DATA PROCESSING AGREEMENT - CLOSEOUT CLOUD
This Data Processing Agreement (DPA) regulates the legal relations between the Parties with regard to the processing of Client Data entrusted to Enetel (the Processor) by the Controller. This DPA is an integral part of the applicable End User License Agreement (EULA). Together, this DPA and the EULA constitute the consensus reached by the Parties in respect of Client Data processing during the Processor's provision of the relevant services.
All capitalized words shall have the same meaning as defined in the EULA.
“Controller” – means the legal person who determines the purposes and means of the processing of Client Data.
“Processor” – means Enetel, the legal person that processes Client Data on behalf of the Controller.
“Processing” – means any operation or set of operations which are performed on Client Data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“GDPR” – means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Other terms used in this DPA shall be construed in accordance with the definitions given in GDPR.
1. The Scope and Purpose of the DPA
1.1. The DPA concerns the usage of the Processor's Software Solution by the Controller and the related Support services as defined in the EULA.
1.2. In respect of the provision of the Hosted Service and related Support services, and on behalf of the Controller, the Processor processes Client Data, i.e. performs commissioned data processing in the sense of Art. 4(2) of the GDPR. The Controller warrants to the Processor that it has the legal right to disclose all Client Data that it does in fact disclose to the Processor under or in connection with this DPA or the EULA.
1.3. This DPA governs processing of Client Data. Hence, the objective of the DPA is to ensure compliance with GDPR and other applicable regulations, including the safeguards for the protection of privacy and the fundamental human rights and freedoms in connection with processing performed by the Processor.
1.4. The tasks performed and supported by the Processor involve the storage and processing of Client Data for the purpose of providing the services defined in the EULA. The processing relates to Client Data of registered individuals, who act as Controllers, and to Client Data of companies, i.e. of their authorized representatives, employees and business partners acting as natural persons or as Authorized third parties. The Processor is therefore responsible for implementing correct and appropriate safeguards protecting the storage, database, networking and infrastructure necessary for the security of its Software Solution.
2. Data Covered by the DPA
2.1. The Processor shall only process the Client Data for the purposes defined under the EULA. The Processor shall only process the Client Data on the documented instruction of the Controller. The DPA covers the various types of ordinary personal data, as defined in Art. 4(1) of the GDPR, provided by the Controller to the Processor for storage and processing in its Hosted Service.
2.2. The processing does not include personal data which under the GDPR constitute sensitive personal data / special categories of personal data (Art. 9 of the GDPR).
3. General Security and Safeguards on Processing of Client Data
3.1. The Processor shall not use or disclose Client Data without the Controller's written authorization or request.
3.2. The Controller gives the Processor a general authorisation to transfer Client Data to a third country, provided that such transfer is carried out under a transfer mechanism and with the appropriate safeguards required by Chapter V of the GDPR, and subject to Art. 8 of this DPA.
3.3. The Processor shall process the Client Data in accordance with the GDPR and any other applicable legislation regarding personal data. If the Processor deems an instruction to be in breach of such legislation, the Processor shall promptly inform the Controller. This shall not apply, however, if the law in question prohibits such notification for reasons of substantial public interest.
3.4. The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller. The record shall include the following:
● The name and contact information of Processor, any Sub-Processor as referred to in Art. 7 of this DPA, the data protection officer and, where relevant, EU representative of the Processor;
● Where applicable, transfers of Client Data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Art. 49(1) in the GDPR, the documentation of suitable safeguards;
● General description of the technical and organizational security measures undertaken by the Processor to safeguard the Client Data, as defined by Art. 32(1) in the GDPR.
3.5. The Processor shall participate in any discussions with the Controller and/or the Competent Supervisory Authority and shall implement any recommendations, improvement notices, etc. issued by the Controller or the Competent Supervisory Authority regarding the processing of the Client Data. The Processor shall promptly inform the Controller if the Competent Supervisory Authority contacts the Processor regarding the Hosted Services and related Support services covered by this DPA.
