데이터 처리 계약 (DPA)

1. 정의

본 데이터 처리 계약의 목적을 위해:

• "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in Article 4(2) of the GDPR.
• "Controller" means the customer who determines the purposes and means of Processing Personal Data.
• "Processor" means Morlivo, which processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

2. 처리 세부사항

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.

처리 세부사항은 다음과 같습니다:

• Subject matter: Provision of translation, transcription, and language processing services.
• Duration: For the term of the underlying service agreement.
• Nature and purpose: Processing Customer Content to deliver translations, transcriptions, and related language services.
• Categories of data subjects: End users and individuals whose data is contained within Customer Content.
• Types of personal data: Names, contact information, and any other personal data contained in materials submitted for processing.

3. 보안 조치

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures include:

• 휴지 상태의 개인 데이터 암호화(AES-256) 및 전송 중 암호화(TLS 1.2+).
• 처리 시스템 및 서비스의 지속적인 기밀성, 무결성, 가용성 및 복원력을 보장할 수 있는 능력.
• 물리적 또는 기술적 사고 발생 시 개인 데이터에 대한 가용성과 접근을 신속하게 복구할 수 있는 능력.
• 기술적 및 조직적 조치의 효과성을 정기적으로 테스트, 평가 및 검토합니다.
• 기술적으로 가능하고 적절한 경우 개인 데이터의 가명 처리.
• 최소 권한 원칙에 기반한 엄격한 접근 제어.
• 데이터 접근에 대한 포괄적인 감사 로그 및 모니터링.

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. 하위 처리자

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall maintain an up-to-date list of Sub-processors and make it available to the Controller upon request. The current list of Sub-processors is published on our Privacy Policy page.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller a reasonable opportunity to object to such changes. Where the Processor engages a Sub-processor, the Processor shall impose on that Sub-processor, by way of contract, the same data protection obligations as set out in this DPA.

The Processor shall remain fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.

5. 데이터 주체의 권리

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

• 접근권 (제15조).
• 정정권 (제16조).
• 삭제권 (제17조).
• 처리 제한권 (제18조).
• 데이터 이동권 (제20조).
• 이의 제기권 (제21조).

If the Processor receives a request from a Data Subject directly, the Processor shall promptly forward the request to the Controller and shall not respond to the Data Subject directly unless authorized by the Controller.

6. 국제 전송

The Processor shall not transfer Personal Data to a third country or international organization unless appropriate safeguards are in place as required by Chapter V of the GDPR. Approved transfer mechanisms include:

• 유럽연합 집행위원회가 채택한 표준 계약 조항(Standard Contractual Clauses, SCCs) (집행 결정 (EU) 2021/914).
• GDPR 제45조에 따른 적정성 결정.
• 권한 있는 감독 기관이 승인한 Binding Corporate Rules.

Enterprise customers may configure data residency settings to restrict the processing and storage of Personal Data to specific geographic regions (EU, US, or APAC), minimizing the need for cross-border transfers.

7. 침해 통지

The Processor shall notify the Controller without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of a Personal Data breach, as defined in Article 4(12) of the GDPR.

통지에는 다음이 포함됩니다:

• 개인 데이터 침해의 성격에 대한 설명(관련된 데이터 주체의 범주 및 대략적인 수와 관련 기록 포함).
• 처리자의 데이터 보호 담당자 이름 및 연락처.
• 침해의 예상 결과에 대한 설명.
• 침해를 해결하기 위해 취했거나 제안된 조치에 대한 설명(그 부정적 영향을 완화하기 위한 조치 포함).

8. 감사 및 검사

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice and confidentiality obligations.

9. 기간 및 데이터 삭제

This DPA shall remain in effect for the duration of the underlying service agreement. Upon termination of the service agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The Processor shall certify in writing that it has complied with this obligation upon the Controller's request.