Data Processing Agreement

This Data Processing Agreement (this “Agreement”) shall enter into force at the moment of its acceptance by the «Responsible», user of CIRCULAR PLACE

On the one hand,
the User Entity of CIRCULAR PLACE duly constituted in accordance with Spanish law, acting in its capacity as «Responsible Party». (the “Controller”).

On the other hand,
Mr. Juan Carlos Enrique Moreno, of legal age, of Spanish nationality, with bearer of passport of his nationality number 22711060-D, in the name and on behalf of AMBI WASTE SERVICES, S.L. («AMBI WASTE»), with NIF B10700300 and having its registered office at Avenida de Burgos, 17, 9º derecha, Madrid, CP 28036, in his authority as general manager of AMBI WASTE, pursuant to the deed executed on May 18, 2022, with number 770 before the Notary of Madrid Mr. Antonio Huerta Trolez. (the “Data Processor”).

The Controller and the Data Processor shall be hereinafter jointly referred to as the “Parties” and each of them, individually, as a “Party”.


  1. Whereas the Parties entered into a Participation Agreement in the Marketplace «Circular Place» (the «Services Agreement«), whereby the Data Processor renders services on behalf of the Controller related to hosting and maintenance services concerning the Marketplace (the “Service”).
  2. Whereas the Controller is the sole owner of the personal data of the adhered producers who access «Circular Place», as well as of any third parties (employees, collaborators, external consultants and suppliers, producers of EEA adhered to the Controller and users of the Marketplace beneficiaries of the donations of EEA made therein, etc.) that may have been legitimately collected by it in such condition.
  3. In the development of the activities foreseen for the provision of the Service, the Data Processor, even though it has this role in accordance with the applicable regulations, shall not have access to the aforementioned data nor shall it carry out any processing of the same since the hosting of the software or IT platform supporting the «CIRCULAR PLACE» social Marketplace, the conservation and custody of the information contained therein and the material management of all personal data existing therein shall be the exclusive task of the third party service provider who shall act as Sub-processor.
  4. Whereas the Sub-Processor in charge of the data processing will be the only one to access the hardware and software where such information is stored, preventing any access to any other third party other than this one.
  5. Whereas the Parties undertake to fully comply with the obligations set out in Regulation EU 2016/679 of the European Parliament and of the Council, of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”)In particular, the Parties shall apply the security measures required by GDPR, being personally liable for any sanctions, fines or damages that might be imposed to any party because of a failure to comply with the obligations provided in the applicable law on data protection.
  6. Whereby Articles 28 of GDPR, the Controller and the Data Processor have agreed on the terms and conditions of this Agreement, in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, which shall be governed by the following


1. Data processing

1.1. The data Processor shall comply with the requirements and obligations set forth in articles 28 of the GDPRin order to provide the Service.

1.2. This is without prejudice to the provisions of personal data that may be included in the Services Agreement entered by the Parties.

2. Data processor’s obligations

2.1. According to the obligations set forth in Article 28.3 of GDPR, the Data Processor shall fulfil the obligations and the security measures to guarantee the data protection standards legally required. In particular, the Data Processor shall comply with the following obligations:

    • Handle and process the personal data only following the instructions given by the Controller. If the Data Processor considers that the instructions given by the Controller infringe the rules established by the GDPR, or any other data protection applicable legislation, the Data Processor shall immediately inform the Controller about the infringement.
    • Refrain from applying or using the personal data for any purpose other than for fulfilment of this Agreement and the rendering of the Service agreed by the Services Agreement.
    • Refrain from disclosing, assigning, transferring or communicating the data in any way to third parties, whether orally or in writing, through electronic media, paper or IT access without the express authorization of the Controller.In order to communicate personal data to another Data Processor acting on behalf of the same Controller, the Data Processor must follow the instructions given by the Controller who has to previously identify, in writing, the destination, categories of data and the security measures required in order to conduct the communication.
    • The Data Processor shall only allow access to the data by its employees when strictly necessary for the rendering of the Service and provided that the employees are subject to the same confidentiality and personal data protection obligations as those set forth in this provision.
    • If the Data Processor should need to outsource the provision of its services to comply with the obligations arising from this Agreement, it shall inform the Controller within fifteen (15) days of that outsourcing requirement and provide the information of the outsourcing company and shall require the authorisation from the Controller when the outsourcing company is to handle the data.

