1. GENERAL
1.1 The Customer is the controller for all personal data processing using the Software, unless specified otherwise in this Agreement. Within the framework of the Services, the Supplier will process personal data on behalf of the Customer as the processor. The object of the processing, the duration, nature and purpose of the processing, the type of personal data and categories of data subject affected by the processing are described in further detail in the Appendix – Description of the processing of personal data in the Services. The Customer is liable to ensure that all such personal data processing takes place in compliance with the personal data legislation in force from time to time, including the General Data Protection Regulation (EU 2016/679) (‘Applicable Legislation’).
2. GENERAL OBLIGATIONS OF THE SUPPLIER
1.2 In its role as processor, the Supplier must only process personal data in accordance with written instructions from the Customer under this Agreement, and any other documented instructions given by the Customer from time to time. Other instructions may be given to the Supplier by email or on a separate form. Instructions should contain information equivalent to that in the appendix to this Data Processing Agreement.
1.3 If the Supplier lacks instructions which the Supplier considers essential to carry out its assignment, the Supplier must inform the Customer without delay and await further instructions. If the Supplier finds that instructions contravene the Applicable Legislation, the Supplier must inform the Customer without undue delay. If, in such case, the Customer fails to provide further instructions to the Supplier, the Supplier must ignore the instructions and notify the Customer that it has done so. If the Customer maintains the unlawful instructions, the Supplier is entitled to terminate the Agreement prematurely as specified in the General Terms and Conditions – Supplier Ease.
1.4 Notwithstanding the provisions in sub-section 2.1 above, the Supplier is entitled to process personal data to the extent necessary to permit the Supplier to perform the obligations incumbent on the Supplier under the Applicable Legislation in force from time to time, for example to comply with orders by public authorities. However, before any such processing takes place, the Supplier must inform the Customer of the legal obligation unless mandatory legislation prevents the Supplier from providing such information.
1.5 If anyone requests information from the Supplier concerning the Customer’s processing of personal data, the Supplier must refer the request to the Customer by notifying the Customer’s System Administrator by email. The Supplier must not disclose personal data or other information on the processing of personal data without written instructions from the Customer. The Supplier is not entitled to represent the Customer or act on the Customer’s behalf in relation to any third party, including the supervisory authority.
3. TECHNICAL AND ORGANISATIONAL MEASURES
1.6 The Supplier must take the technical and organizational measures necessary under the Applicable Legislation to protect the personal data processed in the Services and at least the technical and organizational measures specified in the security appendix to this Agreement. The Customer’s prior consent is required if the Supplier wishes to make changes to the technical and organizational measures that would entail a lower level of security. The Parties agree that the technical and organizational measures taken must be subject to regular follow-up to ensure that they are appropriate to the risks associated with the processing of personal data.
1.7 At the request of the Customer, the Supplier must assist the Customer with information that the Supplier needs so that, where appropriate, the Customer is able to perform its obligations to carry out an impact assessment and prior consultation with the supervisory authorities concerned in respect of the processing that the Supplier performs on behalf of the Customer within the framework of the Services. The Supplier has prepared an impact assessment for the processing of personal data that the Supplier performs on behalf of the Customer and the Customer may receive a copy on request.
1.8 Where possible, the Supplier must assist the Customer by taking appropriate technical and organizational measures to permit the Customer to perform its obligation to respond to a request from a data subject to exercise their right under the Applicable Legislation. The Software has been designed to assist the Customer in this respect. Using special functionality, the Customer is able to manage requests from data subjects to exercise their rights under the Applicable Legislation itself.
1.9 The Supplier must ensure that access to personal data is limited only to the Supplier’s staff who need access so that the Supplier is able to meet its obligations to the Customer. Moreover, the Supplier must ensure that such authorised staff observe confidentiality as specified in Section 8 below through individual non-disclosure agreements.
4. PERSONAL DATA BREACHES
1.10 If a personal data breach (as defined in the Applicable Legislation) occurs, the Supplier must notify the Customer in writing via the Customer’s System Administrator without undue delay after the Supplier has learned of the breach and no later than within twenty-four (24) hours in accordance with the Supplier’s procedures from time to time. The notice must include information about the nature of the breach, the categories and number of data subjects and personal data items affected, the probable consequences of the breach and a description of the measures the Supplier has taken (where appropriate) to limit any negative effects of the breach to make it possible for the Customer to meet any obligation to notify the relevant supervisory authority of the personal data breach. If it is not possible, it is not necessary for all information to be provided at the same time. However, the Supplier must provide the Customer with the information as soon as it is available to the Supplier.
1.11 If it is probable that a personal data breach entails a risk to the privacy of the data subjects, the Supplier must, to the extent possible, take appropriate remedial action to prevent or limit any negative effects of the personal data breach immediately after the Supplier becomes aware of the personal data breach.
5. ACCESS TO INFORMATION, ETC.
1.12 The Supplier must continually document the measures taken by the Supplier to meet its obligations under this Data Processing Agreement. The Customer is entitled to receive the latest version of such documentation on request. For information on the processing of personal data within the framework of the Services, see the appendix to this Data Processing Agreement.
