Personal Data Processing Agreement

Preamble

By subscribing to any Verifacti plan, the client (hereinafter, “the Controller”) accepts and agrees to comply with this Personal Data Processing Agreement. By virtue thereof, BILBABIT S.L., acting as the data processor (hereinafter, “the Processor”), shall provide data processing services in accordance with the provisions of Regulation (EU) 2016/679 (GDPR) and the applicable Spanish legislation.

1. Purpose and Scope

1.1. Purpose: The purpose of this Agreement is to establish the conditions under which the Processor shall carry out the processing of personal data provided by the Controller, exclusively for the provision of services contracted through Verifacti plans.

1.2. Scope: The processing shall be carried out solely for the purposes defined in the Terms and Conditions of Use and in any individual contracts that may be entered into between the client and BILBABIT S.L., with its use for purposes other than those stated being expressly prohibited without the prior written consent of the Controller.

2. Definitions

For the purposes of this Agreement, the following terms shall mean:

3. Obligations and Responsibilities of the Controller

3.1. The Controller warrants that it has the legal basis for the processing of any personal data it provides and undertakes to duly inform the data subjects thereof.

3.2. The Controller declares that the purpose of the processing consists of:
   i) submitting invoices and other tax information to the AEAT and/or regional tax authorities;
   ii) storing such information for the period required by law.
These purposes are detailed in the Terms and Conditions of Use.

4. Obligations and Responsibilities of the Processor

4.1. Processing in Accordance with the Contracted Purposes: The Processor undertakes to process personal data solely and exclusively for the purposes set out in the Terms and Conditions of Use and in accordance with the contracted services, that is, to submit tax information to the AEAT and/or regional tax authorities, and to store the information submitted.

4.2. Data Security: The Processor shall adopt the necessary technical and organisational measures to ensure the security, confidentiality, integrity and availability of personal data, in compliance with the GDPR.

4.3. Confidentiality: The Processor undertakes that all personnel involved in the processing shall be bound, whether contractually or by law, to maintain the confidentiality of the information to which they have access during the contractual relationship and for the additional period during which BILBABIT S.L. retains the data.

4.4. Incident Notification: The Processor shall notify the Controller, within a maximum period of 48 hours, of any security incident that may affect the integrity or confidentiality of the personal data.

4.5. Assistance to the Controller: The Processor shall assist in handling requests for the exercise of data subject rights (access, rectification, erasure, restriction, portability and objection), and in complying with legal obligations related to security, notification and auditing.

5. Sub-processors

5.1. The Processor may sub-contract all or part of the data processing only with the prior written authorisation of the Controller.

5.2. In the event of sub-contracting, the Processor shall ensure that the sub-processor complies with the same obligations set out in this Agreement, and shall be jointly liable for the sub-processor’s actions.

6. Security Measures

6.1. The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss, processing or any other form of unlawful processing.

6.2. Such measures shall include, without limitation:
   - TLS encryption (HTTPS) for data transmission.
   - Access controls and robust authentication.

7. Audits and Oversight

7.1. The Controller shall have the right to audit, internally or through third parties, the Processor’s compliance with the obligations under this Agreement.

7.2. The Processor undertakes to provide the Controller with all the information and means necessary for the conduct of such audits.

8. International Transfers

8.1. In the event that personal data is transferred outside the European Economic Area, the Processor shall ensure that such transfers are carried out in compliance with the GDPR, adopting the necessary security measures or using valid transfer mechanisms (such as Standard Contractual Clauses).

9. Duration and Termination

9.1. This Agreement shall enter into force at the time the Controller subscribes to a Verifacti plan and shall remain in effect for the duration of the contractual relationship between the Controller and Verifacti.

9.2. Upon termination of the contractual relationship, the Processor shall, at the Controller’s choice, destroy all personal data, unless there is a legal obligation to retain it.

10. Data Destruction

10.1. Upon completion of the provision of services, the Processor shall securely destroy all personal data and any copies thereof.

11. Applicable Law and Jurisdiction

11.1. This Agreement shall be governed by and construed in accordance with the laws of Spain in force at the time.

11.2. For the resolution of any dispute arising from this Agreement, the parties submit to the courts and tribunals of the city of Bilbao, expressly waiving any other jurisdiction that may apply.

12. Miscellaneous

12.1. Amendments: Any amendment to this Agreement must be formalised in writing and with the express consent of both parties; any unilateral change shall be void.

12.2. Severability: If any provision of this Agreement is deemed null or unenforceable, the remaining provisions shall remain in full force and effect.

12.3. Notices: All notices relating to this Agreement shall be sent through the communication channels established in the Terms and Conditions of Use.

Acceptance and Automatic Binding

Subscribing to any Verifacti plan implies full and unconditional acceptance of this Personal Data Processing Agreement, and the Controller is bound to comply with all its clauses from the moment of subscription.