Effective June 12, 2025
Summary of changes
Added provisions and adjusted the document to support processing operations for the provision of Microblink Platform.
Data processing addendum for the use of Microblink technology and support services
This DATA PROCESSING ADDENDUM, including all annexes attached hereto, (“DPA”) is entered into between the Controller and Processor identified in Annex I (each, a “party” and together, the “parties”) and is incorporated by reference into the Microblink Terms of Use located at https://mb.wpstaging.uk/legal/#terms-of-use and any other agreement governing the provision of Microblink technology and support services executed by and between the parties (“Agreement”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
When the Controller uses the Processor’s technology, both in the testing and production phase, or when the Controller uses the Processor’s support services, the Processor processes personal data (defined below). The parties agree to comply with the following provisions with regard to any processing of personal data:
SECTION I – GENERAL
Article 1
Definitions
In this DPA, the following terms shall have the following meanings:
Article 2
Relationship of the parties
Article 3
Hierarchy
Article 4
Personal data processing under the EU GDPR
Article 5
Processing under the UK GDPR
In relation to transfers of personal data protected by the UK GDPR, the Intra-EU/EEA SCCs will apply with the following modifications:
Article 6
International transfers
6.1. Restricted transfers under the EU GDPR
6.2. International transfers under the UK GDPR
6.3. Onward transfers
SECTION II – OBLIGATIONS OF THE PARTIES
Article 7
Description of processing(s)
Annex II specifies the details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller.
Article 8
Obligations of the Parties
8.1. Instructions
8.2. Purpose limitation
8.3. Duration of the processing of personal data
Processing by the Processor shall only take place for the duration specified in Annex II.
8.4. Security of processing
8.5. Sensitive data
If the processing involves “sensitive personal data,” “sensitive personal information,” or “special category data” as those terms are defined under Applicable Data Protection Law, including under Article 9 of the EU GDPR and the UK GDPR (“sensitive data”), the parties shall indicate which types of sensitive data are processed pursuant to this DPA in Annex II and Processor shall apply specific restrictions and/or additional safeguards to such processing.
8.6. Documentation and compliance
8.7. Use of Sub-Processors
8.8. Notifications to the Controller
8.9. Privacy by design and default
Processor shall integrate privacy considerations into its processing activities from the outset, encompassing the design, development, implementation, and ongoing maintenance of its systems, applications, and services. Processor’s default settings for systems, applications, and services shall prioritize the highest level of privacy protection, limiting the processing of personal data by default. The Processor shall provide mechanisms that allow the Controller and data subjects to easily manage their privacy preferences and exercise their rights.
8.10. De-identified data
With respect to any de-identified data that Processor processes under the Agreement, Processor shall: (a) take reasonable measures to ensure that such data cannot be associated with a data subject; (b) process such data only in a de-identified fashion and only for its internal business purposes; (c) not attempt to re-identify such data; (d) contractually obligate any recipients of such data to comply with this section of the DPA; and (e) publicly commit to complying with this section, such as through a prominent disclosure in its privacy policy, on its website, or similar means.
Article 9
Assistance to the Controller
Article 10
Notification of personal data breach
10.1 Notification of personal data breach
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.
SECTION III – FINAL PROVISIONS
Article 11
Non-compliance with this DPA and termination
Article 12
Miscellaneous
ANNEX I:
LIST OF PARTIES
Controller:
Name: Customer
Address: As defined in the executed Agreement.
Contact person’s name, position, and contact details: As defined in the executed Agreement.
Processor:
Name: Microblink entity as defined in the executed Agreement.
Address: As defined in the executed Agreement.
Data protection Officer’s contact details: privacy@microblink.com.
ANNEX II:
DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed
Controller’s end users, including, if applicable, Controller’s affiliates’ end users.
Applicable if the Controller uses the Processor’s identity verification service: Controller’s agents using and administrating the Processor’s identity verification platform.
Categories of personal data processed
Depending on the Controller’s configuration of the Processor’s technology, the Processor can process personal data present on the processed document including, but not limited to, first name, middle name, last name, date of birth, place of birth, home address, place of residence, sex, gender, nationality, citizenship, document number, social security number, personal identification number, card security code, card type, issuance date, expiration date, issuing authority, organ donor status, residency status, biometric data (in case of providing verification, extraction and support services, not processed for the purpose of uniquely identifying a natural person) such as face image, eye color, fingerprint, signature, weight or height, and other categories of data found on transferred identity documents, cards or other documents shared with Processor, as well as other data such as email, phone number, SSN, IP address or other end-user data, device identifiers including but not limited to MAC address, IMEI, browser type and version, Bluetooth address, serial number, Android ID.
Applicable if the Controller uses the Processor’s identity verification service: Account information about the Controller’s agent, first and last name, as well as business email address.
Sensitive data processed
Applicable if the Controller uses the Processor’s extraction, verification, and support services: It is possible that the Processor may process sensitive data, including biometric data or personal data revealing racial or ethnic origin, depending on the scanned document. If any sensitive data is transferred, the Controller will use their best efforts to notify the Processor and the Processor will apply needed restrictions and safeguards.
Applicable if the Controller uses the Processor’s identity verification service: Depending on the Controller’s configuration of the Processor’s technology, the Processor may process biometric data to uniquely identify a natural person, personal data revealing racial or ethnic origin, and data relating to criminal convictions and offenses.
Restrictions and Safeguards for sensitive data: When the Processor processes sensitive data, as indicated above, the Processor applies restrictions and safeguards to such processing that take into consideration the nature of the data and the risks involved.
Nature of the processing
Applicable if Controller uses Processor’s identity verification service: Using Controller’s application and Processor’s technology, end-users scan their identity document and (if necessary for further verification of their identity) capture a biometric element (face) and/or perform a liveness check applicable to both the document or biometric data captured or perform video liveness checks.
This information is sent to the Processor’s cloud infrastructure in the region the Controller chooses. Depending on the Controller’s configuration of the Processor’s technology, the data may be extracted from the scan, face matching may be performed, the presence of security features on the document may be checked, submitted data may be compared against Sub-Processors databases and watchlists, certain fields may be anonymized (if applicable) using AI/ML models.
The submitted data will be processed to create various usage reports for the Controller.
The Processor deletes the data in accordance with the Controller’s configuration of the Processor’s technology and this DPA.
Processor will process Controller’s agent’s personal data to create, maintain and delete their user account for Processor’s platform.
Applicable if the Controller uses the Processor’s verification service: Using the Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to the Processor’s cloud infrastructure on a cloud platform, where, using the Processor’s technology, personal data is extracted from the scan, visual document properties and data properties on designated document types are validated and assessments are performed to determine whether the card is physically present during the session. Once the verification process is completed, the Processor returns the verification response to the Controller and, after the verification session has ended, personal data is deleted from the Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s extraction service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to the Processor’s cloud infrastructure on a cloud platform, where, using the Processor’s technology, personal data is extracted from the scan. The Processor sends the extraction results and/or scanned images to the Controller when the extraction process is completed, and personal data is deleted from the Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s support services for the extraction and verification solutions: To securely transfer images of documents Controller to Processor, Controller will use Processor’s Secure Image Upload or other channel approved by Controller. Before transferring the images, Controller shall ensure that the data subjects have been informed of the intended sharing and that the appropriate lawful basis has been determined by the Controller. The Processor analyzes the issue in accordance with the Controller’s request for support to provide support services. Depending on the Controller’s support request, providing support services can include debugging issues on an already supported document type. Depending on the Controller’s support request, providing support services may include retraining of models and, in that case, Annex V shall apply.
Applicable if the Controller uses the Processor’s support services for the identity verification service: If the Controller reports a verification issue, authorized personnel from the Processor’s customer support team will provide assistance with the reported issue. The support team will have access to the Controller’s transaction(s) in order to troubleshoot and/or debug the verification issue. If necessary to provide support, authorized personnel from the Processor’s development team may have access to the Controller’s transactions for the purposes of providing complete support.
Purpose(s) for which the personal data is processed on behalf of the Controller
Applicable if the Controller uses the Processor’s identity verification service: The purpose of the processing is to perform real-time authenticity and validity checks using data extracted from identity documents, including personal data, to make a conclusion about the identity documents’ authenticity, in accordance with the Agreement and the configuration of Microblink’s technology by the Controller.
Applicable if Controller uses Processor’s verification service: The purpose of the processing is to validate the visual document properties and data properties on designated document types and perform assessments to determine whether the card is physically present during the session, in accordance with the Agreement.
Applicable if the Controller uses the Processor’s extraction service: The purpose of the processing is to extract the data from the identity document and send the extraction results to the Controller, in accordance with the Agreement.
Applicable if the Controller uses the Processor’s support services: The purpose of the processing is to provide support services to the Controller, in accordance with the Agreement.
Duration of the processing
Applicable if the Controller uses the Processor’s identity verification service: The Processor retains the submitted data in accordance with the Controller’s configuration of the Processor’s technology for a minimum of 3 (three) months. A longer retention period may be agreed upon and configured by the Controller.
Applicable if the Controller uses the Processor’s verification and/or extraction service: Processing is ongoing (for as long as Controller uses the technology or services). Processor retains input data during verification or extraction sessions, as applicable, but does not store processed data, unless a different retention period is agreed upon in writing with the Controller.
Applicable if the Controller uses the Processor’s support services: Processor retains the personal data until the issue is resolved.
Description of the processing for Sub-Processors is available on the link: https://mb.wpstaging.uk/subprocessors-list/
ANNEX III
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Processor has a defined policy on classified data handling, which defines data classification, disclosure, and protection. All Processor’s employees are required to sign confidentiality clauses that state trade secrets and confidential information have to remain confidential in perpetuity and turned in after contract termination, while each breach is considered a severe violation. Furthermore, the Processor will ensure that web endpoints and API’s are adequately protected and monitored with a Web Application Firewall and DDoS protection.
The Processor will apply the ‘least-privileged’ and ‘need-to-know’ concepts and ensure segregation of duties. The Processor will ensure that proper procedures are in place to register new users / additional access rights and to de-register users. The Processor will ensure that privileged access management is monitored closely and regularly reviewed, with access rights being withdrawn if not required anymore.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In relation to the subject of this Agreement, the Processor will report any security-related (near) incident as soon as possible and according to the Agreement to the Controller’s contact including the protective measures taken to mitigate the impact of the incident, the preventive measures proposed to prevent the (near) incident in the future and an estimation of the impact incurred because of the incident. Processor has defined a policy on information security incident management which defines roles and responsibilities in the incident management process. The policy also describes the incident classification and steps the incident response team has to take, such as incident assessment, containment, threat eradication, recovery, reporting, and learning from the incidents. The Processor shall ensure the spread of knowledge and expertise to ensure the availability of skilled people even in case of a disaster.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing, and measures to ensure accountability
At the Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied. Furthermore, the Processor will regularly conduct vulnerability assessments of related services through penetration and vulnerability testing. The Processor has internal policies, rulebooks and procedures in place to ensure the accountability of employees to process personal data responsibly. Processor ensures that its employees are informed about the Processor’s security requirements and policies and developments in the area of information security. The Processor is entirely responsible for the conduct of its employees.
Measures for ensuring physical security of locations at which personal data are processed
Sub-Processor’s measures for the security of physical premises, which provides private cloud infrastructure service, include multiple physical security layers to protect the data centers, such as biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.
In case personal data is processed on the Processor’s or Processor’s Affiliated company’s infrastructure, the Processor will also ensure adequate physical security through the use of cameras, entry cards, and security guards.
Measures for ensuring events logging
All system and application logging functions related to provided services by the Processor are enabled and information security events are regularly reviewed.
Measures for ensuring system configuration, including default configuration
The Processor will apply system hardening for all Internet-facing services through centralized configuration management, regular vulnerability scanning, and configuration review.
Measures for internal IT and IT security governance and management
Processor maintains an efficient information security management system in place to ensure proper organisation of information security responsibilities and a security risk assessment is performed on a periodic basis to ensure the identification of new or changed risks.
The Processor shall allocate resources and employees with the required expertise for carrying out any specific task related to its security responsibilities under this Agreement.
