Legal document

Data processing agreement

This data processing agreement has been created, managed, and kept up-to-date by Conseno.

Last updated: May 30, 2024

1. Introduction

1.1. Company Overview

Conseno OÜ, also referred to as “Conseno,” “we,” “us,” or “our,” is a software-as-a-service company specializing in consent and data compliance solutions. Our Service, named “Conseno,” is designed to help organizations adhere to the General Data Protection Regulation (GDPR) and other international privacy regulations. It focuses on streamlining processes related to obtaining consents for the collection, processing, transfer, storage, and archiving of personal data.

1.2. Role as Processor

In delivering its solutions, Conseno may occasionally serve as a Processor on behalf of its customers, managing data in accordance with customer instructions and legal requirements.

1.3. Purpose of this Data Processing Agreement (DPA)

This DPA specifically governs the responsibilities and obligations of Conseno and its customers under GDPR, particularly as outlined in Article 28, when Conseno acts as a Processor for the processing of data. It does not cover instances where Conseno serves as the Controller of Customer Data.

2. Definitions

For clarity and legal precision within this document and any annexes, the following terms, when capitalized, carry the meanings outlined below, regardless of their use in singular or plural form:

  • “Customer”: Any entity or individual that uses the Conseno Service.
  • “Customer Data” means any information, content, or materials that you submit through the Service or Conseno collects on behalf of you to your Conseno Account, including from Third-Party Services.
  • “Personal Data”: Also referred to as “Data,” this term is defined by Article 4.1 of the GDPR as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • “Entrusted Data”: Personal Data that is processed by Conseno on behalf of the Customer.
  • “DPA”: Data Processing Agreement. This document sets out the terms under which personal data processing is carried out by the processor, Conseno, on behalf of the controller, the Customer.
  • “Data Subject(s)”: Natural persons whose Personal Data is processed by the parties involved in this agreement.
  • “General Data Protection Regulation (GDPR)”: Refers to Regulation (EU) 2016/679 by the European Parliament and of the Council dated 27 April 2016, concerning the protection of individuals with regard to the processing of personal data and on the free movement of such data, enforceable since 25 May 2018.
  • “Inactive Account” means any Conseno Account and its associated users that are on a free trial plan and where none of the associated users under that Conseno Account have logged into the Service for a period of twenty-four (24) months or more.
  • “Sub-processors”: Third-party service providers engaged by Conseno to help fulfill its contractual obligations, who are also required to process Data pursuant to the service agreement.
  • “Service”: Conseno’s proprietary consent and data compliance platform, which encompasses systems, applications, tools, content, technical interfaces and related support activities, collectively known as the “Service”.
  • “Processing”: Defined by Article 4.2 of the GDPR as any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
  • “Violation”: Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

3. Purpose of the DPA

3.1. Role of Conseno as Processor: When the Customer utilizes the Service, Conseno may process personal data on behalf of the Customer, acting as a Processor as defined under the GDPR.

3.2. Scope and Compliance of the DPA: This DPA outlines the terms under which Conseno, adhering to applicable regulations, processes personal data on behalf of the Customer to facilitate the effective use of Conseno Service. This agreement specifies the obligations and responsibilities of Conseno to ensure compliance with the GDPR and other relevant data protection laws.

4. Controller

4.1. Role of the Customer as Controller: According to the General Data Protection Regulation (GDPR), the Customer acts as the Controller of the Data that is entrusted to Conseno for processing.

4.2. Determination of Data Purposes: The Customer has the authority to define the purposes for which the collected Data is processed.

4.3. Provision of Instructions: The Customer is responsible for ensuring that Conseno’s method of processing data complies with their obligations.

5. Retention Period and Management of Entrusted Data

5.1. Definition of Retention Period: The duration for which Conseno retains the entrusted data is outlined in Section 7 of this document. The Customer may further define this period through documented instructions, specifying exact terms for data retention.

5.2. Data Retrieval: At any time, the Customer has the ability to retrieve their entrusted data using the designated interface provided by Conseno. This ensures continuous access to their data as needed.

