This Data Processing Agreement (“DPA”) is an addendum to the Agreement between the Company and the Customer, which describes the parties’ respective roles for the processing and control of the Personal Data that the Customer provides to the Company as part of the Subscription Service. Any capitalized term not defined herein shall have the meaning ascribed to it in the Agreement. This DPA will terminate automatically with the termination or expiration of the Agreement. Nothing in this DPA shall affect the application of the governing law and jurisdiction under the Agreement, which applies to all claims brought under the Agreement and this DPA.
1. DEFINITIONS
“Affiliate” means any legal entity that a party controls, that controls a party, or that is under its common control. For the purposes of this definition, “control” means more than 50% interest in an entity.
“Agreement” means the agreement between the Company and the Customer for the provision of Subscription Service.
“Company” means the Company legal entity identified in the relevant Order Form and/or SOW.
“Company Group” means Dilicheck S.L. and its Affiliates.
“Customer” means the customer legal entity identified in the relevant Order Form and/or SOW.
“Data Protection Legislation” shall mean any applicable laws, regulations, directives, or guidelines governing the protection, processing, storage, transfer, or security of personal data, privacy, or data subjects’ rights in any jurisdiction where the parties operate or provide services. This includes, but is not limited to, the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”), and any other applicable data protection or privacy laws of similar nature in any jurisdiction where Personal Data is processed under this Agreement, and any other current or future laws and regulations of similar nature (all as amended, updated or re-enacted from time to time).
“Data Subject” means any natural person who can be identified, directly or indirectly, through the use of personal data, including but not limited to individuals such as customers, employees, users, contractors, or any other identifiable persons.
“Personal Data” means any information, in any form, relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to one or more factors, including but not limited to a name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses” means the standard contractual clauses for data transfers from controllers in the European Economic Area to processors established outside the European Economic Area, issued by the European Commission in affect as at the date of this DPA, as provided in http s : / / e ur – l ex . eu r o p a . eu / l eg a l –c o n t e n t /EN / T X T /P D F /? u r i = C E L E X : 32021 D 0914
“Third Country” means any country without a system ensuring adequate protection.
2. SCOPE OF THE DPA
With respect to any Personal Data provided by the Customer to the Company as part of the Agreement, the Company acts as the Processor and the Customer acts as the Controller.
3. PROCESSING OF PERSONAL DATA
- To the extent that the Company is as a Processor acting on behalf of the Customer, for the purposes of the Agreement:
- the type of Personal Data and categories of Data Subjects are: first name, last names, email address, phone numbers, postal (mailing) address; and
- the nature/purpose of the Processing is to enable the Company to provide EU Representative services under Article 27 GDPR, including handling and facilitation of data subject requests and the duration of the Processing shall be the term of the Agreement.
- the Company shall comply with its obligations under the Data Protection Legislation and shall, in particular:
- process the Personal Data only to the extent necessary for the purposes specified herein, and in accordance with the Customer’s written instructions where applicable;
- implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to ensure a level of security appropriate to the risks that are presented by such Processing;
- process any Personal Data in a Third Country through another the Company Group entity or subcontractors only subject to the terms of Standard Contractual Clauses;
- ensure that any employees or other persons authorized to Process the Personal Data are subject to appropriate obligations of confidentiality;
- not engage any third party to carry out its Processing obligations under this agreement without obtaining the Customer’s prior written consent, and for the purposes of this sub-section (v), the parties agree that the Licensor may engage its hosting partner to carry out its Processing obligations in accordance with the Agreement and a Company Group entity may also carry out Processing obligations in accordance with sub-section (ii) above;
- notify the Customer as soon as reasonably practicable, about any right to know request or complaint received from Data Subjects without responding to that request (unless authorized to do so by the Customer or as per applicable law) and assist the Customer by technical and organizational measures, insofar as reasonably possible, for the fulfilment of the Customer’s obligations in respect of such requests and complaints;
- on request by the Customer, and taking into account the nature of the Processing and the information available to the Company, assist the Customer in ensuring compliance with its obligations under the Data Protection Legislation (where applicable) with respect to: (a) implementing appropriate technical and organizational measures; (b) where relevant, notifying Personal Data breaches to the relevant supervisory authority and/or communicating such breaches to the Data Subject in accordance with applicable Data Protection Legislation; and (c) where necessary, carrying out and/or reviewing and, if applicable, consulting with the relevant supervisory authority with respect to data protection impact assessments;
- on request by the Customer, make available all information necessary to demonstrate the Company’s compliance with this paragraph 3; and
- on termination or expiry of the Agreement, destroy all Personal Data and delete all existing copies of such Personal Data, except as required by applicable law.
4. CUSTOMER OBLIGATIONS
The Customer confirms that it has the necessary authority (where required) from all relevant Data Subjects for the Company to use and process such Personal Data in accordance with the Agreement. The Customer shall comply with all applicable Data Protection Legislation, including: (i) providing all required notices and appropriate disclosures to all Data Subjects regarding the Customer’s, the Company’s, and any third parties acting on the Customer’s behalf, collection, use, Processing and transfer of Personal Data; (ii) obtaining all necessary rights and enforceable consents from the Data Subjects to permit Processing by the Company of Personal Data for the purposes of fulfilling the Company’s obligations, or as otherwise permitted, under the Agreement, and (iii) obtaining express consents from Data Subjects and complying with all applicable Data Protection Legislation, if the Customer collects or transfers any special categories of personal data. The Customer acknowledges that the Company’s Subscription Services are not designed to collect or process any special categories of personal data.
