Smart vCard customers trust the company with their data, and the Smart vCard team takes this responsibility seriously. Security and compliance remain at the forefront of Smart vCard priorities as they maintain customers’ confidence in their service. To this end, Smart vCard is dedicated to safeguarding customer data, mitigating system vulnerabilities, and guaranteeing uninterrupted service. Smart vCard employs robust measures to protect your data from unauthorized access, disclosure, use, and loss by utilizing best practices and industry-standard technologies and services.
1. Definitions: These terms are defined in addition to the definitions contained in the Agreement. They shall be interpreted according to the meaning they are given under GDPR, including:
Applicable Laws: Refers to all legislation that applies to the parties to this Agreement (including, for the avoidance of doubt, regulations or Data Protection Laws).
Data Controller: Refers to an organization (legal person as defined in this agreement) which determines the purpose and the methods for processing PERSONAL DATA.
Data Processor: Refers to the entity (legal person under this agreement) that processes PERSONAL DATA for the controller.
Data Protection Officer (DPO): A person who independently ensures that the company follows the laws that protect the privacy of individuals’ data.
Data Subject: The identified or identifiable natural person to whom PERSONAL DATA relates, as defined in Data Protection Laws and Regulations.
GDPR: Refers to the EU General Data Protection Regulation (EU) 2016/679, the regulation in EU law on the protection of data and privacy of all persons in the European Union. It replaces the previous Data Protection Directive (95/46/EC) of 1995.
Personal Data: Refers to any information related to an identifiable human being (‘data subject’); an identifiable natural person is one who can be identified either directly or indirectly, primarily through an identifier like a name, identification number, location information or online identifier, or through one or more factors specific to the physical, biological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Is any operation or set of operations performed on PERSONAL DATA or groups of PERSONAL DATA, regardless of whether it is done using automated methods, such as collecting, recording, storage, organization and modification, retrieval of information, consultation or disclosure through transmission and dissemination, or by making available, alignment or combination, restriction, erasure, or destruction.
Breach Of Personal Data: Refers to a breach in security that results in the accidental or illegal destruction, loss, alteration, disclosure of or access to PERSONAL DATA that is transmitted, stored or otherwise processed.
Sub-Processor: Refers to a third party commissioned by a DATA PROCESSOR to process the DATA CONTROLLER’s PERSONAL DATA to fulfill a particular objective.
Party (PARTIES): Refers to the person who signs these Agreements.
Smart vCard Group: It is an entity that has been formed by a collection of businesses that are included in Annex 1.
PROCESSING of PERSONAL DATA comprises the storage of PERSONAL DATA and its processing to provide services related to digital business cards as specified in Annex 2, and for the sole reason of delivering support upon the DATA CONTROLLER’s demand.
PERSONAL DATA is processed solely to provide customer services using web-based applications and Smart vCard mobile applications that include additional products and services, according to Annex 1. Any further usage of the DATA CONTROLLER’s PERSONAL DATA is strictly forbidden unless it is requested otherwise by the DATA CONTROLLER.
PERSONAL DATA, which the DATA PROCESSOR processes to assist in providing services, is considered confidential, as per the Confidentiality and Non-Disclosure Agreement, signed by both parties.
The following categories of personal data are subject to processing within the framework of this agreement: contact details (first name, last name, phone number, email), profiles on social media, and additional information that may be provided by the data controller.
3. Data Controller Rights and Obligations:
The general rights and obligations of a data controller under data protection laws would apply to any form of data processing, including the use of smart vCards if they involve personal data.
A data controller is an entity or individual determining the purposes and means of processing personal data. If a smart vCard is used to store or process personal data, the entity or individual operating it to process the data would be considered the data controller.
4. Data Processor Obligations:
The DATA PROCESSOR will process PERSONAL DATA for the DATA CONTROLLER according to specific written directives from the DATA CONTROLLER, per APPLICABLE LAWS and the conditions and terms set out within the Agreement.
The DATA PROCESSOR will correct or modify, block or erase (as directed by the DATA CONTROLLER) any PERSONAL DATA processed by the DATA PROCESSOR if it isn’t possible for the DATA CONTROLLER to make the necessary changes.
