This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between
(the “Controller”) and
(the “Data Processor”)
(together as the “Parties”) WHEREAS
(A) The customer acts as the Data Controller
(B) The Data Processor provides to the Data Controller certain Services, as per the Principal Agreement, which imply the processing of personal data by the Data Processor on behalf of the Data Controller.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of their respective applicable legal frameworks in relation to data processing.
(D) 1. By virtue of its status as an Intergovernmental Organization, the Data Controller is solely subject to and processes personal data solely in accordance with its own internal legislation: Operational Circular No. 11 “The processing of personal data at CERN” (OC 11) further herein “OC11” (http://cds.cern.ch/record/2651311);
2. The Data Processor is subject to the General Data Protection Regulation (EU 2016/679), as well as subject to relevant national privacy law that might be applicable, and commits to abide by OC11 principles in performing its obligations as Processor.
(E) The Parties lay down in this Agreement the conditions that comply with the requirements of their respective current legal frameworks in relation to data processing;
(F) The "Data Protection Questionnaire" included in doc. "Questions to Enterprise Cloud providers and Data Protection questionnaire", signed by the Processor on 21/6/2022, forms part of this Agreement.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2 "Controller Personal Data" means any Personal Data Processed by a Subprocessor on behalf of the Data Controller pursuant to or in connection with the Principal Agreement;
1.1.3 "Contracted Processor" means a Subprocessor;
1.1.4 "Data Protection Laws" means for the Data Controller Operational Circular No. 11 (OC11) and for the Data Processor the principles set out in OC11, EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "EU Data Protection Laws" means the General Data Protection Regulation (EU 2016/679), and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Transfer" means:
1.1.8.1 a transfer of Controller Personal Data from the Controller to a Subprocessor; or
1.1.8.2 an onward transfer of Controller Personal Data from a Subprocessor, or between two establishments of a Subprocessor.
1.1.9 "Services" means the services that the Processor provides to the Controller as defined in the Principal Agreement.
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Controller in connection with the Agreement.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in OC1
2. Processing of Controller Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
2.1.2 not process Controller Personal Data other than on the relevant Controller’s documented instructions.
2.2 The Controller instructs the Processor to process Controller Personal Data.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any of its employees, agents or contractors and of any employee, agent or contractor of any Subprocessor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are informed of the confidential nature of the Personal Data, have received appropriate training regarding their responsibilities and have signed a written confidentiality agreement which is no less protective of Personal Data than this Agreement.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing.
5.1 Processor shall not appoint (or disclose any Controller Personal Data to) any Subprocessor unless required or authorized by the Controller.
5.2 The Processor shall remain fully responsible to the Controller for the performance of its subprocessors’ obligations. The Processor shall notify the Controller of any failure by the sub-processors or the Subprocessors to fulfil their contractual obligations.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of the Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 The Data Processor shall notify the Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Data Controller with all the necessary information to allow the Controller to meet any obligations under OC11. The Processor shall at least include the following information when notifying the Controller: the nature of the Personal Data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; the likely consequences of the Data breach; the measures taken or proposed to be taken to address the Personal Data breach.
7.2 Processor shall co-operate with the Controller and take appropriate steps to assist the Controller in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, which Controller considers to be required by OC11, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Subprocessors.
9. Deletion or return of Controller Personal Data
9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Controller Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of said data.
9.2 Processor shall provide written certification to the Controller that it has fully complied with this section 9 within 10 business days of the Cessation Date.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Subprocessors.
10.2 Information and audit rights of the Controller only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Processor shall not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
11.2 The same obligations will apply to the Subprocessors as well as to any sub-processor engaged by the Processor.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
Date Signed: ___________________________
Date Signed: ___________________________