Data Processing Agreement
Data Processing Agreement for the provision of messaging services by LINK Mobility (hereinafter, LINK)
1. Introduction
This Data Processing Agreement (“DPA”) is entered into by and between LINK and the Client. This DPA is an integral part of the Service Agreement entered into between the parties (“Agreement”), together with the Scope Appendix, the Security Appendix, and any other appendix agreed upon.
"Data Protection Legislation" refers to the EU General Data Protection Regulation 2016/679 ("GDPR") and the EU Directive on data protection and electronic communications (ePrivacy Directive), as well as the national provisions on privacy protection of the country where the Controller or the Processor is established, in their version in force at any time, including laws that apply or supplement the GDPR and the ePrivacy Directive.
The terms used in this document shall have the same meaning as assigned to them in Article 4 of the GDPR.
2. Scope and Commitment
The Parties agree and acknowledge that in the provision of services by LINK under the Contract, personal data will be processed on behalf of the Client. Accordingly, the Client appoints LINK as processor and this DPA sets out the terms and conditions governing the processing of data. LINK guarantees that it will implement appropriate technical and organisational measures so that the processing carried out by LINK complies with the requirements of the Data Protection Legislation and ensures the protection of the Data Subject’s rights.
This DPA governs the processing of personal data by LINK on behalf of the Customer as the data processor (Article 28.3 of the GDPR) or, when the Customer itself acts as a processor, as a sub-processor (Article 28.4 of the GDPR).
For the purposes of this DPA, the Client shall assume the obligations of the Data Controller and shall be fully liable to any controller on whose behalf it processes Personal Data using LINK's services. Any reference herein to the “Controller” shall therefore be understood as referring to the Client.
LINK, as processor, its Sub-processors and other persons acting under LINK’s authority who have access to Personal Data shall process such data only on behalf of the Controller and in accordance with the Contract and the Controller’s written instructions, as well as in compliance with the DPA, unless otherwise provided by the Data Protection Legislation.
LINK must inform the Controller if, in LINK’s opinion, an instruction breaches the Data Protection Legislation.
Information about the personal data processing carried out by LINK as data controller can be found in the privacy notice available at the following link: Privacy Policy | 360NRS
3. Obligations of the Data Controller
The Controller guarantees that the Personal Data will be processed lawfully and for objective, specific, and legitimate purposes and that the Controller will not instruct LINK to process more Personal Data than necessary to fulfill those purposes.
The Controller must ensure that there is a valid legal basis for the processing as defined in the Data Protection Legislation (see Article 6.1 of the GDPR) at the time of transferring the Personal Data to LINK. If the legal basis is consent (see Article 6.1(a) of the GDPR), the Controller guarantees that the consent has been given explicitly, freely, unequivocally and in an informed manner.
Likewise, the Controller guarantees that the Data Subjects to whom the personal data belong have been provided with the information required by the Data Protection Legislation (see Articles 13 and 14 of the GDPR) regarding the processing of their Personal Data.
All instructions concerning the processing of Personal Data carried out under this DPA shall be addressed primarily to LINK. In the event that the Controller gives instructions directly to a Sub-processor appointed under clause 10, the Controller shall immediately inform LINK thereof. LINK shall in no way be held liable for the processing carried out by the Sub-processor as a result of the instructions received directly from the Controller which cause a breach of this DPA, the Contract or the Data Protection Legislation.
4. Confidentiality
LINK shall take the necessary measures to ensure that its employees, Sub-processors, and other persons authorized by LINK to process personal data are bound by a duty of confidentiality or are subject to an appropriate statutory confidentiality obligation.
The Controller is subject to the duty of confidentiality with respect to any documentation and information received from LINK relating to the security measures, both technical and organisational, implemented by LINK and its Sub-processors or information that LINK’s Sub-processors have defined as confidential. However, the Controller may at any time share such information with supervisory authorities if necessary for compliance with its obligations under the Data Protection Legislation or other legal obligations.
5. Security
The security requirements applicable to the processing of Personal Data by LINK are governed by the Security Appendix of the DPA.
6. Access to Personal Data and Fulfillment of Data Subject Rights
Unless otherwise agreed or otherwise required by applicable law, the Data Controller shall have the right to request access to the Personal Data that LINK is processing on its behalf.
