Data Processing Agreement (DPA)

1. Definitions

• "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR. In the context of this DPA, it refers to the "Seller Data" provided by the Controller.
• "Processing" means any operation or set of operations which is performed on Personal Data.
• "Data Subject" means the identified or identifiable natural person to whom Personal Data relates (i.e., your sellers).

2. Roles and Responsibilities

Processor (getdac7.eu): We will process Personal Data only on behalf of the Controller and in accordance with the Controller's documented instructions.

Controller (You, the Customer): You are the Data Controller. You have the sole responsibility for the accuracy, quality, and legality of the Personal Data and the means by which you acquired it. You warrant that you have all necessary rights to provide the Personal Data to us for processing.

3. Details of Data Processing

• Subject Matter: The processing of seller data for the purpose of DAC7 compliance.
• Duration: For the term of the Customer's subscription to the Service, and as required for legal retention.
• Nature and Purpose: To collect, validate, store, and structure Personal Data to generate compliant DAC7 XML reports and seller notifications, as directed by the Controller through their use of the Service.
• Types of Personal Data: As specified in our Privacy Policy under "Customer Data," including but not limited to names, addresses, dates of birth, Tax Identification Numbers (TINs), and financial summaries.
• Categories of Data Subjects: The sellers, both individuals and entities, operating on the Controller's platform.

4. Obligations of the Processor

We, as the Processor, hereby commit to:

• Process data only on your instructions.
• Ensure confidentiality: All our personnel authorized to process Personal Data are committed to confidentiality.
• Implement robust security measures: We will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in our Privacy Policy and security documentation.
• Sub-processors: We will not engage any third-party sub-processors without your prior specific or general written authorization. If we do, we will ensure that the sub-processor is bound by data protection obligations equivalent to those in this DPA.
• Data Subject Rights: We will assist you, to the extent possible, in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under GDPR.
• Data Breach Notification: We will notify you without undue delay after becoming aware of a Personal Data breach.
• Data Deletion: Upon termination of the Service, we will delete or return all Personal Data to you as requested, unless required by Union or Member State law to retain it.

5. Data Transfers

All Personal Data processed under this DPA will be stored and processed exclusively within the European Union (EU). There will be no transfers of Personal Data to any third country or international organization.

6. Audits

Upon reasonable request, we shall make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.

7. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in our Terms of Service.