Standard terms and conditions
Pursuant to article 28 (3) of regulation (EU) 2016/679 of the European Parliament and the Council on the processing of personal data by data processors (the General Data Protection Regulation),
the customer (the Controller), having signed the IWMAC Subscription Agreement (the Agreement),
and IWMAC AS (the Data Processor), co. org. no. 984699980,
have agreed on the following standard terms and conditions (the Conditions) in order to comply with the General Data Protection Regulation (GDPR) and ensure the protection of natural persons’ basic rights and freedoms.
This document sets out the main principles for the processing of Personal Data under the existing service agreement between the Parties (the Agreement), of which it is an integral part. The present document is the Data Processing Agreement between the Parties.
In this document, IWMAC refers to IWMAC AS and all its subsidiaries.
2. MAIN PRINCIPLES FOR PROCESSING PERSONAL DATA
2.1 Protection of Personal Data
The Data Processor is to take the protection and security of Personal Data seriously and is to process said data in compliance with the applicable Data/Privacy Protection Legislation and the Agreement. To provide the Service set out in the Agreement, the Data Processor is to process Personal Data about users and others who have access to the Service. To the extent allowed by the Agreement, the Data Processor can disclose Personal Data.
3. PURPOSE OF THE DATA PROCESSING AGREEMENT
The purpose of the Data Processing Agreement is to regulate rights and duties in regard to the applicable Data/Privacy Protection Legislation as it relates to the Data Processor’s processing of Personal Data on behalf of the Controller.
Data/Privacy Protection Legislation here means the national data/privacy protection legislation, enacted to comply with article 28 (3) of regulation (EU) 2016/679 of the European Parliament and the Council (27 April 2016), that is in force at any given time in the country in which the Controller is established (including legislation implementing or supplementing the GDPR).
Personal Data is any data about an identified or identifiable natural person (the Data Subject). The Data Processing Agreement shall ensure that Personal Data: is processed in compliance with the Data/Privacy Protection Legislation; is not used in an unlawful manner; and, is not accessible to unauthorised parties.
4. SCOPE OF THE PROCESSING
The Conditions of the Data Processing Agreement have precedence over any equivalent provisions in other agreements between the Parties.
The Controller is to determine the purpose of the processing and which means shall be used. Unless otherwise set out in applicable legislation, the Data Processor, its Subcontractors and others carrying out assignments on behalf of the Controller and having access to the Personal Data shall process said data solely on behalf of the Controller and in compliance with the Agreement, the Controller’s written instructions and this Data Processing Agreement.
The Data Processor shall immediately inform the Controller if the Data Processor believes an instruction is in conflict with the Data/Privacy Protection Legislation.
4.2 Scope of the processing
The Data Processing Agreement applies to the Data Processor’s processing of Personal Data on the Controller’s behalf in connection with the Controller’s delivery of the Service (as detailed in the Agreement).
4.3 Purpose of the processing
The character and purpose of the processing are linked to delivery of the Service (as detailed in the Agreement).
4.4 Categories of Personal Data and Data Subject
The processing concerns Personal Data about the Controller’s end users, customers, suppliers, partners or employees, depending on the Controller’s use of the Service. Depending on the Controller’s concrete use of the Service, the processing covers the following categories of Personal Data:
- General Personal Data such as name, postal address, email address, telephone number, firm, position/role, department and cost centre.
- Location data such as GPS and Wi-Fi location data as well as location data collected from the Data Processor’s/customer’s network.
- Traffic data such as Personal Data processed in relation to mediating communications via an electronic communication network or invoicing of such services.
- Data related to the content of communications such as emails, telephone responses, SMS/MMS messages, browser data, views about our products/services in the form of customer surveys and minutes of meetings.
5. THE CONTROLLER’S DUTIES
The Controller is responsible for ensuring: that the processing of Personal Data is in accordance with the GDPR (see article 24 thereof), applicable data/privacy protection provisions in EU law or the member states’ national laws and these Conditions; and, that the Data Processor does not process Personal Data to an extent greater than that necessary for achieving the stated purpose.
