Annex to the Non-Disclosure Agreement

General Terms and Conditions for the processing of personal data by the Beneficiary – Contract of entrustment with the processing of personal data

In the performance of the contractual obligations between the Controller and the Processor, which are secured by the Non-Disclosure Agreement (hereinafter referred to as the “Contractual Obligations“), the Processor processes personal data on behalf of the Controller. Contractual Obligations include marketing, IT, community and services connected with them.

The Parties are interested that the processing of personal data within the meaning of the preceding paragraph is carried out in accordance with the relevant legislation on the protection of personal data, i.e. in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation“), Act No. 18/2018 Coll. on the Protection of Personal Data, as amended (hereinafter referred to as the “Act“), and the other data protection regulations (the Regulation, the Act and the other data protection regulations together hereinafter referred to as the “Data Protection Regulations“) and therefore hereby enter into the following contract of entrustment with the processing of personal data (hereinafter referred to as the “Contract“) in the following wording, in accordance with the Data Protection Regulations.

For the avoidance of any doubt, the Parties state that, when processing personal data under this Agreement and performing its contractual obligations, the Processor shall have the status of Processor under Article 4(8) of the Regulation and the Controller shall have the status of Controller under Article 4(7) of the Regulation, specifying the means and purposes of the processing carried out by the Processor on its behalf.

I. SUBJECT OF THE CONTRACT

  1. The subject matter of this Agreement is to regulate the terms and conditions of the processing of personal data by the Processor on behalf of the Controller in the performance of the Contractual Obligations. 
  2. The Controller authorizes the Processor to process personal data on behalf of the Controller, which occurs in the performance of the Contractual Obligations, subject to the following basic conditions and the other conditions set out in this Agreement:
    1. the subject matter and purpose of the processing of personal data – the Processor shall process the personal data of the data subjects in the performance of the Contractual Obligations solely for the purposes of the processing which are necessary for the performance of the Contractual Obligations (i.e. for the purposes which are necessarily related to the provision of advertising, marketing and related services), and which are specified in Annex 1 to this Agreement (hereinafter referred to as “Annex 1“); 
    2. processing period – the Processor is entitled to process personal data on behalf of the Controller for the duration of this Contract in accordance with Article 5 of this Contract. The termination of the authorization shall be without prejudice to the obligations of the Processor or Sub-Processor (if involved in the processing of personal data pursuant to Article 2 of this Agreement), which the Processor and/or Sub-Processor shall be obliged to perform after the termination of this Agreement. In the event that the specified retention period for a specific processing purpose as defined in Annex 1 of this Agreement expires during the term of this Agreement, the Processor shall delete the specified personal data, unless otherwise provided for by applicable law;
    3. type of personal data – ordinary personal data (processed in the performance of the Controller’s legal obligations or contractual obligations), in particular: first name, surname, job position, work telephone, private telephone, work e-mail address, private e-mail address, IP, social media profiles, job classification, employer, other personal data necessary for advertising and marketing purposes, the processing of which is necessary for the performance of the Contractual Obligations and the legal obligations of the Processor (advertising and marketing data provided by the Controller, including ordinary personal data of its clients and customers);
    4. categories of data subjects – employees of the Controller, its contractors, members of the statutory body of the Controller, natural persons – clients and customers of the Controller, natural persons as representatives of legal entities of the Controller’s clients and customers, natural persons as clients and customers of the Controller’s contractual partners;
    5. nature of processing of personal data – the Processor shall carry out the processing of personal data through automated and non-automated means of processing on the basis of the provided documents, which the Controller shall transmit to the Processor in electronic form or in another agreed or customary form.  
  3. The Parties are obliged to notify each other without undue delay, at the latest within 3 days, of any information that could affect a change in the facts referred to in point 2 of this Article of the Contract (i.e. facts relating to the purposes for which the Processor processes personal data pursuant to this Contract) and, in the event of a change in these facts, undertake to modify Annex 1 to this Contract, agreeing that a change to Annex 1 may be made without the need to conclude a separate amendment to this Contract. 
  4. The Parties are obliged to comply with the provisions of the Personal Data Protection Regulations in the performance of their obligations under this Agreement. 

II. SUB-PROCESSOR

  1. The Processor is entitled to involve another Processor in the processing of personal data on behalf of the Controller only with the prior written consent of the Controller (hereinafter referred to as the “Additional Processor“), unless otherwise provided below. 
  2. By concluding this Contract, the Controller grants the Processor consent to the involvement of Sub-Processors who, on the basis of the contractual relationship with the Processor as of the date of conclusion of this Contract, provide their services to the Processor as subcontractors and are specified in Annex 2 of this Contract. 
  3. If the Processor wishes to involve a new Sub-Processor in the processing of personal data under this Agreement during its term or if it wishes to change the Sub-Processor already involved, it shall inform the Controller thereof in advance. If the Controller does not comment within 5 working days from the date of notification of the Processor’s intention to involve a Sub-Processor in the processing of personal data under this Agreement or to change an already involved Sub-Processor, the Controller shall be deemed not to have objected to the involvement of the additional Sub-Processor and to have given its consent to its involvement in the processing under this Agreement. 
  4. When involving a Sub-Processor in the processing of personal data pursuant to this Article of the Contract or when changing other Sub-Processors pursuant to the preceding paragraph of this Article of the Contract, the Processor is obliged to comply with the following conditions:
    1. The Processor shall impose on the Sub-Processor, by means of a contract, the same obligations regarding the protection of personal data as those laid down in this Agreement, in particular the provision of sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing complies with the requirements of this Agreement and the Data Protection Regulations, 
    2. the involvement of a Sub-Processor does not relieve the Processor in any respect of its obligations under this Agreement and the Privacy Regulations, 
    3. if the Sub-Processor fails to comply with its data protection obligations, the Processor remains liable to the Controller for the performance of the Sub-Processor’s obligations to process personal data on behalf of the Controller under this Agreement. 

III. OBLIGATIONS OF THE PARTIES 

  1. The Processor shall only process personal data on the basis of documented instructions given by the Controller in writing or electronically, if they are in accordance with the Personal Data Protection Regulations (hereinafter referred to as “the instructions“) and this Agreement.  The Controller shall be entitled to amend or revoke the instructions given. A modification or revocation of the Instructions pursuant to the preceding sentence shall take effect against the Processor upon the expiration of 5 days after receipt of notice of such modification or revocation of the Instructions by the Controller. The instructions given to the Processor in entering into this Contract shall be deemed to be the relevant provisions of the Service Contract governing the Processor’s obligations in the provision of the Services. 
  2. In case of doubts of the Beneficiary about the Controller’s instructions in processing personal data, the Beneficiary is obliged to inform the Controller about the doubts and ask for supplementation or clarification of the instructions, or agree with the Controller on the further procedure. The Controller shall be obliged to supplement or clarify its instructions and/or agree with the Beneficiary on the further procedure within 5 days from the date of informing the Beneficiary of the doubts concerning the processing of personal data or the Controller’s instructions. If the Controller fails to complete, clarify and/or agree with the Beneficiary on the further course of action within the time limit according to the preceding sentence, the Beneficiary shall not follow the instruction but shall wait for one of the above conditions to be met. 
  3. The Processor is obliged to maintain confidentiality about the processing of personal data and about the personal data it processes on behalf of the Controller, while this obligation continues even after the end of the processing of personal data or after the termination of this Agreement. The Processor shall ensure that access to the personal data processed shall be limited to persons who strictly need access to the personal data for the performance of the Processor’s duties for which they have been entrusted (e.g. the Processor’s employees in their capacity as authorised persons within the meaning of Article 32(4) of the Regulation) or for the performance of this Agreement. The Beneficiary shall oblige the persons entrusted with the processing of personal data to maintain the confidentiality of the processing of personal data and of the personal data which they process on behalf of the Beneficiary, even after the termination of their entrustment. 
  4. The Processor is obliged, taking into account the nature of the processing and the information available to it, to notify the Controller:
    1. if, in its opinion, a particular instruction of the Controller violates the provisions of the Personal Data Protection Regulations, but always no later than 3 days from the date on which it became aware of the violation of the Personal Data Protection Regulations,  
    2. if a security incident occurs on the part of the Processor and/or Sub-Processor that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of Personal Data or unauthorized access to Personal Data (“Data Breach“) without undue delay after becoming aware of the Data Breach.

