DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements the nOps Terms of Service available at https://www.nops.io/terms-of-service, as updated from time to time , or other agreement between Customer and nOps governing Customer’s use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of the nOps Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and nOps and the nOps Contracting Party or nOps Contracting Parties (as applicable) under the Agreement (together “nOps”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in this DPA. For the purpose of this addendum nOps is both the controller and processor of data.
1. Background and objective
- The Parties entered a contractual relationship that this contract is an extract to (the “Agreement”). Within the scope of its assignment, Processor will/may gain access to and process personal data for which Controller is the data controller. This means that Processor is a data processor for Controller [, or another company in Controller's Group,] in accordance with the applicable data protection legislation.
- The objective of the DPA is to comply with the requirements in the Data Protection Legislation for a written agreement between Controller and Processor.
The terms used in the DPA shall have the same meaning as assigned to them below and in the Data Protection Legislation, which inter alia imply that:
- The term personal data means any information that, directly or indirectly, can identify a living natural person;
- The term processing means any operation or set of operations performed with regard to personal data, whether or not performed by automated means, for example collection, recording, organisation, storage, adaptation or alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction;
- The term data controller means anyone who alone or jointly with others determines the purposes and means of the processing of personal data;
- The term data processor means anyone who processes personal data on behalf of the data controller;
- The term sub-processor means a sub-contractor that is engaged by Processor. The sub-processor processes personal data on behalf of Controller in accordance with the sub-processor’s obligation to provide its services to Processor;
- The term standard data protection clauses adopted by the EU-Commission means standard contractual clauses regulating the transfer of personal data to third countries and that have been adopted by the EU Commission in accordance with Commission Decision C(2010)593 of 5 February 2010 or corresponding decision replacing such decision; and
- The term Data Protection Legislation means applicable data protection legislation. As from 25 May 2018, Regulation (EU) 2016/679 of the European Parliament of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; the “GDPR”) and such national legislation implementing the GDPR is the applicable data protection legislation.
3. Undertaking and instruction
Processor undertakes to process the personal data that it has access to under the Agreement on behalf of Controller, for the purpose of fulfilling the Agreement and during the term of the Agreement. Processor further undertakes:
- To process the personal data in accordance with the Data Protection Legislation, the Agreement and any other documented instructions from Controller. Processor may, however, without instructions process information required by laws of the European Union or national legislation in a member state to which Processor is subject, but shall inform Controller of such requirement prior to processing, provided that Processor is not prohibited to give such information with reference to important grounds of public interest;
- Not to use or utilize personal data transferred to or transferred by Processor, collected to or collected by Processor, produced to or produced by Processor or any other way processed personal data under this DPA in its business.
- To keep the personal data confidential and not to disclose the personal data to any third parties or in any other way use the personal data in contradiction with the Agreement and the DPA. Processor shall also ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- To assist Controller, taking into account the nature of the processing, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to and to fulfil requests from data subjects exercising their rights laid down in Chapter III of the GDPR; and
- To assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (implement security measures, manage personal data breaches, conduct data privacy impact assessments and participate in prior consultations with the supervisory authority) taking into account the nature of the processing and the information available to Processor.
- Not to transfer personal data to a third country or to an international organization outside EU/EEA (together “Third countries”), unless Controller has specifically requested or approved to do so. Such written approval should be requested and provided in writing to every entity and/or transmission receiver separately.
4. Information security
Processor implements all appropriate technical and organisational measures necessary in order to ensure a level of security, as required pursuant to the Data Protection Legislation (Article 32 of the GDPR (32 § Data Protection Act (523/1999)) and other measures necessary in order for Processor to comply with the security requirements set out in the Agreement or that are otherwise required by Controller with reference to the DPA);
Processor undertakes to inform Controller of the technical and organisational measures, which it will implement in order to protect the personal data processed on behalf of Controller. If Processor makes changes that could affect the protection of personal data, Controller shall be informed of this well in advance before such changes are implemented.
In the event of data breach or any potential violation of information security, Processor shall notify Controller without delay after becoming aware of the infringement of information security of personal data or any other violation of Data Protection Legislation, this DPA or the instructions of Controller. As a part of the notification, Processor must inform Controller without delay and in writing all the necessary information about the disturbance and the related measures, especially:
- a description of the nature of the infringement of information security, including the information of registered groups and estimated amount of registered persons affected by the infringement along with the information required by Data Protection Legislation
- necessary information regarding to the statutory obligations and fulfillment of the contractual obligations of Controller. These obligations shall be based, inter alia, Data Protection Legislation, agreements made with third parties and/or a request, a guidance and/or a ruling made by the supervisory authority or a tribunal
- necessary information for preventing similar infringements of the information security and information required for the notifications made for the registered persons and possible third parties.
- Processor shall grant Controller access to all information required in order to verify that the obligations set out in the DPA are complied with. Processor shall facilitate and participate in audits, including inspections, carried out by Controller or a governmental authority or by a third party authorised by Controller. If Controller uses a third party to carry out the audit, that third party shall not be a competitor of Processor and shall undertake confidentiality in relation to Processor's information.
- Processor shall immediately inform and consult with Controller in the event that a supervisory authority initiates or takes any action in relation to Processor with regard to the processing of personal data under the Agreement or the DPA.
6. Engaging sub-processors
- Processor may not engage or replace a sub-processor for the performance of Processor's processing of personal data under the DPA, without obtaining a written approval from Controller in advance.
7. Damages and compensation
- Processor shall, without limitation, hold harmless and indemnify Controller in the event of damage that is attributable to Processor's processing of personal data in breach of the DPA or the Data Protection Legislation. For the avoidance of doubt, administrative fines are imposed on the Party in breach of its obligations and, in consequence, neither party will bear the other Party’s administrative fines.
- Processor's compensation under the Agreement includes compensation for Processor's undertakings under the DPA unless otherwise stated in writing by Parties.
8. Order of validity of contract documents
This DPA is irremovable part of the Agreement. If the terms of the Agreement and terms of this DPA are divergent or otherwise in contradiction, this DPA shall prevail.
- The DPA is effective from its signing and for as long as Processor processes personal data on Controller's behalf.
- In the event that Processor is in breach of its obligations under the DPA or Data Protection Legislation, and fails to remedy the deficiency within thirty (30) days of Processor being notified of the breach, or within the time period agreed between the Parties, Controller has the right to terminate the Agreement with immediate effect or the longer period of notice notified by Controller.
When the Agreement expires or terminates, Processor shall, based on Controller's instructions, delete or return to Controller without any additional cost, in a manner acceptable to Controller, all personal data, and delete existing copies unless storage of personal data is required pursuant to European Union law or the Member State's national law. Processor undertakes to actively seek instructions from Controller without delay.
10. Governing law and Dispute resolution
- The DPA shall be governed by and construed in accordance with EU and US law (GDPR and CCPA), with the exception of conflict of law rules.
- Disputes regarding interpretation and application of the DPA shall be settled in accordance with the provisions in the Agreement regarding dispute resolution.
- In the absence of provisions regarding dispute resolution in the Agreement, this section shall apply. Disputes arising in connection with the DPA shall be finally settled in arbitration in accordance with the applicable laws of the jurisdiction in which nOps operates or intends to operate. The arbitration shall be held by one arbitrator and the arbitral proceedings shall be conducted in the English language and submissions and evidence may be provided and witnesses heard in English. Confidentiality shall apply to the arbitration and the arbitration ruling.