Data Processing Addendum

Updated on 4th April, 2023.

Updated on 1st January, 2024.

This Data Processing Addendum (“DPA”) is incorporated into the Agreement between the Company (“Processor”) and the customer (“Controller”), and this DPA is effective from the effective date of the Agreement. In the event of any conflict between this DPA and the Agreement, the provisions outlined in this DPA shall prevail.

1. DEFINITIONS

Unless expressly defined otherwise in the Terms and Conditions or elsewhere in this DPA, all capitalised words used in this DPA shall have the following meaning:

“Data Protection Law”

  • means all applicable privacy regulations and legislations within Europe, including the General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as it forms part of the UK law in accordance with the European Union (Withdrawal) Act 2018 (“UK GDPR”), and the national legislation implementing GDPR and, to the extent applicable, the privacy laws of any other country where the customer is located

“Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” “Supervisory Authority”

  • shall have the same meaning as defined in the GDPR.

“Data Subject Request”

  • means the exercise by a Data Subject of their rights in accordance with GDPR.

“EEA”

  • means the European Economic Area.

“Restricted Country”

  • refers to a country outside the EEA that the European Commission has not deemed to provide an adequate level of protection for Personal Data.

“Standard Contractual Clauses” or “SCC”

  • means the Standard Contractual Clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, available here

“Sub-processor”

  • means any third party appointed directly or indirectly by the Processor to process the data on behalf of the Controller pursuant to this DPA.

“Services”

  • means any service provided by the Company to the customer pursuant to the Agreement between the Parties.

2. ROLES OF THE PARTIES

2.1         The customer acts as the Controller of all Personal Data it provides to the Company for Processing on its behalf during the provision of Services by the Company to the customer;

2.2         The Company acts as the Processor of Personal Data it receives from the customer for Processing on behalf of the customer.

3. CONTROLLER’S INSTRUCTIONS AND LAWFULNESS OF PROCESSING

3.1         The customer acts as the Controller of all Personal Data it provides to the Company for Processing on its behalf during the provision of Services by the Company to the customer;

3.2         The Company acts as the Processor of Personal Data it receives from the customer for Processing on behalf of the customer.

4. DETAILS OF PROCESSING OF PERSONAL DATA

4.1         The subject matter of Processing

The subject matter of Processing is the Personal Data provided/made available by the Controller to the Processor pursuant to the Agreement.

4.2         Purpose of Processing

The purpose of Processing is the provision of Service to the Controller, which requires the Processing of Personal Data on behalf of the Controller.

4.3         Types of Personal Data processed

  • Identification data such as name, sex, date of birth, etc.;

  • Contact data such as email address or postal address, etc.; 

  • Identification documents such as driver’s license, national identity card, or passport, etc.;

  • Medical data that is anonymised or pseudonymised such as medical images, scans, records, etc.;

  • Personally identifiable traits or facial images; and

  • Any other Personal Data contained in the Input Data of the Controller.

4.4         Categories of Data Subjects

The categories of Data Subjects whose Personal Data may be processed include:

  • Controller’s clients or users;

  • Controller’s prospective clients or users; and

  • Controller’s patients or participants in clinical trials.

4.5         Duration of Processing

Unless expressly agreed otherwise in writing, the Personal Data will be processed for the duration of the Agreement between the Parties.

5. SECURITY OF PROCESSING

5.1         Considering state of the art, cost of implementation, nature, and purpose of Processing, and the risks/impact of any Data Breaches on the rights of the Data Subjects, the Processor will implement all appropriate technical and organisational measures to protect the Personal Data against any Personal Data Breach including any measures expressly specified in the GDPR, the Agreement and the Processor’s Security Policy.

5.2         The Processor may update and modify any of its security measures unilaterally provided such updates or modifications do not result in degradation of the security measures implemented by the Processor.

6. SUB-PROCESSORS

6.1         The Controller hereby authorises the Processor to engage Sub-processors as additional Processors of Personal Data for the provision of Services under the Agreement, provided that:

6.2         Whenever any Sub-processor is engaged in the Processing of the Personal Data provided by the Controller, the same data protection obligations as outlined in this DPA for the Processor shall be imposed on the Sub-processor by way of a contract.

6.3         The Processor agrees to be responsible for the actions and omissions of such Sub-processors.

6.4         The Processor shall make the list of all current Sub-processors available on the Website and send an email notification about the involvement of any new Sub-processors to the Controller. The Controller may object to any proposed new Sub-processors by sending the objection in writing to the Processor at privacy@annotab.com within seven days from the date of receipt of the Processor’s email notification. If the Parties are unable to reach a consensus on the introduction of a new Sub-processor, either Party may terminate the Agreement. If the Controller does not raise any written objection within seven days of receipt of the Processor’s email notification regarding the new Sub-processor, the Controller’s continued use of the Service will be deemed as the Controller’s authorisation on the use of the new Sub-processor.

6.5         The Controller authorises the Processor to appoint the Sub-processors listed at https://annotab.com/.

7. RESTRICTED TRANSFER OF PERSONAL DATA

7.1         The Controller agrees that the Processor may Process Personal Data outside of the EEA, including in the Republic of Singapore. The Parties agree that the Controller’s transfer of Personal Data to the Processor in a Restricted Country is effecting a Restricted Transfer of Personal Data. To allow such Restricted Transfer of Personal Data in compliance with the Data Protection Laws, the Parties agree that the Parties shall comply with their respective obligations as set out in the SCCs, which are hereby deemed to be completed in accordance with Section 7.2 below and made part of this DPA;

7.2         The Standard Contractual Clauses are incorporated into this DPA and shall apply as required by the Data Protection Law for the Restricted Transfer of Personal Data from the Controller to the Processor. As the customer is the Controller and the Provider is the Processor, Module 2 of the Standard Contractual Clauses applies. The SCCs shall be completed as follows:

7.2.1        Clause 7 Docking clause

  • The optional docking clause is excluded.