The Processor will ensure proper protection of all assets containing personal data provided by the Controller in the context of this Agreement.
Measures for certification/assurance of processes and products
At the Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied.
Measures for user identification and authorization
Applicable if Controller uses Processor’s identity verification, verification and/or extraction service: Access to the service is granted to only authorized users through unique client credentials which can be revoked and renewed at any time by the Controller.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s identity verification, verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s identity verification: The Processor shall implement hashing algorithms to pseudonymise personal information which will be used to form a unique data subject ID.
Applicable if Controller uses Processor’s support services: To securely transfer personal data to Processor, Controller shall use Processor’s Secure Image Upload, which includes additional encryption of images with symmetric encryption algorithm (AES).
Measures for ensuring data minimization, limited data retention, and erasure
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor does not store personal data after the verification process has been carried out.
Applicable if Controller uses Processor’s identity verification and/or support service: The Processor shall implement data retention schedules and irreversibly delete the data according to the schedule.
Measures for ensuring data quality
Applicable if the Controller uses the Processor’s identity verification: The Controller is responsible for the data that is sent to the Processor, including its quality.
Applicable if the Controller uses the Processor’s verification and/or extraction service: The Controller is responsible for the data that is sent to the Processor, including its quality. The Processor will send to the Controller personal data extracted from the documents sent by the Controller, together with personally identifiable information (PII) data and metadata scraped from the documents.
Applicable if the Controller uses support services: The Controller and Processor will determine what quality of data needs to be shared to resolve the issue raised by the Controller.
Measures for the protection of data during storage
Applicable if Controller uses Processor’s support service: Microblink uses Key Management Service and strong mechanisms for encryption such as AES-256 for data at rest.
Measures for personal data breach notification
Processor shall have in place a policy ensuring quick detection of security events and weaknesses, and quick reaction and response to security incidents, including data breaches. This policy shall include a data breach response procedure to ensure prompt reaction and appropriate communication towards the Controller, affected data subjects or supervisory authority.
For transfers to the (Sub-) Processor, also describe the specific technical and organisational measures to be taken by the (Sub-) Processor to be able to provide assistance to the Controller.
The Processor shall have data processing agreements with Sub-Processors in place to ensure assistance to the Controller.
Description of the specific technical and organisational measures to be taken by the Processor to be able to provide assistance to the Controller.
Applicable if Controller uses Processor’s support services: Controller shall make sure that they can identify their end-users and, in case of a data subject’s request, deliver their identifiers to the Processor. The Processor shall provide assistance to the Controller in carrying out the data subject’s request in accordance with the procedure for data deletion.
ANNEX IV:
LIST OF SUB-PROCESSORS
The list of authorized Sub-Processors can be found on the link: https://mb.wpstaging.uk/subprocessors-list/.
ANNEX V
Data Sharing Agreement
Notwithstanding other provisions of this Agreement, this Annex V will govern the gathering and sharing of images described in the provision below. Definitions in this Annex V shall have the meaning assigned to them in the DPA or the Agreement.
Categories of data subjects whose personal data is transferred: Customer’s/Licensee’s end users, including, if applicable, Licensee’s Affiliates’ and Sublicensees’ end users. Customer shall not share personal data of underage end-users.
Categories of personal data processed: Depending on the documents shared, Microblink will process personal data present on the processed document including, but not limited to, first name, middle name, last name, date of birth, place of birth, home address, place of residence, sex, gender, nationality, citizenship, document number, social security number, personal identification number, card security code, card type, issuance date, expiration date, issuing authority, organ donor status, residency status, biometric data such as face image, eye color, fingerprint, signature, weight or height, and other categories of data found on transferred identity documents, cards or other documents, as well as other data such as email, phone number, SSN, IP address or other end-user data.
The frequency of the Processing: Continuous.
Purpose and nature of the processing by Microblink: Upon delivering the privacy notice to data subjects and gathering their consent to sharing, Customer shall transfer the personal data to Microblink in a secure way. Received personal data shall be processed for the purpose of improving and developing Microblink’s machine learning and computer vision technology that may include, but is not limited to, supporting a new version of a supported document, performing the evaluation of Microblink’s technology on behalf of the Customer, and sharing feedback on its performance, improving accuracy for an already supported document type (if the product does not work), supporting new (currently not supported) document types, improving accuracy on already supported document types, improving extraction accuracy by implementing additional result validation, and error correction, improving the OCR model accuracy and supporting new document fraud checks. Microblink shall implement all the necessary measures to protect the security and confidentiality of received personal data.
Data retention
Personal data on real documents shall be retained for six (6) months from receiving the images, or until data subject requests deletion, whichever comes first. Personal data on documents Microblink determined were fake, shall be retained for one (1) year.
Accuracy and data minimization
Microblink shall take every reasonable step to ensure that unnecessary personal data, having regard to the purpose(s) of processing, is erased or rectified without undue delay.
Transfers to (Sub-) processors
Microblink can share personal data with its affiliated companies for the permitted purpose and they shall be bound by these Clauses.
Microblink and the Customer shall provide reasonable assistance to one another (each at their own expense) to enable providing adequate responses to any request from a data subject to exercise their rights under Applicable Data Protection Law as well as any other correspondence, inquiry or complaint received from a data subject, regulator or other third parties in connection with the Processing.
In the event that any such request, correspondence, inquiry, or complaint is made directly to the Customer regarding processing under this Annex V, the Customer shall not respond to such communication before it promptly, but no longer than five (5) work days, informs Microblink of data subjects’ requests established by the Applicable Data Protection Law and their unique identifiers. If Customer is legally required to respond to such a request, Customer shall, before responding, notify Microblink and provide it with a copy of the request. Upon the data subject’s request to either Party, the Party that received a request shall, regarding personal data processing under this Annex V, free of charge, provide the other Party with relevant information related to the data processed for the purpose.
Each Party shall be liable to the other Party for any damages it causes the other Party by any breach of this Annex V. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching their rights under these clauses. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these clauses, all responsible Parties shall be jointly and severally liable, and the data subject is entitled to bring an action in court against any of these Parties. The Parties agree that if one Party is held liable, it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to the other Party’s responsibility for the damage.
Annex V is in force until its termination. Parties may mutually agree to terminate this Annex V at any time. Microblink shall remain entitled to use and retain personal data according to the terms in the gathered consent, but no longer than required by Applicable Data Protection Law, or until receiving data subject deletion request, upon which personal data shall be erased or anonymized unless Microblink is required to retain some or all of the personal data by the applicable law. In the event of a breach of terms in this Annex V by either party, the non-breaching party shall have the right to terminate this agreement upon written notice to the breaching party. The breaching party shall have 30 days from receipt of the notice to remediate the breach. If the breach is not remediated within this time period, the non-breaching party may terminate this Annex V without further notice or liability. Termination of these clauses shall not relieve either party of any obligations or liabilities incurred prior to termination. Clauses related to execution of data subject’s rights will remain in effect.
Effective December 19, 2024
Summary of changes
Added provisions to support processing operations for the provision of identity verification service. Added Annex V. to regulate obligations related to sharing the data for the purposes of improvement and development of Microblink’s technology.
This DATA PROCESSING ADDENDUM (“DPA”) is incorporated into and is subject to the terms and conditions of the agreement executed between Controller and Processor, as defined in Annex I (together “the parties”), terms of use (available at the link https://mb.wpstaging.uk/legal/#terms-of-use) or terms and conditions for using Procesor’s technology accepted by the Controller, governing Controller’s use of Processor’s technology or support services (“Agreement”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
When the Controller uses the Processor’s technology, both in the testing and production phase, or when the Controller uses the Processor’s support services, the Processor processes personal data (defined below). The parties agree to comply with the following provisions with regard to any processing of personal data and it is agreed as follows:
Article 1
Definitions
In this DPA, the following terms shall have the following meanings:
a. “Controller”, “Processor”, “data subject”, “personal data”, “process”, and “processing” shall have the meanings given in European Data Protection Law;
b. “European Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
c. “Applicable Data Protection Law” means worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, European Data Protection Law, California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively referred to as the “CPRA”), and applicable national data protection laws made under, pursuant to or that apply in conjunction with European Data Protection Law; in each case as may be amended or superseded from time to time;
d. “personal data” means, aside from the meaning given in European Data Protection Law, any information that identifies a person, that is scanned, uploaded and otherwise shared with the Processor using the Processor’s technology or pursuant to using support services by the Controller, Controller’s affiliated companies, their end-users or by third parties acting on the Controller’s behalf;
e. “personal data breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data disclosed and shared by the Controller and processed by Processor under this DPA;
f. “restricted transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Union or European Economic Area to a country outside of the European Union or European Economic Area that has not been recognized by the European Commission as adequate pursuant to Article 45 of EU GDPR (“third country”); and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to another country which is not based on adequacy regulations pursuant to Article 45 the UK GDPR;
g. “adequacy decision” means a formal decision made by the EU or UK that recognizes that another country, territory, sector, or international organization provides an equivalent level of protection for personal data as the EU or UK does;
h. “Standard Contractual Clauses” or “SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en);
i. “Intra EU/EEA Standard Contractual Clauses” or “Intra EU/EEA SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-eueea_en);
j. “International Data Transfer Agreement” or “IDTA” means the agreement issued by the Information Commissioner for Parties making Restricted Transfers under UK GDPR (available on the link: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf);
k. “Sub-Processor” means any third-party Processor engaged by the Processor to process any personal data on its behalf in connection with the technology or services provided to the Controller.
Article 2
Relationship of the parties
1. The Processor, as defined in Annex I of this DPA, will process personal data on behalf of the Controller, as described in Annex II of this DPA. Where Microblink Ltd. (6th Floor, 9 Appold Street, London, United Kingdom, EC2A 2AP) or Microblink USA, LLC (10 Grand Street, STE 2400, Brooklyn, NY 11249) is the signatory of the Agreement and Processor, Microblink LLC (Trg Drage Iblera 10, 10000, Zagreb, Republic of Croatia) will be deemed affiliated company and a Sub-Processor.
2. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Article 3
Hierarchy
1. In the event of a contradiction between this DPA and the provisions of related Agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, provisions of this DPA shall prevail.
2. Where applicable, provisions of SCCs or Intra EU/EEA SCCs or IDTA will supplement this DPA. In the event of a contradiction between this DPA and SCCs or Intra EU/EEA SCCs or IDTA, provisions of SCCs or Intra EU/EEA SCCs or IDTA shall prevail.
3. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) where applicable, SCCs or Intra EU/EEA SCCs or IDTA; then (b) this DPA; and then (c) the main body of the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.
4. This DPA applies to the processing of personal data as specified in Annex II.
5. Annexes I to IV are an integral part of this DPA.
Article 4
Personal data processing under EU GDPR
1. Where both parties are subject to EU GDPR and personal data is not transferred outside the European Union, Economic Area or countries without adequacy decisions under Article 45 of EU GDPR, Intra-EU/EEA SCCs apply completed as follows:
Article 5
Processing under UK GDPR
In relation to transfers of personal data protected by the UK GDPR, Intra-EU/EEA SCCs will apply with the following modifications:
Article 6
International transfers
6.1. Restricted transfers under EU GDPR
1. Where the transfer of personal data is considered a Restricted Transfer and EU GDPR requires that appropriate safeguards are put in place, such transfer shall be subject to the SCCs, which shall be incorporated by reference and form an integral part of this DPA. The applicable module of the SCCs shall be determined depending on the location of the Controller and Processor, and their roles as data exporter and data importer regarding the processed personal data.
2. In relation to personal data that is protected by the EU GDPR, when the Processor is located in the EU acting as a data exporter and the Controller acting as a data importer is located in a third country, the SCCs Module Four shall apply as follows:
3. In relation to personal data that is protected by the EU GDPR, when the Controller is located in the EU and is acting as a data exporter and the Processor is located in a third country and is acting as data importer, the SCCs Module Two shall apply as follows:
6.2. International transfers under UK GDPR
1. Where UK GDPR applies to the processing, and where the Processor initiates and agrees on the transfer of personal data to a sub-processor outside of the UK or to a country without an adequacy decision, the Processor will sign an International Data Transfer Agreement with such Sub-Processor and will comply with the transfer rules.
