Annex 4. DATA PROCESSING AGREEMENT
by and between Variantum Ltd (“Supplier”)
and
Customer
By incorporating this document to an agreement concerning Supplier’s software as a service (VariSuite) and/or Supplier’s other services (“Services”) the Supplier and Customer agree to comply with this Data Processing Agreement.
1. ORDER FORM, THE AGREEMENT AND PURPOSE OF THIS DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) has been entered into in connection with the Agreement concerning the provision of Services entered into between the Parties (“Statement of Work” or ”Agreement”) and this DPA sets additional requirements and details regarding the Supplier’s handling of personal information relating to the Customer’s employees, contractors, partners or other parties (“Personal Data”) on behalf of the Customer in accordance with and as required by the Agreement. Subject-matter, nature and purpose of the Processing are defined and agreed under the Agreement.
The DPA shall form an integral part of the Agreement, meaning that applicable parts of the Agreement (including its provisions on governing law and dispute resolution) shall apply also to this DPA. However, in the event of a conflict, the provisions of this DPA shall prevail over the provisions of the Agreement.
2. Duration of the Processing
Personal Data will be processed by the Supplier for the duration of the Agreement unless a longer or shorter period is agreed between the Parties in the Agreement or elsewhere in writing.
2.1 Types of personal data processed
Customer shall define what personal data is to be collected by accessing and using the Service , Supplier shall collect and store the processed data as provided or defined by the Customer. This type of data may include, for example, person’s name, contact information, and as well as other necessary additional information needed for registration, using the service, and payment. The responsibility of defining this information is on Customer alone.
Details may be further specified under the Agreement.
2.2 Definitions
The capitalized terms used herein shall have the meaning ascribed to them below or in the text
“Affiliate”: Shall mean any legal entity which is directly or indirectly owned or controlled by a Party or directly or indirectly owning or controlling a Party or under the same direct or indirect ownership or control as a Party for so long as such ownership or control lasts.
“Data Protection Laws”: Shall mean EU Data Protection Regulation (2016/679) “GDPR” and the other data protection laws and regulations applicable to the Processing hereunder from time to time.
“Processing”: shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, of Personal Data.
“SCCs”: Standard Contractual Clauses issued by the European Commission by the decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the, or any subsequent legal instrument permitting the lawfull transfer of Personal Data to non-European Economic Area countries.
“Sub-Processor”: shall mean a processor contracted by the Data Processor to perform Processing hereunder, in part or in whole, on the Data Processor’s behalf.
3. Rights and obligations of Parties
In connection with the Processing, the Customer shall be regarded as Data Controller and the Supplier shall be regarded as Data Processor as defined in the GDPR.
Both Parties shall be responsible to ensure that Processing is made in accordance with the Data Protection Laws that apply to it.
The Data Controller shall
The Data Processor shall
4. Security Processing
Both Parties shall implement and maintain appropriate technical and organizational measures to protect the Personal Data, taking into account the following:
4.1 Details on security measures
Such measures include, inter alia as appropriate:
The Data Controller shall inform Data Processor of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Data Controller which affect the technical data and organizational measures that should be employed under this DPA.
5. Sub-processors
The Data Processor is entitled to use Sub-Processors for the processing of Personal Data under this DPA.
The Data Processor will inform the Data Controller in advance on any intended changes concerning the addition or replacement of Sub-Processors. The companies listed on Supplier’s website /service description etc. are approved Sub-processors at the time of entering into Agreement.
Such use will be under written contract and the Data Processor will require the Sub-Processor to comply with the data protection obligations applicable to the Data Processor under this DPA or obligations which provide for the same level of data protection. The Data Processor will be liable for its Sub-Processor’s actions as for its own.
