DATA PROCESSING AGREEMENT

Similar documents
Learning Management System - Privacy Policy

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement

Data Processor Agreement

Data Processing Agreement

DATA PROCESSING AGREEMENT

German Data Processing Addendum MailChimp

Customer EU Data Processing Addendum

Data Processing Agreement

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

have concluded the following data processing agreement (hereinafter the Data Processing Agreement or this Agreement ):

EU Data Protection Agreement

Data Processing Clauses

HPE DATA PRIVACY AND SECURITY

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Eco Web Hosting Security and Data Processing Agreement

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

DATA PROCESSING TERMS

Motorola Mobility Binding Corporate Rules (BCRs)

Data Processing Agreement

DATA PROTECTION POLICY THE HOLST GROUP

Privacy Policy... 1 EU-U.S. Privacy Shield Policy... 2

Terms and Conditions for Allegion Data Processing and Transfer

EU Data Protection Agreement

Building Information Modeling and Digital Data Exhibit

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

UWTSD Group Data Protection Policy

Subject: Kier Group plc Data Protection Policy

REGISTRAR AGREEMENT. Domain Name means a domain name allocated under the.eu Top Level Domain and its variants in other scripts.

EU GDPR - DATA PROCESSING ADDENDUM INSTRUCTIONS FOR CDNETWORKS CUSTOMERS

The use of Workbench Services and INFORM Services are governed by and subject to these Electronic Access Terms and Conditions ( EATCs ).

Schedule EHR Access Services

Secure Messaging Mobile App Privacy Policy. Privacy Policy Highlights

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Juniper Networks Data Subprocessing Agreement

Introductory guide to data sharing. lewissilkin.com

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

PS Mailing Services Ltd Data Protection Policy May 2018

HIGHSOFT SOLUTIONS AS STANDARD LICENSE TERMS AND CONDITIONS 2.2

DATA PROCESSING ADDENDUM

Privacy Policy Effective May 25 th 2018

Saba Hosted Customer Privacy Policy

Data Protection Policy

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

Data Processing Agreement DPA

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

Data Processing Amendment to Google Apps Enterprise Agreement

Deloitte Audit and Assurance Tools

User Terms of Service

EU-US PRIVACY SHIELD POLICY (Updated April 11, 2018)

Data Breach Notification: what EU law means for your information security strategy

1 Privacy Statement INDEX

Keeper Data Processing Agreement

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Privacy Notice - General Data Protection Regulation ( GDPR )

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

Data Breach Incident Management Policy

Rules for Commissioned Processing. (DDV Declaration of Conformity)

Privacy Shield Policy

Individual Agreement. commissioned processing

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

ROYAL MAIL GROUP ADDRESS MANAGEMENT UNIT PAF DATA END USER TERMS ( End User Terms )

Online Ad-hoc Privacy Notice

Privacy Notice for Business Partners

Privacy Policy. Effective date: 21 May 2018

PRIVACY POLICY. Personal Information We Collect

ADIENT VENDOR SECURITY STANDARD

PERSONAL DATA PROTECTION POLICY

NOOTRY TERMS OF SERVICE

IBM Sterling B2B Services File Transfer Service

AGREEMENT FOR USE OF NORTHERN POWERGRID ELECTRONIC MAINS RECORDS

SURGICAL REVIEW CORPORATION Privacy Policy

CAPGEMINI BINDING CORPORATE RULES

Domain Hosting Terms and Conditions

1.3 Please follow the links below for further information. Where relevant, we have made a distinction between different categories of data subjects:

VIACOM INC. PRIVACY SHIELD PRIVACY POLICY

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

PRIVACY POLICY OF THE WEB SITE

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

Entrust SSL Web Server Certificate Subscription Agreement

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

PRIVACY NOTICE. 1.2 We may obtain or collect your Personal Data from various sources including but not limited to:

As set out in the Hong Kong ID card, or any relevant identification document referred to in 1(g) above.

1. License Grant; Related Provisions.

END USER LICENSE AGREEMENT COMODO CLOUD ANTIVIRUS BROWSER EXTENSION (BETA VERSION)

TechTarget Event Sponsorship Terms and Conditions

CTI BioPharma Privacy Notice

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)

DATA PROTECTION AND PRIVACY POLICY

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

mashreqmatrix Profile Form ( Form )

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

In the event of delayed payment, The Service Provider reserves the right to bar the Customer's access to the SMS Responder Service.