The Controller is responsible for there being valid legal grounds for the processing at the time the Personal Data is transmitted to the Data Processor, including that each instance of consent is informed and given explicitly, unambiguously and voluntarily. At the Data Processor’s request, the Controller shall provide a written explanation of and/or document the legal grounds for the processing.
The Controller is responsible for the Data Subjects having received sufficient information about the processing of their Personal Data. As a general rule, instructions for processing of Personal Data under this Data Processing Agreement shall be given to the Data Processor. If the Controller directly instructs a Subcontractor engaged as per point 12 hereof, the Controller shall immediately inform the Data Processor of this. The Data Processor cannot be held liable for processing that, carried out by a Subcontractor following instructions received directly from the Controller, results in a breach of this Data Processing Agreement, the Agreement or the Data/Privacy Protection Legislation.
6. DUTY OF CONFIDENTIALITY
The Data Processor, its Subcontractors and others carrying out assignments on behalf of the Data Processor and having access to the Personal Data are subject to a duty of confidentiality and shall observe this when processing Personal Data and security documentation in accordance with the applicable Data/Privacy Protection Legislation. The Data Processor is responsible for subjecting Subcontractors and others acting on the Data Processor’s behalf to such a duty of confidentiality.
The Controller is subject to a duty of confidentiality as regards: documentation and information received from the Data Processor and linked to the Data Processor’s and its Subcontractors’ implementation of technical and organisational security measures; and, information that the Data Processor otherwise wishes to remain confidential. However, insofar as it is necessary to comply with the Controller’s duties, the Data/Privacy Protection Legislation or other statutory duties, the Controller can always share such information with relevant supervisory authorities. If there is a requirement to disclose such information to relevant supervisory authorities, the Parties shall mutually inform each other. The duty of confidentiality applies even after the cessation of the Data Processing Agreement.
The security requirements applying to the Data Processor’s processing of Personal Data are to be regulated via internal procedures.
Article 32 of the GDPR sets out that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks (of varying likelihood and severity) it presents for natural persons’ rights and freedoms, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks.
The Controller shall evaluate the risks that the processing presents for natural persons’ rights and freedoms and implement measures to address these risks. Depending on relevance, the measures may include:
- pseudonymisation and encryption of Personal Data;
- an ability to ensure the ongoing confidentiality, integrity, accessibility and resilience of processing systems and services;
- an ability to restore, in a timely manner, the accessibility and availability of Personal Data in the event of physical or technical incidents;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Under article 32 of the GDPR, the Data Processor shall, independently of the Controller, also evaluate the risks that the processing presents for natural persons’ rights and freedoms and implement measures to address these risks. For the purpose of this evaluation, the Controller shall make available to the Data Processor the information necessary for the Data Processor to identify and evaluate said risks.
The Data Processor shall also help the Controller to comply with the Controller’s duties under article 32 of the GDPR by, inter alia, making available to the Controller: necessary information about the technical and organisational security measures that the Data Processor has already implemented in relation to article 32 of the GDPR; and, all other information necessary for the Controller to comply with its duties under article 32 of the GDPR.
8. ACCESS TO PERSONAL DATA AND FULFILMENT OF DATA SUBJECTS’ RIGHTS
Unless otherwise agreed or following from applicable legislation, the Controller shall be entitled to require access to Personal Data being processed by the Data Processor on the Controller’s behalf.
If the Data Processor or a Subcontractor receives a request from a Data Subject relating to the processing of Personal Data, the Data Processor shall forward the request to the Controller unless the Data Processor, under applicable legislation or in line with the Controller’s instructions, is itself entitled to handle the request.
The Data Processor shall help the Controller to fulfil the Controller’s duty to respond to enquiries submitted by Data Subjects wishing to exercise their rights set out in the Data/Privacy Protection Legislation. These include the rights to:
- restrict or oppose processing;
- receive their own Personal Data in a structured, commonly used and machine-readable format (data portability).
