Privacy Policy

This Data Processing Addendum ("Addendum") is is made by and between the users and subscribers of Host Color Europe (HCE), "The Client" and FifthRev (also FifthR OÜ) an entity which operates HCE website, its data and services, which is incorporated in Republic of Estonia, with registration number 16372117 and corporate address Harju maakond, Tallinn, Kesklinna linnaosa, Pärnu mnt 41a-303, 10119, "The Company".
a) The Client and the Company are parties to an agreement(s) ("Agreement") under which the Company provides various services to the Client, including IT Consulting, Intelectual Property Consulting, Trademark Preparation, Patent Preparation, Cloud Infrastructure, Infrastructure Management and other IT services;
b) Under such Agreement the Company may process personal data on behalf of the Client; and
c) Pursuant to art. 28 of the GDPR the parties wish to set out their roles and responsibilities with respect to the processing of the personal data and hereby agree the following:
The terms used in this Addendum shall have the meanings set forth in this Addendum. The terms "processing" (and its derivatives), "personal data", "data controller", "data processor", "international organisation", "data subject", "representative" and "Member State" where used in this Addendum shall have the meaning given to them in the Data protection laws. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
"Data protection laws" means all applicable European Union or Member State laws concerning the processing of personal data, including, but not limited to The General Data Protection Regulation (EU) 2016/679 ("GDPR") and, to the extent applicable and not in conflict, the data protection laws of another country, with all their amendments or replacements. "Controller-to-Processor SCCs" means the Standard Contractual Clauses (Processors) in the Annex to the European Commission Decision of February 5, 2010 - available here at the date of this Addendum: - as may be amended or replaced from time to time by the European Commission.
. Roles
The Client is the data controller and the Company is the data processor with respect to the personal data that the Company may process on behalf of the Client in the provision of services under the Agreement.
2. Details of processing
The data subjects affected, the type of data and the purposes of processing include, but may not be limited to:
Data subjects: Data subjects may include Client's representatives, end users, employees, job applicants, contractors, collaborators, partners, suppliers, customers, clients, visitors and others as defined by the Client.
Nature and purposes of processing: The Company (and any persons acting under the authority of the Company) will process personal data solely for the purpose of (i) providing the services in accordance with the Agreement and this Addendum (ii) complying with Client's documented written instructions in accordance with the Data protection laws, or (iii) complying with Company's obligations under the Data protection laws.
Type of data: The processed data is the personal data provided by the Client to the Company in connection with its use of the services under the Agreement. Such personal data may include name, email address, contact information, home address, home telephone or mobile number, fax number, email address, and passwords, age, date of birth, marital status, number of children, job title and function, employment history, salary, identification number, prices, goods and services provided, IDs of customers, IP addresses, online behaviour and interest data, etc. address or phone number.
3. Company's obligations and responsibilities
When processes personal data on behalf of the Client the Company shall:
3.1. Scope of processing: process only personal data in accordance with the provisions of this Addendum, to the extent necessary for the performance of the Agreement and on documented instructions from the Client, unless required to do so by Union or Member State law to which the Company is subject. If the Company believes, in its opinion, that an instruction infringes any Data protection law, the Company shall inform the Client and may suspend the implementation of such instruction until the Client changes or confirms it. The Company shall not disclose personal data except as provided under this Addendum.
3.2. Authorised persons: takes commercially reasonable steps to ensure that persons authorised to process the personal data are strictly limited to only those Company's personnel who need to know/access such personal data and have committed themselves (in writing) to confidentiality with respect to such personal data. The Company also represents and warrants that the persons authorised to process the personal data are made aware of the terms of this Addendum, are not allowed to process personal data outside of the scope of this Addendum and have contractually undertaken to comply with the data privacy and confidentiality, including after termination of their relationship with the Company.
3.3. Security measures: take technical and organisational measures with respect to security of the personal data. In particular that include measures and controls as defined in Schedule A to this Addendum.
3.4. Sub-processing: The Company uses sub-processors for the provision of its services, including those under the Agreement. The Company maintains a list of its sub-processors as provided in Schedule B to this Addendum. The Client agrees that the Company may replace its sub-processors or engage another sub-processors for the provision of the services under the Agreement. In such case the Company shall inform the Client of any intended changes in the sub-processors and shall give the Client the opportunity to object to that sub-processing. The Client may object to the proposed sub-processing within 14 days of receipt of the notice and providing in writing reasonable justifiable grounds on the objection, including, where applicable related to the ability of the proposed new sub-processor to adequately protect personal data in accordance with this Addendum or Data protection laws. In the event the objection of the Client is justified the parties may work together in good faith to make mutually acceptable change in the provision of services that will allow to avoid the proposed sub-processing or to replace proposed sub-processing with more appropriate one. In the event that such change cannot be made within reasonable time from the objection and if the Company insists on the use of the proposed sub-processing in the provision of services under the Agreement the Client may terminate the Agreement by written notice to the Company.