The DATA PROCESSOR warrants and affirms that it has put in place (and shall continue to implement throughout the duration of the Agreement and for the time legally required) the organizational and technical security measures to ensure the safety of PERSONAL DATA before handling the PERSONAL DATA that is transferred, and any additional security measures that are agreed upon between the DATA PROCESSOR and DATA CONTROLLER. The DATA PROCESSOR has adopted security measures based on best practices to safeguard the DATA CONTROLLER’s PERSONAL DATA. All technical and organizational measures align with the appropriate information security procedures (e.g. ISO 27001) and GDPR guidelines. An overview of the steps in use is available in Annex 2 to the document below.
The DATA PROCESSOR must test the effectiveness of measures at least twice every calendar year.
To verify these precautions, the DATA PROCESSOR will allow the DATA CONTROLLER to periodically inspect its premises and implemented security measures during regular working hours. The DATA CONTROLLER will give the DATA PROCESSOR adequate (but in no case less than thirty days) prior notice of any inspection.
The DATA PROCESSOR is responsible for ensuring that the personnel involved in the processing of PERSONAL DATA comply at all times with data confidentiality requirements.
The DATA PROCESSOR shall limit access to PERSONAL DATA to those of its employees or consultants for whom access is necessary to perform the services, on condition that such employees and consultants sign an appropriate non-disclosure agreement.
In the event the DATA PROCESSOR finds out that the DATA CONTROLLER may violate any obligation stipulated in the applicable laws on data protection, the DATA PROCESSOR must immediately inform the DATA CONTROLLER of the breach and cease the execution of the suspected processing until the violation is rectified.
The DATA PROCESSOR is required to notify the DATA CONTROLLER promptly of any concerns, requests or other messages received from its user’s privacy regulator(s) or any other third party in connection with the processing of PERSONAL DATA by the DATA PROCESSOR and DATA CONTROLLER.
The DATA PROCESSOR will immediately inform the DATA CONTROLLER if instructions provided by the DATA CONTROLLER, in the opinion of the DATA PROCESSOR, violate the APPLICABLE LAWS.
DATA PROCESSOR must adhere to this Agreement at all times.
5. Data Controller Assistance:
1. In consideration of the nature of the processing, the DATA PROCESSOR is to aid the DATA CONTROLLER in fulfilling the DATA CONTROLLER’s obligation to respond to any requests to exercise the DATA SUBJECT’s rights as stipulated in the APPLICABLE LAWS.
2. The DATA PROCESSOR will aid the DATA CONTROLLER in ensuring that the DATA CONTROLLER complies with:
the DATA CONTROLLER’s duty to report the PERSONAL DATA breach to an appropriate supervisory authority without delay and, when feasible, at least 72 hours after becoming aware of the breach, except if the PERSONAL DATA breach is not likely to cause a threat to the rights or liberties of natural people;
the DATA CONTROLLER’s duty to immediately notify the DATA SUBJECT of the PERSONAL DATA breach if the PERSONAL DATA breach could result in a significant threat to the rights or liberties of the DATA SUBJECT;
the DATA CONTROLLER’s responsibility to evaluate the effect of the proposed processing operation on the security of PERSONAL DATA (a data protection impact assessment).
6. Reporting Procedures For PERSONAL DATA BREACHES:
The DATA PROCESSOR is bound to inform the DATA CONTROLLER immediately in the event of a PERSONAL DATA breach, and no later than one hour after the DATA PROCESSOR becomes aware of the violation, so that the DATA CONTROLLER can fulfil its requirement to report the PERSONAL DATA breach to a competent supervisory authority.
The DATA CONTROLLER is bound to promptly inform the DATA SUBJECT of the PERSONAL DATA breach when the PERSONAL DATA breach is likely to result in a high threat to the rights or liberties of the DATA SUBJECT.
The DATA PROCESSOR will offer any assistance requested by the DATA CONTROLLER or supervisory authority to handle any PERSONAL DATA breach in an efficient and compliant way.
In the event of a PERSONAL DATA breach, the DATA PROCESSOR must provide the following information about the PERSONAL DATA breach to the DATA CONTROLLER:
An explanation of the nature of the PERSONAL DATA breach and, if possible, the categories and an estimate of the number of DATA SUBJECTS involved, as well as the categories and an estimate of the number of PERSONAL DATA records affected;
Name and contact details of the DEVELOPMENT DATA OFFICER or an alternative contact for further questions;
An outline of the likely outcomes that could result from the PERSONAL DATA breach;
An explanation of the steps that are being or will be taken to deal with the PERSONAL DATA breach and, if necessary, measures to limit the negative consequences that could result from it.
