Phone
Facebook Messenger
Web Chat
Email and Ticketing
SMS
Viber Commercial
Schedule concerning
processing of personal data
to the General Terms and Conditions of Service,
offered by Price International EOOD
and available on the Omnilinx platform
This Schedule on Processing of Personal Data ("(the) Schedule") governs the processing of personal data of Omnilinx Customers in connection with and in the provision of the Omnilinx Services. This Schedule forms an integral part of the General Terms and Conditions for the use of the Services offered by Price International Ltd and available on the Omnilinx Platform ("General Terms and Conditions"). By accepting the General Terms and Conditions, the Customer represents that it has read and accepts this Schedule as part of the General Terms and Conditions.
The parties to this Schedule are Price International EOOD, UIC 131194611, with headquarters and registered address: 1784 Sofia 135, Tsarigradsko Shose blvd., floor 1 („Omnilinx“) and the person using the Services provided by Omnilinx under the General Terms and Conditions („the Customer“).
Omnilinx and the Customer are collectively referred to in this Schedule as the "Parties" and individually as the "Party".
INTRODUCTION:
(A) The Customer has appointed Omnilinx to provide services related to the right to use the Software that is developed and maintained by Omnilinx (the "Services"), pursuant to the General Terms and Conditions and Services Agreement included in Omnilinx’s subscription plan. All capitalized terms not defined herein shall have the meanings set forth in the General Terms and Conditions.
(B) This Schedule forms an integral part of the General Terms and Conditions and reflects the agreements between the Parties regarding the processing of Personal Data, including Customer Personal Data, in accordance with the requirements of the Data Protection Legislation.
(C) In the course of providing the Services to the Customer pursuant to the General Terms and Conditions, Omnilinx shall process Personal Data on behalf of the Customer.
(D) The types of Personal Data and categories of Data Subjects processed by Omnilinx when acting as a Processor under this Schedule are further specified in Annex 1 hereto.
DEFINITIONS:
1.1 The following definitions and rules of interpretation apply in this Schedule.
Data Controller", "Processor", "Data Subject", "Processing", "Processing" and "Processed" have the meanings set out in the Data Protection Legislation.
"Data Protection Legislation" means Regulation (EU) 2016/679 ("GDPR") and any national legislation; as amended or replaced from time to time or, in the absence of such laws, all legislation, regulation and mandatory guidance or binding codes of practice applicable to the Processing of Personal Data under the Agreement.
"European Commission Standard Contractual Clauses" means an agreement setting out the clauses contained in the standard agreement approved by the European Commission for the transfer of Personal Data outside the EEA pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as amended from time to time).
"Personal Data" has the meaning set out in the Data Protection Legislation and refers only to Personal Data, or any part of such Personal Data, that is:
(a) provided to Omnilinx by or on behalf of the Customer; and/or
(b) obtained by or created by Omnilinx on behalf of the Customer in the course of providing the Services,
and for which in each case the Customer is the Data Controller and Omnilinx is the Data Processor.
"Regulator" means a supervisory authority in the relevant jurisdiction with powers under the Data Protection Legislation in respect of all or any part of the Processing of Personal Data under the Annex.
"Security Breach" means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed.
"Sub-Processor" means any Processor engaged by Omnilinx that Processes Personal Data on behalf of the Data Controller.
"Technical and Organisational Measures" means the technical and organisational measures considered by the Parties in accordance with Article 32 of the GDPR.
1.2 The Clauses, the Schedule and the paragraph headings are without prejudice to the interpretation of this Schedule.
1.3 Person includes a natural person, legal entity or unincorporated body (whether or not having separate legal personality).
1.4 The Annexes are a part of this Schedule and shall have effect as if fully incorporated herein. Any reference to this Schedule includes the Annexes.
1.5 The term company shall include any company, corporation or other corporate body, wherever and however formed or constituted.
1.6 Unless the context otherwise requires, words in the singular shall include the plural and the plural shall include the singular, and reference to one grammatical gender shall include reference to the other grammatical genders.