IV. The Processor is entitled to carry out the transfer of personal data within the European Union. The Processor is entitled to transfer personal data to a country which is not a Member State of the European Union (“third country“), provided that the European Commission has issued an adequacy decision in relation to that country or international organisation – in the absence of an adequacy decision, the Processor may only do so on the basis of the prior written consent of the Controller (including consent given in electronic form).

V. CONTROL 

  1. The Processor shall allow the Controller to inspect the processing of personal data for the purpose of verifying whether the Processor is fulfilling its obligations under this Agreement under the following conditions: 
    1. the control shall be carried out by the Controller or another person authorised by the Controller, whereby the Controller is obliged to inform the Beneficiary about the control of the processing of personal data at least ___ days in advance. In the notice of the inspection, the Controller shall indicate the date of the inspection, the identification of the persons through whom the inspection is to be carried out and the identification of the information, records or documents whose submission is requested by the Controller,
    2. an inspection within the meaning of the preceding paragraph of this Article of the Contract may be carried out only for the duration of this Contract, and the Controller shall be entitled to carry out an inspection once during each year of this Contract. In the event of any doubt as to whether the Processor complies with the provisions of this Contract and/or the Personal Data Protection Regulations when processing personal data on behalf of the Controller, the Controller shall be entitled to carry out an inspection pursuant to this Article of the Contract at any time during the term of this Contract, including repeatedly.

VI. VALIDITY OF THE CONTRACT

  1. The Processor is entitled to process personal data under this Agreement for the duration of the Service Contract.
  2. This Agreement and the authorisation to process personal data under this Agreement shall terminate on the date on which the Processor no longer provides the Contractual Obligations to the Controller. This is without prejudice to the obligations of the Processor and/or the Sub-Processor which the Processor and/or the Sub-Processor is obliged to perform after the termination of this Contract.
  3. Upon termination of this Agreement and the cessation of the processing of personal data on behalf of the Controller, the Processor shall, at the Controller’s discretion delivered to the Processor, erase (destroy) all personal data it has processed on behalf of the Controller under this Agreement or return to the Controller and erase (destroy) all existing copies, unless applicable law or the Data Protection Regulations require the retention of such personal data. 
  4. The Processor shall issue a confirmation to the Controller of the deletion (destruction) or return of the Personal Data to the Controller upon termination of this Contract pursuant to the preceding paragraph of this Article of this Contract, without undue delay after the termination of this Contract and the deletion (destruction) or return of the Personal Data to the Controller.

VII. SECURITY OF PERSONAL DATA

  1. The Processor shall, taking into account the state of the art, the cost of implementing the measures and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons within the meaning of Article 32 of the Regulation, take security measures in order to ensure an adequate level of protection of the personal data processed on behalf of the Controller pursuant to this Agreement and the Service Contract. In order to ensure an adequate level of protection of the personal data processed in accordance with the preceding sentence, the Processor undertakes to take the following minimum technical and organisational measures:
    1. specifying and minimising the range of persons who process personal data on behalf of the Beneficiary and ensuring compliance with the provisions of the personal data protection regulations in the processing of personal data by such persons,
    2. the introduction of measures to prevent unauthorised persons from accessing information systems in which personal data are processed on behalf of the Controller, by means of a system of passwords and access authorisations,  
    3. the introduction of measures to ensure that personal data cannot be unlawfully read or disclosed when they are transmitted or processed on display units or other technical devices or documents processed in paper form,
    4. the introduction of mechanical security measures (lockable doors, locked cabinets and storage areas) to ensure an adequate level of protection of paper-based personal data media and software security measures (firewall, antivirus, use of a secure network, use of VPN connections, regular updates of software programs in use) to ensure an adequate level of protection of personal data processed in electronic form,
    5. putting in place vetting processes for suppliers who will process the personal data of data subjects on behalf of the Beneficiary as Sub-Processors,
    6. the adoption of internal documentation on the protection of personal data, specifying additional security measures and conditions for the processing of personal data of data subjects. 

VIII. FINAL PROVISIONS

  1. The Parties agree that this Contract is without prejudice to any agreement between the Controller and the Processor governing the protection of confidential information (other than personal data) in connection with the performance of the Contractual Obligations.
  2. This Agreement forms part of the Non-Disclosure Agreement.
  3. This Agreement shall become valid and effective on the date of signing of the Non-Disclosure Agreement by both Parties. 
  4. Amendments to this Agreement must be made in writing, in the form of numbered amendments, and must be approved by both Parties.
  5. If any provision of this Agreement becomes invalid, ineffective and/or unenforceable, the validity, effectiveness and/or enforceability of the remaining provisions of this Agreement shall not be affected unless precluded by law from the nature of such provision. Upon the Parties becoming aware that any provision of this Contract or part thereof is invalid, ineffective or unenforceable, the Parties shall replace the invalid, ineffective and/or unenforceable provision of the Contract or part thereof without undue delay with a new provision that respects the intent of this Contract. 
  6. The Parties declare that they have read this Contract, that they understand its contents and that this Contract expresses their serious, free and definite will and that it is not concluded under conditions of duress and is not concluded under manifestly unfavourable conditions.

IX. STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONAL DATA TO A COUNTRY FOR WHICH THERE IS NO ADEQUACY DECISION

This part of the Contract shall only apply if the Processor operates from a country for which the European Commission has not issued an adequacy decision. If there is a conflict between the provisions of the preceding parts of the Contract and these Standard Contractual Clauses, these Standard Contractual Clauses shall prevail.

SECTION I 

Clause 1 

Purpose and scope 

  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) when transferring personal data to a third country. 
  2. Parties: 
    1. the natural or legal person, public authority, agency or other body (hereinafter referred to as the ‘body‘) carrying out the transfer of personal data as set out in Annex I, Part A (hereinafter referred to as the ‘data exporter‘); and 
    2. an entity in a third country that receives personal data from the data exporter, directly or indirectly through another entity that is also a party to these clauses, as referred to in Annex I, Part A (hereinafter referred to as the ‘data importer‘)

have agreed to the following standard contractual clauses (“Clauses“): 

  3. These clauses shall apply to the transfer of personal data pursuant to Annex I, Part B. 
  4. An appendix to these clauses containing the annexes referred to in these clauses shall form an integral part of these clauses. 

