GENERAL TERMS AND CONDITIONS FOR THE USE OF ROGERS QUESTIONNAIRES ON THE HABILMIND PLATFORM


The Habilmind platform is the property of the commercial company "Habilmind, S.L." (hereinafter, "Habilmind"), with its registered office at Calle Ferraz 28, 28008, Madrid, and Tax Identification Number (N.I.F.) B 85645703. The subject of this agreement is the Centre's access to the services of the Habilmind platform "Rogers Questionnaires for High Abilities".


A).- Obligations of Habilmind: To provide access to the tool "Rogers Questionnaires for High Abilities" free of charge for the Centre. To provide the necessary technological means for carrying out the tests. To supply the Centre with the necessary usernames and passwords. To provide access to all results of the measurements carried out on the platform. To comply with the regulations on data protection set out in Regulation (EU) 2016/679, General Data Protection Regulation, and in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantees of Digital Rights.


B).- Obligations of the Centre: To protect the access credentials to the platform to prevent improper use. To apply the necessary security measures for the data processed on the platform. The agreement entered into between the parties is established on an academic year basis and will be automatically renewed unless either party expresses otherwise. However, access to the results will be maintained for a minimum period of two years after the termination of this contract, provided that the Centre so requests. Both parties undertake to maintain confidentiality regarding what has been agreed in this contract according to the conditions of Annex 1. 

Both parties inform each other about data protection in Annex 2 and adopt the measures of the data processing agreement contained in that annex. In addition to termination due to the expiration of the initially agreed duration or any subsequent extensions that may occur, the parties may terminate this contract early and in writing if there is just cause. For these purposes, just cause shall be considered to exist when the other party has totally or partially failed to comply with its legal or contractually established obligations in this document, provided that, once the breach has been notified, the defaulting party has not remedied it within fifteen (15) working days. Both parties generally agree to the provisions contained in Annex 3. This contract shall be governed by and interpreted in accordance with Spanish law. The Parties, expressly waiving their own jurisdiction, expressly and irrevocably submit any disputes that may arise from the interpretation, validity, and execution of this contract to the Courts and Tribunals of the city of Madrid. As evidence of the foregoing, the Parties sign the contract, in duplicate and for the same purpose, at the place and date indicated in the heading.


Annex 1 - Confidentiality


The parties agree to keep secret and not disclose to third parties all information, documents, and data, regardless of their nature and physical medium, related to or derived from this contract, as well as the terms of the contract itself. The parties agree to adopt all necessary measures to maintain the confidentiality obligations agreed upon herein. Upon termination of the contract, each party shall deliver to the other all confidential and/or restricted information in its possession as a result of the development and execution of this contract, as well as all materials and documentation, regardless of their physical medium. This confidentiality commitment shall remain in force even after the termination of this contract. Confidential Information shall not include information that:

  1. Has been authorised in writing for disclosure by the disclosing party.
  2. Is generally available at the time of its disclosure or becomes so at a later date without such disclosure being due to a breach by the receiving party of its confidentiality obligations.
  3. Was known to the receiving party prior to the disclosing party providing such information to the receiving party.
  4. Is independently developed by the receiving party without recourse to the Confidential Information.


Annex 2 - Data Protection


  1. Information on data protection regarding the signatory parties of this contract: HABILMIND, S.L., Calle Ferraz 28, 28008 Madrid (Spain). The Centre: according to the details in the heading of this contract. Purpose of processing: provision of services specified in the object of this contract. Contact details of HABILMIND’s Data Protection Officer: dsantos@santosasociados.com. Legal basis: this agreement, legal obligations, legitimate interest in the case of contact persons. Recipients: none are foreseen, except public administrations, if applicable. Retention period: for the duration of this contract. Once it ends, data will be retained for the limitation periods of any claims. Rights: access, rectification, erasure, objection, restriction, portability, which may be exercised at the above address or at lopd@habilmind.com or by calling +34911014138. A complaint can also be filed with the Supervisory Authority.
  2. Data Processing Agreement. In the event that HABILMIND processes personal data of the Centre, its staff or teachers, or its students to fulfil the purpose of this contract, the Centre shall be the CONTROLLER, while HABILMIND, S.L. shall be the PROCESSOR. The processing of personal data is necessary for the provision of the service. The CONTROLLER has chosen this PROCESSOR because the latter provides sufficient guarantees to implement appropriate technical and organisational measures for the data provided, ensuring that the processing complies with Regulation (EU) 2016/679 on Data Protection (GDPR) and its implementing regulations, and ensures the protection of the rights of data subjects, in accordance with the following agreements:

2.1. Object, nature, purpose, and duration of the processing assignment


The object and nature of this contract involve the assignment of a service that requires the processing of data provided by the CONTROLLER to the PROCESSOR to fulfil the contract, which is the access and validation of a specific instrument, test, or examination. The PROCESSOR shall only process the data in accordance with the documented instructions of the CONTROLLER and for the purpose of the contract, without disclosing them to any third party. Duration: the term of this contract. Access to services, as agreed. The type of personal data and categories of data subjects covered by this assignment are as follows: student data, staff data. The processing operations are: collection, recording, consultation, transmission, modification, retention, deletion, anonymisation, and destruction.

