Data Protection Addendum

Last Updated: 05.01.2025

This Data Protection Addendum ("Addendum") is entered into by and between TRAGURIUM MEDIA, obrt za savjetovanje i usluge, operating as "Coma Partners" ("Coma Partners"), and the customer agreeing to this Addendum ("Customer").

This Addendum becomes effective as of the date the Customer accepts or opts in ("Addendum Effective Date") and supersedes any previous data protection agreements.

If you accept this Addendum on behalf of a legal entity, you confirm that:

You have read and understood this Addendum;

You have full authority to bind the entity;

You accept these terms on behalf of the entity.

If you lack such authority, do not accept this Addendum.

1. Introduction

This Addendum governs Coma Partners’ processing of Customer’s Personal Data under the terms of the Service Agreement between the parties.

2. Definitions

Unless otherwise defined in this Addendum, all terms shall have the meaning given to them under the EU General Data Protection Regulation ("GDPR"). The following key definitions apply:

"Addendum Effective Date": The date of Customer’s acceptance.

"Adequate Country": A jurisdiction approved by the European Commission as providing adequate data protection.

"Data Subject": Any identified or identifiable person whose Personal Data is processed.

"Personal Data": Data relating to a Data Subject that can be used to identify them.

"Processing": Any operation performed on Personal Data.

"Data Controller": Entity determining the purpose and means of processing.

"Data Processor": Entity processing data on behalf of a Data Controller.

"Data Transfer Mechanism": Lawful mechanism to transfer data outside the EEA.

"Data Protection Laws": All applicable data privacy and protection laws.

"Data Protection Authority": National or regional authority overseeing data protection law.

"EEA": European Economic Area including the EU, UK, and Switzerland.

"Model Contracts": EU-approved Standard Contractual Clauses.

"Security Incident": A breach of security leading to unauthorized access to Personal Data.

"Subprocessor": Any third party engaged by Coma Partners to process data.

Additional Definitions:

"Details of Processing Subject Matter": The processing of Customer Data under this Addendum.

"Duration of the Processing": Until termination of the Service Agreement and deletion of Customer Data.

"Nature and Purpose of the Processing": To provide the agreed Services.

"Categories of Data": Contact information, usage data, login data, and marketing interactions.

"Security Measures": Commercially reasonable protections against unauthorized access or disclosure.

3. Termination

This Addendum remains in effect as long as the Service Agreement is in force. If any conflict exists between this Addendum and the Agreement, this Addendum prevails regarding data processing.

4. Scope and Applicability

This Addendum applies where Coma Partners processes Customer Data subject to GDPR.

5. Role and Scope of Processing

The Customer is the Data Controller and Coma Partners is the Data Processor.

Coma Partners processes data only on documented instructions from Customer. Customer retains ownership of all Customer Data. Coma Partners will not use the data beyond what is permitted under the Agreement and this Addendum. Coma Partners may use Aggregated Anonymous Data for analytics purposes, as allowed in the Agreement.

6. Subprocessing

Coma Partners may engage Subprocessors under written agreements with equivalent data protection obligations. Coma Partners remains liable for its Subprocessors.

A list of current Subprocessors is available on request. Coma Partners will provide advance notice of changes.

7. Security

Coma Partners will implement and maintain appropriate technical and organizational security measures. Customer is responsible for assessing whether these meet their legal obligations. Security Measures may evolve but will not materially degrade.

8. International Transfers

Coma Partners may transfer and process data globally, subject to compliance with EU law. If required, parties agree to enter into Model Contracts.

9. Regulatory Compliance

At Customer’s written request and cost, Coma Partners will assist with regulatory compliance obligations and individual data subject rights requests, where legally required.

10. Reviews and Audits

Coma Partners will provide responses to reasonable Customer requests related to GDPR compliance.

Audits may be requested:

No more than once annually

During business hours

At Customer's expense

Without exposing systems of other customers or third-party infrastructure

11. Return or Deletion of Data

Upon termination or expiration, Customer may request that Coma Partners delete or return Personal Data within 90 days. Written confirmation of deletion will be provided. Retained data, if any, will be safeguarded under the terms of this Addendum.

12. Security Incident Notification

Coma Partners will notify Customer without undue delay upon discovering a confirmed Security Incident, unless prohibited by law.

Notice will include:

Description of the incident and discovery date

Types of data involved

Known or expected consequences

Measures taken to address the breach

13. Subprocessor Changes

Coma Partners will notify Customer at least 7 days before onboarding any new Subprocessor.

14. Further Cooperation

Coma Partners will maintain applicable data processing registrations and cooperate as needed with regulatory authorities. Coma Partners shall provide information required for data protection impact assessments, at Customer’s cost.

Contact Information:

TRAGURIUM MEDIA, obrt za savjetovanje i usluge

Draškovićeva ulica 46

10000 Zagreb, Croatia

Email: [email protected]