1.7 A reference to writing or written shall include email.
1.8 In the event of any conflict or ambiguity between any of the provisions of this Annex and the provisions of the General Terms and Conditions, the provisions of this Annex shall prevail.
2. PROCESSING OF PERSONAL DATA
(a) The Parties represent and agree that with respect to the Processing of Personal Data, Customer is the Data Controller, Omnilinx is the Data Processor and that Omnilinx has the right to engage Sub-Processors in accordance with the requirements set forth in Section 4 below.
(b) If, as a result of Omnilinx’s provision of the Services, either Party considers that the relationship between the Parties is no longer consistent with the qualities of the Parties set out in clause 2.1(a) above, it shall notify the other Party and the Parties shall discuss and take such action as may be necessary to determine the qualities, roles and relationship between the Parties.
2.2 Processing of Personal Data by the Customer
(a) Customer’s instructions to Process Personal Data shall comply with the Data Protection Legislation and shall not require Omnilinx to take unlawful Processing Actions in order to comply with such instructions.
(b) Customer shall be solely responsible for the accuracy, quality and legality of the Personal Data.
(c) The Customer, as the Data Controller, shall ensure and secure during the Processing of Personal Data by the Processor the existence of a valid and documented legal basis for the Processing of the Personal Data entered into by the Customer, its employees and/or agents, and any person to whom the Customer has granted access to the Services. The legal basis for processing may be any of the grounds set out in Art. 6(1) of the GDPR.
(d) The Customer represents and warrants that all Personal Data of individuals provided to Omnilinx has been obtained from such individuals and has been provided by the Data Controller to the Processor for Processing in a manner consistent with the requirements of the Data Protection Legislation, including the GDPR, and is truthful in content.
(e) To the extent that Customer, as the Data Controller, determines all aspects of the Processing of Personal Data, the Parties agree that Omnilinx, as the Data Processor, has no control over the Personal Data other than to perform storage activities and obtain access in connection with maintenance of the Software, and therefore the Data Processor shall not be responsible for compliance with the legal requirements of the Data Protection Legislation for any other activities relating to the Personal Data, including no responsibility for the manner in which the Personal Data is collected. The Processor has no role in the decision making process of the Controller to Process Personal Data, what the processing is for and whether it is protected. Accordingly, the Processor’s responsibility in this case is limited to compliance with the General Terms and Conditions, but the Processor has no control over and no responsibility for the Personal Data that the Controller processes.
(f) The Processor shall have the right to refuse to comply with an order of the Controller if, in its opinion, such order breaches the Data Protection Legislation and the Processor shall notify the Controller in a timely manner.
(g) The Customer represents and warrants that:
(i) Omnilinx’s disclosure of Personal Data is limited to what is necessary for Omnilinx to provide the Services to Customer;
(ii) the Personal Data is accurate and current at the time it is provided to Omnilinx, and Customer will promptly notify Omnilinx of any necessary corrections, modifications, deletions or restrictions; and
(iii) possesses and maintains the lawful grounds for Processing, including that it has obtained all necessary consents and made all necessary notifications to enable Omnilinx to lawfully Process the Personal Data for the duration and purposes of providing the Services.
2.3 Processing of Personal Data by Omnilinx
(a) Omnilinx shall Process Personal Data in strict compliance with the requirements of the Data Protection Legislation only for the purposes of performing the General Terms and Conditions and providing the Services to the Customer and in accordance with the Customer’s instructions and to protect the legitimate interests of the Parties in the event of a default.
(b) Omnilinx will process Personal Data on behalf of and in accordance with Customer’s written instructions, in each case to the extent permitted by law, and if Omnilinx is unable to do so, Omnilinx shall promptly notify Customer.
(c) The Customer shall instruct Omnilinx to Process Personal Data for the purposes set out in Annex 1, which may be amended or supplemented from time to time, provided that the Customer’s instructions do not increase or modify the scope of the Services.
(d) The Customer agrees that it will reimburse Omnilinx for any costs incurred or payments made as a result of any claim by a Data Subject arising in connection with Omnilinx’s compliance with Customer’s instructions.