2.2. Obligations of the PROCESSOR 


The PROCESSOR and all its personnel assigned to provide services to the CONTROLLER agree to: 


2.2.1. Provide the services in accordance with the applicable personal data protection legislation, the provisions of this contract, and the documented instructions of the CONTROLLER, without the PROCESSOR being able to use such data for any purpose other than that set out in this contract or for its own purposes. If the PROCESSOR considers that any of the CONTROLLER’s instructions infringes or may infringe the applicable personal data protection regulations, and particularly Regulation (EU) 2016/679, it shall immediately inform the CONTROLLER in writing. 


2.2.2. Not transmit or communicate to third parties under any circumstances the personal data processed under the responsibility of the CONTROLLER, unless expressly instructed to do so in writing.


2.2.3. Ensure that persons who are part of the structure and human resources of the PROCESSOR, authorised by it to process the CONTROLLER’s personal data, have expressly and in writing committed to respecting confidentiality rules and complying with the corresponding security measures, which the PROCESSOR must inform them of in writing. Maintain the duty of confidentiality regarding personal data to which it will have access under this contract, even after the provision of the requested services has ended. 


2.2.4. Adopt and maintain the necessary security measures and guarantees of the rights of the affected individuals, as established in Article 32 of the GDPR, and establish, where applicable, among others, the following measures: 


  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
  4. having established a process for regular verification, assessment, and evaluation of the effectiveness of technical and organisational measures to ensure the security of processing;
  5. other security measures that the PROCESSOR adopts through its proactive responsibility, taking into account the data received from the CONTROLLER and the processing required to be carried out with the data, with the PROCESSOR required to adopt the measures of Article 25 of the GDPR.

In particular, and where applicable, the PROCESSOR guarantees that the personal data integrated into its processing systems, those stored, or those processed on automated media, accessible via Wi-Fi or otherwise, on behalf of the CONTROLLER, are hosted on its own servers or, if applicable, those of its subcontractors, and accessible via secure Internet access. The servers or data hosting equipment must be:

  1. Secure, in accordance with the requirements of the GDPR.
  2. Located within the European Union, unless the CONTROLLER has previously granted its written agreement and consent, provided that the location outside the European Union strictly respects and complies with the conditions set forth in this contract and the GDPR.

The PROCESSOR will make available to the CONTROLLER all necessary information to demonstrate compliance with the obligations set out in this contract, allowing and contributing to audits or inspections by the CONTROLLER or an auditor authorised by the CONTROLLER.


2.2.5. Maintain, updated and in writing, a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing: 


  1. The name and contact details of the PROCESSOR and this CONTROLLER, and where applicable, the representative of the controller or processor and the DATA PROTECTION OFFICER.
  2. The categories of processing carried out on behalf of this CONTROLLER.
  3. International data transfers, including the identification of the third country recipient of the data, taking into account the possible hosting of data in cloud computing services, attaching documentation with the appropriate safeguards referred to in Article 30.2.c of the GDPR.
  4. A general description of the technical and organisational security measures that the PROCESSOR applies in the processing of the data. 


2.2.6. If the PROCESSOR is required, by an obligation established by law, to transfer personal data to a third country or an international organisation, under Union or Member State law applicable to it, it shall inform the CONTROLLER in writing, in advance and in detail, of such legal requirement, unless such law prohibits it for reasons of public interest. 


2.2.7. In the event that the PROCESSOR decides to subcontract all or part of this service, it must obtain prior written authorisation from the CONTROLLER. Once sub-contracting is authorised, the SUB-PROCESSOR must be subject to the same conditions and written form as maintained between the PROCESSOR and the CONTROLLER, with the PROCESSOR being responsible to the CONTROLLER in the event of non-compliance by the SUB-PROCESSOR, requiring a written contract to be signed between the PROCESSOR and the SUB-PROCESSOR. 


2.2.8. Inform the CONTROLLER of any written request regarding the rights of data subjects that the PROCESSOR may receive through any means concerning the data being processed. 