SDL Privacy Policy Cloud Services

UWC International Data Protection Policy

Transcription:

DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA ) is entered into between: A. The company stated in the Subscription Agreement (as defined below) ( Data Controller ) and B. Umbraco A/S Haubergsvej 1 5000 Odense, Denmark Reg. no. (cvr) 35 86 65 82 ( Data Processor ) 1. BACKGROUND 1.1 The Data Controller determines the purposes and methods of the processing of Personal Data (as defined below). 1.2 The Data Processor has agreed to provide the Services (as defined below) on the terms set out in the Subscription Agreement (as defined below). 1.3 The Parties wish to supplement the Subscription Agreement with this DPA to formalize the terms and conditions applicable to the processing of Personal Data. 1.4 The purpose of this DPA is to secure adequate safeguards with the respect to the protection of privacy and to ensure that the processing of Personal Data is in accordance with the Data Controller s and Data Processor s legal obligations. 2. AGREEMENT 2.1 In addition to this main body of the agreement, this DPA incorporates the following documents: 1

Annex 1 Instructions for processing 2.2 In the event that any provision of this DPA is inconsistent with any term(s) of the Subscription Agreement, this DPA shall prevail. 3. DEFINITIONS 3.1 For the purposes of this DPA, the expressions set out below have the following meanings: Approved Purpose. Means the processing i) required to fulfil the purpose of the Subscription Agreement or ii) as otherwise agreed between the Data Controller and the Data Processor in writing. Approved Territory. Means the territory or territories identified in Annex 1 where the Personal Data can be processed. Data Subject. Means the living individual about whom the Data Controller holds Personal Data. Personal Data. Has the same meaning as in Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Personal Data Breach. Means any loss, destruction, damage, alteration or unauthorised access or disclosure of Personal Data or any other non-conformity with this DPA. Services. Means the services to be supplied by the Data Processor under the Subscription Agreement. Subscription Agreement. Means the subscription agreement for Umbraco Cloud, which becomes effective upon the Data Controller s placement of an order and the acceptance of the terms and conditions. 2

Technical Contact Point. Means the parties technical representatives identified in Annex 1. 4. GENERAL 4.1 This DPA governs the Data Processor s processing of the Personal Data it processes on behalf of the Data Controller to perform its Services under the Subscription Agreement. The Data Processor shall process the Personal Data only for the Approved Purpose and in accordance with applicable laws and this DPA. 4.2 The Data Controller retains the formal control of, and all ownership and rights to the Personal Data. The Data Processor shall have no rights in or to the Personal Data other than the non-exclusive, revocable and time limited right to process the Personal Data for the Approved Purpose. 5. APPROVED PURPOSE OF PROCESSING 5.1 The Data Processor shall process the Personal Data only for the Approved Purpose. Any processing of the Personal Data for any other purpose is strictly forbidden and will be considered a material breach of this DPA. 6. APPROVED LOCATIONS OF PROCESSING 6.1 The processing of the Personal Data shall only take place in technological environments controlled by the Data Controller, the Data Processor and subcontractors in the Approved Territory. For the avoidance of doubt, processing includes accessing the Personal Data from remote locations. 7. USE OF SUBCONTRACTORS 7.1 The Data Controller accepts that the Date Processor is entitled to use subcontractors. The Data Processor shall ensure that any processing of the Personal 3

Data by a subcontractor complies with the requirements set out under this DPA. This includes verifying that the security measures implemented by the subcontractor ensures at least the equivalent level of protection to that required of the Data Processor under this DPA. 7.2 The Data Processor shall ensure that a data processor agreement is entered into between the Data Processor and any subcontractor before such subcontractor processes any Personal Data. 8. PROCESSING OF PERSONAL DATA IN CERTAIN JURISDICTIONS 8.1 Where the processing of Personal Data in Approved Territories does not take place within the European Economic Area; or a territory that has been designated by the European Commission as ensuring an adequate level of protection pursuant to the Data Protection Directive of 1995 (or its successor) such processing of Personal Data shall be carried out in accordance with the applicable EU standard clauses for the transfer of Personal Data ( EU Model Clauses ). Prior to any processing in such territories, the Data Processor shall, as applicable, enter into and/or shall procure that the subcontractor enter into (each a "data importer" under the EU Model Clauses), the EU Model Clauses with the Data Controller ("data exporter under the EU Model Clauses), in addition to this DPA. In case of conflict between such EU Model Clauses entered into between the parties and this DPA, the EU Model Clauses will prevail. 8.2 The Data Processor is hereby authorized by the Data Controller to enter into the EU model Clauses agreements with any relevant subcontractor on Data Controller s behalf for the above mentioned purpose and for any relevant Approved Territory. 4

