This Data Processing Agreement (hereinafter “DPA”) is entered into by and between Customer and Nova Tools from Nova 4 You PTY LTD (each a “Party” and collectively the “Parties”).
Customer and Mention have entered into an agreement regarding Mention’s provision of Services to the Customer (the “Main Agreement”, as defined in Art. 1 below). This DPA sets out and describes the different aspects and obligations of the Parties with regard to the Processing of Personal Data that may take place when the Customer uses these Services or otherwise as an effect of the Main Agreement.
Furthermore, the Parties may in respect of their relationship and in relation to the Processing of Personal Data take on different roles and responsibilities.
This DPA clarifies when one Party acts as Data Controller and the other Party acts as Data Processor and Processes Personal Data on behalf of the Data Controller, the Parties’ obligations and responsibilities in relation hereto, as well as the written instructions given by the Data Controller as made mandatory by Applicable Data Protection Law.
With respect of the above, the Parties have agreed as follows.
For the purposes hereof and notwithstanding any other definitions provided in the Data Processing Agreement, the following terms shall have the meanings set out below:
Applicable Data Protection Law
Authorized Recipient
Means an administrator, employee or Sub-Processor that has a legitimate need to access Personal Data in connection with the performance of the Main Agreement.
Confidential Information
Refers to all types of information and/or data to which the Parties have access for the execution of the Main Agreement, whatever the format or medium, whether it is Personal Data or not (e.g. financial data, customer data, strategic, technical, professional, administrative, commercial, legal, accounting data, etc.).
Data Controller
Means the Customer, which determines the purposes and means of the Processing of Personal Data.
Data Processor
Means Mention, which Processes Personal Data on behalf of the Data Controller.
Data Subject
Refers to any natural person whose Personal Data is subject to Processing.
Data Processing Agreement or DPA
Refers to this Data Processing Agreement supplemented by Appendix 1: Processing Details: Accessing Data related to a selected mention and performing any action, including posting
Instructions
Refers to all written instructions given to the Data Processor by the Data Controller.
These instructions comply with strict formalism and may only be considered as such if they are formulated in writing in the form of this Data Processing Agreement, an electronic mail or an official paper mail from a duly authorized person.
Main Agreement
Refers to the agreement whereby Mention provides its services to the Customer, to which this Data Processing Agreement is attached.
Personal Data
Refers to any information relating to an identified natural person, or to a natural person who can be identified as such, either directly or indirectly, by grouping together information, by reference to an identification number or to elements specific to said person: name, address, telephone number, IP address, email address, vehicle registration number, professional registration number, identifier/login, password, logging data, etc.
Personal Data Breach
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing
Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose
Refers to the purpose of the Personal Data Processing operations implemented by the Data Controller, in accordance with Appendix 1.
Regulatory Authority
Refers to any competent authority with regard to the Processing of Personal Data.
Refers to the special categories of Personal Data whose Processing is prohibited in principle. These are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Security Policy
Refers to Mention’s internal security policy, which is updated regularly. This policy, detailing the security measures specifically implemented, may be forwarded upon request by the Customer.
Services
Refers to the services provided by Mention under the Main Agreement.
Refers to any State that is not a member of the GDPR Union.
This terminology also includes any international organization with countries that are not members of the GDPR Union.
DURATION AND CONTRACTUAL PRIORITIZATION
This Data Processing Agreement comes into force upon the Customer’s consent to be bound by the Main Agreement and remains applicable throughout the duration of the Main Agreement.
The Data Processor shall delete, or at the Data Controller’s request return to the Data Controller, all Personal Data Processed under this Data Processing Agreement at the end of the period of time so set, including deleting existing copies, unless EU law (including the laws of its member states) requires storage of the Personal Data.
This Data Processing Agreement substitutes any applicable Personal Data protection clauses that may be contained in the Main Agreement. In case of contradiction, the Parties expressly agree that this Data Processing Agreement shall prevail over the Main Agreement.
APPOINTMENT AND ROLE OF MENTION
The Customer, in its capacity as Data Controller, designates Mention as Data Processor to process Personal Data in its name and on its behalf in order to achieve the authorized Purpose referred to in Appendix 1 to this Data Processing Agreement in connection with the performance of the Services.
