Data Processing Addendum
This Data Processing Addendum (the “Addendum”) is made to the [add name of agreement] (the “Agreement”) by and between [LEGAL ENTITY] (“[LEGAL ENTITY]” or “we”) and [Insert data processor’s name] (“Vendor”).
Any capitalized term not defined in this Addendum has the meaning given in the Agreement. This Addendum applies with respect to the Processing of [LEGAL ENTITY] Personal Data subject to the GDPR, only to the extent [LEGAL ENTITY] is a Controller of [LEGAL ENTITY] Personal Data and Vendor is a Processor. This Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR and shall be effective for the term of the Agreement.
1. Defined Terms
For the purposes of this Addendum:
(a) “Data Protection Legislation” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
(b) “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data;
(c) “Personal Data”, “Personal Data Breach”, “Process/Processing”, “Controller”, “Processor”, “Data Subject” and “Supervisory Authority” have the same meanings as in GDPR; and
(d) “[LEGAL ENTITY] Personal Data” means the Personal Data described in Section 2 of this Addendum with respect to which [LEGAL ENTITY] is the Controller.
2. Description of Processing Activities
2.1. Categories of Data Subjects. This Addendum applies to the Processing of [LEGAL ENTITY] Personal Data relating to [LEGAL ENTITY]’s employees, consultants and independent contractors.
2.2. Types of Personal Data. [LEGAL ENTITY] Personal Data includes personal data relating to the Data Subjects under Section 2.1 and data associated with providing technical support services under the Agreement.
2.3. Subject-Matter, Nature and Purpose of the Processing. Vendor will Process [LEGAL ENTITY] Personal Data for purposes of providing the Services to [LEGAL ENTITY] as set out in the Agreement.
2.4. Duration of the Processing. Vendor will Process [LEGAL ENTITY] Personal Data for the duration of the Agreement in accordance with the provisions of this Addendum.
3. Processing activities
The parties acknowledge and agree that with respect to [LEGAL ENTITY] Personal Data, [LEGAL ENTITY] is the Controller and Vendor is the Processor. Vendor shall only Process [LEGAL ENTITY] Personal Data on behalf of [LEGAL ENTITY] and in accordance with [LEGAL ENTITY]’s prior written instructions (including as set out in this Addendum and the Agreement) and for no other purpose. Vendor is hereby instructed to Process [LEGAL ENTITY] Personal Data to the extent necessary to enable Vendor to provide the Services in accordance with the Agreement. In case the Processing is required by the Data Protection Legislation to which Vendor is subject, Vendor shall (i) promptly notify [LEGAL ENTITY] of that legal requirement and/or of the inability to comply with any instructions before the relevant Processing, to the extent permitted by the Data Protection Legislation; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected [LEGAL ENTITY] Personal Data) until such time as [LEGAL ENTITY] issues new instructions.
4. Confidentiality and security measures
4.1. Vendor shall ensure that [LEGAL ENTITY] Personal Data is not made accessible to its personnel who do not need to have access to the data in order to carry out their roles in the performance of Vendor’s obligations under the Agreement and that persons authorized to Process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2. Vendor shall implement and maintain throughout the term of the Addendum at all times in accordance with then current good industry practice technical and organizational measures to protect against unauthorized or unlawful Processing of, or accidental loss, destruction or damage to [LEGAL ENTITY] Personal Data, including all measures required by Article 32 of the GDPR. These measures will, at a minimum, include:
a) treating and handling all [LEGAL ENTITY] Personal Data as the most sensitive category of data within Vendor’s data classification program;
b) providing for the encryption of [LEGAL ENTITY] Personal Data in electronic format when required by [LEGAL ENTITY]’s policies, the Agreement, regulatory requirements or [LEGAL ENTITY]’s security standards;
c) if encryption of [LEGAL ENTITY] Personal Data is not required under [LEGAL ENTITY]’s policies, the Agreement, regulatory requirements or [LEGAL ENTITY]’s security standard, Vendor will implement appropriate and necessary controls to secure such [LEGAL ENTITY] Personal Data; and
d) notifying [LEGAL ENTITY] immediately in the event that any password or encryption key is compromised.
4.3. Vendor shall provide [LEGAL ENTITY] with assistance necessary for the fulfilment of [LEGAL ENTITY]’s obligation to keep [LEGAL ENTITY] Personal Data secure.
5.1. During the term of the Agreement, Vendor shall:
a) provide all assistance required by [LEGAL ENTITY] to enable [LEGAL ENTITY] to address any request or complaint received from Data Subjects or any applicable Supervisory Authority or similar authority. Vendor shall notify [LEGAL ENTITY] as soon as reasonably practicable and in any event no less than 48 hours following receipt of any request or complaint Vendor receives from Data Subjects or from an applicable Supervisory Authority or similar authorities regarding [LEGAL ENTITY] Personal Data. Vendor shall not respond to any such request except on the documented instructions of the [LEGAL ENTITY]; and
b) provide [LEGAL ENTITY] with full and prompt cooperation and assistance in order for [LEGAL ENTITY] to ensure compliance with [LEGAL ENTITY]’s obligations under Data Protection Legislation, including: (i) to give effect to the rights of Data Subjects under the Data Protection Legislation; and (ii) in relation to any data protection impact assessments and consultation with Supervisory Authorities, if [LEGAL ENTITY] is required to do so under the Data Protection Legislation.