If LINK or a Sub-processor receives a request from a Data Subject regarding the processing of Personal Data carried out on behalf of the Controller, LINK shall forward the request to the Controller for handling, unless otherwise provided by legal provisions.
Taking into account the nature of the processing, LINK shall assist the Controller by implementing appropriate technical and organisational measures, where possible, in fulfilling the Controller’s obligation to respond to Data Subjects’ requests to exercise their rights, as provided in the Data Protection Legislation, including the rights of Data Subjects to (i) access their Personal Data; (ii) rectify inaccurate Personal Data; (iii) erase their Personal Data; (iv) restrict or object to the processing of their Personal Data; and (v) receive their Personal Data in a structured, commonly used and machine-readable format (data portability). In the event that the Client’s requests for assistance exceed the obligations of processors under the GDPR, LINK shall receive compensation for such assistance in accordance with LINK’s current rates.
7. Other Assistance to the Controller
If LINK or a Sub-processor receives a request for access or information from the relevant supervisory authority regarding the registered Personal Data or processing activities subject to this DPA, LINK shall notify the Controller so that they may handle it, unless LINK is entitled to handle such request directly.
If the Controller is required to carry out a Data Protection Impact Assessment or a prior consultation with the supervisory authority regarding the processing of Personal Data subject to this DPA, LINK shall assist the Controller, taking into account the nature of the processing and the information available to LINK. If the Client requests assistance beyond the obligations established under the GDPR for processors, the Client shall bear all costs incurred by LINK in providing such assistance.
8. Notification of a Personal Data Security Breach
LINK must immediately notify the Controller if it becomes aware that a Personal Data Security Breach has occurred. The Controller shall be responsible for notifying such Breach to the relevant supervisory authority in accordance with Article 33 of the GDPR.
The notification to the Controller must be sent to the email address indicated in this DPA and must describe at least (i) the nature of the Personal Data Security Breach, including, where possible, the categories and approximate number of Data Subjects affected, and the categories and approximate number of records of Personal Data concerned; (ii) the possible consequences of the Personal Data Security Breach; (iii) the measures taken or proposed by LINK to remedy the Breach, including, where applicable, measures to mitigate its possible adverse effects.
In the event that the Controller is obliged to communicate a Personal Data Security Breach to the Data Subjects, LINK shall assist the Controller in identifying the affected Data Subjects, taking into account the nature of the processing and the information available to LINK. The Controller shall bear all costs related to such communication to the Data Subjects.
9. Transfer to Third Countries
The transfer of Personal Data to countries located outside the European Union (EU) or the European Economic Area (EEA) by means of communication or access granting may only occur in accordance with the written instructions of the Controller.
Regarding the transfer to sub-processors, the written instructions are described in clause 10 below and are subject to the EU Standard Contractual Clauses between the Controller and the relevant organization at such location, or other legal bases for the Transfer as described in Chapter V of the GDPR.
The Client agrees and understands that transfers to operators in third countries, which are necessary to transmit messages to recipients located in those countries, are not covered by the requirements set forth herein.
10. Use of Sub-processors
The Controller accepts that LINK may appoint another processor (hereinafter, Sub-processor) to assist in the provision of services and the processing of Personal Data under the Contract, provided that LINK ensures that the data protection obligations set out in this DPA and in the Data Protection Legislation are imposed on the Sub-processor through a written agreement and that the appointed Sub-processor offers sufficient guarantees for the implementation of appropriate technical and organisational measures to comply with the Data Protection Legislation and this DPA and provides the Controller and the relevant supervisory authorities with the necessary access and information to verify such compliance.
LINK shall remain fully liable to the Controller for the acts of any Sub-processor.
The appointed Sub-processors are specified in the Security Appendix. LINK may update this list to reflect any new addition or replacement of Sub-processors and will notify the Client at least three (3) months before such Sub-processor begins processing Personal Data. Any objection to such changes must be notified to LINK within three (3) weeks of receiving such notice or publication on the website. In case of objection by the Client regarding the addition or replacement of a Sub-processor, LINK may terminate the Contract and this DPA with one (1) month’s notice.
