Data Processing Agreement
This Data Processing Agreement ("DPA") and its Appendix apply to the GROUP MEMBER's processing of personal data (acting as "Processor") on behalf of the Customer under Art 28 General Data Protection Regulation ("GDPR"). This DPA is subject to the terms of the Agreement. In the event of conflict, the order of precedence is: 1. DPA Appendix, 2. this DPA, 3. the Agreement. Capitalized terms under data protection law used and not defined herein (e.g. “Processing”, “Data Subject”) have the meanings given to them in the GDPR.
The subject matter, nature and purpose of the Processing are determined by Processor's deliverables as described in the Order Document, including any applicable SOW, and as supplemented in the DPA Appendix. Unless otherwise provided for in the Order Document or in the DPA Appendix, the duration of the Processing is linked to the duration of the Agreement as defined in the Order Document and ends at the same time.
2. Rights and obligations of the Processor towards the Controller
Customer is the sole controller within the meaning of Art 4 lit 7 GDPR with respect to any kind of information relating to data subjects who are identified or identifiable as defined in Art 4 lit 1 GDPR and that is processed by Processor in order to provide the Services as defined above. Insofar as further controllers exist, such controllers have instructed and authorised Customer to agree to the Processor's processing of Customer's personal data.
Processor is obliged to process personal data and any processing results in compliance with Controller's documented instructions as well as the applicable (data protection) laws and only to the extent necessary for the performance of the deliverables. Changes to the agreed Processing shall be settled between the parties (particularly as set forth in an applicable change request procedure). To the extent such changes require significant increases in Processor's Processing, Sec 2.11 applies.
Controller is responsible for the lawfulness of the Processing. If Processor, irrespective of the foregoing, considers an instruction to violate the GDPR or other applicable data protection regulations, it will inform Controller without undue delay and may suspend the performance of the instruction until Controller has modified or confirmed its lawfulness via email to email@example.com. Processor is entitled to conduct non-personal and statistical evaluations based on the personal data provided by the Controller for the own purposes of the Processor as well as for the purposes of third parties.
Processor confirms that all persons engaged in any processing of data have been bound to a confidentiality obligation pursuant to Sec 6 DSG 2018 and Art 28 Para 3 lit b GDPR prior to accessing the data.
Processor declares that preventive measures, in particular as prescribed in Art 32 GDPR and appropriate to the risk within Processor's scope of responsibility, have been implemented, particularly to prevent data from being used unlawfully or from being disclosed to third parties without Controller's prior written authorization. Processor has implemented and maintains technical and organizational security measures ("TOMs") in its scope of responsibility. However, the specific data security measures may, depending on the processing activity, be adapted and updated by the Processor on its own behalf and in line with the applicable statutory provisions, provided that the security and functionality of the processing are not degraded. Controller can request the current TOMs from the Processor at any time via email to firstname.lastname@example.org.
Controller confirms that it has implemented and maintains appropriate TOMs in its own scope of responsibility.
Controller hereby grants Processor a general written authorization in accordance with Art 28 Para 2 GDPR to engage third parties for processing ("Subprocessor"). Processor shall inform Controller in due time of any engagement of a Subprocessor in order to enable Controller to object to its engagement pursuant to Art 28 Para 2 GDPR via email to email@example.com. Controller may only object on legitimate grounds, to be laid down in its objection together with any options to mitigate. Processor shall enter into a written agreement with each Subprocessor pursuant to Art 28 Para 4 GDPR and shall impose on each Subprocessor substantially similar data protection obligations as set out in this DPA.
Processor assists Controller, insofar as this is possible, by technical and organisational measures enabling Controller to secure Data Subjects' rights (e.g. the right of access, to rectification, to erasure or to object). Processor will provide Controller with the information required for this purpose upon request via email to firstname.lastname@example.org. In case Processor is directly contacted by Data Subjects concerning their rights resulting from data protection laws, it will forward the respective request to Controller without undue delay. Controller is responsible for answering the request. Processor will handle requests of Data Subjects only upon Controller's prior documented instruction via email to email@example.com.
If a Data Subject brings a claim directly against Processor for a violation of its Data Subject rights which is not solely in Processor's responsibility, Controller shall indemnify Processor for any damages, in particular costs, charges, expenses or losses, arising in connection with such a claim. Corresponding to Processor's share of responsibility for a damage and subject to the terms of the Agreement, including its limitations of liability, Controller may claim back from Processor compensation paid to a Data Subject for a violation of their Data Subject rights caused by Processor's breach of its obligations under the GDPR.
Claims for reimbursement under this Section require that the party against which the Data Subject's claim is brought has informed the other party of the claim and given it the opportunity to cooperate in its defense and settlement.
Processor shall assist Controller in ensuring compliance with the obligations pursuant to Art 32 to 36 GDPR to a reasonable extent taking into account the nature of the Processing and the information available to Processor.
In particular, Processor shall notify Controller without undue delay after becoming aware of a personal data breach with respect to the Processing, for which purpose Processor has implemented a data breach notification management system. Controller shall remain solely responsible towards Supervisory Authorities and Data Subjects under Art 33 and 34 GDPR and, based on the information provided by Processor, shall decide at its sole discretion whether a notification to a Supervisory Authority and/or Data Subjects is required. Any liability of Processor is excluded if Controller fails to submit (in due time) a legally required notification despite Processor's timely information.
After termination of the Services, Processor shall, in principle, delete all respective personal data in its possession. At Controller’s choice and upon its timely instruction, Processor will return a copy of such personal data in a reasonable format. However, subject to prior anonymization, Processor is entitled to conduct non-personal evaluations concerning the data provided by the Controller for the own purposes of the Processor or third parties.
Pursuant to Art 28 Para 3 lit h GDPR, Processor assists Controller and provides it, or another auditor mandated by Controller (if under an appropriate statutory or contractual obligation of confidentiality towards Processor), with any information necessary to verify adherence to the duties set out in this DPA, as follows:
(i) Processor primarily provides Controller or its auditor with the most recent security documentation, certifications and/or summary third party audit reports conducted to assess and evaluate the effectiveness of the TOMs and, if requested by Controller, will further cooperate by providing additional information for Controller’s better understanding of such documentation.
(ii) If necessary for Controller's compliance with its own audit obligations or with a competent Supervisory Authority’s request, Processor will, upon Controller’s written notification of such necessity, undertake all efforts to provide Controller with such further information.
(iii) Insofar as it is impossible to comply with mandatory audit obligations by any other means, Controller or its mandated auditor may conduct an onsite visit restricted to the facilities used to provide the Service, during Processor's ordinary business hours and in a manner that causes minimal disruption to Processor's business. In advance of such a visit, the Parties shall coordinate a reasonable date as well as security and confidentiality measures in order to reduce any risk to Processor's other customers. For that purpose, Processor reserves the right to impose reasonable limitations and/or require additional assurances from Controller on a case-by-case basis.
The Parties will bear their own costs with regards to subparagraph (i) above. Sec 2.11 applies to any further assistance under subparagraphs (ii) and (iii).
Processor is entitled to appropriate remuneration for any assistance and rendering of services under this DPA based on the hourly rates most recently agreed upon in writing. Controller shall submit all instructions, requests for assistance, enquiries and other communication towards Processor under this DPA via email to firstname.lastname@example.org.
This DPA shall be governed by the laws of the Republic of Austria, expressly excluding its conflict of law provisions.