DATA PROCESSING AGREEMENT (DPA)

Effective Date: January 2025
Between the Parties:

1. Data Controller:
Mirovia (Malta) Ltd.
30A Wilga Street, St. Julian’s, STJ 3113, Malta
Company No.: C58541
Email: office@mirovia.ltd

and

2. Data Processor:
The “Processor”, defined as any external service provider or individual engaged by Mirovia (Malta) Ltd. who processes personal data on behalf of the Controller.

1. Purpose of this Agreement

This Data Processing Agreement (“Agreement” or “DPA”) ensures that any personal data processed by the Processor on behalf of Mirovia (Malta) Ltd. is handled in compliance with:

  • the General Data Protection Regulation (EU) 2016/679 (GDPR)

  • the Maltese Data Protection Act (Chapter 586)

  • other applicable data protection laws

The Processor agrees to process personal data only for purposes defined by the Controller.


2. Subject Matter and Nature of Processing

The Processor may process personal data for the following purposes:

  • Website hosting and database storage

  • Email and communication services

  • Security monitoring (e.g., firewall, malware scanning)

  • Franchise application evaluation tools

  • CRM systems used to manage applicant information

  • Cloud storage and data backup

  • IT support and maintenance

The processing may include:

  • Collection

  • Storage

  • Transmission

  • Analysis

  • Retrieval

  • Deletion

No profiling or automated decision-making is permitted unless explicitly instructed by the Controller.


3. Categories of Personal Data

The following personal data may be processed:

A. Applicant Data

  • Full name

  • Contact details

  • Franchise application details

  • Business/financial suitability information (self-declared)

B. Website Users

  • IP addresses

  • Browser/device data

  • Cookie identifiers

  • Analytics data (if consented)

C. Communication Data

  • Email correspondence

  • Documents submitted voluntarily

The Controller does not require processing of special categories of data unless explicitly stated.


4. Categories of Data Subjects

Data subjects include:

  • Franchise applicants

  • Franchise prospects

  • Website visitors

  • Individuals communicating with the Controller

  • Employees or partners of the Controller (if applicable)


5. Duration of Processing

The Processor may process personal data only for the duration of the service agreement between the Parties.
Upon termination, all data must be deleted or returned unless EU/Maltese law requires retention.


6. Obligations of the Processor

The Processor shall:

✔ Only process data on documented instructions from the Controller

✔ Ensure confidentiality of all personnel

✔ Implement appropriate technical and organizational measures (TOMs), including:

  • encryption (at rest and/or in transit)

  • secure access controls

  • logging and monitoring

  • regular security updates

  • backup systems

✔ Assist the Controller in fulfilling GDPR obligations

✔ Notify the Controller immediately of any data breach

✔ Maintain proper documentation of processing activities

✔ Not engage sub-processors without approval

✔ Not transfer data outside the EEA without proper safeguards

✔ Allow audits by the Controller (with reasonable notice)


7. Sub-Processors

The Processor may only engage sub-processors with prior written authorization from the Controller.
Authorized sub-processors must:

  • operate under equivalent contractual obligations

  • comply with GDPR

  • ensure appropriate technical and organizational safeguards

Examples of acceptable sub-processors include:

  • Hosting providers (e.g., Hostinger)

  • Email and communication tools

  • Cloud storage providers

  • Security services (e.g., Wordfence)

  • CRM or application management systems


8. International Data Transfers

Data transfers outside the European Economic Area (EEA) must comply with GDPR Chapter V.
Permitted mechanisms include:

  • EU Commission adequacy decisions

  • Standard Contractual Clauses (SCCs)

  • Binding Corporate Rules (BCRs)

  • Additional technical safeguards for US or third-country providers

The Processor must not transfer data outside the EU/EEA without prior approval.


9. Data Breach Notification

The Processor must notify the Controller without undue delay (within 24–48 hours) if a personal data breach occurs.

Notification must include:

  • nature of the breach

  • categories and approximate number of affected individuals

  • likely consequences

  • proposed mitigation measures


10. Assistance to the Controller

The Processor shall support the Controller in:

  • responding to data subject requests

  • conducting Data Protection Impact Assessments (DPIAs)

  • demonstrating GDPR compliance

  • responding to supervisory authorities


11. Return or Deletion of Data

Upon termination of the processing activity or service agreement:

  • The Processor must delete or return all personal data

  • Backups must also be securely deleted

  • Written confirmation of deletion must be provided

These obligations apply unless EU or Maltese law requires retention.


12. Confidentiality

The Processor shall maintain strict confidentiality and ensure that employees, contractors, or sub-processors:

  • have signed confidentiality agreements

  • are trained in data protection

  • only access data when necessary

Confidentiality persists after contract termination.


13. Liability

Each Party’s liability is governed by the underlying service contract.
The Processor is responsible for damages caused by:

  • non-compliance with GDPR

  • failure to follow Controller instructions

  • unauthorized processing


14. Governing Law & Jurisdiction

This Agreement is governed by the laws of Malta.
Any disputes shall be resolved exclusively by the courts of Malta.