By entering into this DPA, the Client authorizes LINK to enter, on its behalf, into EU Standard Contractual Clauses or to seek other legal grounds for the Transfer to Third Countries for any approved Sub-processors, in accordance with the procedure described above. If the Client is not itself the controller, it shall ensure that such authorization is granted by the acting controller. Upon request, LINK shall provide the Controller with a copy of such Standard Contractual Clauses or a description of such other legal grounds for the Transfer.
LINK shall provide all reasonable assistance and documentation to enable the Controller to conduct its independent risk assessment in relation to the use of Sub-processors or the transfer of personal data to a third country.
11. Audits
When required, LINK shall provide the Client with documentation of the technical and organisational measures applied to ensure an appropriate level of security, as well as any other information necessary to demonstrate that LINK complies with its obligations under the DPA and the relevant Data Protection Legislation.
The Controller and the supervisory authority under the Data Protection Legislation shall have the right to carry out audits, including on-site inspections and evaluations of the Personal Data processed, the systems and equipment used for that purpose, the technical and organisational measures implemented, including security policies and the like, and the Sub-processors. The Controller will not be granted access to information concerning other LINK clients or to information subject to confidentiality obligations.
The Controller shall have the right to carry out such audits once a year, each lasting one (1) day, with at least two (2) weeks’ prior notice. If the Controller engages an external auditor to perform the audits, such external auditor shall be subject to the duty of confidentiality. The Controller shall bear all costs of the audits initiated by it or arising in connection with its audits, including the compensation payable to LINK if the Controller requires a level of assistance beyond the obligations set out in the GDPR. However, such costs shall be borne by LINK if an audit reveals non-compliance with this DPA or the Data Protection Legislation.
12. Term and Termination
This DPA shall remain in effect for as long as LINK processes Personal Data on behalf of the Controller.
In the event of a breach of the DPA or a violation of Data Protection Legislation by LINK, the Controller may (i) order LINK to cease processing the Personal Data with immediate effect or (ii) terminate the DPA with immediate effect.
13. Effects of Termination
At the choice of the Controller, LINK shall delete or return all Personal Data to the Controller upon termination of the DPA, unless otherwise required by applicable law. The Client agrees and understands that it may access the Personal Data until termination, should it require copies of such data prior to deletion.
At the Client's request, LINK shall confirm in writing to the Controller that such deletion has been carried out in accordance with the DPA.
14. Breach of the DPA and Limitation of Liability
Each party’s non-compliance with the requirements set forth in this DPA shall be deemed a breach of contract by that party, and the party must take the necessary steps to remedy such breach without delay. The breaching party shall keep the other party informed of the measures taken to address the non-compliance. Neither party shall be liable to the other for errors caused by that other party’s systems or actions, negligence or omissions, or for delays caused by the Internet or line failures, power outages, or other errors beyond the parties’ reasonable control.
The liability limitations set forth in the Service Agreement signed between the parties shall apply to the liability under this DPA.
15. Notices and Amendments
All notices relating to the DPA shall be submitted in writing to the email address stated on the first page of the DPA.
In the event that a change in the Data Protection Legislation or a ruling or opinion from another authority results in a different interpretation of the Data Protection Legislation, or that a change in the services stipulated in the Contract requires a change in this DPA, LINK shall propose the application of those changes to the DPA.
Any change or modification to this DPA shall only be effective if agreed in writing and signed by both parties.
16. Governing Law and Jurisdiction
The provisions of the Service Agreement relating to applicable law, method of dispute resolution, and jurisdiction shall apply if the place of performance of the DPA is within the EU or the EEA. Otherwise, Norwegian law shall apply and jurisdiction shall be with the courts of Oslo.
Security Appendix and Technical and Organizational Measures
This document describes the technical and organisational measures implemented at LINK Mobility. The document is also an Appendix to LINK’s Data Processing Agreement.
Information security requirements
LINK, which processes Personal Data on behalf of the Controller under the Agreement, shall implement appropriate technical and organizational measures as stipulated by Data Protection Law and/or the measures imposed by the relevant supervisory authority in accordance with Data Protection Law or any other applicable statutory law to ensure an adequate level of security.
LINK will assess the appropriate level of security and consider the risks related to the processing in connection with the services under the Agreement, including the risk of destruction, loss, alteration, unauthorized disclosure of, or accidental or unlawful access to personal data transmitted, stored, or otherwise processed.