7. Personal Data Liquidation and Retention Period:
The DATA PROCESSOR retains PERSONAL DATA to carry out the services for the period specified by the DATA CONTROLLER and, in all cases, for no longer than is necessary to allow the DATA PROCESSOR to (i) offer the services requested, (ii) perform the processing of PERSONAL DATA in conformity with the terms of this Agreement, and (iii) as the case may be, comply with any legal obligation (in particular, the statutory archival or retention requirements).
In the event of any legal requirements or demand of the DATA CONTROLLER to store or archive PERSONAL DATA or upon request from the DATA CONTROLLER, the DATA PROCESSOR will complete the destruction of all or any PERSONAL DATA without delay once the reasons for which the PERSONAL DATA were processed no longer exist or upon receiving a written inquiry from the DATA CONTROLLER.
Under the directives from the DATA CONTROLLER, the DATA PROCESSOR will ensure that PERSONAL DATA processed under the terms of this Agreement is delivered to the DATA CONTROLLER for destruction or return in conformity to the DATA CONTROLLER’s instructions if those guidelines are not in violation of the law applicable to them. The DATA CONTROLLER retains the power to issue directions on behalf of the DATA PROCESSOR under the provisions of this paragraph at any point. If the directives do not comply with the APPLICABLE LAW, the APPLICABLE LAW will prevail.
After the deletion of PERSONAL DATA under clause 7.4, the DATA PROCESSOR must confirm to the DATA CONTROLLER that the PERSONAL DATA in question has been erased. If appropriate, the DATA PROCESSOR will be able to verify that PERSONAL DATA was deleted in conformity with any directions given by the DATA CONTROLLER, provided those directives do not contradict the APPLICABLE LAW. If the directives do not comply with the APPLICABLE LAW, the APPLICABLE LAW is the law to be followed.
8. Record Keeping:
The DATA PROCESSOR agrees to maintain records of all PERSONAL DATA processed under the Agreement and of the processing activities it engages in. The DATA CONTROLLER retains the right to review the records kept by the DATA PROCESSOR under this clause at any point, with appropriate (but in no event less than 30 days) notice in advance of any inspection.
If a DATA SUBJECT, in any circumstance, requests details from the DATA CONTROLLER regarding which of the DATA SUBJECT’s PERSONAL DATA is being processed under this Agreement, and the DATA CONTROLLER is not capable of providing this kind of information without the DATA PROCESSOR’s assistance, the DATA PROCESSOR is bound to give any reasonable assistance.
The records must be in writing and electronic format.
9. Confidentiality:
DATA PROCESSOR will only allow access to PERSONAL DATA that are processed for the benefit of DATA CONTROLLER to those who are under the DATA PROCESSOR’s supervision who have pledged their confidentiality to themselves or are legally bound by an obligation of confidentiality, and only based on ne
The DATA PROCESSOR will, at the request of the DATA CONTROLLER, prove that the persons concerned under the DATA PROCESSOR’s authority are bound by the confidentiality clause mentioned above.
10. Subprocessor:
To provide services to the customer (DATA CONTROLLER), the DATA PROCESSOR could engage additional companies belonging to the Smart vCard GROUP. Each member of the Smart vCard GROUP is governed by identical information security and data protection policies, procedures, and organizational safeguards. In signing this Agreement, the DATA CONTROLLER accepts that all other Smart vCard GROUP members are considered SUB-PROCESSORS per the guidelines provided in Annex 1.
In signing this Agreement, the DATA CONTROLLER acknowledges that the DATA PROCESSOR may engage another DATA PROCESSOR that should be considered a SUB-PROCESSOR.
11. The DATA CONTROLLER’s Rights to Monitor and Audit the DATA PROCESSOR:
Alongside the oversight and audit rights laid out in the Agreement, the DATA CONTROLLER is authorized to conduct any checks (including those on the DATA PROCESSOR’s site(s)) during regular working hours, provided the DATA CONTROLLER gives adequate (but in any event no less than 30 days) advance notice in writing to the DATA PROCESSOR.
The DATA PROCESSOR must promptly cooperate with the DATA CONTROLLER at the request of the DATA CONTROLLER by providing access to all documents, infrastructure, premises, information and personnel that the DATA CONTROLLER reasonably requests to ensure that the processing of data conforms to this Agreement.
