DATA PROCESSING AGREEMENT (DPA)

Effective Date: June 23, 2025
Last Updated: June 23, 2025

1. INTRODUCTION AND SCOPE

This Data Processing Agreement (“DPA”) forms part of the service agreement between MICRO DIGITAL ELECTRONICS CORP S.R.L. (“Processor,” “we,” “us,” or “our”) and the contracting party (“Controller,” “you,” or “your”) for the provision of information services related to the VENDOR energy project through https://vendor.energy.

This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)
  • Law No. 190/2018 implementing GDPR in Romania
  • Romanian Law No. 506/2004 on personal data processing
  • Other applicable data protection laws

2. PROCESSOR INFORMATION

Legal Entity:
MICRO DIGITAL ELECTRONICS CORP S.R.L.
Registration Number: 50047468
Address: Splaiul Unirii nr. 16, office 705, Bucharest, Sector 4, Romania
EUID: ROONRC.J2024009262405

Data Protection Contact:
Vitaly Peretyachenko
Email: vp@vendor.energy
Address: Splaiul Unirii nr. 16, office 705, Bucharest, Sector 4, Romania

3. DEFINITIONS

For the purposes of this DPA:

3.1 GDPR Definitions

  • “Controller” means the natural or legal person that determines the purposes and means of processing personal data
  • “Processor” means the natural or legal person that processes personal data on behalf of the Controller
  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on personal data
  • “Data Subject” means the identified or identifiable natural person
  • “Supervisory Authority” means the independent public authority responsible for monitoring GDPR compliance

3.2 Service-Specific Definitions

  • “Service Agreement” means the main agreement for information services
  • “Authorized Personnel” means employees and contractors authorized to access personal data
  • “Security Incident” means any breach of security leading to destruction, loss, alteration, or unauthorized disclosure of personal data

4. SUBJECT MATTER AND DURATION

4.1 Subject Matter

The subject matter of this DPA is the processing of personal data necessary for:

  • Managing business communications and inquiries
  • Providing project information and updates
  • Facilitating investor relations and communications
  • Maintaining contact databases and communication preferences
  • Processing newsletter subscriptions and marketing communications

4.2 Duration

This DPA remains in effect for the duration of the Service Agreement and continues until all personal data has been deleted or returned to the Controller as specified herein.

4.3 Nature and Purpose of Processing

Processing is limited to activities necessary for providing information services about the VENDOR energy project and maintaining business relationships with potential investors and partners.

5. CATEGORIES OF DATA AND DATA SUBJECTS

5.1 Categories of Data Subjects

Personal data may relate to:

  • Business Contacts: Representatives of partner companies, investors, and stakeholders
  • Newsletter Subscribers: Individuals who have subscribed to project updates
  • Inquiry Contacts: Individuals who have submitted contact forms or inquiries
  • Website Visitors: Individuals accessing our website (analytics data only)

5.2 Categories of Personal Data

The Processor may process the following categories of personal data:

Contact Information:

  • Full name and title
  • Email address
  • Phone number
  • Company name and position
  • LinkedIn profile URL

Communication Data:

  • Inquiry content and messages
  • Communication preferences
  • Subscription status and preferences
  • Response and engagement data

Technical Data (Website Analytics):

  • IP address (anonymized where possible)
  • Browser and device information
  • Website usage patterns
  • Access logs and timestamps

6. PROCESSOR OBLIGATIONS

6.1 Processing Instructions

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Not process personal data for any other purpose without prior written authorization
  • Immediately inform the Controller if instructions appear to violate applicable data protection law
  • Maintain records of all processing activities as required by Article 30 GDPR

6.2 Confidentiality

The Processor ensures that:

  • All persons authorized to process personal data are bound by confidentiality obligations
  • Confidentiality obligations survive termination of employment or engagement
  • Access to personal data is limited to authorized personnel only
  • Regular training is provided on data protection requirements

6.3 Security Measures

The Processor implements appropriate technical and organizational measures including:

Technical Measures:

  • Encryption of personal data in transit and at rest
  • Regular security updates and patch management
  • Access controls and authentication systems
  • Network security and firewall protection
  • Regular security monitoring and incident detection

Organizational Measures:

  • Data protection policies and procedures
  • Regular staff training on data protection
  • Incident response procedures
  • Vendor management and due diligence
  • Regular security assessments and audits

7. SUB-PROCESSING

7.1 General Authorization

The Controller provides general authorization for the Processor to engage sub-processors, subject to the conditions set out in this section.

