6.1. Mystery Review is entitled to use and include the personal data of client which are required for its administration and management purposes in the internal registration system of Mystery Review.
6.2. On the basis of the GDPR and applicable laws and regulations and within the context of the processing of personal data, parties recognize and distinguish the following roles (including the associated responsibilities): the Client is the controller, Mystery Review is considered the processor, and a third party contracted by Mystery Review that processes the personal data will be considered a sub-processor.
6.3. Mystery Review will in the context of the execution of an Agreement process personal data on behalf of and in accordance with the instructions of client. Therefore, Mystery Review is not allowed to process personal data for its own purposes and/or provide it to third parties. Mystery Review will insofar as possible follow the directions of client regarding the processing of personal data of client.
6.4. Client warrants that the contents, the agreed upon use and the assignment to process personal data are not unlawful and will not infringe any right of third parties. Client shall in particular ensure that by the use of services special categories of personal data will not be processed. Client indemnifies and holds Mystery Review harmless for all claims related hereto.
6.5. Client takes appropriate technical and organizational measures in accordance with GDPR to protect personal data against loss or against any form of unlawful processing. These measures ensure, taking into account the current state of the technology and the cost of implementation, a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
6.6. Mystery Review takes appropriate technical and organizational measures to secure the personal data against any illegal processing. These measures warrant, taking the current state of technology and the costs of implementing those measures into account, an adequate level of protection, considering the risks of processing, and the nature of, the personal data. The measures are also aimed at preventing unnecessary processing of personal data.
6.7. Client is for the duration of this agreement allowed to audit the aforementioned measures, which audit can be executed by Client or an independent third party. Mystery Review hereby warrants to cooperate with such an audit, provided that: (i) the costs for the audit itself are borne by Client; (ii) the costs and/or time of Mystery Review regarding the cooperation (including time of staff), are borne by Client; (iii) the audit is not executed more than once a calendar year; (iv) there is a valid reason for the audit, such as loss of data; and (v) the scope of the audit is provided by client and the audit is limited to the aforementioned scope. Points (iii), (iv) and (v) do not apply in case the audit is due to investigation of a supervisory authority. Mystery Review cannot guarantee that an audit can take place by a subcontractor of Mystery Review which processes personal data.
6.8. Mystery Review is allowed to use a sub-contractor in the process of rendering its services. Upon first request of client Mystery Review will provide a list of sub-processors. Mystery Review may at its own discretion and judgment change and/or extend the list. In case Mystery Review expands or changes the list with new sub-processors, client will be notified at least two (2) weeks prior to using the intended sub-contractor and given the opportunity to object to the proposed new sub-processors.
6.9. In case Mystery Review suspects or knows that personal data of client is compromised, due to a data or security breach, Mystery Review notifies Client without delay. In response to this notification client assesses independently whether it should notify data subjects and/or supervisory authorities. Client is and remains responsible for any legal obligation to notify. However, Mystery Review is willing to support client to fulfill its obligations under the applicable laws and regulations regarding the processing of personal data.
6.10. In case a data subject invokes his or her rights under the General Data Protection Regulation, Mystery Review will forward the request to client. Client will follow up the request of the data subject. Mystery Review will inform the data subject about the forwarding and will await further instructions of client.
6.11. After the expiry of the duration of the agreement / order or the stated processing period of the personal data or termination of the agreement / assignment Mystery Review will give client the opportunity to obtain the personal data before deleting the personal data.
6.12. The foregoing paragraphs of this article are deemed to be a basic data processing agreement in accordance with the GDPR.