Agreement on the processing of personal data (DPA)

This agreement binds the CLIENT and the company of the THE COCKTAIL group with which the CLIENT has signed the proposal or commercial offer, and is an addendum to said proposal. Its aim is to regulate the rights and obligations that apply to both Parties in terms of regulatory compliance with data protection as of May 25, 2018, the date of application of the GENERAL DATA PROTECTION REGULATION ("GDPR").

 

Purpose of the processing order

The services provided by THE COCKTAIL to the CLIENT will be those indicated in the commercial proposal and/or service contract accepted by the CLIENT.

With respect to the CLIENT, THE COCKTAIL acts as the Processor of the personal data to which it will have access on behalf of the CLIENT, who acts as the Controller of the data.

 

Identification of the information processed

THE COCKTAIL will access personal data relating to a series of groups of people for whom the CLIENT is the Controller. These groups will be identified in a document relating to the record of processing activities carried out by THE COCKTAIL for the CLIENT.

 

Duration

The obligations established in this document have the same duration as the service provided to the CLIENT as established in the commercial proposal.

 

Destination of the data after the end of the contract

When this contract ends, THE COCKTAIL must return to the CLIENT the personal data that have been processed for the provision of the service or, at the CLIENT's request, transmit them to a third party designated by the CLIENT. Likewise, THE COCKTAIL must delete any copy of the CLIENT's data that remains on its servers, systems and information storage devices (digital or paper). However, THE COCKTAIL may keep the data blocked for as long as liabilities may arise from the execution of the service.

 

Obligations of THE COCKTAIL

THE COCKTAIL undertakes that all its employees process personal data for the provision of the service in accordance with the following obligations:

1. To use the personal data processed, or those which may be collected and included, only for the purpose of the assignment. Accordingly, the data which may be known, obtained or accessed under the provisions of this contract may not be used for any purpose other than its execution; they shall be treated as “confidential” and shall not be published or shared with third parties without the prior written authorization of the Controller, except in the specific cases provided by law.

2. To process the data according to the instructions of the Controller. This commitment extends to International Data Transfers to a third state or international organization.

3. To keep a record of the processing activities carried out on behalf of the Controller. The record will contain:

- Name and contact data of the Processor or Processors and the Controller on whose behalf the Processor is carrying out the processing of the data.

- The categories of data processed on behalf of each Controller.

- In case International Data Transfers to a third state or international organization are being carried out, the identification of the third state or international organization and the documentation which certifies the appropriate safeguards.

- A general description of the appropriate technical and organizational security measures being applied, concerning, among others:

        - The pseudonymization and encryption of personal data.

        - The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

        - The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.

        - A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

4. Not to communicate personal data to third parties unless it has the specific authorization of the Controller, in the legally admissible cases. If the Processor wishes to subcontract any service that involves personal data processing, the Processor must inform the Controller and request its prior authorization by email, indicating who the new Processors will be and the purpose of the services the Processor wishes to contract.

In addition, the Processor shall require its subcontracted Processors to comply with the same obligations and security requirements as set forth in this clause and as required for the kind of service provided to the Controller. For this purpose, the Processor must enter into a contract with the subcontracted Processors.

5. To maintain professional secrecy regarding the personal data to which the Processor has access under this contract, both during the contract and after its termination, whatever the cause of termination may be.

6. To ensure that the persons authorized to process personal data commit themselves, expressly and in writing, to respect their professional secrecy and confidentiality regarding personal data processing, and to comply with the corresponding security measures, of which they shall be accordingly informed.

7. To keep the documentation proving the compliance with the obligation established in the previous clause available for the Controller.

8. To ensure the necessary training regarding personal data protection of the persons authorized to process personal data.

9. To assist the Controller, through the application of appropriate technical and organizational measures and in accordance with the nature of the personal data processed, in responding to requests by data subjects for the exercise of their rights, in particular the rights of access, rectification or erasure (“right to be forgotten”), restriction of processing, objection to processing, and objection to the processing of their data for automated decision-making, including profiling.

Likewise, in the event that data subjects exercise their rights of access, rectification, erasure, objection, restriction of processing or data portability, the Processor will either manage said rights on behalf of the Controller or notify the Controller within a maximum period of 24 hours so that the handling of the request can be coordinated jointly.

10. To keep available to the Controller all the information necessary to demonstrate compliance with its obligations, and to collaborate in the audits or inspections that the Controller or an authorized auditor may carry out.

11. To implement the necessary technical and organizational security measures to ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.

12. To assist the Controller in complying with its obligations regarding the Data Protection Impact Assessment and prior consultation set out in articles 35 and 36 of the General Data Protection Regulation.

 

Obligations of the CLIENT

It is the CLIENT's responsibility to comply with the following obligations, so as to ensure that the processing of personal data carried out by the Processor complies with the legislation in force:

- To facilitate the right to be informed and, where applicable, to obtain consent at the time of personal data collection. The Processor shall provide the Controller with the necessary technical means for this when the Processor's service also involves the configuration of said means.

- To keep available to the Processor the personal data that may be necessary to provide the service.

- To ensure, beforehand and throughout the processing, the Processor's compliance with the data protection regulation, including, but not limited to:

     - Informing the Processor of the retention periods for personal data that have been communicated to the data subjects, particularly where said periods end during the provision of the service.

     - Informing the Processor of the cases in which it must handle the exercise of data subjects' rights.

- To supervise the processing.

 

Notification of data security breaches

The Cocktail will notify the Client, through the email address indicated for such purposes, of any personal data breaches that concern the Client. This notification must include all information relevant to the documentation and communication of the incident.

The information referred to above shall at least:

1. Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.

2. Communicate the name and contact details of the Processor to obtain further information.

3. Describe the likely consequences of the personal data breach.

4. Describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

At the prior, express and written request of the Controller, the Processor will notify the data subjects of those personal data breaches that are likely to result in a high risk to the rights and freedoms of natural persons.

The communication to the data subject shall be made in clear and plain language and shall describe the elements that the Controller stipulates in each case and, at least:

1. The nature of the personal data breach.

2. The name and contact details of the Processor or the Controller where further information can be obtained.

3. The likely consequences of the personal data breach.

4. The measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

Data Protection Officer

The CLIENT can contact the Data Protection Officer at the following email address: dpo@the-cocktail.com.

 

Jurisdiction and applicable law

The jurisdiction and applicable law established in the contract for the provision of services signed between the parties shall apply or, failing that, the Courts and Tribunals of Madrid and Spanish legislation.

 

Security measures by default and by design for all our customers

The Cocktail Group counts among its highest priorities guaranteeing regulatory compliance and the security of the data we process in order to provide our services, for which we have developed, and continuously maintain, a GDPR Compliance program.

 

Participants and roles involved in the processing activities carried out by The Cocktail Group

 

Service: Systems Administration
- Roles and responsibilities: Hosting of outsourced applications with cloud infrastructure providers offering security guarantees; administration of the systems hosted in those infrastructures.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor. Infrastructure providers are sub-processors.

Service: Consulting
- Roles and responsibilities: Strategy and design projects in which we analyze our clients' information, with guarantees of confidentiality for all the data accesses we make.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

Service: Ecommerce
- Roles and responsibilities: Definition, design and construction of digital products focused on the sale of products.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

Service: Lead Capture
- Roles and responsibilities: Definition, design and construction of digital products focused on capturing emails.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

Service: Programmatic & advanced analytics
- Roles and responsibilities: Definition and construction of customer profiling models and monetization of advertising on sites.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

Service: Salesforce
- Roles and responsibilities:
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

Service: Market research
- Roles and responsibilities: Market studies based on qualitative and quantitative market analysis.
- Position vis-à-vis the data subject (data controller or data processor): The Cocktail is configured as the Processor.

 

Consent or other legitimizing bases for the processing of data

Based on the table in point 1 above, the consent or any other legitimizing basis that justifies the processing of the data subjects' data must be obtained by the CLIENT of The Cocktail Group, under its own terms and conditions, as the Controller of said data. The CLIENT must provide the corresponding privacy policies to The Cocktail Group so that the latter can implement them in the developments, where applicable.
The technological developments carried out by The Cocktail in building its products make it possible to collect, validate and store consent on behalf of the client, in order to generate evidence of the data subject's express consent.

 

Exercise of rights by data subjects

In order to guarantee these rights to the data subjects whose data are processed using The Cocktail technologies, our developments incorporate implementations and processes that allow them to be exercised. The key requirements of these processes are:
- To guarantee that consent can be revoked through simple technical means.
- To guarantee the data retention periods that The Cocktail's clients have committed to with their own clients and/or end users who are the data subjects.

 

Transfer of data outside the European Economic Area

The Cocktail processes and stores data of European citizens in the European Union. Any transfer that may be made outside the European Economic Area will be carried out exclusively by means of the corresponding guarantees that will imply, in any case, the signing of the appropriate agreements or Standard Contractual Clauses (SCC) with those third parties to whom data may be transferred.

 

Security measures by default on the information systems from which data is processed on behalf of the client

 

Vendors that facilitate systems infrastructure

The Cocktail contracts the services of Amazon Web Services, Google Cloud and Azure for the deployment of the systems infrastructures built for our customers, whose data are stored within the EEA. These providers are recognized for their guarantees in the implementation of security measures and have updated their own contracts through Data Processing Amendments and/or SCCs to comply with the GDPR.
Likewise, The Cocktail contracts the services of Google Workspace, and that data is also located within the EEA.

Communications security measures

All communications with The Cocktail platforms are made over HTTPS to maintain data privacy at all times.

Data

The data hosted in The Cocktail systems, which run on Google Cloud, is encrypted at rest by default. More information can be found at this link.

Logical access controls

Authentication is performed through verification of credentials at different levels, with a single credential per user.
The systems are designed to detect unauthorized access.

Backups

Backups are made following a daily backup policy, with procedures that ensure data can be restored.

Confidentiality on the part of workers

All The Cocktail staff accept a code of conduct based on the company's policies, in which they undertake to maintain standards of ethics, confidentiality and professional behavior, as well as appropriate handling of personal data.