INSTRUCTIONS AND COMPLIANCE
The Data Processor guarantees the Data Controller that it:
Only processes Personal Data that is necessary for the authorized Purposes, in accordance with the Instructions referred to in Appendix 1, and shall not process Personal Data for other purposes;
Complies with Applicable Data Protection Laws as well as the Instructions issued by the Data Controller, and oversees compliance with them by Authorized Recipients and Sub-Processors;
Ensures that all systems, services and products used in connection with the Processing of Personal Data comply with Applicable Data Protection Laws;
Cooperates and complies with the instructions or decisions of any Regulatory Authority within a deadline that would allow the Data Controller to comply with the deadlines imposed by such Authority; and
Does not do or fail to do or permit anything to be done that would cause the Data Controller to violate Applicable Data Protection Laws;
Uses the Services in accordance with Applicable Data Protection Law.
COOPERATION AND ASSISTANCE
The Data Processor commits to:
Designate a contact for the Data Controller. This contact must have the necessary experience, competence, authority and resources to carry out their mission;
Adhere to and actively participate in a cooperative approach in order to ensure compliance with Applicable Data Protection Laws and the good practices recommended by the Data Controller under said Applicable Data Protection Laws. As such, the Data Processor commits to provide the Data Controller with all reasonable means to ensure full cooperation, information about the Processing operations and assistance in the event of a complaint, request for advice, communication, or actual or suspected breach of security affecting Personal Data;
Raise awareness of its staff on issues related to the protection of Personal Data;
Modify, transfer and/or remove Personal Data held by it, or held on behalf of the Data Controller by a Sub-Processor, in accordance with any written Instruction of the Data Controller;
Immediately inform the Data Controller:
If the Instructions issued by the Data Controller relating to Processing are illegal or appear to be contrary to the doctrine and recommendations of a Regulatory Authority;
If a Personal Data Breach occurs, or in the event of the occurrence of a security breach affecting the Data Processor’s information system or that of one of its Sub-Processors, immediately after having become aware of it under the conditions provided for in Article 6 of this Data Processing Agreement;
If the Data Processor or a Sub-Processor receives a complaint, opinion or communication from a Regulatory Authority that directly or indirectly concerns the Processing operations or the compliance of either Party with Applicable Data Protection Laws;
If the Data Processor or a Sub-Processor receives a complaint, opinion or communication from a Data Subject in connection with the exercise of their rights;
Assist the Data Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the Processing operation and the information made available to the Data Processor. This assistance may include the provision of information and the performance of data protection impact assessments in relation to the Processing operations implemented by the Data Processor.
The Data Processor commits to:
Ensure that appropriate technical and organizational measures have been set up against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data held or processed by the Data Processor, including all measures necessary to ensure compliance with the security requirements of the Personal Data provided by Applicable Data Protection Laws;
Implement the Security Policy;
Ensure that Authorized Recipients and Sub-Processors comply with the provisions of its Security Policy, and incorporate all reasonable requests from the Data Controller relating to security and the Processing of Personal Data.
If an actual or potential Personal Data Breach occurs, affecting the Data Processor’s Services or those of a Sub-Processor, the Data Processor commits to:
Notify the Data Controller of any security breach that may result in a Personal Data Breach as soon as possible, no later than one (1) business day after becoming aware of the breach, by electronic mail;
Accompany the notification with all relevant documentation to enable the Data Controller to notify the Personal Data Breach to the competent Supervisory Authority or to Data Subjects. The Data Processor will specify the following as much as possible:
A description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned by the Personal Data Breach;
The name and contact details of the Data Protection Officer and/or another contact point from which further information can be obtained;
A description of the consequences of the Personal Data Breach; and
A description of the measures taken by the Data Processor to remedy the Personal Data Breach, including measures to mitigate any negative consequences.
The information mentioned above may be provided in a staggered manner and without undue delay if it is not possible for the Data Processor to provide all the information at the same time, or if clarifications can be made on elements already provided.
