DATA PROCESSING AGREEMENT (DPA)
Last updated: [DATE]
Version: 1.0
PARTIES
This Data Processing Agreement (“DPA”) is entered into between:
Personal data processor:
[COMPANY NAME] EOOD, UIC [UIC], with registered office and management address: [ADDRESS], represented by [MANAGER’S NAME] (“Magi”)
Personal data controller:
The User registered on the Magi platform — a legal or natural person engaged in accounting activities (“the Firm”)
Collectively referred to as the “Parties”.
PREAMBLE
The Firm uses the Magi platform to generate SAF-T files. In the course of using the platform, the Firm may upload data containing personal data of third parties — employees, clients, and counterparties of the companies it serves.
Pursuant to Article 28(3) of Regulation (EU) 2016/679 (GDPR), processing carried out by a processor on behalf of a controller must be governed by a contract or other legal act that is binding on the processor. This DPA is that contract.
1. DEFINITIONS
1.1. “Personal Data” — any information relating to an identified or identifiable natural person within the meaning of Article 4(1) of the GDPR.
1.2. “Processing” — any operation performed on personal data: collection, storage, reading, transformation, deletion, etc.
1.3. “Controller” — the Firm, which determines the purposes and means of the processing.
1.4. “Processor” — Magi, which processes the data on behalf of and under the instructions of the Firm.
1.5. “Data Subject” — the natural person whose personal data is being processed (employees, clients, counterparties).
1.6. “Personal Data Breach” — a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
2. SUBJECT MATTER AND SCOPE OF PROCESSING
2.1. Subject Matter: Magi processes personal data on behalf of the Firm solely for the purpose of providing the service — transformation of accounting data and generation of SAF-T files.
2.2. Categories of personal data:
- Names of natural persons (employees, partners, counterparties)
- Bulgarian Personal ID Number / Foreigner ID Number (if present in the accounting files)
- Addresses
- Bank accounts of natural persons
- Data on employment remuneration
- Any other personal data contained in the uploaded accounting files
2.3. Categories of data subjects:
- Employees of the companies served by the Firm
- Natural persons — counterparties
- Partners and managers who are natural persons
2.4. Purpose of processing: Solely the technical generation of SAF-T files in accordance with the requirements of the National Revenue Agency (NRA). Magi does not process the data for any other purpose.
2.5. Duration: The processing lasts for the term of the subscription agreement between the parties.
3. OBLIGATIONS OF MAGI (PROCESSOR)
Magi undertakes to:
3.1. Process personal data only on documented instructions from the Firm and solely for the purposes specified in this DPA.
3.2. Ensure that persons authorized to process the data have undertaken a confidentiality obligation.
3.3. Implement appropriate technical and organizational measures for security in accordance with Article 32 of the GDPR, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of data at rest
- Access control and authentication
- Regular backups
- Incident response procedure
3.4. Not engage sub-processors without the prior written consent of the Firm — general or specific. The list of current sub-processors is set out in Annex A.
3.5. Upon request, assist the Firm in fulfilling its obligations to data subjects (rights of access, rectification, erasure, portability).
3.6. Notify the Firm without undue delay and no later than 72 hours after becoming aware of a personal data breach.
3.7. At the choice of the Firm — delete or return all personal data after termination of the service and delete existing copies, unless a legal obligation requires their retention.
3.8. Provide the Firm with all information necessary to demonstrate compliance with this DPA and assist with audits.
4. OBLIGATIONS OF THE FIRM (CONTROLLER)
The Firm undertakes to:
4.1. Upload to the Magi platform only data for which it has a valid legal basis for processing in accordance with the GDPR.
4.2. Ensure that data subjects are duly informed about the processing of their data, including the use of Magi as a tool.
4.3. Notify Magi immediately upon becoming aware of any breach of data subject rights related to processing on the platform.
4.4. Bear full responsibility for the lawfulness of the data uploaded to the platform.
5. SUB-PROCESSORS
5.1. The Firm gives general prior consent for Magi to engage sub-processors, provided that:
- they are listed in Annex A to this DPA
- they are bound by contractual obligations equivalent to those in this DPA
5.2. Magi shall notify the Firm of any planned change in sub-processors with at least 30 days’ notice. The Firm may object within 14 days.
6. TRANSFERS OF DATA OUTSIDE THE EU
6.1. Magi processes the data within the EU/EEA as far as possible.
6.2. When transferring data to sub-processors outside the EU (e.g. Stripe), Magi ensures the existence of appropriate safeguards in accordance with Chapter V of the GDPR — standard contractual clauses or an adequacy decision by the Commission.
7. RIGHTS OF DATA SUBJECTS
7.1. Upon receipt of a request from a data subject concerning processing on the Magi platform, each party shall notify the other within 5 business days.
7.2. Magi shall provide technical assistance to fulfill the request (e.g. providing data in machine-readable format, deletion of specific records).
7.3. The Firm is responsible for the final response to the data subject.
8. PERSONAL DATA BREACHES
8.1. Upon becoming aware of a personal data breach, Magi shall:
- Notify the Firm within 72 hours
- Provide a description of the nature of the breach, the affected data, and the measures taken
- Assist in risk assessment and in notification to the Commission for Personal Data Protection (CPDP) and to data subjects
8.2. The Firm shall determine whether notification to the CPDP is mandatory in accordance with Article 33 of the GDPR.
9. SECURITY
9.1. Magi implements the security measures described in the Privacy Policy and in Annex B to this DPA.
9.2. Magi carries out periodic assessment and updating of the security measures.
10. TERM AND TERMINATION
10.1. This DPA enters into force upon acceptance of the Terms of Service and remains in force for the entire term of the subscription agreement.
10.2. Upon termination of the subscription, Magi shall delete all personal data of the Firm within 30 days, unless a legal obligation requires longer retention.
10.3. Magi shall provide written confirmation of the deletion upon request.
11. LIABILITY
11.1. Each party is liable for breaches of the GDPR caused by its actions or omissions.
11.2. If the Firm suffers damages due to Magi’s breach of this DPA, Magi’s liability is limited to the amount of the subscription fees paid for the last [X] months.
12. GOVERNING LAW
This DPA is governed by the legislation of the Republic of Bulgaria and Regulation (EU) 2016/679.
ANNEX A — LIST OF SUB-PROCESSORS
| Sub-processor | Country | Purpose | Safeguards |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing | Standard contractual clauses |
| [HOSTING PROVIDER NAME] | [COUNTRY] | Hosting and storage | [MECHANISM] |
| [EMAIL PROVIDER NAME] | [COUNTRY] | Transactional emails | [MECHANISM] |
ANNEX B — TECHNICAL AND ORGANIZATIONAL MEASURES
| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.2 / 1.3 for all connections |
| Encryption at rest | AES-256 for stored data |
| Access control | Role-based access, two-factor authentication |
| Backups | [FREQUENCY] automatic backups, stored for [X] days |
| Monitoring | Access and anomaly logs |
| Incident response | Notification procedure within 72 hours |
| Training | Staff are familiar with data protection requirements |
This DPA has been prepared as a working draft and should be reviewed and finalized by a licensed attorney before publication. It is recommended that the DPA be accepted electronically by each new user upon registration via a checkbox with a link to this document.