Privacy Policy

Annex C: Data Processing Agreement Terms

These Data Processing Agreement Terms ("DPA") form an integral part of the AGREEMENT to the extent PROVIDER processes personal data of the CUSTOMER based on CUSTOMER's instructions under the Agreement. As per this DPA, CUSTOMER is acting as the controller of personal data as defined in the General Data Protection Regulation ("CONTROLLER") whilst the PROVIDER is acting as the processor as stipulated in the General Data Protection Regulation ("PROCESSOR"). Both are hereinafter collectively referred to as the "PARTIES" and individually a "PARTY".

Unless otherwise defined in this DPA, the definitions of the AGREEMENT apply to this DPA.

1. General Provisions

1.1 The PROCESSOR shall process personal data only on behalf of and in accordance with the documented instructions of the CONTROLLER, under and for the purposes of the AGREEMENT and in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any other applicable data protection laws.

1.2 The CONTROLLER has selected the PROCESSOR as a supplier in accordance with the duty of care under applicable data protection laws. This DPA constitutes the data processing agreement within the meaning of Art. 28 GDPR, governing the rights and obligations of the PARTIES with respect to data processing.

1.3 "PERSONAL DATA" or "DATA" means any information relating to an identified or identifiable natural person (hereinafter referred to as "DATA SUBJECT").

1.4 The term "PROCESSING" shall be understood in a broad sense and includes any operation carried out in connection with PERSONAL DATA such as collection, organization, storage, retrieval, use, disclosure, restriction, deletion or destruction.

1.5 "INSTRUCTION" means a documented instruction by the CONTROLLER to the PROCESSOR to perform a specific action regarding PERSONAL DATA.

1.6 The CONTROLLER retains all rights in the DATA. Upon termination, the PROCESSOR shall return or delete the DATA in accordance with this DPA.


2. Scope and Purpose of PROCESSING

2.1 The purpose of this DPA is to set out the scope and subject matter of the DATA PROCESSING carried out by the PROCESSOR on behalf of the CONTROLLER.

2.2 The PROCESSOR shall process PERSONAL DATA solely to the extent necessary for providing and operating the SOFTWARE under the Agreement and only in accordance with the CONTROLLER's INSTRUCTIONS.

2.3 The categories of DATA SUBJECTS and PERSONAL DATA are specified in Appendix 1.

2.4 Special categories of PERSONAL DATA under Art. 9 GDPR may only be processed where lawfully collected and instructed.


3. CONTROLLER's Rights and Obligations

3.1 The CONTROLLER determines the admissibility of PROCESSING.

3.2 The CONTROLLER may issue amended INSTRUCTIONS at any time.

3.3 DATA SUBJECTS' rights are exercised towards the CONTROLLER.

3.4 The CONTROLLER may inform the PROCESSOR of irregularities.


4. PROCESSOR's Obligations and Responsibilities

4.1 The PROCESSOR shall process DATA only within the scope of this DPA and the Agreement.

4.2 No copies shall be made except where necessary for service provision or legal compliance.

4.3 The PROCESSOR shall support supervisory authority inspections.

4.4 A Data Protection Officer shall be appointed where required by law.

4.5 The PROCESSOR shall inform the CONTROLLER if an INSTRUCTION is deemed unlawful.

4.6 Assistance shall be provided under Art. 32–36 GDPR.

4.7 DATA shall be corrected, deleted or blocked upon instruction.

4.8 Compliance procedures shall be implemented.

4.9 The CONTROLLER shall be informed if DATA becomes endangered.


5. Data Breach Notification

5.1 In the event of a breach of PERSONAL DATA, the PROCESSOR shall notify the CONTROLLER without undue delay and no later than 48 hours after becoming aware of the breach.

5.2 The notification shall include:

5.2.1 Description of the breach;
5.2.2 Categories and approximate number of DATA SUBJECTS concerned;
5.2.3 Contact details of the data protection officer;
5.2.4 Likely consequences;
5.2.5 Measures taken or proposed.

5.3 The PROCESSOR shall cooperate under Art. 33 and 34 GDPR.


6. DATA SUBJECTS' Rights

6.1 Requests shall be forwarded immediately to the CONTROLLER.

6.2 The PROCESSOR shall support the CONTROLLER in fulfilling such claims.


7. Sub-Processors

7.1 The PROCESSOR may engage sub-processors with general written authorization.

7.2 Sub-processors must provide sufficient guarantees.

7.3 The PROCESSOR remains fully liable.

7.4 International transfers require safeguards under Art. 44 GDPR.

7.5 The CONTROLLER may object within fifteen (15) days.


8. Audit Rights

8.1 Audits shall primarily be conducted remotely.

8.2 On-site audits shall be conducted only where justified.

8.3 Audits shall take place no more than once per year unless otherwise required.

8.4 Necessary compliance information shall be provided.


9. Data Secrecy

9.1 Confidentiality obligations apply.

9.2 Personnel must be appropriately trained.


10. Technical and Organizational Measures

10.1 Appropriate technical and organizational measures shall be implemented.

10.2 Measures may be updated provided protection levels are not reduced.

10.3 Documentation shall be provided upon request.

10.4 Significant changes shall be communicated.


11. Term

11.1 This DPA terminates automatically with the AGREEMENT.


12. Destruction, Deletion and Return of Data

12.1 Upon termination, no further use of DATA is permitted.

12.2 DATA shall be securely deleted (e.g., DIN 66399, NIST SP 800-88).

12.3 Deletion shall be documented upon request.

Appendices

Appendix 1: DATA SUBJECTS and Data Categories
Appendix 2: Sub-Processors
Appendix 3: Technical and Organizational Measures