GDPR - Data Processing Agreement (DPA)

Personal Data Processor Contract between Globe Id Ltd and the controller relating to the use of the PASSPORTSCAN platform.

Personal Data Processor Contract

On the one hand, the Customer, who acts as the controller (hereinafter,“Data Controller“or the „Controller“).

And, on the other hand, GLOBEID Ltd, as processor, with identification number 559612, and address at the Black Church, St Mary’s Place, Dublin, 7 (hereinafter referred to as „the Processor“ or „Processor“).

Hereinafter, both parties jointly as „the Parties“ or individually as „the Part“ are recognized sufficient capacity to carry out the procurement of this contract of processor (hereinafter, „Contract of Processor“) and for this purpose.


  1. That both Parties have entered into a contract for the use of the SaaS PassportScan owned by the Data Processor.
  2. That the Client is responsible for the processing of the data identified in the Fourth Stipulation, all in accordance with the provisions of Regulation (EU) 2016/679, of April 27 (hereinafter,“RGPD„),and in L.O. 3/2018, of December 5, on data protection and guarantee of digital rights (LOPDGDD).If, as a result of the execution of the contracted services, the Processor has access to and performs any type of processing of the personal data for which he is responsible, he will do so in his capacity as Data Processor, in accordance with the provisions of Article 28 of the RGPD.
  3. That, in compliance with the provisions of the RGPD, and in the rest of the applicable regulations on data protection, the MANAGER offers sufficient guarantees to implement appropriate technical and organizational policies to apply the security measures established by current regulations and protect the rights of the interested parties.
  4. Both parties agree to enter into this Data Processor Agreement, subject to the following,


  1. ObjectThrough these clauses, the Data Processor is enabled to process, on behalf of the Data Controller, the personal data necessary to provide the service that allows access to and use of the PASSPORTSCAN platform, in addition to ensuring the technical maintenance of the same, all based on the conditions agreed between the parties.
    The Manager will always act in accordance with the instructions of the Responsible, which are described in this DPA.
    The authorized processing operations will be those strictly necessary to achieve the purpose of the service, and may be:
    – consultation
    – conservation
    – limitation
    – Removal under client settings and guidelines
  2. DurationThis Data Processor Agreement shall enter into force at the time of its acceptance and shall have the same duration as the services contracted with the Processor.
  3. Purpose of the Treatment.
    The Data Processor undertakes that the data processing carried out is limited to what is necessary to carry out the provision of the regulated services between the parties, either by signing an express and written contract, or by accepting terms and conditions that in each case may be established by the Responsible.
  4. Typology of data processed.
    Categories of stakeholders:
    – Account details of the Data Controller. The employees and individuals of the Data Controller authorized by him to access the account.
    -Content of the Data Controller. Customers and end users of the Data Controller.
    -Data of use of the Data Controller. Customers and end users of the Data Controller.
    -Removal under client settings and guidelinesType of data processed:
    – Identification and contact data.
    – Professional data.
    – Application usage data.
    – Economic and banking data (if any)
    – Image data (if any)The Data Processor is not responsible for the information that the client enters or stores, being his sole responsibility both the type of data he enters, in particular data of special categories, where appropriate, and the treatment he makes of them.
  5. Prohibition of communication of personal data.
    The Data Processor undertakes to keep under his control and custody the personal data provided by the Data Controller to which he accesses in connection with the provision of the Services and not to disclose, transfer, or otherwise communicate them, not even for conservation to other persons outside the same and to the provision of the Service.However, the Data Processor will not incur liability when, upon express written indication of the Data Controller, he communicates the data to a third party designated by the Latter, to whom he has entrusted the provision of a service in accordance with the provisions of current regulations on data protection.Access by the Data Processor to personal data will not be considered communication or transfer of data, when such access is necessary for the correct provision of the Services.
  6. Subcontracting of the Services.
    The Responsible party agrees that the Processor may contract with sub-processors (hereinafter referred to as „Sub-Processors“ or „Sub-Processors“) to fulfil their obligations under this Agreement.The Responsible party provides general consent for the Processor to commit to the Sub-Chargers, in accordance with the following requirements:
    1. All Sub-uploader must ensure compliance with data protection regulations.2.The Manager will restrict the access of the Sub-processor to the Personal Data of the Responsible strictly necessary for the provision of its services.

    The Responsible accepts that the Manager may hire additional Sub-Uploaders to process the data within the services provided and for the permitted purposes, and will maintain an updated list of its Sub-Chargers, although in these cases, the Responsible will be informed of such changes so that, where appropriate, it can oppose them. In case of opposition, the Manager will decide whether to contract with said Sub-charger or not. In case of deciding to contract with the Sub-Charge with opposition of the Responsible, it will be automatically incurred due to termination of the Contract between the parties.

