Standard Contractual Clauses (Processors)
Last updated: June 10, 2024 at 12 AM
According to Article 26(2) of Directive 95/46/EC on Data Transfers to Processors in Third Countries
Cordarium.com (the “Data Exporter,” “Us,” “Our”) and The Seller (the “Data Importer,” “You”)
(each a “Party”; collectively the “Parties”),
AGREE to the following provisions to ensure the safeguarding of privacy and the fundamental rights and freedoms of individuals concerning the transfer of personal data from the Data Exporter to the Data Importer, as detailed in Appendix 1.
By accepting these provisions during the registration or another relevant process, both Parties commit to be bound by them.
Clause 1 - Definitions
For these provisions:
(a) ‘Personal Data,’ ‘Special Categories of Data,’ ‘Processing,’ ‘Controller,’ ‘Processor,’ ‘Data Subject,’ and ‘Supervisory Authority’ follow the meanings in Directive 95/46/EC.
(b) ‘The Data Exporter’ is the Controller transferring the Personal Data.
(c) ‘The Data Importer’ is the Processor receiving the Personal Data from the Data Exporter.
(d) ‘The Sub-Processor’ is any Processor engaged by the Data Importer or another Sub-Processor.
(e) ‘The Applicable Data Protection Law’ means the legal framework that ensures the protection of individuals' privacy rights.
(f) ‘Technical and Organisational Security Measures’ are measures designed to protect Personal Data.
Clause 2 - Details of the Transfer
Details of the transfer, including special categories of Personal Data, are specified in Appendix 1, which is an integral part of these provisions.
Clause 3 - Third-Party Beneficiary Clause
(a) The Data Subject can enforce the following clauses against the Data Exporter: Clause 3, Clause 4(b) to (i), Clause 5(a) to (e) and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as a third-party beneficiary.
(b) The Data Subject can enforce the following clauses against the Data Importer: Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12 if the Data Exporter has ceased to exist or become insolvent, unless any successor entity has assumed the Data Exporter’s obligations.
(c) The Data Subject can enforce the following clauses against the Sub-Processor: Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12 if both the Data Exporter and the Data Importer have ceased to exist or become insolvent, unless a successor entity has assumed their obligations.
(d) The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so wishes and if permitted by national law.
Clause 4 - Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) The processing, including the transfer, of Personal Data has been and will continue to be in compliance with applicable data protection laws.
(b) It has instructed, and will continue to instruct, the Data Importer to process Personal Data only on the Data Exporter’s behalf in accordance with these provisions and applicable data protection law.
(c) The Data Importer will provide sufficient guarantees regarding technical and organisational security measures as specified in Appendix 2.
(d) The security measures are adequate to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
(e) It will ensure compliance with the security measures.
(f) If the transfer involves special categories of data, the Data Subject has been or will be informed of the transfer and the lack of adequate protection in the third country.
(g) To forward any notification from the Data Importer or Sub-Processor to the supervisory authority if it decides to continue the transfer or lift the suspension.
(h) To make available to Data Subjects, upon request, a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as any sub-processing contract.
(i) If sub-processing occurs, the processing is carried out in accordance with Clause 11 by a Sub-Processor providing at least the same level of protection for the Personal Data and the rights of Data Subjects as the Data Importer.
(j) It will ensure compliance with Clause 4(a) to (i).
Clause 5 - Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) To process Personal Data only on behalf of the Data Exporter and in compliance with its instructions and these provisions; it will inform the Data Exporter if it cannot comply.
(b) It has no reason to believe that legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under these provisions.
(c) It has implemented the technical and organisational security measures specified in Appendix 2 before processing Personal Data.
(d) It will promptly notify the Data Exporter about: (i) Any legally binding request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited. (ii) Any accidental or unauthorized access. (iii) Any request received directly from Data Subjects without responding to the request, unless authorized.
(e) To handle all inquiries from the Data Exporter regarding its processing of Personal Data promptly and properly and abide by the advice of the supervisory authority.
(f) At the Data Exporter’s request, to submit its data-processing facilities for audit of the processing activities covered by these provisions, conducted by the Data Exporter or an inspection body selected by the Data Exporter, where applicable, in agreement with the supervisory authority.
(g) To make available to Data Subjects upon request a copy of these provisions or any sub-processing contract, unless they contain commercial information, in which case it may remove such information, except for Appendix 2, which shall be replaced by a summary description of the security measures.
(h) In the event of sub-processing, it has informed the Data Exporter and obtained prior written consent.
(i) The processing services by the Sub-Processor will be in accordance with Clause 11.