Vendor is hereby granted general authorization to hire sub-Processors. Vendor shall notify [LEGAL ENTITY] of all sub-Processors that Process any [LEGAL ENTITY] Personal Data and any intended changes concerning the addition or replacement of sub-Processors (including the categories of [LEGAL ENTITY] Personal Data processed, details of the Processing they perform or will perform, and the location of such processing). [LEGAL ENTITY] reserves the right to object to a sub-Processor, or the appointment of a new sub-Processor who Processes any [LEGAL ENTITY] Personal Data. If [LEGAL ENTITY] refuses to consent to Vendor’s appointment of a third party sub-Processor, then either Vendor will not appoint the sub-Processor or either party may terminate this Addendum and the Agreement without penalty. If the Addendum and the Agreement are so terminated, [LEGAL ENTITY] will be entitled to receive a refund of any prepaid fees under the Agreement attributable to the period following the date of termination through the expiration of the then-current term. Prior to allowing a sub-Processor, authorized in accordance with the above, to Process any [LEGAL ENTITY] Personal Data, Vendor shall enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Vendor under the Addendum. Vendor remains fully liable to [LEGAL ENTITY] for any acts or omissions of any sub-Processors as if such acts and omissions were conducted by Vendor. Upon request, Vendor shall promptly send a copy of any agreement it concludes with a sub-Processor relating to [LEGAL ENTITY] Personal Data to [LEGAL ENTITY].
7. Data Exports
Vendor must not transfer the [LEGAL ENTITY] Personal Data (nor permit the [LEGAL ENTITY] Personal Data to be transferred) outside of the European Economic Area (EEA), Switzerland, or a country approved by the European Commission pursuant to Article 25(6) of Directive 95/46/EC or, as applicable, Article 45(1) of the GDPR, unless (i) for transfers from the EEA or Switzerland to the United States, Vendor is certified to the EU-U.S. or Swiss-U.S. Privacy Shield frameworks administered by the U.S. Department of Commerce and, in advance of such transfers, has provided [LEGAL ENTITY] with details of Vendor’s certification under the Privacy Shield. If this provision applies, Vendor commits to comply with its obligations for [LEGAL ENTITY] Personal Data transferred under the Privacy Shield throughout the term of the Agreement; (ii) if Vendor is not certified to the Privacy Shield, Vendor provides [LEGAL ENTITY] with prior written notice of the countries to which the data will be transferred and evidence to [LEGAL ENTITY]’s satisfaction of appropriate safeguards, as required by Data Protection Legislation and [LEGAL ENTITY] provides its written consent to such transfer (which consent it may give or withhold in its absolute discretion). In either case, Vendor must take such measures as are necessary to ensure the transfer is in compliance with the Data Protection Legislation, including entering into standard contractual clauses adopted or approved by the European Commission.
8. Audits; Information
Vendor shall make available to [LEGAL ENTITY] all information necessary to demonstrate compliance with the obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by [LEGAL ENTITY] or an auditor mandated by [LEGAL ENTITY]. Vendor shall immediately inform [LEGAL ENTITY] if, in its opinion, an instruction infringes the Data Protection Legislation.
9. Personal Data Breach
9.1. If Vendor becomes aware of any Personal Data Breach affecting any [LEGAL ENTITY] Personal Data, Vendor must inform [LEGAL ENTITY] without undue delay and in any event no later than twenty-four (24) hours after it becomes aware of the Personal Data Breach by email and shall:
9.1.1. provide [LEGAL ENTITY] with a detailed description of the Personal Data Breach, including the type of [LEGAL ENTITY] Personal Data concerned, the approximate number of Data Subjects concerned, the categories and approximate number of [LEGAL ENTITY] Personal Data records concerned and the likely consequences of the Personal Data Breach;
9.1.2. take such actions as may be necessary or required by [LEGAL ENTITY] to minimize the effects of the Personal Data Breach; and
9.1.3. provide all such timely information and cooperation as [LEGAL ENTITY] may require in order for [LEGAL ENTITY] to fulfil its data breach reporting obligations under the Data Protection Legislation, including with respect to reporting or informing Data Subjects or the relevant Supervisory Authorities of the Personal Data Breach.
9.2. Vendor will ensure that all personnel (including sub-Processors) fully understand the process under which they are required to notify [LEGAL ENTITY]. Vendor acknowledges that records of system activity and of handling of Personal Data may be evidence in the event of a Personal Data Breach or other inappropriate activity.
10. Deletion of [LEGAL ENTITY] Personal Data
Vendor shall, at [LEGAL ENTITY]’s election, delete or return [LEGAL ENTITY] Personal Data to [LEGAL ENTITY] after the end of the provision of Services, and delete all existing copies unless European Union or Member State law requires storage of the data.
11. General Provisions
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.