Clause 2 

Effect and immutability of clauses

  1. These clauses shall set out adequate safeguards, including enforceable rights of data subjects and effective legal remedies under Articles 46(1) and 46(2)(c) of Regulation (EU) 2016/679 and, as regards transfers of data from Controllers to Processors and/or from Processors to Processors, the standard contractual clauses under Article 28(7) of Regulation (EU) 2016/679, unless modified, except where an appropriate module(s) is selected or where information in the appendix is supplemented or updated. This does not prevent the parties from including the standard contractual clauses set out in these clauses in a broader contract and/or adding other clauses or additional safeguards, provided that they do not directly or indirectly conflict with these clauses or restrict the fundamental rights or freedoms of the data subjects. 
  2. These clauses are without prejudice to the obligations applicable to the data exporter under Regulation (EU) 2016/679. 

Clause 3 

Authorised third parties 

  1. Data Subjects may invoke and enforce these clauses as third party beneficiaries against the data exporter and/or data importer, subject to the following exceptions: 
    1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
    2. Clause 8 – Module 1: Clause 8.5(e) and Clause 8.9(b); Module 2: Clause 8.1(b), Clause 8.9(a), (c), (d) and (e); Module 3: Clause 8.1(a), (c) and (d), as well as Clause 8.9(a), (c), (d), (e), (f) and (g); Module 4: Clause 8.1(b) and Clause 8.3(b); 
    3. Clause 9 – Module 2: Clause 9(a), (c), (d) and (e); Module 3: Clause 9(a), (c), (d) and (e); 
    4. Clause 12 – Module 1: Clause 12(a) and (d); Modules 2 and 3: Clause 12(a), (d) and (f); 
    5. Clause 13; 
    6. Clause 15.1(c), (d) and (e); 
    7. Clause 16(e); 
    8. Clause 18 – Modules 1, 2 and 3: Clause 18(a) and (b); Module 4: Clause 18. 

Point (a) shall be without prejudice to the rights of data subjects under Regulation (EU) 2016/679. 

Clause 4 

Interpretation 

Where these clauses use terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. 

These clauses shall be interpreted in accordance with the provisions of Regulation (EU) 2016/679. 

These clauses must not be interpreted in a way that conflicts with the rights and obligations set out in Regulation (EU) 2016/679. 

Clause 5 

Hierarchy 

In the event of a conflict between these clauses and the provisions of related agreements between the Parties existing at the time these clauses were agreed or entered into at a later date, these clauses shall prevail. 

Clause 6 

Description of the transfer 

The information on the transfer, and in particular the categories of personal data transferred and the purpose for which they are transferred, is set out in Annex I, Part B. 

Clause 7 – optional

Accession clause 

  1. An entity that is not a Party to these clauses may, with the consent of the Parties, accede to these clauses at any time as an exporter or importer of data by completing an addendum and signing Annex I, Part A. 
  2. Upon completion of the Addendum and signing of Annex I, Part A, the acceding entity will become a party to these clauses and will have the rights and obligations of an exporter or importer of data in accordance with the designation in Annex I, Part A. 
  3. The acceding entity shall have no rights or obligations under these clauses in respect of the period before it became a Party. 

SECTION II – OBLIGATIONS OF THE PARTIES 

Clause 8 

Data protection safeguards 

The data exporter declares that it has made reasonable efforts to establish that the data importer is able to fulfil its obligations under these clauses by taking appropriate technical and organisational measures. 

MODULE 1: Operator-to-operator transfer 

8.1 Limitation of purpose 

The data importer shall be entitled to process personal data only for the specific purposes of the transfer set out in Annex I, Part B. It may process personal data for another purpose only if: 

  1. it has obtained the prior consent of the data subject; 
  2. it is necessary for the purpose of establishing, exercising or defending legal claims in the context of a particular administrative, regulatory or judicial proceeding; or 
  3. it is necessary in order to protect the vital interests of the data subject or of another natural person. 

8.2 Transparency 

  1. In order to enable data subjects to exercise their rights under Clause 10 effectively, the data importer shall inform them directly or through the data exporter: 
    1. its identity and contact details; 
    2. the categories of personal data processed; 
    3. the right to obtain a copy of these clauses; 
    4. in the case of an intention to make a subsequent transfer of personal data to any third party, the Processor or categories of Processors (where necessary to provide meaningful information), the purpose and the reason for the subsequent transfer under the clause  
  2. Point (a) shall not apply where, first, the data subject already has the information, including where such information has already been provided by the data exporter, or, second, where the provision of the information proves impossible or would require disproportionate effort on the part of the data importer. In the latter case, the data importer shall, to the extent possible, make the information available to the public. 
  3. The Parties shall make available to the person concerned, on request and free of charge, a copy of these clauses, including the addendum completed by them. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Parties may, before providing a copy of the addendum, delete part of the text of the addendum, but shall provide a meaningful summary if the person concerned would otherwise be unable to understand its contents or to exercise his or her rights. The Parties shall, upon request, notify the data subject of the reasons for the removal of the text, preferably without disclosing the information removed. 
  4. Points (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679. 

8.3 Accuracy and data minimisation 

  1. Each Party shall ensure that the personal data is correct and, where necessary, updated. The data importer shall take all reasonable measures to ensure that personal data which are incorrect in relation to the purposes of the processing are erased or rectified without delay. 
  2. If one of the Parties becomes aware that the personal data it has transmitted or received is incorrect or out of date, it shall inform the other Party without undue delay. 
  3. The data importer shall ensure that the personal data are adequate, relevant and limited to what is necessary for the purposes of the processing. 

8.4 Minimising retention 

The data importer shall not retain personal data for longer than is necessary for the purposes for which they are processed. In order to comply with this obligation, it shall put in place appropriate technical or organisational measures, including the erasure or anonymisation (2) of the data and any backups at the expiry of the retention period. 

8.5 Security of processing 

  1. The data importer and, during the transfer, the data exporter shall take appropriate technical and organisational measures to ensure the security of the personal data, including protection against security breaches resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (“personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the data subject associated with the processing. In particular, the Parties shall consider the use of encryption or pseudonymisation, including during the transmission, if they can fulfil the purpose of the processing. 
  2. The Parties agree on the technical and organisational arrangements set out in Annex II. The data importer shall carry out regular checks to ensure that these measures provide an adequate level of security at all times. 
  3. The data importer shall ensure that the persons authorised to process personal data undertake to maintain the confidentiality of the data or are subject to an appropriate legal obligation of confidentiality. 
  4. In the event of a personal data breach relating to personal data processed by the data importer pursuant to these clauses, the data importer shall take appropriate measures to remedy the personal data breach, including measures to mitigate its possible adverse effects. 
  5. In the event of a personal data breach that may pose a risk to the rights and freedoms of natural persons, the data importer shall, without undue delay, send a notification thereof to the data exporter and to the competent supervisory authority pursuant to Clause 13. Such notification shall include (i) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records); (ii) the likely consequences of the breach; (iii) the measures taken or proposed to be taken to remedy the breach; and (iv) the details of a point of contact where more information can be obtained. To the extent that it is not possible for the data importer to provide all the information at the same time, it may be provided in stages without further undue delay. 
  6. In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall, without undue delay, notify the data subjects of the personal data breach and the nature of the personal data breach, if necessary in cooperation with the data exporter, together with the information referred to in points (e)(ii) to (e)(iv), unless the data importer has taken measures to substantially reduce the risk to the rights or freedoms of natural persons, or unless the notification would require disproportionate efforts. In that case, the data importer shall instead publish a notice or take a similar measure to inform the public of the personal data breach. 
  7. The data importer shall document and keep a record of all relevant facts relating to the personal data breach, including its effects and any remedial measures taken. 

