BACKGROUND
This Agreement is part of the subscription agreement between the Processor and the Controller (the “Service Agreement”). The Controller is the data controller in relation to the processing of the personal data. The Processor is a data processor, processing the personal data on behalf of the Controller.
1. DOCUMENTS
This Agreement consists of this main document and the following appendices:
Appendix 1: Instructions to the Processor
Appendix 2: Security Measures
Appendix 3: Approved Sub-Processors
2. DEFINITIONS AND INTERPRETATION
In this Agreement, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation.
“Applicable Legislation” means the GDPR and any applicable supplementary legislation.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.
“Data” means the information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as specified in Appendix 1 hereto.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Data transmitted, stored or otherwise processed.
“Data Protection Laws” means Applicable Legislation and, to the extent applicable, the data protection or privacy laws of any other country, as amended, supplemented and/or varied from time to time.
The Parties shall negotiate in good faith and agree on any relevant and necessary amendments and updates to this Agreement and the processing carried out hereunder to ensure that it complies with applicable Data Protection Laws at all times during the term of this Agreement.
3. INSTRUCTIONS
3.1 The Processor shall process the Data in accordance with the Controller’s written instructions set forth in Appendix 1. The instructions shall at least include the following information: the purpose(s) of the processing; the character of the processing activities; the duration of the processing activities; the categories of Data; and the categories of data subjects included in the processing activities.
3.2 The Processor may not process the Data for any other purposes or in any other way than as instructed by the Controller from time to time. The Parties shall update Appendix 1 in the event of new or amended instructions, and any such new or amended instructions shall be immediately forwarded to all relevant employees working for the Processor as the new instructions of the Controller.
3.3 If the Processor considers that any instruction violates applicable Data Protection Laws, the Processor shall refrain from acting on such instructions and shall promptly notify the Controller and await amended instructions.
3.4 The Processor has developed a methodology to ensure that the GDPR principle of privacy by design is implemented in all projects in which it acts as a processor. In this process, various steps are undertaken together with the Controller, including a more detailed definition of the information set forth in Appendix 1, which occurs after signature of this Agreement.
4. THE CONTROLLER’S OBLIGATION TO PROCESS DATA LAWFULLY
4.1 The Controller shall obtain explicit and legally valid consents from each data subject for the processing of the Data or ensure that another legal ground recognized under applicable Data Protection Laws applies for processing of the Data. The Controller shall further meet all other obligations of a controller under applicable Data Protection Laws (including requirements to properly inform the data subjects of the processing of the Data).
4.2 The Controller’s instructions for the processing of the Data shall comply with applicable Data Protection Laws. The Controller shall have sole responsibility for the quality and legality of the Data and how it acquired the Data.
5. THE PROCESSOR’S OBLIGATION TO PROCESS DATA LAWFULLY
5.1 The Processor agrees that it will (a) comply at all times with all requirements of applicable Data Protection Laws in its provision of services to the Controller and in its processing of the Data and (b) provide all reasonable assistance (both proactively and in response to the Controller’s instructions) to ensure that, while working together, the Controller and the Processor remain in compliance with applicable Data Protection Laws.
6. SECURITY MEASURES
6.1 The Processor shall maintain adequate security measures to ensure that the Data is protected against destruction, modification, and proliferation. The Processor shall further ensure that Data is protected against unauthorized access and that access events are logged and traceable. The security measures are described in Appendix 2.
6.2 The Processor shall ensure (i) that only authorized employees have access to the Data, (ii) that the authorized employees process the Data only in accordance with this Agreement and the Controller’s instructions and (iii) that each authorized employee is bound by a confidentiality undertaking towards the Processor in relation to the Data.
6.3 The Processor shall notify the Controller immediately after becoming aware of a Data Breach. The Processor shall cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of such Data Breach. Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations to (i) document any Data Breach, (ii) notify the applicable supervisory authority of any Data Breach and (iii) communicate such Data Breach to the data subjects, in accordance with applicable Data Protection Laws.
