The undersigned:
- <BUSINESS NAME OTHER PARTY>
established in <ADDRESS>,
and registered with the <COUNTRY> Chamber of Commerce under the number <COC-NUMBER> represented by <NAME UNDERSIGNED A>, <POSITION UNDERSIGNED A>,
hereinafter referred to as `Controller`;
and
- Move Work Forward Pte Ltd,
established in 10 Anson Rd, #29-05A International Plaza, Singapore 079903,
and Registration No. / Unique Entity Number: 201626292E issued by the Accounting and Corporate Regulatory Authority of Singapore,
hereinafter referred to as `Processor`;
hereinafter referred to individually as a “Party” and collectively as “the Parties”,
considering:
- Controller and Processor have entered into an agreement on <DATE ON WHICH THE AGREEMENT BECOMES EFFECTIVE> that includes <SPECIFIC DEFINITION OF THE SERVICES TO BE SUPPLIED BY PROCESSOR COMMISSIONED BY THE CONTROLLER>.
- Under the Service Agreement, the Processor may have access to personal data of various clients of the Controller.
- The Parties seek to implement a Data Processing Agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Now therefore it has been agreed as follows:
- Definitions
In this DPA, the following capitalised terms with the following meaning are used, in addition to the terms as applied in the applicable legislation for the protection of personal data, regardless of whether they are used in plural or singular:
- Annex: an addition to this DPA, which forms an integral part of this DPA;
- Data Processing Agreement or DPA: this Data Processing Agreement, including Annexes;
- Data Subject: the person to whom the Personal Data relates;
- GDPR: General Data Protection Regulation (REGULATION (EU) 2016/679);
- Personal Data Breach: a breach of security that (accidentally) results in the destruction, loss, modification or unauthorised disclosure of or unauthorised access to data transmitted, stored or otherwise processed;
- Service Agreement: the agreement between Controller and Processor, as attached in Annex 1;
- Sub-Processor: the party that is used by Processor as another processor for the Processing of the Personal Data in the context of this DPA and the Service Agreement;
- Written or in Writing: in writing shall also be understood to mean by fax or e-mail or any other means of communication which can, given the state of technology and conventional practices, be considered as equivalent thereto.
- Subject-matter and task
This DPA applies to the Processing of Personal Data in relation to the execution of the Service Agreement.
Controller contracts and instructs Processor to Process Personal Data on behalf of Controller. The instructions of Controller may be further specified in this DPA and the Service Agreement and can be supplemented in Writing.
- Allocation of tasks
- Controller has and maintains independent control over the purpose and means of the Processing of Personal Data.
- Processor has informed Controller about the service(s) provided by Processor, and the processes to be carried out as defined in the Service Agreement, prior to the conclusion of this DPA.
- The services referred to in the second paragraph, including any optional services, are described in Annex 2.
- Controller and Processor provide each other with all necessary information to enable proper compliance with the relevant privacy laws and regulations. If Processor is of the opinion that a processing instruction from Controller constitutes an infringement of the GDPR, it will inform Controller immediately.
- If Article 30 paragraph 5 GDPR requires so, Processor shall keep a record of all processing activities in accordance with Article 30, paragraph 2 GDPR.
- Engaging of third parties or Sub-Processors
- Controller is authorised to make use of the Sub-Processors whose identity is specified in Annex 2. If Processor intends to add a Sub-Processor, prior Written permission must be requested from Controller. Controller will respond to Processor's proposal in Writing within 5 working days.
- If Controller does not provide Processor with Written permission or does not respond within the set term, Processor is allowed to offer an alternative within a reasonable period of time to continue the relevant service. If Processor cannot offer an alternative, Controller is authorised to cancel the relevant service, which cannot be provided without engaging or replacing the intended other Sub-Processor. Controller shall be liable for any damage incurred by Processor as a result.
