Entered into by and between
Packet Host Inc.
30 Vesey Street, 9th Floor
New York, NY 10007 USA
[Name of Data Controller]
[Address of Data Controller]
Data Processor and Data Controller are hereinafter referred to individually as the “Party” or jointly as the “Parties”.
- The Parties have entered into a Master Services Agreement relating to the provision of bare metal server storage capacities through the Data Processor (hereinafter referred to as the “MSA”). Under the MSA, the Data Processor may as data controller upload and store data, including personal data originating from EU data subjects, on the bare metal servers provided by the Data Processor.
- Whilst a processing of personal data in the narrow sense of the word does not form part of the contractual obligations of the Data Processor under the MSA (i.e. due to its mainly infrastructure related offering), it cannot be excluded that the Data Processor may have, on the occasion of operating the relevant bare metal servers, access to such personal data. This may also apply where central US based functions of the Data Processor may have remote access to data stored in EU based data centers.
- Against this background the Parties wish to enter, as a precautionary measure with a view to complying with potential requirements under Art. 28 of the EU General Data Protection Regulation (hereinafter referred to as “GDPR”), into the following data processing agreement (hereinafter referred to as the “Agreement”). Unless otherwise stipulated herein, the Agreement shall also be governed by the provisions of the MSA. Defined terms used in this Agreement shall have the same meaning as in the MSA.
Therefore, the Parties agree as follows:
- Subject matter and duration of the Agreement
- This Agreement relates to any potential data processing activities conducted by the Data Processor on behalf of the Data Controller (hereinafter also referred to as the “Order”) as part of its obligation to provide the Services under the MSA. A detailed description of such Services is attached hereto as Annex 1.1.
- On the basis of this Agreement, the Data Processor shall process personal data (if any) on behalf of the Data Controller within the meaning of Art. 4 No. 2 and Art. 28 GDPR.
- Unless the Data Controller provides its Services exclusively in a Member State of the EU or in a state which is a party to the Agreement on the EEA, any performance of Services in whole or in part in a third country requires the prior consent of the Data Controller and may only take place if the specific requirements of Art. 44 et seq. GDPR (e.g. EU Commission adequacy decision or standard contractual clauses, binding corporate rules) are met. With a view to fulfilling the prerequisites of an extra-EU/EEA data processing according to sentence 1, the Parties have also agreed to the EU Commission standard contractual clauses attached hereto as Annex 1.3.
- Duration of the Agreement:
- The Agreement shall have the same term as the MSA and be coterminous to the MSA (see termination provisions under Section 3.1 of the MSA).
- The Data Controller may also terminate the Agreement at any time without notice if the Data Processor (i) commits a serious breach of data protection regulations or provisions of this Agreement, (ii) is unable or unwilling to comply with instructions as to data processing given by the Data Controller or (iii) refuses to comply with audit rights of the Data Controller in breach of the Agreement. In particular, the non-compliance with the terms of Art. 28 GDPR constitutes a serious breach.
- Nature and purpose of the processing, nature of personal data and categories of data subjects
- Type of processing (as defined in Art. 4 No. 2 GDPR)
* Storage of personal data
- Type of personal data (as defined in Art. 4 Nos. 1, 13, 14 and 15 GDPR)
[To be specified by Data Controller]
- Categories of persons concerned (as defined in Art. 4 No. 1 GDPR)
[To be specified by Data Controller]
- Rights and obligations of the Data Controller including the authority to issue instructions
- Any assessment whether or not the data processing is admissible according to Art. 6 para. 1 GDPR and as to the protection of the rights of the data subjects under Art. 12 to 22 GDPR is the sole responsibility of the Data Controller. Nevertheless, the Data Processor is obliged to forward without undue delay any such inquiries of data subjects to the Data Controller provided that they are obviously directed exclusively to the Data Controller.
- Changes to the object of processing and changes to procedures shall be agreed jointly between the Data Controller and the Data Processor and specified in writing or in electronic form.
- The Data Controller places all Orders and instructions in writing or in electronic form. Oral instructions must be confirmed without undue delay in writing or in electronic form.