7. THE PROCESSOR’S OBLIGATIONS TO ASSIST
7.1 The Processor shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under applicable Data Protection Laws by ensuring appropriate technical and organizational measures. The data subjects’ rights include (i) rights to object to the processing and have the Data erased, (ii) rights to request information about and access to the Data, (iii) if technically viable, rights to move Data from one controller to another, and (iv) rights to request correction of Data.
7.2 The Processor shall further assist the Controller in relation to the Controller’s obligations under Articles 32-36 of the GDPR (such obligations include (i) ensuring security of the processing, (ii) impact assessments regarding data protection and (iii) prior consultations).
7.3 The Processor will provide the Controller with a point of contact within its organization who will respond to inquiries regarding the processing of the Data, and will cooperate in good faith with the Controller, the data subject, and if applicable the relevant authority, to take all necessary actions in a prompt timeframe.
7.4 In the event that a person makes a request concerning their personal data that may be included in the Data processed pursuant to this Agreement, the Processor agrees to cooperate with the Controller in understanding, actioning and responding to such request. In the event that the request is made directly to the Processor, the Processor agrees to notify the Controller immediately in writing. For the avoidance of doubt, any reference to “writing” or “written” in this Agreement includes email.
8. SUB-PROCESSORS
8.1 The Processor may engage third parties to process the Data or any part thereof on its behalf (“Sub-Processor”), provided that the Controller has been informed thereof in writing and has not objected in writing within 10 days after such information was provided (in which event they are “Approved Sub-Processors”). Approved Sub-Processors are listed in Appendix 3 hereto (which shall be updated in the event of changes to the Approved Sub-Processors). Appendix 3 shall list the following information regarding each Approved Sub-Processor:
8.2 The Processor shall enter into a written agreement with every Sub-Processor, in which each Sub-Processor undertakes obligations at least as stringent as those undertaken by the Processor under this Agreement.
8.3 The Processor shall remain fully liable for all acts or omissions of any Sub-Processors.
9. TRANSFERS TO THIRD COUNTRIES
9.1 The Processor may not transfer Data outside the EU/EEA, or engage a Sub-Processor to process Data outside of the EU/EEA, without the Controller’s consent and upon such consent only if at least one of the following prerequisites is fulfilled, and provided that the Processor has otherwise complied with all applicable Data Protection Laws in relation to such transfers:
10. AUDIT
10.1 Upon the Controller’s request, the Processor will provide to the Controller information necessary to demonstrate the Processor’s compliance with its obligations under applicable Data Protection Laws.
10.2 The Controller shall be entitled, on five (5) workdays’ written notice, to carry out an audit of the Processor’s processing of the Data and of information relevant in that respect. The Processor shall assist the Controller and disclose any information necessary for the Controller to carry out such audit. The Controller shall bear the costs of such audit.
10.3 The Processor will pay any outstanding fees or charges revealed by an audit within thirty (30) calendar days of receipt of an invoice from the Controller.
10.4 If a Data Protection Authority carries out an audit of the Processor which may involve the processing of Data, the Processor shall promptly notify the Controller thereof.
11. LIMITATION OF LIABILITY
11.1 The Processor’s liability arising out of or related to this Agreement shall not be subject to any limitation or exclusion in the event of (i) gross negligence, wilful misconduct, fraud, (ii) personal injury, (iii) breach by the Processor of its confidentiality obligations or (iv) breach of Data protection obligations.
11.2 Under no circumstances will the Controller, its affiliates or its representatives be liable to the Processor, whether in contract, misrepresentation (whether tortious or statutory), tort (including negligence), breach of statutory duty or otherwise, for (a) any indirect, special, or consequential loss; or (b) any loss of revenues, loss of profits, loss of contracts, anticipated savings or loss of business of any kind or nature arising under or in connection with this Agreement or otherwise. The total liability of the Controller, its affiliates and its representatives to the Processor in respect of any liability, including under law, contract, misrepresentation (whether tortious or statutory), tort (including negligence), breach of statutory duty, or otherwise, will in no circumstances exceed the fees paid by the Controller for the services in the twelve months preceding the event in respect of which such liability is alleged to arise.
