Recitals
- You (the “Controller”) and Social Plus Holdings Ltd with registered office at Innovation House, Ramsgate Road, Sandwich, Kent, United Kingdom, CT13 9FF (the “Processor”) have concluded an agreement according to which the Processor is obliged to process the Controller’s user data due to the Controller’s use of the Social+ on behalf of the Controller (the “Agreement”);
- the fulfilment of the Agreement requires the Processor to process personal data of several data subjects on behalf of the Controller as further described in Annex I (respectively, “Personal Data” and “Data Subjects”);
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Data Protection Law”) requires that the processing activities carried out by the Processor be regulated through a legal act binding on the processor and providing specific instructions as to the processing of the personal data;
- the Processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Law and ensure the protection of the rights of the Data Subjects;
- with this data processing agreement (the “Data Processing Agreement”), the Controller and the Processor intend to regulate the processing of Personal Data necessary to execute the Agreement according to the applicable Data Protection Law.
Now, Therefore,
the Controller and the Processor have entered into this Data Processing Agreement as follows.
- Purpose of the regulation
The purpose of this Data Processing Agreement is to govern the processing activities that the Processor will carry out on behalf of the Controller to execute the Agreement and to establish the conditions under which the Processor may process the Personal Data relating to the Data Subjects.
- Obligations of the processor
The Processor undertakes to:
- process the Personal Data exclusively on behalf of the Controller, only as long as necessary to execute the Agreement, and in accordance with the Data Protection Law and the instructions and conditions provided by the Controller with this Data Processing Agreement;
- ensure that the persons processing the Personal Data under its authority, including its employees, interns, and consultants, have committed themselves to confidentiality and have received proper instructions to process the Personal Data in accordance with the Data Protection Law and the instructions provided for by the Controller;
- implement all technical and organisational measures to ensure a level of security appropriate to the risk presented by the nature, scope, context, and purposes of the processing of Personal Data;
- when engaging another processor (the “Sub-processor”):
- appoint only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures to respect the requirements of the Data Protection Law;
- impose on the Sub-processor, by way of a contract, the same obligations imposed on the Processor under this Data Processing Agreement;
- inform the Controller of such appointment;
- notify the Controller of any request received from Data Subjects and assist the Controller to fulfil such requests;
- assist the Controller to:
- identify and implement the adequate technical and organisational measures;
- identify and notify a data breach to the competent supervisory authority without undue delay after having become aware of it;
- notify a data breach to the Data Subjects when it is likely to result in a high risk to the rights and freedoms of natural persons;
- carry out a data protection impact assessment and consult the authority on its results when it indicates that the processing would result in a high risk for the Data Subjects;
- upon termination of this Data Processing Agreement, at the choice of the Controller, delete or return to the Controller all Personal Data, except where retaining Personal Data is required to comply with an obligation upon the Processor, in which case it shall inform the Controller of such obligation;
- upon request of the Controller, make available all information necessary to demonstrate compliance with the instructions provided for in this Data Processing Agreement. The Processor also undertakes to allow the Controller to carry out audit activities by itself or, at its own cost, through an independent auditor to verify the compliance with the instructions set out in this Data Processing Agreement. In any case, the Controller undertakes to:
- keep all the information collected during the audit as confidential;
- inform the Processor at least 10 days before the audit;
- conduct the audit only to the extent strictly necessary to verify compliance with this Data Processing Agreement and the Data Protection Law, during normal working hours and in a manner that does not unreasonably disrupt the normal activities of the Processor;
- bear any cost related to the audit;
- when required by the Data Protection Law, the Processor shall maintain and keep updated a record of processing activities according to the requirements set forth by the applicable Data Protection Law;
- when necessary under the applicable Data Protection Law, the Processor shall appoint a Data Protection Officer and communicate its contacts to the Controller; and
- transfer, or cause to be transferred, Personal Data from one country to another country with the Controller’s prior written consent, except only the country as stated in the Annex I. Where the Controller consents to such transfer (including the country stated in the Annex I), the transfer shall be in accordance with Data Protection Law. The Processor shall provide an adequate level of protection for the Controller Personal Data wherever processed in accordance with Data Protection Law and this Data Processing Agreement.
- Duration
This Data Processing Agreement has the same duration as the Agreement signed between the Controller and the Processor and will cease should the Agreement expire or be terminated for any reason.
- Processor Liability
The Processor undertakes to indemnify and hold harmless the Controller for any damage or sanction resulting to the Controller for its failure to comply with this Data Processing Agreement or with the applicable Data Protection Law and from any damage, expense, cost or charge arising out of a violation of the data protection obligations imposed on any Sub-processor.
- Changes to Data Protection Law
In the event of any change to the applicable Data Protection Law that may affect the responsibilities and obligations imposed under this Data Processing Agreement, the Controller and the Processor undertake to discuss and negotiate in good faith any possible amendment necessary to comply with the amended Data Protection Law.
- Severability
Whenever a provision of this Data Processing Agreement is or becomes invalid or not applicable, such provision will be considered autonomously in respect thereto and, if possible, it will be replaced by a lawful provision which truthfully reflects the intention of the Parties pursuant to this Data Processing Agreement and, if applicable, does not affect the validity and/or applicability of any further provisions thereof.
- Order of precedence
In the event of any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Agreement on data protection, the provisions of this Data Processing Agreement shall prevail.
- Applicable Law and Jurisdiction
- This Data Processing Agreement is governed by the law of England and Wales.
- Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of London.
Annexes
Annex I: Description of the processing
Annex II: SCC
ANNEX I: Description of the processing
- Purpose(s) for which the Personal Data is processed on behalf of the Controller:
- the Personal Data transferred is processed by the Processor to (i) provide the services pursuant to the Agreement (usage of the Social+ by the Controller) (ii) guarantee the effectiveness and maintenance of the Product as per the Services Level Agreement under Schedule 1 (iii) provide on Customer's request: (a) ongoing users’ traction and activities data; and (b) consulting services thanks to a data driven dashboard on how to leverage the Product to increase the users’ engagement and achieve business goals;
- Duration of the processing:
- Contract Term;
- Categories of Data Subjects whose personal data is processed:
- User Data;
- Categories of Personal Data processed:
- User ID, User Personal Info (name, position, organization) and User Activity (querying newsfeed, updating user profile, create and update a post and add comment to the post);
- Special categories of Personal Data processed (if applicable):
- Not applicable;
- Place of storage and processing of the Personal Data:
- EU, Germany.
ANNEX II: SCCs
Where the Parties are required to implement the SCCs, those clauses shall form part of this Agreement and shall be deemed completed as follows:
https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
(a) Module Two (controller to processor) of the 2022 SCCs shall apply to transfers of Personal Data from Controller to Processor;
(b) Clause 7 (the optional docking clause) is not included;
(c) Under Clause 9(a) (use of sub-processors), OPTION 2 (general authorisation) is selected.
(d) Under Clause 11 (redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
(e) Under Clause 17 (governing law), OPTION 1 is selected. The Parties select the laws of the Netherlands;
(f) Under Clause 18, (choice of forum and jurisdiction), the Parties select the courts of the Netherlands.