All transmissions of Personal Data between LINK and the Controller or between LINK and any third party shall be carried out with a sufficient level of security, or otherwise as agreed between the Parties.
This Appendix contains a general description of the technical and organizational measures that LINK must implement to ensure an adequate level of security.
To the extent that LINK has access to such information, LINK shall provide the Controller with general descriptions of the technical and organizational measures implemented by its Sub-processors to ensure an appropriate level of security.
Technical and organizational measures
Physical access control
LINK must take appropriate measures to prevent unauthorized physical access to LINK’s facilities containing Personal Data.
Measures must include:
- Physical and/or procedural access control systems.
- Door locks or other electronic access control measures.
- Alarm system, video/CCTV monitor or other surveillance facilities.
- Logging of facility entries/exits.
- ID, key or other access requirements.
- Procedures for visitors.
System access control
LINK must take appropriate measures to prevent unauthorized access to systems containing Personal Data. The measures must include:
- Password procedures, including requirements for:
  - Length,
  - Use of special characters, alphanumeric characters, uppercase and lowercase letters,
  - Frequent forced password change,
  - Multifactor authentication,
  - Use of unique passwords,
  - Resistance to dictionary attacks.
- Access to the systems is subject to the approval of the system owner.
- There is no system access for guest users or anonymous accounts.
- Centralized system access management.
- Remote access procedures, including requirements for:
  - Use of secure protocols for remote access,
  - Use of strong user authentication,
  - Ensuring user accountability,
  - Termination of remote access sessions after a fixed period of time.
- Privileged access rights procedures, including requirements for:
  - Approval from the asset owner for granting privileged access rights,
  - Separation of standard user accounts from privileged access accounts.
- Manual lock routines when workstations are left unattended, and automatic lock within a maximum of 5 minutes.
- Restrictions on the use of removable media, such as memory cards, CD/DVDs or portable hard drives, and encryption requirements.
Data access control
LINK must take appropriate measures to prevent unauthorized users from accessing data beyond their authorized access rights, and to prevent unauthorized access to or deletion, modification, or disclosure of Personal Data. The measures must include:
- Differentiated access rights defined by roles.
- Automated logging of user access via IT systems.
- Data encryption and masking.
- Granting access on a need-to-know basis.
- Performing access rights reviews.
Input data control
LINK must take appropriate measures to verify and determine whether Personal Data has been entered, modified, or deleted in the systems, and by whom. The measures shall include:
- Differentiated access rights based on roles.
- Automated logging of user access, and frequent review of security logs to identify and track any potential incident.
- Ensure that it is possible to verify and determine to which entities the Personal Data has been or may be transmitted or made available using data communication equipment.
- Ensure that it is possible to verify and determine which Personal Data has been entered into the data processing systems, modified, or deleted, and when and by whom the Personal Data was entered, modified, or deleted.
Disclosure control
LINK will take proportionate measures to prevent unauthorized access, alteration, or deletion of Personal Data during the transfer of such data. Measures must include:
- Use of state-of-the-art encryption in all electronic transfers of personal data.
- Encryption via VPN or HTTPS for remote access, transfer, and communication of personal data.
- Audit trail of all data transfers.
Availability control
LINK will take proportionate measures to ensure that Personal Data is protected against accidental destruction or loss. Measures must include:
- Frequent backup of personal data.
- Remote storage.
- Use of antivirus/firewall protection.
- System monitoring for the purpose of detecting viruses, etc.
- Ensure that stored personal data cannot be corrupted through a system malfunction.
- Ensure that, in the event of an interruption, the installed systems can be restored.
- Uninterruptible Power Supply system (UPS).
- Business continuity procedures.
Separation control
LINK must take appropriate measures to ensure that Personal Data collected for different purposes is processed separately. The measures shall include:
- Restrictions on access to stored Personal Data for different purposes based on roles.
- Segregation of the company’s IT systems.
Control of works/subcontractors
LINK must implement measures to ensure that, in the case of commissioned processing of Personal Data, the Personal Data is processed strictly in accordance with the Controller’s instructions. The measures shall include:
- Unambiguous drafting of contractual instructions.
