Selma

Data Processing Agreement

This Data Processing Agreement (“DPA”) is a part of an agreement (the “Main Agreement”) under which Selma Intelligence AB (“Processor”) shall provide the party in the Main Agreement who has been identified as “Customer” (“Controller”) with the AI-driven sales service Selma (the “Service”). The Service includes processing by Processor of certain personal data relating to individuals on behalf of Controller. The DPA shall be applied to any such processing, whereby Controller is data controller and Processor is data processor. The DPA is an appendix to the Main Agreement. In the event of inconsistency between the Main Agreement and the DPA, the DPA shall prevail where the inconsistency relates to processing of personal data.

1. Definitions

1.1 Terms used in this DPA that are defined by Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) shall have the same meaning when used herein, unless specifically defined in this DPA or the Main Agreement. The GDPR and any supplementary local adaptation applicable to a Party are below jointly referred to as “Applicable Law”.

2. Processing of Personal Data

2.1 As data controller, it is the Controller’s responsibility that personal data is processed in accordance with Applicable Law. In its capacity as data processor, Processor shall process all personal data on behalf of Controller in accordance with (i) the Main Agreement, (ii) Applicable Law, and (iii) Controller’s documented instructions (the “Instructions”). In addition, the DPA constitutes the Controller’s instructions. Processor shall not take any measures in respect of personal data received from Controller or collected on behalf of Controller for purposes other than those set out in the Instructions, unless required to do so by Applicable Law, in which case Processor shall give Controller prior written notice thereof (unless prevented from doing so by Applicable Law). The Parties shall update the Instructions, where necessary, to reflect new or amended instructions.

2.2 Processor may refuse to adhere to the Instructions provided by Controller if doing so would involve processing of personal data in conflict with Applicable Law, provided that Processor promptly notifies Controller thereof (unless prevented from doing so by Applicable Law).

3. Security Measures

3.1 Controller and Processor shall take appropriate technical and organizational measures to protect the personal data which they process pursuant to the DPA, in particular protection from accidental or unlawful destruction, alteration, unauthorized disclosure, unauthorized access, and other types of unauthorized processing.

3.2 The measures shall be adapted to a level which is appropriate, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. At a minimum, Controller and Processor shall maintain the same level of protection as those imposed by Applicable Law.

3.3 Processor shall only allow access to the personal data to personnel on a need-to-know basis. Processor shall ensure that all personnel having access to the personal data are subject to adequate secrecy obligations.

3.4 Taking into account the nature of the processing and the information available to Processor, Processor shall assist Controller by appropriate technical and organizational measures, for the fulfilment of Controller’s obligation to respond to requests for exercising a data subject’s rights laid down in Applicable Law.

3.5 Controller and Processor shall comply with any decisions from a supervisory authority with jurisdiction over Controller or Processor. Processor shall also allow any supervisory authority to supervise the processing under this DPA.

4. Personal Data Breach

4.1 In the event of a personal data breach, Processor shall without undue delay notify Controller and assist Controller, as requested, in fulfilling its notification obligations. The notification must, where possible, include at least the following:

  a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  b) the name and contact details of the data protection officer or other contact point where more information can be obtained;
  c) a description of the likely consequences of the personal data breach; and
  d) a description of the measures taken or proposed to be taken by Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

5. Records and Risk Assessments

5.1 Processor shall keep written records (including in electronic form) of the processing activities performed for Controller, in accordance with Applicable Law.

5.2 Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, Processor shall reasonably assist Controller, prior to the processing, in carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data (including assisting Controller in consulting the supervisory authority). In accordance with Applicable Law, such assistance shall take into account the nature of the processing and the information available to Processor.

6. Data Subject Rights

6.1 Processor shall promptly refer to Controller all requests from data subjects and all notifications, inquiries and similar communications from supervisory authorities (unless prevented from doing so by Applicable Law).

7. Audits

7.1 Upon prior written notice, Controller is entitled to perform audits of Processor, through a reputable external auditor, in order to review that Processor’s processing of personal data is in compliance with this DPA. The audit shall be performed during office hours with minimal disruption to Processor’s business. The audit shall not grant the auditor access to trade secrets or proprietary information, unless required to comply with Applicable Law.

7.2 Controller shall ensure that the external auditor’s personnel conducting such audit are subject to adequate secrecy obligations. Processor shall give the assistance needed for performance of such audits and shall, upon written request from the auditor, provide all reasonably available information regarding the processing of personal data. Both Parties shall be entitled to receive a copy of the audit report.

8. Sub-processors

8.1 Processor will, in the provision of the Service, engage certain third parties (“Sub-processors”) which will act as sub-processors in accordance with this DPA. Controller confirms that it has no objections to the Sub-processors currently engaged by Processor, which are listed on Processor’s web page, and that Processor may engage new Sub-processors (including to replace current Sub-processors). Processor shall however inform Controller in writing (e-mail sufficient) of any intended changes concerning the addition or replacement of Sub-processors. Upon receipt of such information, Controller shall make a decision swiftly and in any event within 10 days of receipt. Failure by Controller to notify Processor of its decision within such time frame shall constitute an approval of the Sub-processor. An objection by Controller must be based on reasonable grounds (e.g. that engaging the Sub-processor would increase the risks for the data subjects).

8.2 Where Processor engages a Sub-processor in accordance with Section 8.1 above, it shall do so only by way of a written agreement with the Sub-processor which imposes adequate data protection obligations on the Sub-processor that in all material respects are similar to those in this DPA. Processor remains responsible for the Sub-processor’s obligations under such agreement.

9. International Data Transfers

9.1 Processor may not transfer personal data outside the EU/EEA (or engage a Sub-processor to process personal data outside of the EU/EEA) without Controller’s prior written consent. Where Controller consents to such a transfer, Processor shall (i) comply with at least one of items a) to d) below, and (ii) upon request by Controller, demonstrate compliance with such item:

  a) the receiving country has an adequate level of protection of personal data as decided by the European Commission;
  b) Controller confirms that the data subject has given his/her consent to the transfer;
  c) the transfer is subject to the European Commission’s standard contractual clauses for the transfer of personal data to third countries; or
  d) Processor is subject to Binding Corporate Rules and the receiving party in the third country is also subject to the Binding Corporate Rules.

10. Termination of the Main Agreement and Deletion of Data

10.1 Following termination of the Main Agreement and the end of the provision of the Service, Processor shall, subject to Applicable Law and the Instructions, at Controller’s written request, either delete or return the personal data processed on behalf of Controller hereunder. Processor shall not process any personal data for which Controller is the data controller beyond the processing described in this Section 10, unless Processor is required to do so by Applicable Law and, if so, Processor shall inform Controller of any such obligations.