GDPR EXHIBIT GDPR Data Processing Agreement
This Exhibit will be subject to the terms and conditions of the Evolphin Hosted Cloud Services Agreement (the “Agreement”). Capitalized terms used but not defined herein will have the meanings given to them in the Agreement. In the event of a conflict between this Exhibit and the other terms of the Agreement, this Exhibit will prevail.
Evolphin may be required to process Personal Data on behalf of Customer in order to provide the Services under one or more Product Exhibits or Support Exhibits. In order to ensure that such Personal Data is processed by Evolphin in compliance with the GDPR, Evolphin and Customer have decided to outline under this Exhibit the terms and conditions applicable to such processing.
This Exhibit consists of the following: (i) its main body and (ii) its Attachment 1 (Description of the Processing Activities Template).
1. DEFINITIONS
For the purposes of this Exhibit, the following terms will have the meaning given to them below:
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
- “Data Protection Laws” have the meaning ascribed to them in the Agreement;
- “Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “EEA” has the meaning ascribed to it in the Agreement;
- “Processed Personal Data” means any Personal Data (including but not limited to Personal Data relating to Customer’s employees, customers, suppliers and/or target companies, as applicable) that Evolphin Processes under the Agreement and a Product Exhibit or Support Exhibit;
- “Personal Data” means any information relating to Data Subjects;
- “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Processed Personal Data transmitted, stored or otherwise processed;
- “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “Processing Activities” refers to the processing activities to be described by the parties in the Agreement and the Product Exhibit or Support Exhibit;
- “Processor” means the natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller;
- “Sub-processors” means any third party (including Evolphin’s affiliates) engaged by Evolphin to carry out its obligations under the Agreement and the Service Level Agreement.
2. OBLIGATIONS OF THE PARTIES
- Evolphin acknowledges that the protection of the Processed Personal Data is of high importance to Customer, in particular considering the impact that a breach by Evolphin of its obligations in relation to the Processed Personal Data could have on Customer’s image, reputation and assets.
- Each party will comply with its respective obligations under Data Protection Laws. Evolphin will act as a Processor. Evolphin will thus carry out any Processing of the Processed Personal Data only in accordance with Customer’s documented instructions and for no other purposes than the ones expressly defined and approved by Customer, unless required to do so by European Union or Member State law. In such a case, Evolphin will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Evolphin guarantees to Customer that it has in place, and will implement and maintain throughout the term of the Agreement and the term of each Product Exhibit or Support Exhibit appropriate technical, organizational and contractual measures, including (as the case may be) but not limited to those provided for in the Agreement, to ensure the security of the Processed Personal Data and to prevent unauthorized or unlawful Processing of the Processed Personal Data and against accidental loss or destruction of, or damage to, the Processed Personal Data.
- Such technical, organizational and contractual measures to be defined by Evolphin will (i) take into account the nature of the Processed Personal Data, the risks that are presented by the Processing Activities, the harm that might result from unauthorized or unlawful Processing or accidental loss or destruction of, or damage to, the Processed Personal Data, as well as the state of the art, best practices and the highest technical standards; (ii) be designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the Processing in order to meet the requirements of Data Protection Laws; and (iii) ensure that, by default, only the Processed Personal Data which are necessary are processed for the purposes defined by Customer. On request, Evolphin will provide Customer with a then-current written description of the security measures being taken. In any event, Evolphin will not decrease the security level during the term of the Agreement and the term of the Service Level Agreement.
Evolphin will also:
- Notify Customer about any request of communication of the Processed Personal Data it may receive from third parties, public authorities or jurisdictions, as well as about any action and/or measures instigated by such third parties, authorities or jurisdictions regarding the Processing of the Processed Personal Data;
- Promptly notify Customer about any Data Subject’s request and/or complaint it may receive in relation to the Processed Personal Data and assist Customer to investigate and deal with such request and/or complaint. In any case, Evolphin will not revert to or otherwise communicate with Data Subjects about the Processed Personal Data unless otherwise instructed by Customer;
- Comply with any request of Customer in relation to access to, rectification, erasure, blocking, restoration or deletion of, or objection to the Processing of, the Processed Personal Data, and ensure that Customer can give effect to Data Subjects’ rights to data portability and to erasure (the right to be forgotten) in respect of the Processed Personal Data;
- Immediately notify Customer of any change that may impact the Processing of the Processed Personal Data;
- Actively cooperate with Customer to enable it to comply with Data Protection Laws and to assess and document the compliance of the Processing of the Processed Personal Data with Data Protection Laws and this clause, including by providing to Customer any information that Customer may need or that may be necessary; and
- Immediately inform Customer in writing if it believes that Customer’s instructions with respect to the Processing of the Processed Personal Data infringe any Data Protection Laws, and include sufficient details for Customer to assess the basis of such belief.
3. SHARING OF THE PROCESSED PERSONAL DATA
Evolphin will not share the Processed Personal Data with any third party (including but not limited to Sub-processors) without Customer’s prior written consent. If such sharing is authorized by Customer, Evolphin will:
- Ensure that persons authorized to carry out Processing of the Processed Personal Data are bound by confidentiality obligations equivalent to those set out in the Agreement;
- Ensure that its personnel and the Sub-processors are duly trained on their obligations when Processing the Processed Personal Data;
- Ensure that the Sub-processors which carry out Processing of the Processed Personal Data are committed to the same data protection obligations as the ones applying to Evolphin, in particular providing sufficient guarantees to implement appropriate measures in such a manner that the Processing will meet the requirements of Data Protection Laws; and
- Provide to Customer a copy of the contract with the Sub-processors which carry out Processing of the Processed Personal Data or, failing that, a description of the essential elements of the contract, including the obligations related to the protection of the Processed Personal Data.
