Hereafter referred to as the "Controller"
Hereafter referred to collectively as the "Parties"
(A) This Agreement is supplemental to any other separate agreement entered into between the Parties and introduces further contractual provisions to ensure the protection and security of personal data passed from the Controller to the Processor for processing.
(B) The Controller may be acting as a data processor for another entity. It is only acting as a Controller for the purpose of the transfer of personal data passed from it to the Processor for processing under the terms of this Agreement.
(C) Following the entry into force of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) the Parties wish to lay down their rights and obligations.
It is agreed as follows:
(i) "Agreement" - this Data Processing Agreement;
(ii) "personal data" - any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(iii) "processing" - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(iv) "Controller" - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by law, the controller or the specific criteria for its nomination may be provided for by law;
(v) "Processor" - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
(vi) "Sub-processor" - any data processor engaged by the Processor;
(vii) "confidential information" – all information disclosed by a Party to the other Party pursuant to this Agreement, including (but not limited to): any trade secret, know-how, invention, concept, software program, source code, object code, application, documentation, schematic, procedure, contract, information, knowledge, data, database, process, technique, design, drawing, program, formula or test data, work in progress, engineering, manufacturing, marketing, financial, sales, supplier, technical, scientific, customer, employee, investor, or business information, whether in oral, written, graphic, or electronic form; any non-public business information, including personnel data, correspondence with any Governmental Authority, historical customer information and data, historical cost information such as budgets, operating expenses, and capital costs, and projected capital additions, operating cost information, and other business, and financial reports and forecasts; any document, diagram, photograph, drawing, computer program, or other communication that is either conspicuously marked "confidential", or is known or reasonably should have been known by the receiving Party to be confidential;
(viii) "Service" – the provision of maintenance and support services, consultancy or professional services and the provision of software as a service or any other services provided under the Agreement where the Processor processes personal data of the Controller.
1. Object of this Agreement
1.1 In the course of providing the Services to the Controller pursuant to this Agreement, the Processor may process personal data on behalf of the Controller. The Processor agrees to comply with the following provisions with respect to any personal data processed for the Controller in connection with the provision of the Services.
1.2 The Processor shall process personal data it receives from the Controller solely for purposes stemming from usage of the Service and for no other purpose except with the express written consent of the Controller.
1.3 The Processor shall process personal data only of those categories of data subjects that are provided to the Service by the Controller. The Processor is not entitled to process any category of data without the prior request or consent of the Controller.
1.4 Types of personal data. Contact information, the extent of which is determined and controlled by the Controller in its sole discretion, and other personal data such as navigational data (including website usage information), email data, system usage data, application integration data, internet protocol (IP) and other electronic data submitted, stored, sent, or received by end users via the Service.
2. Data protection
2.1 As the performance of this Agreement implies the processing of personal data, both Parties shall comply with the applicable data protection legislation and regulations including the European General Data Protection Regulation (GDPR).
2.2 The Controller will ensure that its instructions for the processing shall comply with applicable data protection legislation and regulations including the GDPR. The Controller shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which the Controller acquired personal data.
2.3 The Controller agrees that with regard to the processing the Processor may engage Sub-processors compliant with data protection legislation and regulations including the GDPR. Where the Processor engages another Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-processor by way of a contract or other legal act under applicable data protection legislation and regulations including GDPR.
2.4 The Processor shall ensure that any personal data it processes are kept confidential. All persons authorized by the Processor to process the personal data are under an appropriate obligation of confidentiality and shall not disclose the personal data to any person other than the Processor's own personnel.
2.5 The Processor shall ensure that it implements appropriate technical and organisational measures in such a manner that the processing will meet the requirements of applicable data protection legislation and regulations, including the protection of the rights of the data subject.
2.6 In accordance with the GDPR, in the performance of this Agreement the Processor shall in particular:
- create and maintain a record of its processing activities in relation to this Agreement;
- make the record available to the Controller, any auditor appointed by it and/or the supervisory authority on first request;
- assist the Controller in ensuring compliance with the monitoring of the personal data breach obligations resulting from applicable data protection legislation and regulations including GDPR, taking into account the nature of processing and the information available to the Processor;
- promptly notify the Controller about (i) any legally binding request for disclosure of the personal data by a data subject or a judicial or regulatory authority, unless otherwise prohibited (such as by an obligation under criminal law to preserve the confidentiality of a judicial enquiry), and assist the Controller therewith; and (ii) any accidental or unauthorized access and, more generally, any unlawful processing, and assist the Controller therewith;
- at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of the Service relating to processing, and delete existing copies unless applicable data protection legislation and regulations require storage of the personal data;
- make available to the Controller all information necessary to demonstrate compliance with the obligations resulting from this Agreement; inform the Controller immediately if it believes that any instruction from the Controller infringes applicable data protection legislation and regulations;
- at the request and costs of the Controller, submit its data processing facilities for audits or control of the processing activities including inspections, conducted by the Controller or another auditor mandated by the Controller.
2.7 Personal data processed in the context of this Agreement may be transferred to the U.S. The Controller shall agree to transfer personal data to the U.S. by the Processor without further written consent.
2.8 As the transfer of personal data is necessary for the performance of the Service provided by the Processor, the Parties shall ensure that the personal data are adequately protected as set forth in Article 49 of the GDPR. In particular, the Processor collects and transfers personal data subject to this Agreement, received from the Controller, to fulfil a compelling legitimate interest of the Processor in a manner that does not outweigh the Controller's or the end users' rights and freedoms.
2.9 In order to adduce adequate safeguards with respect to the protection of privacy and the fundamental rights and freedoms of individuals for the transfer of personal data outside the EU by the Controller to the Processor, the Processor agrees and warrants:
- to process the personal data only on behalf of the Controller and in compliance with its instructions;
- if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Controller of its inability to comply, in which case the Controller is entitled to suspend the transfer of data and/or terminate this Agreement;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Controller and its obligations under the Agreement, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Agreement, it will promptly notify the Controller of the change as soon as it is aware of it, in which case the Controller is entitled to suspend the transfer of data and/or terminate this Agreement.
3.1 Both Parties acknowledge that during this Agreement, a Party may become privy to confidential information which is disclosed by the other Party.
3.2 The receiving Party shall keep all confidential information confidential; in particular, the receiving Party shall not disclose any confidential information to any third party and shall not use this information for purposes not resulting from this Agreement.
3.3 Any violation of this section by either of the Parties shall be deemed a material breach of this Agreement.
4.1 The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Section 2 by any Party or Sub-processor is entitled to receive compensation from the Controller for the damage suffered.
4.2 Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims.
5. General provisions
5.1 This Agreement shall apply to all personal data disclosed to the Processor or otherwise obtained from the Controller from the date of this Agreement until the expiry of the subscription of the Service.
5.2 Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected.