GDPR

Data Processing Agreement

This Data Processing Agreement (DPA) and its applicable DPA Exhibits apply to the Processing of Personal
Data by Balinesse Impex SRL [BalinesseSpa] on behalf of Client (Client Personal Data) in order to provide Cloud
Services and other services agreed in the Agreement (Services). DPA Exhibits for each Service will be
provided in the applicable Agreement. This DPA is subject to the terms of the Agreement (capitalized terms
used and not defined herein have the meanings given them in the General Data Protection Regulation
2016/679 [GDPR]). In the event of conflict the DPA Exhibit prevails over the DPA which prevails over the
Agreement except where explicitly set out in the Agreement identifying the relevant Section of the DPA over
which it prevails.

1. Processing
1.1 Client (a) is the sole Controller of Client Personal Data or (b) has been instructed by and obtained the
authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by BalinesseSpa
as set out in this DPA. Client appoints BalinesseSpa as Processor to Process Client Personal Data. If there
are other Controllers, Client will identify and inform BalinesseSpa of any such other Controllers prior to
providing their Personal Data, as set out in the DPA Exhibit.
1.2 A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data
and the processing activities is set out in the applicable DPA Exhibit for a Service. The duration of the
Processing corresponds to the duration of the Service, unless otherwise stated in the respective DPA
Exhibit. The nature, purpose and subject matter of the Processing is the provision of the Service as
described in the applicable Agreement.
1.3 BalinesseSpa will Process Client Personal Data according to Client’s written instructions. The scope of
Client’s instructions for the Processing of Client Personal Data is defined by the Agreement, this DPA
including the applicable DPA Exhibit, and, if applicable, Client’s and its authorized users’ use and
configuration of the features of the Service. Client may provide further instructions that are legally
required (Additional Instructions). If BalinesseSpa believes an Additional Instruction violates the GDPR or
other applicable data protection regulations, BalinesseSpa will inform Client without undue delay and may
suspend the performance until Client has modified or confirmed the lawfulness of the Additional
Instruction in writing. If BalinesseSpa notifies Client that an Additional Instruction is not feasible or Client
notifies BalinesseSpa that it does not accept the quote for the Additional Instruction prepared in accordance
with Section 10.2, Client may terminate the affected Service by providing BalinesseSpa with a written notice
within one month after notification. BalinesseSpa will refund a prorated portion of any prepaid charges for the
period after such termination date.
1.4 Client shall serve as a single point of contact for BalinesseSpa. As other Controllers may have certain direct
rights against BalinesseSpa, Client undertakes to exercise all such rights on their behalf and to obtain all
necessary permissions from the other Controllers. BalinesseSpa shall be discharged of its obligation to
inform or notify another Controller when BalinesseSpa has provided such information or notice to Client.
Similarly, BalinesseSpa will serve as a single point of contact for Client with respect to its obligations as a
Processor under this DPA.
1.5 BalinesseSpa will comply with all EEA data protection laws and regulations (Data Protection Laws) in
respect of the Services applicable to Processors. BalinesseSpa is not responsible for determining the
requirements of laws applicable to Client’s business or that BalinesseSpa’s provision of the Services meet
the requirements of such laws. As between the parties, Client is responsible for the lawfulness of the
Processing of the Client Personal Data. Client will not use the Services in conjunction with Personal
Data to the extent that doing so would violate applicable Data Protection Laws.

2. Technical and organizational measures
2.1 BalinesseSpa will implement and maintain technical and organizational measures set forth in the applicable
DPA Exhibit (TOMs) to ensure a level of security appropriate to the risk for BalinesseSpa’s scope of
responsibility. TOMs are subject to technical progress and further development. Accordingly, BalinesseSpa
reserves the right to modify the TOMs provided that the functionality and security of the Services are not
degraded.
2.2 Client confirms that the TOMs provide an appropriate level of protection for the Client Personal Data
taking into account the risks associated with the Processing of Client Personal Data.

3. Data Subject Rights and Requests
3.1 To the extent permitted by law, BalinesseSpa will inform Client of requests from Data Subjects exercising
their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to BalinesseSpa
regarding Client Personal Data. Client shall be responsible to respond to such requests of Data
Subjects. BalinesseSpa will reasonably assist Client in responding to such Data Subject requests in accordance
with Section 10.2.
3.2 If a Data Subject brings a claim directly against BalinesseSpa for a violation of their Data Subject rights,
Client will indemnify BalinesseSpa for any cost, charge, damages, expenses or loss arising from such a
claim, to the extent that BalinesseSpa has notified Client about the claim and given Client the opportunity to
cooperate with BalinesseSpa in the defense and settlement of the claim. Subject to the terms of the
Agreement, Client may claim from BalinesseSpa amounts paid to a Data Subject for a violation of their Data
Subject rights caused by BalinesseSpa’s breach of its obligations under GDPR.