7.2.2        Clause 9 Use of Sub-processors

  • The Parties select Option 2: General Written Authorisation with a notice period of any changes with regards to the list of Sub-processors being at least seven days in advance of such change, and such notice will be given by email.

7.2.3        Clause 11 Redress

  • The option provided shall not apply.

7.2.4        Clause 13 Supervision

  • The text within the brackets is included.

7.2.5        Clause 17 Governing Law

  • The Parties select Option 1: The laws of Ireland shall govern the Restricted Transfer under these Standard Contractual Clauses.

7.2.6        Clause 18 Choice of Forum and Jurisdiction

  • The Parties agree that any dispute arising from these SCCs in relation to any Restricted Transfer shall be resolved by the courts of Ireland under clause 18 of the Standard Contractual Clauses.

7.2.7        Annex I of the Standard Contractual Clauses shall be deemed completed by Section 4 of this DPA.

7.2.8        Annex II of the Standard Contractual Clauses shall be deemed completed by Section 5 of this DPA.

7.2.9        Annex III of the Standard Contractual Clauses shall be deemed completed by the list of Sub-processors published on the Website https://annotab.com/.

8. RIGHTS OF DATA SUBJECTS

8.1         The Processor will promptly notify the Controller if it receives a request directly from a Data Subject invoking its rights under the Data Protection Law. The Processor will not respond to any Data Subject’s requests without the Controller’s written consent except to refer the Data Subject to the Controller.

8.2         If the Data Subject invokes its privacy rights under the Data Protection Law and the Controller is unable to carry out the request, the Processor shall, to the extent commercially viable, offer such assistance to the Controller as required to enable the Controller to fulfill its obligations.

9. DELETION OF PERSONAL DATA

Upon the termination of the Agreement, the Processor will cease all Processing of Personal Data related to the Services except as outlined herein. The Controller hereby acknowledges and agrees that due to the nature of Personal Data processed by the Processor, the return of Personal Data may require exceptional effort by the Processor, and therefore the Controller agrees that it is hereby deemed (at the date of termination of the Agreement), to have irrevocably selected deletion, instead of return, of such Personal Data. Accordingly, the Processor shall delete all relevant Personal Data processed on behalf of the Controller within 30 days of the termination of the Agreement, except such Personal Data that the Processor is required to retain by applicable law.

10. PERSONAL DATA BREACH

10.1         The Processor shall notify the Controller, without undue delay, upon becoming aware of any Personal Data Breach and provide sufficient information to enable the Controller to fulfil its obligations under the Data Protection Law, including:

  • The nature of the Personal Data Breach;

  • The name and contact details of the contact point within the Company who can provide more information;

  • The likely consequences of the Personal Data Breach;

  • The measures already taken or proposed to be taken by the Company to address the Personal Data Breach.

10.2         The Processor shall take all commercially reasonable steps to limit the effects of the Personal Data Breach.

10.3         The Controller is solely responsible for complying with data breach notification laws applicable to the Controller and fulfilling its obligations. The Processor’s obligation to report a Personal Data Breach incident shall not be construed as an acknowledgement of liability by the Processor for such a Personal Data Breach incident.

11. DEMONSTRATION OF COMPLIANCE

11.1         Provided the Controller gives reasonable prior notice, the Processor agrees to make available to the Controller all such information as may be reasonably required to demonstrate the Processor’s compliance with its processing obligations.

11.2         If the Controller, bona fide, considers the information provided under Section 11.1 to be insufficient to demonstrate the Processor’s compliance with the obligations outlined in this DPA, the Controller may, at its own expense, perform an on-site audit of the Processor’s processing facilities subject to the following:

11.2.1        Any requests for on-site audit must be made in writing by the Controller with at least 90 days’ notice, and the Controller must inform the Processor of the scope of information sought and the purpose of the audit;

11.2.2        The on-site audit scope will be limited to the Processor’s compliance with this DPA;

11.2.3        The Controller may only carry out an on-site audit once per calendar year during the normal business hours of the Processor and lasting no more than one business day;

11.2.4        The audit cannot include any security testing to be performed by the Controller or on Controller’s behalf;

11.2.5        Any information shared during such audits or inspections shall be treated as confidential by the Controller’s nominated auditor (whether internal employees or a third-party auditor).

12. TERMINATION

This DPA will terminate on the date of termination of the Agreement between the Parties.

13. PROCESSOR’S OBLIGATIONS

In addition to the other obligations contained in this DPA, the Processor undertakes the following:

13.1         The Processor agrees to comply with the Data Protection Law for all Personal Data provided to the Processor by the Controller;

13.2         The Processor shall ensure that all persons it involves in the Processing of Personal Data are:

13.2.1        aware of the confidential nature of the Personal Data and have a contractual obligation to maintain confidentiality,

13.2.2        have received appropriate training and obligations as a Processor in accordance with the Data Protection Law,

13.2.3        bound by this DPA; 

13.3         The Processor agrees that the Processor will not:

13.3.1        Sell or rent any Personal Data,

13.3.2        Retain the Personal Data for longer than specified in this DPA.

14. LIABILITY

The Controller and Processor are each individually liable towards authorised Supervisory Authorities and/or Data Subjects for any fines or claims resulting from their own breach or non-compliance with this DPA, the Data Protection Law or other applicable law. Each Party hereby indemnifies the other in this regard.