8.3 If the Data Controller is required to submit a copy of the executed EU Model Clauses to its local Data Protection Authority, the Data Processor will submit a copy of the executed contract to Data Controller for its submission. 8.4 For the avoidance of doubt, the requirement to ensure that the subcontractors enters into a data processor agreement using the EU Model Clauses where so required under this Section 8 does not relieve the Data Processor from its obligations set out under Section 7, including the obligation to ensure that the security measures adopted by the relevant subcontractor offer at least an equivalent level of protection to the Data Controller and the Data Subjects as the requirements imposed on the Data Processor as set out in this DPA. 9. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES 9.1 The Data Processor shall perform its obligations and actions under this DPA with all due skill, care and diligence. 9.2 The Data Processor shall use technical and organizational security measures appropriate to prevent the harm which might result from any unauthorized or unlawful processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected. 9.3 Should the Data Processor become aware of any non-conformity with the security requirements set out above, either within its own or within the subcontractor s organization, such non-conformity shall be notified to the Data Controller in accordance with the Personal Data Breach procedure set out in Section 11. 10. SECRECY 10.1 The Data Processor shall ensure that it and its employees maintain secrecy and security about any and all Personal Data and that the Personal Data is accessed by the Data Processor s employees on a need to know basis only. 10.2 The Personal Data shall be considered as confidential information belonging to the Data Controller and/or the Data Subject and shall be subject to confidential 5

handling in accordance with the confidentiality undertakings agreed between the parties in this DPA or elsewhere. 11. NOTIFICATION OF PERSONAL DATA BREACH 11.1 If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall without undue delay and within 24 hours at the latest, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall contain the following information (if available): description of the Personal Data Breach including; the categories and number of Data Subjects concerned; summary of the incident that caused the Personal Data Breach; date and time of the relevant incident; the categories and number of data records concerned and the nature and content of the Personal Data affected; description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying); description of recommended measures to mitigate any adverse effects of the Personal Data Breach; description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s); and description of the measures proposed or taken by the Data Processor and/or the sub-contractor, as applicable, to address the Personal Data Breach. 11.2 Notice must be sent by email to the Data Controller s Technical Contact Point identified in Annex 1. The Data Processor s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller may have. 11.3 Depending of the nature of the Personal Data Breach the Data Controller may be obliged to make a report to the Data Protection Authority in the country it resides. The 6

Data Processor shall, therefore, at the Data Controller s request, provide any other information reasonably requested by the Data Controller to comply with the relevant data protection regulation and/or inquiries from the Data Protection Authority. 12. OTHER NOTIFICATIONS 12.1 The Data Processor shall: without undue delay and in writing, notify the Data Controller of any planned changes in the technical, organisational or financial aspects of the Data Processor s provision of the Services or the organisation of the Data Processor or its subcontractors and which might have an adverse effect on the Data Processor s or its subcontractors ability or willingness to process the Personal Data in accordance with the instructions of the Data Controller or the requirements set out in this DPA. within five (5) calendar days and in writing, notify the Data Controller if it receives: (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Data Controller s and/or its customers obligations under relevant data protection laws. without undue delay, notify the Data Controller if it receives a request from the competent data protection authority or other competent governmental body requiring the Data Processor or any of its subcontractors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall wherever possible, and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor. 12.2 If the Data Processor is required or requested by any law, regulation, or government or regulatory body to retain any documents or materials that it would otherwise be required to return or destroy under Section 14, it shall, to the extent permitted by law, notify the Data Controller in writing of that retention, giving details of the documents or materials that it must retain. The Data Processor shall not be in 7