8.6 Sensitive data 

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning the health or sex life or sexual orientation of a person, or data concerning criminal convictions (‘sensitive data’), the data importer shall apply specific limitations and/or additional safeguards tailored to the specific nature of the data and the risks involved. This may include limiting the range of employees who have access to the personal data, additional security measures (e.g. pseudonymisation) and/or additional restrictions on onward disclosure. 

8.7 Subsequent transmissions 

The data importer will only disclose personal data to a third party located outside the European Union (3) (in the same country as the data importer or in another third country, hereinafter referred to as ‘onward transfer’) if that third party is bound by these clauses or agrees to be bound by these clauses, in accordance with the relevant module. Otherwise, the data importer may only carry out onward transfer in the following cases: 

  1. it is made to a country subject to an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; 
  2. the third party otherwise provides adequate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 in relation to the processing in question; 
  3. the third party enters into an agreement with the data importer on a binding instrument ensuring the same level of data protection as under these clauses, and the data importer provides a copy of these safeguards to the data exporter; 
  4. it is necessary for the purpose of establishing, exercising or defending legal claims in the context of a particular administrative, regulatory or judicial proceeding; 
  5. it is necessary in order to protect the vital interests of the data subject or of another natural person; or 
  6. where none of the above conditions apply, the data importer has obtained the data subject’s explicit consent to the onward transfer in the specific situation, after informing him or her of its purpose, the identity of the Processor and the possible risks of such a transfer for him or her due to the lack of adequate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the latter’s request, provide him with a copy of the information provided to the data subject. 

For the purposes of any onward transfer, the data importer is required to comply with all other safeguards under these clauses, in particular the purpose limitation. 

8.8 Processing on the basis of the data importer’s authorisation

The data importer shall ensure that any person acting on its behalf, including a processor, processes the data solely on its instructions. 

8.9 Documentation and compliance 

  1. Each Party shall be able to demonstrate compliance with its obligations under these clauses. In particular, the data importer shall keep the relevant documentation relating to the processing activities carried out under its responsibility. 
  2. The data importer shall make this documentation available to the competent supervisory authority upon request. 

MODULE 2: Transmission from Controller to Processor 

8.1 Instructions 

The data importer shall only process personal data on the basis of documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract. 

The data importer shall immediately inform the data exporter if it is unable to comply with these instructions. 

8.2 Limitation of purpose

The data importer shall be entitled to process personal data only for the specific purposes of the transfer set out in Annex I, Part B, unless otherwise instructed by the data exporter. 

8.3 Transparency 

The data exporter shall make available to the data subject, upon request and free of charge, a copy of these clauses, including the addendum completed by the parties. To the extent necessary to protect trade secrets or other confidential information, including the measures referred to in Annex II and personal data, the data exporter may, before providing a copy of the addendum to these clauses, delete part of its text, providing a meaningful summary if the data subject would otherwise be unable to understand its contents or exercise his or her rights. The Parties shall, upon request, notify the data subject of the reasons for the removal of the text, preferably without disclosing the information removed. This clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679. 

8.4 Correctness 

If the data importer becomes aware that the personal data it has obtained are incorrect or out of date, it shall inform the data exporter without undue delay. In such a case, the data importer shall cooperate with the data exporter to erase or correct the data. 

8.5 Processing period, erasure or return of data 

The data importer shall be authorised to process the data only for the period specified in Annex I, Part B. Upon termination of the provision of processing services, the data importer shall delete all personal data processed on behalf of the data exporter and confirm this to the data exporter, or return all personal data processed on its behalf to the data exporter and delete existing copies, whichever the data exporter chooses. The data importer shall ensure compliance with these clauses until the deletion or return of the data has taken place. With respect to local laws applicable to the data importer that prohibit the return or erasure of personal data, the data importer represents that it will continue to ensure compliance with these clauses and will only process personal data to the extent and for as long as required by that local law. This is without prejudice to Clause 14, in particular the data importer’s obligation under Clause 14(e) to send notifications to the data exporter during the duration of the contract where it has reason to believe that it is or has become subject to legislation or practices which are not in accordance with the requirements set out in Clause 14(a). 

8.6 Security of processing 

  1. The data importer and, during the transfer, the data exporter shall take appropriate technical and organisational measures to ensure the security of the data, including protection against security breaches that result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the data (hereinafter referred to as a ‘data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the risks to data subjects associated with the processing. In particular, the Parties shall consider the use of encryption or pseudonymisation, including during the transmission, if they can fulfil the purpose of the processing. In the case of pseudonymisation, the additional information for the attribution of personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In fulfilling its obligations under this point, the data importer shall at least take the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures provide an adequate level of security at all times. 
  2. The data importer shall only grant access to personal data to its employees to the extent strictly necessary for the performance, management and monitoring of the contract. It shall ensure that those authorised to process personal data undertake to keep the data confidential or are subject to an appropriate legal obligation of confidentiality. 
  3. In the event of a personal data breach relating to personal data processed by the data importer under these clauses, the data importer shall take appropriate measures to remedy the breach, including measures to mitigate its adverse effects. The data importer shall also send a notification of the breach to the data exporter without undue delay after becoming aware of the breach. Such notification shall include details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and records of personal data), the likely consequences of the breach, as well as the measures taken or proposed to remedy the breach, including, where appropriate, measures to mitigate its possible adverse effects. Unless all the information can be provided at the same time, the initial notification shall contain the information that was available at the time, with further information to be provided without undue delay after it becomes available. 
  4. The data importer shall cooperate with and assist the data exporter in fulfilling its obligations under Regulation (EU) 2016/679, in particular with regard to notifications to the supervisory authority and to the data subjects affected, taking into account the nature of the processing and the information available to the data importer. 

8.7 Sensitive data 

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning the health or sex life or sexual orientation of a person, or data concerning criminal convictions (‘sensitive data’), the data importer shall apply the specific limitations and/or additional safeguards set out in Annex I, Part B. 

8.8 Subsequent transmissions 

The data importer shall only provide personal data to a third party on the basis of documented instructions from the data exporter. In addition, data may only be provided to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter referred to as ‘onward transfer’) if that third party is bound by these clauses or agrees to be bound by these clauses, in accordance with the relevant module, or if: 

  1. the onward transfer takes place to a country subject to an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; 
  2. the third party otherwise provides adequate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 in relation to the processing in question; 
  3. the subsequent transfer is necessary for the purpose of establishing, exercising or defending legal claims in the context of a specific administrative, regulatory or judicial proceeding; or 
  4. the subsequent transfer is necessary in order to protect the vital interests of the data subject or of another natural person. 

For the purposes of any onward transfer, the data importer is required to comply with all other safeguards under these clauses, in particular the purpose limitation. 

8.9 Documentation and compliance 

  1. The data importer shall deal promptly and appropriately with requests from the data exporter concerning processing under these clauses. 
  2. The parties must be able to demonstrate that they have fulfilled their obligations under these clauses. In particular, the data importer shall keep the relevant documentation relating to the processing activities carried out on behalf of the data exporter. 
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these clauses and shall, at the request of the data exporter, facilitate and provide the necessary cooperation with audits of the processing activities covered by these clauses at reasonable intervals or where there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer. 
  4. The data exporter may decide whether to carry out the audit itself or to commission an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall be carried out after reasonable notice, if necessary. 
  5. The Parties shall make the information referred to in points (b) and (c), including the results of any audits, available to the competent supervisory authority upon request. 

