This DPA reflects Retently’s and the Client’s agreement regarding the processing of Personal Data shared, uploaded and/or otherwise provided to Retently by the Client.
The terms used in this DPA shall have the meanings set forth in this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
Article 1. Purposes of processing
1.2. The Personal Data to be processed by the Processor for the purposes set out in the previous clause and the categories of data subjects involved are set out in Appendix 1 to this Data Processing Agreement. The Processor shall not process the Personal Data for any other purpose unless with the Controller’s consent. The Controller shall inform the Processor of any processing purposes to the extent not already mentioned in this Data Processing Agreement. The Processor, however, is permitted to use Personal Data for quality assurance and statistical research purposes regarding the quality of the Processor’s services.
1.3. All Personal Data processed on behalf of the Controller shall remain the property of the Controller and/or the data subjects in question.
Article 2. Processor’s obligations
2.1. Regarding the processing operations referred to in the previous clause, the Processor shall comply with all applicable legislation, including all data processing legislation such as the General Data Protection Regulation (GDPR).
2.2. Upon the first request, the Processor shall inform the Controller about any measures taken to comply with its obligations under this Data Processing Agreement.
2.3. All obligations of the Processor under this Data Processing Agreement shall apply equally to any person processing Personal Data under the supervision of the Processor, including but not limited to employees in the broadest sense of the term.
2.4. The Processor shall inform the Controller without delay if in its opinion a Controller’s instruction would violate the legislation referred to in the first clause of this article.
2.5. The Processor shall provide reasonable assistance to the Controller in the context of any privacy impact assessments to be made by the Controller.
Article 3. Transfer of Personal Data
3.1. The Processor may process the Personal Data in any country within the European Union.
3.2. In addition the Processor may transfer the Personal Data to a country outside the European Union, provided that country ensures an adequate level of protection of Personal Data and complies with other obligations imposed on it under this Data Processing Agreement and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights, and effective legal remedies for data subjects.
3.3. The Processor shall report to the Controller which countries are involved. The Processor warrants that, considering the circumstances that apply to the transfer of Personal Data or any category of transfers, the country or countries outside the European Union have an adequate level of protection.
3.4. In particular, the Processor shall take into account the duration of the processing, the country of origin and the country of destination, the general and sector-based rules of law in the country of destination and the professional rules and security measures which are complied with in that country.
Article 4. Allocation of responsibilities
4.2. The Controller represents and warrants that the content, usage, and instructions to process the Personal Data as meant in this Data Processing Agreement are lawful and do not violate any right of any third party.
Article 5. Third party data processors
5.2. The Controller agrees that if and to the extent such transfers occur, the Controller is responsible for entering into separate contractual arrangements with such third party data processors binding them to comply with obligations in accordance with the GDPR.
5.3. In any event, the Processor shall ensure that any third parties are bound to at least the same obligations as agreed between the Controller and Processor.
Article 6. Security
6.1. The Processor shall use reasonable efforts to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing operations involved, against loss or unlawful processing (in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed).
6.2. The Processor shall implement specific security measures specified in the GDPR. The Processor may adjust the security measures at any time unilaterally. The Processor shall inform the Controller of any adjustments.
6.3. The Processor does not warrant that the security is effective under all circumstances. If any security measure explicitly agreed in this Data Processing Agreement is missing, then the Processor shall use its best efforts to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.4. The Controller shall only provide Personal Data to the Processor for processing if it has ensured that the required security measures have been taken. The Controller is responsible for the parties’ compliance with these security measures.
Article 7. Notification and communication of data breaches
7.1. The Controller is responsible at all times for notification of any security breaches and/or Personal Data breaches (which are understood as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed) to the competent supervisory authority, and for communication of the same to data subjects. In order to enable the Controller to comply with this legal requirement, the Processor shall notify the Controller within 72 hours after becoming aware of an actual or threatened security or Personal Data breach.
7.2. A notification under the previous clause shall be made at all times, but only for actual breaches.
7.3. The notification shall include at least the fact that a breach has occurred. In addition, the notification shall:
- Describe the nature of the Personal Data breach including, where possible, the approximate number of data subjects concerned;
- Describe the likely consequences of the Personal Data breach;
- Describe the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 8. Processing requests from data subjects
8.1. In the event a data subject makes a request to exercise his or her legal rights under data protection legislation, the Processor shall pass on such request to the Controller, and the Controller shall process the request. The Processor may inform the data subject that the Controller has been notified of their request.
