This policy applies to all contractors and subcontractors/collaborators of Coera BC SRL, a company registered with the Cluj Trade Registry under no. J12/3471/2013, with registered offices in (400325) Cluj-Napoca, str. Giuseppe Garibaldi nr. 18, Romania (hereinafter referred as “Coera”), whenever Coera acts as a Data Controller in relation to data processing and within the scope of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and the further applicable legal framework regarding data processing. Coera and its contractors and/or subcontrators/collaborators are hereinafter collectively referred as the „Parties”.
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Policy shall have the following
1.1.2 "Company Personal Data" means any Personally identifiable Information (PII) processed by a Contracted Processor on behalf of Coera pursuant to or in connection with the Principal Agreement;
1.1.3 "Contracted Processor" means a Subprocessor/Collaborator;
1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679 and any Regulation that completes or superseeds the former
1.1.8 "Data Transfer" means:
22.214.171.124 a transfer of Company Personal Data from Coera to a Contracted Processor; or
126.96.36.199 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 "Services" means the services Coera provides.
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of Coera in connection with the Policy.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Coera’s documented instructions.
2.2 Coera instructs Processor to process Company Personal Data.
3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor
of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access
is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly
necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that
individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality
undertakings or professional or statutory obligations of confidentiality.
3.2 The Processor will provide a copy of this Policy to all his employees, including its workers, representatives, agents, contractors and subcontractors (collectively, “Personnel”) and will ensure that any of its Personnel understands, accepts and complies with this Policy. The Processor is also obliged to provide (within the corresponding agreements with its Personnel) means for Coera to act and obtain relief directly against the Personnel within the scope of this Policy.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of
natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and
organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the
measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
4.3 Within the scope of this Policy, the Processor shall take appropriate technical and organisational measures to encrypt and pseudonymise personal data which is to be transferred to its Personnel or third parties. The Processor shall also ensure regularly testing and assessing the effectiveness of the measures, as well as that its Personnel is instructed and abides to the said encryption and pseudonymised protocols.
4.4 All costs related to these measures which are due by Coera are included within the costs of the services/goods provided to Coera by the Processor. Any other expenses shall be incurred by the Processor, including costs which shall be incurred by its Personnel to comply with the scope of this Policy.
5.1 Taking into account the nature of the Processing, Processor shall assist Coera by implementing appropriate
technical and organisational measures, insofar as this is possible, for the fulfilment of Coera’s obligations,
as reasonably understood by Coera, to respond to requests to exercise Data Subject rights under the Data Protection
5.2 Processor shall:
5.2.1 promptly notify Coera if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
5.2.2 ensure that it does not respond to that request except on the documented instructions of Coera or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Coera of that legal requirement before the Processor or the Contracted Processor responds to the request.
6.1 Processor shall notify Coera without undue delay upon Processor becoming aware of a Personal Data Breach
affecting Company Personal Data, providing Coera with sufficient information to allow Coera to meet any obligations
to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
6.2 Processor shall co-operate with Coera and take reasonable commercial steps as are directed by Coera to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
6.3 In particular, the Processor will restore access to personal data and take first measures to ensure the mitigation of the incident as soon as possible, without waiting for any instruction from Coera. The Processor shall also notify the relevant authorities if this falls within his duties in accordance with the GDPR regulation, or to assist Coera in notifying the event to the relevant authorities if this shall fall within the duties of Coera in accordance to the Applicable Laws.
7.1 Processor will comply with the terms of this Policy and any of the further Data Protection Policies
implemented by Coera. Processor acknowledges that any material breach of this Policy or of the further Data
Protection Policies would cause Coera irreparable harm. Accordingly, Coera is entitled to receive substantial
damages for any such breach without having to prove the fraudulent use of data and rights assigned to Coera.
Such damages will amount at least for the amounts incurred by Coera in order to mitigate the breach, i.e. damages
due to third parties, fines and taxes related to such payments, and the Proccesor hereby relinquishes any right
to dispute that the prejudice is any lower than these costs.
7.2. An updated copy of this policy is available at the following link: Data Protection Policy. While Coera is doing constant effort to inform its partners about such changes, the Processor shall verify (ans ensure that its Personnel also verifies) changes to this policy on regular basis and implement them readily without further notification from Coera.