Unless otherwise agreed, the Data Processor shall, in line with the Data Processor’s then current prices, be compensated for such help.
9. OTHER HELP FOR THE CONTROLLER
If, from a relevant supervisory authority, the Data Processor or a Subcontractor receives a request for access to Personal Data or for information about Data Subjects or processing activities under this Data Processing Agreement, the Data Processor shall notify the Controller of this request unless the Data Processor, under applicable legislation or in line with the Controller’s instructions, is itself entitled to handle the request.
If, in connection with the processing of Personal Data under this Data Processing Agreement, the Controller is obliged to carry out a data privacy impact assessment and/or hold preliminary discussions with relevant supervisory authorities, the Data Processor shall help the Controller. The Controller shall cover the costs incurred by the Data Processor as a result of such help.
10. NOTIFICATION OF SECURITY BREACHES
Without undue delay, the Data Processor shall inform the Controller when the former has become aware of any Security Breach in the processing of Personal Data.
The Controller is responsible for notifying Security Breaches to the relevant supervisory authority. As a minimum, the information to the Controller shall detail:
- The nature of the Security Breach, this including, where possible, the categories and approximate numbers of affected Data Subjects and Personal Data.
- The probable consequences of the Security Breach.
- The measures the Data Processor has implemented, or proposes to implement, to handle the Security Breach, this including, where relevant, measures to reduce any damage resulting from the Security Breach.
If the Controller is obliged to inform Data Subjects of a Security Breach, the Data Processor shall help the Controller accordingly, this including providing access to, if available, necessary contact details for the affected Data Subjects. Unless the Security Breach is attributable to circumstances for which the Data Processor is responsible, the Controller shall cover the costs linked to such communication with Data Subjects.
Personal Data Transmission (i.e. disclosure/transmission of said data and/or giving of access to said data) to a Third Country (i.e. a country outside the EU/EEA) may only take place: after documented approval from the Controller (see point 13 below); and, either as per the EU’s standard terms and conditions or based on other legal grounds for such Transmission.
12. USE OF SUBCONTRACTORS
The Controller consents to the Data Processor engaging another data processor (Subcontractor) to help in providing the Service and processing Personal Data under the Agreement, provided that the Data Processor ensures that:
- The Data Processor’s obligations set out in the Data Processing Agreement and the Data/Privacy Protection Legislation are imposed on Subcontractors in a written agreement.
- Each Subcontractor gives sufficient guarantees regarding implementation of technical and organisational measures to ensure that the processing fulfils the requirements in the Data/Privacy Protection Legislation and the Data Processing Agreement and gives the Controller and relevant supervisory authorities the access and information necessary to verify such guarantees.
The Data Processor shall, vis-à-vis the Controller, be fully responsible for Subcontractors fulfilling their obligations.
13. PROCEDURE FOR USE OF SUBCONTRACTORS
The Data Processor shall, at all times, have an up-to-date list giving an overview of names and contact details for all Subcontractors and places where Subcontractors process Personal Data on the Controller’s behalf. The list is to be available on request. The Data Processor shall update the list to reflect each addition or replacement of Subcontractors and notify the Controller no later than 2 months before each Subcontractor is to begin the processing of Personal Data. Each objection to such changes must be presented to the Data Processor no later than 14 days after receiving the email notification. If the Controller opposes such change or replacement of a Subcontractor, the Data Processor can terminate the Agreement and the Data Processing Agreement with 1 month’s notice.
By entering into this Data Processing Agreement, the Controller authorises the Data Processor to enter into, as regards Transmission to a Third Country Subcontractor approved as per the above procedure, the EU’s standard terms and conditions or to ensure other legal grounds. On request, the Data Processor shall give the Controller a copy of said EU standard terms and conditions or details of other legal grounds for the Transmission.
The Data Processor shall provide reasonable help and documentation for use in the Controller’s independent risk evaluation of the use of Subcontractors or Transmission of Personal Data to a Third Country.