- If Processor engages a Sub-Processor, Processor is, in principle, liable for the processing of Personal Data by this Sub-Processor, except for Sub-Processors with which Controller required Processor to cooperate for the execution of the Service Agreement.
- Use of Personal Data
- Processor shall be obliged not to use the Personal Data obtained from the Controller for any other purpose or in any other way than for the execution of its obligations under the Service Agreement.
- An overview of the categories of Personal Data and use for which the Personal Data may be processed by Processor is set out in Annex 2.
- Processor shall refrain from providing Personal Information to a third party, other than a Sub-Processor, unless this exchange takes place on the instructions of Controller or when this is required to comply with any legal obligation. In the event of a legal obligation, Processor will verify the legal grounds of the request and the identity of the applicant in advance.
- Confidentiality
- Processor ensures that everyone, including its employees, representatives and/or Sub-Processors, involved in the Processing of Personal Data will treat this information as confidential.
- The confidentiality referred to in this article shall not apply if Controller has expressly given permission to provide the Third Party with Personal Data, if the provision of Personal Data to a Third Party is necessary for the performance of the Service Agreement, or if there exists a legal obligation to provide Personal Information to a Third Party.
- Technical and organisational measures (security)
- At their own expense and risk, Processor and Controller shall ensure appropriate technical and organisational measures to protect the Personal Data against destruction, loss, alteration or unauthorised disclosure of or unauthorised access to transmitted, stored or otherwise processed data, whether accidental or unlawful, as well as to prevent incorrect data from being stored, minimise the risk of errors and prevent discriminatory consequences.
- The measures referred to in this article will, with due observance of the state of the art and the costs involved with the implementation and execution of the measures, ensure an adequate level of protection, taking into account the risks and nature involved in the processing of Personal Data.
- The measures referred to in this Article shall at least include:
- measures to ensure that only authorised personnel have access to the Personal Data that is processed within the framework of the DPA, for example by regularly setting up and changing passwords;
- measures to protect the Personal Data against unintentional or unlawful destruction, loss, unintentional alteration, unauthorised or unlawful storage, access or disclosure, for example by regularly making backups, encrypting files, the use of anti-virus software and the careful handling of data carriers;
- measures to actively identify weak spots in the Processing of Personal Data in the systems that are used to provide services to the Controller;
- an appropriate information security policy and incident protocol for the Processing of Personal Data;
- the pseudonymisation of Personal Data as soon as reasonably possible.
- The parties will evaluate, tighten, supplement or improve the information security measures as the requirements or (technological) developments indicate it may be necessary.
- Annex 3 lists optional and additional agreements between the Parties about technical and organisational security measures, including the content, frequency and type of reports that Processor keeps for Controller.
- Processor enables Controller to comply with its legal obligation to monitor Processor's compliance with the technical and organisational security measures and with its obligations referred to in Article 8.
- In addition to Article 7, paragraph 3, Controller, in consultation with Processor, with due observance of a reasonable period and at its own expense, has the right to have the technical and organisational security measures taken by Processor checked by an independent auditor at all times.
- Data breaches
- Processor shall apply appropriate policies for the adequate handling of data breaches.
- If Processor or a Sub-Processor engaged by Processor establishes a data breach, they will inform the other Party immediately, and in any event within 48 hours (both by telephone and by email). If a data breach occurs, Processor shall provide all the relevant information in relation to the data breach to Controller, including information about possible developments regarding the data breach and the actions that Processor shall take to limit the effects of the data breach and avoid recurrence.
- At Controller's first request Processor will furthermore provide all information that Controller deems necessary to assess the incident. Processor at least provides the information as described in Annex 4 to Controller.
- In addition, Parties will instantaneously inform each other if it is likely the breach of security will result in a high risk to the rights and freedoms of the Data Subject as referred to in Article 34 paragraph 1 GDPR.
- Processor enables Controller to take appropriate follow-up regarding the data breach. Parties shall take all reasonably necessary measures without undue delay to prevent or limit (further) violation or breaches concerning the Processing of the Personal Data, and more specifically (further) violation of the GDPR or other regulations concerning the processing of personal data.