(j) To promptly send a copy of any sub-processing agreement concluded under these provisions to the Data Exporter.
Clause 6 - Liability
(a) The Parties agree that any Data Subject who has suffered damage as a result of any breach of the obligations in Clause 3 or Clause 11 by any Party or Sub-Processor is entitled to receive compensation from the Data Exporter for the damage suffered.
(b) If a Data Subject is unable to claim compensation from the Data Exporter, arising out of a breach by the Data Importer or Sub-Processor, because the Data Exporter has ceased to exist or become insolvent, the Data Importer agrees the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the Data Exporter’s obligations.
(c) If a Data Subject cannot claim against the Data Exporter or Data Importer due to their cessation or insolvency, the Sub-Processor agrees the Data Subject may issue a claim against the Sub-Processor for its processing operations under these provisions as if it were the Data Exporter or Data Importer.
Clause 7 - Mediation and Jurisdiction
(a) The Data Importer agrees that if a Data Subject invokes third-party beneficiary rights and/or claims compensation under these provisions, the Data Importer will accept the decision of the Data Subject: (i) To refer the dispute to mediation by an independent person or the supervisory authority. (ii) To refer the dispute to the courts in the Member State in which the Data Exporter is established.
(b) The Parties agree the choice made by the Data Subject does not prejudice its rights to seek remedies in accordance with other national or international law provisions.
Clause 8 - Cooperation with Supervisory Authorities
(a) The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if required under the applicable data protection law.
(b) The Parties agree the supervisory authority has the right to conduct an audit of the Data Importer, and any Sub-Processor, which has the same scope and conditions as an audit of the Data Exporter under applicable data protection law.
(c) The Data Importer shall promptly inform the Data Exporter if legislation applicable to it or any Sub-Processor prevents the conduct of an audit pursuant to paragraph (b). In such a case, the Data Exporter shall be entitled to take necessary measures, including suspending the data transfer.
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Clause 10 - Variation of the Contract
The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business-related issues where required, provided they do not contradict the Clauses.
Clause 11 - Sub-Processing
(a) The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor as are imposed on the Data Importer under the Clauses. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement, the Data Importer shall remain fully liable to the Data Exporter for the performance of the Sub-Processor’s obligations under such agreement.
(b) The prior written contract between the Data Importer and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to claim compensation for damages referred to in Clause 6(1) against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
(c) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph (a) shall be governed by the law of the Member State in which the Data Exporter is established.
(d) The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.
Clause 12 - Obligation after the Termination of Personal Data Processing Services
(a) The Parties agree that on the termination of the provision of data processing services, the Data Importer and the Sub-Processor shall, at the choice of the Data Exporter, return all the transferred Personal Data and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
(b) The Data Importer and the Sub-Processor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph (a).
Appendix 1
Data Exporter
The Data Exporter is Cordarium, a company providing an online platform for the sale of the digital products for client's gaming servers by using Partner Cryptocurrency Processor - Cryptomus.
Data Importer
The Data Importer is the Seller, a company or individual using Cordarium to sell products for their gaming webstores by using Cordarium as the processor between Partner Cryptocurrency Processor (Cryptomus) and Seller as the Merchant.
Data Subjects
The Personal Data transferred concern the following categories of Data Subjects:
- Customers of the Data Exporter
- Individuals acting on behalf of business customers
Categories of Data
The Personal Data transferred concern the following categories of data:
- Contact information (name, address, email, phone number)
- Transaction data (purchase history, payment information (i.e. email)
- Any other data submitted by Data Subjects in the context of a sale
Special Categories of Data
The Personal Data transferred do not include special categories of data.
Processing Operations
The Personal Data transferred will be subject to the following basic processing activities:
- Data Importer will process Personal Data to fulfill orders, manage customer relationships, and perform related business activities as instructed by the Data Exporter.
Appendix 2
Technical and Organisational Security Measures
The Data Importer will implement the following measures:
- Access Control of Processing Areas: Ensure only authorized personnel can access data processing facilities.
- Data Access Control: Prevent unauthorized persons from accessing data processing systems.
- Transmission Control: Ensure data cannot be read, copied, modified, or deleted without authorization during electronic transfer or transport.
- Input Control: Maintain a record of data entry, modification, and deletion to ensure accountability.
- Job Control: Ensure that data is processed strictly according to the Data Exporter’s instructions.
- Availability Control: Protect data against accidental destruction or loss.
- Data Separation: Ensure that data collected for different purposes can be processed separately.
For more information, contact us at [email protected].