Data Processing Agreement (Business)
Last updated: 30/09/20
Version number: 1.0
There are no previous versions to view.
The Customer (“Data Controller”) and NordPass (“Data Processor”);
Data Controller and Data Processor are hereinafter collectively referred to as the “Parties”;
- The Data Processor provides Services to the Data Controller under the NordPass Terms of Service (Business) (“Terms”) available at the Data Processor’s website;
- While providing the Services, the Data Processor Processes Personal Data on behalf of and under the instructions of the Data Controller;
- The Parties wish to lay down their rights and obligations related to the above-described Personal Data Processing;
have concluded this data processing agreement (the “Agreement”).
Unless expressly provided otherwise in this Agreement, definitions and (or) capitalized words used in this Agreement shall have the meaning defined in the Terms or indicated below:
Applicable data protection laws means all applicable privacy and data protection laws and regulations anywhere in the world, including, where applicable, the GDPR;
EEA means the European Economic Area (all EU Member States, UK and Iceland, Norway and Liechtenstein);
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Processing means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and access, coordination, restriction, deletion or destruction;
Person means a natural person whose Personal Data are processed;
Personal Data means any information relating to an identifiable Person;
Standard Contractual Clauses (SCC) means the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, as updated or replaced from time to time;
Sub-processor means an entity engaged by the Data Processor which agrees to receive Personal Data from the Data Processor exclusively intended for the Processing activities to be carried out as part of the Services.
Application of this Agreement
- This Agreement applies if the Processing of Personal Data is governed by the GDPR. If the Agreement applies, it shall be legally binding between the Parties and constitute an integral part of the Terms.
- Except as otherwise agreed in this Agreement (including the SCC, if applicable), the Terms apply between the Parties in their entirety.
General provisions and obligations
- The Data Processor undertakes to only Process Personal Data in accordance with documented instructions communicated from time to time by the Data Controller. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Persons are set forth in this Agreement.
- When Processing Personal Data under this Agreement, the Data Controller shall comply with all Applicable data protection laws and the recommendations of the competent supervisory authorities.
- The Data Controller shall not take any action that would cause the Data Processor to violate Applicable data protection laws.
- By signing the Agreement, the Data Controller confirms that:
- All the Personal Data Processed under this Agreement is collected lawfully;
- All the conditions allowing Personal Data transfers to the Data Processor outside the EEA are fulfilled;
- All the Persons were properly informed about the use of the Data Processor’s Services, and all the information required under the Applicable data protection laws was provided to the Persons by the Data Controller;
- All the instructions set out in this Agreement are comprehensive and reflect the Data Controller’s will. Any additional or alternative instructions by the Data Controller shall be agreed between the Parties separately in writing.
- The Data Processor:
- Shall not be obliged to evaluate the Data Controller’s instructions; the Data Controller shall be responsible and liable for ensuring that any instruction given is fully lawful and compliant with the Applicable data protection laws. If, in the Data Processor’s reasonable opinion, an instruction undoubtedly infringes the Applicable data protection laws, the Data Processor shall notify the Data Controller;
- Taking into account the nature of the Processing, shall assist the Data Controller, at the Data Controller’s cost, in ensuring the Data Controller’s compliance with its obligations under the Applicable data protection laws by providing information requested by the Data Controller;
- In the unlikely event of a security breach, shall inform the Data Controller without undue delay after becoming aware of any security breach concerning Personal Data Processed under this Agreement.
Instructions for Processing
- The Personal Data under this Agreement shall be Processed in order to provide Services to the Data Controller as per the Terms.
- The Data Processor shall Process the Personal Data of the Data Controller’s end users.
- The Processing by the Data Processor shall concern the following categories of Personal Data:
- Other information necessary for the provision of Services.
- The Processing by the Data Processor is not intended to concern the special categories of Personal Data.
- The Personal Data Processed under this Agreement shall be subject to the basic processing activities as provided in Terms or as necessary for the provision of Services.
Personal Data disclosure
- The Data Processor undertakes not to disclose any Personal Data Processed to any third party, other than through the use of Sub-processors as specified in this Agreement, except where the Personal Data is disclosed in response to a third party’s request for information made in accordance with applicable legal acts, or under legitimate requests from law enforcement or other competent authorities.
- The Data Controller authorizes the Data Processor to use Sub-processors to fulfil its obligations as set forth in this Agreement (general authorization), provided that the Data Processor maintains a list of Sub-processors and, upon receiving a written request from the Data Controller, provides the Data Controller with such list. In case of a new Sub-processor, the Data Processor will inform the Data Controller thereof. The Data Processor shall enable the Data Controller to object, by way of providing the Data Processor with a reasoned, specific and written objection, to changes concerning the addition or replacement of Sub-processors on the afore-mentioned list.
- The Data Processor shall ensure that Sub-processors assume in writing obligations similar to those agreed in this Agreement. The Data Processor remains fully liable to the Data Controller for the performance of its Sub-processors’ data protection obligations where the Sub-processors fail to fulfil such obligations.