The Data Processor will perform an annual review of its Security Policy and update it regularly to include:
Changes in technological progress and best practices;
Any changes or suggested changes to the Data Processor procedures, sites and systems, Services and/or associated processes;
Any new perceived or modified threats to the Data Processor’s procedures, sites and systems; and
Any reasonable request to modify the practices transmitted by the Data Controller.
As part of its accountability obligations, the Data Processor commits to:
Regularly update its record of Processing activities in accordance with Article 30 of the GDPR, and to keep a written record of any Processing operations and Instructions relating to the Processing carried out on behalf of the Data Controller;
Regularly update its security breach record, which is completed by the Data Processor as soon as a Personal Data Breach occurs, whether or not such Personal Data Breach has been notified to the Regulatory Authority;
Build and keep documentation relating to the training or awareness-raising of the Data Processor’s staff with regard to the protection of Personal Data;
Regularly update its Security Policy, as provided for in Article 6.
RECIPIENTS OF PERSONAL DATA
The Data Processor commits to:
Restrict access to Personal Data to the Authorized Recipients and Sub-Processors needing access to Personal Data. If any of the Data Processor’s employees has access to Personal Data, the Data Processor will ensure that such access is appropriate to that employee’s duties;
Ensure that the Authorized Recipients are aware of Applicable Data Protection Laws and are aware of the Data Processor’s duties and their personal duties and obligations under Applicable Data Protection Laws as well as this Data Processing Agreement;
Impose on the Authorized Recipients and Sub-Processors legally binding confidentiality and security obligations equivalent to those contained in this Data Processing Agreement; and
Ensure that the Authorized Recipients and Sub-Processors comply with Applicable Data Protection Laws and document this obligation in writing.
As part of the performance of the Services, the Data Processor is expressly authorized by the Data Controller to appoint one or more Sub-Processors in order to perform Processing operations on Personal Data:
Provided that the Data Processor first notifies the Data Controller who may object to such measures within ten (10) days. The Data Controller’s objection must be based on reasonable grounds, for example if the Data Controller can show that the use of the intended Sub-Processor causes significant risks in relation to the protection of the Personal Data. If the Data Controller and the Data Processor are unable to settle the objection, the Data Processor has the right to immediately terminate the Main Agreement, including for the sake of clarity this DPA, by giving the Data Controller written notice to that effect.
Provided that a sub-processing agreement is entered into with the Sub-Processor prior to transfer of or access to Personal Data, and that the agreement includes the same obligations relating to the Processing as those set out in this Data Processing Agreement; and
Provided that the Data Processor ensures that the Sub-Processor complies with the Personal Data protection and confidentiality obligations set forth in the sub-processing agreement.
Any further sub-contracting relating to the Services does not relieve the Data Processor of its responsibilities and obligations to the Data Controller under this Data Processing Agreement. The Data Processor shall remain fully responsible for the acts and omissions of its sub-processors.
The Data Processor undertakes, in relation with a request to exercise a Data Subject’s rights:
To notify the Data Controller within five (5) business days of any request from a Data Subject wishing to exercise his/her rights under Applicable Data Protection Laws, including in particular requests for access, rectification, erasure of Personal Data as well as requests for portability of Personal Data and opposition to Processing;
To fully cooperate with the Data Controller in order to answer Data Subjects’ requests to exercise their rights under Applicable Data Protection Laws within reasonable time limits in consideration of their nature and number; and
Not to disclose to Data Subjects any Personal Data without consulting and obtaining the prior written consent of the Data Controller.
Any operation carried out by the Data Processor in the context of a request to exercise a right may, if necessary, give rise to additional invoicing with regard to the technical investigations carried out.
TRANSFERS TO THIRD COUNTRIES
The Data Processor may Process Personal Data in a country outside of the EU/EEA provided that the Data Processor first notifies the Data Controller who may object to such measures within ten (10) days. The Data Controller’s objection must be based on reasonable grounds, for example if the Data Controller can show that the destination country causes significant risks in relation to the protection of the Personal Data.
In any case, transfer of Personal Data shall be achieved by establishing a binding agreement, in accordance with the applicable EU Commission Model Contracts for the transfer of Personal Data to third countries, between the Data Processor and any Sub-Processors. Processing in a country outside the EU/EEA may also take place on the basis of a valid adequacy decision or on the basis of binding corporate rules that have been approved by the relevant supervisory authorities, to the extent the Data Processor and the relevant sub-processors have adopted the same binding corporate rules.