4. Third Party Requests and Confidentiality
4.1 BalinesseSpa will not disclose Client Personal Data to any third party, unless authorized by the Client or
required by law. If a government or Supervisory Authority demands access to Client Personal Data,
BalinesseSpa will notify Client prior to disclosure, unless prohibited by law.
4.2 BalinesseSpa requires all of its personnel authorized to Process Client Personal Data to commit themselves
to confidentiality and not Process such Client Personal Data for any other purposes, except on
instructions from Client or unless required by applicable law.

5. Audit
5.1 BalinesseSpa shall allow for and contribute to audits, including inspections, conducted by the Client or
another auditor mandated by the Client of BalinesseSpa companies Processing of Client Personal Data in
accordance with the following procedures:
a. Upon Client’s written request, BalinesseSpa will provide Client or its mandated auditor with the most
recent certifications and/or summary audit report(s), which BalinesseSpa has procured to regularly test,
assess and evaluate the effectiveness of the TOMs.
b. BalinesseSpa will reasonably cooperate with Client by providing available additional information
concerning the TOMs, to help Client better understand such TOMs.
c. If further information is needed by Client to comply with its own or other Controllers’ audit obligations
or a competent Supervisory Authority’s request, Client will inform BalinesseSpa in writing to enable
BalinesseSpa to provide such information or to grant Client access to it.
d. To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law,
only legally mandated entities (such as a governmental regulatory agency having oversight of Client’s
operations), the Client or its mandated auditor may conduct an onsite visit of the facilities used to
provide the Service, during normal business hours and only in a manner that causes minimal
disruption to BalinesseSpa’s business, subject to coordinating the timing of such visit and in accordance
with any audit procedures described in the DPA Exhibit in order to reduce any risk to BalinesseSpa’s other
customers.
5.2 Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1. Any further
assistance will be provided in accordance with Section 10.2.

6. Return or Deletion of Client Personal Data
6.1 Upon termination or expiration of the Agreement BalinesseSpa will either delete or return Client Personal
Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable
law.

7. Subprocessors
7.1 Client authorizes BalinesseSpa to engage subcontractors to Process Client Personal Data (Subprocessors).
A list of the current Subprocessors is set out in the respective DPA Exhibit. BalinesseSpa will notify Client in
advance of any changes to Subprocessors as set out in the respective DPA Exhibit. Within 30 days after
BalinesseSpa’s notification of the intended change, Client can object to the addition of a Subprocessor on the
basis that such addition would cause Client to violate applicable legal requirements. Client’s objection
shall be in writing and include Client’s specific reasons for its objection and options to mitigate, if any. If
Client does not object within such period the respective Subprocessor may be commissioned to Process
Client Personal Data. BalinesseSpa shall impose substantially similar data protection obligations as set out in
this DPA on any approved Subprocessor prior to the Subprocessor Processing any Client Personal
Data.
7.2 If Client legitimately objects to the addition of a Subprocessor and BalinesseSpa cannot reasonably
accommodate Client’s objection, BalinesseSpa will notify Client. Client may terminate the affected Services by
providing BalinesseSpa with a written notice within one month of BalinesseSpa’s notice. BalinesseSpa will refund a
prorated portion of any pre-paid charges for the period after such termination date.

