Data Protection

DATA PROCESSING AGREEMENT

I. Introduction

This Data Processing Agreement (“Agreement”) is concluded by and between: (i) “COMPANY NAME” (“Customer” or “Controller”) and (ii) Interactio UAB, or one of its subsidiaries or affiliates (“Interactio” or “Processor”) acting on its own behalf and as agent for each of its subsidiaries or affiliates.

Customer and Interactio acknowledge and agree that Customer is a Controller and Interactio is a Processor of Personal Data provided to Interactio by the Customer as it is defined in the EU General Data Protection Regulation 2016/679, except when Customer acts as a Processor of Personal Data, in which case Interactio is a Subprocessor.

Customer and Interactio acknowledge and agree that Customer may request Interactio to perform data Processing services with respect to the Personal Data of data subject(s). Regardless of whether the Data Subject is in the European Union or not, such Personal Data will be subject to Data Protection Laws requiring Customer and Interactio each to treat Personal Data securely, confidentially and in accordance with the principles of the GDPR.

Accordingly, in consideration of the mutual obligations set out herein, Customer and Interactio hereby agree as follows.

II. Definitions

In this Agreement the following terms shall have the meanings set out below:

  • "Applicable Laws" means (a) European Union or EU Member State laws with respect to any Personal Data that is subject to EU Data Protection Laws; and (b) any other applicable laws with respect to any Personal Data;
  • "Personal Data" means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  • "EU" means the European Union;
  • "EEA" means the European Economic Area;
  • "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  • "GDPR" means EU General Data Protection Regulation 2016/679;
  • "Services" means the services and other activities to be supplied to or carried out by Interactio for Customer;
  • "Sub processor" means any person (including Interactio), appointed by or on behalf of Interactio to Process Personal Data on behalf of Customer.

III. Authority

Customer warrants and represents that, before Interactio processes any Personal Data on behalf of Customer, Customer and Interactio have entered into this Agreement, and Customer authorizes Interactio to Process Personal Data.

IV. Processing of Personal Data

Interactio shall:

  • Comply with all applicable Data Protection Laws in the Processing of Personal Data; and
  • Not Process Personal Data other than on the Customer's instructions unless Processing is required by Applicable Laws to which the relevant Interactio is subject, in which case Interactio shall, to the extent permitted by Applicable Laws, inform the Customer of that legal requirement before the relevant Processing of that Personal Data.

Customer shall:

  • Instruct Interactio to process Personal Data; and
  • Warrant and represent that Customer is and will at all relevant times remain duly and effectively authorized to give the instruction and that Customer is compliant with all legal obligations set by the GDPR and other Applicable Laws that apply to data controllers.

Annex 1 to this Agreement sets out certain information regarding the Processors' Processing of Personal Data as required by article 28(3) and 28(4) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Interactio may make reasonable amendments to Annex 1 by written notice to the Customer from time to time as Interactio reasonably considers necessary to meet those requirements.  

V. International transfers of personal data

Interactio shall take reasonable steps to restrict access to Personal Data from any third person as strictly necessary for the purposes of the Agreement and to comply with Applicable Laws. Interactio acknowledges that Interactio and persons authorized to Process the Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

VI. Security

Interactio shall, in relation to the Personal Data, implement appropriate technical and physical measures to ensure a level of security appropriate to security risks, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Interactio may, from time to time, update or modify security measures.

In assessing the appropriate level of security, Interactio shall take account in particular of the risks that are presented by the Processing of Customer Personal Data.

The customer acknowledges and agrees that:

  • Customer is solely responsible for its use of the Services, including:
      • making appropriate use of the Services and adding additional security measures to ensure a level of security appropriate to the risk in respect of the Personal Data; and
      • securing the account authentication credentials, systems and devices Customer uses to access the Services.
  • Customer is solely responsible for reviewing and evaluating whether the Services will meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Laws.
  • Customer acknowledges and agrees that (taking into account state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing of Customer’s Personal Data as well as the risks to individuals) security measures implemented and maintained by Interactio provide a level of security appropriate to the risk in respect of the Personal Data that will be Processed.

