CBAMOS DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) establishes the terms for the processing of personal data between CBAMOS and customers.
1. Definitions
- Data Controller: The customer who determines the purposes and means of processing personal data
- Data Processor: CBAMOS processing personal data on behalf of the data controller
- Sub-Processor: Third parties used by CBAMOS for data processing activities
2. Processing Details
2.1 Processing Purpose
CBAMOS processes data only for purposes specified in the service agreement:
- CBAM compliance reporting
- Emission calculation and monitoring
- Verification process management
2.2 Data Categories
- Company information
- Employee contact information
- Production and emission data
2.3 Data Subjects
- Customer employees
- Supplier representatives
3. Processor Obligations
CBAMOS assumes the following obligations:
3.1 Processing Restrictions
- Data will only be processed according to documented instructions
- No unauthorized processing
3.2 Confidentiality
- Personnel accessing data are under confidentiality obligation
- Access is restricted on need-to-know basis
3.3 Security Measures
- Encryption (in transit and at rest)
- Access control
- Incident management procedures
- Proper backup
3.4 Sub-Processors
- Sub-processors undergo appropriate vetting
- Customers can access sub-processor list
- New sub-processors notified 30 days in advance
4. Data Subject Rights
CBAMOS, to process data subject requests:
- Notifies Data Controller within 10 business days
- Provides support for request fulfillment
- Offers necessary technical assistance
5. Data Breach Management
In case of data breach, CBAMOS:
- Informs Data Controller within 72 hours
- Reports breach details
- Assists with remediation
- Provides required documentation
6. Audit Rights
Data Controller has the following rights:
- Request compliance audits
- Review security documentation
- Submit questions and receive reports
7. Data Deletion
At contract termination, CBAMOS:
- Deletes all data upon request
- Provides deletion certificate
- May retain data only for legal requirements
8. International Transfers
For data transfers outside EEA:
- Standard Contractual Clauses apply
- Appropriate supplementary measures taken
- Transfer impact assessment conducted
9. Contact
For DPA questions: [email protected]