Transfer to third countries
- The Data Processor is allowed to transfer the Personal Data to a country outside the EEA as reasonably necessary to provide the Services, provided that the Data Processor ensures an adequate level of protection and complies with other obligations to which it is subject pursuant to this Agreement.
- Where the Parties are required to enter into the SCC under the Applicable data protection laws, the SCC are hereby incorporated into this Agreement by reference as a legally binding and duly executed agreement between the Parties, and:
- the Data Controller shall be considered the ‘data exporter’ and the Data Processor shall be considered the ‘data importer’;
- Section 4 of this Agreement shall be considered as Appendix 1 to the SCC;
- Section 7 of this Agreement shall be considered as Appendix 2 to the SCC.
Personal Data security principles
- In order to assist the Data Controller in complying with legal obligations, including but not limited to the implementation of adequate Personal Data security measures, the Data Processor shall take appropriate technical and organizational measures to protect the Personal Data. The measures shall ensure an adequate level of security, taking into account:
- particular risks associated with the Processing of Personal Data;
- costs of the measures;
- existing technical capabilities.
- The Data Processor shall implement sufficient technical and organizational measures to ensure a level of security consistent with the risks, including, where appropriate:
- the ability to ensure the ongoing integrity, availability and resilience of the systems and services used for Processing Personal Data;
- the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- regular assessment of the effectiveness of the technical and organizational measures for ensuring the security of the Processing of Personal Data.
- The Data Processor shall ensure that Sub-processors authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Processing of Persons’ requests
- The Data Controller shall process and respond to every Person’s inquiry or request for exercising their rights under the Applicable data protection laws, including but not limited to access to the information held on the Person and requests to delete or correct the Personal Data or to restrict the Processing related to the Person.
- Every Person’s inquiry or request for exercising their rights that is addressed directly to the Data Processor shall be forwarded by the Data Processor to the Data Controller.
- Where the Data Controller is not able to fulfil a Person’s request on its own, the Data Controller may ask the Data Processor for assistance in providing the information related to the Processing of the Personal Data under this Agreement.
Right to carry out an audit
- When reasonably necessary, the Data Controller shall have the right to take measures to verify the Data Processor’s compliance with the terms of this Agreement. The Data Controller shall have the right to request an audit performed by an independent, accredited and reputable third-party audit firm agreed by both Parties.
- This audit will only take place where there is a specific and well-founded suspicion of misuse of Personal Data, and only after the Data Controller has requested and assessed similar existing reports from the Data Processor and has made reasonable arguments to justify an audit being initiated by the Data Controller. Such an audit is justified if the similar reports that the Data Processor has available provide insufficient, or inconclusive answers regarding compliance with this Agreement by the Data Processor.
- For the avoidance of doubt, neither the Data Controller nor the appointed auditor shall be a competitor of the Data Processor’s business and, under no circumstances may the Data Controller or the selected auditor have access to the Data Processor’s confidential information, information of the Data Processor’s other clients, or any information of third parties to whom the Data Processor owes a duty of confidentiality.
- Any such audit conducted by the Data Controller shall take place during regular business hours, in a manner that is not disruptive to the Data Processor’s business, upon reasonable advance notice of no less than 2 months to the Data Processor and subject to the confidentiality undertaking provided below. The Data Controller is responsible for all costs and fees related to such audit, including all costs and fees for any and all time the Data Processor expends on any such audit, in addition to the rates for support services performed by the Data Processor and any expenses incurred by the Data Processor. Before the commencement of any such audit, the Parties shall mutually agree upon the timing, duration and scope of the audit, which shall not involve physical access to the servers from which the Data Processing Services are provided. The Data Controller shall promptly notify the Data Processor regarding any non-compliance discovered during the course of an audit. The Data Controller may not audit the Data Processor more than once annually.
- Information discovered in the course of an audit shall be treated as “Confidential information” and shall be subject to the “Confidentiality” Section of the Terms.
- This Agreement shall apply for the whole term the Data Processor Processes Personal Data on behalf of Data Controller.
- Following termination of the Agreement, Data Processor shall delete or return to Data Controller the Personal Data as provided in the Terms. Personal Data shall be deleted or otherwise made unrecoverable and/or anonymized, other than such copies, as authorized under the Terms or this Agreement, or required to be retained in accordance with applicable laws.
- The Data Processor shall have the right to reimbursement of reasonable expenses, costs and fees incurred as a result of the Data Controller’s inaccurate, incomplete or unlawful instructions, or as a result of the absence of the Data Controller’s instructions.
- The Data Processor’s liability, taken together in the aggregate, arising out of or related to this Agreement, whether contractual, tort, or under any other theory of liability, shall be subject to the limitations and exclusions set out in the Terms. Liability of the Data Processor shall mean the aggregate liability of Data Processor under the Terms and this Agreement together.
- All notices between the Parties shall be given following the provisions of the Terms.
- This Agreement shall be governed and any disputes or claims arising from this Agreement shall be settled according to the provisions of the Terms.
- In case of any discrepancies between this Agreement, Terms and any other contracts which regulate data protection matters between the Parties, the provisions of this Agreement shall prevail over any other contractual provisions.