2. Where UK GDPR applies to the Controller, the Controller remains responsible for all transfers of personal data they initiate or agree upon.
3. In relation to transfers of personal data protected by the UK GDPR, the parties acknowledge that a transfer in which the Processor returns the processed personal data back to the Controller, provided that it has been initiated and agreed upon by the Controller, is not considered a Restricted Transfer under the UK GDPR.
6.3. Onward transfers
1. Processor shall not participate in (nor permit any Sub-Processor to participate in) any other Restricted Transfers of personal data (whether as an exporter or an importer of the personal data) unless the Restricted Transfer is made in compliance with Applicable Data Protection Law and provisions of this DPA.
2. Such measures may include (without limitation) transferring the personal data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or pursuant to SCCs implemented between the relevant exporter and importer of the personal data.
Article 7
Description of processing(s)
Annex II specifies the details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller.
Article 8
Obligations of the Parties
8.1. Instructions
1. The Processor shall process personal data only on documented instructions from the Controller unless required to do so by applicable legal requirements to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the processing of personal data. These instructions shall always be documented.
2. The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe provisions of the Applicable Data Protection Law.
8.2. Purpose limitation
The Processor shall process the personal data, in accordance with the Controller’s documented instructions, only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the Controller, receives personal data directly from the data subject based on their relationship separate from the Controller or if additional data processing documentation is signed between the parties.
8.3. Duration of the processing of personal data
Processing by the Processor shall only take place for the duration specified in Annex II.
8.4. Security of processing
1. The Processor shall at least implement the technical and organizational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to the data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects.
2. The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring the contract. The Processor shall ensure that persons authorized to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that all authorized persons process personal data only as necessary for the purpose of the processing.
8.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life, or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), the parties shall update categories of processed personal data in Annex II and Processor shall apply specific restrictions and/or additional safeguards.
8.6. Documentation and compliance
1. The Parties shall be able to demonstrate compliance with this DPA.
2. The Processor shall maintain records of processing activities performed under this DPA containing the categories of data subjects involved in the processing and the categories of personal data processed, the nature, duration, and purpose of processing, a list of technical and organizational measures, and a data protection impact assessment.
3. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.
4. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and stem directly from the Applicable Data Protection Law. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller shall take into account relevant certifications held by the Processor.
5. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections of the Processor’s premises or physical facilities and shall, where appropriate, be carried out with reasonable notice at least 30 days prior.
6. The Parties shall make the information referred to in this Article, including the results of any audits, available to the competent supervisory authority/ies on request.
8.7. Use of Sub-Processors
1. The Processor has the Controller’s general authorization for the engagement of Sub-Processors from an agreed list. The Processor shall specifically inform in writing the Controller of any intended changes to that list through the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
2. Where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with these clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to this DPA and to the Applicable Data Protection Law.
3. At the Controller’s request, the Processor shall provide a copy of such a Sub-Processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secret or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing the copy.
4. The Processor shall remain fully responsible to the Controller for the performance of the Sub-Processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Sub-Processor to fulfill its contractual obligations.
5. The Processor shall agree to a third-party beneficiary clause with the Sub-Processor, whereby—in the event the Processor has factually disappeared, ceased to exist in law, or has become insolvent—the Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the personal data.
8.8. Notifications to the Controller
1. In addition to other notifications envisaged by this DPA, the Processor will inform the Controller, without undue delay, but no longer than fifteen business days, if the Processor becomes aware of:
a. Any non-compliance by the Processor or its employees with the obligations under this DPA or the Applicable Data Protection Law requirements relating to the protection of personal data processed under this DPA;
b. Any legally binding request for disclosure of personal data by a law enforcement authority such as courts, tribunals, or administrative authorities, unless the Processor is otherwise forbidden by law to inform the Controller (e.g. to preserve the confidentiality of an investigation by law enforcement authorities). Processor shall be able to provide information on the possible legally binding disclosure of personal data;
c. Any notice, inquiry, or investigation by a Supervisory Authority with respect to personal data shared by the Controller; or
d. Any complaint or request received directly from data subjects of the Controller. The Processor will not substantively respond to any such request without the Controller’s prior written authorization.
2. Before making any disclosures of personal data or providing other information regarding personal data, the Processor shall consult with the Controller unless in situations described in provision 1. b of this Article.
8.9. Privacy by design and default
Processor shall integrate privacy considerations into its processing activities from the outset, encompassing the design, development, implementation, and ongoing maintenance of its systems, applications, and services. Processor’s default settings for systems, applications, and services shall prioritize the highest level of privacy protection, limiting the processing of personal data by default. The Processor shall provide mechanisms that allow the Controller and data subjects to easily manage their privacy preferences and exercise their rights.
Article 9
Assistance to the Controller
1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
2. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (1) and (2), the Processor shall comply with the Controller’s instructions.
3. In addition to the Processor’s obligation to assist the Controller pursuant to Clause 9.2, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
a. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The Processor shall provide assistance to the Controller to enable them to conduct the data protection impact assessment. When providing assistance, the Processor may redact information to the extent necessary to protect business secret or other confidential information;
b. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
c. the obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
d. the obligations to implement and maintain appropriate technical and organisational measures to ensure a level of personal data security appropriate to the risk. Such measures shall have regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and include as appropriate:
i. the pseudonymisation and encryption of personal data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
iii. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
iv. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing.
4. The Parties shall set out the appropriate technical and organisational measures in Annex III by which the Processor is required to assist the Controller in the application of this Article as well as the scope and the extent of the assistance required. The Controller acknowledges that the security measures are subject to technical progress and development and that the Processor may update or modify the security measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the processing.
Article 10
Notification of personal data breach
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Applicable Data Protection Law, where applicable, taking into account the nature of processing and the information available to the Processor.
10.1. Data breach concerning data processed by Controller
In the event of a personal data breach concerning data processed by the Controller, the Processor shall assist the Controller:
1. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
2. in obtaining the following information which, shall be stated in the Controller’s notification, and must at least include:
i. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the personal data breach;
iii. the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.
3. in complying with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
10.2. Data breach concerning data processed by Processor
1. In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor has become aware of the breach. Such notification shall contain, at least:
a. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
b. the details of a contact point where more information concerning the personal data breach can be obtained;
c. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.
2. The Parties shall set out in Annex III other elements to be provided by the Processor when assisting the Controller in compliance with the Controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Article 11
Non-compliance with this DPA and termination
1. Without prejudice to any provisions of Applicable Data Protection Law, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with this DPA or the Agreement is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.
2. The Controller shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data in accordance with this DPA if:
a. the processing of personal data by the Processor has been suspended by the Controller pursuant to provision 1. of this Article and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
b. the Processor is in substantial or persistent breach of this DPA or its obligations under Applicable Data Protection Law;
c. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or Applicable Data Protection Law.
3. The Processor shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data under this DPA where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Article 8.1.2, the Controller insists on compliance with the instructions.
4. Following termination of the Agreement, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law requires storage of the personal data. To protect the customer from losing personal data through an accidental lapse of the contract, deletion shall be delayed for 60 days after the Agreement has been terminated. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.
Article 12
Miscellaneous
1. This DPA is an integral part of the Agreement executed between the parties and becomes effective when both parties sign it.
2. If Applicable Data Protection Law or other applicable regulation requires the Controller to sign the DPA or to sign the SCCs, Intra-EU SCCs or IDTA applicable to a particular processing or restricted transfer of personal data to the Processor as a separate agreement, the Processor will, on Controller’s request, promptly execute such document.
3. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Processor’s technology and services.
4. Controller grants Microblink a free, perpetual, irrevocable, non-exclusive, worldwide, transferable, and royalty-free license for the purpose of the development and enhancement of Microblink technology and products, over images shared, with the right to sublicense, reproduce, distribute, transmit, modify, create derivative works of, incorporate into other works and otherwise use and commercially exploit any images in any media now existing or hereafter developed. To the extent allowed by applicable law, the Controller agrees to permanently waive any claims and declarations of moral rights or attribution with respect to shared images.
5. Notwithstanding anything to the contrary in the Agreement and without prejudice to Section 8.2 (“Purpose limitation”), the Processor may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Law and to improve the level of security of personal data. Modifications to this DPA will be published on Processor’s legal center (available on the link: https://mb.wpstaging.uk/dpa-for-the-use-of-microblink-technology-and-support-services/) and Processor will inform the Controller of any substantial changes to this DPA in writing.
Controller:
Name: Customer
Address: As defined in the executed Agreement.
Contact person’s name, position, and contact details: As defined in the executed Agreement.
Processor:
Name: Microblink entity as defined in the executed Agreement.
Address: As defined in the executed Agreement.
Data protection Officer’s contact details: privacy@microblink.com.
Categories of data subjects whose personal data is processed
Natural persons – Controller’s end users, including, if applicable, Controller’s affiliates’ end users.
(Applicable if the Controller uses the Processor’s identity verification service) Natural persons – Controller’s agents using and administrating the Processor’s identity verification platform.
Categories of personal data processed
Depending on the Controller’s configuration of the Processor’s technology, the Processor can process personal data present on the processed document including, but not limited to, first name, middle name, last name, date of birth, place of birth, home address, place of residence, sex, gender, nationality, citizenship, document number, social security number, personal identification number, card security code, card type, issuance date, expiration date, issuing authority, organ donor status, residency status, biometric data (in case of providing verification, extraction and support services, not processed for the purpose of uniquely identifying a natural person) such as face image, eye color, fingerprint, signature, weight or height, and other categories of data found on transferred identity documents, cards or other documents shared with Processor, as well as other data such as email, phone number, SSN, IP address or other end-user data.
Applicable if the Controller uses the Processor’s identity verification service): Account information about the Controller’s agent, first and last name, as well as business email address.
Sensitive data processed
Applicable if the Controller uses the Processor’s extraction, verification, and support services: No sensitive data is intended for processing. It is possible that the Processor may process personal data revealing racial or ethnic origin depending on the scanned document. If any sensitive data is transferred, the Controller will use their best efforts to notify the Processor and the Processor will apply needed restrictions and safeguards.
Applicable if the Controller uses the Processor’s identity verification service: Depending on the Controller’s configuration of the Processor’s technology, the Processor may process biometric data to uniquely identify a natural person, personal data revealing racial or ethnic origin, and data relating to criminal convictions and offenses.
Nature of the processing
Applicable if Controller uses Processor’s identity verification service: Using Controller’s application and Processor’s technology, end-users scan their identity document and (if necessary for further verification of their identity) capture a biometric element (face)” and/or perform a liveness check applicable to both the document or biometric data captured or perform video liveness checks.
This information is sent to the Processor’s cloud infrastructure in the region the Controller chooses. Depending on the Controller’s configuration of the Processor’s technology, the data may be extracted from the scan, face matching may be performed, the presence of security features on the document may be checked, submitted data may be compared against sub-processors databases and watchlists, certain fields may be anonymized (if applicable) using AI/ML models.
The submitted data will be processed to create various usage reports for the Controller.
The processor deletes the data in accordance with the Controller’s configuration of the Processor’s technology and this DPA.
Processor will process Controller’s agent personal data to create, maintain and delete their user account for Processor’s platform.
Applicable if the Controller uses the Processor’s verification service: Using the Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to the Processor’s cloud infrastructure on a cloud platform, where, using the Processor’s technology, personal data is extracted from the scan, visual document properties and data properties on designated document types are validated and assessments are performed to determine whether the card is physically present during the session. Once the verification process is completed, the Processor returns the verification response to the Controller and, after the verification session has ended, personal data is deleted from the Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s extraction service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to the Processor’s cloud infrastructure on a cloud platform, where, using the Processor’s technology, personal data is extracted from the scan. The Processor sends the extraction results and/or scanned images to the Controller when the extraction process is completed, and personal data is deleted from the Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s support services for the extraction and verification solutions: To securely transfer images of documents Controller to Processor, Controller will use Processor’s Secure Image Upload or other channel approved by Controller. Before transfering the images, Controller shall ensure that the data subjects have been informed of the intended sharing and that the appropriate lawful basis has been determined by the Controller. The Processor analyzes the issue in accordance with the Controller’s request for support to provide support services. Depending on the Controller’s support request, providing support services can include debugging issues on an already supported document type. Depending on the Controller’s support request, providing support services may include retraining of models and, in that case, Annex V. shall apply.