12. Transfer Of Data:
A transfer of PERSONAL DATA is to be done only at the DATA CONTROLLER’s request to deliver the requested assistance.
13. Notices:
Any notification or other type of communication made under the terms of this Agreement to the other Party will be addressed and delivered to that Party at the address stated in this Agreement or at any different address notified by that Party (including, for the avoidance of doubt, in the statement of work).
The DATA CONTROLLER should contact the DATA PROCESSORS’ DPO for security and privacy-related questions or concerns.
14. Changes To Applicable Law:
If the laws and regulations governing data protection change in a way that leaves the Agreement insufficient to govern legitimate data-sharing practices, the parties will modify the Agreement. In such a case, the DATA PROCESSOR agrees to implement any modifications to its processing operations as required to comply with the new provisions in the Agreement.
15. Final Provisions:
Additionally, the DATA CONTROLLER may end this Agreement by giving 30 days prior notification to the DATA PROCESSOR with no termination charges or penalty.
This Agreement is the contract between these parties about the matter described.
The Agreement may be amended only in written form, and only if the appointed representatives of both parties execute the modification.
16. Annexes:
The following Annexes constitute an integral component of the Agreement:
Annex 1 – Smart vCard
Annex 2 – Service description
Annex 3 – Measures to improve organizational and technical efficiency
Smart vCard is operating as a collective of businesses governed by the same mission, vision, and purpose goals. Smart vCard Group Members are strategic and technological partners governed by the same regulations, rules and policies for data security, information security and privacy. The group members can participate in the service-providing lifecycle for the clients. Smart vCard GROUP Members are as follows:
C-812, Manubhai Tower, opp. faculty Of Arts, Near Kala Ghoda, Maharaja Sayajirao University, Sayajiganj, Vadodara, Gujarat 390005
The entire range of Smart vCard items and services are offered and maintained by Smart vCard (A Division of Byteweb IT Solution Pvt Ltd) GROUP Members and their employees. Notes on security and privacy and proper diligence inside Smart vCard Group:
The data can be accessed only by a few Smart vCard GROUP employees, based on the rule of least privilege. Every employee has signed an NDA, and all other employees adhere to the same strict guidelines and regulations regarding the security and privacy of data in accessing PERSONAL DATA.
Data is stored on AWS and is not transferable outside the cloud environment. This means that the data will not be shared across Smart vCard GROUP entities unless specified by the user. Any downloading or saving of data to local computers is forbidden.
All Smart vCard GROUP members sign a DPA.
Smart vCard for Business provides digital tools for networking to its customers to ensure that they can provide their contact information for professional use in a contemporary, efficient and enjoyable manner.
Digital profiles of individuals are built and customized using the Smart vCard platform on the web or by using Smart vCard mobile apps, which means that every digital profile can be personalized with personal or professional contact details as well as social profiles and other web-based links that are custom-made for each user.
The end product is the online business card which can be managed with previously mentioned platforms and apps. The Smart vCard electronic company card can be shared in various ways. One way is sharing the Smart vCard digital profile through a reusable NFC smart card or any different NFC accessory (such as wristbands, key tags or others).
The NFC Smart cards, also known as accessories, are linked to the respective online profiles. The Smart vCard owner gives their NFC card, or NFC accessory, to a person who can follow the NFC tag using their mobile. Another method of sharing and scanning the Smart vCard digital business card is through the QR code. A QR code can be printed onto the NFC smart card. It is saved in the online profile of the Smart vCard digital business card’s owner.
In addition to the previously mentioned capabilities, Smart vCard Enterprise provides an efficient and robust website-based system for business clients to control, automate and analyze information on the Smart vCard profile of digital cards for Business.
The Contractor develops and implements appropriate controls to ensure the integrity, confidentiality and availability of information as well as Personal Data using best practice standards and frameworks and implements appropriate measures, including:
The definition of security policies for information and procedures
Implementing the proper asset management system and access control
Incorporating the security of the organization and the human resources into consideration
Implementing physical and environmental security
As well as the mentioned security measures, other measures have been taken that are specifically connected to GDPR’s requirements:
The appointment of the position of Data Protection Officer, as mentioned above
Examining and defining the Privacy Policy properly, as well as other related privacy documents and taking appropriate action to ensure that the websites and all systems are compatible
Processing personal data and establishing a complete listing of processing activities which is checked regularly