3.5. Transfer to third countries: The services the Company provides (and respectively the Client's data) are hosted in data centres on the territory as provided in the Agreement. In some events transfer of personal data to jurisdictions outside European Union or to an international organisation may take place ("transfer to third countries"), including for IT security purposes, maintenance and performance of the services and infrastructure, adding functionalities to the services, etc. In the event of such transfer to third countries of personal data of EU data subjects the Company shall: i) make such transfer always a) on the basis of an adequacy decision by the European Commission (art. 45 of the GDPR) or b) subject to appropriate safeguards as provided under art. 46 of the GDPR, including to rely on Controller-to-Processor SCCs; ii) impose the same data protection obligations as set out in this Addendum on each sub-processor by way of a contract; and iii) remain fully liable to the Client if the sub-processor fails to fulfil its data protection obligations.
3.6. Data subject's rights: taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR or in the applicable Data protection laws. In particular the Company agrees that if a data subject makes a written request to the Company requesting information concerning the processing of, or copies of their personal data, the Company shall promptly notify the Client of that request (including a copy of the request, if appropriate) and shall not respond to that request except in accordance with the prior written instructions of the Client or as required by the Data protection law (for which the Company shall promptly inform the Client).
3.7. Assistance to the Client: assist the Client in ensuring compliance with the obligations pursuant to art. from 32 to 36 of the GDPR including, taking into account the nature of processing and the information available to the Company. The Company shall also make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.
3.8. Return or deletion of data: at the choice of the Client, delete or return all existing personal data to the Client after the end of the provision of services relating to processing, and delete all existing copies unless Union or Member State law requires storage of the personal data.
3.9. Data breach notification: The Company shall, without undue delay and in reasonable time notify the Client after becoming aware of any loss, alteration, unauthorised disclosure of, or access to the personal data of the Client.
4. Client's obligations and responsibilities
The Client shall be responsible for compliance with its obligations as a data controller under the Data protection laws, in particular for processing only data that has been lawfully and validly collected, for the justification of any transmission of personal data to the Company, including providing any required notices and obtaining any required consents and/or authorizations, where applicable, the data are relevant and proportionate to the respective uses, the provision of the data does not violate the privacy rights, publicity rights, copyrights, contract rights, intellectual property rights, or any other rights of any person, and/or otherwise compiling with the Data protection laws.
5. General provisions
5.1. Amendments of the Data protection laws: The parties, acting in good faith and as soon as is reasonably possible will may make variations to this Addendum to ensure compliance of this Addendum and of the processing of personal data with any changes in the Data protection laws or as a result of a decision or act of any supervisory authority, the EU Commission, the European Data Protection Board, the Court of Justice or other similar body or organisation, which decision or act affects the Data protection laws and their application. The Company shall ensure that equivalent variations are made to any agreement put in place with any sub-processor affected.
5.2. Contact information: Contact points for data protection enquiries:
The Company:
Office Address:
FifthR OÜ
Harju maakond, Tallinn, Kesklinna linnaosa, Pärnu mnt 41a-303, 10119, Estonia:
Each party will also provide the other information on its representative in the EU (as per article 27 of the GDPR) where applicable.
5.3. Survival: This Addendum shall remain in force and shall survive the termination or expiry of the Agreement, where applicable.:
5.4. Severability: If any provision of this Addendum is adjudged by a court of competent jurisdiction to be invalid, void, or unenforceable this shall not affect the validity of the remaining provisions which shall remain valid and enforceable. 5.5. Precedence: In the event of inconsistencies between the provisions of this Addendum and the Agreement, including any further agreements to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail, except if otherwise explicitly agreed in writing between the parties. 5.6. Law and Jurisdiction: This Addendum shall be governed by the law of and shall be subject to the exclusive jurisdiction of the courts of Estonia. 5.7. With the submission of an Online Services Order or printed Service Order the Client accepts this Addendum.
The date of the last revision of this Addendum is 22 November 2021.
SCHEDULE A - List of sub-processors
Accounting Firm Arithmetic OÜ: The entity has access to bank statements of FifthR OÜ and is aware of the Clients' bank account number, BIC, invoice amounts paid, first name, last name, entity name, and entity details such as registration number, VAT number, incorporation address and other details in order to comply with the Accountancy Law.