DATA PROCESSOR AGREEMENT
This Data Processor Agreement (the “DPA”) is entered into between:
- Customer [insert full company name], a company incorporated under the laws of [country] with corporate identity number [XXXXXX-XXXX], having its registered office at [address] [city], [country] (the “Data Controller”); and
- [Insert full trade name of Supplier], a company incorporated under the laws of [country] with corporate identity number [XXXXXX-XXXX], having its registered office at [address] [city], [country] (the “Data Processor”),
and shall form a part of the [insert name of agreement] (“Agreement”) between the Data Controller and Data Processor.
1. BACKGROUND
The Data Controller and the Data Processor have entered into the Agreement under which the Data Processor shall provide certain services to the Data Controller. Within the scope and for the purpose of the performance of the services defined and detailed in the Agreement, the Data Processor will process personal data on behalf of the Data Controller.
The Data Controller and the Data Processor have entered into this DPA in order to fulfill the requirement of a written agreement between a data controller and a data processor of personal data as set out in applicable data protection legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to the Data Processor’s processing of personal data on behalf of the Data Controller.
2. DEFINITIONS
The following terms and expressions in this DPA shall have the meaning set out below:
| “applicable data protection legislation” | means any national or internationally binding data protection laws or regulations (including but not limited to the European Data Protection Regulation 2016/679) applicable at any time during the term of this DPA on, as the case may be, the Data Controller or the Data Processor; |
| “Data Controller” | means the legal entity which, under this DPA, determines the purposes and means of the processing of personal data; |
| “Data Processor” | means the legal entity processing personal data on behalf of the Data Controller under this DPA; |
| “personal data” | means any information relating to an identified or identifiable living, natural person; |
| “processing” | means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and |
| “Data Protection Authorities” | means any national data protection authority responsible for enforcing data privacy laws as well as supervising, as the case may be, the Data Controller or the Data Processor. |
3. PROCESSING OF PERSONAL DATA
The Data Processor undertakes to only process personal data in accordance with documented instructions communicated from time to time by the Data Controller. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set forth in this DPA and in Appendix 1.
If the services are altered during the term of the Agreement and such altered services involve new or amended processing of personal data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change.
When processing personal data under this DPA, the Data Processor shall comply with any and all applicable data protection legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept to make any changes and amendments to this DPA that are required under applicable data protection legislation.
The Data Processor shall assist the Data Controller in fulfilling its legal obligations under applicable data protection legislation, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject’s rights to information regarding the processing of their personal data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of applicable data protection legislation.
The Data Processor shall immediately inform the Data Controller if the Data Processor does not have sufficient instructions for how to process personal data in a particular situation or if instructions provided under this DPA, in theData Processor’s reasonable opinion, violates applicable data protection legislation.
If data subjects, competent authorities or any other third parties request information from the Data Processor regarding the processing of personal data covered by this DPA, the Data Processor shall refer such request to the Data Controller. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party. In the event the Data Processor, according to applicable laws and regulations, is required to disclose personal data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately and shall request confidentiality in conjunction with the disclosure of requested information.
4. SUB-PROCESSORS
The Data Processor will engage the sub-processors set out in Appendix 1 for the purposes specified therein. The Data Processor undertakes to ensure that all sub-processors are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA.
In the event the Data Processor wants to engage a sub processor other than those specified in Appendix 1, the Data Processor shall without undue delay and at the latest 8 weeks prior to transferring any Personal Data to such sub-processor, inform the Data Controller, in writing, of the identity of such sub processor as well as the purpose for which it will be engaged. The information shall also include information about the location of sub-processor and may not involve transfer of the Personal Data outside of the European Economic Area unless approved by the Data Controller according to section 5 below.
The Data Processor shall be fully liable to the Data Controller for the performance of any sub-processor.
5. TRANSFER TO THIRD COUNTRIES
The location(s) of the personal data is set out in Appendix 1. The Data Processor may not transfer, or otherwise directly or indirectly disclose, personal data outside the European Economic Area without the prior written consent of the Data Controller (which may be refused or granted subject to such conditions as the Data Controller deems necessary) and provided that adequate protection of the Personal Data in the receiving country is secured. Unless otherwise agreed between the Parties, adequate protection in the receiving country shall be secured through an agreement incorporating the European Commission’s Standard Contractual Clauses (processors), Appendix 2.
