AML – GDPR information clause

As at 25 May 2018

Definitions:

For the purposes of these Rules:

The 'REGULATION' means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), known as GDPR.

'Personal data breach' means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

In connection with a contract for the provision by amavat® of services to the Client and in connection with the fact that personal data entrusted by the Client are to be processed on behalf of the Client:

  1. amavat® represents that it provides sufficient guarantees of implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the Regulation and protects the rights of the data subjects.
  2. Each instance of provision of personal data by the Client to amavat® (with a view to performing the contract for the provision of services) is regarded as an instruction to process them.
  3. If not agreed otherwise (i.e. if no special personal data processing agreement has been entered into), the processing by amavat® of personal data provided to it by the Client is done in accordance with these Rules. In particular this means that:
    a) amavat® processes such personal data exclusively on a documented instruction from the Client – this also applies to transfers of personal data to third countries or international organisations – unless such an obligation is imposed on it by Union law or the domestic law of the country to which amavat® is subject; in such a case, before the processing is commenced, amavat® informs the Client of the legal obligation, unless that law prohibits such information on important grounds of public interest;
    b) amavat® ensures that persons authorised to process personal data undertake to maintain confidentiality or that they are under an appropriate statutory obligation of confidentiality;
    c) amavat® undertakes all measures required under Art. 32 of the Regulation;
    d) amavat® complies with the terms of use of services of another processor;
    e) amavat®, taking account of the nature of the processing, within its capabilities, helps the Client, by using appropriate technical and organisational measures, to fulfil the obligation to respond to data subjects’ requests regarding the exercise of their rights laid down in Chapter III of the Regulation;
    f) amavat®, taking account of the nature of the processing and information available to it, helps the Client to perform his obligations set out in Art. 32–36 of the Regulation;
    g) after the completion of the provision of services related to the processing, amavat®, at the choice of the Client, permanently erases or returns to the Client all personal data, and deletes all of their existing copies, unless there is a requirement to store the personal data under Union or domestic law;
    h) amavat® makes available to the Client all information necessary for demonstrating fulfilment of the obligations set out in this Section, and enables the Client or the auditor authorised by the Client to conduct audits, including inspections, and contributes to them.

In connection with the obligation set out in Subsec. h), amavat® immediately informs the Client if in its opinion an instruction received from the Client violates the Regulation or any other Union or domestic legal regulation regarding data protection.

  4. The Client confirms that he consents to the use by amavat® of services of other processors, including, but not limited to, other members of the getsix® Group, which are listed on https://getsix.eu/company-information/ and the HLB Partner Law Offices, listed on https://amavat.eu/about-us/member-firms/ (depending on the country which the service regards).

    The Client may lodge an objection against the use by amavat® of services of other processors. Lodging of an objection in respect of a party that plays a key role in the provision of services by amavat® may result in the need to terminate the contract for the provision of services.
  5. If in order to perform specific processing activities on behalf of the Client amavat® makes use of services of another processor, such processor is made subject – under an agreement or another legal act bound by Union or domestic law – to the same data protection obligations as those specified in these Rules, in particular the obligation to provide sufficient guarantees of implementation of appropriate technical and organisational measures so that the processing meets the requirements of the Regulation. If such another processor has failed to fulfil its obligations related to data protection, amavat® is fully liable to the Client for meeting the obligations of such processor.
  6. The agreement or another legal act referred to in Sec. 5 is in writing, e.g. in electronic form.
  7. Without prejudice to Art. 82, 83 and 84 of the Regulation, if amavat® has violated the Regulation in determining the purposes or ways of processing, it is regarded as the controller in respect of such processing.
  8. amavat® undertakes to notify the Client immediately in the following situations:
    a) each request for making personal data available to a competent public authority, unless such notification is banned under the legal regulations;
    b) each confirmed or suspected personal data breach (within 24 hours);
    c) each request from a person whose data amavat® processes on behalf of the Client; amavat® will not respond to such a request.