7.2 Current Sub-Processors

The Processor currently engages the following sub-processors:

Sub-Processor          | Service              | Location | Safeguards
Google LLC             | Analytics Services   | USA/EU   | EU-US DPF, SCCs
EU Hosting Provider    | Web Hosting          | EU       | Adequacy Decision
Email Service Provider | Email Communications | EU       | Adequacy Decision

7.3 New Sub-Processors

Before engaging new sub-processors, the Processor shall:

  • Conduct appropriate due diligence
  • Ensure adequate data protection safeguards
  • Notify the Controller with at least 30 days’ notice
  • Allow the Controller to object to the engagement

7.4 Sub-Processor Requirements

All sub-processors must:

  • Provide sufficient guarantees of technical and organizational measures
  • Be bound by written agreements with data protection obligations equivalent to this DPA
  • Allow for audits and inspections by the Processor and Controller
  • Notify the Processor immediately of any security incidents

8. DATA SUBJECT RIGHTS

8.1 Assistance with Data Subject Requests

The Processor shall assist the Controller in responding to data subject requests by:

  • Providing technical and organizational measures to enable rights exercise
  • Promptly forwarding any data subject requests received directly
  • Providing necessary information and assistance within 10 business days
  • Implementing measures to facilitate automated rights exercise where possible

8.2 Specific Rights Support

The Processor provides support for:

Right of Access (Article 15):

  • Providing copies of personal data processed
  • Confirming processing activities and purposes
  • Identifying sub-processors and data recipients

Right of Rectification (Article 16):

  • Correcting inaccurate personal data
  • Completing incomplete personal data
  • Notifying relevant sub-processors of changes

Right of Erasure (Article 17):

  • Securely deleting personal data when required
  • Ensuring deletion by sub-processors
  • Providing confirmation of deletion

Right to Restrict Processing (Article 18):

  • Implementing processing restrictions
  • Marking restricted data appropriately
  • Ensuring restrictions are observed by sub-processors

Right to Data Portability (Article 20):

  • Providing data in structured, machine-readable format
  • Facilitating direct transfer to other controllers where technically feasible

9. PERSONAL DATA BREACHES

9.1 Incident Detection and Response

The Processor shall:

  • Implement systems to detect security incidents promptly
  • Respond immediately to contain and assess any incident
  • Investigate the cause, scope, and impact of incidents
  • Document all incidents and response measures taken

9.2 Notification Requirements

Upon becoming aware of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 24 hours
  • Provide all available information about the incident
  • Cooperate fully in breach assessment and response
  • Assist with regulatory notifications if required

9.3 Breach Information

Breach notifications shall include:

  • Nature of the breach and categories of data affected
  • Number of data subjects and personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further information

9.4 Remediation

The Processor shall:

  • Take immediate measures to mitigate harm
  • Implement additional safeguards to prevent recurrence
  • Provide regular updates on remediation progress
  • Bear costs of remediation unless caused by Controller’s actions

10. DATA TRANSFERS

10.1 Permitted Transfers

Personal data may be transferred to:

  • EU/EEA Countries: Adequacy decisions apply
  • Third Countries with Adequacy Decisions: As determined by European Commission
  • Third Countries with Appropriate Safeguards: Using SCCs, BCRs, or certification schemes

10.2 Transfer Safeguards

For transfers to third countries without adequacy decisions:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms
  • Transfer Impact Assessments: Evaluation of local laws and practices
  • Additional Safeguards: Technical measures for data protection
  • Regular Reviews: Ongoing assessment of transfer conditions

10.3 Restricted Transfers

The Processor shall not transfer personal data to:

  • Countries without adequate protection or safeguards
  • Organizations that cannot provide equivalent protection
  • Jurisdictions where local laws may undermine protection

11. AUDITS AND COMPLIANCE

11.1 Audit Rights

The Controller has the right to:

  • Conduct audits of Processor’s data protection compliance
  • Inspect relevant documentation and systems
  • Interview authorized personnel about data protection practices
  • Engage qualified third-party auditors

11.2 Audit Procedures

Audits shall be conducted:

  • With reasonable advance notice (minimum 30 days)
  • During normal business hours
  • Without disrupting normal business operations
  • Under appropriate confidentiality arrangements

11.3 Audit Costs

  • Controller bears costs of audits conducted annually
  • Additional audits may be at Processor’s expense if non-compliance is found
  • Emergency audits following security incidents are at Processor’s expense

11.4 Compliance Monitoring

The Processor maintains:

  • Regular self-assessment of compliance
  • Documentation of all data protection measures
  • Records of staff training and awareness programs
  • Evidence of technical and organizational measures