      The Data Processor shall impose to the sub processor the same data protection obligations as the ones set out in this Agreement, providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements established in the GDPR. Where that sub processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Controller for the performance of that sub processor’s obligations.

      By virtue of this Agreement, the Controller authorizes the Processor to outsource the technical management services needed with regard to the platform so as to fulfil the provision of Services to the Controller. Personal data of such sub processor is listed below:

Avenida de Alfonso XIII n° 151
28016 Madrid

    • The Data Processor shall maintain, in writing, a record of processing activities carried out on behalf of the Controller. That record shall contain all of the following information:
    1. The name and contact details of each Data Processor and Data Controller who he acts on behalf of, as well as the Controller’s or Data Processor’s representative, if any, and the data protection officer;
    2. The purposes of the processing and the categories of data subjects and personal data carried out on behalf of each Controller;
    3. The transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards.
    4. A general description of the technical and organisational security measures.


    • The Data Processor guarantees the Controller that there is full compliance with the security measures related to the type of data obtained. In particular, the security measures included in Schedule I.
    • Assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights, such as the right to access, rectification, erasure, restriction of processing, data portability and right to object and automated individual decision-making.

      If the Data Processor is required to fulfil with the right to access, rectification, erasure, restriction of processing, data portability and right to object and automated individual decision-making, it shall inform the Controller immediately including any relevant information in order to respond to the request.

    • The Data Processor shall ensure appropriate training on data protection for employees who have permanent or regular access to personal data, who are involved in the development of tools used to process personal data or who are involved in the collection or processing of personal data.
    • Assist the Controller in the implementation of a data protection impact assessment.
    • Assist the Controller in the consultations with the supervisory authority.
    • Make available to the Controller all information necessary to demonstrate compliance with the obligations established by data protection legislation and allow for and contribute to audits, including inspections conducted by the Controller or another auditor engaged by the Controller.
    • The Data Processor shall designate a data protection officer in the situations set out in Article 37 of the GDPR and notify his/her contact information to the Controller.
    • Upon termination of this Agreement, the Data Processor shall return the data to the Controller or destroy it, unless there is a legal provision requiring that it be kept, as well as any copy or support on which such data was contained and shall duly certify such return or destruction in writing to the Controller.

3. Level of data security

3.1 In accordance with Article 32 of the GDPR, the Data Processor shall implement the appropriate technical and organizational measures in order to ensure (i) pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process of regular testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

3.2 The Data Processor guarantees the adoption of the security measures required in accordance with GDPR, being personally liable for any sanctions, fines or damages which might be imposed for non-compliance with the obligations undertaken in this Agreement or for those set forth in the applicable law on data protection. In particular, Data Processor shall be liable for any sanctions, fines or damages that may arise from the use of the personal data for a different purpose than those authorized by the Controller, the data transfer to non-authorized third parties or the irregular use of personal data, as well as if it fails to adopt the corresponding security measures to store, maintain, process and custody the data.

3.3 In particular, the Data Processor is committed to implement the security measures set out in Schedule I.

4. Personal data breach notification

4.1 The Data Processor shall inform the Controller without undue delay and in any case not later than 48 hours, through the established email for notification purposes, the personal data breaches which he has been aware of along with all relevant information for the appropriate documentation and notification of the incident.

Notification shall not be required when a breach of security is unlikely to result in a high risk to the rights and freedoms of natural persons

If available, the following information must be provided:

    • Description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
    • The name and contact details of the data protection officer, the privacy manager, or other point of contact where additional information can be obtained;
    • Description of the potential effects of the personal data breach;
    • Description of the measures taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide the information simultaneously, the information shall be provided in a phased manner without undue delay.

5. Data controller’s obligations

5.1 The Controller shall ensure that Data Processor guarantees the effective implementation of the GDPR.

5.2 The Controller shall implement a data protection impact assessment regarding the processing activities carried out by the Data Processor.

