Overview of the Legentic DPA
GENERAL
This data processing agreement (the "Data Processing Agreement") governs Legentic’s processing of Personal Data in the role of a data processor ("Data Processor") on behalf of the Client in the role of a data controller ("Data Controller") and forms an integral part of the Agreement. Its purpose is to ensure that Personal Data is not used improperly or disclosed without prior authorisation or otherwise in contravention to the applicable data protection law. The Data Processing Agreement may be amended due to requirements by supervisory or governmental authorities or due to changes in applicable data protection law. The subject matter of the processing of the Personal Data under this Data Processing Agreement is the provision of the Solution and the fulfilment of other contractual obligations by the Data Processor to the Data Controller as set forth in the Agreement. The categories of Data subjects and Personal Data will be those that are contained in the Solution and that the Data Controller access when utilising the same, as well as any Personal Data belonging to the Data Controller’s users or which is generated by the same.
THE DATA CONTROLLER’S OBLIGATIONS
The Data Controller is responsible for ensuring a lawful basis for its processing of Personal Data and for determining the purposes for and the means by which the Data Processor shall process Personal Data in accordance with this Data Processing Agreement. The Data Controller warrants that it is entitled to transfer or provide access to the Personal Data to the Data Processor and/or the Data Processor's sub-processors in accordance with applicable data protection law.
THE DATA PROCESSOR’S OBLIGATIONS
The Data Processor shall only process Personal Data for the purpose of fulfilling the Agreement and in accordance with the Data Controller's documented instructions and the applicable data protection law. Unless mandated by applicable data protection law, the Data Controller acknowledges that this Data Processing Agreement constitutes its complete and final instructions to the Data Processor with respect to the processing of Personal Data. The Data Processor may claim compensation for time spent and reasonable and documentable expenses incurred by the Data Processor as a result of new or amended documented instructions or routines from the Data Controller. The Data Processor shall only process Personal Data for the duration of the Agreement.
The Processor shall only grant access to Personal Data to persons who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need-to-know basis. The Processor shall at the request of the Controller demonstrate that the concerned persons under the Processor’s authority are subject to the abovementioned confidentiality.
The Data Processor shall implement all requirements for security measures imposed by the at all times applicable data protection law, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
At the request of the Data Controller and upon reasonable notice, the Data Processor shall assist the Data Controller with its obligations pursuant to Article 32 to 36 of the GDPR and applicable data protection law, including information security, personal data breach notifications and impact assessments. The Data Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.
The Data Processor shall notify the Data Controller without undue delay if the Data Processor is of the opinion that the Data Controller's documented instructions are contrary to applicable data protection law.
The Data Processor shall assist the Data Controller in safeguarding the rights of the data subjects in accordance with Chapter III of the GDPR. This applies to, but is not limited to, providing information on how the Personal Data is processed, handling inquiries concerning access to Personal Data and fulfilling the data subjects’ rights to demand correction or deletion of the Personal Data.
If the Data Processor receives a request from a supervisory authority or a Data Subject concerning the processing of Personal Data under this Data Processing Agreement, it shall forward such request to the Data Controller without undue delay. The Data Processor will not respond to such requests without prior instruction from the Data Controller unless compelled by law, in which case the Data Processor will notify the Data Controller of this unless legally prohibited. The Data Processor may claim compensation for time spent and reasonable and necessary expenses incurred as a result of such assistance.
PERSONAL DATA BREACH
The Data Processor is obliged to notify the Data Controller without undue delay if the Processor discovers that Personal Data is or has been exposed to unauthorised access, dissemination, alteration, damage, destruction or inaccessibility or another form of security breach or otherwise
used in an unauthorised manner or handled in violation of the data protection law and/or the terms of this Data Processing Agreement.
The notification shall, as far as possible, contain the following information:
A description of the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned. The name and contact details of the data protection officer or other contact point with the Data Processor. A description of the likely consequences of the personal data breach. A description of the measures taken or proposed to be taken in order to handle the Personal Data breach, including, where appropriate, measures to mitigate any adverse effects resulting from the breach. If all information under above cannot be provided on the first notice, the information shall be given successively as soon as it is available.
In the event of a personal data breach, the Data Processor shall cooperate with the Data Controller in order to detect, mitigate and rectify the breach. The Data Processor agrees and understands that, except when the Data Processor is required to do so by applicable law, the Data Controller has the sole right to determine: whether to provide notice of the breach to any data subjects or to the Data Protection Authority, as required by law or regulation or at the Data Controller’s discretion, including the contents and delivery method of the notice; and whether to offer any type of remedy to affected data subjects, including the nature and extent of such remedy.