    When the Processor has recourse to a Sub-Processor, both shall respect the conditions set out in Article 28(2) and (4) of the GDPR. Specifically, the Manager undertakes that the Sub-chargers respect the same data protection obligations as those indicated in this contract.
    The Manager will make available to the Responsible a list of the sub-charges of treatment that will always be updated. Currently, the hosting and storage services of the PassportScan platform are outsourced to the company Amazon Web Services ( )

  7. International data transfers.
    The Data Processor does not plan to make international transfers of the data under the responsibility of the Data Controller outside the European Economic Area, necessary for the provision of the contracted services. The hosting of information contracted with AWS is defined regionally, so customers in the EU zone have their data stored in the EU and so it is in other regions. In the case of transfers outside the EEA, these will be carried out in accordance with articles 44 to 49 of the GDPR.
  8.  Security of personal data.
    The Data Processor ensures the application of appropriate technical and organisational measures so that the processing complies with the legal requirements, in accordance with the provisions of Article 32 of the GDPR.In the event that the Manager requests the Responsible, by the means indicated in the Sixteenth Clause, an explanatory document of such measures, he will be provided with a Security Document that collects the main information in this matter, the security measures applied and the procedures implemented or in place at the time of the request.
  9. Collaboration in the notification of security violations.
    9.1. Notification of security breaches
    In the event of a breach of security in the systems of the Data Processor, which may affect the data responsibility of the Data Controller, the Data Processor, within a maximum period of 48 hours, always after having become aware of the personal data breach, undertakes to notify the Data Controller through the email address designated by the Controller. , together with all the relevant information for the documentation and communication of the incident.9.2. Assistance to the Responsible
    The Manager will make available to the Responsible the information required by the Responsible to demonstrate compliance with the obligations indicated in Article 28 of the RGPD. It will also allow audits, including inspections, to be carried out by the Controller or another auditor authorised by the Controller. The Processor is not adhering to any Code of Conduct approved under Article 40 of the GDP
  10. Rights of access, rectification, deletion, limitation, opposition and portability of the data.
    In the case of exercise of rights by third-party clients or workers of the Data Controller, the Person in Charge will immediately transfer to the Responsible and, at the latest, 7 working days, so that he attends and gives, where appropriate, a due response.
  11. Confidentiality.
    The duty of secrecy and confidentiality that derives from this Contract obliges the Data Processor during the term of the relationship maintained with the Data Controller.The Data Processor ensures that his or her dependent persons, who are authorised to process personal data under the responsibility of the Data Controller, will assume a commitment to confidentiality and that they will be subject to appropriate legal confidentiality obligations, even after the termination of the Contract.The Data Processor undertakes to allow access to such data only to those employees who must know them for the correct execution of their functions within the framework of the provision of Services.
  12. Period of conservation and return of information.
    The Manager will provide the possibility to obtain a copy or delete the data through your system. This is the way in which the Responsible may exercise its right of access, portability and deletion of data. The Responsible party agrees to be solely responsible for obtaining a copy of your data and for deleting it after the end of the deletion period indicated below. Once the contract ends, the Manager1.You will provide the Responsible during the 30 days after the expiration date of the contract, the possibility of obtaining a copy of your data through your system.2.It will automatically delete the data of the person in charge within 30 days after the termination of the contract.

    3.It will automatically delete the data of the person in charge in the backup systems within 60 days after the termination of the contract.

    Any data controller content archived in the Processor’s backup systems shall be securely and protected from any further processing, except as required by applicable law.

    Without prejudice to the foregoing, the Data Processor may retain the information of the Data Controller or any part thereof if required to do so by applicable law. Thus, the Data Processor will process the data of the Account of the Data Controller for as long as necessary to provide the services to the Data Controller. Data from the Data Controller’s account stored in the administration system(s) must be kept at a minimum for a period of six years after the termination of the relationship for accounting, tax and auditing purposes, in accordance with and in accordance with applicable law. The data of the Account of the Data Controller stored in communications with the customer service teams of the Data Processor may be retained up to three years after the termination of the Contract.
    In any case, the data kept for the reasons indicated, once the contractual relationship between the parties has ended, will remain blocked at all times.

  13. Responsibilities of the parties.
    THE PERSON IN CHARGE OF THE TREATMENT will be liable for the infractions that may be incurred in the case of processing the personal data of the Responsible for another purpose other than that contained in this contract, as well as when it does not adopt the corresponding security measures.THE DATA CONTROLLER will be liable for any infractions, penalties and/or fines that may be imposed on him for non-compliance with his obligations arising from the regulations on Data Protection.
  14.  Data protection.
    Each of the Parties is informed that their personal data will be processed by the other party, in accordance with the provisions of General Regulation 2016/679, on data protection in order to allow the development, compliance and control of the provision of services, the basis of the treatment being compliance with the contractual relationship. The data will be kept for the duration of the contract and subsequently, by legal obligation, until the obligations and / or responsibilities derived from it expire. The data of the parties may be transferred to banks, insurers and public administrations, in the cases provided for in the Law and for the purposes defined therein. The parties may request access to personal data, its rectification, its deletion, its portability and the limitation of its treatment, as well as oppose it, at the address of the other party that appears in the heading of this Contract.
  15.  Legislation and applicable jurisdiction.
    The Responsible and the Data Processor claim to know and accept the terms of use and / or written agreements reached between the parties.
    This Data Processor Contract will be governed by European regulations on the Protection of Personal Data, as well as the resolutions and guidelines of the Control Authority and other competent bodies in the matter.
    To resolve any discrepancy with respect to the interpretation and /or execution of the provisions of this Treatment Manager Contract, the Parties submit to the jurisdiction of the Courts and Tribunals of Valencia Capital, expressly waiving any other legislation or jurisdiction that may correspond to t
  16. Notifications.
    The parties undertake to communicate, preferably and habitually, by e-mail to the following addresses:
    – The Manager:
    – The Responsible: the email of the main administrator of the contracted product or that of habitual use between the parties.
  17.  Acceptance.
    The Parties agree that they may make use of the simple electronic signature to sign this Contract of Processor and consequently accept and recognize that the use of the simple electronic signature will have the same validity as the handwritten signature on paper for the perfection of the same.