- The Data Controller is entitled to audit, as stipulated under Section 5 before the start of the processing and regularly thereafter in an appropriate manner, the Data Processor’s compliance with the agreed technical and organisational measures as well as Data Processor’s obligations set out in this Agreement.
- The Data Controller shall inform the Data Processor without undue delay if it detects errors or irregularities in the audit of the results of the processing.
- The Data Controller is obliged to treat confidentially all business secrets and data security measures of the Data Processor of which the Data Controller becomes aware throughout the contractual relationship. This obligation shall survive termination of this Agreement.
- Persons authorized to issue instructions on behalf of the Data Controller, recipients of instructions to the Data Processor
- Persons authorized to issue instructions on behalf of the Data Controller:
[Name, organizational unit, telephone number of contact person to be specified by Data Controller]
- Recipient of instructions at Data Processor level:
Head of GDPR Compliance, Tel. +1 212-933-9785
- Communication channels to be used for instructions:
Packet Host Inc., Attention of: Head of GDPR Compliance, 30 Vesey Street, 9th Floor, New York, NY 10007 USA, email: [email protected]
- In the event of a change of a contact person or if a contact person is prevented from exercising his or her duties for a longer period of time, the other Party must be informed without undue delay and regularly in writing or electronic form of the relevant successors or stand-ins. The instructions must be kept for their period of validity and subsequently for three full calendar years.
- Obligations of the Data Processor
- The Data Processor shall process personal data only in accordance with the Agreement and the instructions of the Data Controller, unless the Data Processor is obliged to proceed otherwise by applicable law of the EU or a Member State to which the Data Processor is subject (e.g. investigations by law enforcement or state protection authorities), in which case the Data Processor shall inform the Data Controller of such legal requirements before processing, unless the relevant applicable law prohibits such communication on account of an important public interest (Article 28 para. 3 subpara. 2 lit. a GDPR).
- The Data Processor must not use the personal data provided for processing for any other purposes, in particular not for its own purposes. Copies or duplicates of personal data will not be made without the knowledge of the Data Controller.
- With regard to the processing of personal data in accordance with the instructions, the Data Processor ensures that all agreed measures are carried out in accordance with the Agreement. The Data Processor also ensures that the data processed on behalf of the Data Controller is strictly separated from other stored data.
- The data carriers that originate from the Data Controller or that are used for the Data Controller are specially marked. Data input and data output as well as the current use of such data carriers are documented.
- The Data Processor must carry out inspections in its area of responsibility and comply with additional obligations throughout the term as per the following:
- The result of any inspections shall be documented.
- The Data Processor must cooperate and support the Data Controller to the necessary extent with regard to the fulfilment of the rights of the data subjects stipulated under Art. 12 to 22 GDPR through the Data Controller, the preparation of lists of processing activities and in the case of a necessary privacy impact assessment by the Data Controller (Art. 28 para. 3 sentence 2 lit. e and f GDPR). Upon request, the Data Processor will provide without undue delay the necessary information to the contact person designated by the Data Controller in Section 4.1 above.
- The Data Processor will indicate to the Data Controller without undue delay if it considers that an instruction given by the Data Controller violates applicable law (Art. 28 para. 3 sentence 3 GDPR). The Data Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed after verification by the person responsible for acting on behalf of the Data Controller.
- The Data Processor must correct, delete or restrict the processing of in scope personal data if the Data Controller demands this by means of instructions and the Data Processor's legitimate interests are not opposed to this.
- The Data Processor may only provide information on personal data covered by the Agreement to third parties or data subjects after the prior instruction or approval by the Data Controller.
- The Data Processor agrees that the Data Controller is entitled – in principle only after prior agreement on an appointment to that effect – to audit the Data Processor’s compliance with the provisions of applicable law as to data protection and data security as well as the Agreement to an appropriate and necessary extent by itself or a representative of the Data Controller, in particular by obtaining information and inspecting the stored data and the data processing programs as well as on-site checks and inspections (Art. 28 para. 3 sentence 2 lit. h GDPR).