MODULE 3: Transfer from Processor to Processor 

8.1 Instructions 

  1. The data exporter has informed the data importer that it is acting as an agent under the Controller’s instructions, which the data exporter will make available to the data importer prior to processing. 
  2. The data importer shall only process personal data on the basis of documented instructions from the Controller communicated to the data importer by the data exporter and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the Controller’s instructions. The Controller or the data exporter may give further documented instructions concerning the processing of the data throughout the duration of the contract. 
  3. The data importer shall immediately inform the data exporter if it is unable to comply with these instructions. If the data importer is unable to comply with the Controller’s instructions, the data exporter shall immediately send a notification to the Controller. 
  4. The data exporter declares that it has imposed on the data importer the same data protection obligations as those laid down in the contract or other legal act under Union or Member State law concluded between the data Controller and the data exporter (5). 

8.2 Limitation of purpose 

The data importer shall be entitled to process personal data only for the specific purposes of the transfer set out in Annex I, Part B, in the absence of other instructions from the Controller communicated by the data exporter to the data importer or other instructions from the data exporter. 

8.3 Transparency

The data exporter shall make available to the data subject, upon request and free of charge, a copy of these clauses, including the addendum completed by the parties. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data exporter may remove part of the text of the addendum before providing a copy, but shall provide a meaningful summary if the data subject would otherwise be unable to understand its contents or exercise his or her rights. The Parties shall, upon request, notify the person concerned of the reasons for the removal of the text, preferably without disclosing the information removed. 

8.4 Correctness 

If the data importer becomes aware that the personal data it has obtained are incorrect or out of date, it shall inform the data exporter without undue delay. In such a case, the data importer shall cooperate with the data exporter to correct or erase the data. 

8.5 Processing period, erasure or return of data 

The data importer shall be authorised to process the data only for the period specified in Annex I, Part B. Upon termination of the provision of processing services, the data importer shall delete all personal data processed on behalf of the Controller and confirm this to the data exporter, or return all personal data processed on its behalf to the data exporter and delete existing copies, whichever the data exporter chooses. The data importer shall ensure compliance with these clauses until the erasure or return of the data has taken place. With respect to local laws applicable to the data importer prohibiting the return or deletion of personal data, the data importer represents that it will continue to ensure compliance with these clauses and will only process personal data to the extent and for as long as required by that local law. This is without prejudice to Clause 14, in particular the data importer’s obligation under Clause 14(e) to send notifications to the data exporter during the duration of the contract where it has reason to believe that it is or has become subject to legislation or practices which are not in accordance with the requirements set out in Clause 14(a). 

8.6 Security of processing 

  1. The data importer and, during the transfer, the data exporter shall take appropriate technical and organisational measures to ensure the security of the data, including protection against security breaches that result in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the data (hereinafter referred to as a ‘data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the data subject associated with the processing. In particular, the Parties shall consider the use of encryption or pseudonymisation, including during the transmission, if they can fulfil the purpose of the processing. In the case of pseudonymisation, the additional information for the attribution of personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or Controller. In fulfilling its obligations under this point, the data importer shall take at least the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures provide an adequate level of security at all times. 
  2. The data importer shall only grant access to the data to its employees to the extent strictly necessary for the performance, management and monitoring of the contract. It shall ensure that those authorised to process personal data undertake to keep the data confidential or are subject to an appropriate legal obligation of confidentiality. 
  3. In the event of a personal data breach relating to personal data processed by the data importer under these clauses, the data importer shall take appropriate measures to remedy the breach, including measures to mitigate its adverse effects. The data importer shall, without undue delay, send a notification to the data exporter and, where applicable, if possible, to the Controller after becoming aware of the breach. Such notification shall include details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and personal data records), the likely consequences of the breach, as well as the measures taken or proposed to remedy the data breach, including measures to mitigate its possible adverse effects. Unless all the information can be provided at the same time, the initial notification shall contain the information that was available at the time, with further information being provided without undue delay once it becomes available. 
  4. The data importer shall cooperate with and assist the data exporter in fulfilling its obligations under Regulation (EU) 2016/679, in particular with regard to notifications to the Controller, so that the Controller can subsequently send a notification to the competent supervisory authority and to the data subjects affected, taking into account the nature of the processing and the information available to the data importer. 

8.7 Sensitive data 

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning the health or sex life or sexual orientation of a person, or data concerning criminal convictions (‘sensitive data’), the data importer shall apply the specific limitations and/or additional safeguards set out in Annex I, Part B. 

8.8 Subsequent transmissions 

The data importer shall only disclose personal data to a third party on the basis of documented instructions from the Controller, communicated to the data importer by the data exporter. In addition, data may only be disclosed to a third party located outside the European Union (6) (in the same country as the data importer or in another third country, hereinafter referred to as ‘onward transfer’) if that third party is bound by these clauses or agrees to be bound by these clauses, in accordance with the relevant Module, or if: 

  1. the onward transfer takes place to a country subject to an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer; 
  2. the third party otherwise provides adequate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679; 
  3. the subsequent transfer is necessary for the purpose of establishing, exercising or defending legal claims in the context of a specific administrative, regulatory or judicial proceeding; or 
  4. the onward transfer is necessary for the protection of the vital interests of the data subject or of another natural person. 

For the purposes of any onward transfer, the data importer is required to comply with all other safeguards under these clauses, in particular the purpose limitation. 

8.9 Documentation and compliance 

  1. The data importer shall deal promptly and appropriately with requests from the data exporter or Controller concerning processing under these clauses. 
  2. The parties must be able to demonstrate that they have fulfilled their obligations under these clauses. In particular, the data importer shall keep the relevant documentation relating to the processing activities carried out on behalf of the Controller. 
  3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these clauses, and the data exporter shall provide it to the Controller. 
  4. The data importer shall allow the data exporter to carry out audits of the processing activities covered by these clauses and shall provide the necessary cooperation at reasonable intervals or where there are indications of non-compliance. The same shall apply where the data exporter requests an audit on the basis of instructions from the Controller. When deciding on an audit, the data exporter may take into account relevant certifications held by the data importer. 
  5. If the audit is carried out on the basis of instructions from the Controller, the data exporter shall make the results available to the Controller. 
  6. The data exporter may decide whether to carry out the audit itself or to commission an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall be carried out after reasonable notice, if necessary. 
  7. The Parties shall make the information referred to in points (b) and (c), including the results of any audits, available to the competent supervisory authority upon request. 

MODULE 4: Transfer from Processor to Controller 

8.1 Instructions 

  1. The data exporter shall only process personal data on the basis of documented instructions from the data importer in its capacity as Controller. 
  2. The data exporter shall immediately inform the data importer if it is unable to comply with the instructions in question, including where the instructions in question infringe Regulation (EU) 2016/679 or other Union or Member State data protection legislation. 
  3. The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of onward transfer or with regard to cooperation with the competent supervisory authorities. 
  4. Upon termination of the provision of processing services, the data exporter shall delete all personal data processed on behalf of the data importer and confirm this fact to the data importer, or return all personal data processed on its behalf to the data importer and delete existing copies, whichever the data importer chooses. 

8.2 Security of processing 

  1. The Parties shall take appropriate technical and organisational measures to ensure the security of the data, including during transmission, as well as to protect against security breaches resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter referred to as a “data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the cost of implementing the measures, the nature of the personal data (7), the nature, scope, context and purpose of the processing and the risks associated with the processing for the data subjects, in particular considering the use of encryption or pseudonymisation, including during the transfer, where they can fulfil the purpose of the processing. 
  2. The data exporter shall assist the data importer to ensure adequate security of the data in accordance with point (a). In the event of a personal data breach relating to personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of the breach and shall provide assistance to the data importer in remedying the breach. 
  3. The data exporter shall ensure that the persons authorised to process personal data undertake to maintain the confidentiality of the data or are subject to an appropriate legal obligation of confidentiality. 

