• +255676477499
  • Office Number 7, Ground Floor, Renaissance Plaza, Haile Selassie Rd, Dar es Salaam, Tanzania 12106

Email Address

akshat@sistl.co.tz

Data Protection Agreement

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Data Protection Law” means all applicable laws, regulations, and other legal requirements relating to:

  1. privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications;
  2. the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.

“the Company Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the Company. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

“Services” means any of the following services provided by the Company:

  1. Company-branded product offerings made available via the website of the Company,
  2. consulting or training services provided by the Company either remotely via the Internet or in person, and
  3. any support services provided by the Company, including access to Company’s help desk;

The terms “data controller,” “data processor,” “data subject,” “personal data,” “processing” and “appropriate technical and organisational measures” shall have the meanings given to them under applicable Data Protection Law.

2. Subject Matter, Nature and Purpose of Company’s Processing of Personal Data

The subject matter, nature, and purpose of the processing of Personal Data under this DPA is the Company’s performance of the Services as further instructed in writing by the Customer in its use of the Services unless required to do so otherwise by the Data Protection Law, in which case to the extent permitted by the Data Protection Law, the Company shall inform the Customer of this legal requirement prior to carrying out the processing. The Company shall only collect or process Personal Data for the period of rendering of the Services to the extent, and in such a manner, as is necessary for the provision of the Services and in accordance with the DPA and the Data Protection Law applicable to the Company.

3. Duration

The processing of Personal Data will be carried out by the Company while the Services Account of the Customer is in existence or as needed for the performance of the obligations and rights between the Company and the Customer unless otherwise agreed upon in writing.

4. Type of Personal Data Processed

The Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • Account Information: When the Customer signs up for a Services Account, certain information such as the name and email is required. The Customer may update or correct his/her information and email preferences at any time by visiting the Services Account.
  • Additional Profile Information: The Customer may choose to provide additional information as part of its profile. Profile information helps the Customer to get more from the Services.
  • Other Information: The Customer may otherwise choose to provide the Company information when the Customer fills in a form, conducts a search, updates or adds information to its Services Account, responds to surveys, posts to community forums, participates in promotions, or uses other features of the Services platform.

5. Company Obligations

The Company agrees and/or warrants:

  1. To process the Personal Data only on behalf of the Customer and in compliance with its instructions and the DPA;
  2. That all Personal Data processed on behalf of the Customer remains the property of the Customer and/or the relevant Data subjects;
  3. That it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Customer and its obligations under the DPA;
  4. That it has implemented the technical and organizational security measures specified in Appendix 1 before processing the Personal Data transferred;
  5. That it will promptly notify the Customer about:
    1. Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited;
    2. Any accidental or unauthorized access;
    3. Any request received directly from the data subjects without responding to that request unless authorized;
  6. To deal promptly and properly with all inquiries from the Customer relating to its processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority;
  7. To appoint a data protection officer who performs duties in compliance with the Data Protection Law.

6. Customer Obligations

The Customer agrees and/or warrants:

  1. That the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law;
  2. That it has instructed and will instruct the Company to process the Personal Data transferred only on the Customer’s behalf and in accordance with the Data Protection Law and the DPA;
  3. That the Company will provide sufficient guarantees in respect of the technical and organizational security measures;
  4. That after assessment of the requirements of the Data Protection Law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. That it will ensure compliance with the security measures;
  6. To access and use the Services only for legal, authorized, and acceptable purposes. The Customer will not use (or assist others in using) the Services in ways that violate or infringe the rights of the Company, its users, or others, including privacy, publicity, intellectual property, or other proprietary rights;
  7. That it will ensure that any Personal Data provided to the Company has been collected and transferred in accordance with applicable Data Protection Law, and that the relevant data subjects have been informed of the processing and transfer of their Personal Data pursuant to this DPA and, if applicable, have given their consent;
  8. That it will respond promptly to inquiries from data subjects and will ensure that it has the necessary procedures in place to deal promptly and effectively with such inquiries;
  9. That it will respond promptly to inquiries from supervisory authorities regarding the processing of Personal Data under this DPA;
  10. That it will notify the Company of any requests or complaints from data subjects regarding the processing of their Personal Data under this DPA and will cooperate with the Company in handling such requests or complaints in accordance with the Data Protection Law;
  11. That it will ensure that its instructions to the Company regarding the processing of Personal Data comply with applicable Data Protection Law and do not require the Company to violate any applicable laws or regulations;
  12. That it will notify the Company promptly if it becomes aware of any breach of this DPA or any unauthorized or unlawful processing of Personal Data in connection with the Services.

7. Technical and Organizational Measures

The Company shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 1. Such measures include but are not limited to:

  • The prevention of unauthorized persons from gaining access to Personal Data processing systems (physical access control);
  • The prevention of Personal Data processing systems from being used without authorization (logical access control);
  • Ensuring that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access;
  • Ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport, or storage;
  • Establishing an audit trail to document whether and by whom Personal Data have been entered into, modified, or removed from systems (entry control);
  • Ensuring that Personal Data is protected against accidental destruction or loss (availability control).

