Data Processing Agreement ‘DPA’



1.1       The service and/or product supplier (“Processor”) and Client group company (“Controller”) have concluded a supply agreement regarding certain services and/or products provided to the Controller by the Processor (“Agreement”). For the purposes of fulfilling the obligations under the Agreement, the Processor has access to or is otherwise processing the Controller’s data relating to an identifiable natural person(s) (“Personal Data”) on behalf of the Controller. This DPA sets out the terms and conditions for the processing of Personal Data under the Agreement and is an integral part of the Agreement. In the event of any conflict between the terms of the Agreement and the terms of this DPA, this DPA shall prevail.

1.2       If the Processor is also providing services and/or products under the Agreement to the Controller’s affiliates, or otherwise gains access to the affiliates’ data relating to identifiable natural person(s) for the purposes of fulfilling the Agreement, such data shall be regarded as Personal Data and this DPA shall be applicable to the Processor’s processing of such Personal Data. The affiliates have the same rights and obligations as the Controller under this DPA.

1.3       If the Controller is also purchasing services and/or products under the Agreement from the Processor’s affiliates, or the Processor’s affiliates otherwise gain access to the Controller’s or its affiliates’ data relating to identifiable natural person(s) for the purposes of fulfilling the Agreement, such data shall be regarded as Personal Data and this DPA shall be applicable to the Processor’s affiliates’ processing of such Personal Data. The Processors’ affiliates have the same rights and obligations as the Processor under this DPA.

1.4       Any reference made to data protection regulation in this DPA shall be understood to include the EU General Data Protection Regulation (2016/679) (“GDPR”) starting 25 May 2018.


2.1       The Controller shall

(a)        process the Personal Data in compliance with applicable data protection regulation and good data processing practice;

(b)        be entitled to give documented instructions to the Processor on the processing of Personal Data. Instructions shall be in accordance with the applicable data protection regulation and binding on the Processor unless in contradiction with the applicable law;

(c)        retain control, authority and title as well as all proprietary and intellectual property rights and other rights, howsoever arising, to Personal Data;

(d)        have the right and obligation to specify the purpose and means of processing of Personal Data and ensure that all the data subjects of the Personal Data have been provided with all appropriate notices and information;

(e)        establish and maintain for the relevant term the necessary legal grounds for transferring the Personal Data to the Processor and allowing the Processor to perform the processing contemplated hereunder; and

(f)         ensure that if the Controller represents its affiliates or third parties under this DPA, it has the legal grounds to enter into this DPA with the Processor and allowing Processor to process the Personal Data according to the terms of this DPA and the Agreement.

2.2        The Processor shall

(a)        process Personal Data with all due care and skill, diligence and prudence, in a professional manner in accordance with good data processing practices and high professional standards and in compliance with data protection regulation applicable to the Processor;

(b)        process the Personal Data on documented instructions from the Controller, unless required to do otherwise by law to which the Processor is subject. In such case, the Processor shall immediately inform the Controller of such requirement under law before processing of the Personal Data, unless the law prohibits such notification;

(c)        implement appropriate technical and organisational measures to protect Personal Data. Such measures include, inter alia as appropriate:

(i)         measures agreed between the parties in the Agreement;

(ii)        the pseudonymisation and encryption of the Personal Data as agreed between the parties;

(iii)        the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iv)       the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and

(v)        a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The Processor shall provide the Controller with more detailed information of the security measures taken for the applicable processing by the Processor under this DPA on Controller’s request;

(d)        be entitled to use subcontractors for processing of the Personal Data after notifying the Controller of the use of such subcontractors. The Controller is entitled to prohibit the use of a specific subcontractor for a justified reason. In order to avoid any adverse effects to the provision of the services and/or products under the Agreement, the Controller shall give the Processor a reasonable time to find a replacement subcontractor. The Processor shall be at all times responsible for the subcontractors’ obligations as for its own and shall enter into similar contractual obligations with its subcontractors as provided in this DPA. For the avoidance of doubt, the Processor’s affiliates are regarded as subcontractors for the purposes of this DPA;

(e)        assist the Controller in fulfilment of the Controller’s obligations (including but without limitation, to respond to requests for exercising the data subject’s rights), as reasonably may be expected from a party in the role of a data processor and only in respect of the processing by Processor under the Agreement;

