DATA PROCESSING AGREEMENT
1. BACKGROUND AND PURPOSE
1.1 This Data Processing Agreement is an Appendix to the Agreement between the Supplier and the Customer. This Data Processing Agreement covers all processing of personal data under and in connection with the Agreement.
1.2 This Data Processing Agreement is an integral and inseparable part of the Agreement and is subject to the terms and conditions of the Agreement.
2. DEFINITIONS
2.1 The terms used in this Data Processing Agreement shall have the meaning given to them in the General Data Protection Regulation (679/2016) of the European Union, as well as any applicable national data protection regulation.
2.2 “Agreement” means the Agreement between the Customer and the Supplier concerning the provision of the Service.
2.3 “Data Protection Regulation” means the General Data Protection Regulation (679/2016) of the European Union (“GDPR”), any other applicable national data protection provisions, and any regulations and instructions issued by the data protection authorities.
2.4 “Service” shall mean the Service defined in the Agreement as well as any other services agreed to be supplied to the Customer by the Supplier under the Agreement.
3. ROLES
3.1 Unless expressly agreed otherwise, the Customer is the controller of personal data processed under this Data Processing Agreement and the Supplier is a processor of such personal data.
3.2 The Supplier is never a controller of any personal data processed under this Data Processing Agreement. For clarity, the Supplier may be a controller for personal data it has collected under its applicable privacy policy, but such personal data is processed solely subject to the Supplier’s privacy policy.
4. NATURE AND PURPOSE OF PROCESSING
4.1 Nature and Purpose
4.1.1 The Supplier processes the controller’s personal data to provide the Service. During the provision of the Service the Supplier will process personal data for the purpose of supplying the Service to the controller.
4.2 Scope and Duration
4.2.1 The Supplier processes the controller’s personal data to the extent such processing is necessary for the purpose set out above. In any case, the Supplier will process the personal data for as long as the Agreement is in force and for as long as the Supplier’s obligation to store data for the controller remains in force after the term of the Agreement.
4.3 Types of personal data and categories of data subjects
4.3.1 Categories of data subjects may include controller’s or its end-customers’ or their service providers’ contact persons, employees, users, and clients.
4.3.2 Types of personal data include personal data that the controller or its users have submitted, stored, sent or received via the Service such as names, contact information, received services and data subject’s other attributes, the extent of which is determined by the controller.
5. RESPONSIBILITIES AND RIGHTS OF THE CONTROLLER
5.1 The controller shall take all necessary measures to ensure that the controller acts in full compliance with the Data Protection Regulation when the controller uses the Supplier to process personal data.
5.2 The controller has the right to give binding written instructions to the Supplier on the processing of personal data. The Parties note that the Agreement, and in particular this Data Processing Agreement, constitute the controller’s exhaustive binding instructions as regards the processing of personal data under the Agreement.
5.3 The controller shall be solely liable for having all the necessary rights, consents and agreements for the processing of personal data as described in the Agreement. The controller shall be responsible for the documentation of the processing. The controller shall also be responsible for communicating with the data protection authorities as well as providing them with all the necessary notifications. The controller is responsible for drafting necessary privacy notices and providing them to data subjects.
6. RESPONSIBILITIES AND RIGHTS OF THE PROCESSOR
6.1 The Supplier shall process personal data in compliance with the Data Protection Regulation and in accordance with the Agreement and the controller’s binding written instructions. The Supplier shall notify the controller without undue delay if the Supplier considers that the controller’s instructions infringe the Data Protection Regulation. In such event, the Supplier also retains the right to immediately stop following the controller’s instructions and cease all processing activities. The Supplier is entitled to postpone the processing until the controller either changes the instructions or until the Parties have otherwise reached an agreement on the relevant processing.
6.2 The Supplier shall keep the controller’s personal data confidential and shall not disclose such personal data to any third parties other than in accordance with the Agreement or use the personal data in any other way in contradiction with the Agreement. The Supplier shall also ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3 The Supplier shall implement all appropriate technical and organizational measures necessary to protect the personal data against unauthorized or unlawful processing and to protect the personal data against unintentional loss, change, destruction or damage. During the provision of the Service, the sensitivity of the personal data as well as the costs of the obtainable technical options will be taken into consideration in proportion to the special risks related to the processing. The controller shall notify the Supplier of all such information related to the personal data that could affect the organizational and technical measures pursuant to this Data Processing Agreement.
6.4 The Supplier shall assist the controller (taking into consideration the nature of processing) by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to and to fulfil requests from data subjects exercising their rights in accordance with the Data Protection Regulation.
6.5 The Supplier shall assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implementing security measures, managing personal data breaches, conducting data protection impact assessments and participating in prior consultations with the supervisory authority), taking into account the nature of the processing and the information available to the Supplier.
6.6 The Supplier shall make available to the controller all information reasonably necessary for the controller to demonstrate its compliance with the obligations of a controller.
6.7 The Supplier shall inform the controller without delay of all requirements and inquiries made by data subjects or data protection authorities concerning the controller’s personal data. The Supplier shall have no obligation to represent the controller nor to act on behalf of the controller with respect to data protection authorities.
7. PERSONAL DATA BREACHES
7.1 The Supplier shall inform the controller of all personal data breaches related to the Service without undue delay after receiving such information.