Applicable if the Controller uses the Processor’s support services for the identity verification service: If the Controller reports a verification issue, authorized personnel from the Processor’s customer support team will provide assistance with the reported issue. The support team will have access to the Controller’s transaction(s) in order to troubleshoot and/or debug the verification issue. If necessary to provide support, authorized personnel from the Processor’s development team may have access to the Controller’s transactions for the purposes of providing complete support.
Purpose(s) for which the personal data is processed on behalf of the controller
Applicable if the Controller uses the Processor’s identity verification service: The purpose of the processing is to perform checks in accordance with the Agreement and the configuration of Microblink’s technology by the Controller.
Applicable if Controller uses Processor’s verification service: The purpose of the processing is to validate the visual document properties and data properties on designated document types and perform assessments to determine whether the card is physically present during the session, in accordance with the Agreement.
Applicable if the Controller uses the Processor’s extraction service: The purpose of the processing is to extract the data from the identity document and send the extraction results to the Controller, in accordance with the Agreement.
Applicable if the Controller uses the Processor’s support services: The purpose of the processing is to provide support services to the Controller, in accordance with the Agreement.
Duration of the processing
Applicable if the Controller uses the Processor’s identity verification service: The Processor retains the submitted data in accordance with the Controller’s configuration of the Processor’s technology for, a minimum of 6 (six) months. A longer retention period may be agreed upon and configured by the Controller.
Applicable if Controller uses Processor’s verification and/or extraction service: Processing is ongoing (for as long as Controller uses the technology or services). Processor retains input data during verification or extraction sessions, as applicable, but does not store processed data, unless a different retention period is agreed upon in writing with the Controller.
Applicable if Controller uses Processor’s support services: Processor retains the personal data until the issue is resolved.
Description of the processing for sub-processors is available on the link: https://mb.wpstaging.uk/subprocessors-list/
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Processor has a defined policy on classified data handling, which defines data classification, disclosure, and protection. All Processor’s employees are required to sign confidentiality clauses that state trade secrets and confidential information have to remain confidential in perpetuity and turned in after contract termination, while each breach is considered a severe violation. Furthermore, the Processor will ensure that web endpoints and API’s are adequately protected and monitored with a Web Application Firewall and DDoS protection.
The Processor will apply the ‘least-privileged’ and ‘need-to-know’ concepts and ensure segregation of duties. The Processor will ensure that proper procedures are in place to register new users / additional access rights and to de-register users. The Processor will ensure that privileged access management is monitored closely and regularly reviewed, with access rights being withdrawn if not required anymore.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In relation to the subject of this Agreement, the Processor will report any security-related (near) incident as soon as possible and according to the Agreement to the Controller’s contact including the protective measures taken to mitigate the impact of the incident, the preventive measures proposed to prevent the (near) incident in the future and an estimation of the impact incurred because of the incident. Processor has defined a policy on information security incident management which defines roles and responsibilities in the incident management process. The policy also describes the incident classification and steps the incident response team has to take, such as incident assessment, containment, threat eradication, recovery, reporting, and learning from the incidents. The Processor shall ensure the spread of knowledge and expertise to ensure the availability of skilled people even in case of a disaster.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing, and measures to ensure accountability
At the Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied. Furthermore, the Processor will regularly conduct vulnerability assessments of related services through penetration and vulnerability testing. The Processor has internal policies, rulebooks and procedures in place to ensure the accountability of employees to process personal data responsibly. Processor ensures that its employees are informed about the Processor’s security requirements and policies and developments in the area of information security. The Processor is entirely responsible for the conduct of its employees.
Measures for ensuring physical security of locations at which personal data are processed
Sub-processor’s measures for the security of physical premises, which provides private cloud infrastructure service, include multiple physical security layers to protect the data centers, such as biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems.
In case personal data is processed on the Processor’s or Processor’s Affiliated company’s infrastructure, the Processor will also ensure adequate physical security through the use of cameras, entry cards, and security guards.
Measures for ensuring events logging
All system and application logging functions related to provided services by the Processor are enabled and information security events are regularly reviewed.
Measures for ensuring system configuration, including default configuration
The Processor will apply system hardening for all Internet-facing services through centralized configuration management, regular vulnerability scanning, and configuration review.
Measures for internal IT and IT security governance and management
Processor maintains an efficient information security management system in place to ensure proper organisation of information security responsibilities and a security risk assessment is performed on a periodic basis to ensure the identification of new or changed risks.
The Processor shall allocate resources and employees with the required expertise for carrying out any specific task related to its security responsibilities under this Agreement.
The Processor will ensure proper protection of all assets containing personal data provided by the Controller in the context of this Agreement.
Measures for certification/assurance of processes and products
At the Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied.
Measures for user identification and authorization
Applicable if Controller uses Processor’s identity verification, verification and/or extraction service: Access to the service is granted to only authorized users through unique client credentials which can be revoked and renewed at any time by the Controller.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s identity verification, verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s identity verification: The Processor shall implement hashing algorithms to pseudonymise personal information which will be used to form a unique data subject ID.
Applicable if Controller uses Processor’s support services: To securely transfer personal data to Processor, Controller shall use Processor’s Secure Image Upload, which includes additional encryption of images with symmetric encryption algorithm (AES).
Measures for ensuring data minimization, limited data retention, and erasure
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor does not store personal data after the verification process has been carried out.
Applicable if Controller uses Processor’s identity verification and/or support service: The Processor shall implement data retention schedules and irreversibly delete the data according to the schedule.
Measures for ensuring data quality
Applicable if the Controller uses the Processor’s identity verification: The Controller is responsible for the data that is sent to the Processor, including its quality.
Applicable if the Controller uses the Processor’s verification and/or extraction service: The Controller is responsible for the data that is sent to the Processor, including its quality. The Processor will send to the Controller personal data extracted from the documents sent by the Controller, together with personally identifiable information (PII) data and metadata scraped from the documents.
Applicable if the Controller uses support services: The Controller and Processor will determine what quality of data needs to be shared to resolve the issue raised by the Controller.
Measures for the protection of data during storage
Applicable if Controller uses Processor’s support service: Microblink uses Key Management Service and strong mechanisms for encryption such as AES-256 for data at rest.
Measures for personal data breach notification
Processor shall have in place a policy ensuring quick detection of security events and weaknesses, and quick reaction and response to security incidents, including data breaches. This policy shall include a data breach response procedure to ensure prompt reaction and appropriate communication towards the Controller, affected data subjects or supervisory authority.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
The Processor shall have data processing agreements with sub-processors in place to ensure assistance to the Controller.
Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.
Applicable if Controller uses Processor’s support services: Controller shall make sure that they can identify their end-users and, in case of a data subject’s request, deliver their identifiers to the Processor. The Processor shall provide assistance to the Controller in carrying out the data subject’s request in accordance with the procedure for data deletion.
The list of authorized sub-processors can be found on the link: https://mb.wpstaging.uk/subprocessors-list/
ANNEX V – Data Sharing Agreement
Notwithstanding other provisions of this Agreement, this Annex V. will govern the gathering and sharing of images described in provision below. Definitions in this Annex V. shall have the meaning assigned to them in the DPA or the Agreement.
1. Relationship of the Parties
1. 1. Microblink and Customer have entered into the Agreement where Microblink processes personal data of data subjects through the use of Microblink’s technology hosted on Microblink’s and/or Customer’s infrastructure; or by Customer integrating Microblink Product or Service into its Application and processesing personal data of data subjects or Customer tests Microblink’s technology.
1.2. Customer may share personal data for the development and advancement of Microblink’s technology or allow Microblink to use personal data, previously shared for another purpose, for the stated purpose by gathering consent from data subjects on behalf of Microblink. In such cases, each Party individually determines the purposes and means of its processing of personal data and, therefore, shall be considered an independent controller or together joint controllers under Applicable Data Protection Law. Microblink may process the personal data for another purpose where it has obtained the data subject’s prior consent, where necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or where necessary in order to protect the vital interests of the data subject or of another natural person. Microblink’s processing in fulfillment of the purpose shall, in turn, benefit Customer and its data subjects by making Microblink’s products and services less biased, discriminatory and better at preventing fraud, by improving their accuracy and broadening the scope of supported document types.
1.3. Microblink shall process personal data shared by the Customer to achieve purpose, described in more detail in Article 2. of this Annex V. and shall be considered Controller accordingly.
1.4. Parties acknowledge that Microblink may share personal data with its affiliated companies to pursue the fulfillment of the urpose described in Article 2. of this Annex V. Each Party shall comply with the obligations applicable to it under Applicable Data Protection Law with respect to processing of personal data.
1.5. Each Party shall be able to demonstrate compliance with its obligations under these clauses.
2. Description of the sharing and processing
2.1. Enabling the processing and description of sharing by the Customer
2.1.1. Customer agrees to share personal data with Microblink to enable further processing of personal data by Microblink as described in this Article 2. and shall take necessary steps to transfer personal data to Microblink.
2.1.2. Microblink shall inform the Customer in writing of the quantity, variety and type of documents necessary to achieve the purpose of the processing and/or the Customer shall, on behalf of Microblink, gather consent from data subjects by implementing a consent gathering mechanism into their Application, in accordance with Microblink’s instructions. When gathering consent on behalf of Microblink, Customer shall present data subjects with Microblink’s privacy notice (available at the link https://mb.wpstaging.uk/privacy-notice-for-microblink-customers-end-users) or another privacy notice with adequate level of transparency under Applicable Data Protection Law.
2.1.3. Customer shall assign a unique identifier to each data subject that matches the identifier of the shared personal data. Customer shall make the unique identifier available to Microblink if necessary to execute the data subject’s rights request in accordance with Article 3.
2.1.4. The Customer warrants and represents that it shall implement the consent gathering mechanism in accordance with Microblink’s instructions. Customer will inform Microblink if consent is not the appropriate lawful basis, under Applicable Data Protection Law, to achieve the purpose of intended processing.
2.1.5. At Microblink’s request, the Customer shall be able to demonstrate compliance with this provision. The Customer shall allow Microblink to perform an audit, at its own expense, on the implementation of consent-gathering mechanism to ensure adherence to this warranty, upon reasonable notice and during regular business hours.
2.2. Description of processing by Microblink
Categories of data subjects whose personal data is transferred Customer’s/Licensee’s end users, including, if applicable, Licensee’s Affiliates’ and Sublicensees’ end users. Customer shall not share personal data of underage end-users.
Categories of personal data processed: Depending on the documents shared, Microblink will process personal data present on the processed document including, but not limited to, first name, middle name, last name, date of birth, place of birth, home address, place of residence, sex, gender, nationality, citizenship, document number, social security number, personal identification number, card security code, card type, issuance date, expiration date, issuing authority, organ donor status, residency status, biometric data such as face image, eye color, fingerprint, signature, weight or height, and other categories of data found on transferred identity documents, cards or other documents, as well as other data such as email, phone number, SSN, IP address or other end-user data.
The frequency of the Processing: Continuous.
Purpose and nature of the processing by Microblink: Upon delivering the privacy notice to data subjects and gathering their consent to sharing, Customer shall transfer the personal data to Microblink in a secure way. Received personal data shall be processed for the purpose of improving and developing Microblink’s machine learning and computer vision technology that may include, but is not limited to, supporting a new version of a supported document, performing the evaluation of Microblink’s technology on behalf of the Customer, and sharing feedback on its performance, improving accuracy for an already supported document type (if the product does not work), supporting new (currently not supported) document types, improving accuracy on already supported document types, improving extraction accuracy by implementing additional result validation, and error correction, improving the OCR model accuracy and supporting new document fraud checks. Microblink shall implement all the necessary measures to protect the security and confidentiality of received personal data.
Data retention
Personal data on real documents shall be retained for six (6) months from receiving the images, or until data subject requests deletion, whichever comes first. Personal data on documents Microblink determined were fake, shall be retained for one (1) year.