(f)         upon termination of this DPA immediately stop active use of the Personal Data and either destroy or return all Personal Data, as requested by the Controller and destroy all copies thereof, unless otherwise required by law;

(g)        document the procedures in relation to the processing of Personal Data by the Processor itself and its subcontractors and make available to the Controller all information necessary and reasonable to demonstrate compliance with the Processor’s obligations set out in this DPA and in the applicable data protection regulation, and allow for and contribute to audits, including inspections, conducted by the Controller and/or a third party auditor appointed by the Controller in order to verify compliance of the Processor with the DPA and especially with the technical and organizational security measures required to be implemented; and

(h)        in the event of an audit request from a supervisory authority, assist the Controller in answering the request and organizing the audit.

2.3       Each party shall bear its own costs in connection with an audit up to one (1) audit per contractual year. Regarding any further audits during the same contractual year, the Controller shall bear the costs. Notwithstanding what has been said above in this Clause, each party shall always bear its own costs in relation to audits initiated by a competent supervisory authority. If any audit reveals that the Processor has materially breached this DPA, relevant provisions of the Agreement and/or data protection regulation applicable to the Processor, the Processor shall bear all costs of the respective audit.


The nature and purpose of data processing are defined in the Agreement. The Parties shall in co-operation compile and update, as necessary, a list of the categories of Personal Data and the related data subjects. The Processor shall provide an initial list to the Controller after signing this agreement.


4.1       In case Personal Data is accidentally, unlawfully or without proper authorization destroyed, lost, altered, disclosed or accessed, or the confidentiality or integrity of the Personal Data is endangered by any other event (“Personal Data Breach”), the Processor shall, without undue delay after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing.

4.2       The notification must, to the extent such information is available to the Processor: (i) describe the nature of the Personal Data Breach including the categories and number of data subjects concerned and the categories and number of data records concerned; (ii) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained; (iii) recommend measures to mitigate the possible adverse effects of the Personal Data Breach; (iv) describe the consequences and potential risk to the data subjects due to the Personal Data Breach; (v) describe the measures proposed or taken by the Processor to address the Personal Data Breach; and (vi) include any other information reasonably required in order for the Controller to comply with its own data protection requirements, including duties of notification and disclosure in relation to public authorities.

4.3       The Processor shall supplement the notification described above in Clause 4.2 whenever it becomes aware of details surrounding the Personal Data Breach not mentioned in the original notification. The Parties may separately agree on a more detailed breach notification process.

4.4       The Processor shall document Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This Documentation must enable the supervisory authority to verify compliance with this Clause. The Documentation will only include information necessary for such purpose.


The confidentiality obligations of the Agreement shall also be applied to Personal Data. The Processor shall ensure that all of its personnel having access to the Personal Data are bound by corresponding confidentiality obligations.


6.1       The Processor shall not transfer Personal Data outside of the EU/EEA without the prior written consent of the Controller. If the Controller gives such consent, the Processor shall be obliged to implement applicable safeguards to ensure a high level of data protection in such transfers, e.g. European Commission’s Standard Contractual Clauses, as requested and instructed by the Controller.


Notwithstanding any limitations of liability in the Agreement, the Data Processor shall, at its own expense, defend, indemnify and hold the Data Controller and its affiliates harmless against any and all loss, cost and/or damage incurred by the Data Controller or by affiliates resulting from the Data Processor’s breach of this DPA or the work of its subcontractors.


8.1       This DPA shall remain in force for the term of the Agreement. This DPA shall automatically terminate upon any termination or expiration of the Agreement.

8.2       If the Processor materially breaches its obligations under this DPA and fails to remedy such breach within thirty (30) days from the Controller’s notification of the breach to the Processor, or within thirty (30) days from the date when the Processor should have noticed the breach, the Controller shall have the right to terminate with immediate effect any and all services and other agreements which the breach affects or relates to.

8.3       Termination or expiration of this DPA shall not discharge the Processor from its confidentiality or other obligations pursuant to the Agreement, and the Processor agrees, even after the termination or expiry of this DPA, to perform any and all of its legal obligations as the Processor and to assist the Controller in its performance of its legal obligations pursuant to the applicable data protection regulation.

8.4       Any amendment to this DPA shall be in writing and shall have no effect before it is signed by duly authorised representatives of both Parties.