7.2 The Supplier shall without undue delay provide the controller with all relevant information related to the relevant personal data breach. If available, the following information shall be attached to the notification:
7.2.1 a description of the data breach and the circumstances leading to the breach;
7.2.2 a description of the nature of the personal data breach, including, when possible, the sets of data subjects and the estimated number affected by the breach as well as the sets of personal data types and the estimated number affected by the breach;
7.2.3 a description of the likely consequences caused by the personal data breach; and
7.2.4 a description of the reparative measures taken or planned to be taken to avoid such personal data breaches in the future, and when necessary, the measures taken to minimize the harmful effect of the data breach.
7.3 The Supplier shall examine all the circumstances that led to the personal data breach and enact reparative measures to minimize the harmful effects of the personal data breach and to prevent personal data breaches in the future. The Supplier shall document this process and report the results and the measures carried out to the controller. The controller is responsible for providing all the necessary notifications to data protection authorities.
8. AUDIT RIGHTS
8.1 The controller has the right, at its own cost, to audit the Supplier’s and its sub-processor’s compliance with this Data Processing Agreement. Unless otherwise agreed, the controller shall appoint an independent third-party expert as an auditor. The auditor cannot be a competitor of the Supplier. The Supplier has the right to reject an auditor that does not meet this criterion.
8.2 The controller shall notify the Supplier of the audit no less than two (2) weeks in advance. The controller and the Supplier shall agree on the specifications and time of the audit ahead of time and no later than fourteen (14) workdays before the audit. The auditor shall commit to confidentiality prior to the commencement of the audit. The level of the confidentiality obligations shall be at least the same as those agreed in the Agreement.
8.3 The audit shall be performed in a way that does not disrupt the performance of the Service by the Supplier or the business operations of the Supplier or its subcontractors, and that does not impede the obligations that they might have towards third parties.
8.4 The Supplier shall participate in the audit at its own cost.
9. LOCATION OF PERSONAL DATA
9.1 The Supplier shall be entitled to transfer personal data freely within the European Union and the European Economic Area. The controller shall have the right to receive information regarding the location where the controller’s personal data is processed at any time upon request.
9.2 The Supplier shall not transfer the controller’s personal data outside the European Union and the European Economic Area without the controller’s prior written consent unless expressly agreed otherwise in the Agreement.
9.3 The Supplier and its sub-processors are entitled to process personal data in third countries, if the controller gives its consent for such processing. In this case, the Supplier shall be responsible for determining the proper transfer mechanism in accordance with the Data Protection Regulation.
9.4 AI features on the Service are disabled by default. Notwithstanding the above restrictions, when the Customer proactively enables AI features on the Service, the Customer expressly consents to the transfer of personal data outside the European Union and the European Economic Area to third-party AI service providers for the sole purpose of providing such AI functionality. Such consent can only be provided after the Customer has acknowledged and agreed to explicit prompts and warnings displayed on the platform regarding the nature and implications of such data transfers. The Customer retains the right to disable AI features at any time, thereby ceasing any such data transfers to third-party AI service providers.
10. SUB-PROCESSORS
10.1 The controller grants the Supplier a general pre-authorization to engage sub-processors located within the European Union or the European Economic Area. The Supplier undertakes to agree on the processing of personal data with each sub-processor in writing so that the sub-processor is bound by restrictions regarding processing that are at least as restrictive as those set out in this Data Processing Agreement.
10.2 The controller shall have the right to receive information regarding the sub-processors used by the Supplier from time to time and any changes that the Supplier makes to the sub-processors used. If the controller has reasonable grounds to oppose the use of a new sub-processor, the controller shall notify the Supplier of its opposition without delay and no later than fourteen (14) days after receiving the notification from the Supplier. If the controller and the Supplier do not reach a consensus on the use of a new sub-processor, either party shall have the right to terminate the Agreement with thirty (30) days’ notice.
11. MAINTENANCE, DELETION AND RETURN OF PERSONAL DATA
11.1 During the term of the Agreement, the controller shall be responsible for the maintenance of its personal data and for the deletion of any unnecessary personal data. During the term of the Agreement, the Supplier may not delete the controller’s personal data other than as set out in the Agreement without the controller’s explicit request for such deletion.
11.2 Upon the termination of the Agreement for any reason, the Supplier shall retain the controller’s personal data for thirty (30) days after the effective date of the termination and make such personal data available to the controller. After the thirty (30) day period, the Supplier shall have the right to destroy the personal data of the controller from the Service.
12. RECORDS OF PROCESSING ACTIVITIES
12.1 The Supplier shall keep records of processing activities available to the controller.
13. SERVICE FEES
13.1 The Supplier shall have the right to invoice the controller in accordance with the Supplier’s price list as in force from time to time for the tasks the Supplier has performed at the controller’s request pursuant to this Data Processing Agreement.
14. LIMITATION OF LIABILITY
14.1 This Data Processing Agreement and all processing of personal data hereunder shall be subject to the limitation of liability set out in the Agreement. The liability of the Parties for damages payable to a data subject based on Article 82 of the GDPR shall however be determined based on the said Article.
15. OTHER PROVISIONS
15.1 This Data Processing Agreement enters into force when both Parties have signed the Agreement. This Data Processing Agreement shall remain in force for as long as the Agreement is in force or for as long as the Parties have obligations towards each other that concern the processing of personal data.
15.2 If the Parties have obligations that are meant to remain in force after the expiration of the Agreement and this Data Processing Agreement, such obligations remain in force even after the termination of this Data Processing Agreement.