12. DATA RETENTION AND DELETION

12.1 Retention Periods

Personal data shall be retained only for the period necessary to fulfill the purposes for which it was collected:

  • Contact Data: 3 years from last interaction or until deletion requested
  • Newsletter Subscriptions: Until unsubscribed or deletion requested
  • Investor Communications: 7 years for legal compliance
  • Website Analytics: 26 months (Google Analytics default)

12.2 Secure Deletion

Upon expiry of retention periods or upon Controller’s instruction, the Processor shall:

  • Securely delete all personal data from all systems
  • Ensure deletion by all sub-processors
  • Provide written confirmation of deletion
  • Maintain records of deletion for compliance purposes

12.3 Legal Holds

Deletion may be suspended if:

  • Legal proceedings are pending or anticipated
  • Regulatory investigations are ongoing
  • Mandatory legal retention periods apply
  • Controller provides specific written instructions

13. RETURN OF DATA

13.1 Data Return Procedures

Upon termination of the Service Agreement or upon request, the Processor shall:

  • Return all personal data to the Controller in a structured, commonly used format
  • Delete all copies from Processor systems and sub-processor systems
  • Provide certification of deletion within 30 days
  • Maintain backup copies only if required by law

13.2 Data Format

Returned data will be provided in:

  • Machine-readable format (CSV, JSON, XML)
  • Encrypted format for security
  • Organized structure for easy import
  • Complete documentation of data fields and formats

14. LIABILITY AND INDEMNIFICATION

14.1 Processor Liability

The Processor shall be liable for damage caused by processing only where:

  • It has not complied with GDPR obligations specifically directed to processors
  • It has acted outside or contrary to lawful instructions from the Controller

14.2 Limitation of Liability

Processor’s total liability under this DPA shall not exceed the total fees paid under the Service Agreement in the 12 months preceding the claim.

14.3 Indemnification

The Processor shall indemnify the Controller against:

  • Regulatory fines resulting from Processor’s non-compliance
  • Third-party claims arising from Processor’s breach of this DPA
  • Costs of mandatory data breach notifications caused by Processor

14.4 Insurance

The Processor maintains appropriate professional liability and cyber insurance coverage to support its obligations under this DPA.

15. TERMINATION

15.1 Termination Events

This DPA terminates:

  • Upon expiry or termination of the Service Agreement
  • Upon completion of all data return and deletion obligations
  • By mutual written agreement of the parties
  • Upon material breach that is not cured within 30 days

15.2 Survival

The following provisions survive termination:

  • Data return and deletion obligations
  • Confidentiality requirements
  • Liability and indemnification provisions
  • Audit rights for ongoing compliance verification

16. GOVERNING LAW AND DISPUTES

16.1 Governing Law

This DPA is governed by Romanian law and EU regulations, including the GDPR.

16.2 Dispute Resolution

Disputes shall be resolved through:

  • Primary Jurisdiction: Competent courts of Bucharest, Romania
  • Alternative Dispute Resolution: Mediation through recognized ADR bodies
  • Emergency Relief: Either party may seek injunctive relief for data protection violations

16.3 Regulatory Cooperation

Both parties agree to cooperate fully with:

  • Supervisory authorities in their investigations
  • Data subject complaint procedures
  • Regulatory enforcement actions

17. AMENDMENTS AND UPDATES

17.1 Amendment Procedures

This DPA may be amended:

  • By mutual written agreement of the parties
  • To comply with changes in applicable law
  • To reflect changes in processing activities or technology

17.2 Regulatory Updates

The Processor will notify the Controller of:

  • Changes in data protection legislation
  • New guidance from supervisory authorities
  • Industry best practice developments

18. CONTACT INFORMATION

For DPA-related matters:

Data Protection Officer:
Vitaly Peretyachenko
MICRO DIGITAL ELECTRONICS CORP S.R.L.
Email: vp@vendor.energy
Address: Splaiul Unirii nr. 16, office 705, Bucharest, Sector 4, Romania

General Contact:
Email: info@vendor.energy

Romanian Supervisory Authority:
ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal)
Website: anspdcp.ro
Email: anspdcp@dataprotection.ro


This Data Processing Agreement is effective from the date first set forth above and shall remain in effect in accordance with its terms.

By engaging our services, the Controller acknowledges and agrees to the terms of this DPA.


MICRO DIGITAL ELECTRONICS CORP S.R.L.
Data Processor
Date: June 23, 2025

_____________________
Controller Signature
Company: ________________
Name: ________________
Title: ________________
Date: ________________