The technical and organizational measures are subject to technical progress and further development. In this respect the Company may implement alternative adequate measures; however, the security level of the defined measures must never be reduced. Major changes must be documented.

8. Sub-Processors

The Customer agrees that the Company may engage Company Affiliates or third parties to process Personal Data in order to assist the Company to deliver the Services on behalf of the Customer (“Sub-processors”). The Company has entered or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor. If the Sub-processor processes the Services outside the EU/EEA, the Company shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data which the Customer authorizes the Company to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.

The current Sub-processors for the Services are set out on the website of the Company (“Sub-processor List”) and the Customer agrees and approves that the Company has engaged such Sub-processors to process Personal Data as set out in the list. The Company shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the applicable Service.

The Company shall notify the Customer thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor, during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following Company’s notification of the intended changes). Should the Company choose to retain the objected-to Sub-processor, the Company will notify the Customer at least fourteen (14) days before authorizing the Sub-processor to process Personal Data and then the Customer may immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services.

For the avoidance of doubt, where any Sub-processor fails to fulfill its obligations under any sub-processing agreement or under applicable law the Company will remain fully liable to the Customer for the fulfillment of its obligations under this DPA.

9. Audit

In order to confirm compliance with this DPA, the Customer shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit must occur during Company’s normal business hours and will be permitted only to the extent required for the Customer to assess Company’s compliance with this DPA. In connection with any such audit, the Customer will ensure that the auditor will: (a) review any information on Company’s premises; (b) observe reasonable on-site access and other restrictions reasonably imposed by the Company; (c) comply with Company’s policies and procedures, and (d) not unreasonably interfere with Company’s business activities. The Company reserves the right to restrict or suspend any audit in the event of any breach of the conditions specified in this Section 8.

In the event that the Customer, a regulator or data protection authority requires additional information or an audit related to the Services, then, the Company agrees to submit its data processing facilities, data files and documentation needed for processing Personal Data to audit by the Customer (or any third party such as inspection agents or auditors, selected by Customer) to ascertain compliance with this DPA, subject to being given notice and the auditor entering into a non-disclosure agreement directly with the Company. The Company agrees to provide reasonable cooperation to Customer in the course of such operations including providing all relevant information and access to all equipment, software, data, files, information systems, etc. used for the performance of Services, including processing of Personal Data. Such audits shall be carried out at the Customer’s cost and expense.

The audit may only be undertaken when there are specific grounds for suspecting the misuse of Personal Data, and no earlier than two weeks after the Customer has provided written notice to the Company.

The findings in respect of the performed audit will be discussed and evaluated by the parties and, where applicable, implemented accordingly as the case may be by one of the parties or jointly by both parties. The costs of the audit will be borne by the Customer.

10. Notification of A Data Breach

In the event the Company becomes aware of any breach of security that results in the accidental, unauthorized or unlawful destruction or unauthorized disclosure of or access to Personal Data, the Company shall, to the best of its ability, notify the Customer thereof with undue delay, after which the Customer shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Company will endeavour to ensure that the furnished information is complete, correct and accurate.

If required by law and/or regulation, the Company shall cooperate in notifying the relevant authorities and/or Data subjects. The Customer remains the responsible party for any statutory obligations in respect

The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding: the (suspected) cause of the leak; the (currently known and/or anticipated) consequences thereof; the (proposed) solution; the measures that have already been taken.

11. Deletion and Return of Personal Data

The parties agree that on the termination of the provision of data-processing services, the Company and its subcontractors shall, at the choice of the Customer, return all the Personal Data transferred and the copies thereof to the Customer or shall destroy all the Personal Data and certify to the Customer that it has done so, unless legislation imposed upon the Company prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Company warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred. The Company and its subcontractors warrant that upon request of the

12. Governing Law/Forum

This DPA shall be governed by and interpreted in accordance with the laws of any and all claims, disputes, or controversies arising under, out of, or in connection with this DPA, breach, termination, or validity thereof, which have not been resolved by good faith negotiations between the Company and the Customer within a period of thirty (30) calendar days after receipt of a notice from one party to the other requesting negotiations shall be resolved by final and binding arbitration in the Vilnius Court of Commercial Arbitration in accordance with its Rules of Arbitration as in force and effect on the date of the DPA. Disputes shall be settled by a single arbitrator. Arbitration proceedings shall be held in Vilnius, Lithuania. The place of arbitration shall be Vilnius, Lithuania. The language of arbitration shall be English. Relevant documents in other languages shall be translated into English if the arbitrators so direct. All expenses and costs of the arbitrators and the arbitration in connection therewith will be shared equally, except that the Company and the Customer will each bear the costs of its own prosecution and defense, including without limitation attorney’s fees and the production of witnesses and other evidence. Any award rendered in such arbitration shall be final and may be enforced by either party.

The parties agree to keep all details of the arbitration proceedings and arbitral award strictly confidential and shall not disclose to any non-party any such information, except as may be required by law or as may be necessary for the enforcement of such arbitral award.