3.6. The Processor furthermore undertakes to promptly notify the Controller of:
● Any request by a public authority for the transfer or disclosure of Client Data stored in the Hosted Services, unless notification of the Controller is explicitly prohibited by law, e.g. pursuant to rules designed to ensure the non-disclosure of investigations performed by a law-enforcement authority;
● Any request for access received directly from a data subject or from a third party, unless a procedure for handling such requests has been approved by the Controller.
3.7. The Parties undertake, for the duration of the DPA, to obtain and maintain the registrations and approvals that each Party is obliged to obtain and maintain in accordance with the law in force at any given time.
4. Technical and Organizational Measures
4.1. To ensure the protection of the Client Data and in order to comply with the GDPR, the Processor shall take the technical and organizational measures required pursuant to Art. 28(3)(c) and Art. 32 of the GDPR.
4.2. The Processor must implement the necessary technical and organizational measures to safeguard the Client Data (inter alia with regard to storage, computing, network access, transfer, input, order and availability control). Protective measures include the use of state-of-the-art software, hardware and encryption methods, adequate access controls, password policies, automatic lock-out, case-specific authorization concepts, logging and documentation of processes, and the implementation of a data security concept in accordance with the ISO 27001 standard and the GDPR principles. The measures taken shall be adequate to protect Client Data against accidental or unlawful destruction, loss or alteration and against unauthorized disclosure, misuse or other processing in breach of the law in force at any time.
4.3. If the Processor processes personal data of data subjects in the EU, the Processor shall comply with the security requirements laid down in the GDPR.
5. Monitoring of Information Security and Data Protection
5.1. At the Controller’s request, the Processor shall give the Controller the necessary information for the Controller’s monitoring and documentation of the Processor’s implementation of the necessary technical and organizational security measures.
5.2. The determination of the necessary technical and organizational security measures shall be made with due observance of:
● The requirements of information security principles and best practices (e.g. ISO 27001) applied in the processes of software development, support and administration, including Hosted Service security;
● Any data protection impact assessment in force at the Controller or the Processor at any time pursuant to Article 35 of the GDPR and this DPA.
5.3. The Processor shall perform an annual internal audit regarding compliance with the GDPR and the requirements of this DPA.
5.4. In addition, the Controller shall be entitled to audit whether the Processor fulfils its obligations in accordance with this DPA, during usual business hours, where the Controller gives reasonable (and in any event no less than 15 days') prior written notice to the Processor. The Controller shall bear all costs resulting from the audit and shall compensate the Processor for all costs incurred as a result of the audit.
5.5. The Processor is obliged to give access to its physical facilities to the Controller and to the authorities which under applicable law have access to the Processor's facilities, or to representatives acting on behalf of such authorities. The costs and consequences of the monitoring and audits, including support costs, shall be borne by the Controller.
6. Information Security Breach and Data breach
6.1. The Processor shall inform the Controller immediately and in writing of any infringement of the GDPR or of any of the obligations specified in this DPA. This shall also apply if there are substantive disruptions of the normal course of operations or if there are actual grounds to suspect a data privacy infringement. The Processor shall be obliged to provide the Controller with all information necessary for compliance with the Controller's obligations pursuant to the GDPR.
6.2. The Processor shall report to the Controller without undue delay, and no later than 24 hours after becoming aware of an information security breach or personal data breach. In this connection, the Processor shall notify the Controller of the nature, cause and extent of the breach, as well as of the measures taken or proposed to safeguard against future breaches. Upon the request of the Controller, the Processor shall engage an independent auditor, chosen by the Controller, to investigate the cause of the breach and shall provide the Controller with the auditor's report.
7. Agreement with other Data Processor (Sub-Processor)
7.1. The Processor is authorized to enter into agreements with another data processor (a Sub-Processor) regarding the processing of Client Data covered by this DPA. The engagement of such a Sub-Processor shall take place in accordance with the provisions stipulated below. The Controller shall be informed about the currently engaged Sub-Processors, and the Processor is obligated to inform the Controller of any intended change to the engaged Sub-Processors in the future.
7.2. The Processor shall draw up a written sub-processing agreement with any Sub-Processor. In its agreement with the Sub-Processor, the Processor shall ensure that the Sub-Processor accepts, as a minimum, the same data protection obligations as those undertaken by the Processor in this DPA as regards the processing of the Client Data handled by the Sub-Processor.
