This Data Processing Agreement ("Agreement") is entered into between:
[George Zaverdas]
[Baknana 17 Athens 11745 Greece]
hereinafter referred to as the "Controller"
and
[George Zaverdas]
[Cloud Platform / https://filesgr.gr]
[Baknana 17 Athens 11745 Greece]
(hereinafter referred to as the "Processor")
Effective Date: [29/07/2025]
1.1 This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the cloud file transfer and storage services provided by the Processor.
1.2 The purpose of the processing is to allow the Controller and its authorized users to upload, store, manage, and share files via the Processor’s platform.
GDPR: General Data Protection Regulation (EU) 2016/679.
Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, whether or not by automated means.
Sub-processor: A third-party processor engaged by the Processor to assist in fulfilling specific processing tasks.
International Transfer: Any transfer of personal data to a third country or international organization outside the EEA.
3.1 The Processor shall:
Process personal data only on documented instructions from the Controller.
Ensure that persons authorized to process personal data are bound by confidentiality.
Implement appropriate technical and organizational measures (as per Article 32 GDPR).
Assist the Controller in fulfilling its obligations under Articles 32–36 of the GDPR.
Upon termination, delete or return all personal data, unless legal obligations require otherwise.
Nature: Storage, hosting, transmission, and backup of files.
Purpose: Provide secure file transfer and cloud storage services.
Categories of Data Subjects: End-users, employees, collaborators, clients.
Types of Personal Data: Names, contact details, email addresses, file metadata, IP addresses, user IDs.
5.1 The Processor may engage sub-processors for hosting, backup, security, or analytics, under the following conditions:
The sub-processor complies with the same data protection obligations as set out in this Agreement.
The Processor shall inform the Controller of any intended changes to the list of sub-processors.
The Controller has the right to object within a reasonable timeframe.
5.2 A current list of sub-processors (including location and purpose) is available upon request or at [Insert URL].
6.1 The Processor may transfer personal data to third countries outside the European Economic Area (EEA) only under one of the following conditions:
The country has been deemed to provide an adequate level of data protection by the European Commission.
Standard Contractual Clauses (SCCs) approved by the European Commission are in place.
Appropriate safeguards are implemented, and data subjects have enforceable rights.
6.2 The Controller consents to such transfers, provided they are compliant with Chapter V of the GDPR.
7.1 The Processor shall assist the Controller in responding to requests from data subjects under Chapter III of the GDPR.
7.2 If a data subject submits a request directly to the Processor, the Processor shall forward it to the Controller without undue delay.
8.1 The Processor shall notify the Controller without undue delay and, where feasible, within 48 hours after becoming aware of a personal data breach.
8.2 The notification shall include all information reasonably required to assist the Controller in complying with its own breach obligations.
9.1 The Controller has the right to audit the Processor’s compliance with this Agreement, with reasonable notice and during business hours.
9.2 The Processor shall make available all necessary information to demonstrate compliance and shall cooperate fully with such audits.
10.1 The Processor shall be liable for damages caused by processing only where it has not complied with its legal obligations or acted outside the instructions of the Controller.
10.2 Both parties agree to indemnify each other against any third-party claims resulting from a breach of this Agreement or applicable data protection laws.
11.1 This Agreement shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
11.2 Upon termination, the Processor shall, at the Controller’s choice, delete or return all personal data, unless Union or Member State law requires retention.
12.1 This Agreement shall be governed by and construed in accordance with the laws of the European Union and the laws of Greece.
12.2 Any disputes arising from this Agreement shall be submitted to the competent courts of Athens, Greece.
This DPA is part of and subject to the [Terms of Service] between the parties.
In the event of a conflict between the DPA and the Terms of Service, the DPA shall prevail in matters relating to data protection.
Any amendments must be in writing and mutually agreed.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date.
[Controller Name]
[George Zaverdas]
Title: [Owner]
Date: [29/07/2025]
[Processor Name]
Name: [George Zaverdas]
Title: [Owner]
Date: [29/07/2025]