Data Processing Agreement
Effective date: _______
(1) You (the “Controller” or “you”); and
(2) MakeStoryboard UG (tax number 143/159/11711), address: Heinrich-Lübke-str. 16, 81737 München, Germany, telephone: +49 1516 84 16167, e-mail: firstname.lastname@example.org
(A) This Agreement is to ensure that proper arrangements are in place relating to personal data passed from you to the Processor.
(B) This Agreement is compliant with the requirements of the General Data Protection Regulation.
(C) The parties wish to record their commitments under this Agreement.
IT IS AGREED AS FOLLOWS:
- Undertakings of the Processor
- The Processor agrees to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:
- the Processor shall only process the Data (i) on your written instructions and (ii) for completing obligations related to the Service;
- ensure that all employees and other representatives accessing the Data (i) are aware of the terms of this Agreement, (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality;
- the Processor has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- the Processor shall not involve any third party in the processing of the Data without your consent. Such consent may be withheld without reason. If consent is given, a further processing agreement will be required;
- respond to requests from individuals exercising their rights of erasure, rectification, access, restriction, portability and objection, and their right not to be subject to automated decision-making;
- the Processor shall ensure compliance with the obligations pursuant to security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national regulator, taking into account the nature of processing and the information available to the Processor;
- at your choice, safely delete or return the Data at any time. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless there is a legal requirement to retain the Data. Where there is such a legal requirement, the Processor will, prior to entering into this Agreement, confirm that obligation in writing to you. Upon your request the Processor shall provide certification of destruction of all Data;
- make immediately available to you all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required from time to time;
- ensure that arrangements are in place relating to the secure transfer of the Data from you to the Processor and the safe keeping of the Data by the Processor;
- maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;
- immediately contact you if there is any personal data breach or incident where the Data may have been compromised.
- Scope of Processing
- The Processor may not transfer Data to a third country or to an international organization outside the EU/EEA (together "Third countries"), unless the Controller has specifically requested or approved such a transfer. Such approval shall be requested and provided in writing separately for every entity and/or transmission recipient.
- All Data and any copies of it shall remain the property of the Controller. The Processor will not grant access to Data to third parties without direct authorization of the Controller.
- The Processor shall only process Data in accordance with the terms of this Agreement.
- The Processor shall process Data for the limited purpose of performing the obligations set out under the Agreement.
- Data processing by the Processor shall include such actions as may be specified in the Agreement.
- The Agreement enables the Controller to use the Service developed by the Processor. The Service enables the Controller to upload information without the Processor’s participation or knowledge.
- The Processor undertakes no responsibility for data uploaded by the Controller in the Service.
- To the extent that such upload of data constitutes processing of personal data, the Controller warrants:
- that the Controller has the relevant legal basis for having and processing the personal data, including, if applicable, the relevant permissions from the data subject; and
- that, if the transfer involves sensitive categories of data, the data subject has been informed or will be informed before the transfer, or as soon as possible after, that its data could be transmitted to a third country not providing adequate protection within the meaning of the Data Protection Legislation.
- The Processor ensures that Personal Data is processed within EU/EEA and not transferred to a third country or international organization if the Controller does not consent in writing to such transfer.
- The Data Processor shall:
- maintain an up-to-date list of its Subprocessors on the Processor’s website;
- update that list with details of any change in Subprocessors at least 10 days prior to any such change (except to the extent that 10 days’ notice is not possible due to an emergency) and notify the Controller of such change via the Processor’s usual e-mail notification process;
- provide a copy upon request of the data processing agreement(s) between the Processor and the Subprocessors at any given time to the Processor.
- The Processor is authorized to replace Subprocessors. The Processor will notify you of any intended replacement of any Subprocessor and you are entitled to object to such changes within 10 days of receiving notification.
- In the case of a justified objection, the Parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and the Processor decides to proceed with such Subprocessor, the Controller can terminate the Agreement. Neither of the Parties shall be considered in breach of contract in the event of such termination.
- Technical and organizational security measures
- The Processor will implement and maintain throughout the term of the Agreement, and will procure its Subprocessors to implement and maintain throughout the term of the Agreement, the appropriate technical and organizational security measures to protect personal data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Legislation.
- The Processor will ensure that it and its Subprocessors involved in the processing of Data at all times comply with the minimum data security requirements set out herein.
- The Processor shall take reasonable measures:
- to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to personal data;
- to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels;
- to provide that personal data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the personal data to which they have privilege of access; and, that personal data cannot be read, copied, modified or removed without authorization in the course of processing;
- to implement an access policy under which access to its system environment, to personal data and to other data is granted to authorized personnel only;
- to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport;
- to provide that it is possible to check and establish whether and by whom personal data has been entered into data processing systems, modified or removed.
- The Processor will procure that any personnel of the Processor required to access personal data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.
