Data processing appendix

This Appendix forms an integral part of the Contract and is entered into by:

(i) The Client ("Data Exporter")

(ii) POSTCODEZIP ("Data Importer")

Each a "Party" and together the "Parties".

Preamble

WHEREAS the Data Importer provides professional software, computer, and related services;

WHEREAS, pursuant to the Contract, the Data Importer has agreed to provide to the Data Exporter the services specified in the Contract (the "Services");

WHEREAS, in providing the Services, the Data Importer receives or benefits from access to the Data Exporter's information or to the information of other persons having a (potential) relationship with the Data Exporter, and such information may qualify as personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("GDPR") and other applicable data protection laws;

WHEREAS this Appendix contains the terms and conditions applicable to the collection, processing, and use of such personal data by the Data Importer in its capacity as the authorized data processing agent of the Data Exporter, to ensure that the Parties comply with applicable data protection law;

THEREFORE, and to enable the Parties to continue their relationship lawfully, the Parties have concluded this Appendix as follows:

Part 1

1. Structure of the document and definitions

1.1 Structure

This Appendix comprises the following parts:

Part 1: contains general provisions, e.g. concerning the definitions used in this Appendix, compliance with local laws, timing, and termination.

Part 2: contains the body of the unamended Standard Contractual Clauses document.

Appendix 1.1 of Part 2: contains the details of the processing operations provided by the Data Importer to the Data Exporter as the authorized data processing agent (including the processing, its nature and purpose, the type of personal data, and the categories of data subjects) under this Appendix.

Appendix 2 of Part 2: contains a description of the Data Importer's technical and organizational security measures, which apply to all processing activities described in Appendix 1.1 of Part 2.

Part 3: contains the signatures of the Parties to be bound by this Appendix and identifies each Data Importer.

1.2 Terminology and definitions

For the purposes of this Appendix, the terminology and definitions used by the GDPR apply (in the body of the Standard Contractual Clauses document in Part 2, defined terms are not capitalized).

"Member State" means a country belonging to the European Union or the European Economic Area.

"Special categories of (personal) data" refers to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a person, data concerning health, and data concerning a person's sex life or sexual orientation.

"Standard Contractual Clauses" means the Standard Contractual Clauses for the transfer of personal data to processing agents established in third countries under Commission Decision 2010/87/EU of 5 February 2010, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016.

"Data processor" means any processing agent, located inside or outside the EU/EEA, who agrees to receive from the Data Importer or any other processor of the Data Importer personal data for the exclusive purpose of processing activities to be carried out on behalf of the Data Exporter after the transfer, in accordance with the Data Exporter's instructions, the terms of this Appendix and the Contract with the Data Importer.

2. Obligations of the Data Exporter

2.1 The Data Exporter has an obligation to ensure compliance with all applicable obligations under the GDPR and any other applicable data protection law that applies to the Data Exporter, and to demonstrate such compliance as required by Article 5 (2) of the GDPR. The Data Exporter warrants that the Data Importer has obtained the prior consent of the data subjects in accordance with Article 6 (a) of the GDPR and has complied with its obligation to inform the data subjects in accordance with Articles 13 and 14 of the GDPR.

2.2 The Data Exporter must provide the Data Importer with the relevant records of processing activities in accordance with Article 30 (1) of the GDPR related to the Services under this Appendix, to the extent necessary for the Data Importer to comply with its obligation under Article 30 (2) of the GDPR.

2.3 The Data Exporter must appoint a data protection officer or representative to the extent required by applicable data protection law. The Data Exporter is obliged to provide the contact details of the data protection officer or representative, if any, to the Data Importer.

2.4 The Data Exporter confirms, prior to the completion of the processing and by accepting this Appendix, that the Data Importer's technical and organizational security measures, as set out in Appendix 2 to Part 2, are appropriate and sufficient to protect the rights of the data subjects, and confirms that the Data Importer provides sufficient safeguards in this respect.

3. Compliance with local law

In order to meet the requirements applicable to processing agents under Article 28 of the GDPR, the following amendments apply:

3.1 Instructions

(i) The Data Exporter instructs the Data Importer to process personal data only on behalf of the Data Exporter. The Data Exporter's instructions are provided in this Appendix and in the Contract. The Data Exporter has the obligation to ensure that all instructions given to the Data Importer comply with applicable data protection laws. The Data Importer must process personal data only in accordance with the instructions provided by the Data Exporter, unless otherwise required by the law of the European Union or of the Member State (in the latter case, Part 1 Clause 3.2 (iv) (c) applies).

(ii) Any other instructions going beyond the instructions in this Appendix or in the Contract must fall within the subject matter of this Appendix and the Contract. If implementing such an additional instruction involves costs for the Data Importer, the Data Importer shall inform the Data Exporter of such costs and provide an explanation before implementing the instruction. Only after the Data Exporter has confirmed acceptance of these costs shall the Data Importer implement the additional instruction. The Data Exporter must give additional instructions in writing unless urgency or other specific circumstances require another form (e.g. oral, electronic). Instructions given in a form other than in writing must be confirmed in writing by the Data Exporter without delay.

(iii) If the Data Exporter cannot carry out the rectification, erasure, or restriction of personal data by itself, the instructions may also relate to the rectification, erasure, and/or restriction of personal data as set out in Part 1 Clause 3.3.

(iv) The Data Importer must immediately inform the Data Exporter if, in its opinion, an instruction violates the GDPR or other applicable data protection provisions of the European Union or a Member State ("Disputed Instruction"). If the Data Importer believes that an instruction infringes the GDPR or other applicable data protection provisions of the European Union or a Member State, the Data Importer is not obliged to follow the Disputed Instruction. If the Data Exporter confirms the Disputed Instruction upon receipt of the information from the Data Importer and acknowledges its responsibility for the Disputed Instruction, the Data Importer shall implement the Disputed Instruction, unless the Disputed Instruction relates to (a) the implementation of technical and organizational measures, (b) the rights of the data subjects or (c) the engagement of Data processors. In cases (a) to (c), the Data Importer may contact a competent supervisory authority to have the Disputed Instruction legally evaluated by that authority. If the supervisory authority declares the Disputed Instruction to be lawful, the Data Importer shall implement it. Part 1 Clause 3.1 (ii) remains applicable.

3.2 Obligations of the Data Importer

(i) The Data Importer must ensure that persons authorized by the Data Importer to process personal data on behalf of the Data Exporter, in particular employees of the Data Importer and employees of any Sub-Contractor, have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality, and that such persons who have access to personal data process it in accordance with the Data Exporter's instructions.

(ii) The Data Importer must implement the technical and organizational security measures set out in Appendix 2 to Part 2 before processing personal data on behalf of the Data Exporter. The Data Importer may change the technical and organizational security measures from time to time, provided that they do not provide less protection than those set out in Appendix 2 to Part 2.

(iii) The Data Importer shall make available to the Data Exporter, upon request, information demonstrating compliance with the Data Importer's obligations under this Appendix. The Parties agree that this information obligation is met by providing the Data Exporter with an audit report (covering the principles of security, system availability, and confidentiality) ("Audit Report"). If additional audit activities are legally required, the Data Exporter may request that inspections be carried out by the Data Exporter or by another auditor appointed by the Data Exporter, subject to the execution by such auditor of a confidentiality agreement with the Data Importer to the Data Importer's reasonable satisfaction ("Audit"). This Audit is subject to the following conditions: (a) the prior formal written acceptance of the Data Importer; and (b) the Data Exporter shall bear all costs relating to the On-Site Audit for both the Data Exporter and the Data Importer. The Data Exporter must create an audit report summarizing the results and observations of the On-Site Audit ("On-Site Audit Report"). The On-Site Audit Reports and the Audit Reports are confidential information of the Data Importer and must not be disclosed to third parties unless required by applicable data protection law or with the consent of the Data Importer.

(iv) The Data Importer has an obligation to notify the Data Exporter without undue delay:

a. of any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as by a prohibition under criminal law to protect the confidentiality of a law enforcement investigation;

b. of any complaint or request received directly from a data subject (e.g. regarding access, rectification, deletion, restriction of processing, data portability, objection to data processing, automated decision making), without responding to that request unless the Data Importer has been authorized to do so;

c. if the Data Importer or a Data processor is obligated, under the law of the European Union or of the Member State to which the Data Importer or Data processor is subject, to process the personal data beyond the Data Exporter's instructions, before carrying out such processing beyond the instructions, unless the law of the European Union or of the Member State prohibits such processing on vital public interest grounds, in which case the notification to the Data Exporter shall specify the legal requirement under that law of the European Union or of the Member State; or

d. if the Data Importer becomes aware of a personal data breach attributable solely to itself or its sub-contractor which affects the Data Exporter's personal data covered by this contract, in which case the Data Importer will assist the Data Exporter in its obligation under applicable data protection law to inform the data subjects and, where applicable, the supervisory authorities, by providing the information at its disposal in accordance with Article 33 (3) of the GDPR.

(v) At the request of the Data Exporter, the Data Importer shall be obliged to assist the Data Exporter in its obligation to carry out a data protection impact assessment that may be required by Article 35 of the GDPR and a prior consultation that may be required by Article 36 of the GDPR concerning the services provided by the Data Importer to the Data Exporter under this Appendix, by providing the necessary information to the Data Exporter. The Data Importer will only be obliged to provide such assistance if the Data Exporter cannot fulfill its obligation by other means. The Data Importer will advise the Data Exporter of the cost of such assistance. As soon as the Data Exporter has confirmed that it will bear this cost, the Data Importer will provide this assistance.

(vi) At the end of the provision of the services, the Data Exporter may request the return of the personal data processed by the Data Importer under this Appendix within one month after the end of the services. Unless the legislation of the Member State or of the European Union requires the Data Importer to store or retain such personal data, the Data Importer will delete all such personal or non-personal data after the one-month period, whether or not they have been returned to the Data Exporter at its request.

3.3 Rights of data subjects

(i) The Data Exporter manages and responds to requests made by data subjects. The Data Importer is not obliged to respond directly to the data subjects.

(ii) If the Data Exporter requires the Data Importer's assistance in processing and responding to data subjects' requests, the Data Exporter shall issue a further instruction in accordance with Clause 3.1 (ii) of Part 1. The Data Importer will assist the Data Exporter with the following appropriate technical and organizational measures in responding to requests for the exercise of the rights of data subjects set out in Chapter III of the GDPR:

a. Regarding requests for information, the Data Importer will only provide the Data Exporter with the information required by Articles 13 and 14 of the GDPR that it may have at its disposal, if the Data Exporter cannot find it on its own.

b. Regarding requests for access (Article 15 of the GDPR), the Data Importer will only provide the Data Exporter with the information that is to be provided to a data subject in response to such a request for access, which it may have at its disposal, if the Data Exporter cannot find it on its own.

c. Regarding requests for rectification (Article 16 of the GDPR), requests for erasure (Article 17 of the GDPR), requests for restriction of processing (Article 18 of the GDPR), or requests for portability (Article 20 of the GDPR), and only if the Data Exporter cannot itself rectify, erase, restrict or transmit the personal data to another third party, the Data Importer will offer the Data Exporter the possibility to rectify, erase, restrict, or transmit the personal data concerned to the other third party, or, if this is not possible, it will provide assistance in rectifying, erasing, restricting, or transmitting the personal data concerned to the other third party.

d. Regarding the notification obligation relating to rectification, erasure, or restriction of processing (Article 19 of the GDPR), the Data Importer will assist the Data Exporter by notifying all recipients of personal data engaged by the Data Importer as processors, if the Data Exporter so requests and cannot remedy the situation on its own.

e. Regarding the right to object exercised by a data subject (Articles 21 and 22 of the GDPR), the Data Exporter will determine whether the objection is legitimate and how to deal with it.

(iii) The Data Importer's assistance obligations are limited to personal data processed within its infrastructure (e.g. databases, systems, applications owned or provided by the Data Importer).

(iv) The Data Exporter shall determine whether a data subject may exercise the rights of data subjects set out in Clause 3.1 of this Part 1 and shall advise the Data Importer of the extent to which the assistance specified in Clauses 3.3 (ii) and (iii) of Part 1 is necessary.

(v) If the Data Exporter requests additional or modified technical and organizational measures to meet the rights of data subjects which go beyond the assistance provided by the Data Importer under Clauses 3.3 (ii) and (iii) of Part 1, the Data Importer shall inform the Data Exporter of the costs of implementing such additional or modified technical and organizational measures. As soon as the Data Exporter has confirmed that it will meet these costs, the Data Importer shall implement such additional or modified technical and organizational measures to assist the Data Exporter in responding to the data subjects' requests.

(vi) Without limiting the scope of Clause 3.3 (v) of Part 1, the Data Exporter shall be obliged to reimburse the Data Importer for its reasonable expenses incurred in responding to the data subjects' requests.

3.4 Sub-processing

(i) The Data Exporter authorizes the Data Importer's use of sub-contractors for the provision of services under this Appendix. The Data Importer shall select such Data processor(s) carefully. The Data Exporter approves the Data processor(s) listed in Appendix 1.1 at the end of Part 2.

(ii) The Data Importer shall pass on its obligations under this Appendix to the Data processor(s) to the extent applicable to the subcontracted services.

(iii) The Data Importer may dismiss, replace, or appoint another appropriate and reliable Data processor(s) at its discretion. If so requested in writing by the Data Exporter, the Data Importer must follow the procedure set out below:

a. The Data Importer shall inform the Data Exporter before any change to the list of Data processors referenced under Clause 3.4 (i) of Part 1. If the Data Exporter does not object under Clause 3.4 (b) of Part 1 within thirty days of receiving the Data Importer's notification, the additional Data processors shall be deemed accepted.

b. If the Data Exporter has a legitimate reason to object to an additional Data processor, it will give prior written notice to the Data Importer within thirty days of receipt of the Data Importer's notification and before the Data Importer's service is put into operation. If the Data Exporter objects to the use of an additional Data processor, the Data Importer may resolve the objection by one of the following options (chosen at its discretion): (A) the Data Importer will cancel its plans to use the additional processor regarding the Data Exporter's personal data; (B) the Data Importer will take the corrective measures requested by the Data Exporter in its objection (thereby resolving the objection) and use the additional processor regarding the Data Exporter's personal data; (C) the Data Importer may cease to provide, or the Data Exporter may agree not to use (temporarily or permanently), the particular aspect of the service which would involve the use of the additional processor regarding the Data Exporter's personal data.

(iv) If the Data processor is based outside the EU/EEA in a country that is not recognized as offering an adequate level of data protection by a decision of the European Commission, the Data Importer will take measures to ensure an adequate level of data protection in accordance with the GDPR (such measures may include, among others, the use of data processing contracts based on the EU Model Clauses, transfer to Data processors self-certified under the EU-US Privacy Shield, or a similar program).

3.5 Expiry

This Appendix expires on the same date as the corresponding Contract. Except as otherwise provided in this Appendix, the rights and duties relating to termination shall be the same as those contained in the Contract.

4. Limitation of Liability

4.1 Each Party is responsible for its obligations under this Appendix and the applicable data protection legislation.

4.2 Any liability relating to a breach of the obligations under this Appendix or applicable data protection legislation shall be subject to and governed by the liability provisions set out in, or applicable to, the Contract, except as otherwise provided in this Appendix. Where liability is governed by the liability provisions set out in or applicable to the Contract, any liability arising under this Appendix shall be deemed to arise under the Contract for the purpose of calculating liability limits or determining the application of other limitations of liability.

5. General provisions

5.1 If there are any inconsistencies or discrepancies between Parts 1 and 2 of this Appendix, Part 2 shall prevail. However, even in such a case, provisions of Part 1 that merely go beyond Part 2 (i.e. the terms of the Standard Contractual Clauses) without contradicting it shall remain valid.

5.2 If any discrepancy arises between the provisions of this Appendix and those of other contracts binding the Parties, this Appendix shall prevail regarding the Parties' data protection obligations. In case of doubt as to whether clauses in other contracts concern the Parties' data protection obligations, this Appendix shall prevail.

5.3 If any provision of this Appendix is invalid or unenforceable, the remainder of this Appendix shall remain in full force and effect. The invalid or unenforceable provision will be (i) amended to ensure its validity and enforceability, while preserving as far as possible the intention of the Parties, or, if this is not possible, (ii) interpreted as if the invalid or unenforceable part had never been part of the contract. The foregoing shall also apply if there is an omission in this Appendix.

5.5 To the extent necessary, the Parties may request amendments to Part 1, Clause 3 (Compliance with local law) or other parts of the Appendix in order to comply with interpretations, directives, or orders issued by the competent authorities of the Union or the Member States, national implementing provisions, or any other legal developments concerning the GDPR or other conditions for the delegation of data processing to any entity, and specifically regarding the use of the Standard Contractual Clauses under the GDPR. The terms of the Standard Contractual Clauses may not be modified or replaced unless the European Commission expressly approves it (e.g. by new adequate clauses and data protection standards).

5.6 Any reference in this Appendix to the "Clauses" shall be understood to refer to all the provisions of this Appendix unless otherwise stated.

5.7 The choice of law in Part 2, Clause 9 applies to the entire Contract.

6. Personal data transmitted and processed by the Parties for their own purposes (controller-to-controller transfer)

6.1 The Parties acknowledge that certain personal data will be transferred from the Data Exporter to the Data Importer and vice versa, and that such data is processed by each Party for its own purposes. The other provisions of this Appendix (except for this Clause 6) do not apply to such personal data.

6.2 The Data Exporter may transfer to the Data Importer personal data relating to the staff of the Data Importer, including information on security incidents, or any other documents or files created or established by the Data Exporter in connection with the Services provided by the staff of the Data Importer. The Data Importer may process such personal data for its own purposes, in particular in its professional relations with its personnel, for quality control and training, or for business purposes.

6.3 The Data Importer may transfer personal data to the Data Exporter, including the name and contact details of the Data Importer's personnel. The Data Exporter may process such personal data for its own purposes.

6.4 Both Parties shall comply with any applicable data protection laws, including the GDPR, in collecting, processing, and using such personal data received from the other Party under clause 1 of Part 1. In particular, both Parties shall take adequate security measures, providing a level of protection similar to the security measures set out in Appendix 2 of Part 2. Access to such personal data shall be limited on a need-to-know basis.

6.5 Both Parties must delete such personal data as soon as possible after the purposes have been achieved.

Part 2

COMMISSION DECISION

of 5 February 2010

on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council

Clause 1

Definitions

Within the meaning of the Clauses:

a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);

b) the 'Data Exporter' is the Data controller transferring the personal data;

c) the 'Data Importer' is the Data processor who agrees to receive from the Data Exporter personal data intended to be processed on behalf of the Data Exporter after the transfer in accordance with its instructions and under the terms of these Clauses, and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

d) 'Data processor' means the Data processor engaged by the Data Importer or by any other Data processor of the Data Importer who agrees to receive from the Data Importer or any other Data processor of the Data Importer personal data exclusively for processing activities to be carried out on behalf of the Data Exporter after the transfer, in accordance with the instructions of the Data Exporter, under the conditions set out in these Clauses and under the terms of the written subcontract for data processing;

e) 'applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals, including the right to privacy regarding the processing of personal data, applying to a controller in the Member State where the Data Exporter is established;

f) 'technical and organizational security measures' means measures intended to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over networks, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer, including, where appropriate, special categories of personal data, are specified in Appendix 1, which forms an integral part of these clauses.

Clause 3

Third-party beneficiary clause

1. The data subject may enforce against the Data Exporter this Clause, Clause 4 (b) to (i), Clause 5 (a) to (e) and (g) to (j), Clause 6 (1) and (2), Clause 7, Clause 8 (2) and Clauses 9 to 12 as a third-party beneficiary.

2. The data subject may enforce this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12 against the Data Importer where the Data Exporter has factually disappeared or has ceased to exist in law, unless all of its legal obligations have been transferred, by contract or by operation of law, to a successor entity, to which the rights and obligations of the Data Exporter therefore pass, and against which the data subject can therefore enforce the said clauses.

3. The data subject may enforce this Clause, Clause 5 (a) to (e) and (g), Clause 6, Clause 7, Clause 8 (2) and Clauses 9 to 12 against the Data processor, but only in cases where the Data Exporter and the Data Importer have factually disappeared, ceased to exist in law or have become insolvent, unless all the legal obligations of the Data Exporter have been transferred, by contract or by operation of law, to a legal successor, to whom the rights and obligations of the Data Exporter therefore pass, and against whom the data subject may therefore enforce such clauses. Such liability of the Data processor shall be limited to its own processing activities under these Clauses.

4. The Parties do not object to the data subject being represented by an association or other body if he or she so wishes and if national law so allows.

Clause 4

Obligations of the Data Exporter

The Data Exporter accepts and guarantees the following:

a) the processing, including the transfer itself of the personal data, has been and will continue to be carried out in accordance with the relevant provisions of applicable data protection law (and, where applicable, has been notified to the competent authorities of the Member State in which the Data Exporter is established) and does not infringe the relevant provisions of that State;

b) it has instructed, and will instruct for the duration of the personal data processing services, the Data Importer to process the personal data transferred solely on behalf of the Data Exporter and in accordance with applicable data protection law and these Clauses;

c) the Data Importer will provide sufficient safeguards regarding the technical and organizational security measures specified in Appendix 2 to this contract;

d) after evaluation of the requirements of the applicable data protection law, the security measures are adequate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of implementation;

e) it will ensure compliance with the security measures;

f) if the transfer relates to special categories of data, the data subject has been informed or will be informed before the transfer, or as soon as possible after the transfer, that his or her data may be transferred to a third country that does not offer an adequate level of protection within the meaning of Directive 95/46/EC;

g) it will forward any notification received from the Data Importer or any Data processor under Clauses 5 (b) and 8 (3) to the data protection supervisory authority if it decides to continue the transfer or to lift its suspension;

h) it shall make available to data subjects, upon request, a copy of these Clauses, except for Appendix 2, a summary description of the security measures, and a copy of any further subcontracting agreement concluded under these Clauses, unless the Clauses or the agreement contain commercial information, in which case it may remove such information;

i) in case of sub-contracting of the data processing, the processing activity is carried out in accordance with Clause 11 by a Data processor providing at least the same level of protection of personal data and data subjects' rights as the Data Importer under these Clauses; and

j) it will ensure compliance with Clause 4 (a) to (i).

Clause 5

Obligations of the Data Importer

The Data Importer accepts and guarantees the following:

a) it will process the personal data only on behalf of the Data Exporter, in accordance with the Data Exporter's instructions and these Clauses; if it cannot comply for any reason, it agrees to inform the Data Exporter of its inability as soon as possible, in which case the Data Exporter may suspend the data transfer and/or terminate the contract;

b) it has no reason to believe that the law applicable to it prevents it from fulfilling the instructions given by the Data Exporter and the obligations incumbent upon it under the contract; if such law is subject to a change which could have a material adverse effect on the warranties and obligations under the Clauses, it shall notify the Data Exporter of the change without delay after becoming aware of it, in which case the Data Exporter may suspend the data transfer and/or terminate the contract;

c) it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

d) it will notify the Data Exporter without delay of:

i) any legally binding request for disclosure of personal data from a law enforcement authority, unless otherwise prohibited, for example by a criminal-law prohibition aimed at preserving the secrecy of a police investigation;

ii) any accidental or unauthorized access; and

iii) any request received directly from the data subjects, without replying to it unless it has been otherwise authorized to do so;

e) it will deal promptly and properly with all inquiries from the Data Exporter concerning its processing of the personal data transferred and will abide by the advice of the supervisory authority regarding the processing of the data transferred;

f) at the request of the Data Exporter, it will submit its data processing facilities to an audit of the processing activities covered by these Clauses, carried out by the Data Exporter or by an inspection body composed of independent members with the requisite professional qualifications, bound by an obligation of secrecy and chosen by the Data Exporter, where appropriate in agreement with the supervisory authority;

g) it will make available to the data subject, on request, a copy of these Clauses or of any existing contract for sub-contracting of the data processing, unless the Clauses or the contract contain commercial information, in which case it may remove such information; Appendix 2 is excepted and will be replaced by a summary description of the security measures in cases where the data subject cannot obtain a copy from the Data Exporter;

h) in the case of confidential further sub-contracting of the data processing, it will ensure that it informs the Data Exporter in advance and obtains the Data Exporter's written consent;

i) the processing services provided by the Data processor shall comply with Clause 11;

j) it will promptly send the Data Exporter a copy of any agreement for sub-contracting of the data processing that it enters into under these Clauses.

Clause 6

Responsibility

1. The parties agree that any data subject who has suffered damage because of a breach of the obligations referred to in Clause 3 or Clause 11 by one party or by a Data processor may obtain compensation from the Data Exporter for the damage suffered.

2. If a data subject is prevented from bringing an action for damages as referred to in paragraph 1 against the Data Exporter for failure by the Data Importer or its Data processor to comply with any of its obligations under Clause 3 or Clause 11 because the Data Exporter has physically disappeared, ceased to exist in law or has become insolvent, the Data Importer agrees that the data subject may lodge a complaint against it as if it were the Data Exporter unless all legal obligations of the Data Exporter have been transferred, by contract or by operation of law, to its successor entity, against which the data subject may then enforce his rights. The Data Importer may not rely on a breach of its obligations by a Data processor to avoid its own liability.

3. If a data subject is prevented from bringing the action referred to in paragraphs 1 and 2 against the Data Exporter or the Data Importer for breach by the Data processor of its obligations under Clause 3 or Clause 11 because the Data Exporter and the Data Importer have physically disappeared, ceased to exist in law or have become insolvent, the Data processor agrees that the data subject may lodge a complaint against it regarding its own processing activities in accordance with these clauses as if it were the Data Exporter or Data Importer unless all legal obligations of the Data Exporter or Data Importer have been transferred, by contract or by operation of law, to the legal successor, against whom the data subject may then assert his rights. The liability of the Data processor must be limited to its own processing activities in accordance with these clauses.

 

Clause 7

Mediation and jurisdiction

1. The Data Importer agrees that if, under these Clauses, the data subject invokes third-party beneficiary rights against it and/or claims compensation for damage suffered, it will accept the decision of the data subject:

a) to submit the dispute to mediation by an independent person or, where appropriate, the supervisory authority;

b) to bring the dispute before the courts of the Member State where the Data Exporter is based.

2. The parties agree that the choice made by the data subject shall not affect the procedural or substantive right of the data subject to obtain redress in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The Data Exporter agrees to deposit a copy of the present contract with the supervisory authority if the latter so requires or if such deposit is provided for by the applicable data protection law.

2. The parties agree that the supervisory authority may carry out checks at the Data Importer and any Data processor to the same extent and under the same conditions as with checks carried out at the Data Exporter in accordance with applicable data protection law.

3. The Data Importer shall inform the Data Exporter as soon as possible of the existence of legislation concerning the Data Importer or any Data processor which prevents verification at the Data Importer or any Data processor in accordance with paragraph 2. In such a case, the Data Exporter may take the measures provided for in Clause 5 (b).

Clause 9

Applicable law

The clauses apply and are governed by the law of the Member State where the Data Exporter is based.

Clause 10

Modification of the contract

The parties undertake not to modify the present clauses. The parties remain free to include other commercial clauses that they deem necessary, provided that they do not contradict the present clauses.

Clause 11

Subsequent subcontracting

1. The Data Importer shall not subcontract any of its processing activities carried out on behalf of the Data Exporter under these Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under these Clauses with the consent of the Data Exporter, it shall do so only through a written agreement with the Data processor imposing on the Data processor the same obligations as those imposed on the Data Importer under these Clauses. If the Data processor fails to comply with its data protection obligations under that written agreement, the Data Importer shall remain fully responsible to the Data Exporter for the fulfillment of those obligations.

2. The prior written agreement between the Data Importer and the Data processor shall also include a third-party beneficiary clause as set out in Clause 3 for cases where the data subject is prevented from bringing the claim for damages referred to in Clause 6 (1), against the Data Exporter or Data Importer because the Data Exporter or Data Importer has physically disappeared, ceased to exist in law or has become insolvent and all legal obligations of the Data Exporter or Data Importer have not been transferred, by contract or by operation of law, to another successor entity. Liability of the Data processor must be limited to its own processing activities in accordance with these clauses.

3. The provisions relating to the data protection aspects of the contract for sub-contracting of the data processing referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.

4. The Data Exporter shall keep a list of the agreements for sub-contracting of the data processing concluded under these Clauses and notified by the Data Importer in accordance with Clause 5 (j), which shall be updated at least once a year. This list shall be made available to the Data Exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that, upon completion of the data processing services, the Data Importer and the Data processor will, at the choice of the Data Exporter, either return all personal data transferred and all copies thereof to the Data Exporter, or destroy all such data and provide proof of the destruction to the Data Exporter, unless legislation imposed on the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer guarantees that it will ensure the confidentiality of the personal data transferred and that it will no longer actively process the data.

2. The Data Importer and the Data processor shall ensure that, if so requested by the Data Exporter and/or the supervisory authority, they will subject their means of data processing to verification of the measures referred to in paragraph 1.

Appendix 1.1 to Part 2

Details of the transfer


Data Exporter

The Data Exporter is the Customer defined in the Contractual agreement.

 

Data Importer

The Data Importer is POSTCODEZIP, which is engaged to process the data in providing services to the Data Exporter.

 

Subjects of the data

The personal data transferred concern the following categories of data subjects:

  • telephone subscribers listed in the universal directory
  • Others, including:

 

Categories of data

The personal data transferred concern the following categories of data:

 

Categories of personal data of the Data Exporter's data subjects, in particular:

  • Full name
  • Postal address
  • Contact details (e-mail, telephone, IP address, etc.)
  • Details of marketing activities concerning the telephone subscriber
  • Others, including the type of housing, income, and average ages by city, processed in anonymized form

 

Special categories of data (if applicable)

The personal data transferred concern the following special categories of data:

The transfer of special categories of data is not foreseen.

  • Race or ethnic origin
  • Religious or philosophical beliefs
  • Trade union membership
  • Political views
  • Genetic information
  • Biometric information
  • Information on sexual orientation or sexual life
  • Health data

 

Processing activities

The personal data transferred will be subject to the following basic processing activities:

Purpose of the processing

The processing undertaken on behalf of the Data Exporter relates to the following purposes, in particular:

  • Handling of the products or services offered by the Data Exporter
  • The offer of a product or service that the called person may request
  • Orders taken from the persons called and the further processing of these orders
  • Survey questionnaires and analyses
  • Telemarketing
  • Others, including:

 

Nature and purpose of the processing

The Data Importer processes the personal data of the data subjects on behalf of the Data Exporter in order to provide the following services, most notably:

  • Automatic form completion
  • Address validation form
  • Sales and Marketing
  • Others, including updating databases of town halls and political parties

 

Provision of services and employment of service providers

POSTCODEZIP mainly combines, centralizes, and provides services to the Data Exporter. The services provided by the named service provider may be structured (among others, as appropriate) around the following ancillary services: (i) provision of applications, tools, systems, and IT infrastructure in relation to the data processing centers used, in order to provide and support the services, including the processing of the personal data of the data subjects as described above, via such applications, tools, and systems; (ii) the provision of IT support, maintenance, and other services relating to such applications, tools, systems, and IT infrastructure, including potential access to personal data stored in such applications, tools, and systems; and (iii) the provision of data protection services, protection monitoring, and incident response services, including potential access to personal data when providing such protection services. POSTCODEZIP may engage Data processors as set out below to provide the services, including the ancillary services.

 

External third-party service providers as sub-entities assigned to data processing

POSTCODEZIP engages external and third-party service providers, which are not subsidiaries of POSTCODEZIP, to support the provision of services to the Data Exporter. The Data Exporter approves such external third-party service providers as sub-entities assigned to data processing.

 

If a sub-entity involved in data processing is located outside the EU/EEA, in a country deemed not to have an adequate level of data protection under a decision of the European Commission, the Data Importer will take steps to obtain an adequate level of data protection in accordance with the GDPR and section 3.4 (iv) of Part 1.


Appendix 2, Part 2

Technical and organizational protective measures

 

The Data Importer shall take the following technical and organizational protection measures, confirmed by the Data Exporter, in order to guarantee a level of security appropriate to the risks to the rights and freedoms of individuals. In assessing the level of protection required, the Data Exporter has considered, in particular, the risks involved in the processing, including accidental or unlawful destruction, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. For clarity: these technical and organizational protection measures do not apply to the applications, tools, systems, and/or IT infrastructure provided by the Data Exporter.

1 General technical and organizational protection measures

1.1 General information and data protection strategies

The following steps should be taken to follow general data and information protection strategies:

  • a) take measures to evaluate the technical and organizational protection measures adopted;
  • b) provide training to raise awareness among employees;
  • c) maintain a description of the systems concerned and of the access granted to employees;
  • d) establish a formal documentation process whenever systems are implemented or modified;
  • e) document the organizational structure, processes, responsibilities, and the respective evaluations.

1.2 Organization of information protection

The following measures should be taken in order to coordinate data and information protection activities:

  • a) define responsibilities for the protection of information and data (e.g. through the data protection management policy);
  • b) ensure that the necessary expertise on protecting information and data remains available;
  • c) ensure that all employees are committed to keeping personal data confidential and have been informed of the potential consequences of breaching this commitment.

1.3 Access control to processing areas

The following measures must be taken to prevent unauthorized persons from gaining access to data processing systems (in particular software and hardware) when personal data are processed, stored, or transmitted:

  • a) establish secure areas;
  • b) protect and restrict access to data processing systems;
  • c) establish access authorizations for employees and third parties, including the respective documents;
  • d) any access to data processing centers in which personal data are stored shall be logged.

1.4 Access control to data processing systems

The following measures must be taken in order to prevent unauthorized access to data processing systems:

  • a) user authentication policies and procedures;
  • b) the use of passwords on all computer systems;
  • c) remote access to the network requires multi-factor authentication and is granted to the person concerned according to their responsibilities and upon authorization;
  • d) access to specific functions is based on job functions and/or attributes individually assigned to a user's account;
  • e) access rights related to personal data are reviewed regularly;
  • f) records of changes to access rights are kept up to date.

1.5 Controlling access to particular areas of use of data processing systems

The following measures must be taken to ensure that authorized persons with the right to use the data processing system can only access data within their respective responsibilities and access authorizations and that personal data cannot be read, copied, modified, or deleted without authorization:

  • a) policies, instructions, and training of employees concerning the obligations of each of them regarding confidentiality, rights of access to personal data, and the scope of the processing of personal data;
  • b) disciplinary measures against persons accessing personal data without authorization;
  • c) access to personal data shall be granted only to authorized persons, on a need-to-know basis;
  • d) maintain a list of system administrators and take appropriate measures to monitor system administrators;
  • e) no copying or reproduction of personal data onto any storage medium that would allow unauthorized persons to remove the information from its originator;
  • f) controlled and documented deletion or destruction of data;
  • g) store securely all personal data that must be retained for legal or regulatory reasons (e.g. data retention obligations), and only for as long as required by law.

1.6 Transmissions control

The following measures must be taken in order to prevent personal data from being read, copied, modified, or deleted by unauthorized third parties during the transmission or transport of data storage devices (depending on the processing of personal data undertaken):

  • a) use of firewalls;
  • b) avoiding the storage of personal data on mobile storage devices for transport purposes, or encrypting such devices;
  • c) use of laptops and other mobile devices only after encryption protection has been activated;
  • d) logging of personal data transmissions.

1.7 Data entry control

The following measures must be taken to ensure that it is possible to verify and determine whether personal data have been entered into or deleted from data processing systems and by whom:

  • a) a policy for authorizing the reading, alteration, and deletion of stored data;
  • b) protection measures concerning the reading, alteration, and deletion of stored data.

1.8 Work control

In the case of delegated processing of personal data, the following measures must be taken to ensure that such data are processed in accordance with the instructions of the Supervisor:

  • a) entities or sub-entities assigned to data processing are chosen with care (service providers processing personal data on behalf of the controller);
  • b) instructions concerning the scope of any processing of personal data are given to the employees, entities, or sub-entities assigned to the data processing;
  • c) audit rights are agreed with the entities or sub-entities assigned to the data processing;
  • d) agreements are in place with the entities or sub-entities assigned to process the data.

1.9 Separation from processing for other purposes

The following measures must be taken to ensure that data collected for other purposes can be processed separately:

  • a) separate access to personal data in accordance with users' existing rights;
  • b) interfaces, batch processing, and reporting are specific to particular purposes and functions, so that data collected for other purposes can be processed separately.

1.10 Pseudonymization

The following measures must be taken regarding the pseudonymization of personal data:

  • a) if the Data Exporter orders a specific processing operation, or if the Data Importer considers it appropriate in accordance with the data protection laws in force for certain processing activities, the processing of personal data will be carried out in such a way that the data can no longer be attributed to a specific person without the use of additional information. This additional information will be kept separately;
  • b) use of pseudonymization techniques, including randomized allocation lists and the creation of values in the form of hashes.
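The two pseudonymization techniques named in section 1.10, as an added illustration that is not part of the appendix or of POSTCODEZIP's own code: a keyed hash (HMAC) and a randomized allocation list, where the key or the allocation table is the "additional information" that must be held separately from the pseudonymized dataset. The subscriber records, key, and field names are constructed for the example.

```python
"""Added example: pseudonymization of subscriber records as described in
section 1.10 of the appendix. Constructed sample data; not the project's code."""
import hashlib
import hmac
import secrets

# Constructed sample records (direct identifiers: full_name, phone).
SAMPLE_RECORDS = [
    {"full_name": "Alice Example", "phone": "+33 1 23 45 67 89",
     "postal_code": "75001", "city": "Paris"},
    {"full_name": "Bob Example", "phone": "+33 4 98 76 54 32",
     "postal_code": "13001", "city": "Marseille"},
    {"full_name": "Alice Example", "phone": "+33 1 23 45 67 89",
     "postal_code": "75001", "city": "Paris"},   # same subscriber, second row
]


def normalize(identifier: str) -> str:
    """Canonical form so the same subscriber always yields the same value."""
    return "".join(identifier.split()).lower()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized identifier.

    A plain unkeyed hash of a phone number is not a pseudonym in the sense
    of 1.10: the number space is small enough to enumerate. With the key
    stored separately, re-attribution requires that additional information.
    """
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


class AllocationList:
    """Randomized allocation list: identifier -> random token.

    The table itself is the additional information (1.10 a) and is stored
    apart from the pseudonymized records; without it a token is meaningless.
    """

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}
        self._reverse: dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        ident = normalize(identifier)
        if ident not in self._forward:
            token = secrets.token_hex(16)          # unpredictable, not derived
            self._forward[ident] = token
            self._reverse[token] = ident
        return self._forward[ident]

    def reidentify(self, token: str):
        """Only the holder of the allocation list can do this."""
        return self._reverse.get(token)


def pseudonymize_records(records, key: bytes, alloc: AllocationList):
    """Drop direct identifiers, keep the fields needed for processing."""
    return [
        {
            "subscriber_hmac": keyed_pseudonym(r["phone"], key),
            "subscriber_token": alloc.tokenize(r["phone"]),
            "postal_code": r["postal_code"],
            "city": r["city"],
        }
        for r in records
    ]


def leaks_direct_identifiers(pseudonymized, originals) -> bool:
    """Control check: no original name or phone may appear in the output."""
    blob = repr(pseudonymized).lower()
    for r in originals:
        if normalize(r["full_name"]) in normalize(blob) or normalize(r["phone"]) in normalize(blob):
            return True
    return False
```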

1.11 Encryption

The following steps should be taken to encrypt personal data in applications and transmissions that support encryption:

  • a) use of encryption techniques;
  • b) establishment of encryption key management to support the encryption techniques authorized for use;
  • c) supporting the use of cryptography through procedures and protocols for generating, modifying, revoking, destroying, distributing, certifying, storing, capturing, using, and archiving cryptographic keys, to protect against unauthorized modification and disclosure.

1.12 Completeness of data processing systems and services

The following measures must be taken in order to ensure the completeness of data processing systems and services:

  • a) protection of data processing systems against manipulation or destruction by appropriate means (e.g. anti-virus software, data loss prevention software and anti-malware software, software patches, firewalls, and managed desktop protection);
  • b) prohibit the installation of any service or software harmful to data processing systems, services, or the manipulation of personal data;
  • c) use of a network intrusion detection and prevention system in the structure of the network itself.

1.13 Availability of data processing systems and services and the possibility of restoring access to and use of personal data in the event of a material or technical incident

The following measures must be taken in order to ensure the availability of data processing systems, as well as to be able to quickly restore the availability of and access to personal data, in the event of a material or technical incident (in particular by ensuring that personal data are protected against accidental destruction or loss):

  • a) have means of control for keeping back-up copies and restoring lost or deleted data;
  • b) infrastructural redundancy and performance testing;
  • c) physical protection of computer resources;
  • d) use of tools to monitor the status and availability of the internal network;
  • e) incident reporting and response policies governing the incident management procedure, and reiteration of adherence to these policies as part of regular training;
  • f) backups (sometimes off-site) to restore the system to enable it to perform its functions again;
  • g) business continuity/disaster recovery plans.

1.14 Resilience of data processing systems and services

The following measures must be taken to ensure the resilience of data processing systems and services:

  • a) systems are configured consistently, using approved security parameters;
  • b) network redundancy;
  • c) isolation and containment protection of critical systems.

1.15 Procedure for regularly testing, evaluating, and assessing the effectiveness of technical and organizational measures to ensure the security of data processing

The following measures must be taken to regularly test, evaluate, and assess the effectiveness of the technical and organizational measures protecting data processing:

  • a) take the necessary steps to assess risks and mitigation strategies;
  • b) service analysis meetings of the IT department to address current issues;
  • c) business continuity/disaster recovery plans are regularly updated.

 

Part 3

Signatures of the parties and list of Data Importers

 

When you fill in the online order form and validate it by ticking the box accepting the general terms and conditions of use, the contract governing the relationship between the Customer and POSTCODEZIP is established.

Sending the payment to POSTCODEZIP will consider the contract agreed to and established.

Note: this text has been translated from French. The original French version, which is the authoritative and legally binding version, is available here.