8.3 Documentation and compliance 

  1. The parties must be able to demonstrate that they have fulfilled their obligations under these clauses. 
  2. The data exporter shall make available to the data importer all information necessary to demonstrate that it has complied with its obligations under these clauses, shall facilitate audits and shall provide the necessary cooperation in such audits. 

Clause 9 

Use of other processors

MODULE 2: Transmission from Controller to Processor 

  1. OPTION 1: SPECIAL PRIOR AUTHORIZATION The data importer is not entitled to subcontract any of its processing activities carried out on behalf of the data exporter under these clauses to another Processor without the prior specific written authorization of the data exporter. The data importer shall submit a request for a specific authorisation at least 15 days prior to the involvement of the additional Processor, together with information enabling the data exporter to decide on the authorisation. A list of additional Processors in respect of which the data exporter has already granted an authorisation is set out in Annex III. The Parties are required to keep Annex III up to date.
    OPTION 2: GENERAL WRITTEN AUTHORISATION 
  2. The data importer shall have the general authorisation of the data exporter to engage additional Processors from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to this list with regard to the addition or replacement of additional Processors at least 15 days in advance, giving the data exporter sufficient time to object to such changes before the involvement of the additional Processor. The data importer shall provide the data exporter with information on the basis of which it may exercise its right to object. 
  3. If the data importer engages another Processor to carry out specific processing activities (on behalf of the data exporter), it will do so on the basis of a written contract which sets out essentially the same data protection obligations as those of the data importer under these clauses, including with regard to the rights of the authorised third party in the case of data subjects (8). The Parties declare that by complying with the obligations under this clause, the data importer will also comply with the obligations under clause 8.8. The data importer will ensure that the Sub-Processor complies with the obligations applicable to the data importer under these clauses.
  4. The data importer shall provide the data exporter, upon request, with a copy of the agreement with the Sub-Processor, as well as any subsequent amendments to that agreement. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may delete portions of the text of this agreement before providing a copy. 
  5. The data importer shall remain fully liable to the data exporter for the performance of the obligations of the Sub-Processor under the contract it has concluded with the data importer. The data importer shall notify the data exporter of any breach of the obligations of the Sub-Processor under that contract. 
  6. The data importer shall agree with the Sub-Processor on a third-party entitlement clause under which the data exporter has the right, in the event that the data importer has effectively ceased to exist, has ceased to exist under the law or has become insolvent, to terminate the contract with the Sub-Processor and to instruct the Sub-Processor to delete or return the personal data. 

MODULE 3: Transfer from Processor to Processor

  1. OPTION 1: SPECIAL PRIOR AUTHORIZATION The data importer shall not be entitled to subcontract any of its processing activities carried out on behalf of the data exporter under these clauses to another Processor without the specific prior written authorization of the Controller. The data importer shall submit a request for a specific authorisation at least 15 days before the involvement of the additional Processor, together with information enabling the Controller to decide on the authorisation. It shall inform the data exporter of this involvement. A list of additional Processors in relation to which the Controller has already granted an authorisation is set out in Annex III. The Parties shall keep Annex III up to date. 
  2. If the data importer engages another Processor to carry out specific processing activities (on behalf of the Controller), it will do so on the basis of a written contract which sets out substantially the same data protection obligations as those of the data importer under these clauses, including with regard to the rights of the authorised third party in the case of data subjects. The Parties declare that by complying with the obligations under this clause, the data importer shall also comply with the obligations under clause 8.8. The data importer shall ensure that the Sub-Processor complies with the obligations applicable to the data importer under these clauses. 
  3. The data importer shall provide the data exporter with a copy of the agreement with the Sub-Processor, as well as of any subsequent amendments to that agreement, at the latter’s request or at the Controller’s request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may delete parts of the text of the agreement before providing a copy. 
  4. The data importer shall remain fully liable to the data exporter for the performance of the obligations of the Sub-Processor under the contract it has concluded with the data importer. The data importer shall notify the data exporter of any breach of the obligations of the Sub-Processor under that contract. 
  5. The data importer shall agree with the Sub-Processor on a third-party entitlement clause under which the data exporter has the right, in the event that the data importer has effectively ceased to exist, has ceased to exist under the law or has become insolvent, to terminate the contract with the Sub-Processor and to instruct the Sub-Processor to delete or return the personal data. 

Clause 10 

Rights of data subjects 

MODULE 1: Operator-to-operator transfer 

  1. The data importer shall, with the assistance of the data exporter, as appropriate, deal with any queries and requests it receives from the data subject concerning the processing of his or her personal data and the exercise of his or her rights under these clauses without undue delay and at the latest within one month of receipt of the query or request in question. (10) The data importer shall take appropriate measures to facilitate such queries, requests and the exercise of the data subject’s rights. Any information provided to the data subject shall be in a comprehensible and easily accessible form and shall be clearly and simply worded.
  2. At the request of the data subject, the data importer shall, in particular, free of charge: 
    1. provide the data subject with confirmation as to whether personal data relating to him or her are being processed; if so, a copy of the data relating to him or her and the information in Annex I; where personal data have been or will be subsequently transferred, provide information on the Processors or categories of Processors (as appropriate to provide meaningful information) to whom the personal data have been or will be subsequently transferred, the purpose of such subsequent transfers and the reason for such subsequent transfers pursuant to Clause 8.7; and provide information on the right to lodge a complaint with the supervisory authority in accordance with Clause 12(c)(i); 
    2. correct incorrect or incomplete data concerning the data subject; 
    3. erase personal data relating to the data subject where such data are or have been processed in contravention of clauses designed to safeguard the rights of a legitimate third party or where the data subject withdraws the consent on which the processing is based. 
  3. Where the data importer processes personal data for direct marketing purposes, it shall cease processing for those purposes if the data subject objects.
  4. The data importer shall not be entitled to base a decision solely on automated processing of the personal data transmitted (‘automated decision’) which would produce legal effects concerning the data subject or similarly significantly affect him or her, unless the data subject has expressly consented to it or the data importer is entitled to do so under the law of the country of destination, in so far as that law provides for appropriate measures to safeguard the rights and legitimate interests of the data subject. In such a case, the data importer, alone or in cooperation with the data exporter, shall:
    1. inform the data subject of the intended automated decision and the consequences, as well as the logic involved; and 
    2. put in place appropriate safeguards, at least by allowing the person concerned to challenge the decision in question, to make his or her views known and to obtain a human review. 
  5. Where the data subject’s requests are disproportionate, in particular because of their repetitive nature, the data importer may either charge a reasonable fee, taking into account the administrative costs involved in processing the request, or refuse the request.
  6. The data importer may refuse the data subject’s request where such refusal is permitted by the law of the country of destination and is necessary and proportionate in a democratic society for the protection of one of the purposes referred to in Article 23(1) of Regulation (EU) 2016/679.
  7. If the data importer intends to reject the data subject’s request, it shall inform the data subject of the reasons for the rejection and of the possibility to lodge a complaint with the competent supervisory authority and/or to seek redress before a court.

MODULE 2: Transmission from Controller to Processor 

  1. The data importer shall immediately notify the data exporter of any request received from the data subject. He shall not be entitled to respond to such a request himself, unless he has been authorised to do so by the data exporter. 
  2. The data importer shall assist the data exporter in fulfilling its obligation to respond to data subjects’ requests to exercise their rights under Regulation (EU) 2016/679. In this respect, the Parties shall set out in Annex II the appropriate technical and organisational arrangements for providing assistance, as well as the extent of the assistance required, taking into account the nature of the processing. 
  3. The data importer shall comply with the instructions of the data exporter in fulfilling its obligations under points (a) and (b). 