VII. Data Subject Rights

During the applicable term of the Agreement, if Interactio receives any request from a data subject in relation to Personal Data, Customer acknowledges and agrees that it will be responsible for responding to any such request.

Interactio shall promptly notify Customer if Interactio receives a request from a Data Subject under any Data Protection Law in respect of the Data Subject’s Personal Data.

Taking into account the nature of the Processing, Interactio shall assist Customer by implementing appropriate technical and organizational measures for the fulfilment of the Customer’s obligations to respond to requests to exercise Data Subject rights (Access; Rectification; Restricted Processing; Portability) under the Data Protection Laws.

VIII. Personal Data Breach

Interactio shall notify Customer without undue delay upon Interactio becoming aware of a Personal Data Breach affecting Personal Data received from Customer, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform other Controllers, Data Subjects and/or relevant authorities of the Personal Data Breach under the Data Protection Laws.

Interactio shall cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.


IX. Data Protection Impact Assessment and Prior Consultation

Interactio shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Interactio by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Interactio.

X. Deletion or return of Personal Data

After the end of the provision of services relating to Processing, Customer instructs Interactio to delete all Personal Data received from Customer (including existing copies) from Interactio’s systems in accordance with Applicable Laws. Interactio will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days.

At the choice of the return of all the Personal Data to Customer after the end of the provision of services relating to Processing, Customer acknowledges and agrees that Customer will be responsible for exporting, before the applicable term expires, any Personal Data it wishes to retain afterwards. Interactio shall comply with this section unless Applicable Laws require storage.


XI. Audit rights

If GDPR applies to the Processing of Personal Data, Interactio shall make available to Customer on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, required by the Customer or another auditor mandated by the Customer.

Following a request by Customer, Interactio will contribute to audit of security measures provided by Services.

For any inquiries in full capacity regarding this Agreement or Processing of Personal Data contact our Data Protection Officer at dpo@interactio.io


XII. Changes to this Data Processing Agreement

If at any time Interactio makes a change to this Agreement, Interactio will update this document to reflect such change. Interactio will inform Customer at least 30 days (or a shorter period as may be required to comply with Applicable Laws) before the change takes effect by sending an email to Customer's contact email.

ANNEX TO DATA PROCESSING AGREEMENT

I. Details of processing personal data

This Annex 1 includes certain details of the Processing of Personal Data by Interactio as required by Article 28(3) GDPR.

The subject matter of the Processing of Customer’s Personal Data

The subject matter of the Processing of Personal Data is: proper execution of all contractual obligations, identification of users when they connect to the system, possibility to inspect any problems in real-time, identification of the user during event or user management or communication tasks, stream control, remote stream establishment, local streaming, chat, and remote broadcaster control, identification of call-in users and troubleshooting audio problems.

Duration of the Processing

The duration of the Processing is the applicable term for SERVICE AGREEMENT and the period from expiry of such until deletion of all Customer Personal Data by Interactio in accordance with the Data Processing Agreement.

The nature and purpose of the Processing of Personal Data

Interactio will process Personal Data submitted, stored, sent or received by Customer, its Affiliates, or End Users via the Services to provide the Services, related technical support to Customer, research, and analytics of Services to improve the Service quality by the Data Processing Agreement.

The types of Personal Data to be Processed

The types of Personal Data to be Processed include name, surname, audio (voice) recordings, unique ID issued by Interactio, technical information from the Data Subject device, technical information related to streaming quality, event information (time, date, topic, duration) and other data of Data Subjects that may be contained within the content that Customer submits to Interactio to Process using Services.

The categories of Data Subject to whom the Customer's Personal Data relates

The categories of Data Subject to whom the Customer Personal Data relates include, but are not limited to, employees (event organizers, participants), clients and their clients, and any other third party involved in Services.

The obligations and rights of the Data Controller

The data Controller shall have such obligations and rights as are outlined in this Annex and in the GDPR, including Articles 24-43.