(e) If Omnilinx reasonably believes that the instructions provided by Customer in connection with the Processing are contrary to applicable Data Protection Law, then Omnilinx will notify Customer and may suspend the Processing of Personal Data until such time as Customer provides new written instructions to Omnilinx that do not require it to violate applicable law and Omnilinx will be entitled to:
(i) amend the Services so that they can be performed without requiring the relevant Processing and without materially affecting the overall performance of the Services; and/or
(ii) discontinue providing the relevant portion of the Services that is dependent on the Processing, and Omnilinx shall not be liable for any delay or failure to perform Services that are dependent on such Processing.
(f) Omnilinx warrants to the Customer that the persons within its entity authorized to Process Personal Data have committed to confidentiality by signing a confidentiality document or are required by law to maintain confidentiality.
(g) Omnilinx has the right to disclose Personal Data to Sub-Processors engaged as described in Section 4.
3. RIGHTS OF DATA SUBJECTS
3.1 Correction, Blocking and Erasure
(a) Omnilinx will, to the extent permitted by law, notify Customer upon receipt of a complaint or request (other than Data Subject Requests described in Section 3.2 or Regulator Inquiries described in Section 6) relating to (a) Customer’s obligations under Data Protection Legislation; or (b) the Personal Data being Processed.
(b) Omnilinx will, for the account of the Customer, comply with any commercially reasonable written instructions from the Customer to secure any actions required under section 3.1(a) within agreed timescales and to the extent Omnilinx is legally entitled to do so.
3.2 Requests from Data Subjects
(a) Omnilinx shall, to the extent permitted by law, promptly notify Customer if it receives a request from a Data Subject to access, correct, amend, restrict or erase that person’s Personal Data.
(b) Omnilinx will provide Customer with reasonable assistance and support in connection with the processing of requests from Data Subjects, within the agreed timeframes, to the extent permitted by law, and to the extent Customer does not have access to or the ability to correct, amend, restrict or delete such Personal Data. Customer shall be responsible for all costs arising from Omnilinx’s provision of such assistance.
4.1 Appointment of Sub-processor
(a) Customer represents and agrees that Omnilinx has general permission to engage third party Sub-Processors in connection with the provision of the Services. Omnilinx shall provide Customer with a current list of Sub-Processors engaged for the relevant Services, constituting Annex 2 to the Schedule (the "Sub-Processor List"). Omnilinx will notify Customer in advance of any planned change to the Sub-Processor List.
(b) Where Omnilinx engages a Sub-Processor with whom the same terms cannot reasonably be imposed or negotiated (for example, but not limited to, where the Sub-Processor is operating on fixed terms that are not subject to renegotiation), but such terms are consistent with the obligations for the Sub-Processor under Article 28 of the GDPR, such Sub-Processor’s terms:
(i) will apply to the Processing carried out by the Sub-processor;
(ii) will be deemed to represent the entire set of obligations and responsibilities of Omnilinx with respect to the relevant Processing as if Omnilinx were performing that Processing under those Sub-Processor Terms instead of the Sub-Processor; and
(iii) will be deemed by the Customer to have provided adequate safeguards and adequate protection in relation to the Processing.
4.2 Liability of Sub-Processor
(a) The Customer may (provided that it has reasonable grounds to do so) object to the engagement of a new Sub-Processor after it has received notice in accordance with section 4.1 above. The Customer will notify Omnilinx in writing, setting out the reasons for the objection, within 5 Business Days of receipt of the notice. The Customer’s failure to object in writing within the specified time period will be deemed approval to use the new Sub-Processor.
(b) In the event that Customer objects to Omnilinx’s notification in accordance with Section 4.2(a) above, Customer acknowledges and agrees that failure to use a particular Sub-Processor may result in delay in performance of the Services, inability to perform the Services and/or an increase in costs and Omnilinx shall not be liable for any delay or failure to provide the affected Services. Omnilinx will notify Customer in writing of any change in Services or costs resulting from Omnilinx not using a particular Sub-Processor to which Customer has objected.