SUB-PROCESSING
The Data Processor is entitled to use sub-processors to process Personal Data on behalf of the Data Controller. The Data Processor shall ensure that all sub-processors are informed of and bound by substantially the same requirements for information security, confidentiality, use and other requirements set forth in this Data Processing Agreement, and at a minimum, the requirements in the applicable data protection law. If the Data Processor wishes to engage a new sub-processor, the Data Processor must notify the Data Controller of this at least one month before the sub-processor begins processing the Personal Data. The Data Controller may deny the use of such a sub-processor only if the Data Controller has well-grounded doubts about the ability of the sub-processor to comply with the applicable data protection law. If the Data Controller has not opposed the intended sub-processor within 10 days of the Data Processor's notice, the sub-processor shall be deemed approved by the Data Controller. If the Data Controller opposes the use of the sub-processor, the Parties shall negotiate in good faith on how to resolve this issue. If the negotiations do not resolve the issue, the Data Processor may terminate the Agreement with reasonable notice. The Data Controller shall be entitled to receive a copy of any sub-processing agreement between the Data Processor and a sub-processor. The Data Processor is entitled to redact such parts of relevant contract documents that are irrelevant for the control purposes of this Data Processing Agreement (e.g. financial conditions).
The Data Processor remains fully liable to the Data Controller for the performance of the sub-data processors' obligations. At the conclusion of this Data Processing Agreement, the Data Controller has approved the sub-processors listed in Appendix A below.
TRANSFER
Where the Data Processor’s processing concerns personal data about data subjects in the EU/EEA, the Data Processor shall not transfer or provide access to Personal Data to countries outside the EU/EEA or to countries other than those considered by the European Commission to have an adequate level of protection, unless such transfer is authorised by the Data Controller or the Data Processor is obligated to carry out the transfer in accordance with applicable law. If the Data Processor is obligated by law to transfer Personal Data, the Data Controller shall be informed of this to the extent legally permitted. If the Data Controller has authorised the transfer of Personal Data to sub-processors located in countries outside the EU/EEA or other countries than the EU Commission has deemed to have an adequate level of protection, the transfer shall be carried out using the EU Standard Contractual Clauses (SCC). The Data Controller authorises the Data Processor to enter into EU Standard Contractual Clauses on behalf of the Data Controller.
AUDITS
The Data Processor shall, as far as necessary to demonstrate compliance with the obligations under Article 28 of the GDPR, allow and assist the Data Controller or an independent third party appointed by the Data Controller to carry out audits, including inspections.
The Data Controller shall, insofar as possible, give the Data Processor notice in reasonable time when requiring access and control, normally at least 30 days. For request for access to documents at least 14 days’ notice should be given. Audits shall not impair the confidentiality, integrity and access to Personal Data, nor shall it impair the confidentiality, integrity and access to the Data Processor’s internal reports, prices or other clients’ information.
The Data Processor is obliged to give the supervisory authorities or representatives acting on behalf of such authorities’ access to the Data Processor's physical facilities after presentation of appropriate identification and basis for the access. The Data Controller shall cover its own costs in carrying out the audit and the Data Processor may claim compensation for time spent and necessary expenses incurred in connection with the audit. If the audits reveal defects, the Data Processor shall promptly rectify such deficiencies at no cost to the Controller. Any material deficiencies that constitute an obvious threat to information security should be corrected immediately.
TERM AND TERMINATION
This Data Processing Agreement shall apply for as long as the Data Processor processes personal data on behalf of the Data Controller.
In the event of a breach of this Data Processing Agreement or the data protection law, the Data Controller may instruct the Data Processor to discontinue further processing of the Personal Data with immediate effect. Upon termination of the Data Processing Agreement, the Data Processor shall cease the processing of all Personal Data and, in accordance with the Data Controller's documented instructions, return or destroy any data containing information covered by the Data Processing Agreement unless it is required to retain some or all of the Personal Data, in which case the Data Processor will be considered a data controller for the same. If shared infrastructure is used where direct erasure is not directly possible, the Data Processor shall ensure that Personal Data is rendered unavailable until such data is overwritten by the system. If the Data Controller requires the Data Processor to provide the Personal Data to a third party, the Data Processor may claim compensation for time spent and necessary expenses incurred as a result of such assistance.