If the Data Controller does not accept an intended change, the Data Controller may terminate such part of the Main Agreement which the sub-processing would be related to by way of thirty (30) days’ prior written notice. Or The Data Processor will inform the Data Controller in advance on any indented changes concerning the addition or replacement of Sub-Processors
6. Transfer of personal data
6.1 Customer’s approval to transfer data outside of Approved Jurisdictions
The Data Processor will only transfer Personal Data out of the territory of the member states of the European Union, the European Economic Area, or other countries which the European Commission has found to guarantee an adequate level of data protection (collectively, the “Approved Jurisdictions”) with the Data Controller’s prior written approval. For purpose of clarity, such approval must be clearly indicated in the Agreement.
6.2 Data protection during data transfer
If required by the Data Protection Laws, the Data Processor shall enter relevant contractual arrangements with required parties (including with the Data Controller itself and/or any of the Data Controller’s Affiliates, as applicable) for the lawful transfer of Personal Data from the Approved Jurisdiction to third countries.
Such contractual arrangements shall be carried out in accordance with the standard data protection clauses adopted or approved by the European Commission attached herein (“SCCs”). As an alternative to entering into the SCCs, the Data Processor may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such safeguard is in compliance with the Laws.
Where the SCCs are used as a contractual arrangement in the transfer from by the Data Processor or its Sub-Processor in an Approved Jurisdiction to Sub-Processor not in an Approved Jurisdiction, the following shall be applied:
7. Notification of Personal Data Breach
7.1 Personal Data Breach notification process
The Data Processor shall without undue delay notify the Data Controller if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact person named by the Data Controller, if not otherwise agreed between the Parties.
8.2 Personal Data Breach notification content
The Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data Breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor.
Additionally, to the extent it is available, the Data Processor shall provide to the Data Controller the following information:
8. Auditing
8.1 General
The Data Controller shall be entitled to audit the Data Processor's performance of its Processing obligations under this DPA ("Audit").
The Data Controller is obligated to use external auditors who are not competitors of the Data Processor, to conduct such an Audit.
The Parties shall agree well in advance on the time and other details relating to the conduct of such Audits.
The Audit shall be conducted in such a manner that the Data Processor's undertakings towards third parties (including but not limited to the Data Processor's customers, partners and vendors) are in no way jeopardized. All the Data Controller's representatives or external auditors participating in the Audit shall execute customary confidentiality undertakings towards the Data Processor.
8.2 Authorities' right to audit
The Data Processor shall always allow any relevant regulatory authority supervising the Data Controller's business to conduct Audits of the Data Processor's operations, in which case relevant parts of the Parties' agreement hereunder shall apply.
8.3 Cost of auditing
The Data Controller shall bear all Audit expenses and compensate the Data Processor for any and all costs incurred as a result of the Audit.
However, if the Audit reveals material deficiencies in the Data Processor's performance, the Data Processor shall bear its own costs for the Audit.
9. Confidentiality
9.1 Data Processor's undertakings
The Data Processor shall
9.2 Disclosure
In case data subjects or governmental authorities make a request concerning Personal Data, the Data Processor shall, as soon as reasonably possible, inform the Data Controller about such requests before providing any response or taking other action concerning the Personal Data.
In case any applicable authority prescribes an immediate response to a disclosure request, the Data Processor shall inform the Data Controller as soon as reasonably possible, unless the Supplier is prohibited by mandatory law or authority order to disclose such information
10. Limitation of liability
10.1 General
The limitations of liability set out under the Main Agreement shall apply also to this DPA.
10.2 Liability
The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this DPA is based on the principle that the respective Party needs to fulfil its own obligations under the Laws. Hence, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages.
11 Term and Termination
11.1 General
This DPA shall enter into force at the last signature date of the Agreement referring to this DPA. This DPA shall be in effect for the term of the Agreement
11.2 Surviving clauses
All provisions which by nature are intended to survive the termination of this DPA shall remain in full force and effect regardless of the termination of this DPA.
11.3 Changes and amendments
The Supplier has the right to change this DPA from time to time. However, the version of the DPA which was applicable at the time the Agreement entered into force shall govern the Processing between the Parties until terminated as set out under this DPA and relevant Processing Specification. The Supplier will upkeep change history of the DPA. Customer is also encouraged to download this DPA when signing the Agreement.
Please see also other Variantum Legal Documents: