Personal Data Transmission Agreement

Between the signatories: 

This agreement binds the Customer (also referred to as “Controller”) and The Cocktail América, S.A.S (referred to as “Provider” or “Manager”) for the services rendered by the Provider that imply access to Customer data. 

Purpose

The purpose of this agreement is to establish the conditions that apply to the transmission of personal data in the provision of services by the Provider to the Customer. This is done in accordance with the Customer’s instructions and with the purposes and instructions the Customer indicates for the processing of personal data by the Provider in rendering the service. 

Both parties agree to be bound by the terms of this agreement and will process the data in accordance with the principles established in Statutory Law 1581 of 2012, which establishes the general provisions for personal data protection, the regulations contained in Law 1581 of 2012 and other regulations that regulate or modify it.  

Purpose of the transmission of personal data

The personal data will be processed by the Manager for the purpose set forth in the service proposal or agreement signed between both parties. Under the scope of this proposal, the Manager is authorised to process personal data on behalf of the Controller for the time necessary to undertake the service. 

Obligations of the Treatment Manager

The Treatment Manager will be obliged to: 

- Treat and keep Personal Data for and on behalf of the Controller, applying the appropriate levels of security and confidentiality in accordance with the Controller’s instructions and, in particular, complying with the Controller's Information Treatment Policy, applicable law and any additional instruction from the Controller, without the personal data being used for any purpose other than that established by the Controller.  
- Maintain absolute confidentiality over the processed personal data; said confidentiality shall include all employees and any personnel who may intervene in the processing of the Controller’s personal data, and said persons must sign a confidentiality agreement. 
- Train the personnel involved in the treatment on the security measures that must be applied to the processed data.
- Support the Controller in guaranteeing data subjects the full and effective exercise of their rights over their data. The Manager will not respond directly to the data subject unless required to do so by the law applicable to the processing, or unless the parties expressly agree that it is the Manager who must respond.
- Update and rectify the data in the Controller's database when the Controller provides specific instructions for this purpose. 
- Notify the Controller of any security incident that may put the data processed by the Manager at risk and support the Controller in any notification that must be made to the data subjects and/or the data protection authority. Said notification must be made to the Controller within a maximum period of 48 hours and it must indicate a description of the incident, the personal data affected and the security measures adopted to mitigate the incident. 
- Allow the Controller to conduct audits so that it can verify that the security measures are applied appropriately by the Manager. 
- Notify the Controller of any requirement it receives from the competent authorities that involves the disclosure of personal data in accordance with the applicable laws. The Manager will not be obliged to give notice to the Controller of such requirements when the applicable laws prevent it from doing so. 
- Respond in a timely and appropriate manner to the requests made by the Controller in relation to the Treatment of Personal Data subject to Transmission, and comply with the recommendations, instructions and orders of the Data Protection Authority in compliance with Law 1581 of 2012 on Personal Data Processing. 
- Cooperate with the Controller and send it all pertinent information that the Data Protection Authority requires of the Controller, within the terms and conditions reasonably established by the Controller. 

Obligations of the Treatment Controller

The Treatment Controller is responsible for: 

- Processing Personal Data applying the highest standards of confidentiality and in compliance with the Treatment Policy, Law 1581 of 2012, all regulations that regulate or modify it and this Agreement.
- Suitably notifying the Manager about any change in the legislation that the Controller considers may affect the processing of personal data or this agreement. 
- Timely and appropriately resolving all requests made by the Controller in relation to the Treatment of Personal Data subject to the Transmission and abiding by the recommendations, instructions and orders of the Data Protection Authority in compliance with Law 1581 of 2012. 
- Guaranteeing the Manager that all the personal data in the database subject to treatment have been obtained in a lawful manner and in accordance with current legislation.

Prohibition on passing on data to third parties and subcontracting

The passing on of personal data held by the Controller to third parties is prohibited, even for the purposes of data conservation or for making backup copies thereof.
 
It is similarly forbidden to subcontract the services to be rendered by the Manager without the express written authorisation of the Controller. 

For said authorisation to be granted, the Manager must inform the Controller, prior to subcontracting, of the services that have to be subcontracted, with whom, and the purpose of said subcontracting. 

Subcontractor processing of data shall comply with the instructions provided by the Controller in the terms provided in this agreement. 

If subcontracting is authorised, it will be the responsibility of the Manager to sign the mandatory agreements for access to personal data with the subcontracted entities or persons.

At the time of signing this agreement, the subcontracting provided for in Annex 1 in the section “Providers of system infrastructure” is authorised.  

International transmissions

The Data Controller must provide the Manager with instructions for treatment under international transmission and declare whether they correspond to, and are covered by, the purposes authorised by the data subject. 

Where prior authorisation is required for an international transmission, the Data Controller declares that it has sufficient capacity and has obtained the corresponding authorisation from the data subject. 

Security measures

By signing this agreement, the Manager undertakes to adopt the necessary technical, human and organisational measures to guarantee the security of the personal data being processed, so as to prevent their adulteration, loss, or unauthorised or fraudulent consultation, use or access. 

The security measures must address the risks to which the data are exposed, taking into account the probability that these risks materialise and the impact they may have on the data subjects. These security measures must be recorded in writing, both by the Manager and by the Controller, in security policies that apply to the processing of data. 

The Manager will periodically evaluate the effectiveness of the security measures to verify whether new security measures are necessary based on the risks to which the personal data may be exposed. 

Termination of the agreement 

This agreement will be terminated at the end of the provision of the service from which it derives. 

Once the agreement is concluded, the Manager must finish all its activities associated with the processing of personal data derived from the service. 

Furthermore, the Manager must follow the Controller’s instructions to immediately return or delete all information containing personal data that it processes on behalf of the Controller. 

Responsibility

If the Manager fails to comply with the conditions established in this agreement and transfers to third parties the data provided by the Controller for the provision of the contracted services, the Treatment Manager will be considered liable and shall personally answer for all infractions incurred. 

For its part, the Controller declares and acknowledges that it is the party obliged to comply with the applicable law and that this agreement complies with the applicable legal mandates. If the competent authority should require a review of this agreement, the Controller will hold the Manager harmless from any claim or complaint that may arise from it. 


Annex 1 - Default security measures on the information systems from which data are processed

Providers that facilitate systems infrastructure

The Provider contracts the services of Google Workspace for its systems infrastructure, with the data located within the European Economic Area.

Security measures on communications

All communications with the Provider's platforms are made over the secure HTTPS protocol to keep the data private at all times.

Logical access controls

Authentication is performed by verifying credentials at different levels, with a single credential per user. 

The systems are designed to detect unauthorised access to them.

Employee confidentiality

All the Provider's personnel accept a code of conduct based on the company's policies, in which they undertake to maintain certain levels of ethics, confidentiality and professional behaviour, as well as proper treatment of personal data.