The Data Processor is obliged to give the Controller documentation of: technical and organisational measures implemented to ensure an appropriate security level; and, other information necessary for documenting that the Data Processor is fulfilling its obligations under this Data Processing Agreement and the Data/Privacy Protection Legislation.
The Controller and relevant supervisory authorities are entitled to carry out audits, these including inspections and evaluations of: Personal Data that is being processed; the systems used for this purpose; implemented technical and organisational security measures (security instructions, etc. included therein); and, Subcontractors. The Controller shall not be given access to: information concerning the Data Processor’s other customers; and, information that is subject to confidentiality obligations.
The Controller is entitled to carry out such audits once a year. If the Controller appoints an external auditor to carry out an audit, the auditor shall be bound by a duty of confidentiality. The Controller shall cover costs linked to audits initiated by the Controller or which are incurred in audits by the Controller, these including compensation to the Data Processor for time that the Data Processor and its employees reasonably spend helping in the audit concerned.
15. DURATION AND CESSATION
The Data Processing Agreement applies from the entering into of the Agreement and for as long as the Data Processor processes Personal Data on the Controller’s behalf.
Both Parties can require renegotiation of the Conditions if changes in law or shortcomings in the Conditions provide a basis for this.
If the Data Processor breaches the Data Processing Agreement or does not fulfil its obligations under the Data/Privacy Protection Legislation, the Controller may:
- order the Data Processor to implement necessary measures/improvements for further processing of Personal Data; and/or,
- order the Data Processor to stop, with immediate effect, processing of Personal Data.
16. CONSEQUENCES ON CESSATION
On cessation of the Data Processing Agreement, the Data Processor shall, in line with the Controller’s instructions, either erase/anonymise or return all Personal Data to the Controller, this including, unless otherwise stipulated in applicable legislation, copies and backups.
The Data Processor shall document in writing to the Controller that erasure has taken place in compliance with the Data Processing Agreement and as stated by the Controller.
17. LIMITATION OF LIABILITY
Regardless of the basis of liability (be it contract, tort, product liability or anything else), neither Party shall be liable to the other for indirect loss or consequential damage of any nature (including, but not limited to, loss as a result of operational disruption, loss of data, loss of profit or similar), even if a Party has been informed of the possibility of such damage (collectively referred to as Indirect Loss). Neither Party shall be liable to the other for:
- errors or delays outside the Party’s reasonable control, this including general internet or communication line delays, power outages or machine faults; or,
- errors caused by the other Party’s systems or actions, negligence or omissions, all these being the sole responsibility of said other Party.
Under or in relation to this Data Processing Agreement, the total and maximum liability of each Party to the other for each period of twelve (12) months shall in no circumstances whatsoever exceed a sum equating to the total sum paid for the Service under the Agreement in the course of the twelve (12) months preceding the damage-causing action. The above-mentioned limitations shall not apply to damage attributable to fraud, gross negligence or intent.
18. NOTIFICATIONS AND CHANGES
All written notifications linked to the Data Processing Agreement shall, for the Data Processor, be sent to firstname.lastname@example.org. For the Controller they shall be sent to the email address stated in the Agreement. In the event of changes in the Data/Privacy Protection Legislation, or if a court judgement or a statement from a competent authority or other authoritative source entails an altered interpretation of the Data/Privacy Protection Legislation, or if changes made in the delivery of the Service under the Agreement require changes in the Data Processing Agreement, the Parties shall cooperate to update the Data Processing Agreement correspondingly. Any change or addition to this Data Processing Agreement shall be in writing and signed by both Parties.
19. CHOICE OF LAW AND LEGAL VENUE
Choice of law, legal venue and dispute resolution mechanism are regulated by the Agreement.
20. SIGNING OF THE DATA PROCESSING AGREEMENT
Unless a separate data processing agreement has been entered into, the present Data Processing Agreement is regarded as accepted and signed on signing of the Agreement.