2.2.9. Assist the CONTROLLER in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the PROCESSOR. The PROCESSOR shall notify the CONTROLLER without undue delay, and in any case within a maximum period of 24 hours, of any personal data breaches of which it becomes aware, providing all relevant information for the documentation and communication of the breach. Notification will not be mandatory if it is unlikely that such a security breach constitutes a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided: 


  1. A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
  2. The name and contact details of the PROCESSOR’s data protection officer or another contact person at the PROCESSOR in case further information is needed.
  3. A description of the possible consequences for data subjects of the personal data breach.
  4. A description of the measures taken or proposed to address the personal data breach, including, if applicable, measures taken to mitigate any possible adverse effects. 


It shall be the responsibility of the CONTROLLER, if applicable, to communicate the personal data breaches to the Data Protection Agency and to the affected individuals.


2.2.10. Appoint a data protection officer, if required by applicable regulations, and communicate their identity and contact details to the CONTROLLER. 


2.2.11. Once the contractual service has been completed, personal data must be returned to the CONTROLLER unless there is a legal requirement for its retention. The data must be returned in the same form in which it was obtained and within two months from the effective termination of the service, with the CONTROLLER ensuring that its receipt is not hindered. Whenever responsibilities may arise between the CONTROLLER and the PROCESSOR, the latter may retain the data in a properly blocked format. 


2.3. Obligations of the CONTROLLER


The CONTROLLER agrees to provide personal data obtained lawfully, transparently, and informatively. It guarantees data subjects the rights to data protection afforded to them. It has a legal basis for processing, complying with consent conditions if necessary, and will inform the PROCESSOR if transmitting special categories of data under Article 9 of the GDPR. The CONTROLLER shall be liable for any damages caused to the data subject if the processing operation in which it participated did not comply with the GDPR, in accordance with Article 82.2 of the GDPR. It shall be exempt from liability if it demonstrates that it is in no way responsible for the event that caused the damages. When more than one controller or processor, or only one controller and one processor, have participated in the same processing operation and are responsible for any damage or harm caused by such processing, all of them shall be considered jointly liable for all damages, in accordance with Article 82.4 of the GDPR. 


Annex 3 - General Provisions 


1. Single Contract: This contract is considered the complete and final expression of what has been agreed between the parties, representing the sole obligatory document and valid agreement governing the relationships between them regarding its subject matter and incorporating all prior and current communications between the parties, whether verbal or written. Changes or modifications to this contract shall only be valid if made in writing through a document signed by both parties. 


2. Notices: All notices, authorisations, and requests issued by either party regarding compliance, validity, execution, or interpretation of this contract, as well as any disputes or disagreements related to it, shall be deemed delivered on the day of their receipt by the other party. All such communications shall be sent to the address of the recipient party as stated in the heading of this contract via fax or certified mail with acknowledgment of receipt. Address changes must be communicated to the other party in writing as provided for in this clause. If such address changes are not communicated, communications sent to the addresses listed in the heading of this document shall be considered valid. Notwithstanding the foregoing, any communication related to the normal development of the commercial relationship governed by this contract shall be deemed validly notified if sent via email with acknowledgment of receipt addressed to the usual contacts established at any given time by each party. 


3. Nullity: If any clause of this contract is declared wholly or partially null or ineffective, such nullity or ineffectiveness shall only affect the provision or part thereof that is ineffective or null, and the contract shall remain in effect in all other respects, with such provision or the affected part thereof being deemed unwritten. The parties agree to negotiate in good faith a new valid provision to replace the one declared null or ineffective, committing to ensure that the new clause respects the intent of the parties in the replaced clause, particularly, and in this Contract, generally. 


4. Force Majeure: Neither party shall be deemed to have breached this contract if the delay or non-compliance with its obligations arises, without fraudulent or negligent conduct, from any cause beyond its reasonable control, provided that the affected party notifies the other as soon as possible of the existence of a force majeure situation and uses all reasonable means to mitigate such a situation. 


5. Waiver: The waiver of enforcing the correction of a breach of any provision of this Contract shall not constitute a waiver of enforcing the correction of any prior, current, or subsequent breach of such provision or any other stipulation of this contract. The waiver shall only be valid if made in writing and accompanied by the signature of an authorised representative of the party waiving enforcement of the breach. 


6. Blog Subscription: By accepting the terms and conditions of this questionnaire, the user authorises the automatic inclusion of the provided email address in the blog subscription list. This subscription allows the user to receive updates, news, and other relevant content via email. If the user does not wish to continue receiving such communications, they may unsubscribe at any time by following the instructions provided in each email or contacting the appropriate support. Upon receiving the first email of the Habilmind blog subscription, you will have access to a link to unsubscribe at any time you wish.