5. INTERNATIONAL TRANSFER OF DATA
- The parties acknowledge that the provision of the Services may involve the transfer of Personal Data from the European Economic Area (“EEA”) to jurisdictions outside the EEA that do not provide an adequate level of data protection within the meaning of applicable Data Protection Legislation (“Third Countries”). The Processor shall ensure that any such transfers are carried out in compliance with applicable Data Protection Legislation and are subject to appropriate safeguards designed to ensure that Personal Data remains protected to a standard substantially equivalent to that required under the GDPR.
- Transfers from Processor to Controller
To the extent that the Processor transfers Personal Data to the Controller in a Third Country in connection with the Services:
(a) the parties agree that such transfers shall be governed by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914);
(b) the parties specifically agree that Module 4 (Processor to Controller) of the Standard Contractual Clauses shall apply;
(c) the Processor shall act as the data exporter and the Controller shall act as the data importer for the purposes of the Standard Contractual Clauses;
(d) the Standard Contractual Clauses are hereby incorporated into this DPA by reference and are set out in full in Annex IV and shall form an integral part of this Agreement.
- Transfers to Sub-processors
Where the Processor engages Sub-processors located in Third Countries:
(a) the Processor shall ensure that such transfers are subject to appropriate safeguards in accordance with Data Protection Legislation;
(b) where applicable, such safeguards shall include the execution of the Standard Contractual Clauses, including Module 3 (Processor to Processor), between the Processor and the relevant Sub-processor;
(c) the Processor shall impose on all Sub-processors contractual obligations that are no less protective than those set out in this DPA;
(d) the Processor shall remain fully liable to the Controller for the performance of its Sub-processors’ obligations.
- Additional Safeguards and Transfer Impact Assessments
The Processor shall:
(a) implement appropriate technical and organisational measures to protect Personal Data during transfer and subsequent processing, including, where appropriate such as encryption in transit; access controls; data minimisation measures;
(b) assess, on a case-by-case basis where required, whether the laws and practices of the Third Country may affect the effectiveness of the safeguards implemented, including the Standard Contractual Clauses;
(c) upon reasonable request, provide the Controller with information reasonably necessary to demonstrate compliance with this Clause, including relevant aspects of any transfer impact assessment.
- Changes in Legal Framework
If (a) the Standard Contractual Clauses are invalidated, amended, or replaced; or (b) a competent supervisory authority or court determines that the safeguards relied upon are no longer adequate, the parties shall cooperate in good faith to implement alternative transfer mechanisms or supplementary measures required to ensure compliance with Data Protection Legislation; and if no such mechanism can be implemented, the Controller may suspend or terminate the affected transfers without penalty.
- Priority of Safeguards
In the event of any conflict between this DPA; and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent required to ensure compliance with applicable Data Protection Legislation.
6. SUB-PROCESSOR
- The Customer agrees that the Company may engage third party sub-processors (collectively, “Sub-processors”), as well as the Company Group entities, to process the Personal Data on the Company’s behalf. The Company’s current Sub-Processors are listed herein and will be updated from time to The Company will make reasonable efforts to notify the Customer with any material changes to its Sub-processors, thereby giving the Customer the opportunity to raise any reasonable objection to such changes. If Customer can reasonably show that the appointment of a new Sub-processor will have a material adverse effect on the Company’s ability to comply with applicable Data Protection Legislation, then Company must promptly notify the Company in writing within fifteen (15) business days thereafter of its reasonable basis for objection to the use of a new Sub-processor.
- Upon receipt of the Customer’s written objection to a material change to the Company’s Sub-processors, the Customer and the Company will work together without unreasonable delay to recommend an alternative arrangement. If all the following conditions apply, a) a mutually acceptable and reasonable alternative arrangement is not found; b) the Customer has a termination right under applicable Data Protection Legislation, and c) the Customer has provided prompt written notice under this Section, then the Customer may terminate the Agreement only with respect to those services that cannot be provided by the Company without the use of the new Sub- processor. Unless prohibited by applicable Data Protection Legislation, in the event of such early termination by the Customer, the Company can retain or require payment for services through the end of the Customer’s current contract term of the Agreement for the terminated services.
- The Company shall impose similar data protection terms on such Sub-processor and shall remain liable for any breach of the DPA caused by a Sub-processor to the extend such breach is caused due to any negligent acts or omissions of the Company.
7. AUDIT
Upon written request and subject to reasonable prior notice (not less than thirty days), the Company shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and to allow for and contribute to reasonable audits of its Processing facilities, including inspections, conducted by Customer, another independent auditor mandated by Customer, or by a supervisory authority. The Customer may conduct one audit or inspection of the Company’s Processing activities per twelve (12) month period, via a questionnaire followed by follow-up call as required, unless otherwise required by applicable Data Protection Legislation or in the event of a confirmed Personal Data Breach affecting the Customer’s Personal Data. The Company agrees that supervisory authorities have the right to conduct an audit of the Company’s Processing facilities in the same scope and subject to the same conditions as the supervisory authority would apply to an audit of a Controller under applicable Data Protection Legislations. The Company shall promptly inform the Customer about the existence of legislation applicable to it or any approved Sub-Processor preventing the conduct of an audit pursuant to this paragraph. In such case, the Customer shall be entitled to suspend the transfer of any Personal Data.
8. LIABILITY
Each Party’s liability under this DPA shall be subject to the limitations and exclusions set out in the Master Subscription and Services – Standard Terms or such similar agreements executed between the Parties.
9. GOVERNING LAW
This DPA shall be governed by the laws specified in the Subscription and Services – Standard Terms or such similar agreement executed between the Parties.