This Data Processing Agreement (the "DPA") is an Appendix to the Agreement, entered into by and between the Customer (the "Data Controller") and the Provider (the "Data Processor") as listed in the Agreement. Data Processor and Data Controller are hereinafter each referred to as the "Party" and together as the "Parties".
The Data Processor's Affiliates and third parties engaged by the Data Processor, who have or potentially will have access to, or process Personal Data, are hereinafter referred to as the "Sub-processors".
The Data Processor and the Data Controller agree as follows:
1.1. "Applicable Privacy Law" means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, transfer, and any other kind of processing of Personal Data.
1.2. All other terms that are used in the DPA including but not limited to "Data Protection Authority", "Data Subject", "Data Breach", "Personal Data", "Processing", shall be interpreted in accordance with the Applicable Privacy Law. If the Applicable Privacy Law does not contain the relevant definition of the respective terms, such terms shall be interpreted within the meaning provided in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2.1. This DPA shall be applicable to processing of Personal Data defined in accordance with the Applicable Privacy Law conducted by the Data Processor in course of fulfilment of the Agreement. The subject matter, duration, nature and purpose(s) of the processing of Personal Data, as well as type of Personal Data and categories of Data Subjects are specified in Schedule A. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Schedule A.
2.2. The Data Processor shall process Personal Data only on documented instructions from the Data Controller and for no other purpose than the purpose(s) defined in Schedule A. The Data Processor shall inform the Data Controller if, in its opinion, an instruction infringes the Applicable Privacy Law. The processing of Personal Data required in said instruction shall be delayed.
2.3. The Data Processor shall fill in the Partner Privacy Compliance Questionnaire of the Customer provided in Schedule C prior to processing of Personal Data.
2.4. Data Processor shall obtain prior written authorization of the Data Controller for collection of Personal Data if the Applicable Privacy Law requires obtaining prior express/affirmative consent of data subjects for processing of their Personal Data. In such cases, the Data Processor shall obtain, and shall procure that the Sub-processors obtain the respective consent from data subjects, unless Data Controller collects Personal Data without involvement of the Data Processor and Sub-processors.
2.5. The Data Processor shall ensure placement and availability of disclosures, policies and other issues required under the Applicable Privacy Law on the resources used for processing of Personal Data.
2.6. In case the Data Processor receives additional information that is not needed to fulfil the Agreement, it must inform the Data Controller immediately and stop the processing of the additional Personal Data.
2.7. If the Data Processor is required to transfer Personal Data to a law enforcement agency, it shall inform the Data Controller of that legal requirement before processing Personal Data, unless that law prohibits such information on important grounds of public interest.
3.1. The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Technical and organizational security measures are listed in Schedule B.
3.2. In assessing the appropriate level of security, the Data Processor shall take into account the risks that are presented by Processing Personal Data, in particular, risks arising from a Data Breach.
4.1. The Data Processor shall ensure that all employees with access to Personal Data are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment.
4.2. The Data Processor shall provide access to Personal Data to its employees on a need-to-know basis only and shall make sure that the employees are aware and compliant with the Agreement, the DPA, Data Controller's written instructions and the Applicable Privacy Law.
4.3. The Data Processor shall train its employees involved in the processing of the Personal Data to comply with the Applicable Privacy Law and with the requirements established in this DPA.
5.1. The Data Controller hereby grants general written authorization to the Data Processor to engage Sub-processors for the processing of the Personal Data under the Agreement. Upon request of the Data Controller, the Data Processor will provide a list of such Sub-processors. The Data Controller has the right to object to any Sub-processor. The objection shall be made by written communication within 10 (ten) business days after receipt of the requested list of Sub-processors. The Data Processor shall use reasonable efforts to replace the Sub-processor upon the respective request of the Data Controller.
5.2. Where the Data Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the Sub-processor by way of a written contract. The Sub-processor in particular shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Privacy Law.
5.3. The Data Processor shall provide to the Data Controller for review copies of the Processors' contracts with Sub-processors (which may be edited to remove confidential commercial information not relevant to the requirements of this DPA) as the Data Controller may request from time to time.
5.4. Where a Sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of Sub-processor's obligations.
6.1. The Data Processor shall assist the Data Controller in fulfilling its obligations concerning the requests to exercise Data Subject rights under the Applicable Privacy Law.
6.2. The Data Processor shall promptly (as soon as possible, but not later than within 24 hours of request receipt) transfer to the Data Controller any request received from the Data Subjects and shall inform the Data Subjects that they can direct their requests directly to the Data Controller. The Data Processor will only handle the requests of the Data Subjects according to the Data Controller's instructions.
7.1. The Data Processor shall notify the Data Controller on Data Breach without undue delay (as soon as possible, but not later than within twenty-four (24) hours of becoming aware of the incident). The notification shall include:
7.1.1. Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;
7.1.2. Likely consequences of the Data Breach;
7.1.3. Measures taken or proposed to address and/or mitigate the effects of the Data Breach.
7.2. The Data Processor shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Applicable Privacy Law, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.
7.3. A Party needs the prior approval of the other Party to include and identify them in the breach notifications. The other Party should not delay or withhold the approval without a reasonable cause.
7.4. If the Data Breach resulted from the Data Processor's failure to comply with the DPA or the Applicable Privacy Law, the Data Processor shall reimburse the Data Controller for all the expenses incurred as a result of the Data Breach (e.g. breach notifications, litigation costs, forensic investigations, etc.).
