GENERAL CONDITIONS OF USE OF THE ROGERS QUESTIONNAIRES OF THE HABILMIND PLATFORM

The Habilmind platform is owned by the commercial company “Habilmind, SL”, (hereinafter, “Habilmind”), with registered office at Calle Ferraz 28, 28008, Madrid, and with NIF B 85645703. The subject of this agreement is the access by the Center to the services of the Habilmind platform "Rogers High Abilities Questionnaires".

A).- Habilmind's obligations: Offer access to the "Rogers High Ability Questionnaires" tool at no cost to the center. Offer the technological means necessary to carry out the tests. Provide the Center with the necessary users and passwords. Provide access to all the results of the measurements carried out with the platform. Comply with the data protection regulations established in Regulation (EU) 2016/679, General Data Protection, and in Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantees of Digital Rights.

B).- Obligations of the Center: Protect the access keys to the platform to avoid improper use. Apply the necessary security measures for the data processed on the platform. The agreement signed by both parties is established for the academic year and will be automatically renewed if neither party states otherwise. However, access to the results will be maintained for a minimum period of two years after the end of this contract as long as the Center so requests. Both parties agree to maintain confidentiality regarding what is agreed in this contract according to the conditions of Annex 1. Both parties inform each other about data protection in Annex 2, as well as adopt the measures of the data processing agreement contained in said annex. In addition to the causes of termination due to the expiration of the initially agreed duration or any of the eventual extensions that may occur, the parties may terminate this contract early and in writing if there is just cause. For these purposes, just cause shall be considered when the other party has totally or partially breached its legal obligations or those contractually established in this document, provided that, after being notified of the breach, the offending party has not rectified it within fifteen (15) business days. Both parties agree in general terms to the provisions contained in Annex 3. This contract shall be governed and interpreted in accordance with Spanish law. The Parties, expressly waiving their own jurisdiction, expressly and irrevocably submit any discrepancies that may arise from the interpretation, validity and execution of this contract to the Courts and Tribunals of the city of Madrid. And as proof of the foregoing, the Parties sign the contract, in two copies and with a single effect, in the place and date indicated in the heading.

Annex 1 - Confidentiality

The parties undertake to keep secret and not disclose to third parties all information, documents and data, whatever their nature and physical medium, concerning or derived from this contract, as well as the terms thereof. The parties undertake to adopt all measures necessary to maintain the obligation of confidentiality agreed herein. Upon termination of the contract, each party shall be obliged to deliver to the other all confidential and/or reserved information in its possession as a result of the development and execution of this contract, as well as all material and documentation, whatever its physical medium. This commitment to confidentiality shall remain in force even after termination of this contract. Confidential Information shall not include information that:

1. Its disclosure has been authorized in writing by the Reporting Party.
2. That is generally available at the time of disclosure or at a later time without disclosure having occurred due to a breach by the receiving party of its confidentiality obligation.
3. It is known to the receiving party before the disclosing party provides such information to the receiving party.
4. It is developed independently by the receiving party without recourse to Confidential Information.

Annex 2 - Data protection

1. Information on data protection with respect to the parties signing this contract: HABILMIND, SL, Calle Ferraz 28, 28008 Madrid (Spain). The Center: according to the data in the heading of this contract. Purpose of the treatment: provision of services specified in the object of this contract. Contact details of the Data Protection Officer of HABILMIND: dsantos@santosasociados.com Legal basis: this agreement, legal obligations, legitimate interest in the case of contact persons. Recipients: not foreseen, except public administrations, where applicable. Conservation period: for the duration of this contract. Once it ends, they will be kept for the periods of prescription of the actions. Rights: access, rectification, deletion, opposition, limitation, portability, which you can exercise at the address indicated above or at lopd@habilmind.com or by calling 34911014138. You can file a claim with the Control Authority.

2. Data processing agreement In the event that HABILMIND processes personal data of the Center, its staff or teachers, or its students to fulfill the purpose of this contract, the Center will be the DATA CONTROLLER OR CONTROLLER, while HABILMIND, SL will be the DATA PROCESSOR OR PROCESSOR. The processing of personal data is necessary for the provision of the service. The CONTROLLER has decided to choose this PROCESSOR because the latter offers sufficient guarantees to apply appropriate technical and organizational measures to the data provided, guaranteeing that the processing ordered complies with Regulation (EU) 2016/679, on Data Protection (RGPD) and regulations that develop it, and guarantees the protection of the rights of the interested parties, according to the following agreements:

2.1. Object, nature, purpose and duration of the contract. The object and nature of this contract is the ordering of a service that involves the necessary processing of the data provided by the CONTROLLER to the PROCESSOR in order to fulfil the contract, which is the access and validation of a specific instrument, test or trial. The PROCESSOR will only process the data in accordance with the documented instructions of the CONTROLLER, and for the purpose of the contract, not communicating them to any third party. Duration: the term of this contract. Access to services, as agreed. The type of personal data and categories of interested parties subject to this order are the following: student data, staff data. The processing operations are: collection, recording, consultation, sending, modification, conservation, deletion, anonymisation and destruction.