- The Data Processor agrees that, where necessary, it will assist in these inspections. The following is agreed until further notice:
- The processing of data in private homes (telework or home office of employees of the Data Processor) is only permitted with the consent of the Data Controller. If the data is processed in a private home, access to the employee's home must be contractually ensured for the employer's control purposes. The measures according to Art. 32 GDPR must also be ensured in this case.
- The Data Processor confirms that it is aware of the relevant data protection regulations of GDPR for data processing. It also undertakes to observe applicable rules of secrecy protection (e.g. banking secrecy, telecommunications secrecy, professional secrecy) relevant to the Order which are incumbent on the Data Controller as agreed between the Parties and attached hereto:
* Intentionally left blank
- The Data Processor undertakes to maintain confidentiality when processing the Data Controller's personal data in accordance with the Order. This shall continue to apply even after termination of the Agreement.
- The Data Processor warrants that it will familiarize its employees involved in carrying out the data processing with the data protection provisions applicable to them prior to commencing the work and that it will undertake to maintain appropriate confidentiality for the duration of their work and after termination of their employment (Art. 28 para. 3 sentence 2 lit. b and Art. 29 GDPR). The Data Processor shall monitor compliance with data protection regulations in its company.
- An in-house data protection officer pursuant to Art. 37 GDPR has not been appointed by the Data Processor as there is no legal requirement for such an appointment.
- Duties of the Data Processor to notify in the event of processing disruptions and data breaches
The Data Processor shall inform the Data Controller without undue delay of any disruptions, breaches of data protection regulations or agreed stipulations through the Data Processor or the persons employed by it as well as of any suspected data protection breaches or irregularities in the processing of personal data. This applies in particular with regard to potential notification obligations of the Data Controller in accordance with Art. 33 and Art. 34 GDPR. The Data Processor undertakes to appropriately support the Data Controller, if necessary, in its duties according to Art. 33 and 34 GDPR (Art. 28 para. 3 sentence 2 lit. f GDPR). Notifications according to Art. 33 or 34 GDPR for the Data Controller may only be carried out by the Data Processor after prior instruction in accordance with Section 4 of this Agreement.
- Subcontracts with sub-processors (Art. 28 para. 3 sentence 2 lit. d GDPR)
- The Data Processor may only commission sub-processors to process the Data Controller's data with the permission of the Data Controller, Art. 28 para. 2 GDPR, which must be effected by one of the above-mentioned communication channels (see Section 4), however, oral permission being excluded. Consent may only be given if the Data Processor informs the Data Controller of the sub-processor's name and address as well as the intended activity. In addition, the Data Processor must ensure that it selects the sub-processor carefully, having particular regard to the suitability of the technical and organisational measures undertaken by the sub-processor within the meaning of Art. 32 GDPR. The relevant test documents shall be made available to the Data Controller on request.
- Sub-processors may only be commissioned in third countries if the specific requirements of Art. 44 et seq. GDPR (e.g. EU Commission adequacy decision or standard contractual clauses, binding corporate rules) are met.
- The Data Processor must contractually ensure that the provisions agreed between Data Controller and Data Processor also apply to sub-processors. The sub-processing agreement with the sub-processor shall specify the obligations in such detail that the mutual responsibilities of the Data Processor and the sub-processor are clearly defined. If several sub-processors are engaged, this also applies to the delimitation of responsibilities between these sub-processors. In particular, the Data Controller must be entitled, if necessary, to carry out appropriate inspections and audits, also on site, at sub-processor premises or have them carried out by third parties commissioned by the Data Controller.
- The sub-processing agreement with the sub-processor must be made in writing, which can also be in electronic form (Art. 28 para. 4 and para. 9 GDPR).
- The forwarding of data to the sub-processor is only permitted if the sub-processor meets the obligations under Art. 29 and Art. 32 para. 4 GDPR with regard to its employees.
- The Data Processor shall check compliance of any sub-processor with its obligations as follows:
- The result of the inspections shall be documented and made available to the Data Controller upon request.
