This section concerns Clients and Distributors of Vendon and processing of Personal Data that they submit to Vendon by using the System and the Services. The Client and Distributor are the Controllers in respect of data they provide to Vendon via the System.
If your Vendon account was created by our Client or Distributor, you should consult the privacy policy of the respective Client or Distributor. And in such case, any inquiry that you as a Data Subject may have should be addressed to and resolved by the Client or Distributor.
For the avoidance of doubt, this Privacy Policy contains data processing terms that govern data processing carried out by Vendon on behalf of Clients and Distributors and therefore it constitutes a binding data processing agreement.
Details of processing
Categories of Data Subjects. Vendon on behalf of the Client and Distributor processes Personal Data of their employees, representatives and other persons related to the respective Client and Distributor that are registered in the System under the Client’s and Distributor’s account or whose data are otherwise entered in the System.
Type of Personal Data. Vendon processes Personal Data that include name, last name, telephone number, e-mail address, password for the System account, language, working hours, position and other information that relate to Data Subjects shared with Vendon by the Clients and Distributors.
Nature and purpose of processing. Vendon processes Personal Data on behalf of the Client and Distributor in accordance with their instructions, and only stores and accesses the data for the purpose of providing the Client with the Services or otherwise executing our obligations under contract concluded with the Client or the Distributor.
Duration of processing. Vendon will process the aforementioned data for as long as Vendon has existing contractual relationship with the respective Client or Distributor. After termination of contractual relationship, we may continue to store some Personal Data, but limited to the minimum amount necessary for us to comply with our legal obligations.
Rights and obligations of Controller and Processor
By accepting the terms of this Privacy Policy and by using the System or the Services, the Client and Distributor instructs Vendon to process Personal Data entered into the System or otherwise transferred to Vendon by the Client and Distributor.
The Client and Distributor confirms that the data transferred to Vendon has been acquired on a lawful basis and that Data Subjects have been informed about the fact that their Personal Data may be provided to Vendon and other third parties engaged by Vendon for the provision of the Services and maintaining the System.
Vendon shall not be liable for any claims or complaints from Data Subjects regarding any action taken by Vendon as a result of acting in accordance with instructions received from the Client and the Distributor.
Vendon will always process all Personal Data on behalf of the Client or Distributor following their instructions and in compliance with the applicable data protection laws and regulations including requirements of GDPR where applicable.
Sub-processors
The Client and Distributor hereby authorizes Vendon to engage sub-processors, including sub-processors that are located outside EEA, for the purpose of administering and providing the Services, maintaining the System or otherwise executing the contractual relationship between Vendon and the Client or Distributor.
Vendon uses sub-processors that provide us services such as hosting and server co-location, communication delivery, product delivery, customer support, legal and financial advisors, among others.
Vendon ensures that it only uses sub-processors that comply with the same data protection obligations as set out in this Privacy Policy and guarantees that they have implemented appropriate technical and organizational measures and otherwise comply with the requirements of GDPR where applicable. If such sub-processor fails to fulfil its data protection obligations, Vendon shall remain liable towards the Client or the Distributor.
Assistance to the Controller
Taking into account the nature of the processing, Vendon will assist the Client and Distributor with the provision of technical or organizational measures, insofar as possible, for the fulfilment of the Controller’s obligations in relation to:
- Any requests from the Data Subjects in respect of access to or the rectification, erasure, restriction, portability, and objection to the processing of their Personal Data that Vendon processes on behalf of the Client or Distributor. In the event that a Data Subject sends such a request directly to Vendon, Vendon will promptly forward such request to the respective Client or Distributor; and
- The investigation of Personal Data breaches and the notification to the Supervisory Authority and Data Subjects regarding such breaches; and
- Where appropriate, the preparation of data protection impact assessments and, if necessary, carrying out consultations with any Supervisory Authority.
Security
When processing Personal Data on behalf of the Clients and Distributors Vendon always applies the implemented security measures as described below in Section 8 of this Privacy Policy.
Return and deletion of data
Unless otherwise required by applicable law, Vendon has no obligation to store the Client’s and Distributor’s data after termination of the contractual relationship and deletion of the Client’s and Distributor’s account and all accounts associated with it.
At the choice of the Client and Distributor, Vendon will delete or return all the Personal Data to the Client and Distributor after the end of the contractual relationship relating to processing and shall delete existing copies, unless applicable law requires Vendon to store such Personal Data.
Data Processing Audit
Upon the Client’s or Distributor’s written request, Vendon shall provide sufficient information to demonstrate compliance with obligations laid down in this Privacy Policy and applicable laws and regulations. This information shall be provided to the extent that such information is within Vendon’s control and Vendon is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
If information provided upon the Client’s or Distributor’s request in its reasonable judgement is not sufficient to confirm Vendon’s compliance, then Vendon agrees to allow for and contribute to data processing audit.
Such audits are allowed to be carried out by independent third party with good market reputation, provided that it has sufficient experience and competence to carry out data processing audits, and election of such auditor must be mutually agreed by both the Client or Distributor and Vendon.
The timing and other practicalities related to any such audit or inspection are determined by us and any such information and assistance are provided at exclusively the cost and expense of the Client or Distributor, and we reserve the right to charge the Client or Distributor for any additional work or other costs incurred by us in connection with the Client using such rights. The rights to request the audit may be used once every 2 years.
The auditor will have to sign a confidentiality agreement, which includes the obligation not to disclose business information in its audit report, and the final report will also have to be provided to Vendon.