Data Processing Agreement

Last updated: 11 October 2025

Article 1 – Parties and Purpose

This Data Processing Agreement (“Agreement”) is concluded between the Relativity Team – the robotics team of Liceul Teoretic de Informatică „Alexandru Marghiloman” Buzău (the “Controller”) and EssenByte Solutions (the “Processor”), collectively referred to as “the Parties.”

The purpose of this Agreement is to define the rights and obligations of the Parties regarding the processing of personal data performed by the Processor on behalf of the Controller, in compliance with Article 28 of Regulation (EU) 2016/679 (the “GDPR”).

Article 2 – Subject Matter and Duration

1. Subject matter: The Processor processes personal data for the purpose of hosting, maintaining, and supporting the challenge.relativity.ro website and its related competition systems. Categories of data may include participants’ names, contact information, team details, project documentation, and media submitted via the platform.
2. Duration: This Agreement remains in effect for as long as the Processor processes personal data for the Controller. After termination, confidentiality and data-deletion obligations remain in force until all personal data are erased or returned.

Article 3 – Obligations of the Processor

1. Processing on documented instructions: The Processor acts only on documented instructions from the Controller, including regarding data transfers. Where law requires additional processing, the Processor must notify the Controller unless prohibited by law.
2. Confidentiality: Personnel authorised to process data are bound by confidentiality agreements or statutory obligations.
3. Security measures: The Processor implements appropriate technical and organisational measures consistent with Article 32 GDPR to ensure security and confidentiality.
4. Sub-processors: The Processor may engage sub-processors only with prior written authorisation from the Controller. Any authorised sub-processor must be bound by equivalent contractual obligations. The Processor remains fully liable for their performance.
5. Assistance with data subject rights: The Processor assists the Controller, where possible, in fulfilling requests from data subjects under Chapter III GDPR.
6. Assistance with compliance: The Processor assists the Controller in ensuring compliance with Articles 32–36 GDPR, including breach notifications, DPIAs, and prior consultations.
7. Notification of personal data breaches: The Processor notifies the Controller without undue delay upon becoming aware of a personal data breach and provides sufficient information for the Controller to meet its obligations under Articles 33–34 GDPR.
8. Deletion or return of data: At the Controller’s choice, the Processor deletes or returns all personal data after processing ends and deletes existing copies unless law requires retention.
9. Documentation and audit: The Processor provides documentation proving compliance and cooperates with audits or inspections by the Controller or an authorised auditor.
10. Objection to unlawful instructions: If the Processor believes an instruction violates the GDPR or national law, it will immediately notify the Controller.

Article 4 – Obligations of the Controller

1. Lawful basis: The Controller confirms that all personal data provided are lawfully collected and that a valid legal basis exists for processing.
2. Instructions: The Controller provides documented processing instructions and maintains an up-to-date list of authorised sub-processors, if applicable.
3. Data subject rights: The Controller manages and responds to data subject requests, with support from the Processor when required.
4. Data protection contact: The Controller’s data protection contact point is privacy@essenbyte.com and dpa@essenbyte.com.

Article 5 – International Transfers

1. The Processor will not transfer personal data outside the European Union without prior written instructions from the Controller. When authorised, transfers will comply with Chapter V GDPR using appropriate safeguards such as Standard Contractual Clauses.

Article 6 – Liability and Indemnity

1. Each Party is liable for damages resulting from non-compliance with GDPR obligations applicable to it. The Processor is liable only for breaches of its own obligations or for acting contrary to lawful instructions.
2. Liability for intentional misconduct or gross negligence cannot be excluded or limited under Romanian Civil Code provisions.

Article 7 – Term and Termination

1. This Agreement enters into force upon execution and remains effective for the duration of the processing services.
2. Upon termination of the underlying service contract or upon the Controller’s request, the Processor will cease all processing and delete or return personal data as described above. Provisions on confidentiality, audit, and liability survive termination.

Article 8 – Governing Law and Jurisdiction

This Agreement is governed by Romanian law. Any disputes shall be subject to the competent courts of Buzău, Romania, unless otherwise agreed in writing.