- The Processor will procure that all personnel of the Processor required to access personal data are informed of the confidential nature of the personal data and the security procedures applicable to the processing of or access to the personal data.
- The undertaking of the Processor’s personnel to abide by such confidentiality requirements will continue after the end of the term of this Agreement.
- Assistance to the Controller
- The Processor shall provide reasonable and timely assistance to the Controller to enable the Controller to respond to:
- any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to the Processor, the Processor shall promptly inform the Controller providing full details of the same.
- The Processor shall provide the Controller with reasonable cooperation to enable the Controller to conduct any data protection impact assessment that it is required to undertake under Applicable Data Protection Law.
- Obligations of the Controller
- Any transfer of personal data to third countries or international organizations by the Processor shall only occur on the basis of documented instructions from the Controller and shall always take place in compliance with Chapter V GDPR.
- If any Controller’s Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and the Controller has informed the Processor of such data transfer restrictions or prohibitions, the Controller and the Processor shall ensure that an appropriate transfer mechanism (satisfying the country’s data transfer requirement(s)) is in place, as reasonably requested by the Controller and mutually agreed upon by both Parties, before transferring or accessing Controller’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not pertain to the Controller’s or its Affiliates’ authorized users who have access to the Service and the Controller’s Data, and the Processor shall not be held responsible for actions of the Controller’s or its Affiliates’ authorized users. Neither the Controller nor its authorized users shall be entitled to use the Service in any country with data localization laws that would require the Controller's environment to be hosted in said country.
- The Controller shall be responsible, among others, for ensuring that the processing of personal data, which the Processor is instructed to perform, has a legal basis.
- The Controller will inform the Processor in writing without undue delay following the Controller’s discovery of a failure to comply with Data Protection Legislation with respect to processing of personal data in accordance with this Agreement.
- The Controller shall be responsible for providing accurate and relevant contact details after entering into the Agreement and thereafter to assist in Processor’s notification obligations.
- Notification of data breach
- The Processor shall without undue delay, and no later than 36 hours, in writing, notify the Controller in case of any identified or potential breach of personal data processed under the Agreement.
- The notification must, to the extent possible:
- describe the nature of the personal data breach (e.g., loss, theft, copying), including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
- communicate the name and contact details of the person at the Processor from whom more information can be obtained,
- describe the likely consequences of the personal data breach, and
- describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Additional assignments
- The Processor shall carry all costs associated with compliance with this Agreement in its capacity as Data Processor.
- The Controller shall carry all costs associated with compliance with this Agreement in its capacity as Data Controller.
- In respect of tasks of the Processor that are not obligations under this Agreement, the Processor shall be entitled to charge the Data Controller for the additional resources, time and material necessary to fulfill the required task(s), unless such services are already included in the services rendered under the Agreement.
- The Processor will notify the Controller in advance of such additional charges and, to the extent possible, provide the Controller with a quote of the expected costs.
- If the Controller cannot agree to the costs, the Processor shall be entitled not to perform the additional assignment and to terminate the Agreement. The Processor shall not be considered in breach of contract in this event.
- Deletion and return of Data
- Following the termination of the Agreement, the Processor shall (at Controller’s election) destroy or return to the Controller all Data in its possession or control. The Controller reserves the right after 90 days to delete personal data from all locations when the Controller has not elected either option. This requirement shall not apply to the extent that the Processor is required by applicable law to retain some or all of the Data.
- Upon Controller’s request, the Processor shall certify in writing the destruction of the personal data.
- The term of this Agreement shall continue until the later of the following: the termination of the Agreement, or the date at which the Processor ceases to process personal data for the Controller.
- You may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without your written consent.
- Upon termination of this Agreement for whatsoever reason, the Processor shall return all Data in its possession to the Controller and shall thereafter delete any Data stored.
- This Agreement is subject to the law of Germany.
- Any claim or dispute arising from or in connection with the Data Processing Agreement must be settled by courts of Germany.
- Each party will notify the other party in writing of any dispute within 30 days of the date it arises, so that the parties can attempt in good faith to resolve the dispute informally. Notice to us shall be sent by email. Your notice must include (a) your name, postal address, email address and telephone number, (b) a description in reasonable detail of the nature or basis of the dispute, and (c) the specific relief that you are seeking. If you and we cannot agree how to resolve the dispute within 30 days after the date notice is received by the applicable party, then either you or we may, as appropriate and in accordance with this section, commence a court proceeding.
- The Agreement is provided in English, and its translations into other languages may contain inaccuracies, for which we do not bear any responsibility. We suggest using the English version; using other languages is at your own peril and risk. You also agree that all communications with us are conducted in English.
- You agree to receive communications from us electronically. Electronic notifications will be sent to your e-mail address that you used for registration purposes, as it can be subsequently changed by you in your account settings or by written notification. All communications in electronic form will be considered “in writing” and are considered to be received on the day of mailing. We reserve the right, but not the obligation to provide communication in paper format.