2.2. Obligations of the CONTROLLER

The CONTROLLER and all of its personnel assigned to the provision of services to THE CONTROLLER are obliged to:

2.2.1. Provide the services in accordance with the provisions of current legislation on the protection of personal data, the provisions of this contract and according to the documented instructions of the CONTROLLER, and the PROCESSOR may not use said data for any purpose other than that stated in this contract or use the data for its own purposes. If the PROCESSOR considers that any of the instructions of the CONTROLLER infringes or may infringe current legislation on the protection of personal data and, in particular, Regulation (EU) 2016/679, it will immediately inform the CONTROLLER in writing.

2.2.2. Not to transmit or communicate to third parties under any circumstances the personal data of the treatments for which the CONTROLLER is responsible, except for express and written instructions.

2.2.3. Ensure that the persons who form part of the structure and as human resources of the CONTROLLER, authorized by the latter to process the CONTROLLER's personal data, have expressly and in writing committed themselves to respect confidentiality standards and to comply with the security measures corresponding to their functions, of which the CONTROLLER must inform them in writing. Maintain the duty of confidentiality with respect to the personal data to which they will have access by virtue of this contract, even once the provision of the requested services has ended.

2.2.4. It shall adopt and maintain the necessary security measures and guarantee the rights of the affected persons, as established in Art. 32 of the GDPR, and shall establish, where appropriate, the following measures, among others:

1. pseudonymisation and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore availability and access to personal data quickly in the event of a physical or technical incident;
4. having established a process of regular verification, evaluation and assessment of the efficiency of the technical and organisational measures to ensure the security of the processing;
5. other security measures that the processor adopts through its proactive responsibility taking into account the data received by the CONTROLLER and the processing that needs to be carried out with the data, with the CONTROLLER having to adopt the measures of Art. 25 of the GDPR. In particular and where applicable, the CONTROLLER guarantees that the personal data that it integrates into its processing systems, that it stores, or that it processes on automated media, accessible via Wi-Fi or otherwise, on behalf of the CONTROLLER, are hosted on its own servers or, where applicable, those of its subcontractors, and accessible through its own and secure Internet access. The servers or data hosting equipment must be: Secure, in accordance with the requirements of the GDPR. Located in the European Union, unless the CONTROLLER has previously given its written agreement and consent and subject to the condition that the location outside the European Union strictly respects and complies with the conditions provided for in this regard in this contract and in the GDPR. The CONTROLLER shall make available to the CONTROLLER all information necessary to demonstrate compliance with the obligations established in this contract, allowing and contributing to the performance of audits or inspections by the controller or another auditor authorized by said controller.

2.2.5. Maintain an up-to-date, written record of all categories of processing activities carried out on behalf of the CONTROLLER containing:

1. The name and contact details of the CONTROLLER and this DATA CONTROLLER and, where applicable, of the controller's or processor's representative and the DATA PROTECTION OFFICER.
2. The categories of treatments carried out on behalf of this CONTROLLER.
3. International data transfers, including the identification of the third country to which the data is to be sent, taking into account the possible hosting of data in cloud computing services, attaching documentation with the appropriate guarantees referred to in Art. 30.2.c of the GDPR.
4. A general description of the technical and organisational security measures that the CONTROLLER applies when processing the data.

2.2.6. If the CONTROLLER must, by obligation established by law, transfer personal data to a third country or to an international organization, by virtue of the Law of the Union or of the Member States applicable to it, it will inform THE CONTROLLER in writing, in advance and in detail, of this legal requirement, unless such Law prohibits it for reasons of public interest.

2.2.7. In the event that the DATA PROCESSOR decides to subcontract all or part of this service, it must have prior written authorization from the DATA CONTROLLER. Once the subcontracting has been authorized, the SUB-PROCESSOR must be subject to the same conditions and the same written form that the PROCESSOR maintains with the CONTROLLER, the PROCESSOR being liable to the CONTROLLER in the event of non-compliance by the SUB-PROCESSOR, and a written contract must be concluded between the PROCESSOR and the SUB-PROCESSOR.

2.2.8. Communicate to the CONTROLLER any written request that refers to the rights of interested parties, which the DATA PROCESSOR may receive by any means regarding the data subject to processing.

