Data processing addendum
As of February 4, 2019
1. Subject matter of this Data Processing Addendum
1.1. This Data Processing Addendum applies to the processing of personal data that is subject to EU Data Protection Law due to the services provided to Race Roster by the Data Processor in accordance with an agreement entered into (hereinafter to be referred to as the “Service Agreement”).
1.2. The term EU Data Protection Law shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4. Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law, the terms of this Data Processing Addendum shall apply.
2. The Data Controller and the Data Processor
2.1. The Data Controller determines the amount and type of Personal Data that is accessible or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in the Service Agreement.
2.2. In the event that certain processing of Personal Data by the Data Processor is required due to a legal obligation, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law explicitly prohibits the furnishing of such information to the Data Controller. The Data Processor shall never process the Personal Data in a manner inconsistent with the EU Data Protection Law.
2.3. The Data Controller and the Data Processor (the “Parties”) have entered into a Service Agreement in order to benefit from the expertise of the Data Processor in securing the Personal Data for the purposes set out in the Service Agreement. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Addendum.
2.4. Data Controller warrants that it has all necessary rights to provide the Personal Data to Data Processor for the processing to be performed in relation to the Services. To the extent required by EU Data Protection Law, Data Controller is responsible for ensuring that any necessary data subject consents to this processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and Data Processor remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data.
3. Confidentiality
3.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. Security
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, the Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate:
- measures to ensure that the Personal Data can be accessed only by authorized personnel for the purposes of fulfilling the Service Agreement;
- in assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Personal Data;
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data; and
- measures to identify vulnerabilities with regard to the processing of Personal Data in systems used to provide services to the Data Controller.
4.2. The Data Processor shall at all times have in place an appropriate written security policy with respect to the processing of Personal Data, outlining in any case the measures set forth in Section 4.1.
4.3. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Section 4 and shall allow the Data Controller to audit and test such measures. The Data Controller shall be entitled on giving at least 14 days’ notice to the Data Processor to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this Data Processing Addendum.
5. Improvements to Security
5.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Section 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Section 4.
5.2. Where an amendment to this Data Processing Addendum is necessary in order to execute an additional Data Controller instruction to the Data Processor, or to improve security measures as may be required by changes in EU Data Protection Law or by data protection authorities of competent jurisdiction from time to time, the Parties shall negotiate any such amendment in good faith.
6. Data Transfers
6.1. The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area, other than transfers to countries that have been deemed adequate by the European Commission under the EU Data Protection Directive 95/46/EC or to recipients that comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
7. Information Obligations and Incident Management
7.1. When the Data Processor becomes aware of an incident that impacts the processing of the Personal Data that is the subject of the Service Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to formulate a correct response, and to take suitable further steps in respect of the incident.
7.2. The term “incident” used in Section 7.1 shall be understood to mean in any case:
- a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law;
- an investigation into or seizure of Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent;
- any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data;
- any breach of the security and/or confidentiality as set out in Sections 3 and 4 of this Data Processing Addendum leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; or
- where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
7.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under the EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours after having become aware of such an incident.
7.4. Any notifications made to the Data Controller pursuant to this Section 7 shall be addressed to the Data Controller and shall contain:
- a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
- the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained;
- a description of the likely consequences of the incident; and
- a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
8. Contracting with Sub-Processors
8.1. Any third parties (sub-processors) that process Personal Data on behalf of the Data Controller or the Data Processor must adhere to the same obligations as set out in this Addendum. A general authorization to engage third parties in connection with the Services and to continue to use such sub-processors is hereby granted provided such sub-processors are confirmed to meet the requirements of the EU Data Protection Law.
8.2. Notwithstanding any authorization by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.
8.3. The Data Processor shall ensure that the sub-processor is bound by the same data protection obligations of the Data Processor under this Data Processing Addendum, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.
8.4. The Data Controller may request that the Data Processor audit a third party sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the Data Controller in obtaining a third party audit report concerning the sub-processor’s operations) to ensure compliance with its obligations imposed by this Addendum.
9. Returning or Destruction of Personal Data
9.1. Upon termination of the Service Agreement, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete or destroy all Personal Data or return it to the Data Controller, and shall destroy or return any existing copies.
9.2. The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Services and shall ensure that all such third parties either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
10. Assistance to Data Controller
10.1. The Data Processor shall assist the Data Controller by instituting appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.
10.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
11. Indemnification
11.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller and arising directly or indirectly out of or in connection with a breach of this Data Processing Addendum and/or the EU Data Protection Law by the Data Processor.
11.2. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor and arising directly or indirectly out of or in connection with a breach of this Data Processing Addendum and/or the EU Data Protection Law by the Data Controller.
For instructions on how to execute this DPA, please contact our Data Protection Officer at firstname.lastname@example.org