Data processing agreement between
1. BACKGROUND AND PURPOSE
The parties have entered into a contract regarding distribution of content through Joymo («Main Agreement»).
For the purposes of fulfilling the Main Agreement, the Processor will process certain personal data on behalf of the Controller. This data processing agreement («DPA») shall be subject to the terms of the Main Agreement and shall set forth the terms and conditions pursuant to the Applicable law, in order to secure that personal data of data subjects are not unduly used or accessible by unauthorized persons.
The term “Applicable law” shall mean EU’s General Data Protection Regulation (“GDPR”) or other future EU legislation, national or internationally binding data protection laws or regulations that govern the Controller or the Processor. “Applicable law” includes any binding guidelines, opinions or decisions of regulatory bodies, courts, or other bodies.
All data privacy related terms used in this DPA shall have the same meaning as set out in GDPR article 4, and all other capitalized terms shall have the same meaning as set out in the Main Agreement. Any reference to “Controller” shall be construed as referring to “Customer” in the Main Agreement and references to “Processors” shall be construed as “Supplier”.
2. PROCESSING OF PERSONAL DATA
Obligations. The Processor shall process all personal data pursuant to this DPA at all times. Further, the Processor shall implement appropriate technical and organizational measures in such a manner that (i) the processing of personal data under this DPA meets the requirements of Applicable law and (ii) ensures the protection of the rights and freedoms of the data subjects.
Instructions. The Processor undertakes to only process personal data in accordance with documented instructions communicated by the Controller, unless required to do so pursuant to Applicable law. The Processor shall at any time be able to demonstrate specific instructions from the Controller. The Controller’s initial instructions to the Processor are set forth in Appendix 1. The Processor shall immediately inform the Controller if (i) the Processor believes that an instruction given by the Controller is violating Applicable law, or (ii) the Processor does not have an instruction for how to process personal data in a particular situation. The Processor accepts that the Controller may change its instructions to the Processor, as well as make any changes in this DPA due to changes in Applicable law.
Assistance. The Processor shall provide seasonable assistance to the Controller (at the Controller’s expense where the scope, frequency or volume of requested assistance exceeds that which the Processor could have reasonably foreseen or anticipated before entering into the Agreement, to be agreed in advance) to enable the Controller to: (a) respond to requests for exercising the data subject's rights under Applicable law to request access, rectification, restriction of processing, erasure or to receive a copy of the personal data that is processed; (b) respond to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Controller’s personal data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Processor, the Processor shall promptly inform the Controller, providing full details of the same; and (c) conduct any data protection impact assessment that it is required to undertake under Applicable law.
Third party requests. If data subjects, competent authorities or any other third parties request information from the Processor regarding the processing of personal data covered by this DPA, the Processor shall refer such request to the Controller. The Processor may not, without prior instructions from the Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party except for as set out in this DPA and as required by Applicable law. In the event the Processor, according to Applicable law, is required to disclose personal data that the Processor processes on behalf of the Controller, the Processor shall, to the extent legally permitted, be obliged to inform the Controller thereof without undue delay and request confidentiality in conjunction with the disclosure of requested information. The Processor may not in any way act on behalf of, or as a representative of, the Controller.
Privacy by design and data portability. If the Processor designs the systems etc. that process the personal data pursuant to this DPA, the Processor shall ensure that the systems etc. are designed in accordance with the requirements for privacy by design and data portability in accordance with Applicable law.
Transparency. The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable law. The Processor shall, upon reasonable notice (no less than thirty (30) days) and not more than once a year (unless there is a material security breach) allow for and contribute to audits of its procedures and documentation, including on-site inspections, conducted by the Controller or a third party authorized by Controller (excluding a OneTrust Competitor) during business hours in order to ascertain compliance with the obligations set forth in this DPA. For the avoidance of doubt, the scope of such audit shall be limited to documents and records allowing the verification of Processor’s compliance with the obligations set forth in this DPA and shall not include financial documents or records of Processor or any documents or records concerning other customers of Processor.
Auditor’s statement. At the request of the Controller the Processor shall provide an ISO27001 or equivalent auditor’s statement to the Controller. This auditor’s statement shall, unless otherwise stated by the Controller, provide a detailed statement regarding the extent to which the Processor’s technical and organizational measures are in line with the ISO27001 standards. The Auditor’s statement must be delivered to the Controller as soon as possible, and no later than 1 month after the Processor has received the Controller’s request. If the auditor’s statement reveals discrepancies, the statement shall also state implemented or proposed measures to correct the discrepancies.
Correction, erasure, and return. Following termination or expiry of the Main Agreement, the Processor shall, in accordance with the Controller’s request or instruction, erase or return all personal data that the Processor has processed on behalf of the Controller pursuant to this DPA. This applies unless Applicable law requires further storage of the personal data or to the extent it has archived such data on back-up and support systems, provided that Processor shall securely protect such data in accordance with this DPA. Back-ups shall not be kept for more than sixty (60) days.
3. SUB-PROCESSORS
Consent. The Processor may not engage sub-processors without prior written notice to the Controller. The same applies if the Processor wants to change sub-processors. Any approvals given by the Controller pursuant to this DPA are set out below.
Sub-processor agreements. Liability. The Controller consents to the Processor engaging sub-processors to process personal data described in this DPA for the purposes described in the Main Agreement (or as otherwise agreed in writing by the parties) (“Permitted Purpose”) provided that the Processor (i) maintains an up-to-date list of its sub-processors on the Processor Support Portal at support.onetrust.com (or any future support website used by the Processor), which it shall update with details of any change in sub-processors at least 30 days prior to any such change (except to the extent shorter notice is required due to an emergency) and notify the Controller of such change via the Processor’s support e-mail notification process; (ii) shall ensure that all sub-processors are bound by written agreements that require them to protect the personal data to the standard required by Applicable law and this DPA; and (iii) shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
The Controller may object to the Processor's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the Controller may suspend or terminate the Main Agreement and this DPA (without prejudice to any fees incurred by the Controller prior to suspension or termination). For the purposes of providing the Subscription Services and Software, the Controller agrees to processing by the Processor and its Affiliates and the use by the Processor of the sub-processors identified in Appendix 1 to this DPA.