- When a data breach occurs Controller complies with any legal obligations to report to the Data Subject and to the relevant supervisory authority.
- Procedures regarding the rights of the Data Subjects
- A complaint or request from a Data Subject in relation to the Processing of Personal Data will be forwarded by Processor to Controller without undue delay. Controller is responsible for the processing of the request.
- Processor provides Controller with full cooperation to comply with the rights of Data Subjects such as a request for access, correction, supplementation, removal or restriction of Personal Data within the time limits set in the GDPR.
- If a Data Subject submits a request for access to Controller, Processor will, if requested by Controller and if possible and reasonable, cooperate within 14 days.
- Processing outside the European Economic Area
- If Personal Data is processed outside the European Economic Area (hereinafter: EEA), Parties shall ensure that this takes place solely in accordance with statutory regulations and with any obligations in this context that may be imposed on Controller. If data is going to be processed outside the EEA, this shall be specified in Annex 2, including a list of the countries where the data is going to be processed.
- Retention periods and deletion of personal data
- In accordance with Article 28 paragraph 3 sub g, Processor is obliged to delete or return the Processed Personal Data, and to delete existing copies, at the termination of the DPA, unless the Personal Data must or may be stored under (statutory) obligations or bases.
- Processor will confirm to Controller in writing that deletion of the Processed Personal Data has taken place.
- Processor shall notify all Sub-Processors involved of the termination of the DPA.
- Upon termination of the DPA, the obligations of Processor arising from this DPA shall remain in full force for as long as the Personal Data remains available to Processor.
- Inconsistencies and amendments of the DPA
- If the provisions of this DPA and the provisions of the Service Agreement conflict, the provisions of this DPA shall prevail, unless agreed otherwise in Writing.
- If the (additional) Services provided by Processor to Controller are altered in such a way that they affect the Processing of the Personal Data significantly, Controller will be informed in clear language about the consequences of these changes to the Processing of Personal Data before acceptance.
- Modifications to the Articles and Annexes of the DPA are binding only if agreed upon by the Parties in an addendum to this DPA signed by both Parties.
- If any provision of this DPA is void, voidable, or otherwise unenforceable, the other provisions shall remain in full force. In that case, the Parties will consult with each other to replace the void, voidable or otherwise unenforceable provision with an enforceable alternative provision. The parties will, as much as possible, take into account the purpose and intent of the void, voidable or otherwise unenforceable provision as well as the spirit of this DPA.
- Liability
- Processor is only liable in the event of non-performance (attributable failure to perform) and/or a tort.
- The Parties each take out suitable professional liability and cybercrime insurance. Amounts that a Party may claim from the relevant insurer (or, in the event of a lack of reasonable cover, could have claimed) are not eligible for reimbursement by the other Party.
- Damage and/or penalties resulting from this provision fall outside any clause regarding the limitation of liability and the maximisation of compensation in the Service Agreement.
- Processor's liability for any other form of compensation is excluded; this includes additional compensation in any form whatsoever, as well as compensation for indirect damage, consequential loss, damage due to lost sales or profits, fines imposed on Controller, delay loss, damage due to loss of data, damage due to exceeding deadlines because of changed circumstances, and theft, loss or damage of data and objects.
- The liability of Processor is per event and at all times limited to the sum actually paid out by the Business Liability Insurance of Processor in the case concerned. If the insurance does not cover the damage, the liability of Processor shall be limited to a total maximum of € 10,000.00.
- Processor's liability for non-performance arises solely if Controller instantaneously and properly gives notice of default to Processor in Writing, setting a reasonable period to correct the shortcoming, and Processor remains in breach. The notice of default has to contain a detailed description of the shortcoming.
- The exclusion and limitation of liability, as referred to in the previous paragraphs, does not apply if the damage is the result of deliberate default or wilful misconduct of Processor.