6. Details of Personal Data Processing

6.1. Personal Data Processed About Users of Customer Websites and Applications:

  • Consent ID: A randomly generated and unique identifier for each end-user.
  • Consent record: A randomly generated and unique identifier for each consent decision made by the end-user.
  • Masked IP Address: Partial IP address to identify the country or region of the end-user.
  • Consent Data: Information related to the user’s consent choices concerning cookies and similar technologies usage, including the date and time of choice, consent status (accepted all, accepted partially or accepted necessary), and the types of cookies, similar technologies and services involved.
  • Device and Browser Information: Details such as the type of device or browser used by the end-user.
  • Browsing Data: Information such as the date and time of page views generated by end-users, UTM parameters associated with end-users, and document referrer related to the end-user.

6.2. Type of Processing: Conseno provides a consent and data compliance management platform that facilitates the request and collection of consent for the processing of personal data.

6.3. Purpose of Processing:

  • Consent Management: Creation, storage, and provision of a consent register to document user choices.
  • Usage Statistics: Compilation of aggregate statistics concerning the interaction with the consent banner and overall website usage by visitors.

6.4. Data Subjects:

  • Website or Application Users: Individuals visiting the customer’s sites or applications.
  • Customer Employees: Personnel who manage or interact with the Conseno platform.

6.5. Processing Duration: The data is processed and retained for the duration of the business relationship (as long as the customer maintains a service plan). If the Conseno account has been deleted, the Customer Data will also be permanently deleted with no possibility of restoration.

6.6. Sub-processors:

Primary sub-processors that are processing personal data included in data uploaded by Customer or its users to the Conseno Platform, as part of the Services.

Infrastructure:

subprocessors - infrastructure

Affiliates:

subprocessors - affiliates

7. Information and Documentation

7.1. Accessibility to Policies: As part of its transparency efforts, Conseno ensures easy access to its Terms of Service and Privacy Policy by providing a link on its website. This enables Customers to readily review the policy and understand the measures in place to protect their data.

8. Control Audit

8.1. Provision of Compliance Information: Conseno commits to providing the Customer with all necessary information to demonstrate compliance with relevant obligations and to facilitate audits and inspections.

8.2. Advance Notification for Data Protection Audits: Customers planning to conduct data protection audits must notify Conseno 15 working days in advance via registered post with acknowledgment of receipt. This notice period allows Conseno to prepare adequately for the audit.

8.3. Agent Approval: Conseno reserves the right to refuse any agent proposed by the Customer to conduct the data protection audits.

8.4. Selection of an Alternate Agent: Should there be a refusal, both parties will collaborate to select another agent who meets all necessary criteria to conduct a quality audit while maintaining the confidentiality of the information accessed during the audit.

8.5. Customer’s Responsibility for Confidentiality: The Customer is responsible for ensuring the confidentiality of all information obtained, documents reviewed, and observations made during the audit at Conseno. This information may only be used for purposes explicitly outlined in the contract.

8.6. Support for Data Protection Audit Procedures: Conseno pledges to actively support such procedures and will grant the Customer or its authorized representative access to resources involved in the processing of Entrusted Data. This access is granted under the conditions agreed upon and is intended to facilitate monitoring of compliance with the terms of the contract.

9. Transfer of Data Outside the European Union

9.1. Subcontractor Engagement and Data Transfer: Conseno may engage subsequent subcontractors under conditions that comply with Article 14 of the DPA. This may involve transferring personal data to subcontractors located outside the European Union, which the Customer acknowledges and accepts. The current list of these subcontractors is detailed in Section 7 of this document.

10. Security, Confidentiality and Safety

10.1. Confidentiality and Security Measures: Conseno is committed to maintaining the confidentiality of all documents, information, and Personal Data it processes. To this end, Conseno will implement all necessary technical and organizational measures.

10.2. Specific Obligations of Conseno:

  • Document and Data Handling: Conseno will not create copies of documents and data carriers beyond what is essential for fulfilling its contractual obligations.
  • Restricted Use: Conseno will only use documents, information, and Personal Data for purposes directly related to the operation of Conseno, except as otherwise provided in the DPA.
  • Third-Party Disclosure: No documents, information, or Personal Data will be disclosed to third parties other than Conseno’s personnel and Sub-processors who are engaged in compliance with the DPA.
  • Controlled Transfer: No documents, information, or Personal Data will be transferred to third parties without the explicit prior written consent of the Customer.
  • Access Limitation: Access to documents, information, and Personal Data will be strictly limited to individuals who require it to perform their duties in relation to Conseno’s operations.
  • Prevention of Misuse: Conseno will take all necessary measures to prevent misappropriation or unauthorized access to computer files during the contractual relationship.
  • Access Control: Access to the Entrusted Data will be strictly limited to those who need it to fulfill Conseno’s contractual obligations.
  • Legal Disclosure Requirements: These provisions do not preclude the disclosure of documents, information, and Data Entrusted to Conseno when required by applicable law. In all such cases, the Customer will be notified in advance of any disclosure.