5. SECURITY AND BREACH NOTIFICATIONS
5.1 Omnilinx takes Technical and Organizational Measures against accidental or unlawful damage, loss, alteration, unauthorized disclosure or access. The measures shall include: measures to ensure the ongoing protection of the confidentiality, integrity, availability and resilience of Omnilinx’s systems and services; assist in the timely restoration of access to Personal Data following an incident; perform regular performance audits/testing. Omnilinx may update or modify the Technical and Organizational Measures at specified intervals provided that such operations and modifications will not result in a decrease in the overall security and safety of the Services.
5.2 Omnilinx shall take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, contractors and Sub-Processors to the extent necessary to perform their jobs, including ensuring that all persons authorized to process Personal Data are bound by confidentiality obligations or have a legal obligation to maintain confidentiality.
5.3 The Customer has assessed the level of security appropriate to the Processing in the context of its obligations under the Data Protection Legislation and agrees that the Technical and Organisational Measures are consistent with the assessment.
5.4 Omnilinx shall, without undue delay, notify Customer upon becoming aware of a Security Breach and provide Customer with information regarding such breach.
5.5 The Parties agree to coordinate in good faith the development of the content of any public statements and any required notices relating to affected Data Subjects and/or the relevant Regulator(s) in connection with a Security Breach. Customer will make all notifications to Regulator(s) in accordance with its obligations under the GDPR.
5.5 Omnilinx will, at Customer’s expense and without unreasonable delay, take all reasonable steps to mitigate the effects of the Security Breach.
6.1 Omnilinx will notify Customer in a timely manner of any lawful request it receives for disclosure of Personal Data from a Regulator, law enforcement agency or other governmental authority relating to the Processing of Personal Data, the provision or receipt of the Services, or either party’s obligations under this Schedule, unless prohibited by law or by a Regulator.
6.2 Unless the Regulator requests in writing to engage Omnilinx directly, or the Parties (acting reasonably and taking into account the subject matter of the request) agree that Omnilinx, at the Customer’s expense, will process the Regulator’s request itself, then the Customer: (I) will be liable for all communications or correspondence relating to the Processing of Personal Data and the provision or receipt of the Services; (ii) will inform Omnilinx of such communications or correspondence to the extent permitted by law; and (iii) will fairly represent Omnilinx in all communications or correspondence.
7. RETURN AND ERASURE OF CUSTOMER DATA
Upon termination or expiration of the Services, or upon written request by Customer, Omnilinx (at Customer’s option) shall erase or return all Personal Data, unless necessary to retain it to comply with legal or regulatory obligations. If Customer elects erasure, Personal Data will be deleted within 30 days of termination or expiration of the Services. In other cases, Omnilinx will stop retaining any documents containing Personal Data when it determines that (a) the purpose for which such Personal Data was collected is no longer served by retaining the Personal Data; and (b) retention is no longer necessary for any business purpose or is not required by law. The parties agree that evidence of erasure of Personal Data shall be provided by Omnilinx to Customer only upon Customer’s request. The Customer acknowledges and agrees that Omnilinx shall not be liable for any loss resulting from Omnilinx’s inability to provide the Services as a result of a erasure request made by the Customer pursuant to this clause during the term of the General Terms and Conditions.
8.1 Omnilinx shall permit the Customer (or a third party appointed by the Customer as auditor) to audit Omnilinx’s compliance with this Schedule and to provide the Customer with any information required by the Customer for such audit, provided that, that the Customer gives Omnilinx reasonable notice of its intention to audit, and that the audit itself will be conducted during business hours and all reasonable steps will be taken to prevent interruption and/or disruption to the operations performed by Omnilinx. Customer will not exercise its audit rights more than once every twelve (12) calendar months unless and when required by a Regulatory Instruction.
9. PERSONAL DATA PROTECTION IMPACT ASSESSMENT
9.1 In the event that Omnilinx considers and determines that the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, it shall inform the Customer and provide reasonable cooperation to the Customer in connection with any data protection impact assessment that may be required under the Data Protection Legislation.