- The Data Processor shall be liable to the Data Controller for the sub-processor's compliance with the data protection obligations contractually imposed on it by the Data Processor in accordance with this Section of the Agreement.
- At present, the sub-processors that are engaged by the Data Processor in the processing of personal data are specified in Annex 7.6 with name, address and subject matter of the Order to the extent specified therein. The Data Controller herewith approves such engagement.
- The Data Processor always notifies the Data Controller of any intended change in relation to the use of new sub-processors or a replacement of existing sub-processors, giving the Data Controller the possibility to object to such changes (Art. 28 para. 2 sentence 2 GDPR). If the Data Controller does not object within a period of two weeks after notification, the Data Processor shall be entitled to effect the relevant change.
- Technical and organisational measures in accordance with Art. 32 GDPR (Art. 28 para. 3 sentence 2 lit. c GDPR)
- A level of protection which is adequate to the risk to the rights and freedoms of the natural persons concerned by the data processing shall be ensured for data processing. For this purpose, the protection goals of Art. 32 para. 1 GDPR, such as confidentiality, integrity and availability of systems and services and their resilience with regard to the type, scope, circumstances and purpose of the processing, are taken into account in such a way that the risk is permanently contained by appropriate technical and organisational measures.
- The security concept set out in Annex 8.2 describes in detail the appropriate technical and organisational measures implemented by the Data Processor, based on the relevant protection goals in accordance with state of the art and taking special account of the IT systems and processing methods used by the Data Processor.
- The Data Processor will carry out a review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of processing (Art. 32 para. 1 lit. d GDPR) as appropriate, but at least once a year. The Data Controller must be informed of the result including the complete audit report.
- Decisions on the organization of data processing and the procedures used which are important for security must be agreed between the Data Processor and the Data Controller.
- If the measures taken by the Data Processor do not meet the Data Controller's requirements, it shall notify the Data Controller without undue delay.
- The measures taken by the Data Processor may be adapted to technical and organisational developments in the course of the contractual relationship, but may not fall short of the agreed standards.
- The Data Processor must align on essential changes with the Data Controller in documented form (in writing or electronic form). The results of such alignment are to be kept for the duration of this Agreement.
- Obligations of the Data Processor after completion of the Order, Art. 28 para. 3 sentence 2 lit. g GDPR
After completion of the contractual performances, the Data Processor shall have all data, documents and processing or usage results obtained by the Data Processor and sub-processors in connection with the contractual relationship
- returned to the Data Controller; or
- deleted or destroyed in accordance with applicable data protection regulations; the deletion or destruction must be confirmed to the Data Controller in writing or in electronic form, stating the date of deletion or destruction.
- With regard to liability towards data subjects, the Parties herewith expressly refer to Art. 82 GDPR as mandatory law.
- As to the mutual liability of the Parties in all other respects, the liability and indemnification provisions of the MSA (see Sections 8 and 9 of the MSA) shall apply mutatis mutandis to this Agreement.
- Any arrangements of the Parties as to applicable technical and organisational measures as well as any audit and inspection reports (also relating to sub-processors) shall be kept by both Parties for the term of the Agreement and subsequently for an additional three full calendar years.
- Ancillary agreements, amendments and supplements to this Agreement must be made in writing or in electronic form in order to be valid. This also applies to the waiver of this form requirement.
- Should the Data Controller’s property as to data carriers or the personal data itself that is processed by the Data Processor be endangered by measures of third parties (such as seizure or confiscation), by insolvency proceedings or by other events, the Data Processor must inform the Data Controller hereof without undue delay.
- Any rights of retention of the Data Processor with regard to the data processed on behalf of the Data Controller and the associated data carriers are excluded.
- Should any provision of this Agreement be or become invalid or unenforceable in whole or in part, or should this Agreement contain a gap, this shall not affect the validity of the remaining provisions of this Agreement. In this case, the Parties undertake to agree on a new, legally effective and enforceable provision which comes as close as possible to the economic purpose of the invalid, unenforceable or missing provision.