12. CONFIDENTIALITY
12.1 The Processor undertakes not to disclose, copy, or provide any Data, or any information related to the Data, to any third party. For the avoidance of doubt, any approved Sub-Processor shall not be considered a third party for the purposes of this Section 12.
12.2 Notwithstanding Section 12.1 above, the Processor may disclose such information if the Processor is obliged to do so by law, by judgement of a court or by decision of a competent authority. When such obligation arises, the Processor shall promptly notify the Controller in writing before disclosure, unless restricted from doing so under applicable Data Protection Laws.
12.3 The confidentiality obligation will continue to apply also after the termination of this Agreement without limitation in time.
12.4 The Processor has implemented and maintains administrative, technical and organisational measures appropriate to the Data it collects and subject to the terms and conditions set out in the applicable Data Protection Laws and regulations, for the purpose of protecting the Data provided to the Processor against unauthorised or unlawful access and accidental loss, damage, alteration or destruction of Data. Only authorised staff may access the Data and they may only do so for the permitted business purposes and they are obligated to keep all Data confidential.
13. RETURN AND DELETION OF DATA
13.1 The Controller shall, upon termination of the Service Agreement, instruct the Processor in writing whether or not to transfer the Data to the Controller (such transfer to be made in a mutually agreed format). The Processor will erase the Data from its systems no earlier than 30 days and no later than 40 days after the effective date of termination of the Service Agreement.
14. TERM
14.1 This Agreement shall, notwithstanding the term of the Service Agreement, enter into effect when the Processor commences to process Data on behalf of the Controller and shall terminate when the Processor has erased the Data in accordance with Section 12.1 above.
15. GOVERNING LAW
15.1 This Agreement is governed by English law.
15.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the English courts.
APPENDIX 1: INSTRUCTIONS TO THE PROCESSOR
Any processing carried out by the Processor shall be carried out in accordance with the following instructions. If the Processor processes Data in violation of these instructions, the Processor will be deemed the data controller and will be liable for breach of its obligations as the Processor.
Types of Data that Processor may collect and process:
Purposes:
Duration: the processing will be carried out while the Service Agreement remains in force between the Parties and no later than 40 days after its termination.
Categories of data subjects: Controller’s end-users (members, job candidates, employees, and/or others).
APPENDIX 2: SECURITY MEASURES
The Processor must have in place all of the following security measures in order to conduct any processing. If the Processor fails to maintain such security measures and processes the Data without such security measures in place, the Processor will be liable for breach of its obligations as the Processor.
Technical and organizational measures
As a minimum, the appropriate technical and organizational precautions are as follows (but are not limited to these):
When processing Data, the Processor must put the following security measures into practice:
Data transmission to non-EU/EEA countries
The Data processing is only to be handled by the Processor or Approved Sub-Processors located within the EU/EEA. The Controller gives the Processor or Approved Sub-Processors explicit permission for the transmission of Data to non-EU/EEA countries in accordance with the legal requirements of Articles 44-50 of the EU General Data Protection Regulation for the following countries, provided that the Processor has ensured that there are sufficient safeguards in place by adding additional measures when needed:

| Non-EU/EEA country processing Data | Legal framework |
| --- | --- |
| USA | EU Standard Contractual Clauses |
APPENDIX 3: APPROVED SUB-PROCESSORS
Pursuant to Section 8, the Controller hereby accepts and authorises the Processor to engage Sub-Processors in the processing of Data, provided that the Controller has been informed in writing and has not objected in writing within 10 days.
However, the Sub-Processors listed below are considered authorised from the commencement of this Agreement:

| Company | Corporate headquarters | Server location | Service | Purpose |
| --- | --- | --- | --- | --- |
| Amazon, Inc. | USA | Germany | Amazon Web Services (AWS) | FirstMind is built on Amazon Web Services, which hosts all production data and the systems that process this data. |
| Mailgun Technologies, Inc. | USA | EU (EEA) | Email processing | Automated/transactional outgoing email is processed by the Mailgun messaging engine. Emails are stored for 3 days. |
| Stripe | USA | EU (EEA) | Payment provider | FirstMind uses Stripe’s payment infrastructure to process payments from its customers. |