- Controller indemnifies Processor against all claims from third parties that are related to the execution of the DPA.
- Duration and termination
- The duration of this DPA is equal to the term of the Service Agreement concluded between the Parties, including any extensions/renewals.
- This DPA terminates automatically upon the termination of the Service Agreement.
- The DPA cannot be terminated apart from the Service Agreement.
- The termination of this DPA shall not release the Parties from their obligations arising from this DPA which by their nature are deemed to continue after termination.
- Decline to sign this DPA
- Both Parties have the right to decline to sign this document without giving any reasons or explanations.
- Without signing this DPA, Controller can use the services of Processor at its own risk.
- Applicable law
- This DPA shall be governed by Spanish law.
- If a dispute between the Parties arises regarding the interpretation or application of this DPA, the Parties shall seek a solution through negotiation.
- Disputes about or in relation to this DPA will be submitted to the competent court in the district where Processor is located, unless mandatory rules of jurisdiction stipulate otherwise. The procedure shall take place in the Spanish or English language.
Agreed and drawn up in duplicate, initialled on each page and signed by:
Controller
Processor
at ..........................................
at ..........................................
on ..........................................
on ..........................................
Name representative Controller
..............................................................
Name representative Processor
..............................................................
Signature
..............................................................
Signature
..............................................................
ANNEX 1
ENCLOSE SERVICE AGREEMENT
ANNEX 2
<The schedule below must be completed every time a Processor Agreement is concluded. It provides a complete overview of the Personal Data that will be processed. This makes it easier to show where, by whom and for what purpose Personal Data is processed.>
Description services / processing activities by Processor
- Remote security management (possibly via a virtual private network connection)
- Active monitoring through monitor tools
- System control and maintenance
Categories of personal data (general description of the categories of persons and personal data to which the processed data relates).
- Customer data (name and address details)
- IP data
- (Login) credentials
- Information about the use of services
- Location data
Nature and purpose(s) of processing
Move Work Forward will only process personal data if necessary for the execution of the service agreement.
Controller
<BUSINESS NAME OTHER PARTY>
Processor
Move Work Forward Pte Ltd
Sub-Processor(s)
https://trust.moveworkforward.com/subprocessors
Location of processing (including in/out EEA)
The United States
Retention period
Max. 1 year
ANNEX 3
ADDITIONAL AGREEMENTS REGARDING DATA PROTECTION (ARTICLE 7 PARAGRAPH 5)
If this annex is not filled in, no additional agreements apply.
- Standard systems <make a choice>
- Via the following code of conduct approved by the Spanish Data Protection Authority: https://www.aepd.es/documento/autocontrol-code-conduct-data-processing-advertising-activities-en.pdf.
- Information security is and shall remain at an adequate level, as shown by:
- certification;
- periodic external checks such as audits;
- a report with conclusions about the findings of the auditor;
- own checks and/or own announcements.
ANNEX 4
INFORMATION NEEDED TO ASSESS DATA BREACH INCIDENTS (ARTICLE 8 PARAGRAPH 3 OF THIS DPA).
- Processor will provide all information that Controller deems necessary to assess the data breach incident. Processor shall provide at least the following information to Controller:
- what the (alleged) cause of the breach is;
- what the (known and/or expected) result is;
- what the (proposed) solution is;
- contact details for the follow-up of the report;
- number of persons whose data are involved in the breach (if no exact number is known: the minimum and maximum number of persons whose data are involved in the breach);
- a description of the category of persons whose data are involved in the breach;
- the type or types of personal data involved in the breach;
- the date on which the breach took place (if no exact date is known: the period in which the breach occurred);
- the date and time at which the breach became known to Processor or to a third party engaged;
- whether the data is encrypted, hashed, or otherwise incomprehensible or inaccessible to unauthorised persons;
- the measures already taken to end the breach and to limit the consequences of the breach.