Article 9. Confidentiality obligations
9.1. All Personal Data that the Processor receives from the Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. The Processor shall not use this information for any goals other than for which it was obtained, not even if the information has been converted into a form that is no longer related to an identified or identifiable natural person.
9.2. The confidentiality obligation shall not apply to the extent the Controller has granted explicit permission to provide the information to third parties, if the provision to third parties is reasonably necessary considering the nature of the assignment to the Controller, or if the provision is legally required.
Article 10. Audit
10.1. The Controller has the right to have audits performed on the Processor by an independent third party bound by confidentiality obligations to verify compliance with the security requirements, GDPR compliance, unauthorized use of Personal Data by the Processor’s personnel, compliance with the Data Processing Agreement, and all issues reasonably connected thereto.
10.2. This audit may be performed once a year as well as in the event of a substantiated allegation of misuse of Personal Data.
10.3. The Processor shall give its full cooperation to the audit and shall make available employees and all reasonably relevant information, including supporting data such as system logs.
10.4. The audit findings shall be assessed by the parties in joint consultation and may or may not be implemented by either party or jointly.
10.5. The costs of the audit shall be borne by the Controller.
Article 11. Liability and contractual fine
11.1. The liability of parties for any damages as a result of an attributable failure to comply with this Data Processing Agreement, unlawful acts or otherwise, is excluded. To the extent such liability cannot be excluded, it is limited to direct damages per event (a sequence of successive events counting as one event), up to the amount received by the other party for all activities under this Data Processing Agreement for the month prior to the event. Any liability of the parties for direct damages shall in any event never be more than € 1.000.000.
11.2. Direct damages shall include only:
- Damages to physical objects;
- Reasonable and proven costs to cause the party in question to regain compliance with this Data Processing Agreement;
- Reasonable costs to assess the cause and extent of the direct damage as meant in this article;
- Reasonable and proven costs that the Controller has incurred to limit the direct damages as meant in this article.
11.3. Any liability for indirect damages by the parties is excluded. Indirect damages are all damages that are not direct damages, and thus include, but are not limited to, consequential damages, lost profits, missed savings, reductions in goodwill, standstill damages, damages as a result of using the data prescribed by the Controller, or loss, corruption or destruction of data.
11.4. No limitation of liability shall exist if and to the extent the damages are a result of intentional misconduct or gross negligence on the part of the party in question or its directors.
11.5. Unless a failure by the party in question is incapable of redress, any liability shall exist only if the other party puts the responsible party on notice of default, including a reasonable term for addressing the failure, and the responsible party fails to comply even after this term. The notice shall contain a detailed description of the failure to ensure that the responsible party has a reasonable opportunity to address the failure.
11.6. Any claim for damages by either party against the other that is not specifically notified in detail shall be extinguished by the passage of twelve (12) months after the date its cause first arose.
Article 12. Term and termination
12.2. This Data Processing Agreement is entered into for the duration of the Agreement, the subscription period of the Client, or for up to 90 days after the subscription has been canceled but the Client has not withdrawn consent for data processing.
12.3. Upon termination of the Data Processing Agreement, regardless of the reason or manner, the Processor shall – at the choice of the Controller – return in original format or destroy all Personal Data available to it.
12.4. This Data Processing Agreement may be changed in the same manner as the Agreement.
Appendix 1: Stipulation of Personal Data and data subjects
The Service processes two types of Personal Data: Client Personal Data and Data Controlled by Client. The Processor shall process the below Personal Data under the supervision of the Controller, as specified in article 1 of the Data Processing Agreement:
Client Personal Data: When signing up and using the Service we may ask you to provide us with certain Personal Data that includes:
- Email address
- First name and last name
- Company name
- Phone number
- IP address
- Location (country and/or city)
You may decline to share certain Personal Data with us, in which case you will not be able to sign up and use the Service.
Data Controlled by Client: While using the Service, you can upload, or import into your account lists containing your customers’ information. When uploading or importing your customers’ information to the Service, we may ask you to provide the following information:
- Data subject’s email address
- Data subject’s first name and last name
- Data subject’s company name
- Data subject’s title
- Data subject’s location (country and/or city)
The Service has no direct relationship with a user’s customers, and each user is solely responsible for notifying his customers about the reason behind the collection of their Personal Data and how this information is processed in or through the Service.
The Controller represents and warrants that the description of Personal Data and the categories of data subjects in this Appendix 1 is complete and accurate, and shall indemnify and hold harmless the Processor for all faults and claims that may arise from a violation of this representation and warranty.