Accuracy and data minimization
Microblink shall take every reasonable step to ensure unnecessary personal data, having regard to the purpose(s) of processing, is erased or rectified without undue delay.
Transfers to (sub-) processors
Microblink can share personal data with its affiliated companies for the permitted purpose and they shall be bound by these Clauses.
3. Data subject rights
Microblink and Customer shall provide reasonable assistance to one another (each at their own expense) to enable providing adequate responses to any request from a data subject to exercise their rights under Applicable Data Protection Law as well as any other correspondence, inquiry or complaint received from a data subject, regulator or other third parties in connection with the Processing.
In the event that any such request, correspondence, inquiry, or complaint is made directly to the Customer regarding processing under this Annex V., the Customer shall not respond to such communication before it promptly, but no longer than five (5) work days, informs Microblink of data subjects’ requests established by the Applicable Data Protection Law and their unique identifiers. If Customer is legally required to respond to such a request, Customer shall, before responding, notify Microblink and provide it with a copy of the request. Upon data subject’s request towards either Party, the Party that received a request shall, regarding personal data processing under this Annex V., free of charge provide the other Party with relevant information related to the data processed for the purpose.
4. Liability
Each Party shall be liable to the other Party for any damages it causes the other Party by any breach of this Annex V. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching their rights under these clauses. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these clauses, all responsible Parties shall be jointly and severally liable, and the data subject is entitled to bring an action in court against any of these Parties. The Parties agree that if one Party is held liable, it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to the other Party’s responsibility for the damage.
5. Termination of data sharing
Annex V is in force until its termination. Parties may mutually agree to terminate this Annex V at any time. Microblink shall remain entitled to use and retain personal data according to the terms in the gathered consent, but no longer than required by Applicable Data Protection Law, or until receiving data subject deletion request, upon which personal data shall be erased or anonymized unless Microblink is required to retain some or all of the personal data by the applicable law. In the event of a breach of terms in this Annex V by either party, the non-breaching party shall have the right to terminate this agreement upon written notice to the breaching party. The breaching party shall have 30 days from receipt of the notice to remediate the breach. If the breach is not remediated within this time period, the non-breaching party may terminate this Annex V without further notice or liability. Termination of these clauses shall not relieve either party of any obligations or liabilities incurred prior to termination. Clauses related to execution of data subject’s rights will remain in effect.
Effective September 26, 2024
Summary of changes
Added applicable module of EU standard contractual clauses to Article 6.1. Updated categories of personal data in Annex II.
This DATA PROCESSING ADDENDUM (“DPA”) is incorporated into and is subject to the terms and conditions of the agreement executed between Controller and Processor, as defined in Annex I (together “the parties”), terms of use or terms and conditions for using Procesor’s technology accepted by the Controller, governing Controller’s use of Processor’s technology or support services (“Agreement”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
When the Controller uses Processor’s technology, both in the testing and production phase, or when Controller uses Processor’s support services, Processor processes personal data (defined below). The parties agree to comply with the following provisions with regard to any processing of personal data and it is agreed as follows:
Article 1
Definitions
In this DPA, the following terms shall have the following meanings:
a. “Controller”, “Processor”, “data subject”, “personal data”, “process”, and “processing” shall have the meanings given in European Data Protection Law;
b. “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
c. “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, European Data Protection Law, California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively referred to as the “CPRA”), and any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with European Data Protection Law; in each case as may be amended or superseded from time to time;
d. “personal data” means, aside from the meaning given in European Data Protection Law, any information that identifies a person, that is scanned, uploaded and otherwise shared with the Processor using Processor’s technology or pursuant to using support services by the Controller, Controller’s affiliated companies, or by third parties acting on the Controller’s behalf;
e. “personal data breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data disclosed and shared by the Controller and processed by Processor under this DPA;
f. “restricted transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Union or European Economic Area to a country outside of the European Union or European Economic Area that has not been recognized by the European Commission as adequate pursuant to Article 45 of EU GDPR (“third country”); and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to another country which is not based on adequacy regulations pursuant to Article 45 the UK GDPR;
g. “adequacy decision” means a formal decision made by the EU or UK which recognizes that another country, territory, sector, or international organisation provides an equivalent level of protection for personal data as the EU or UK does;
h. “Standard Contractual Clauses” or “SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en);
i. “Intra EU/EEA Standard Contractual Clauses” or “Intra EU/EEA SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-eueea_en);
j. “International Data Transfer Agreement” or “IDTA” means the agreement issued by the Information Commissioner for Parties making Restricted Transfers under UK GDPR (available on the link: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf);
k. “Sub-Processor” means any third-party Processor engaged by Processor to process any personal data on its behalf in connection with the technology or services provided to Controller.
Article 2
Relationship of the parties
1. Processor, as defined in Annex I of this DPA, will process personal data on behalf of Controller, as described in Annex II of this DPA. Where Microblink Ltd. (6th Floor, 9 Appold Street, London, United Kingdom, EC2A 2AP) or Microblink USA, LLC (10 Grand Street, STE 2400, Brooklyn, NY 11249) is the signatory of the Agreement and Processor, Microblink LLC (Trg Drage Iblera 10, 10000, Zagreb, Republic of Croatia) will be deemed affiliated company and a Sub-Processor.
2. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Article 3
Hierarchy
1. In the event of a contradiction between this DPA and the provisions of related Agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, provisions of this DPA shall prevail.
2. Where applicable, provisions of SCCs or Intra EU/EEA SCCs or IDTA will supplement this DPA. In the event of a contradiction between this DPA and SCCs or Intra EU/EEA SCCs or IDTA, provisions of SCCs or Intra EU/EEA SCCs or IDTA shall prevail.
3. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) where applicable, SCCs or Intra EU/EEA SCCs or IDTA; then (b) this DPA; and then (c) the main body of the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.
4. This DPA applies to the processing of personal data as specified in Annex II.
5. Annexes I to IV are an integral part of this DPA.
Article 4
Personal data processing under EU GDPR
1. Where both parties are subject to EU GDPR and personal data is not transferred outside the European Union, Economic Area or countries without adequacy decisions under Article 45 of EU GDPR, Intra-EU/EEA SCCs apply completed as follows:
a. wherever there is an option to choose a regulation, Regulation (EU) 2016/679 shall apply;
b. the optional Clause 5 (Docking clause) shall apply;
c. in Clause 7.7. Option 2: General written authorization shall apply with a specified time period of thirty days;
d. Annex I of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex I to this DPA;
e. Annex II of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex II to this DPA;
f. Annex III of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
g. Annex IV of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
Article 5
Processing under UK GDPR
In relation to transfers of personal data protected by the UK GDPR, Intra-EU/EEA SCCs will apply with the following modifications:
a. wherever there is an option to choose a regulation, UK GDPR shall apply;
b. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “UK”, or “domestic law”;
c. references to the “competent courts” shall be replaced with references to the “competent courts of the UK”;
d. the optional Clause 5 (Docking clause) shall apply;
e. in Clause 7.7. Option 2: General written authorization shall apply with a specified time period of thirty days;
f. Annex I of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex I to this DPA;
g. Annex II of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex II to this DPA;
h. Annex III of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
i. Annex IV of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
Article 6
International transfers
6.1. Restricted transfers under EU GDPR
1. Where the transfer of personal data is considered a Restricted Transfer and EU GDPR requires that appropriate safeguards are put in place, such transfer shall be subject to the SCCs, which shall be incorporated by reference and form an integral part of this DPA. The applicable module of the SCCs shall be determined depending on the location of the Controller and Processor, and their roles as data exporter and data importer regarding the processed personal data.
2. In relation to personal data that is protected by the EU GDPR, when the Processor is located in the EU acting as data exporter and the Controller acting as data importer is located in the third country, the SCCs Module Four shall apply as follows:
a. the optional Clause 7 (Docking clause) shall apply;
b. In Clause 9, Option 2: General written authorization shall apply with a specified time period of thirty days;
c. In Clause 11, the option clause shall not apply;
d. In Clause 17, the governing law shall be the law of the Republic of Croatia;
e. In Clause 18, for resolving disputes arising from these Clauses shall be resolved by the courts of the Republic of Croatia;
f. Annex I.A and I.B of the EU SCCs shall be deemed completed with the information set out in Annex I and II to this DPA and Annex I.C shall have Croatian Personal Data Protection Agency as the competent supervisory authority;
g. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
h. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
3. In relation to personal data that is protected by the EU GDPR, when the Controller is located in the EU and is acting as data exporter and the Processor is located in a third country and is acting as acting as data importer, the SCCs Module Two shall apply as follows:
a. the optional Clause 7 (Docking clause) shall apply;
b. In Clause 9, Option 2: General written authorization shall apply with a specified time period of thirty days;
c. In Clause 11, the option clause shall not apply;
d. In Clause 17, the governing law shall be the law of the Republic of Croatia;
e. In Clause 18, for resolving disputes arising from these Clauses shall be resolved by the courts of the Republic of Croatia;
f. Annex I.A and I.B of the SCCs shall be deemed completed with the information set out in Annex I and II to this DPA and Annex I.C shall have Croatian Personal Data Protection Agency as the competent supervisory authority;
g. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
h. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
6.2. International transfers under UK GDPR
1. Where UK GDPR applies to the processing, and where the Processor initiates and agrees on the transfer of personal data to a sub-processor outside of the UK or to a country without an adequacy decision, the Processor will sign an International Data Transfer Agreement with such Sub-Processor and will comply with the transfer rules.
2. Where UK GDPR applies to the Controller, the Controller remains responsible for all transfers of personal data they initiate or agree upon.
3. In relation to transfers of personal data protected by the UK GDPR, the parties acknowledge that the transfer where the Processor returns the processed personal data back to the Controller, provided that it has been initiated and agreed upon by the Controller, is not considered a Restricted Transfer under the UK GDPR.
6.3. Onward transfers
1. Processor shall not participate in (nor permit any Sub-Processor to participate in) any other Restricted Transfers of personal data (whether as an exporter or an importer of the personal data) unless the Restricted Transfer is made in compliance with Applicable Data Protection Law and provisions of this DPA.
2. Such measures may include (without limitation) transferring the personal data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to SCCs implemented between the relevant exporter and importer of the personal data.
Article 7
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller, are specified in Annex II.
Article 8
Obligations of the Parties
8.1. Instructions
1. The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable legal requirements to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the processing of personal data. These instructions shall always be documented.
2. The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe provisions of Applicable Data Protection Law.
8.2. Purpose limitation
The Processor shall process the personal data, in accordance with the Controller’s documented instructions, only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the Controller or if additional data processing documentation is signed between the parties.
8.3. Duration of the processing of personal data
Processing by the Processor shall only take place for the duration specified in Annex II.
8.4. Security of processing
1. The Processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects.
2. The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the contract. The Processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Processor shall ensure that all authorized process personal data only as necessary for the Permitted Purpose.
8.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), the parties shall update categories of processed personal data in Annex II and Processor shall apply specific restrictions and/or additional safeguards.
8.6. Documentation and compliance
1. The Parties shall be able to demonstrate compliance with this DPA.
2. The Processor shall maintain records of processing activities performed under this DPA containing categories of data subjects involved in the processing and categories of personal data processed, nature, duration and purpose of processing, list of technical and organizational measures, and data protection impact assessment.
3. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.
4. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Applicable Data Protection Law. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller shall take into account relevant certifications held by the Processor.
5. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice, at least 30 days prior.
6. The Parties shall make the information referred to in this Article, including the results of any audits, available to the competent supervisory authority/ies on request.
8.7. Use of Sub-Processors
1. The Processor has the Controller’s general authorisation for the engagement of Sub-Processors from an agreed list. The Processor shall specifically inform in writing the Controller of any intended changes to that list through the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
2. Where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with these clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to this DPA and to Applicable Data Protection Law.
3. At the Controller’s request, the Processor shall provide a copy of such a Sub-Processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secret or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing the copy.
4. The Processor shall remain fully responsible to the Controller for the performance of the Sub-Processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Sub-Processor to fulfill its contractual obligations.
5. The Processor shall agree a third party beneficiary clause with the Sub-Processor whereby – in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent – the Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the personal data.