breach of Section 14 with respect to the retained documents or materials; however Section 10 shall continue to apply to them. 12.3 Any notifications shall be deemed to be delivered when submitted via email to the Data Controller s Technical Contact Point. The Data Processor s Technical Contact Point shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller might have. 13. BREACH OF AGREEMENT 13.1 The Data Processor shall ensure that any material breach is remedied as soon as possible. 13.2 Notwithstanding the above, the Data Controller can with immediate effect instruct the Data Processor to suspend or terminate any further processing of the Personal Data upon the occurrence of any material breach of this DPA. 14. OBLIGATION TO DELETE DATA 14.1 Personal Data shall not be stored for a longer period than it is necessary to carry out the original purpose for the processing. 14.2 The application permits the Data Controller to migrate Personal Data held by the application and the Data Controller agrees to migrate any and all Personal Data prior to termination of the Subscription Agreement. The Data Processor shall use reasonable commercial endeavors to permit the Data Controller to use the migrate function until expiry of the Subscription Agreement. Where the Subscription Agreement is terminated with immediate effect due to the Data Controller s breach of this DPA, the Data Processor shall use reasonable commercial endeavors to permit the Data Controller to use the migrate function in the period of 10 days after such termination. 14.3 The Data Processor is not obligated to store any of the Data Controller s Personal Data after expiry of the Subscription Agreement. The Data Processor shall no later than 30 days after expiry of the Subscription Agreement effectively delete all Personal Data. For the purposes of this provision to effectively delete shall mean that the data is 8

deleted in accordance with best practice industry standards so that Personal Data cannot be reconstructed using any known technology. 14.4 Without limiting the aforementioned, at any given time during the term of this DPA the Data Processor shall effectively delete Personal Data to the extent requested by the Data Controller s Technical Contact Point or as stated in Annex 1. 15. TERM 15.1 This DPA is entered into when the Data Controller accepts this DPA. The acceptance of this DPA is made in connection with the Data Controller s acceptance of the Subscription Agreement. However, the provisions of this DPA will not become applicable before 25 May 2018. This DPA will remain in force until termination of the Subscription Agreement. 16. SURVIVAL OF CLAUSES 16.1 Any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after termination of this DPA shall remain in full force and effect. 16.2 To the extent the Data Controller needs to respond to enquiries from Data Protection Authorities or Data Subjects concerning how Personal Data has been processed under the Subscription Agreement and this DPA, the Data Processor shall provide necessary assistance also after the expiry of this DPA. 16.3 For the avoidance of doubt the secrecy and security obligations set out in Section 10 herein, including the employees, consultants etc. obligation to keep Personal Data secret, shall survive the expiry or termination of this DPA. 9

17. CHOICE OF LAW AND DISPUTE RESOLUTION 17.1 This DPA shall be governed and construed in accordance with the law of Denmark. Any dispute, controversy or claim arising out of or in connection with this DPA shall be subject to the exclusive and final jurisdiction of the courts of Denmark. 17.2 In the event that the Data Controller is located in a jurisdiction where judgments rendered by the above mentioned courts cannot be enforced, any dispute, controversy or claim arising out of or in connection with this DPA shall be exclusively and finally settled by arbitration in accordance with the Arbitration Rules of The Danish Institute of Arbitration (Copenhagen Arbitration). The arbitral tribunal shall be composed of one arbitrator, who shall be appointed in accordance with the above arbitration rules. The language to be used in the arbitral proceedings shall be English. ANNEX 1 INSTRUCTIONS FOR PROCESSING Personal Data to be processed Categories of Personal Data to be processed under this DPA includes the following categories of data: All legal categories of Personal Data which is in accordance with the Approved Purpose. The Data Controller is responsible for and warrants that the Personal Data that the Data Controller s instructs the Data Processor to process can be lawfully processed by the Data Processor. Approved Territory The Approved Territory/Territories for processing of Personal Data are the following regions/countries: 10

Microsoft data centres in the EU Technical Contact Point The following persons will be the Technical Contact Point between the parties for the purposes of this DPA: Data Processor s Technical Contact Point: Umbraco service and support contact@umbraco.com Data Controller s Technical Contact Point: The E-mail address stated in the application. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback