This section concerns Clients and Distributors of Vendon and processing of Personal Data that they submit to Vendon by using the System and the Services. The Client and Distributor are the Controllers in respect of data they provide to Vendon via the System.
Details of processing
Categories of Data Subjects. Vendon on behalf of the Client and Distributor processes Personal Data of their employees, representatives and other persons related to the respective Client and Distributor that are registered in the System under the Client’s and Distributor’s account or whose data are otherwise entered in the System.
Type of Personal Data. Vendon processes Personal Data that include name, last name, telephone number, e-mail address, password for the System account, language, working hours, position and other information that relate to Data Subjects shared with Vendon by the Clients and Distributors.
Nature and purpose of processing. Vendon processes Personal Data on behalf of the Client and Distributor in accordance with their instructions, and only stores and accesses the data for the purpose of providing the Client with the Services or otherwise executing our obligations under contract concluded with the Client or the Distributor.
Duration of processing. Vendon will process the aforementioned data for as long as Vendon has existing contractual relationship with the respective Client or Distributor. After termination of contractual relationship, we may continue to store some Personal Data, but limited to the minimum amount necessary for us to comply with our legal obligations.
Rights and obligations of Controller and Processor
The Client and Distributor confirms that the data transferred to Vendon has been acquired on a lawful basis and that Data Subjects have been informed about the fact that their Personal Data may be provided to Vendon and other third parties engaged by Vendon for the provision of the Services and maintaining the System.
Vendon shall not be liable for any claims or complaints from Data Subjects regarding any action taken by Vendon as a result of acting in accordance with instructions received from the Client and the Distributor.
Vendon will always process all Personal Data on behalf of the Client or Distributor following their instructions and in compliance with the applicable data protection laws and regulations including requirements of GDPR where applicable.
The Client and Distributor hereby authorizes Vendon to engage sub-processors, including sub-processors that are located outside EEA, for the purpose of administering and providing the Services, maintaining the System or otherwise executing the contractual relationship between Vendon and the Client or Distributor.
Vendon uses sub-processors that provide us services such as hosting and server co-location, communication delivery, product delivery, customer support, legal and financial advisors, among others.
Assistance to the Controller
Taking into account the nature of the processing, Vendon will assist the Client and Distributor with the provision of technical or organizational measures, insofar as possible, for the fulfilment of the Controller’s obligations in relation to:
- Any requests from the Data Subjects in respect of access to or the rectification, erasure, restriction, portability, and objection to the processing of their Personal Data that Vendon processes on behalf of the Client or Distributor. In the event that a Data Subject sends such a request directly to Vendon, Vendon will promptly forward such request to the respective Client or Distributor; and
- The investigation of Personal Data breaches and the notification to the Supervisory Authority and Data Subjects regarding such breaches; and
- Where appropriate, the preparation of data protection impact assessments and, if necessary, carrying out consultations with any Supervisory Authority.
Return and deletion of data
Unless otherwise required by applicable law, Vendon has no obligation to store the Client’s and Distributor’s data after termination of the contractual relationship and deletion of the Client’s and Distributor’s account and all accounts associated with it.
At the choice of the Client and Distributor, Vendon will delete or return all the Personal Data to the Client and Distributor after the end of the contractual relationship relating to processing and shall delete existing copies, unless applicable law requires Vendon to store such Personal Data.
Data Processing Audit
If information provided upon the Client’s or Distributor’s request in its reasonable judgement is not sufficient to confirm Vendon’s compliance, then Vendon agrees to allow for and contribute to data processing audit.
Such audits are allowed to be carried out by independent third party with good market reputation, provided that it has sufficient experience and competence to carry out data processing audits, and election of such auditor must be mutually agreed by both the Client or Distributor and Vendon.
The timing and other practicalities related to any such audit or inspection are determined by us and any such information and assistance are provided at exclusively the cost and expense of the Client or Distributor, and we reserve the right to charge the Client or Distributor for any additional work or other costs incurred by us in connection with the Client using such rights. The rights to request the audit may be used once every 2 years.
The auditor will have to sign a confidentiality agreement, which includes the obligation not to disclose business information in its audit report, and the final report will also have to be provided to Vendon.