MODULE 3: Transfer from Processor to Processor 

  1. The data importer shall immediately notify the data exporter, where applicable, and the Controller of any request received from the data subject, without responding to it, unless it has been instructed to do so by the Controller. 
  2. The data importer shall, where necessary, in cooperation with the data exporter, assist the Controller in fulfilling its obligation to respond to requests from data subjects to exercise their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this context, the Parties shall determine in Annex II the appropriate technical and organisational arrangements for providing assistance, as well as the extent of the assistance required, taking into account the nature of the processing. 
  3. The data importer shall comply with the Controller’s instructions communicated to it by the data exporter when carrying out its obligations under points (a) and (b). 

MODULE 4: Transfer from Processor to Controller 

The Parties shall provide assistance to each other in responding to data subjects’ queries and requests under the local law applicable to the data importer or, in the case of data processing by an EU data exporter, under Regulation (EU) 2016/679. 

Clause 11 

Remedy

  1. The data importer shall inform data subjects in a transparent and easily accessible format, by means of an individual notice or on its website, of the point of contact authorised to handle complaints. It shall deal promptly with any complaint it receives from a data subject. 

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor 

  2. In the event of a dispute between the person concerned and one of the Parties concerning compliance with the provisions of these clauses, that Party shall use its best endeavours to resolve the dispute expeditiously by way of conciliation. The Parties shall keep each other informed of such disputes and, where necessary, cooperate in their resolution.
  3. Where the data subject invokes the right of an authorised third party under Clause 3, the data importer shall accept the data subject’s decision to:
    1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work or with the competent supervisory authority under clause 13; 
    2. refer the dispute to the competent courts within the meaning of clause 18. 
  4. The Parties consent to the data subject being represented by a non-profit entity, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
  5. The data importer is obliged to comply with the decision, which is binding under applicable EU or Member State law.
  6. The data importer agrees that the decision of the data subject shall not affect his or her substantive and procedural rights to seek redress in accordance with applicable law.

Clause 12 

Responsibility

MODULE 1: Operator-to-operator transfer 

MODULE 4: Transfer from Processor to Controller 

  1. Each Party shall be liable to the other Party for any damage caused to it as a result of a breach of these clauses. 
  2. Each Party shall be liable to the person concerned for any pecuniary or non-pecuniary damage caused to the person concerned by the violation of the rights of an authorised third party under these clauses, and the person concerned shall be entitled to compensation for that damage. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679. 
  3. If more than one party is liable for the damage caused to the person concerned as a result of a breach of these clauses, these parties shall be jointly and severally liable, and the person concerned shall be entitled to bring an action in court against any of these parties. 
  4. The Parties agree that where one Party is liable under subparagraph (c), it shall be entitled to recover from the other Party the portion of the compensation reflecting its liability for the damage. 
  5. The data importer may not rely on the actions of the Processor or Sub-Processor in order to absolve itself of its own liability. 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor 

  1. Each Party shall be liable to the other Party for any damage caused to it as a result of a breach of these clauses. 
  2. The data importer shall be liable to the data subject for any pecuniary or non-pecuniary damage caused to the data subject by himself or by another Processor as a result of the violation of the rights of an authorised third party under these clauses, and the data subject shall be entitled to compensation for that damage. 
  3. Notwithstanding point (b), the data exporter shall be liable to the data subject for any pecuniary or non-pecuniary damage caused to the data subject by him or by the data importer (or Sub-Processor, as the case may be) through the violation of the rights of a third party beneficiary under these clauses, and the data subject shall be entitled to compensation for that damage. This is without prejudice to the liability of the data exporter and, where the data exporter is an agent acting on behalf of the Controller, the liability of the Controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as the case may be. 
  4. The Parties agree that where the data exporter is liable for the damage caused by the data importer (or Sub-Processor) under subparagraph (c), the data exporter shall be entitled to recover from the data importer the portion of the compensation reflecting its liability for the damage. 
  5. If more than one party is liable for the damage caused to the person concerned as a result of a breach of these clauses, these parties shall be jointly and severally liable, and the person concerned shall be entitled to bring an action in court against any of these parties. 
  6. The Parties agree that, where one Party is liable under (e), it shall be entitled to recover from the other Party that part of the compensation which reflects its liability for damage. 
  7. The data importer may not rely on the actions of another Processor in order to absolve itself of its own liability. 

Clause 13 

Supervision

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor

  1. If the data exporter is established in an EU Member State: the supervisory authority responsible for ensuring that the data exporter complies with the provisions of Regulation (EU) 2016/679 in the area of data transfers as set out in Annex I, Part C shall have the status of competent supervisory authority.

    [Where the data exporter is not established in an EU Member State but falls within the territorial scope of Regulation (EU) 2016/679 in accordance with Article 3(2), designating a representative in accordance with Article 27(1) of Regulation (EU) 2016/679:]

    The supervisory authority of the Member State in which the agent is established within the meaning of Article 27(1) of Regulation (EU) 2016/679 pursuant to Annex I, Part C shall have the status of competent supervisory authority.

    [Where the data exporter is not established in an EU Member State but falls within the territorial scope of Regulation (EU) 2016/679 in accordance with Article 3(2) without having to designate a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:]

    The supervisory authority of one of the Member States in which the data subjects whose personal data are transferred in accordance with these clauses in relation to goods or services offered to them or whose behaviour is monitored, as referred to in Annex I, Part C, are located shall have the status of a competent supervisory authority.

  2. The data importer undertakes to submit to the jurisdiction of the competent supervisory authority and to cooperate with it in any proceedings to ensure compliance with these clauses. In particular, the data importer undertakes to respond to inquiries, to submit to audits and to comply with the measures taken by the supervisory authority, including corrective and compensatory measures. It shall provide written confirmation to the supervisory authority that the necessary measures have been taken.

SECTION III – LOCAL LEGISLATION AND OBLIGATIONS IN THE CASE OF ACCESS BY PUBLIC AUTHORITIES 

Clause 14 

Local legislation and practice affecting compliance with the clauses 

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor

MODULE 4: Transfer from Processor to Controller (where the Processor in the EU combines personal data received from a Controller in a third country with personal data obtained by the Processor in the EU) 