9.2 Notwithstanding the foregoing, Omnilinx shall, at the Customer’s expense, provide the Customer with such assistance and information as may be reasonably necessary to enable the Customer to comply with any obligation to carry out a Data Protection Impact Assessment or to consult a Regulator under the Data Protection Legislation.
10. TRANSFER OF DATA OUTSIDE THE EEA
10.1 Omnilinx will not process, store or disclose Personal Data outside the European Economic Area ("EEA") without prior written permission from the Customer. Omnilinx will be deemed to have permission to transfer Data to a Sub-Processor outside the EEA, provided that there is a European Commission decision on the adequate level of data protection or other valid legal mechanism for the transfer (including European Commission Standard Contractual Clauses), should it be necessary for the provision of the Services.
10.2 Where a transfer takes place outside the EEA, if the applicable delivery mechanism ceases to be valid, Omnilinx may, at its option:
(a) implement or procure that the Sub-Processor implements an appropriate alternative data transfer mechanism;
(b) modify the Services so that they may be performed without requiring the relevant transmission, without materially detracting from the overall performance of the Services; or
(c) discontinue providing the relevant portion of the Services that is dependent on the transmission,
and Omnilinx will not be liable for any delay or failure to provide Services dependent on such Processing, except to the extent that it is responsible for the failure to implement the Non-EEA Transmission Mechanism.
10.3 If Personal Data transferred between Customer and Omnilinx requires the application of the European Commission Standard Contractual Clauses to ensure compliance with the Data Protection Legislation, the Parties undertake to complete all necessary details in the European Commission Standard Contractual Clauses and to perform any other actions necessary for the validity of the transfer. The Customer shall authorize Omnilinx to enter into European Commission Standard Contractual Clauses with Sub-Processors on Customer’s behalf and for Customer’s account where necessary to justify an authorized transfer of or access to Personal Data outside the EEA.
11. LIABILITY AND INDEMNIFICATION
11.1 The parties agree that the provisions of this Schedule shall not be subject to any limitations and/or exclusions of liability and other terms and conditions set forth in the General Terms and Conditions and applicable to the Services.
11.2 Nothing in this Schedule shall exclude or in any way limit the liability of any Party for fraud or for death or personal injury caused by its negligence or other liability to the extent that such liability cannot be excluded or limited by law.
11.3 Subject to section 11.2, neither Party shall be liable under this Schedule for any loss of actual or anticipated income or profit, loss of contracts or for any indirect, consequential or indirect loss or damage of any kind arising out of and caused by tort (including negligence), breach of contract or otherwise, whether such loss or damage is foreseeable, foreseen or known. Omnilinx’s liability with respect to any breach of this Application shall be the direct losses incurred by the Customer, but in no event more than the total fees for the Services used actually paid by the Customer.
11.4 Subject to section 11.3. Omnilinx shall indemnify the Customer against all damages, liabilities, claims, demands, actions, penalties, fines, costs and expenses (including reasonable legal and other professional expenses) and sanctions that Customer may incur as a result of any claim, action, proceeding or proceeding by a Regulator against Customer directly arising out of Omnilinx’s breach of this Application, except:
(a) where Omnilinx has acted in accordance with the Customer’s instructions, this Schedule, the Data Protection Legislation or other applicable laws; and
(b) where the Customer or any third party acting on the Customer’s behalf has breached this Schedule or applicable Data Protection Legislation.
11.5 In the event that a Data Subject suffers damages from Personal Data unlawfully provided by the Customer, collected by the Customer without a legal basis or for other reasons at the Customer’s sole discretion for which Omnilinx’s Processing of Personal Data may be considered a violation of the Data Subject’s rights, and Omnilinx compensates the Data Subject for the damages suffered, then the Customer shall owe Omnilinx a penalty equal to the full amount paid by Omnilinx to the Data Subject.
11.6 In the event that Omnilinx is subject to a fine or other sanction by a competent governmental authority relating to unlawful Processing of Personal Data done by Omnilinx as a result of unlawful provision of Personal Data by the Customer, collected by the Customer without lawful basis or for other reasons at the Customer, then the Customer shall owe Omnilinx a penalty in the amount of the value of the entire penalty imposed and paid by Omnilinx and/or in the amount of the value of the damage suffered by Omnilinx as a result of the other penalty.