8.1 These provisions do not apply whereas the applicable law requires the Processor or Coera to act differently.
In particular, the provisions regarding the deletion of the personal data do not apply where the applicable law
requests for data to be stored by the Processor a certain time after the termination of the Principal Agreement
or after the instruction for deletion is issued by Coera.
8.2 However, in case of this Policy is contradicted by other data protection agreements entered into by the Processor, its Personnel or the Contracted Processor (as is the case of combining data controlled by Coera with that controlled by third parties), this policy shall take precedence over any other policies or agreements concluded with third parties. In this respect, such third parties will be assymilated to the Processor’s Personnel, subject to the same obligations as indicated above.
9.1. Processor shall provide reasonable assistance to Coera with any data protection impact assessments, and
prior consultations with Supervising Authorities or other competent data privacy authorities, which Coera reasonably
considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law,
in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the
Processing and information available, to the Contracted Processors.
9.2 Processor hereby releases and will defend, hold harmless, and indemnify Coera, and/or its subsidiaries, affiliates, directors, officers, employees, agents, successors and assigns, from and against any allegation or claim based on, or any loss, damage, settlement, cost, expense and any other liability (including but not limited to reasonable legal fees incurred and/or those necessary to successfully establish the right to indemnification) (collectively, "Claims"), arising from any act or omission by Processor and/or its Personnel and/or the Contracted Procesor, including without limitation any breach of this Policy or allegation or claim of negligence, liability or misconduct.
9.3 In all relations with public authorities or private bodies in connection with this Policy, the Processor/its Personnel/the Contracted Processor will not consent to the entry of a judgment which might indirectly affect Coera or settle without Coera’s prior written consent, to the extent this can be reasonably withheld. Processor and/or its Personnel and/or the Contracted Processor will use counsel reasonably satisfactory to Coera, and Coera reserves the right to cooperate in the defence.
10.1 Subject to this section 10 Processor shall promptly and in any event within 10 business days of the date of
cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure
the deletion of all copies of those Company Personal Data.
10.2 Processor shall provide written certification to Coera that it has fully complied with this section 10 within 10 business days of the Cessation Date.
11.1 Subject to this section 11, Processor shall make available to Coera on request all information necessary
to demonstrate compliance with this Policy, and shall allow for and contribute to audits, including inspections,
by Coera or an auditor mandated by Coera in relation to the Processing of the Company Personal Data by the
11.2 Information and audit rights of the Coera only arise under section 11.1 to the extent that the Policy does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11.3 Each Party shall hold records of data collected and processed pursuant to provisions of GDPR. Coera may upon reasonable notice and during normal business hours examine and make copies of all books and records held by the Data Processor or by the Contracted Process subject to this policy.
11.4 At the sole instruction of Coera, the Processor shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
11.5. The Processor shall notify the relevant authorities whenever this falls within its duties in accordance with the GDPR Regulation. The Processor shall also readily inform Coera whenever it asserts that an obligation to notify the authorities within the scope of thi Policy shall fall within the duties of Coera.
12.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the
European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under
this Policy is transferred from a country within the European Economic Area to a country outside the European
Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the
Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of
12.2 Data procesed in the United Kingdom and its dependencies will be considered data transferred outside of the EU, irrespective of the date when such transfer started and irrespective of the applicability of the General Data Protection Regulation (EU 2016/679) within the United Kingdom.
13.1 Confidentiality. Each Party must keep information it receives about the other Party and its business
in connection with this Policy (“Confidential Information”) confidential and must not use or disclose that
Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
13.2 Notices. All notices and communications given under this Policy must be in writing and will be delivered personally, sent by post or sent by email to the addresses set out in this Policy or at another address, as notified from time to time by the Parties changing address.
13.3 For any inquires or reports concerning this policy or related policies at Coera please refer to the following contact address details:
14.1 This Policy is governed by the laws of Romania.
14.2 All disputes arising out of or in connection with the present Policy shall be finally settled under the Rules of Arbitration of Arbitration Court of the Cluj Chamber of Commerce and Industry. The arbitral award is final and binding.
Last updated: 10 May 2021