8.8. Notifications to the Controller
1. In addition to other notifications envisaged by this DPA, Processor will inform the Controller, without undue delay, but no longer than five business days, if Processor becomes aware of:
a. Any non-compliance by Processor or its employees with the obligations under this DPA or the Applicable Data Protection Law requirements relating to the protection of personal data processed under this DPA;
b. Any legally binding request for disclosure of personal data by a law enforcement authority such as courts, tribunals, or administrative authorities, unless the Processor is otherwise forbidden by law to inform Controller (e.g. to preserve the confidentiality of an investigation by law enforcement authorities). Processor shall be able to provide information on the possible legally binding disclosure of personal data;
c. Any notice, inquiry, or investigation by a Supervisory Authority with respect to personal data shared by the Controller; or
d. Any complaint or request received directly from data subjects of Controller. Processor will not substantively respond to any such request without Controller’s prior written authorization.
3. Before making any disclosures of personal data or providing other information regarding personal data, Processor shall consult with Controller unless in situations described in provision 1.b of this Article.
8.9. Privacy by design and default
Processor shall integrate privacy considerations into its processing activities from the outset, encompassing the design, development, implementation, and ongoing maintenance of its systems, applications, and services. Processor’s default settings for systems, applications, and services shall prioritize the highest level of privacy protection, limiting the processing of personal data by default. Processor shall provide mechanisms that allow the Controller and data subjects to easily manage their privacy preferences and exercise their rights.
Article 9
Assistance to the Controller
1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
2. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (1) and (2), the Processor shall comply with the Controller’s instructions.
3. In addition to the Processor’s obligation to assist the Controller pursuant to Clause 9.2, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
a. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The Processor shall provide assistance to the Controller to enable them to conduct the data protection impact assessment. When providing assistance, Processor may redact information to the extent necessary to protect business secret or other confidential information;
b. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
c. the obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
d. the obligations to implement and maintain appropriate technical and organisational measures to ensure a level of personal data security appropriate to the risk. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and include as appropriate:
i. the pseudonymisation and encryption of personal data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
iii. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4. The Parties shall set out the appropriate technical and organisational measures in Annex III by which the Processor is required to assist the Controller in the application of this Article as well as the scope and the extent of the assistance required. Controller acknowledges that the security measures are subject to technical progress and development and that Processor may update or modify the security measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the processing.
Article 10
Notification of personal data breach
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Applicable Data Protection Law, where applicable, taking into account the nature of processing and the information available to the Processor.
10.1. Data breach concerning data processed by Controller
In the event of a personal data breach concerning data processed by the Controller, the Processor shall assist the Controller:
a. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b. in obtaining the following information which, shall be stated in the Controller’s notification, and must at least include:
i. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the personal data breach;
iii. the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
c. in complying with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
10.2. Data breach concerning data processed by Processor
1. In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor having become aware of the breach. Such notification shall contain, at least:
a. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
b. the details of a contact point where more information concerning the personal data breach can be obtained;
c. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
2. The Parties shall set out in Annex III all other elements to be provided by the Processor when assisting the Controller in the compliance with the Controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Article 11
Non-compliance with this DPA and termination
1. Without prejudice to any provisions of Applicable Data Protection Law, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with this DPA or the Agreement is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.
2. The Controller shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data in accordance with this DPA if:
a. the processing of personal data by the Processor has been suspended by the Controller pursuant to provision 1. of this Article and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
b. the Processor is in substantial or persistent breach of this DPA or its obligations under Applicable Data Protection Law;
c. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or Applicable Data Protection Law.
3. The Processor shall be entitled to terminate the Agreement insofar as it concerns processing of personal data under this DPA where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Article 8.1.2, the Controller insists on compliance with the instructions.
4. Following termination of the Agreement, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law requires storage of the personal data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.
Article 12
Miscellaneous
1. This DPA represents an integral part of the Agreement executed between the parties and becomes effective when both parties sign the Agreement.
2. If Applicable Data Protection Law or other applicable regulation requires the Controller to sign the DPA or to sign the SCCs, Intra-EU SCCs or IDTA applicable to a particular processing or restricted transfer of personal data to the Processor as a separate agreement, Processor will, on Controller’s request, promptly execute such document.
3. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Processor’s technology and services.
4. Notwithstanding anything to the contrary in the Agreement and without prejudice to Section 8.2 (“Purpose limitation”), Processor may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Law and to improve the level of security of personal data. Modifications to this DPA will be published on Processor’s legal center (available on the link: https://mb.wpstaging.uk/dpa-for-the-use-of-microblink-technology-and-support-services/) and Processor will inform the Controller of any substantial changes to this DPA in writing.
Controller:
Name: Licensee
Address: As defined in the executed Agreement.
Contact person’s name, position and contact details: As defined in the executed Agreement.
Processor:
Name: Microblink entity as defined in the executed Agreement.
Address: As defined in the executed Agreement.
Data protection Officer’s contact details: privacy@microblink.com.
Categories of data subjects whose personal data is processed
Natural persons – Controller’s end users, including, if applicable, Controller’s affiliates’ end users.
Categories of personal data processed
Personal data present on the processed document including, but not limited to, first name, middle name, last name, date of birth, place of birth, home address, place of residence, sex, gender, nationality, citizenship, document number, social security number, personal identification number, card security code, card type, issuance date, expiration date, issuing authority, organ donor status, residency status, biometric data (not processed for the purpose of uniquely identifying a natural person) such as face image, eye color, fingerprint, signature, weight or height, and other categories of data found on transferred identity documents, cards or other documents shared with Processor.
Sensitive data processed
No sensitive data is intended for processing. If any sensitive data is transferred, Controller will notify the Processor and Processor will apply needed restrictions and safeguards.
Nature of the processing
Applicable if Controller uses Processor’s verification service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to Processor’s cloud infrastructure on Google Cloud Platform, where, using Processor’s technology, personal data is extracted from the scan, and the presence of security features is checked and/or the analysis of physical attributes of the scanned document is performed. Once the verification process is completed, Processor returns the verification response to the Controller and, after the verification session has ended, personal data is deleted from Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s extraction service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to Processor’s cloud infrastructure on Google Cloud Platform, where, using Processor’s technology, personal data is extracted from the scan. Processor sends the extraction results and/or scanned images to the Controller when the extraction process is completed, and personal data is deleted from Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s support services: To securely transfer images of documents Controller has issues with to Processor, Controller uses Processor’s Secure Image Upload. Processor analyzes the issue in accordance with Controllers’s request for support to provide support services. Depending on the Controller’s support request, providing support services can include debugging issues on an already supported document type, supporting a new version of a supported document, and improving accuracy for an already supported document type, if the product does not work. Providing support services may, depending on the Controller’s support request, include retraining of models.
Purpose(s) for which the personal data is processed on behalf of the controller
Applicable if Controller uses Processor’s verification service: Purpose of the processing is to check the presence of security features on the identity document and to return the verification response to the Controller, in accordance with the Agreement.
Applicable if Controller uses Processor’s extraction service: Purpose of the processing is to extract the data from the identity document and send the extraction results to the Controller, in accordance with the Agreement.
Applicable if Controller uses Processor’s support services: Purpose of the processing is to provide support services to the Controller, in accordance with the Agreement.
Duration of the processing
Applicable if Controller uses Processor’s verification and/or extraction service: Processing is ongoing (for as long as Controller uses the technology or services). Processor retains input data during verification or extraction sessions, as applicable, but does not store processed data, unless a different retention period is agreed upon in writing with the Controller.
Applicable if Controller uses Processor’s support services: Processor retains the images until the issue is resolved.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
Google Cloud Platform – Microblink LLC’s cloud infrastructure on Google Cloud Platform will be used for running Processor’s technology. Processing of personal data shall be performed continuously, as long as the Controller uses the technology.
Microblink LLC is a support-providing Microblink entity and acts as a sub-processor when it is not a contract-signing entity. The data shall be processed as described above, and security measures shall be applied as described in Annex III.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Processor has defined policy on classified data handling, which defines data classification, disclosure and protection. All Processor’s employees are required to sign confidentiality clauses that state trade secrets and confidential information have to remain confidential in perpetuity and turned in after contract termination, while each breach is considered a severe violation. Furthermore, the Processor will ensure that Application Programming Interface is adequately protected and monitored with Web Application Firewall and DDoS protection.
The Processor will apply the ‘least-privileged’ and ‘need-to-know’ concepts and ensure segregation of duties. The Processor will ensure that proper procedures are in place to register new users/ additional access rights and to de-register users. The Processor will ensure that privileged access management is monitored closely and based on a regular review of the access rights, with access rights being withdrawn if not required anymore.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In relation to the subject of this Agreement, the Processor will report any security related (near) incident as soon as possible and according to the Agreement to the Controller’s contact including the protective measures taken to mitigate the impact of the incident, the preventive measures proposed to prevent the (near) incident in the future and an estimation of the impact incurred because of the incident. Processor has defined a policy on information security incident management which defines roles and responsibilities in the incident management process. The policy also describes incident classification and steps the incident response team has to take, such as incident assessment, containment, threat eradication, recovery, reporting and learning from the incidents. The Processor shall ensure the spread of knowledge and expertise to ensure the availability of skilled people even in case of a disaster.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing, and measures to ensure accountability
At Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied. Furthermore, Processor will regularly conduct vulnerability assessments of related services through penetration and vulnerability testing. Processor has internal policies, rulebooks and procedures in place to ensure the accountability of employees to process personal data responsibly. Processor ensures that its employees are informed about the Processor’s security requirements and policies and developments in the area of information security. Processor is entirely responsible for the conduct of its employees.
Measures for ensuring physical security of locations at which personal data are processed
Sub-processor’s (Google Cloud Platform) measures for security of physical premises, which provides private cloud infrastructure service, include multiple physical security layers to protect the data centers, such as biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems. (https://www.google.com/about/datacenters/data-security/)
In case processing of personal data occurs on the Processor’s or Processor’s Affiliated company’s infrastructure, Processor will also ensure adequate physical security through use of cameras, entry cards and security guards.
Measures for ensuring events logging
All system and application logging functions related to provided services by the Processor are enabled and information security events are regularly reviewed.
Measures for ensuring system configuration, including default configuration
Processor will apply system hardening for all Internet-facing services through centralised configuration management, regular vulnerability scanning and configuration review.
Measures for internal IT and IT security governance and management
Processor maintains an efficient information security management system in place to ensure proper organisation of information security responsibilities and a security risk assessment is performed on a periodic basis to ensure the identification of new or changed risks.
Processor shall allocate resources and employees that have the required expertise for carrying out any specific task in relation to its security responsibilities under this Agreement.
Processor will ensure that there is proper protection of all assets containing personal data provided by the Controller in the context of this Agreement.
Measures for certification/assurance of processes and products
At Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied.
Measures for user identification and authorisation
Applicable if Controller uses Processor’s verification and/or extraction service: Access to the service is granted to only authorized users through unique client credentials which can be revoked and renewed at any time by the Controller.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s support services: To securely transfer personal data to Processor, Controller shall use Processor’s Secure Image Upload.
Measures for ensuring data minimisation, limited data retention and erasure
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor does not store personal data after the verification process has been carried out.
Applicable if Controller uses Processor’s support service: Processor shall implement data retention schedules and irreversibly delete the data according to the schedule.
Measures for ensuring data quality
Applicable if Controller uses Processor’s verification and/or extraction service: Controller is responsible for data that is sent to the Processor, including its quality. The Processor will send to the Controller personal data extracted from the documents sent by the Controller together with personally identifiable information (PII) data and metadata scraped from the documents.
Applicable if Controller uses support services: Controller and Processor will determine what quality of data needs to be shared to resolve the issue raised by the Controller.
Measures for the protection of data during storage
Applicable if Controller uses Processor’s support service: Microblink uses Key Management Service for encryption of data at rest.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s support services: To securely transfer Personal Data to Microblink, Licensee shall use Microblink’ Secure Image Upload.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
The Processor shall have data processing agreements with sub-processors in place to ensure assistance to the Controller.
Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.
Applicable if Controller uses Processor’s support services: Controller shall make sure that they can identify their end-users and, in case of a data subject’s request, deliver their identifiers to the Processor. Processor shall provide assistance to the Controller in carrying out the data subject’s request in accordance with the procedure for data deletion.