11.7 In order to claim the damages set forth in this Schedule, the party making the claim shal:
(a) notify the other party in writing of its claim, the proceeding, the proceedings or the Regulator’s action as soon as reasonably practicable;
(b) assume no liability in connection with the Regulator’s claim, suit, proceeding or action without the prior written consent of the other party;
(c) permit the other party to conduct the defense of the Regulator’s claim, suit, proceeding or action; and
(d) at the other party’s expense, reasonably assist and assist in the defense of the Regulator’s claim, action, proceeding or action.
12.1 This Schedule, together with the General Terms and Conditions to which it is an integral part, constitutes the entire agreement regarding the Processing of Personal Data between the Parties.
12.2 This Schedule and any dispute or claim arising out of or in connection with it or its subject matter or conclusion (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Republic of Bulgaria.
12.3 Each Party irrevocably agrees that the courts of the Republic of Bulgaria shall have jurisdiction to settle any dispute or claim arising out of or in connection with this Annex or its subject matter or conclusion (including non-contractual disputes or claims).
12.4 In the event of any inconsistency or conflict between the provisions of the General Terms and Conditions and the provisions of this Annex, the latter shall prevail.
ANNEX No. 1 Description of Processing of Personal Data
1. Subject matter
The provision of Services in accordance with the General Terms and Conditions and/or the Agreement entered into between Omnilinx and the Customer, including:
The right to use the Software, which is developed and maintained by Omnilinx, through an internet platform owned by Omnilinx.
2. Nature
In using the Services, the Customer shal grant Omnilinx the right to collect, record, store, organize, structure, adapt, process, use, disclose Personal Data obtained from the Customer.
3. Objectives
– Provision of services.
– Provision of communications products and services to business customers via a cloud-based communications platform, including the transmission of communications from or to Customer’s software application (API) or through Omnilinx’s web-based interface;
– Storing Customer Data on the Omnilinx platform on behalf of the Customer;
– Reporting, analysis and processing of queries, data and activities performed.
4. Categories of Data Subjects
Customers, contractors, employees of the Customer (hereinafter referred to as "End Users").
In each individual case and depending on the product/functionality used, the specific categories of Data Subjects shall be determined solely by the Customer.
5. Categories of Personal Data
In each case and depending on the product/functionality used, the exact categories of Personal Data shall be determined solely by Customer, including but not limited to:
– Customer’s communication content (text messages, voice, video and audio, documents, images) and related communication logs;
– Reports and analytics (to the extent they contain Personal Data);
– Customer databases stored on the Omnilinx Platform containing personal data of Customer End Users, including but not limited to names, contact details and any other information identified, entered into the Platform and controlled solely by Customer or collected on Customer’s behalf in the provision of the Services by Omnilinx;
– Social Media Data (End Users’ social media IDs, username, photos, video and audio, comment IDs, post IDs, content and posting times of comments/posts, social media page IDs);
– Communication and chat information (e.g., URL from which chat was initiated by End User, IP address, End User session location, browser/mobile device system information, time period).
6. Sensitive information
Omnilinx may not intentionally collect or process special categories of Personal Data unless Customer or its End Users include such types of Personal Data in the content provided to Omnilinx and/or while using the Omnilinx Services.
ANNEX No. 2 List of Sub-Processors
|
Name |
Description of the service provided |
Country |
|
Bulgarian Telecommunication Company EAD, Yettel Bulgaria EAD, A1 Bulgaria EAD, VMobile AD, NTH Media Bulgaria EOOD |
For data transmission, internet connectivity and voice services |
Bulgaria |
|
Daticum AD, Telepoint OOD |
For colocation of telecommunication equipment |
Bulgaria |
|
Bul Software Solutions EOOD |
For technical support |
Bulgaria |
|
CONEXUM INC |
For rental of cloud server for customers outside Bulgaria |
USA |