1.13 Moreover, the Supplier must enable and help the Customer or a third party appointed by the Customer to carry out an audit, including an inspection, of the technical and organizational measures taken by the Supplier to perform its obligations under this Data Processing Agreement. The Supplier must be given at least thirty (30) days’ notice of any such audit. All costs of the audit must be borne by the Customer, including any costs for the Supplier’s participation in the audit. The Customer must ensure that any third party that conducts the audit on behalf of the Customer observes confidentiality that is no less restrictive than that specified in Section 8 below. Corresponding provisions apply to the Customer’s request for an audit of a Sub-processor engaged by the Supplier in connection with the Services. See Section 6 below.
6. ENGAGING SUB-PROCESSORS
1.14 The Customer hereby accepts that the subcontractors engaged by the Supplier that are specified on the website indicated by the Supplier from time to time may process personal data on behalf of the Customer in connection with the Services (‘Sub-processors’). The Sub-processors engaged by the Supplier at the time at which this Agreement is made are also specified in the appendix to this Data Processing Agreement. The Customer also grants the Supplier general prior acceptance to engage new Sub-processors, provided that the Supplier ensures that the Sub-processors provide adequate guarantees that they will take appropriate technical and organizational measures to ensure that the processing meets the requirements of the Applicable Legislation.
1.15 The Supplier must make a Data Processing Agreement with each Sub-processor. Such a Data Processing Agreement must contain provisions equivalent to those in this Agreement and the Applicable Legislation.
1.16 If the Supplier intends to engage a new Sub-processor, the Supplier must notify the Customer of this intention by email to the Customer’s Contracts Officer. Such notice must include the Sub-processor’s identity (including the full company name, corporate identity number and address), the (geographical) location at which the Sub-processor will process personal data, the type of service the Sub-processor performs and the safeguards that will be applied by the Sub-processor to protect the personal data processed. The Customer is entitled, within two (2) weeks from the date of the notice, to object to the Supplier engaging the Sub-processor to process personal data on behalf of the Customer, in which case the Supplier and the Customer must jointly attempt to reach consensus. If they are unable to do so, the Agreement may be terminated prematurely as specified in the General Terms and Conditions.
7. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA AND PROCESSING OUTSIDE THE EU/EEA
1.17 The Customer hereby accepts that the Supplier may, where appropriate, transfer the Customer’s personal data outside the EU/EEA. However, any such transfer is permissible only if (i) the country has an adequate level of protection for personal data in accordance with a decision announced by the EU Commission that covers the processing of personal data, (ii) the Supplier ensures that there are appropriate safeguards in place such as standard data protection clauses, as adopted by the EU Commission, in light of the recipient country’s legislation or (iii) any other exemption in the Applicable Legislation permits the transfer.
1.18 If the Supplier transfers personal data outside the EU/EEA on the basis of standard data protection clauses, the Customer hereby grants the Supplier power of attorney to agree such standard clauses on behalf of the controller.
8. CONFIDENTIALITY
1.19 The following will also apply without any impact on the undertaking of confidentiality in Section 17 of the Agreement.
1.20 The Supplier must observe strict confidentiality about the personal data processed on behalf of the Customer. Consequently, the Supplier may not, directly or indirectly, disclose any personal data to any third party unless the Customer has approved this in writing, except where the Supplier is under a statutory obligation to disclose personal data or this is necessary for the performance of the Agreement. The Supplier accepts that this undertaking of confidentiality will continue to apply after the termination of the Agreement.
1.21 The Customer undertakes to observe strict confidentiality about all information that the Customer receives concerning the Supplier’s safeguards, procedures and IT systems or that is otherwise of a confidential nature, and also undertakes not to disclose to any third party any confidential information that originates from the Supplier or its Sub-processors. However, the Customer is entitled to disclose information that the Customer has an obligation to disclose by law or under the Agreement. The Customer accepts that this undertaking of confidentiality will continue to apply after the termination of the Agreement.
9. LIABILITY
1.22 If the Supplier suffers any loss or receives a claim as a consequence of the Supplier’s processing of personal data in accordance with the Customer’s instructions or as a consequence of the Customer having been in breach of sub-section 1.2, the Customer must indemnify the Supplier for any loss arising as a consequence of this. However, the Supplier is liable for performance of a Sub-processor’s obligations to the Customer if a Sub-processor fails to perform its obligations. No limitation of liability under this Agreement will be applied to the Customer’s liability under this appendix.
1.23 If the Customer’s further documented instructions for the processing of personal data are not supported by the Services or do not match the Supplier’s undertakings under the rest of the Agreement and the Supplier could not reasonably have expected them, and these requirements cause the Supplier to incur additional expenses, the Supplier is entitled to choose between terminating the Agreement with immediate effect or receiving compensation from the Customer for these expenses.
10. TERMINATION OF THE AGREEMENT
On termination of the Agreement, the Supplier must, at the Customer’s discretion, either return or erase all personal data that the Supplier has processed on behalf of the Customer. If the Customer does not make any such request within fourteen (14) days after the end of processing, the Supplier must securely erase the personal data. If the Customer has requested a backup in accordance with sub-section 18.5 of the General Terms and Conditions – Supplier Ease, the Supplier must, however, store backups for the period specified there, subject to the provisions in this Agreement. When the time limit specified in sub-section 18.5 of the General Terms and Conditions – Supplier Ease has been reached, the Supplier must securely erase the backups unless agreed otherwise with the Customer.