- The Data Controller and the Data Processor have entered into the above-mentioned Service Agreement (“Agreement”) under which the Data Processor shall provide certain services to the Data Controller. Within the scope and for the purpose of the performance of the services defined in the Agreement, the Data Processor will, among other things, process Personal Data on behalf of the Data Controller.
- The Data Controller and the Data Processor have entered into this DPA in order to fulfil the requirement of a written agreement between a data controller and a data processor of Personal Data as set out in Applicable Data Protection Legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to the Data Processor’s processing of Personal Data on behalf of the Data Controller. Data Subjects, data categories as well as the extent, nature, and purpose of data processing are determined by the Agreement, Appendix 1 to this DPA, and the Data Controller’s instructions.
2. Definitions
All terms used in this DPA are to be understood in accordance with the EU General Data Protection Regulation ((EU) 2016/679, “GDPR”), unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below:
“Agreement” as set forth in Article 1;
“Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the GDPR and the Estonian Personal Data Protection Act) including any requirements, guidelines and recommendations of the competent data protection authorities applicable at any time during the term of this DPA to, as the case may be, the Data Controller or the Data Processor;
“Audit” as set forth in Article 7.1;
“Countries with Adequate Protection” as set forth in Article 5.
“Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA;
“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA;
“DPA” means this Data Processing Agreement;
“Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor as set forth in Art 28 (2) and (4) GDPR and section 4.1 below;
“Personal Data” means any information relating to an identified or identifiable living, natural person;
“Personal Data Breach” as set forth in Article 6.2;
“Data Subject” as set forth in Article 4 (1) GDPR;
“Processing” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means as set forth in Art 4 (2) GDPR.
3. Processing of Personal Data
- If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change.
- When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities, and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall agree to make any changes and amendments to this DPA that are required under Applicable Data Protection Legislation.
- The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to respond to requests for exercising data subjects’ rights (including the right to information regarding the processing of their Personal Data), and in ensuring compliance with the Data Controller’s obligations relating to the security of processing (Art. 32 GDPR), the notification of a Personal Data Breach (Art. 33, 34 GDPR), and the Data Protection Impact Assessment and prior consultation (Art. 35, 36 GDPR). The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation.
4. Sub-processors
- The Data Controller at its own discretion may object to any such changes within 2 weeks after the Data Processor’s notice.
- The Data Processor shall impose by a written agreement (including in electronic form) on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries and sub-contractors) the same obligations as apply to the Data Processor, in particular the obligations defined in section 4.1 (including the procedure of notification to the Data Controller and the Data Controller’s right to issue direct instructions to Sub-processors) and section 4.2 of this DPA. Such an agreement shall not be required with respect to Sub-processors that are already bound by similar obligations, either under their agreement with the Data Processor or through obligations they have published on their website.
5. Transfer to Third Countries
6. Security of Processing
- The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for the Personal Data, and shall continuously review and improve the effectiveness of its security measures. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, and unlawful loss, alteration or access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- The Data Processor shall, without undue delay after becoming aware of it, notify the Data Controller of any accidental or unauthorized access or suspected access to Personal Data, or of any other actual security incident affecting Personal Data (“Personal Data Breach”). The notification shall be in written form and shall at least:
- describe the nature of the Personal Data Breach including, where possible, the categories and the approximate number of data subjects concerned and the categories and the approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact points where more information can be obtained;
- describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- include any other information available to the Data Processor that the Data Controller is required to notify the Data Protection Authorities and/or the data subjects.
- The Data Processor will furthermore provide reasonable assistance requested by the Data Controller for the Data Controller to investigate the Personal Data Breach and notify the Data Protection Authorities and/or the data subjects as required by Applicable Data Protection Legislation.
- In addition, the Data Processor shall at its own expense immediately take the necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed or corrupted as a result of the Personal Data Breach. The Data Controller shall provide reasonable assistance requested by the Data Processor to take such measures. The Data Controller shall also be liable for the costs of any additional measures that need to be taken, and for any penalties or fines imposed, to the extent caused by or derived from the Data Controller’s unwillingness or inability (except where such inability is not the Data Controller’s fault) to provide the requested reasonable assistance.
- The Data Processor undertakes to not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. This section 6.5 shall not apply if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, in which case what is set out in section 3.5 shall apply.
- The Data Processor requires all of its personnel (employees and Sub-processors) authorized to process Personal Data not to process Personal Data for any other purpose, except on instructions from the Data Controller or unless required by applicable law. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts and service contracts, and it shall remain in force after the expiry or termination of this DPA.
- The Data Processor appoints the following person responsible for data protection matters: Neslihan Büşra Emikoğlu - email@example.com.
7. Audit Rights
- The Data Processor shall allow the Data Controller or an external auditor mandated by the Data Controller to conduct audits, investigations and inspections on data protection and/or data security (“Audit”) in order to ensure that the Data Processor or Sub-processors are able to comply with the obligations under this DPA and Applicable Data Protection Legislation and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance.
- The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Legislation and assists the Data Controller in the performance of Audits.
The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against the Data Controller on the grounds of an infringement of their personal rights or of data protection law, where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is, except in cases of wilful intent or in relation to personal injury or death, capped at the amount of fees paid by the Data Controller in the 12 months immediately before the infringing incident.
- The term of this DPA follows the term of the above-mentioned Agreement.
- In case of a termination of the Agreement, this DPA shall remain in force as long as the Data Processor processes Personal Data for the Data Controller.
- The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors.
- A notice or other communication to be provided by one party to the other party under this DPA shall be provided in accordance with the notices provision of the Agreement.
- In case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable Data Protection Legislation or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof.
11. Measures upon Completion of Processing of Personal Data
- Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance.
- Upon request by the Data Controller, the Data Processor shall provide written notice of the measures taken by itself or its Sub-processors with regard to the deletion or return of the Personal Data upon the completion of the processing.
12. Final Provisions
- This DPA is governed by the law of the Republic of Estonia to the exclusion of the conflict-of-law rules of private international law. For all disputes arising from this DPA, including disputes about its existence or non-existence, the courts with subject-matter jurisdiction at the registered seat of the Data Processor shall be the exclusive forum.
- If a provision or part of a provision of this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it with a provision that, in terms of content, is as close as possible to the ineffective provision.
Appendix 1 – Data Processing Instructions
Purposes of processing
Specify all purposes for which the Personal Data will be processed by the Data Processor.
Provide Data Controller access to and benefit from Data Processor’s services as set forth in the Agreement.
Categories of data
Specify the different types of Personal Data that will be processed by the Data Processor.
Special categories of Personal Data
Specify the different special categories of Personal Data that will be processed by the Data Processor.
The Controller does not intend to and will not instruct the Processor to process any special categories of Personal Data.
In the event that the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those set forth in art. 9 (2) GDPR) are met at all times.
Categories of data subjects
Specify the categories of data subjects whose Personal Data will be processed by the Data Processor.
The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded.
- Users, customers, and/or visitors of Data Controller
Processing activities
Specify all processing activities to be conducted by the Data Processor.
Collect, store, and process data to enable Data Controller access to the Data Processor’s Application Services.
Sub-processors
Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the Personal Data is processed by each such Sub-processor.
Location of Processing Operations
Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable).
With respect to the services of the Data Processor:
- If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU or Countries with Adequate Protection.