8. Transborder Data Processing
8.1 By agreeing to this DPA, Client is entering into the EU Standard Contractual Clauses as referred to in
the respective DPA Exhibit, with the Subprocessors established outside either the European Economic
Area or countries considered by the European Commission to have adequate protection (Data
Importers). Data Importers that are BalinesseSpa companies are “BalinesseSpa Data Importers”.
8.2 If Client notifies BalinesseSpa about another Controller and BalinesseSpa does not object within 30 days after
Client’s notification, Client agrees on behalf of such other Controller(s), or if unable to agree, will procure
agreement of such Controller(s), to be additional data exporter(s) of the EU Standard Contractual
Clauses concluded between BalinesseSpa Data Importers and Client. BalinesseSpa has procured that the
BalinesseSpa Data Importers accept the agreement of such other Controllers. Client agrees and, if
applicable, procures the agreement of other Controllers that the EU Standard Contractual Clauses,
including any claims arising from them, are subject to the terms set forth in the Agreement, including the
exclusions and limitations of liability. In case of conflict, the EU Standard Contractual Clauses shall
prevail.
8.3 If BalinesseSpa engages a new Subprocessor in accordance with Section 7 that is a BalinesseSpa Data
Importer, BalinesseSpa will procure such new BalinesseSpa Data Importer’s agreement with the EU Standard
Contractual Clauses and Client on its behalf and/or on behalf of other Controllers, if applicable, agrees
in advance to such BalinesseSpa Data Importer being an additional data importer under the EU Standard
Contractual Clauses. If Client is unable to agree for a Controller, Client will procure the agreement of
such Controller. If the new Data Importer is not a BalinesseSpa company (Third Party Data Importer), at
BalinesseSpa’s discretion, (i) Client shall either enter into separate EU Standard Contractual Clauses as
provided by BalinesseSpa or (ii) a BalinesseSpa Data Importer shall enter into a written agreement with such
Third Party Data Importer which imposes the same obligations on the Third Party Data Importer as are
imposed on the BalinesseSpa Data Importer under the EU Standard Contractual Clauses.

9. Personal Data Breach
9.1 BalinesseSpa will notify Client without undue delay after becoming aware of a Personal Data Breach with
respect to the Services. BalinesseSpa will promptly investigate the Personal Data Breach if it occurred on
BalinesseSpa infrastructure or in another area BalinesseSpa is responsible for and will assist Client as set out in
Section 10.

10. Assistance
10.1 BalinesseSpa will assist Client by technical and organizational measures, insofar as possible, for the
fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance
with Client’s obligations relating to the security of Processing, the notification of a Personal Data Breach
and the Data Protection Impact Assessment, taking into account the information available to BalinesseSpa.
10.2 Client will make a written request for any assistance referred to in this DPA. BalinesseSpa will charge Client
no more than a reasonable charge to perform such assistance or Additional Instructions, such charges
to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change
control provision of the Agreement.

Custom Services DPA Agreement
This Agreement modifies the BalinesseSpa Data Processing Agreement (DPA) at http://BalinesseSpa.ro/gdpr for the
Services. The following changes to the DPA do not apply to those parts of the Service that are generally
available standard BalinesseSpa Services.
Section 2 of the DPA (Technical and organizational measures) shall be amended by adding the
following new paragraph:
2.3 If compliance with the applicable Data Protection Laws requires changes to the TOMs or to the manner
in which BalinesseSpa implements these TOMs, such changes will be provided in accordance with Section
10.2.
Section 5 of the DPA (Audit) shall be replaced in its entirety with the following sections:
5.1 BalinesseSpa shall allow for and contribute to audits, including inspections, conducted by the Client or
another auditor mandated by the Client of BalinesseSpa companies Processing Client Personal Data to
demonstrate compliance with BalinesseSpa’s obligations set out in this DPA and the Data Protection Laws
applicable to BalinesseSpa in the performance of the Services. In fulfillment of BalinesseSpa’s audit obligations,
BalinesseSpa may provide proof of the adherence to an approved code of conduct or an approved
certification mechanism, or otherwise provide information to the Client. BalinesseSpa will provide Client with
access to the Client Personal Data and to the extent necessary BalinesseSpa will provide Client with access
to its business premises involved in the Processing of Personal Data so that the Client may reasonably
assure itself of BalinesseSpa’s compliance during BalinesseSpa’s normal business hours after prior notification
and without disruption to BalinesseSpa’s operational processes. If Client mandates another auditor, such
auditor shall not be a direct competitor of BalinesseSpa with regard to the Services and shall be bound to an
obligation of confidentiality. The Client will document the results of such inspections after prior
consultation with BalinesseSpa.
5.2 Each party will bear its own costs, except for inspections at BalinesseSpa’s business premises. Any further
assistance will be provided as set out in Section 10.2.
Section 7 of the DPA (Subprocessor) shall be replaced in its entirety with the following sections:
7.1 BalinesseSpa will engage subcontractors to Process Client Personal Data (Subprocessors) and Client
hereby approves these Subprocessors listed in the DPA Exhibit. The engagement of new
Subprocessors requires Client’s prior written approval. Therefore, BalinesseSpa will notify Client in advance
of any intended changes to Subprocessors as set out in the DPA Exhibit. Client generally approves the
engagement of Subprocessors that are BalinesseSpa companies. Client shall only object to new Subprocessors
that are BalinesseSpa companies if such addition would cause Client to violate applicable legal requirements.
With regard to other intended new Subprocessors, Client shall either approve or object to them within 30
days after BalinesseSpa’s notification of an intended change. Client shall not unreasonably object to any
intended change. Any objection shall be within 30 days after BalinesseSpa’s notification of the intended
change, in writing and shall include Client’s specific reasons for its objection and options to mitigate, if
any. If Client neither approves nor objects within such period the respective Subprocessor will be
deemed as approved. BalinesseSpa shall impose substantially similar data protection obligations as set out
in the DPA on any approved Subprocessor prior to the Subprocessor Processing any Client Personal
Data.
7.2 If Client legitimately objects to the addition of a Subprocessor, Client and BalinesseSpa shall cooperate to
find a technically feasible solution to address Client’s objection by an alternative solution. In case no
alternative solution can be agreed between the Parties, Client may terminate the affected (part of the)
Service by providing BalinesseSpa with a written notice within one month the parties cannot agree. BalinesseSpa
will refund a prorated portion of any prepaid charges for the period after such termination date.
Section 8 of the DPA (Transborder Data Processing) shall be replaced in its entirety with the
following sections:
8.1 In case a Subprocessor is established outside either the European Economic Area (EEA) or countries
considered by the European Commission to have adequate protection (Data Importer) BalinesseSpa and the
Client shall cooperate to ensure an adequate level of data protection before transferring Client Personal
Data to such Data Importer.