2.2.9. It will assist the controller in ensuring compliance with the obligations set out in Art. 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the PROCESSOR. The PROCESSOR shall notify THE CONTROLLER, without undue delay and in any case before the maximum period of 24 hours, of any breaches of security of the personal data under its control of which it becomes aware, with all relevant information for the documentation and communication of the bankruptcy. Notification shall not be mandatory when such breach of security is unlikely to constitute a risk for the rights and freedoms of natural persons. If available, the following information shall be provided as a minimum:

1. Description of the nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
2. The name and contact details of the DATA PROTECTION OFFICER of the CONTROLLER or another contact person of the CONTROLLER in case further information is required.
3. Description of the possible consequences for data subjects of a breach of personal data security.
4. Description of the measures taken or proposed to mitigate or resolve the personal data breach, including, where applicable, the measures taken to mitigate any potential negative effects.

THE CONTROLLER will be the one who, where appropriate, will communicate any data security breaches to the Data Protection Agency and the affected persons.

2.2.10. Designate a data protection officer, if required by current regulations, and communicate his or her identity and contact details to the CONTROLLER.

2.2.11. Once the contractual service has been fulfilled, the personal data must be returned to the CONTROLLER, unless there is a legal provision requiring their retention. The data must be returned in the same way in which they were obtained and within two months from the effective end of the service, and the CONTROLLER must not hinder their reception. Whenever responsibilities may arise between the CONTROLLER and the PROCESSOR, the latter may keep the data duly blocked.

1. Obligations of the CONTROLLER

The CONTROLLER is obliged to provide personal data obtained in a lawful, transparent and informed manner. It guarantees the interested parties their data protection rights. It has a legal basis for the processing, complying with the conditions of consent where necessary, and will inform the PROCESSOR in the event of transmitting special categories of data under Art. 9 of the GDPR. The CONTROLLER shall be liable for any damages caused to the interested party in the event that the processing operation in which it has participated has not complied with the GDPR, pursuant to the provisions of Art. 82.2 GDPR. It shall be exempt from liability if it proves that it is in no way responsible for the event that caused the damages. When more than one controller or processor or only one controller and one processor have participated in the same processing operation and are responsible for any damages caused by said processing, all of them shall be considered liable for all damages, pursuant to Art. 82.4 GDPR.

Annex 3 - General Provisions.

1. Single Contract: This contract is considered the complete and definitive expression of what has been agreed between the parties, representing the only binding document and valid agreement that regulates the relations between them in relation to the object of the same and integrates all previous and current communications between the parties, whether verbal or written. Changes or modifications to this contract will only be valid if made in writing by means of a document signed by both parties.

2. Notifications: All notifications, authorizations and requests issued by any of the parties in relation to the compliance, validity, execution or interpretation of this contract, as well as any discrepancy or dispute in relation to it, shall be deemed to have been delivered on the day of receipt by the other party. All communications described above must be sent to the address of the recipient party as stated in the heading of this contract by burofax or certified letter with acknowledgment of receipt. Changes of address must be notified to the other party in writing in the manner provided for in this clause. In the event that said changes of address are not communicated, communications made to the addresses listed in the heading of this document shall be considered valid. Without prejudice to the foregoing, any communication related to the normal development of the commercial relationship subject to this contract shall be considered validly notified if it is made by email with acknowledgment of receipt addressed to the usual interlocutors established at any time by each of the parties.

3. Nullity: If any clause of this contract is declared totally or partially null or ineffective, such nullity or ineffectiveness will affect only such provision or part thereof that is ineffective or void, and the contract will subsist in all other respects, such provision or the part thereof that is affected being considered as not included. The parties undertake to negotiate in good faith a new valid provision to replace the one declared null or ineffective, the parties committing that the new clause will respect the intention desired by the parties in the replaced clause, in particular, and in this Contract, in general.

4. Force Majeure: Neither party shall be deemed to have breached this contract if the delay or failure to perform its obligations hereunder arises, without any wilful or negligent action, from any cause beyond its reasonable control, provided that the affected party notifies the other party as soon as possible of the existence of a situation of force majeure and uses all reasonable means to alleviate said situation.

5. Waiver: No waiver of a breach of any provision of this Agreement shall constitute a waiver of any prior, current or subsequent breach of such provision or any other provision of this Agreement. A waiver shall be effective only if in writing and signed by an authorized representative of the party waiving the breach.

6. Blog subscription: By accepting the terms and conditions of this questionnaire, the user authorizes that the email provided be automatically included in the blog subscription list. This subscription allows the user to receive updates, news, and other relevant content via email. If the user does not wish to continue receiving such communications, he or she may unsubscribe at any time by following the instructions provided in each email or by contacting the corresponding support. Once you receive the first email from the Habilmind blog subscription, you will have a link to unsubscribe at any time.