- Monitoring of contract performance.
Training and awareness
LINK must ensure that all employees are aware of security and confidentiality routines through:
- Clear rules in employment contracts regarding confidentiality, security and compliance with internal routines.
- Internal routines and training courses on Personal Data processing requirements to raise awareness.
Scope Appendix
Scope of processing
The DPA refers to the processing of personal data by LINK on behalf of the Data Controller in connection with the provision of messaging services, as well as services related to the web experience of end users.
Messaging Services include the Controller’s access to LINK’s solutions for managing messaging to end users (recipients or senders) selected by the Controller, including services related to the web user experience, for the purposes and frequency chosen by the Controller through use of the service.
The Contract will provide further details regarding the specific type of messaging services to be provided to the Controller under the Contract.
Categories of Data Subjects
The categories of Data Subjects whose personal data may be processed under this DPA are defined by the Data Controller.
The processing involves the processing of Personal Data relating to the end users of the Controller (recipients and/or senders of messages depending on the use of the services by the Controller under the main contract).
Types of personal data
The Processing refers to the following types of Personal Data, subject to the specific use of the services by the Data Controller:
- Basic personal data, such as name, contact data such as email address, phone number, etc.
- Location data such as GPS, Wi-Fi location data, and location data derived from the LINK network (other than traffic data as defined below).
- Traffic data: personal data processed in connection with the transmission of communications through an electronic communications network or the billing thereof.
- Personal data included in the content of the communication, such as emails, voice messages, SMS/MMS, RCS, OTT messages, browsing data, etc.
- Special categories of Personal Data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or health data, shall not be processed under this DPA unless otherwise agreed in writing.
Purpose of the processing
The purpose of the processing of personal data by LINK on behalf of the Client is the provision of services to the Client that require the processing of personal data.
Personal data shall be subject to the processing activities specified in the main contract.
Processing of opt-out messages
- (i) The Client is solely responsible for handling opt-out messages, particularly the updating of its contact databases to stop sending messages to Users who have requested to opt out of communications via LINK Platforms.
- (ii) LINK will only forward to the Client (or to the provider designated by the Client for this purpose) the opt-out Messages it receives via LINK Platforms. LINK will not filter or block any list of end Users who have opted out of communications (phone numbers, email addresses, etc.).
- (iii) Notwithstanding paragraph (ii) above, when the Client uses the 360NRS and/or WAUSMS Platforms, and unless otherwise agreed in writing between the Parties, LINK will collect and store opt-out Messages received from end Users in lists categorized by channel and by Client. LINK will provide these opt-out Message lists in campaign reports available to the Client in the Client's dedicated area of the 360NRS and/or WAUSMS Platforms.
Monitoring
LINK is authorised by the Controller to open any Message transmitted under the terms of this Contract if necessary to verify the existence of a possible fraud or to investigate any complaint filed by an End User, an Operator or a Regulatory Body in relation to a Message, as well as to forward to the Controller any unsubscribe message or request from Data Subjects relating to the rights set out in the GDPR.
Duration of processing
The processing will continue for the duration of the agreement between the Customer and LINK.
LINK will retain Personal Data for as long as necessary to fulfill the purposes of the processing, subject to applicable compliance control laws governing traffic data.
Nature of the processing
Personal data will be processed by the Client by entering the data into the LINK platform, either via SaaS access or through an API.
Full campaign
LINK will only process Personal Data collected by the Client and sent to Operators if the Client subscribes to this service and signs a Service Order delegating to LINK the delivery of the Messages designated by the Client to the end users selected by the Client.
LINK will receive all necessary information (including Personal Data) directly from the Client using a secure File Transfer Protocol (FTP) for delivery to end users.
The Client must use the secure protocol recommended by LINK, which allows the encryption of the data contained in the file and, under no circumstances, may transfer the data by email.
Additional services
Hosting of landing pages sent to end users through LINK platforms
Purpose of the processing
The purpose of engaging LINK to process personal data on behalf of the Client is to enable the Client to fulfil its communication obligations towards end users.
Sub-processors
The approved Sub-processors under this DPA can be found in the list available at LINK Mobility sub-processors list - LINK Mobility International
This DPA is understood as an order by the Client for the transfer of Personal Data to the sub-processors listed.