The controller has authorised the use of the following sub-processors:
1. Name: Microblink LLC (if the signatory is Microblink Ltd. or Microblink USA LLC)
Address: Trg Drage Iblera 10, 10000 Zagreb, Croatia
Contact person’s name, position and contact details: Ena Oršić, Legal Associate and Data Protection Officer
Description of the processing: Providing support services.
2. Name: Google Cloud Platform
Address: As specified on the following link.
Contact person’s name, position and contact details: As specified on the following link.
Description of the processing: Sub-processor’s platform will be used for running Processor’s technology for processing the personal data during the extraction and/or verification session. After the finished session, the data will not be stored.
Effective January 3,1, 2024
Download
This DATA PROCESSING ADDENDUM (“DPA”) is incorporated into and is subject to the terms and conditions of the agreement executed between Controller and Processor, as defined in Annex I (together “the parties”), terms of use or terms and conditions for using Procesor’s technology accepted by the Controller, governing Controller’s use of Processor’s technology or support services (“Agreement”).
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
When the Controller uses Processor’s technology, both in the testing and production phase, or when Controller uses Processor’s support services, Processor processes personal data (defined below). The parties agree to comply with the following provisions with regard to any processing of personal data and it is agreed as follows:
Article 1
Definitions
In this DPA, the following terms shall have the following meanings:
a. “Controller”, “Processor”, “data subject”, “personal data”, “process”, and “processing” shall have the meanings given in European Data Protection Law;
b. “European Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); and (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
c. “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, European Data Protection Law, California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively referred to as the “CPRA”), and any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with European Data Protection Law; in each case as may be amended or superseded from time to time;
d. “personal data” means, aside from the meaning given in European Data Protection Law, any information that identifies a person, that is scanned, uploaded and otherwise shared with the Processor using Processor’s technology or pursuant to using support services by the Controller, Controller’s affiliated companies, or by third parties acting on the Controller’s behalf;
e. “personal data breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data disclosed and shared by the Controller and processed by Processor under this DPA;
f. “restricted transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Union or European Economic Area to a country outside of the European Union or European Economic Area that has not been recognized by the European Commission as adequate pursuant to Article 45 of EU GDPR (“third country”); and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to another country which is not based on adequacy regulations pursuant to Article 45 the UK GDPR;
g. “adequacy decision” means a formal decision made by the EU or UK which recognizes that another country, territory, sector, or international organisation provides an equivalent level of protection for personal data as the EU or UK does;
h. “Standard Contractual Clauses” or “SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en);
i. “Intra EU/EEA Standard Contractual Clauses” or “Intra EU/EEA SCCs” means the contractual clauses adopted by the European Commission in their Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (available on the link: https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors-eueea_en);
j. “International Data Transfer Agreement” or “IDTA” means the agreement issued by the Information Commissioner for Parties making Restricted Transfers under UK GDPR (available on the link: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf);
k. “Sub-Processor” means any third-party Processor engaged by Processor to process any personal data on its behalf in connection with the technology or services provided to Controller.
Article 2
Relationship of the parties
1. Processor, as defined in Annex I of this DPA, will process personal data on behalf of Controller, as described in Annex II of this DPA. Where Microblink Ltd. (6th Floor, 9 Appold Street, London, United Kingdom, EC2A 2AP) or Microblink US (10 Grand Street, STE 2400, Brooklyn, NY 11249) is the signatory of the Agreement and Processor, Microblink LLC (Trg Drage Iblera 10, 10000, Zagreb, Republic of Croatia) will be deemed affiliated company and a Sub-Processor.
2. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
Article 3
Hierarchy
1. In the event of a contradiction between this DPA and the provisions of related Agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, provisions of this DPA shall prevail.
2. Where applicable, provisions of SCCs or Intra EU/EEA SCCs or IDTA will supplement this DPA. In the event of a contradiction between this DPA and SCCs or Intra EU/EEA SCCs or IDTA, provisions of SCCs or Intra EU/EEA SCCs or IDTA shall prevail.
3. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) where applicable, SCCs or Intra EU/EEA SCCs or IDTA; then (b) this DPA; and then (c) the main body of the Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect.
4. This DPA applies to the processing of personal data as specified in Annex II.
5. Annexes I to IV are an integral part of this DPA.
Article 4
Personal data processing under EU GDPR
1. Where both parties are subject to EU GDPR and personal data is not transferred outside the European Union, Economic Area or countries without adequacy decisions under Article 45 of EU GDPR, Intra-EU/EEA SCCs apply completed as follows:
a. wherever there is an option to choose a regulation, Regulation (EU) 2016/679 shall apply;
b. the optional Clause 5 (Docking clause) shall apply;
c. in Clause 7.7. Option 2: General written authorization shall apply with a specified time period of thirty days;
d. Annex I of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex I to this DPA;
e. Annex II of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex II to this DPA;
f. Annex III of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
g. Annex IV of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
Article 5
Processing under UK GDPR
In relation to transfers of personal data protected by the UK GDPR, Intra-EU/EEA SCCs will apply with the following modifications:
a. wherever there is an option to choose a regulation, UK GDPR shall apply;
b. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “UK”, or “domestic law”;
c. references to the “competent courts” shall be replaced with references to the “competent courts of the UK”;
d. the optional Clause 5 (Docking clause) shall apply;
e. in Clause 7.7. Option 2: General written authorization shall apply with a specified time period of thirty days;
f. Annex I of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex I to this DPA;
g. Annex II of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex II to this DPA;
h. Annex III of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
i. Annex IV of the Intra EU/EEA SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
Article 6
International transfers
6.1. Restricted transfers under EU GDPR
1. Where the transfer of personal data is considered a Restricted Transfer and EU GDPR requires that appropriate safeguards are put in place, such transfer shall be subject to the SCCs, which shall be incorporated by reference and form an integral part of this DPA. The applicable module of the SCCs shall be determined depending on the location of the Controller and Processor, and their roles as data exporter and data importer regarding the processed personal data.
2. In relation to personal data that is protected by the EU GDPR, when the Processor is located in the EU acting as data exporter and the Controller acting as data importer is located in the third country, the SCCs Module Four shall apply as follows:
a. the optional Clause 7 (Docking clause) shall apply;
b. In Clause 9, Option 2: General written authorization shall apply with a specified time period of thirty days;
c. In Clause 11, the option clause shall not apply;
d. In Clause 17, the governing law shall be the law of the Republic of Croatia;
e. In Clause 18, for resolving disputes arising from these Clauses shall be resolved by the courts of the Republic of Croatia;
f. Annex I.A and I.B of the EU SCCs shall be deemed completed with the information set out in Annex I and II to this DPA and Annex I.C shall have Croatian Personal Data Protection Agency as the competent supervisory authority;
g. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA; and
h. Annex III of the EU SCCs shall be deemed completed with the information set out in Annex IV to this DPA.
6.2. International transfers under UK GDPR
1. Where UK GDPR applies to the processing, and where the Processor initiates and agrees on the transfer of personal data to a sub-processor outside of the UK or to a country without an adequacy decision, the Processor will sign an International Data Transfer Agreement with such Sub-Processor and will comply with the transfer rules.
2. Where UK GDPR applies to the Controller, the Controller remains responsible for all transfers of personal data they initiate or agree upon.
3. In relation to transfers of personal data protected by the UK GDPR, the parties acknowledge that the transfer where the Processor returns the processed personal data back to the Controller, provided that it has been initiated and agreed upon by the Controller, is not considered a Restricted Transfer under the UK GDPR.
6.3. Onward transfers
1. Processor shall not participate in (nor permit any Sub-Processor to participate in) any other Restricted Transfers of personal data (whether as an exporter or an importer of the personal data) unless the Restricted Transfer is made in compliance with Applicable Data Protection Law and provisions of this DPA.
2. Such measures may include (without limitation) transferring the personal data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to SCCs implemented between the relevant exporter and importer of the personal data.
Article 7
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller, are specified in Annex II.
Clause 8
Obligations of the Parties
8.1. Instructions
1. The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by applicable legal requirements to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the processing of personal data. These instructions shall always be documented.
2. The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe provisions of Applicable Data Protection Law.
8.2. Purpose limitation
The Processor shall process the personal data, in accordance with the Controller’s documented instructions, only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the Controller or if additional data processing documentation is signed between the parties.
8.3. Duration of the processing of personal data
Processing by the Processor shall only take place for the duration specified in Annex II.
8.4. Security of processing
1. The Processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks involved for the data subjects.
2. The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing, and monitoring of the contract. The Processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Processor shall ensure that all authorized process personal data only as necessary for the Permitted Purpose.
8.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (“sensitive data”), the parties shall update categories of processed personal data in Annex II and Processor shall apply specific restrictions and/or additional safeguards.
8.6. Documentation and compliance
1. The Parties shall be able to demonstrate compliance with this DPA.
2. The Processor shall maintain records of processing activities performed under this DPA containing categories of data subjects involved in the processing and categories of personal data processed, nature, duration and purpose of processing, list of technical and organizational measures, and data protection impact assessment.
3. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with this DPA.
4. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from Applicable Data Protection Law. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller shall take into account relevant certifications held by the Processor.
5. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice, at least 30 days prior.
6. The Parties shall make the information referred to in this Article, including the results of any audits, available to the competent supervisory authority/ies on request.
8.7. Use of Sub-Processors
1. The Processor has the Controller’s general authorisation for the engagement of Sub-Processors from an agreed list. The Processor shall specifically inform in writing the Controller of any intended changes to that list through the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). The Processor shall provide the Controller with the information necessary to enable the Controller to exercise the right to object.
2. Where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with these clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to this DPA and to Applicable Data Protection Law.
3. At the Controller’s request, the Processor shall provide a copy of such a Sub-Processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secret or other confidential information, including personal data, the Processor may redact the text of the agreement prior to sharing the copy.
4. The Processor shall remain fully responsible to the Controller for the performance of the Sub-Processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the Sub-Processor to fulfill its contractual obligations.
5. The Processor shall agree a third party beneficiary clause with the Sub-Processor whereby – in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent – the Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the personal data.
8.8. Notifications to the Controller
1. In addition to other notifications envisaged by this DPA, Processor will inform the Controller, without undue delay, but no longer than five business days, if Processor becomes aware of:
a. Any non-compliance by Processor or its employees with the obligations under this DPA or the Applicable Data Protection Law requirements relating to the protection of personal data processed under this DPA;
b. Any legally binding request for disclosure of personal data by a law enforcement authority such as courts, tribunals, or administrative authorities, unless the Processor is otherwise forbidden by law to inform Controller (e.g. to preserve the confidentiality of an investigation by law enforcement authorities). Processor shall be able to provide information on the possible legally binding disclosure of personal data;
c. Any notice, inquiry, or investigation by a Supervisory Authority with respect to personal data shared by the Controller; or
d. Any complaint or request received directly from data subjects of Controller. Processor will not substantively respond to any such request without Controller’s prior written authorization.
3. Before making any disclosures of personal data or providing other information regarding personal data, Processor shall consult with Controller unless in situations described in provision 1.b of this Article.
8.9. Privacy by design and default
Processor shall integrate privacy considerations into its processing activities from the outset, encompassing the design, development, implementation, and ongoing maintenance of its systems, applications, and services. Processor’s default settings for systems, applications, and services shall prioritize the highest level of privacy protection, limiting the processing of personal data by default. Processor shall provide mechanisms that allow the Controller and data subjects to easily manage their privacy preferences and exercise their rights.
Article 9
Assistance to the Controller
1. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
2. The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (1) and (2), the Processor shall comply with the Controller’s instructions.
