
Last Updated: 05.01.2025
This Data Protection Addendum ("Addendum") is entered into by and between MISS obrt za usluge, operating as "Concepta Digital" ("Concepta Digital"), and the customer agreeing to this Addendum ("Customer").
This Addendum becomes effective as of the date the Customer accepts or opts in ("Addendum Effective Date") and supersedes any previous data protection agreements.
If you accept this Addendum on behalf of a legal entity, you confirm that:
You have read and understood this Addendum;
You have full authority to bind the entity;
You accept these terms on behalf of the entity.
If you lack such authority, do not accept this Addendum.
1. Introduction
This Addendum governs Concepta Digital’s processing of Customer’s Personal Data under the terms of the Service Agreement between the parties.
2. Definitions
Unless otherwise defined in this Addendum, all terms shall have the meaning given to them under the EU General Data Protection Regulation ("GDPR"). The following key definitions apply:
"Addendum Effective Date": The date of Customer’s acceptance.
"Adequate Country": A jurisdiction approved by the European Commission as providing adequate data protection.
"Data Subject": Any identified or identifiable person whose Personal Data is processed.
"Personal Data": Data relating to a Data Subject that can be used to identify them.
"Processing": Any operation performed on Personal Data.
"Data Controller": Entity determining the purpose and means of processing.
"Data Processor": Entity processing data on behalf of a Data Controller.
"Data Transfer Mechanism": Lawful mechanism to transfer data outside the EEA.
"Data Protection Laws": All applicable data privacy and protection laws.
"Data Protection Authority": National or regional authority overseeing data protection law.
"EEA": European Economic Area including the EU, UK, and Switzerland.
"Model Contracts": EU-approved Standard Contractual Clauses.
"Security Incident": A breach of security leading to unauthorized access to Personal Data.
"Subprocessor": Any third party engaged by Concepta Digital to process data.
Additional Definitions:
"Details of Processing Subject Matter": The processing of Customer Data under this Addendum.
"Duration of the Processing": Until termination of the Service Agreement and deletion of Customer Data.
"Nature and Purpose of the Processing": To provide the agreed Services.
"Categories of Data": Contact information, usage data, login data, and marketing interactions.
"Security Measures": Commercially reasonable protections against unauthorized access or disclosure.
3. Termination
This Addendum remains in effect as long as the Service Agreement is in force. If any conflict exists between this Addendum and the Agreement, this Addendum prevails regarding data processing.
4. Scope and Applicability
This Addendum applies where Concepta Digital processes Customer Data subject to GDPR.
5. Role and Scope of Processing
The Customer is the Data Controller and Concepta Digital is the Data Processor.
Concepta Digital processes data only on documented instructions from Customer. Customer retains ownership of all Customer Data. Concepta Digital will not use the data beyond what is permitted under the Agreement and this Addendum. Concepta Digital may use Aggregated Anonymous Data for analytics purposes, as allowed in the Agreement.
6. Subprocessing
Concepta Digital may engage Subprocessors under written agreements with equivalent data protection obligations. Concepta Digital remains liable for its Subprocessors.
A list of current Subprocessors is available on request. Concepta Digital will provide advance notice of changes.
7. Security
Concepta Digital will implement and maintain appropriate technical and organizational security measures. Customer is responsible for assessing whether these meet their legal obligations. Security Measures may evolve but will not materially degrade.
8. International Transfers
Concepta Digital may transfer and process data globally, subject to compliance with EU law. If required, parties agree to enter into Model Contracts.
9. Regulatory Compliance
At Customer’s written request and cost, Concepta Digital will assist with regulatory compliance obligations and individual data subject rights requests, where legally required.
10. Reviews and Audits
Concepta Digital will provide responses to reasonable Customer requests related to GDPR compliance.
Audits may be requested:
No more than once annually
During business hours
At Customer's expense
Without exposing systems of other customers or third-party infrastructure
11. Return or Deletion of Data
Upon termination or expiration, Customer may request that Concepta Digital delete or return Personal Data within 90 days. Written confirmation of deletion will be provided. Retained data, if any, will be safeguarded under the terms of this Addendum.
12. Security Incident Notification
Concepta Digital will notify Customer without undue delay upon discovering a confirmed Security Incident, unless prohibited by law.
Notice will include:
Description of the incident and discovery date
Types of data involved
Known or expected consequences
Measures taken to address the breach
13. Subprocessor Changes
Concepta Digital will notify Customer at least 7 days before onboarding any new Subprocessor.
14. Further Cooperation
Concepta Digital will maintain applicable data processing registrations and cooperate as needed with regulatory authorities. Concepta Digital shall provide information required for data protection impact assessments, at Customer’s cost.
Contact Information:
MISS obrt za usluge
Kolhiđanska ulica 10
52100 Pula, Croatia
Email: [email protected]