10.3. Business Secrecy: Information exchanged between the Parties during their contractual relationship is considered confidential and subject to business secrecy.

10.4. Preservation of Confidentiality: Both Parties shall employ all necessary means to preserve the confidentiality of information exchanged during their contractual relationship, ensuring that such information remains secure and protected.

10.5. Implementation of Security Measures: Conseno implements appropriate technical and organizational measures to ensure a level of data security that corresponds to the associated risks. These measures are designed to protect Personal Data from unauthorized access, alteration, disclosure, or destruction and ensure its integrity and availability.

10.6. Maintenance and Updating of Security Measures: Conseno commits to regularly reviewing and updating its security measures to adapt to new security challenges and to maintain effective protection of Personal Data. This ongoing process helps ensure that the safeguards remain robust and appropriate in light of evolving threats and vulnerabilities.

11. Management of Sub-processors

11.1. Acceptance of Sub-processors: By agreeing to the Data Processing Agreement (DPA), the Customer acknowledges and consents that the service providers listed in Section 7 are authorized as sub-processors to facilitate the operation of Conseno.

11.2. Notification of New Sub-processors: Should Conseno wish to engage additional sub-processors in the future, it will provide prior notification to the Customer. This ensures transparency and maintains compliance with the DPA.

11.3. Objections to New Sub-processors: Upon receiving notification of a new sub-processor, the Customer has the right to object within 15 working days. Any objection must be substantiated with a reasoned and sufficiently detailed written explanation. This process allows the Customer to have control over who is processing their data.

12. Facilitating Data Subject Rights

12.1. Notification of Data Subject Requests: Conseno commits to promptly forwarding any requests from data subjects to exercise their rights under data protection laws to the Customer. These requests, along with all pertinent information, will be communicated via email to the address specified by the Customer.

12.2. Support in Responding to Requests: If required, Conseno will provide assistance to the Customer in addressing and responding to these requests from data subjects, ensuring compliance with relevant data protection regulations.

13. Communication and Compliance Notifications

13.1. Legal Compliance Alert: If Conseno receives an instruction from the Customer that contradicts legal regulations for the protection of Personal Data, Conseno is obligated to promptly notify the Customer of this conflict.

13.2. Notification of Data Breaches: In the event of a Violation involving Entrusted Data, Conseno will take the following actions:

  • Immediate Notification: Inform the Customer as soon as possible after discovering the breach, using the quickest means available.
  • Provision of Documentation: Provide the Customer with all relevant and documented information necessary to report the breach to the appropriate supervisory authority and to notify affected individuals.

13.3. Contact Information: For legal inquiries or issues, Conseno’s legal team can be reached at legal@conseno.com.

13.4. Governing Version of Documents: In the event of any discrepancies between the Data Processing Agreement (DPA) versions drafted in multiple languages, the English version shall always be considered the authoritative and controlling document. This policy ensures uniformity and clarity in the interpretation of our agreements. Translations into other languages are provided solely for convenience and may not capture the nuances of the English text. In cases of conflict or ambiguity, the English version prevails. Users are advised to consult the English version if in doubt, as Conseno is not responsible for any errors, omissions, or ambiguities that may arise from the translations.

14. Contact details

If you have any questions or comments about this DPA, how we collect and use your information, your choices or rights regarding such use, or wish to exercise your rights, please do not hesitate to contact us at legal@conseno.com.

The entity responsible for data processing in compliance with the General Data Protection Regulation (GDPR), the data protection laws of EU member states, and other privacy regulations is:

Company: Conseno OÜ
Address: Pärnu maantee 148, 11317, Tallinn, Estonia
Email: legal@conseno.com
Registration number: 14946146