8.1. Upon request, the Data Processor shall assist the Data Controller to comply with its obligations under the Applicable Privacy Law when related to the processing of the Personal Data, including but not limited to:
8.1.1. Data Breaches;
8.1.2. Data Protection Impact Assessments;
8.1.3. Consultations with the Data Protection Authority;
8.1.4. Enquiries, complaints, audits, or claims from any court, government official, Data Protection Authority, third parties or individuals (including but not limited to the Data Subjects).
8.2. The Data Processor shall make available to the Data Controller all information necessary to comply with its obligations under the DPA and the Applicable Privacy Law.
8.3. The Data Processor shall notify the Data Controller of any requirements from an official authority as soon as possible, but not later than within twenty-four (24) hours of receiving said enquiry.
9.1. Upon prior notice and no more than once a year, the Data Controller has the right to conduct an audit to verify the Data Processor's compliance with the DPA.
9.2. The Data Processor shall make available to the Data Controller documentation necessary to demonstrate compliance with this DPA and the Applicable Privacy Law, in particular, to provide information about appropriate technical and organizational measures that have been implemented. Such documentation can be a current attestation, reports or expert reports from independent bodies (auditors, DPO, accountant), certifications from an IT security or data protection audit, or a certification approved by the Data Protection Authority.
9.2.1. The Data Controller can do more than one yearly audit in case of a Data Breach or a security incident.
9.2.2. The Data Controller shall schedule the audit with the Data Processor at least two (2) weeks in advance.
9.2.3. Both Parties shall agree upon the scope, the timing, and the duration of the audit.
9.3. The audit might be carried out by the Data Controller directly or by a third-party auditor appointed by the Data Controller.
9.4. The Data Controller has the right to object to the use of a particular third-party auditor, if it could be considered a competitor of the Data Processor.
10.1. The Data Processor shall maintain a record of all categories of processing activities carried out on behalf of the Data Controller. The records shall be in writing, including in electronic form.
10.2. The Data Processor shall provide a record to the Data Controller upon his request within ten (10) business days after receipt of the respective request.
11.1. The Data Processor shall promptly and in any event within ninety (90) days of the date of this DPA termination, return or irrevocably delete or remove the Personal Data, unless storage of the Personal Data is required by law.
11.2. In cases of collection of the Personal Data by the Data Processor for its subsequent transfer to the Data Controller, the Data Processor shall irrevocably delete the Personal Data after its transfer to the Data Controller within ten (10) business days after the respective transfer or not less than once in one (1) month when the respective transfer is regular or ongoing, unless the Data Controller authorizes other kinds of the Personal Data Processing by the Data Processor after the respective transfer.
11.3. The Data Processor may retain Personal Data to the extent required by the Applicable Privacy Law and only to the extent and for such period as required by the Applicable Privacy Law and always provided that Data Processor shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Privacy Law requiring its storage and for no other purpose.
11.4. The Data Processor shall provide evidence of the deletion, removal or return of the Personal Data. Return of Personal Data shall be made in a generally acceptable, structured data format by electronic means.
12.1. The Data Processor shall not transfer or otherwise process Personal Data of the European Economic Area ("EEA") nationals outside the EEA without obtaining the Data Controller's prior written consent.
12.2. If the transfer requires execution of the Standard Contractual Clauses established by the European Commission concerning the international transfer of Personal Data, its current unchanged version shall be deemed incorporated by reference hereto as Schedule C.
13.1. The Data Processor is liable for and shall indemnify, keep indemnified and hold the Data Controller, its affiliates, their officers, agents, employees and customers harmless against all liability, losses, costs, claims (including fines and penalties of the Data Protection Authority), expenses (including legal expenses) and demands which the Data Controller may incur, howsoever directly or indirectly arising from any failure by the Data Processor and/or its Sub-processors to comply with the DPA and/or the Applicable Privacy Law.
13.2. Any failure of a Sub-processor shall be deemed as own failure of the Data Processor and therefore entitle the Data Controller to the foregoing indemnity in the same manner as under Section 13.1.
13.3. Damages which a person or legal entity that is not a party to an IO but is controlling, controlled by or under common control with, or otherwise affiliated one with the Customer incurs as a result of a breach of this DPA by the Data Processor or any of its Sub-processors shall be deemed own damages of the Data Controller.
14.1. This DPA shall be effective as of the effective date of the Agreement.
14.2. This DPA will remain in force and effect so long as the Agreement remains in effect. Termination of this DPA shall not affect Parties' accrued rights and obligations at the date of termination and the provisions of Sections 7, 11 and 13 hereof.
14.3. The Data Processor's failure to comply with the obligations of this DPA is a material breach of the Agreement. In such event the Data Controller has the right to terminate the Agreement effective immediately on written notice to the Data Processor without further liability or obligation.
15.1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
16.1. The Data Controller does not provide any Personal Data to the Data Processor for monetary or other valuable consideration.
16.2. The Data Processor shall refrain from selling the Personal Data, as the term "sell" is defined in the California Consumer Privacy Act of 2018, as amended from time to time ("CCPA"). The Data Processor shall refrain from taking any action that would cause any transfer of Personal Data to qualify as "selling personal information" under the CCPA.
17.1. In the case of conflict or ambiguity between:
17.1.1. any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
17.1.2. any provision contained in the body of this Agreement and any provision contained in the Schedules, the provisions in the body of this Agreement shall prevail;
17.1.3. any provision of this Agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses shall prevail.
18.1. The following Schedules shall be an integral part of the DPA:
Schedule A: Details of Personal Data Processing
Schedule B: Technical and Organizational Security Measures
Schedule C: Partner Privacy Compliance Questionnaire.