Information processing description can be found in Table I at the end of this document.

II. Processing records and contacts

GDPR requires our organization to appoint a data protection officer ("DPO"):

"Interactio" UAB (Company Registration code: 303303137, Lithuania, EU), Paupio str. 50, Vilnius, Lithuania, Phone nr.: +37061806726

Email: dpo@interactio.io

III. Access to personal data

The list of Interactio units that might have access to the Controller's users' data is shown in Table II at the end of this document.

IV. Sub-processing

Customer specifically authorizes Interactio to engage the following Sub processors to Process Personal Data provided by Customer.

The list of data sub-processors is shown in Table III at the end of this document.

In the case of any addition of Sub-processor engagement Interactio will inform Customer prior in written form thereby giving Customer the opportunity to object to such changes.

Interactio will remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor. All engagements of Subprocessors will be compliant with GDPR.

V. Technical and organizational measures

Access control to Personal Data. Interactio commits that the persons entitled to use any data processing system in relation to the Personal Data are only able to access the Personal Data within the scope and to the extent covered by the respective access permission (authorization).

This shall, in particular, be accomplished by:

  • Establishing access authorizations for employees and third parties, including the respective documentation.
  • Identification of the persons having access authority.
  • Securing any and all data processing equipment and personal computers.
  • Regulations for user authorization.
  • Obligation to comply with data secrecy.
  • Differentiated access regulations (e.g. partial blocking).
  • Regulations for the organization of files.
  • Controlled destruction of Personal Data when relevant.
  • Work instructions for templates for the registration of Personal Data.
  • Checking, adjusting, and controlling systems.

Last Updated: Jun-15, 2024


TABLES

Table I. Information Processing Table

| PURPOSES OF THE PROCESSING | CATEGORIES OF DATA SUBJECTS | CATEGORIES OF PERSONAL DATA | Data storage (Suggestion) * |
|---|---|---|---|
| To provide event media (audio and video) functionality | Event participant | Media data (audio, video) | 24 hours after the event |
| To provide event media (audio and video) functionality | Event participant | Media data (audio, video) | 24 hours after the event |
| To be able to download event recordings and review or analyze them. | Event participant | Audio recordings, voice | 90 days after the event |
| To be able to inspect any problems in real-time using the RSI platform | Event participant | Technical data: PC's OS Name, OS Version, Browser name, Browser version, Browser language, Timezone, Browser window size | 24 hours after the event |
| To identify the user during the event or user management or communication tasks | Event participant | Contact data: First name, Last name, Phone number, Email, Unique ID | Until the end of the contract |
| For stream control, remote stream establishment, local streaming, chat, and remote broadcaster control | Event participant | Technical data: Session ID, RTP session ID, RTSP URL (local IP), Event ID, Topic ID, Stream ID | 24 hours after the event |
| For stream control, remote stream establishment, local streaming, chat, and remote broadcaster control | Event participant | Technical data: Session ID, RTP session ID, RTSP URL (local IP), Event ID, Topic ID, Stream ID | 24 hours after the event |
| For troubleshooting audio problems | Event participant | Technical data: Jitter, Packets received, Packets lost, Bytes received, Running time | 24 hours after the event |
| For troubleshooting audio problems | Event participant | Jitter, Packets received, Packets lost, Bytes received, Running time | 24 hours after the event |
| To provide event-related statistics | Event participant | Date, speaking time, event name, meeting summary, language distribution speaking time statistics | 90 days after the event |
| To provide polls functionality and allow to download it after the event | Event participant | Name, surname, email, date, answer | 90 days after the event |
| To keep chats and provide chat history | Event participant | Name, surname, email, date time, and information in chat | 14 days after the event |
| To provide document-sharing functionality and allow to download it after the event | Event participant | Material for interpreters, presentations | 14 days after the event |
| To provide a captioning feature | Event participant | Information said during the meeting | 14 days after the session |

Cookies

Processor: Digital Ocean

Data type: Personal data contained in communications customers send or receive remote simultaneous interpretation (RSI) platform “Interactio”