3. In addition to the Processor’s obligation to assist the Controller pursuant to Clause 9.2, the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
a. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’), where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. The Processor shall provide assistance to the Controller to enable them to conduct the data protection impact assessment. When providing assistance, Processor may redact information to the extent necessary to protect business secret or other confidential information;
b. the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
c. the obligation to ensure that personal data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the personal data it is processing is inaccurate or has become outdated;
d. the obligations to implement and maintain appropriate technical and organisational measures to ensure a level of personal data security appropriate to the risk. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons and include as appropriate:
i. the pseudonymisation and encryption of personal data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
iii. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
4. The Parties shall set out the appropriate technical and organisational measures in Annex III by which the Processor is required to assist the Controller in the application of this Article as well as the scope and the extent of the assistance required. Controller acknowledges that the security measures are subject to technical progress and development and that Processor may update or modify the security measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the processing.
Clause 10
Notification of personal data breach
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller for the Controller to comply with its obligations under Applicable Data Protection Law, where applicable, taking into account the nature of processing and the information available to the Processor.
10.1. Data breach concerning data processed by Controller
In the event of a personal data breach concerning data processed by the Controller, the Processor shall assist the Controller:
a. in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
b. in obtaining the following information which, shall be stated in the Controller’s notification, and must at least include:
i. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
ii. the likely consequences of the personal data breach;
iii. the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
c. in complying with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
10.2. Data breach concerning data processed by Processor
1. In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay after the Processor having become aware of the breach. Such notification shall contain, at least:
a. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
b. the details of a contact point where more information concerning the personal data breach can be obtained;
c. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
2. The Parties shall set out in Annex III all other elements to be provided by the Processor when assisting the Controller in the compliance with the Controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Article 11
Non-compliance with this DPA and termination
1. Without prejudice to any provisions of Applicable Data Protection Law, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of personal data until the latter complies with this DPA or the Agreement is terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.
2. The Controller shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data in accordance with this DPA if:
a. the processing of personal data by the Processor has been suspended by the Controller pursuant to provision 1. of this Article and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
b. the Processor is in substantial or persistent breach of this DPA or its obligations under Applicable Data Protection Law;
c. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or Applicable Data Protection Law.
3. The Processor shall be entitled to terminate the Agreement insofar as it concerns processing of personal data under this DPA where, after having informed the Controller that its instructions infringe applicable legal requirements in accordance with Article 8.1.2, the Controller insists on compliance with the instructions.
4. Following termination of the Agreement, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify to the Controller that it has done so, or, return all the personal data to the Controller and delete existing copies unless Applicable Data Protection Law requires storage of the personal data. Until the data is deleted or returned, the Processor shall continue to ensure compliance with this DPA.
Article 12
Miscellaneous
1. This DPA represents an integral part of the Agreement executed between the parties and becomes effective when both parties sign the Agreement.
2. If Applicable Data Protection Law or other applicable regulation requires the Controller to sign the DPA or to sign the SCCs, Intra-EU SCCs or IDTA applicable to a particular processing or restricted transfer of personal data to the Processor as a separate agreement, Processor will, on Controller’s request, promptly execute such document.
3. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Processor’s technology and services.
4. Notwithstanding anything to the contrary in the Agreement and without prejudice to Section 8.2 (“Purpose limitation”), Processor may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Law and to improve the level of security of personal data. Modifications to this DPA will be published on Processor’s legal center (available on the link: https://mb.wpstaging.uk/dpa-for-the-use-of-microblink-technology-and-support-services/) and Processor will inform the Controller of any substantial changes to this DPA in writing.
Controller:
Name: Licensee
Address: As defined in the executed Agreement.
Contact person’s name, position and contact details: As defined in the executed Agreement.
Processor:
Name: Microblink entity as defined in the executed Agreement.
Address: As defined in the executed Agreement.
Data protection Officer’s contact details: privacy@microblink.com.
Categories of data subjects whose personal data is processed
Natural persons – Controller’s end users, including, if applicable, Controller’s affiliates’ end users.
Categories of personal data processed
Name and last name, address, date, and place of birth, gender, sex, nationality, country of residence, signature, passport number, social security number, driver’s license number, state or national ID card number, other ID card number, personal identification number, face image, eye color, weight, height, organ donor status, other categories of data found on transferred identity documents, and biometric data (not used to undeniably identify an individual).
Sensitive data processed
No sensitive data is intended for processing. If any sensitive data is transferred, Controller will notify the Processor and Processor will apply needed restrictions and safeguards.
Nature of the processing
Applicable if Controller uses Processor’s verification service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to Processor’s cloud infrastructure on Google Cloud Platform, where, using Processor’s technology, personal data is extracted from the scan, and the presence of security features is checked and/or the analysis of physical attributes of the scanned document is performed. Once the verification process is completed, Processor returns the verification response to the Controller and, after the verification session has ended, personal data is deleted from Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s extraction service: Using Controller’s Solution, the data subject scans the identity document’s front and/or back. The scans are sent to Processor’s cloud infrastructure on Google Cloud Platform, where, using Processor’s technology, personal data is extracted from the scan. Processor sends the extraction results and/or scanned images to the Controller when the extraction process is completed, and personal data is deleted from Processor’s cloud infrastructure.
Applicable if Controller uses Processor’s support services: To securely transfer images of documents Controller has issues with to Processor, Controller uses Processor’s Secure Image Upload. Processor analyzes the issue in accordance with Controllers’s request for support to provide support services. Depending on the Controller’s support request, providing support services can include debugging issues on an already supported document type, supporting a new version of a supported document, and improving accuracy for an already supported document type, if the product does not work. Providing support services may, depending on the Controller’s support request, include retraining of models.
Purpose(s) for which the personal data is processed on behalf of the controller
Applicable if Controller uses Processor’s verification service: Purpose of the processing is to check the presence of security features on the identity document and to return the verification response to the Controller, in accordance with the Agreement.
Applicable if Controller uses Processor’s extraction service: Purpose of the processing is to extract the data from the identity document and send the extraction results to the Controller, in accordance with the Agreement.
Applicable if Controller uses Processor’s support services: Purpose of the processing is to provide support services to the Controller, in accordance with the Agreement.
Duration of the processing
Applicable if Controller uses Processor’s verification and/or extraction service: Processing is ongoing (for as long as Controller uses the technology or services). Processor retains input data during verification or extraction sessions, as applicable, but does not store processed data, unless a different retention period is agreed upon in writing with the Controller.
Applicable if Controller uses Processor’s support services: Processor retains the images until the issue is resolved.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
Google Cloud Platform – Microblink LLC’s cloud infrastructure on Google Cloud Platform will be used for running Processor’s technology. Processing of personal data shall be performed continuously, as long as the Controller uses the technology.
Microblink LLC is a support-providing Microblink entity and acts as a sub-processor when it is not a contract-signing entity. The data shall be processed as described above, and security measures shall be applied as described in Annex III.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Processor has defined policy on classified data handling, which defines data classification, disclosure and protection. All Processor’s employees are required to sign confidentiality clauses that state trade secrets and confidential information have to remain confidential in perpetuity and turned in after contract termination, while each breach is considered a severe violation. Furthermore, the Processor will ensure that Application Programming Interface is adequately protected and monitored with Web Application Firewall and DDoS protection.
The Processor will apply the ‘least-privileged’ and ‘need-to-know’ concepts and ensure segregation of duties. The Processor will ensure that proper procedures are in place to register new users/ additional access rights and to de-register users. The Processor will ensure that privileged access management is monitored closely and based on a regular review of the access rights, with access rights being withdrawn if not required anymore.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
In relation to the subject of this Agreement, the Processor will report any security related (near) incident as soon as possible and according to the Agreement to the Controller’s contact including the protective measures taken to mitigate the impact of the incident, the preventive measures proposed to prevent the (near) incident in the future and an estimation of the impact incurred because of the incident. Processor has defined a policy on information security incident management which defines roles and responsibilities in the incident management process. The policy also describes incident classification and steps the incident response team has to take, such as incident assessment, containment, threat eradication, recovery, reporting and learning from the incidents. The Processor shall ensure the spread of knowledge and expertise to ensure the availability of skilled people even in case of a disaster.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing, and measures to ensure accountability
At Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied. Furthermore, Processor will regularly conduct vulnerability assessments of related services through penetration and vulnerability testing. Processor has internal policies, rulebooks and procedures in place to ensure the accountability of employees to process personal data responsibly. Processor ensures that its employees are informed about the Processor’s security requirements and policies and developments in the area of information security. Processor is entirely responsible for the conduct of its employees.
Measures for ensuring physical security of locations at which personal data are processed
Sub-processor’s (Google Cloud Platform) measures for security of physical premises, which provides private cloud infrastructure service, include multiple physical security layers to protect the data centers, such as biometric identification, metal detection, cameras, vehicle barriers, and laser-based intrusion detection systems. (https://www.google.com/about/datacenters/data-security/)
In case processing of personal data occurs on the Processor’s or Processor’s Affiliated company’s infrastructure, Processor will also ensure adequate physical security through use of cameras, entry cards and security guards.
Measures for ensuring events logging
All system and application logging functions related to provided services by the Processor are enabled and information security events are regularly reviewed.
Measures for ensuring system configuration, including default configuration
Processor will apply system hardening for all Internet-facing services through centralised configuration management, regular vulnerability scanning and configuration review.
Measures for internal IT and IT security governance and management
Processor maintains an efficient information security management system in place to ensure proper organisation of information security responsibilities and a security risk assessment is performed on a periodic basis to ensure the identification of new or changed risks.
Processor shall allocate resources and employees that have the required expertise for carrying out any specific task in relation to its security responsibilities under this Agreement.
Processor will ensure that there is proper protection of all assets containing personal data provided by the Controller in the context of this Agreement.
Measures for certification/assurance of processes and products
At Processor’s complete discretion, a periodic self-certification process will be completed by the Processor to ensure that all security-related policies and procedures are still applied.
Measures for user identification and authorisation
Applicable if Controller uses Processor’s verification and/or extraction service: Access to the service is granted to only authorized users through unique client credentials which can be revoked and renewed at any time by the Controller.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s support services: To securely transfer personal data to Processor, Controller shall use Processor’s Secure Image Upload.
Measures for ensuring data minimisation, limited data retention and erasure
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor does not store personal data after the verification process has been carried out.
Applicable if Controller uses Processor’s support service: Processor shall implement data retention schedules and irreversibly delete the data according to the schedule.
Measures for ensuring data quality
Applicable if Controller uses Processor’s verification and/or extraction service: Controller is responsible for data that is sent to the Processor, including its quality. The Processor will send to the Controller personal data extracted from the documents sent by the Controller together with personally identifiable information (PII) data and metadata scraped from the documents.
Applicable if Controller uses support services: Controller and Processor will determine what quality of data needs to be shared to resolve the issue raised by the Controller.
Measures for the protection of data during storage
Applicable if Controller uses Processor’s support service: Microblink uses Key Management Service for encryption of data at rest.
Measures of pseudonymisation and encryption of personal data and for the protection of data during transmission
Applicable if Controller uses Processor’s verification and/or extraction service: The Processor will use strong encryption methods such as TLS (latest supported versions) for data in transit.
Applicable if Controller uses Processor’s support services: To securely transfer Personal Data to Microblink, Licensee shall use Microblink’ Secure Image Upload.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
The Processor shall have data processing agreements with sub-processors in place to ensure assistance to the Controller.
Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.
Applicable if Controller uses Processor’s support services: Controller shall make sure that they can identify their end-users and, in case of a data subject’s request, deliver their identifiers to the Processor. Processor shall provide assistance to the Controller in carrying out the data subject’s request in accordance with the procedure for data deletion.
The controller has authorised the use of the following sub-processors:
1. Name: Microblink LLC (if the signatory is Microblink Ltd. or Microblink USA LLC)
Address: Trg Drage Iblera 10, 10000 Zagreb, Croatia
Contact person’s name, position and contact details: Ena Oršić, Legal Associate and Data Protection Officer
Description of the processing: Providing support services.
2. Name: Google Cloud Platform
Address: As specified on the following link.
Contact person’s name, position and contact details: As specified on the following link.
Description of the processing: Sub-processor’s platform will be used for running Processor’s technology for processing the personal data during the extraction and/or verification session. After the finished session, the data will not be stored.
Exploring our solutions is just a click away. Try our products or have a chat with one of our experts to delve deeper into what we offer.
Among all participating vendors, Microblink was the only provider to meet RIVR “high performing” system benchmarks across every measured accuracy metric.
Continue Reading