4. TRANSFER TO THIRD COUNTRIES
Requirement for consent. If any personal data originates from the European Economic Area ("EEA") under this DPA, the Processor shall not transfer the data outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable law. Such measures may include (without limitation) transferring the data to a recipient (a) in a country that the European Commission has decided provides adequate protection for personal data, (b) that has achieved binding corporate rules authorization in accordance with Applicable law, or (c) that has executed standard contractual clauses adopted or approved by the European Commission.
If any data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and the Customer has informed the Processor of such data transfer restrictions or prohibitions, the Controller and the Processor shall ensure that an appropriate transfer mechanism (satisfying the country’s data transfer requirement(s)) is in place, as reasonably requested by the Controller and mutually agreed upon by both Parties, before transferring or accessing the data outside of such country.
5. INFORMATION SECURITY AND CONFIDENTIALITY
General. The Processor shall take appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect the personal data which is processed under this DPA.
Adequate security. The Processor shall maintain adequate security for the personal data appropriate to the risk of the processing (as specified in Article 32 of the EU General Data Protection Regulation) to protect the personal data against destruction, modification, unlawful dissemination, and unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Processor shall implement the following technical and organizational measures:
a) Pseudonymization and encryption of personal data;
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;
c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Processor shall always maintain a level of security in accordance with best industry practice.
Records. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller to the extent notified to it by the Controller or as included as part of the Subscription Services. The Processor shall prepare and keep updated a description of its technical, organizational, and physical measures to be, and maintain, compliant with Applicable law.
Duty of confidentiality. The Processor may not, without prior written approval from the Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party. This applies with the exception of sub-processors engaged pursuant to this DPA.
The Processor shall be obliged to ensure that only persons that directly require access to personal data in order to fulfil the Processor’s obligations in accordance with the Main Agreement have access to such information. The Processor shall ensure that any person involved in the processing of personal data is committed to confidentiality or is under a proper statutory obligation of confidentiality.
The above-mentioned duty of confidentiality towards the personal data processed under this DPA shall survive the expiry or termination of the DPA.
6. HANDLING OF PERSONAL DATA BREACH
In case of a personal data breach involving personal data processed on behalf of the Controller, the Processor shall assist the Controller in ensuring compliance with the Controller’s data breach reporting obligations pursuant to Applicable law, including article 33 in the GDPR. The Processor shall notify the Controller in writing without undue delay after becoming aware of such a personal data breach. The notification shall as a minimum:
a) Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
b) Contain the name and contact details of the contact point where more information can be obtained;
c) Describe the likely consequences of the personal data breach;
d) Describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The contact details for notification of a personal data breach are set forth in clause 11 in this DPA.
7. TERM AND TERMINATION
Term. Unless otherwise stated, this DPA applies as long as the Processor processes personal data on behalf of the Controller under the Main Agreement.
Termination. If a party materially breaches its obligations under the DPA, the non-breaching party may terminate this DPA in accordance with the Main Agreement. The party seeking termination shall provide the other party with prior written notice with details of the breach and a deadline of 30 (thirty) days to resolve the breach. If the breach is not corrected within the time limit stated in the written notice, this DPA is deemed terminated upon expiry of the said deadline. The Processor’s non-fulfilment of Applicable law and the Processor’s non-fulfilment of the obligations in clause 2 shall always be deemed a material breach of this DPA. A material breach of this DPA shall also be deemed a material breach of the Main Agreement.
Cease of further processing. Regardless of the termination clauses, the Controller may instruct the Processor and any sub-processor to cease all its processing activities with immediate effect when the Processor has breached Applicable law, this DPA or instructions pursuant to this DPA.
8. EFFECT OF TERMINATION
Upon termination of this DPA the Processor shall (i) cease all its processing activities and (ii) according to the Controller’s choice, delete and/or return all personal data or copies thereof which are processed on behalf of the Controller pursuant to this DPA. The duty to delete applies as long as Applicable law does not require the personal data to be stored, and it shall not apply to the extent the Processor has archived such data on back-up and support systems, provided that the Processor shall securely protect such data in accordance with this DPA.
Regardless of the reason for the termination of this DPA the Processor shall, upon the Controller’s written request, accept to postpone the effective termination of this DPA so that the Controller may secure its data before they are returned and/or deleted.
The Processor shall within 2 (two) weeks after the termination of this DPA, on its own initiative, provide the Controller with written documentation confirming that deletion and/or destruction has been made in accordance with the above.
The Processor's right to compensation is fully regulated in the Main Agreement. The Processor will not be entitled to any additional compensation for carrying out its obligations under this DPA.
The liability of the parties for damage suffered by data subjects or other third parties and which results from breach of Applicable law, follows from the provisions of Article 82 of the GDPR.
Any limitations of liability in the Main Agreement shall not apply to liability arising out of Article 82 of the GDPR. The parties' liability for administrative fines follows from the provisions of Article 83 of the GDPR.
Except as set forth above, each party's liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Main Agreement. In no event shall either party's liability for a breach of this DPA exceed the liability cap set out in the Main Agreement. Neither party limits or excludes any liability that cannot be limited or excluded under applicable law (such as for fraud).
All notices under this DPA shall be sent in writing to: Processor: firstname.lastname@example.org
Notification of a personal data breach, cf. clause 6 in this DPA, shall be directed to: email@example.com