In any event, Evolphin will remain fully liable to Customer for the performance of the Sub-processors as if any act or omission of the Sub-processors were conducted by Evolphin.
4. TRANSFER OF THE PROCESSED PERSONAL DATA OUTSIDE THE EEA
- Evolphin undertakes not to transfer the Processed Personal Data out of the EEA without Customer’s prior written consent. Evolphin will request such prior consent by notifying Customer with reasonable prior notice and with all relevant information relating to the purpose of such transfer and the country to which the Processed Personal Data would be transferred.
- In light of the information provided by Evolphin, if Customer agrees to consider such transfer, Evolphin will facilitate the implementation of the measures defined by Customer to ensure an adequate level of protection to the transferred Processed Personal Data, including, if decided by Customer, the execution of the standard contractual clauses (processors) (Commission Decision C(2010)593).
- In any case, Evolphin will be entitled to proceed with a transfer only as and when (i) the transfer has been expressly approved by Customer and (ii) the above-mentioned measures have been duly implemented to the satisfaction of Customer. For the avoidance of doubt, Evolphin will not bear any cost arising from such transfer, including in relation to the implementation of the above-mentioned measures.
5. AUDITS
- Evolphin will allow Customer to perform audits in relation to the Processing of the Processed Personal Data. Such audits may be carried out by Customer or by an independent third party appointed by Customer. In this respect, Evolphin undertakes, at its expense, to give Customer’s internal or external auditors full access to the relevant resources (including but not limited to premises, employees and information, as well as those of its Sub-processors) and to provide all reasonable assistance in carrying out the audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to perform such audit.
- Evolphin also commits to audit on a regular basis its Sub-processors in relation to the Processing of the Processed Personal Data. Evolphin will then provide to Customer a complete report of the conducted audits to demonstrate that the Processed Personal Data are processed in accordance with the obligations defined in this clause and with the conditions defined and approved by Customer.
6. PERSONAL DATA BREACH
In addition to the requirements set forth in the Agreement, in the event Evolphin identifies or believes that there has been any Personal Data Breach, Evolphin will promptly notify Customer by email to firstname.lastname@example.org (or to such other address(es) as Customer may designate to Evolphin in writing from time to time), and in any event will inform Customer within twenty-four (24) hours after becoming aware of such Personal Data Breach. In such circumstances, Evolphin will at least share the following information with Customer:
- The name and contact details of the data protection officer or other contact point where more information can be obtained;
- The nature of the Personal Data Breach, including but not limited to the categories and number of Data Subjects and the Processed Personal Data concerned by the Personal Data Breach;
- A description of the measures Customer could take to mitigate the possible adverse effects of the Personal Data Breach and to prevent another potential Personal Data Breach;
- The consequences of the Personal Data Breach;
- The measures proposed or taken by Evolphin following the Personal Data Breach, including preventing any new occurrence. In any case, both parties will actively cooperate, and Customer will first approve any public communication and/or official notification to competent authority or to Data Subjects regarding such potential or actual Personal Data Breach.
7. RETURN OR DESTRUCTION OF THE PROCESSED PERSONAL DATA
- Upon Customer’s request and at any time during the term of the Agreement and the term of each Product Exhibit or Support Exhibit, Evolphin will promptly provide to Customer a copy of the Processed Personal Data it processes in an industry standard format.
- Upon termination or expiry of the Agreement and each Product Exhibit or Support Exhibit, Evolphin will immediately cease any Processing of the Processed Personal Data and will, upon Customer’s request, return and/or delete the Processed Personal Data no later than one (1) month following Customer’s request. In case of return to Customer, following Customer’s issuance of an acknowledgement of receipt of the returned data, Evolphin will destroy all Processed Personal Data (including but not limited to any file containing the Processed Personal Data) within forty-eight (48) hours after the issuance of the above-mentioned acknowledgement and will prove to Customer that such destruction did take place. Should the law prevent Evolphin from deleting all or part of the Processed Personal Data, Evolphin will inform Customer of such requirements and implement, at its own cost, the relevant anonymization or pseudonymization measures.
8. INDEMNIFICATION
Evolphin agrees to indemnify, defend and hold harmless Customer and its affiliates and their respective officers, directors, managers, members, shareholders, partners, owners, employees, contractors, customers, suppliers, agents, representatives, successors and assigns (collectively, the “Indemnified Parties”) from and against any and all claims, lawsuits, damages, costs and expenses, including, without limitation, actual attorneys’ fees and costs, arising from or in connection with (a) Evolphin’s breach of this Exhibit; (b) Evolphin’s violation of the Data Protection Laws; (c) Evolphin’s or the Sub-processors’ Processing of the Processed Personal Data; or (d) any claims from any Data Subjects or authorities against the Indemnified Parties arising from or in connection with (a), (b) or (c) of this clause.