6. INFORMATION SECURITY AND CONFIDENTIALITY
The Data Processor shall be obliged to take appropriate technical and organizational measures to protect the personal data which is processed and shall thereby, inter alia, follow any written information security requirements or policies communicated by the Data Controller from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
- existing technical possibilities;
- the costs for carrying out the measures;
- the particular risks associated with the processing of personal data; and
- the sensitivity of the personal data which is processed.
The Data Processor shall maintain adequate security for the personal data and shall continuously review and improve the effectiveness of its security measures. The Data Processor shall protect the personal data against destruction, modification, unlawful dissemination, or unlawful access. The personal data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Data Processor shall immediately notify the Data Controller of any accidental or unauthorized access to personal data or any other actual, threatened or potential security incidents (personal data breach) upon becoming aware of such incidents. The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact pointwhere more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the Data Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- include any other information available to the Data Processor which the Data Controller is required to notify to the Data Protection Authorities and/or the data subjects.
The Data Processor will furthermore provide the reasonable assistance requested by the Data Controller in order for the Data Controller to investigate the personal data breach and notify it to the Data Protection Authorities and/or the data subjects as required by applicable data protection legislation. This includes inter alia an obligation to document the personal data breach (e.g. circumstances, impacts and remedial actions).
The Data Processor undertakes to not disclose or otherwise make the personal data processed under this DPA available to any third party, without the Data Controller’s prior written approval. Notwithstanding the above, disclosure to a sub-processor listed in Appendix 1 or subsequently notified to the Data Controller in accordance with section 4.2 above is permitted. This section 6.4 shall not apply if the Data Processor is required by applicable laws and regulations to disclose personal data that the Data Processor processes on behalf of the Data Controller, in which case what is set out in section 3.5 shall apply.
The Data Processor undertakes to ensure that access to personal data under this DPA is restricted to those of its personnel who directly require access to the personal data in order to fulfill the Data Processor’s obligations in accordance with this DPA and the Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor) (i) has the necessary knowledge of and training in the applicable data protection legislation to perform the contracted services; and is bound by a confidentiality obligation concerning the personal data to the same extent as the Data Processor in accordance with this DPA.
The duties of confidentiality set forth in this section 6 shall survive the expiry or termination of the DPA.
7. AUDIT RIGHTS
The Data Controller shall be entitled to take measures necessary to verify that the Data Processor is able to comply with its obligations under this DPA, and that the Data Processor has undertaken the required measures to ensure such compliance. The Data Processor undertakes, at its own cost, to make available to the Data Controller all information and all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
8. PENETRATION TEST
The Data Controller will, at any time and subject to reasonable advance written notice to the Data Processor, be entitled to conduct an audit of the solutions supplied by the Data Processor under the Agreement (“Penetration Test”). Such Penetration Test can be carried out either directly by the Data Controller or through an independent auditor.
If the result of the Penetration Test reveals any security violation, the Data Processor shall assume the costs derived from installing patches for the security applications and operating systems related to solving the vulnerable points based on the latest available security updates, as well as those costs derived from audits subsequent to the installation of patches for the security applications and operating systems, to the extent that said Penetration Test revealed the existence of any violation of information security.
The compensation under 8.2 shall be in addition to any other remedy that may be available to the Data Controller pursuant to this DPA, the Agreement and/or applicable law.
9. INDEMNIFICATION
Liability under this DPA shall be settled in accordance with the provisions of the Agreement.
10. TERM
The provisions in this DPA shall apply as long as the Data Processor processes personal data for which the Data Controller is the data controller.
11. NOTICES
Any notice or other communication to be provided by one Party to the other Party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
12. MEASURES UPON COMPLETION OF PROCESSING OF PERSONAL DATA
Upon expiry of this DPA, the Data Processor shall delete or return all personal data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any sub-processor does the same.
Upon request by the Data Controller, the Data Processor shall provide a written notice of the measures taken with regard to the deletion or return of the personal data upon the completion of the processing.
13. COMPENSATION
The Data Processor shall not be entitled to any separate compensation for carrying out its obligations under this DPA. The fees for the services provided by the Data Processor are set forth in the Agreement.
________________
This DPA has been executed in two (2) identical copies of which the parties have taken one each.
