Media Design Legal
Data Processing Agreement (DPA)
Standard data processing agreement (template) between Media Design S.R.L. as Processor and the client as Controller, under GDPR Art. 28.
This document is a template. Fields marked with must be completed for each client before signing.
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
CONTROLLER: (hereinafter "the Controller"), and
PROCESSOR: MEDIA DESIGN S.R.L., VAT id RO22252840, Trade Register no. J31/624/2007, Str. Lt. Col. Pretorian Nr. 3, Bl. N116, Sc. A, Ap. 7, Zalău, Sălaj county, postal code 450131, Romania (hereinafter "the Processor").
This DPA forms an integral part of the service agreement concluded between the Controller and the Processor and enters into force on the date of its signing: .
2. Definitions
Terms used in this DPA have the meaning assigned by the GDPR (Regulation (EU) 2016/679):
- Personal data: any information relating to an identified or identifiable natural person;
- Processing: any operation or set of operations performed on personal data;
- Controller: the entity that determines the purposes and means of processing;
- Processor: the entity that processes personal data on behalf of the Controller;
- Data subject: the natural person whose data are processed;
- Sub-processor: any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
3. Subject-matter of processing
The Processor processes personal data on behalf of the Controller solely for the provision of the contracted services, as detailed below:
- Duration: for the term of the service agreement plus a maximum of 90 days after termination (for return / deletion);
- Nature of processing: storage, transmission, processing, display, analysis, integration with third parties authorised by the Controller;
- Purpose of processing: provision of contracted services (web design, development, digital marketing, SEO, hosting, technical support);
- Categories of personal data: ;
- Categories of data subjects: .
4. Processor obligations
The Processor undertakes, under GDPR Art. 28(3), to:
- (a) process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organisation, unless required to do so by Union or Member State law;
- (b) ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- (c) take all measures required pursuant to GDPR Art. 32 (security of processing);
- (d) respect the conditions referred to in GDPR Art. 28(2) and (4) for engaging another processor (sub-processor);
- (e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;
- (f) assist the Controller in ensuring compliance with GDPR Art. 32–36, taking into account the nature of processing and the information available to the Processor;
- (g) at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
- (h) make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Sub-processors
The Processor maintains a public list of authorised sub-processors available at /legal/subprocessors. The Controller grants general authorisation to engage the sub-processors on this list at the time of signing the DPA.
The Processor will notify the Controller at least 30 days before any addition or replacement of a sub-processor. The Controller has the right to object in writing within this period. Failure to object within the deadline shall be deemed acceptance. If the Controller objects with justification and the Processor cannot provide the services without that sub-processor, either party may terminate the contract with 30 days' notice.
The Processor ensures that any sub-processor is bound by the same level of data protection as this DPA, via written contract.
6. Technical and organisational measures
The Processor implements and maintains, under GDPR Art. 32, at least the following technical and organisational measures:
- Encryption in transit: HTTPS with TLS 1.3 for all publicly exposed surfaces;
- Password hashing: bcrypt hash with minimum cost factor 12;
- Two-factor authentication (2FA): mandatory for all system administrators;
- Web Application Firewall: Cloudflare WAF active on all managed domains;
- Encrypted backup: daily encrypted backups, 30-day retention, tested quarterly;
- Least-privilege principle: data access granted based on role and demonstrated need; access reviewed quarterly;
- Internal policies: annual training for collaborators with access to personal data, clean-desk policy, automatic session lock.
7. Assistance with data subject rights
At the Controller's request, the Processor will assist in the exercise of data subjects' rights (GDPR Art. 15–22), by:
- providing an export of relevant data in structured format (JSON/CSV) within 5 business days of the request;
- applying deletion or pseudonymisation of the data subject's data at the Controller's written instruction;
- providing written confirmation of the actions taken.
8. Assistance in case of a security incident
Upon detecting a security incident involving data processed on behalf of the Controller, the Processor will:
- notify the Controller without undue delay and within a maximum of 24 hours of detection;
- provide all available information to enable the Controller to assess the risk and fulfil the ANSPDCP notification obligation within 72 hours under GDPR Art. 33;
- cooperate fully in the investigation of the incident and implementation of remediation measures.
9. Deletion or return of data
Upon termination of the contract or at the Controller's written request, the Processor will:
- return all personal data to the Controller in portable format (JSON or CSV) within 30 days;
- irrevocably delete all copies of personal data from its own systems and those of sub-processors, including backups, within 90 days of contract termination;
- provide written confirmation of deletion at the Controller's request.
Exception: data that must be retained under a legal obligation (e.g., accounting documents) will be retained for the legally required period, isolated and inaccessible for any other processing.
10. Audit
The Processor allows the Controller or an independent auditor mandated by the Controller to carry out a maximum of 1 audit per year, with written notice of at least 30 days, at the Processor's premises or remotely, respecting the confidentiality of third-party information. Audit costs are borne by the Controller, unless the audit reveals significant non-conformities, in which case the Processor bears the costs. As an alternative, the Processor may provide a recognised independent audit report (ISO 27001, SOC 2 or equivalent) covering the relevant period, and the Controller may waive its own audit on that basis.
11. International transfers
Any transfer of personal data outside the European Economic Area (EEA) made by the Processor or its sub-processors is protected by:
- Standard Contractual Clauses (SCCs) approved by EU Commission Decision 2021/914 or 2021/915, as applicable;
- Transfer Impact Assessment (TIA) performed for each extra-EEA transfer in accordance with EDPB Recommendations 01/2020;
- sub-processor certification under the EU-US Data Privacy Framework, where applicable.
12. Term and termination
This DPA enters into force on the date of signing and remains in force for the entire duration of the service agreement. Upon termination of the agreement, the DPA remains applicable until completion of the data deletion / return process described in section 9.
13. Governing law and jurisdiction
This DPA is governed by Romanian law. Any dispute arising from or in connection with this DPA shall be resolved by the competent courts at the Processor's registered seat, namely Zalău, Sălaj county, Romania, unless applicable consumer law provides otherwise.
14. Signatures
By signing this DPA, the parties confirm they have read, understood and accepted all its provisions.
| CONTROLLER | PROCESSOR |
|---|---|
| | MEDIA DESIGN S.R.L. |
| Signature: ___________________ | Signature: ___________________ |
| Name: ___________________ | Name: Dumitrescu Radu |
| Title: | Title: Administrator |
| Date: | Date: |
Template last updated: 1 June 2026.