GDPR - Data Processing Agreement Addendum
DATA PROCESSOR AGREEMENT
This data processing agreement forms part of the [insert contract name] (“Principal Contract”) and is made effective from ____ day of _______________, 20___ between the undersigned parties: –
(i) Deltecs Infotech Private Limited, whose registered office address is 201, Agarwal Industrial estate, Dahisar East, Mumbai 400068 (“Processor”)
And
(ii) [Controller Name], whose registered office address is [Controller Address] (“Controller”)
1.1 This agreement supplements the Principal Contract and makes legally binding provisions for compliance with the Data Protection Laws as set forth in this agreement. As per the requirements of relevant Data Protection Law, all processing of personal data by a processor on behalf of a controller, shall be governed by a contract. The terms, obligations and rights set forth in this agreement relate directly to the data processing activities and conditions laid out in Schedule 1.
1.2 The terms used in this agreement have the meanings as set out in the ‘definitions’ part of the document
2.2 “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
2.3 “Data Protection Laws” means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679), [Data Protection Bill] and, to the extent applicable, the data protection or privacy laws of any other country
2.4 “EEA” means the European Economic Area
2.5 “Effective Date” means the date on which this agreement comes into force
2.6 “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
2.7 “GDPR” means the General Data Protection Regulation (GDPR) (EU) (2016/679)
2.8 “Principal Contract” means the main contract between the parties named in this agreement
2.9 “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
2.10 “Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
2.11 “Third-party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
2.12 “Sub Processor” means any person or entity appointed by or on behalf of the Processor to process personal data on behalf of the Controller
2.13 “Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the “GDPR”
- only act on the written instructions of the Controller
- ensure that people processing the data are subject to a duty of confidence
- ensure that any natural person acting under their authority who has access to personal data, does not process that data except on instructions from the Controller
- use its best endeavours to safeguard and protect all personal data from unauthorised or unlawful processing, including (but not limited to) accidental loss, destruction or damage and will ensure the security of processing through the demonstration and implementation of appropriate technical and organisational measures as specified in Schedule 1 of this agreement
- ensure that all processing meets the requirements of the GDPR and related Data Protection Laws and is in accordance with the Data Protection Principles
- ensure that where a Sub-Processor is used, they: –
  - only engage a Sub-Processor with the prior consent of the data controller
  - inform the controller of any intended changes concerning the addition or replacement of Sub-Processors
  - implement a written contract containing the same data protection obligations as set out in this agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Laws
- understand that where any Sub-Processor is used on their behalf and the Sub-Processor fails to comply with the Data Protection Laws or the relevant data processing agreement, the initial processor remains fully liable to the controller for the performance of the Sub-Processor’s obligations
- assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws
- assist the Controller in meeting its data protection obligations in relation to: –
  - the security of processing
  - data protection impact assessments
  - the investigation and notification of personal data breaches
- delete or return all personal data to the Controller as requested at the end of the contract
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
- tell the Controller immediately if they have done something (or are asked to do something) infringing the GDPR or other Data Protection Law of the EU or a member state
- co-operate with supervisory authorities in accordance with GDPR Article 31
- notify the Controller of any personal data breaches in accordance with GDPR Article 33
- where applicable, employ a Data Protection Officer if required
- where applicable, appoint (in writing) a representative within the EU if required in accordance with GDPR Article 27
3.2 Nothing within this agreement relieves the processor of their own direct responsibilities, obligations and liabilities under the General Data Protection Regulation (GDPR) or other Data Protection Laws.
3.3 The Processor is responsible for ensuring that each of its employees, agents, subcontractors or vendors are made aware of its obligations regarding the security and protection of the personal data and the terms set out in this agreement.
3.4 The Processor shall maintain induction and training programs that adequately reflect the Data Protection Law requirements and regulations, and ensure that all employees are afforded the time, resources and budget to undertake such training on a regular basis.
3.5 Any transfers of personal data to a third country or an international organisation shall only be carried out on documented instructions from the controller, unless required to do so by Union or Member State law. Where such a legal requirement exists, the Processor shall inform the Controller of that legal requirement before processing.
3.6 The Processor shall maintain a record of all categories of processing activities carried out on behalf of the Controller, containing: –
- the name and contact details of the Processor(s) and of each Controller on behalf of which the Processor is acting, and, where applicable, the data protection officer
- the categories of processing carried out on behalf of each Controller
- transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards
- a general description of the technical and organisational security measures referred to in Article 32(1)
3.7 The Processor shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the supervisory authority on request
3.8 When assessing the appropriate level of security and the subsequent technical and operational measures, the processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.2 The Controller shall carry out adequate and appropriate onboarding and due diligence checks for all Processors, with a full assessment of the mandatory Data Protection Law requirements.
4.3 The Controller shall verify that the Processor has adequate and documented processes for data breaches, data retention and data transfers in place.
4.4 The Controller shall obtain evidence from the Processor as to the: –
- verification and reliability of the employees used by the Processor
- certificates, accreditations and policies as referred to in the due diligence/onboarding questionnaire
- technical and operational measures described in Schedule 1 of this agreement
- procedures in place for allowing data subjects to exercise their rights, including (but not limited to), subject access requests, erasure & rectification procedures and restriction of processing measures
4.5 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the controller must verify that similar data protection agreements are in place between the initial Processor and Sub-Processor.
4.6 Where the Controller has authorised the use of any Sub-Processor by the initial Processor, the details of the Sub-Processor must be added to Schedule 2 of this agreement.
- investigative and corrective powers of supervisory authorities under Article 58 of the GDPR
- an administrative fine under Article 83 of the GDPR
- a penalty under Article 84 of the GDPR
- pay compensation under Article 82 of the GDPR
5.2 The Controller or Processor can terminate this agreement in accordance with the termination terms set out in the terms & conditions.
Signed: _______________________________
Name: _______________________________
Date: ________________
Company Name: _______________________________
Position: _______________________________
Signed on behalf of the Controller:
Signed: _______________________________
Name: _______________________________
Date: ________________
Company Name: Deltecs Infotech Private Limited
Position: _______________________________
- The Controller named in this agreement has appointed the Processor with regard to specific processing activity requirements. These requirements relate to the subject matter of processing customer data, which is set out in the Terms of use and in this DPA.
- The duration of the processing is for/until further notice.
- The processing activities relate to the customer personal data as per the services mentioned in the terms of use, or any project addendum or as per the Statement Of Work.
- The requirement for the named Processor to act on behalf of the Controller is with regard to the below type(s) of personal data and categories of data subjects: –
  - Personal Data
    - Name
    - Email Id
    - Phone Number
    - Organisation Name
    - Cookies
    - IP Address
  - Categories of data subjects
    - Customers
    - Prospects
    - Customer’s App users
- The Processor can demonstrate and provide sufficient guarantees as to the implementation of appropriate technical and organisational measures taken to ensure data security and protection: –
- Encryption of data during transit (HTTPS)
- Encryption of data at rest
- Antimalware solution
- Restricted access to authorized people
- Network protection
- Data protection policy measures are implemented
- Information security policy is adhered to
- The obligations and rights of the Controller and Processor are set out in section (2) and (3) of this agreement.
- Authorised Sub-Processors