This DATA PROCESSING AGREEMENT (the "Agreement") is entered into by and between:
Each of Data Processor and the Customer is referred to as a "Party" and together as the "Parties".
"Applicable Laws" shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
"Data Protection Laws" shall mean the applicable national laws concerning data protection and, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679) and their national implementations and related national legislation.
"EEA" shall mean the European Economic Area.
"Personal Data" shall mean all information that is directly or indirectly referable to a living natural person, such as name, email address, IP address, location data, etc.
"Personal Data Breach" shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Processor may under this Agreement process Personal Data on behalf of the Customer according to the instructions of the Customer. The Personal Data is and shall remain the property of the Customer, and the Customer takes full responsibility for the Personal Data, including that such data does not infringe any third-party rights or in any other way violate Applicable Laws.
This Agreement is intended to constitute and shall be interpreted as a written data processing agreement between the Customer and Data Processor pursuant to applicable Data Protection Laws.
Data Processor shall process the Personal Data relating to the categories of data subjects, and the processing shall consist of the processing operations, as set out in Schedule 1.
Data Processor shall process the Personal Data for the purpose of providing the Service to the Customer.
The Customer shall hold Data Processor harmless and indemnify it for third-party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Data Processor is held liable by a competent court, authority or any other dispute resolution body for processing of Personal Data that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Data Processor’s failure to perform its obligations under this Agreement.
Data Processor is entitled to remuneration on the basis of the provisions of this Agreement and shall, unless otherwise explicitly set out in this Agreement, charge the Customer under this Agreement in accordance with the Service Agreement.
When the provisions of this Agreement cease to be effective, the Data Processor shall, upon and in accordance with Controller's request, delete all Personal Data or delete and return all Personal Data to the Customer, unless Applicable Laws require the Data Processor to store Personal Data.
Types of Personal Data
Personal Data processed by the Data Processor on behalf of the Customer under the Service Agreement may include, but is not limited to, the following types of Personal Data:
Categories of data subjects
The processed Personal Data concerns the following categories of data subjects:
Processing operations
The following processing operations shall be carried out for the below specified purposes by the Data Processor under this Agreement:
Processing operations: Storage and transfer of Personal Data provided by the Customer.
Purposes: Fulfilment of the Service Agreement.
Data Processor may not process the Personal Data for any other purposes under this Agreement and its schedules.
Data Processor shall process the Personal Data for the purpose of providing the Service to the Customer in accordance with the Service Agreement and comply with the instructions set forth below with respect to the processing of the Personal Data under this Agreement.
Security
The premises used by Data Processor shall be protected with adequate physical security measures, such as alarms for fires, water damage, burglary, etc. In addition, there should be procedures and equipment for example in the form of alarms, barriers, locks, etc. which control access to the premises. Data Processor shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) entry control system; (iii) protection gear for power breaks as well as smoke and water damages; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment etc.
Data Processor should possess an updated and implemented security policy which states for example the manner in which the Personal Data shall be processed, to whom Data Processor’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.
Data Processor should create a safe IT-environment, which includes, but is not limited to (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT-environment; (ii) an encryption system and/or other security measures with the purpose of avoiding tapping or revealing signals; (iii) necessary security routines for IT-equipment; (iv) a control system based on user authorization, which enables identification of user identity (through the usage of passwords or such) and prevents unauthorized use of or access to the processed Personal Data; (v) storage of processing history (log data), which shall be sorted out in accordance with Customer’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be sorted out in accordance with Customer’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained Personal Data that is no longer used.
Data Processor shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.
Customer authorizes Data Processor to, subject to the provisions of this Agreement, directly fulfil the requests of data subjects.
Subject to the above, Data Processor undertakes to inform the Customer of any rectification, erasure, or restriction of processing of Personal Data performed by a direct request of a data subject, unless this proves impossible or involves disproportionate effort. Customer shall reasonably assist the Data Processor in fulfilling the request of the data subject. Such assistance does not entitle the Customer to any reimbursement.
Data Processor shall have routines to provide Personal Data concerning a data subject in a structured, commonly used and machine-readable format, at the Customer’s request.
Subject to the provisions of this Agreement, Data Processor shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.