7.3. The Processor shall guarantee the lawfulness of the Sub-Processor's processing of Client Data. If a Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable towards the Controller for the fulfilment of that Sub-Processor's obligations. The fact that the Controller has consented to the Processor entering into an agreement with a Sub-Processor shall be of no consequence to the Processor's obligation to comply with the DPA. When an agreement with a Sub-Processor regarding the processing of Client Data covered by the DPA terminates, the Processor shall notify the Controller thereof.
7.4. The Controller agrees that the Processor may engage the following Sub-Processors:
– Amazon Web Services (AWS) https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf
8. Transfer of Data
8.1. The Processor may not transfer, or authorize the transfer of, Client Data to countries outside the EU and/or the European Economic Area (EEA) unless specifically requested by the Controller. Where so requested, Client Data shall be transferred only if appropriate security measures and safeguards are applied.
8.2. For the purpose of providing appropriate support, the Processor may transfer Client Data to its own premises if requested by the Controller. In all other cases, Client Data is stored and processed on a public cloud provider's infrastructure or on the Client's private cloud infrastructure.
9. Further Obligations of the Processor
9.1. For the performance of the obligations under this DPA, the Processor shall only appoint employees who, prior to performing their duties, have been informed about all relevant data privacy obligations and instructed to comply with data secrecy pursuant to the GDPR. The employees shall be sufficiently trained to be able to comply with their data protection and contractual obligations. The Processor shall ensure an adequate level of training by implementing suitable controls.
10. The Controller’s rights of control
10.1. The Controller has the right to monitor the technical and organizational measures taken by the Processor, including by on-site checks, subject to and as set out in Art. 5 of this DPA. Upon request, the Processor shall provide the Controller with the necessary information and shall facilitate and permit such controls. A third party appointed by the Controller may also conduct the controls. The Processor shall also support the Controller in the case of inquiries and controls conducted by the responsible supervisory authority. The Processor is entitled to charge the Controller for all costs arising under this article.
11. Return and deletion of the Client Data
11.1. Upon instruction by the Controller and pursuant to the relevant provisions of statutory law and regulations, the Processor shall facilitate the rectification, erasure and restriction of processing (blocking) of Client Data processed on behalf of the Controller, until such Client Data are ultimately deleted.
11.2. Upon termination of this DPA, regardless of the legal reason for the termination, the Processor shall within 90 days delete all Client Data or return it to the Controller, unless before the end of the provision of services the Controller instructs the Processor to act otherwise in connection with the Client Data. This requirement shall not apply to the extent that the Processor is required by applicable data protection laws to retain Client Data.
12. Duty of confidentiality
12.1. The Processor and the Processor's personnel shall observe unconditional confidentiality as regards the processing of Client Data; the Processor and the Processor's personnel are thus only entitled to process Client Data in the performance of the EULA, including this DPA.
12.2. The Processor warrants that the Processor's personnel, any Sub-Processor, and the personnel of such Sub-Processor authorized to process Client Data under this DPA will be subject to the duty of confidentiality as regards any Client Data that may come to their knowledge in connection with the performance of the EULA.
13. Duration
13.1. The DPA shall remain in force for as long as the Processor processes Client Data on behalf of the Controller in accordance with the EULA.
14. Final provisions
14.1. Each Party may propose variations to this DPA which such Party reasonably considers to be necessary to address the requirements of any applicable data protection laws.
14.2. Should any provision of this DPA be invalid or unenforceable, the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed as if the invalid or unenforceable part had never been contained in it.
14.3. This DPA is construed in accordance with the GDPR.
14.4. This DPA, and all disputes arising from or in connection with it, shall be interpreted, construed and enforced in accordance with the laws applicable to the EULA. Any disputes and claims under this DPA shall be adjudicated by the courts specified in the EULA.
14.5. The Parties hereby agree that this DPA will become an integral part of the EULA. This DPA will apply to all services provided by Processor to the Controller in the future unless the Parties agree otherwise.