Data Processing Agreement (DPA)
Last updated: August 19, 2025
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions and other agreements between egypet ("we," "our," "us," "Data Controller") and users who provide services through our platform ("Service Provider," "Data Processor") that involve the processing of personal data of EU/EEA residents.
This DPA is designed to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), and to establish appropriate safeguards for the protection of personal data.
2. Definitions
The terms "personal data," "data subject," "processing," "controller," "processor," and "supervisory authority" shall have the meanings given to them in the GDPR.
- Data Controller: egypet, which determines the purposes and means of processing personal data.
- Data Processor: The Service Provider (veterinarian, pet shop, or other service provider) that processes personal data on behalf of the Data Controller.
- Sub-processor: Any processor engaged by the Data Processor to assist in fulfilling its obligations with respect to providing services to the Data Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
3. Scope and Purpose of Processing
The Data Processor shall process personal data only for the purpose of providing the services specified in the Terms and Conditions or other service agreements between the parties. The categories of personal data processed and the categories of data subjects are as follows:
3.1 Categories of Personal Data
- User account information (name, email address, phone number, etc.)
- Pet information (pet profiles, health records, photos, etc.)
- Transaction data (service bookings, purchases, etc.)
- Communication data (messages, reviews, etc.)
- Location data (when permitted by users)
3.2 Categories of Data Subjects
- egypet users (pet owners)
- Service providers' customers
- Service providers' employees or representatives
4. Obligations of the Data Processor
The Data Processor shall:
- Process personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization.
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  - The pseudonymization and encryption of personal data;
  - The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  - The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  - A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Data Controller.
- Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
- At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
- Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
5. Sub-processors
The Data Processor shall not engage any sub-processor without prior written authorization from the Data Controller. When a sub-processor is engaged, the Data Processor shall:
- Impose the same data protection obligations as set out in this DPA on the sub-processor by way of a written contract.
- Remain fully liable to the Data Controller for the performance of the sub-processor's obligations.
- Inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object to such changes.
6. Data Subject Rights
The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR, including:
- Right of access
- Right to rectification
- Right to erasure ('right to be forgotten')
- Right to restriction of processing
- Right to data portability
- Right to object
- Rights related to automated decision making, including profiling
7. Data Breach Notification
In the event of a personal data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach. The notification shall at least:
- Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. Data Protection Impact Assessment
The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Data Controller is required to carry out under the GDPR.
9. International Data Transfers
The Data Processor shall not transfer personal data to a third country or an international organization unless authorized by the Data Controller and in compliance with the GDPR's requirements for such transfers, including:
- Transfers based on an adequacy decision;
- Transfers subject to appropriate safeguards, such as standard data protection clauses;
- Transfers based on binding corporate rules;
- Transfers based on derogations for specific situations.
10. Audit Rights
The Data Controller has the right to conduct audits or inspections of the Data Processor's data processing activities to verify compliance with this DPA and the GDPR. The Data Processor shall contribute to such audits by:
- Providing the Data Controller with information necessary to demonstrate compliance;
- Allowing for and contributing to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller;
- Making available to the Data Controller all information regarding the processing of personal data under this DPA.
11. Duration and Termination
This DPA shall remain in effect for as long as the Data Processor processes personal data on behalf of the Data Controller. Upon termination of the service agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all personal data to the Data Controller and delete existing copies unless Union or Member State law requires storage of the personal data.
12. Governing Law and Jurisdiction
This DPA shall be governed by the laws of the country where the Data Controller is established, without regard to its conflict of law provisions. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of that country.
13. Modifications to this DPA
This DPA may only be modified by a written amendment signed by both parties or by an updated version published by the Data Controller with prior notice to the Data Processor.
14. Contact Information
For questions regarding this DPA, please contact:
- Data Protection Officer: dpo@egypet.com
- By visiting this page on our website: https://egypet.site/pages/contact.php