Purpose: To provide media streaming functionality in remote simultaneous interpretation (RSI) platform “Interactio”

Data location: European Union

Processor: OVH Hosting

Data type: Personal data contained in communications customers send or receive remote simultaneous interpretation (RSI) platform “Interactio”

Purpose: To provide media streaming functionality in remote simultaneous interpretation (RSI) platform “Interactio”

Data location: European Union

Processor: Salesforce

Data type: Personal data related to Commercial information, purchased services

Purpose: Provides customer relationship management functionality

Data location: European Union

Processor: Salesloft

Data type: Personal data related to Commercial information

Purpose: Provide email and data storage functionality

Data location: European Union

Processor: Hubspot

Data type: Name, email address, company name, country, title, phone number browser data, IP address

Purpose: Provides platform for marketing activities

Data location: European Union

Processor: Calendly

Data type: Name, email, organization name, phone number

Purpose: Provides meeting scheduling functionality

Data location: European Union

Processor: GOOGLE

Data type: Personal data contained in communications customers send or receive through email services

Purpose: Provides email and data storage functionality

Data location: European Union

Processor: Intercom

Data type: Personal data contained in communications customers send or receive through web chat

Purpose: Provides customer support functionality. Keep and track information received through web chat

Data location: European Union

Processor: Amazon web services

Data type: Personal data contained in communications customers send or receive remote simultaneous interpretation (RSI) platform “Interactio”

Purpose: Provides service functionality in remote simultaneous interpretation (RSI) platform “Interactio”

Data location: European Union

Processor: Directo

Data type: Financial information, such as your payment information, when you pay for our services and what services

Purpose: Provides accounting system functionality

Data location: European Union

Processor: SurveyMonkey

Data type: Company name, email address, your written responses to our questions about services

Purpose: Provides survey tools for data collection

Data location: European Union

Processor: Hotjar

Data type: User email address, name, User feedback rating and written comments

Purpose: Collects Panel end-user feedback to gather feedback to improve product experience

Data location: EU/EEA

Processor: FrontApp

Data type: Name, surname, email of clients, company name, email address, data related to your sent requests or detected incidents. History of conversation related to request, incident or problem solving

Purpose: Provides a servicedesk system to track received requests/emails, track SLA response to it. Keep email history and help analyze it

Data location: EU

Processor: DocuSign

Data type: Company name, company email, name, contact telephone, contact email

Purpose: Provides electronic signature functionality

Data location: EU

Processor: Atlassian Corporation Plc

Data type: Company name, contact name, phone number

Purpose: Provides a service desk system to track fulfillment requests

Data location: EU

Table II. Access to personal data

| Interactio unit | Types of data accessed | Purpose for the data access | Data location |
|---|---|---|---|
| Customer Success Unit | Event data, contact data | To set up an event or to help set up an event | European Union |
| Customer tech success unit | Event date, participants information, and connection to the event | To cover AV manager role at the event, to troubleshoot issues related with event performance or functionality | European Union |
| Dev/Sec/Ops Unit | Logging and monitoring data related to session participant's activities | Security and privacy incident management | European Union |

Table III. List of data sub-processors

| Processor | Types of data accessed | Purpose for the data access | Data location |
|---|---|---|---|
| Digital Ocean, LLC | Personal data contained in communications customers send or receive remote simultaneous interpretation (RSI) platform “Interactio” | To provide media streaming functionality in the remote simultaneous interpretation (RSI) platform “Interactio” | European Union |
| Amazon Web Services EMEA SARL | Personal data contained in communications customers send or receive remote simultaneous interpretation (RSI) platform “Interactio” | To provide service functionality in the remote simultaneous interpretation (RSI) platform “Interactio” | European Union |
| Microsoft Corporation | Information from the speech during the meeting | To provide speech-to-text (captioning) functionality | European Union |
| MailerSend, Inc | Name, surname, email address, event name | To provide notifications to the end-user of the Interactio SIDP system | European Union |