8.2 If a Data Importer is a BalinesseSpa company (BalinesseSpa Data Importer), Client on its own behalf and/or on
behalf of all other Controllers, if applicable, shall enter into EU Standard Contractual Clauses, optional
clause removed, with such BalinesseSpa Data Importers. If Client is unable to agree for a Controller, Client
will procure the agreement of such Controller for becoming an additional data exporter of such EU
Standard Contractual Clauses. BalinesseSpa has procured that the BalinesseSpa Data Importer accept the
agreement of such other Controllers. Client agrees and, if applicable, procures the agreement of other
Controllers that the EU Standard Contractual Clauses, including any claims arising from them, are
subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In
case of conflict, the EU Standard Contractual Clauses shall prevail. The same applies if any
new Controller is notified to BalinesseSpa during the provision of Services.
8.3 If a Data Importer is not a BalinesseSpa company (Third Party Data Importer), at BalinesseSpa’s discretion, (i)
the Third Party Data Importer shall become an additional Data Importer of the EU Standard Contractual
Clauses set out in Section 8.2 and Client on its behalf and/or on behalf of other Controllers, if applicable,
agrees to such additional Data Importer or (ii) Client on its own behalf and/or on behalf of all other
Controllers, if applicable, shall enter into separate EU Standard Contractual Clauses, optional Clause
removed, as provided by BalinesseSpa or (iii) BalinesseSpa or a BalinesseSpa Data Importer shall enter into a written
agreement with such Third Party Data Importer which imposes the same obligations on the
Subprocessor as are imposed on the Data Importer under the EU Standard Contractual Clauses. If
Client is unable to agree for a Controller, Client will procure the agreement of such Controller.

Data Processing Agreement Exhibit
This Data Processing Agreement Exhibit (DPA Exhibit) specifies the DPA for the identified Service.
1. Processing
BalinesseSpa will process Client Personal Data for the Service, as described in the Agreement and as
supplemented and specified by this DPA Exhibit.
1.1 Processing Activities
The processing activities with regard to Client Personal Data are:
• Copies
• Deletes
• Reads
• Receives
• Sends
• Shares
• Stores
2. Client Personal Data
2.1 Categories of Data Subjects
Personal Data related to physical access control to the Client infrastructure in DC, including:
• Client’s employees (including temporary or casual workers, volunteers, assignees, trainees, retirees,
pre-hires and applicants)
• Client’s affiliates’ employees (including temporary or casual workers, volunteers, assignees, trainees,
retirees, pre-hires and applicants)
• Client’s (potential) customers (if those (potential) customers are individuals)
• Employees of Client’s (potential) customers
• Client’s business partners (if those business partners are individuals)
• Employees of Client’s business partners
• Client’s visitors
• Client’s suppliers and subcontractors (if those suppliers and subcontractors are individuals)
• Employees of Client’s suppliers and subcontractors
• Client’s agents, consultants and other professional experts (contractors)
The list set out above is information about the Categories of Data Subjects whose Personal Data generally
can be processed within the Service.
Given the nature of the Services, Client acknowledges that BalinesseSpa is not able to verify or maintain the
above list of Categories of Data Subjects. Therefore, Client will notify BalinesseSpa about any required changes
of the list above by using BalinesseSpa data center email address. BalinesseSpa will process Personal Data of all
Data Subjects listed above in accordance with the Agreement. If changes to the list of Categories of Data
Subjects require changes of the agreed Processing, Client shall provide Additional Instructions to BalinesseSpa
as set out in the DPA.
2.2 Types of Personal Data and Special Categories of Personal Data
2.2.1 Types of Personal Data
The following list sets out what Types of Client Personal Data generally can be processed within the Service:
• Identity of the Individual
• Identification Number
• Person Name
• Technology Identifiers
• Telephony
• Location of the Individual
• Appointments, Schedules, Calendar Entries