  1. The Parties declare that they have no reason to consider that the laws and practices in the third country of destination with regard to the processing of personal data by the data importer, including any requirements for the disclosure of personal data or measures authorising access by public authorities, would prevent the data importer from fulfilling its obligations under these clauses. This is based on the interpretation that legislation and practice which respect the essence of fundamental rights and freedoms and do not go beyond what is necessary and proportionate in a democratic society to secure one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not contrary to these clauses.
  2. The Contracting Parties declare that they have taken due account, in particular, of the following elements in connection with the declaration in subparagraph (a): 
    1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; the intended onward transfers; the type of Processor; the purpose of the processing; the categories and format of the personal data transferred; the sector of the economy in which the transfer takes place; the place of storage of the data transferred; 
    2. the law and practice of the third country of destination – including those requiring the provision of data to public authorities or authorising access by those authorities – which are relevant to the specific circumstances of the transfer, as well as the applicable limitations and safeguards (12); 
    3. any appropriate contractual, technical or organisational safeguards put in place to supplement the safeguards under these clauses, including measures applied during the transfer and processing of personal data in the country of destination. 
  3. The data importer declares that it has made every effort to provide the data exporter with relevant information when carrying out the assessment under point (b) and undertakes to continue to cooperate with the data exporter to ensure compliance with these clauses.
  4. The Parties undertake to document the assessment referred to in point (b) and to make this documentation available to the competent supervisory authority upon request.
  5. The data importer undertakes to notify the data exporter without delay whether, after having consented to these clauses, it has reason to believe during the term of the contract that it is or has become subject to legislation or practices that do not comply with the requirements under point (a), even after the third country’s legislation has changed or action (such as a data subject request) has been taken concerning the application of such legislation in a practice that does not comply with the requirements under point (a). [In the case of Module 3: the data exporter shall forward the notification to the Controller.]
  6. Following a notification under point (e), or where the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these clauses, the data exporter shall promptly identify appropriate measures (for example, technical or organisational measures to ensure security and confidentiality) to be taken by the data exporter and/or data importer to address the situation [in the case of Module 3: in consultation with the Controller, as appropriate]. The data exporter shall discontinue the data transfer if it considers that it is not possible to provide adequate safeguards for such transfer or if instructed to do so by [in the case of Module 3: the Controller or] the competent supervisory authority. In such a case, the data exporter shall be entitled to terminate the contract with respect to the processing of personal data pursuant to these clauses. If the contract has more than two parties, the data exporter may only terminate it in relation to the relevant party, unless otherwise agreed by the parties. In the event of termination under this clause, clause 16(d) and (e) shall apply.

Clause 15 

Obligations of the data importer in case of access by public authorities 

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor 

MODULE 4: Transfer from Processor to Controller (where the Processor in the EU combines personal data received from a Controller in a third country with personal data obtained by the Processor in the EU) 

15.1 Notification 

  1. The data importer undertakes to notify the data exporter and, where appropriate, the data subject (with the assistance of the data exporter, if necessary) without delay if: 
    1. it receives a legally binding request from a public authority, including judicial authorities under the law of the country of destination, to provide personal data transferred under these clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or 
    2. becomes aware of any direct access by public authorities to personal data transferred under these clauses in accordance with the law of the country of destination; such notification shall include all information available to the importer. 

[In the case of Module 3: The data exporter shall forward the notification to the Controller.] 

  2. Where the data importer is prohibited under the law of the country of destination from sending a communication to the data exporter and/or data subject, the data importer undertakes to make every effort to obtain an exemption from the prohibition in order to communicate as much information as possible and as soon as possible. The data importer undertakes to document its best efforts in such a way that it can demonstrate them at the request of the data exporter.
  3. If the legislation of the country of destination so permits, the data importer undertakes to provide the data exporter with as much relevant information as possible about the requests received (in particular, the number of requests, the type of data requested, the requesting authority, whether the requests have been contested and the outcome of the related proceedings, etc.) at regular intervals during the duration of the contract. [In the case of Module 3: The data exporter shall forward the information to the Controller.]
  4. The data importer undertakes to keep the information referred to in points (a) to (c) for the duration of the contract and to make it available to the competent supervisory authority on request.
  5. Subparagraphs (a) to (c) shall apply without prejudice to the data importer’s obligation under Clause 14(e) and Clause 16 to inform the data exporter without delay if it is unable to comply with those Clauses.

15.2 Legality check and data minimisation 

  1. The data importer undertakes to examine the lawfulness of the data subject’s request, in particular whether the competence of the requesting public authority is maintained, and to challenge the request if, after careful consideration, it concludes that there are reasonable grounds to believe that the request is unlawful under the law of the country of destination, applicable obligations under international law and principles of comity in international relations. The data importer is obliged to make use of the possibilities of appeal under the same conditions. When challenging an application, the data importer shall propose interim measures to suspend the effects of the application until the competent judicial authority has ruled on the merits of the case. It shall only provide the requested personal data when it is obliged to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). 
  2. The data importer undertakes to document the relevant legal assessment as well as any challenge to the data request and, to the extent permitted by the laws of the country of destination, to make the documentation available to the data exporter. It shall also make this documentation available to the competent supervisory authority upon request. [In the case of Module 3: The data exporter shall make the assessment available to the Controller.] 
  3. The data importer undertakes to provide the minimum permitted amount of information in response to a data request, based on a reasonable interpretation of the request. 

Clause 16 

Failure to comply with clauses and termination 

  1. The data importer shall immediately inform the data exporter if it is unable to comply with these instructions for any reason. 
  2. In the event that the data importer is in breach of these clauses or is unable to comply with its obligations under these clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is regained or the contract is terminated. Clause 14(f) is not affected. 
  3. The data exporter shall be entitled to terminate the contract insofar as it relates to the processing of personal data under these clauses if: 
    1. the data exporter has interrupted the transfer of personal data to the data importer pursuant to point (b) and compliance with these clauses is not resumed within a reasonable period and in any event within one month of the interruption; 
    2. the data importer is in serious or persistent breach of these clauses; or 
    3. the data importer is in breach of a binding decision of a competent court or supervisory authority with respect to its obligations under these clauses. 

In these cases, it shall inform the competent supervisory authority [in the case of Module 3: and the operator] of the infringement. Where a contract has more than two parties, the data exporter may only terminate it in relation to the relevant party, unless otherwise agreed by the parties. 

  4. [In the case of Modules 1, 2 and 3: Personal data that have been transferred prior to the termination of the contract pursuant to point (c) shall be returned to the data exporter without delay or deleted in their entirety, whichever the data exporter chooses. The same applies in the case of copies of the data.] [In the case of Module 4: Personal data obtained by the data exporter in the EU that have been transferred prior to the termination of the contract pursuant to point (c) shall be deleted immediately in their entirety, including copies thereof.] The data importer shall issue a confirmation to the data exporter that the data have been deleted. The data importer shall ensure compliance with these clauses until such time as the data are deleted or returned. With respect to local laws applicable to the data importer that prohibit the return or erasure of transferred personal data, the data importer represents that it will continue to ensure compliance with these clauses and will only process the data to the extent and for as long as required by that local law.
  5. Either Party may withdraw its consent to be bound by these clauses if (i) the European Commission adopts a decision under Article 45(3) of Regulation (EU) 2016/679 concerning the transfer of personal data covered by these clauses, or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data are transferred. This is without prejudice to the other obligations applicable to the processing in question under Regulation (EU) 2016/679.

Clause 17 

Applicable law 

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor

Such clauses shall be governed by the law of a Member State of the European Union if that law gives effect to the rights of the third party beneficiary. The Parties agree that such law shall be the law of the Slovak Republic.

MODULE 4: Transfer from Processor to Controller 

These clauses are governed by the law of the country giving effect to the rights of the third party beneficiary. The Parties agree that this law shall be the law of the Slovak Republic. 

Clause 18 

Choice of court and jurisdiction 

MODULE 1: Operator-to-operator transfer 

MODULE 2: Transmission from Controller to Processor 

MODULE 3: Transfer from Processor to Processor

  1. The courts of an EU Member State have jurisdiction over disputes arising from these clauses. 
  2. The Parties agree that these courts shall be the courts of the Slovak Republic. 
  3. The data subject may also bring an action against the data exporter and/or data importer before the courts of the Member State in which he or she is habitually resident. 
  4. The Parties agree to submit to the jurisdiction of these courts. 

MODULE 4: Transfer from Processor to Controller 

The courts of the Slovak Republic shall have jurisdiction to adjudicate disputes arising out of these clauses. 
