and your Data Subjects, as instructed by you in this Data Processing Agreement and as initiated by your use of the Signatu Consent REST API.

    2. You alone are responsible for:

      1. securing lawful processing in relation to all means used for your and our processing and all your and our processing actions.

      2. any sanctions against unlawful processing means and actions in relation to the Personal Data.

  5. Processing Purpose

    1. You permit that we, on behalf of you and without your involvement, process the Consent Event Data between you and your Data Subjects for the purpose of enabling you to demonstrate the recordings of the Consent Event Data towards you, your Data Subjects, Supervisory Authorities and other legal or natural persons.

    2. You alone are responsible for:

      1. securing lawful processing in relation to the processing purposes.

      2. any sanctions against unlawful purposes in relation to the processing actions on the Consent Event Data.

  6. Effectuating processing in accordance with consent events

    1. You are solely responsible for:

      1. effectuating your processing in accordance with the Data Subject’s consent events. For example, if a Data Subject refuses to consent or withdraws consent to cookies and remote resources (such as scripts, pixel tags etc), you are solely responsible for not setting cookies, for deleting cookies, for not loading remote resources etc.

  7. Transfers of Personal Data

    1. You permit that we, on behalf of you and without your involvement, transfer and store our recordings of the Consent Event Data between you and your Data Subjects at AWS within the EU.

    2. If you transfer Consent Event Data from Signatu at AWS in the EU to a third country or an International Organisation, then you are solely responsible for the transfer, including:

      1. securing lawful transfer of Consent Event Data from Signatu at AWS in the EU to the third country or an International Organisation.

      2. any sanctions against unlawful transfer of Consent Event Data from Signatu at AWS in the EU to the third country or an International Organisation.

  8. Processing Duration

    1. You alone are responsible for:

      1. securing lawful processing in relation to the duration of processing of all Consent Event Data.

      2. any sanctions against unlawful processing in relation to the duration of processing of all Consent Event Data.

  9. Analytics

    1. You grant us an irrevocable right toward you that:

      1. We keep, analyse and create statistics and knowledge and research insights about the Consent Event Data between you and your Data Subjects with regard to all the Consent Event Data - except User ID, Authentication details and Token, and that the results and intellectual property rights of such analysis and statistics shall belong to us exclusively.

      2. We use our statistics and research insights about the Consent Event Data to improve our Consent Service, e.g. to understand and implement which permission requests are likely to be accepted or refused, to improve the consent request dialogue between you and Data Subject, etc.

    2. You acknowledge and agree that when we do not process User ID, Authentication details and Token when analysing and creating statistics, knowledge and research insights about the Consent Event Data, then:

      1. we do not process Personal Data and we are unable to re-identify Data Subjects.

      2. we do not determine the purposes and means of the processing of your Consent Event Data and shall therefore not be considered to be a Controller in respect of the processing.