5.3 The Controller will be responsible for providing the information right at the time when personal data are obtained.

5.4 Consulting the supervisory authority prior to processing when necessary.

5.5 The Controller is entitled to carry out monitoring controls and audit to check that the Data Processor is complying with its obligations.

5.6 In this regard, the Data Processor, if requested, shall provide with the documentation or information to the Controller so that the Controller can verify such compliance. The Controller may, therefore, request the Data Processor, in a timely manner sufficient for their preparation (which shall be at least seven days in advance), a certificate of the compliance on data protection and/or a copy of the last audit report or the implementation of any action that may be required to prove that the Data Processor fully fulfills the applicable laws on data protection.

6. Processing of personal data of representatives, contact information and other employees of the parties

The Parties hereto declare:

    • That the Personal Data included in this Agreement and those which may be collected during the rendering of the Service, will be processed under the responsibility of each Party for the execution and control of this Agreement and the fulfilment of their legal obligations.
    • That they may exercise, at any time, their rights of access, rectification, erasure, object, portability and restriction of processing (or any others recognised by law) by means of written notification to each party, to the addresses established in this Agreement and to the attention of the data protection officer or the privacy manager.
    • That the data protection officer or the privacy manager is the figure in charge of ensuring the fulfilment of the data protection law.
    • That the Personal Data will be processed during the term of the Agreement and, after the conclusion, will remain blocked for the limitation period of any legal or contractual actions that may be enforceable hereinafter.
    • That they can lodge a claim related to the protection of Personal Data before the relevant data protection authority.Likewise, the Parties undertake to inform the contact persons or other employees whose Personal Data are collected within the framework of this Agreement of the above-mentioned features.

7. Confidentiality

7.1 The Data Processor undertakes to keep the duty of confidentiality in respect to all personal data contained in the Data Files to which the Data Processor may access through any IT means, documents or/and visual means as a result of this Agreement and the Services Agreement.

7.2 The Data Processor shall require all its employees and its contractors’ employees the duty of confidentiality as indicated herein and be able facilitate the Data Controller any supporting documents in order to ensure the fulfilment of the mentioned confidentiality duty.

7.3 The above confidentiality obligations shall survive after the termination of expiration of this Agreement or the Services Agreement for any reason. Nevertheless, said obligations shall not affect the information which (i) have been independently developed by the Data Processor without access to or use of the confidential information; (ii) becomes publicly available through no default of the Data Processor or (iii) is required to be disclosed by law.

8. Liability

8.1 The Parties agree that, notwithstanding any investigation conducted by or on behalf of the Controller or any knowledge acquired by the Controller at any time, whether before or after the execution and completion of this Agreement or on the date hereof, the Data Processor shall be liable and shall indemnify and hold the Controller harmless for any sanctions, fines and damages arising directly or indirectly from or in connection with any breach, falsehood, inaccuracy, incompleteness, error or omission of any of its legal obligations as data processor or included in this Agreement or, as the case may be, in the Services Agreement, whether voluntarily or not, attributable to ordinary or gross negligence or fraud (“culpa, negligence grave o dole”) (the “Damages”).

8.2 The amount of the Damages shall be calculated applying the principle of full and total indemnification of all the Damages. In the event that the indemnification to be paid by the Data Processor has a tax cost for the Controller, the relevant tax cost shall be borne by the Data Processor, and consequently the amount of the indemnification to be paid to the Controller shall be increased as necessary to neutralize such tax cost.

9. Term and termination of the agreement

9.1 The term of this Agreement is subject to the term of the Services Agreement. Consequently, once the Services Agreement is terminated or expired, this Agreement shall automatically terminate.

10. Governing law and jurisdiction

10.1 This Agreement shall be governed by and shall be construed in accordance with Spanish law.

10.2 Any dispute arising from this Agreement, or concerning the validity, interpretation and/or enforcement of this Agreement, shall be referred to the Courts of the city of Madrid, whose award shall be binding on both Parties, as final and conclusive.

IN WITNESS WHEREOF the Parties have executed this Agreement on the date first above written.