Throughout the Main Agreement’s duration, the Data Controller may identify additional requirements, other than those identified in this Data Processing Agreement, in order to comply with its obligations under Applicable Data Protection Laws.
Where the Data Controller identifies additional requirements, the Parties shall cooperate in good faith to amend the Main Agreement in order to allow the Processing activities to comply with such additional requirements. The costs associated with the implementation of such additional requirements shall be borne by the Data Controller.
The Data Processor shall indemnify the Data Controller for all and any direct damages suffered by the Data Controller in connection with a breach, by the Data Processor, its employees, representatives, agents or Sub-Processors (including Authorized Recipients) of its obligations under this Data Processing Agreement.
The Data Processor commits to implement all necessary and reasonable means to ensure the security of the Processing operations and shall be liable for damages related to a security failure attributable to the Data Processor resulting in the unavailability, loss of traceability, doubt as to the integrity or lack of confidentiality of the Personal Data. It is expressly agreed between the Parties that computer security risks can never be entirely eliminated and that the Data Processor is bound in this respect to a strict obligation of means, excluding any obligation of result.
Each Party shall within reasonable time notify the other Party in writing if it receives a claim for damages or other liability and provide the other Party with sufficient insight to the documentation in order for such Party to prepare its defense and/or limit the damage.
In any event, the Data Processor’s liability for costs, expenses, losses, damages or other liabilities arising out of or in connection with the breach of this Data Processing Agreement (whether by the Data Processor or its employees, representatives, agents or Sub-Processors, or the Authorized Recipients) may only be sought for one (1) year from knowledge of the damage.
AUDIT AND CONTROL
The Data Controller may commission audits aimed at verifying the Data Processor’s level of compliance. Said audits will cover the elements referred to in Article 7 of this Data Processing Agreement.
The Data Controller may commission impartial audits for compliance with the Data Protection Regulation to be carried out on the Processing operations implemented for the purpose of performing the Services under the conditions defined below:
The audit shall be carried out by an external auditor selected together by the Parties for its expertise, independence and impartiality;
The selected auditor shall be bound by a confidentiality agreement and/or by professional secrecy;
The Data Controller shall notify the Data Processor in writing, a minimum of fifteen (15) working days in advance, of its intention to have a compliance audit conducted;
In no way shall the audit carried out deteriorate or slow down the Services offered by the Data Processor or affect the Data Processor’s organizational management. The audit shall not include any actions that could potentially damage the infrastructure hosting the Personal Data or interfere with other Services provided by the Data Processor to other providers;
A copy of the audit report shall be provided to the Data Controller as well as to the Data Processor, reporting the results of the audit mission and for which comments may be made by the Parties. This report may, if necessary, be the subject of an in-depth review by a steering committee;
The costs of the compliance audit shall be exclusively borne by the Data Controller;
The Data Controller may only commission compliance audits up to a maximum of one (1) audit per year; and
The Data Processor will have a period of three (3) months from the communication of the audit report to correct, at its own expense, the shortcomings and/or non-compliances observed.
The Data Processor undertakes to allow the selected auditors access to its sites, facilities, documents and information necessary to evaluate its level of compliance, and to cooperate fully with them for the proper performance of their mission.
In the event of a control carried out by a competent Regulatory Authority that may be of interest to the Data Controller’s Processing, the Data Processor commits to cooperate fully with the Regulatory Authority.
In the event of a control carried out by a competent Regulatory Authority with regard to the Data Controller, the Data Processor commits to fully assist the Data Controller with regard to the Processing operations carried out under this Data Processing Agreement.
All Personal Data collected for the purposes of audits and controls is considered as “Confidential Information” within the meaning of the Main Agreement.
MODIFICATION OF THE DATA PROCESSING AGREEMENT
This Data Processing Agreement may not be amended except in writing signed by the duly authorized representatives of each of the Parties.
If Applicable Data Protection Laws are amended, it is agreed that the Parties may revise the provisions of this Data Processing Agreement and negotiate in good faith with the aim to comply with the updated Applicable Data Protection Laws.