2.2.2 Special Categories of Personal Data
none
2.2.3 General
The lists set out in sections 2.2.1 and 2.2.2 above are information about the Types of Client Personal Data
and Special Categories of Client Personal Data that are processed within the Service.
Given the nature of the Services, Client acknowledges that BalinesseSpa is not able to verify or maintain the
above lists of Types of Client Personal Data and Special Categories of Client Personal Data. Therefore,
Client will notify BalinesseSpa about any required changes of the lists above by using BalinesseSpa data center email
address. BalinesseSpa will process all Types of Client Personal Data and Special Categories of Client Personal
Data listed above in accordance with the Agreement. If changes to the lists of Types of Client Personal Data
and Special Categories of Client Personal Data require changes of the agreed Processing, Client shall
provide Additional Instructions to BalinesseSpa as set out in the DPA.
Client is responsible to provide BalinesseSpa with, and keep updated, a list of Types of Personal Data and
Special Categories of Personal Data that BalinesseSpa can have access to during the Service.
Given the nature of the Services, Client acknowledges that BalinesseSpa is not able to review data provided by
Client to determine if it contains Types of Personal Data or Special Categories of Personal Data outside the
list Client provided to BalinesseSpa. However, if BalinesseSpa becomes aware of any such Types of Personal Data or
Special Categories of Personal Data in the data provided by Client, Client instructs BalinesseSpa to delete or
return the Types of Personal Data, at Client’s request.
In the absence of other instructions from Client, BalinesseSpa will assume that during the Services it can have
access, even incidentally, to all types of data provided by Client, which data may include all Types of
Personal Data and Special Categories of Personal Data. BalinesseSpa has put in place its own technical and
organizational measures to safeguard all Client Types of Personal Data, as set out below.
3. Technical and Organizational Measures
The technical and organizational measures (TOMs), including each party’s area of responsibility, applicable
to the Service are the following:
Incident response:
[Controls Description] – Maintain an information technology incident investigation and response capability
sufficient to comply with applicable laws, including with regard to notification of data
breaches
[Responsible Party] – Balinesse Impex SRL
[Addressed by] – The control is addressed by Balinesse Impex SRL internal security policy and incident
reporting procedure
[Control explanation] – The GDPR mandates disclosure of data breach within 72 hours of detection.
BalinesseSpa is obligated under GDPR to report breaches to our controller clients
“without undue delay”. In order to meet the time frame, the client needs to have a
capability to quickly investigate suspected breaches to determine whether a disclosure may
be required.
[Threat statement] – Failure to maintain incident investigation and response capability may cause
inability to meet the obligation to report breaches in the proper time frame
Client confirms its obligation to implement appropriate TOMs within its own area of responsibility as set out
above or as required by applicable Data Protection Laws.
4. Deletion and return of Client Personal Data
BalinesseSpa will delete Client Personal Data at the end of the Service. However, if instructed by Client in
writing prior to the termination or expiration, BalinesseSpa will return a copy of Client Personal Data that is
accessible to BalinesseSpa within a reasonable period and in a reasonable format.

5. Subprocessors
BalinesseSpa may use the following Subprocessor(s) in the Processing of Client Personal Data:
Third Party Subprocessors located in the European Economic Area or countries considered by the European
Commission to have adequate protection
BalinesseSpa will notify Client of any intended changes to Subprocessors by submitting a “Request for Contract
Change”.
6. Data Privacy Officer and Other Controllers
Client is responsible for providing complete, accurate and up-to-date information about its data privacy
officer and each other Controller (including their data privacy officer) by using BalinesseSpa data center email
address – office@balinessespa.ro.
7. BalinesseSpa Privacy Contact
The BalinesseSpa privacy contact can be contacted at office@balinessespa.ro.

Balinesse Spa

Intrarea Bitolia 27, București 011675
0733 126 423
office@balinessespa.ro