Data Processing Agreement

Parties

1. Publitas.com B.V., established in Leiden and with office address J.H. Hoortweg 21, 2333 CH, Leiden The Netherlands, registered with the Dutch Chamber of Commerce under the number 39096214, (hereinafter: “Publitas.com”), and
2. Customer who is not a consumer within any relevant legal provisions via the Publitas platform and the entity or individual that will make use of the Publitas Product or Services, and is dated as such of the date of Publitas’ Order, hereinafter referred to as Customer or Controller.

hereinafter jointly referred to as “Parties”.

1. General Regulations
   1. Introduction, scope, definition
      1. This Agreement governs the rights and obligations of the Controller and Processor (hereinafter collectively referred to as “Parties”) in the context of the processing of personal data on behalf of the Controller (hereinafter referred to as the “DPA”). This DPA is designed to comply with the provisions of the EU General Data Protection Regulation (hereinafter “GDPR”).
      2. If the term “Service Agreement” is used in this DPA, this shall mean the separate conclusion of a contract with the Controller resulting from the conclusion of a free and/or chargeable user agreement – in accordance with the General Terms and Conditions (“GTC”) of the Processor, the Privacy Policy of the Processor or a separately concluded user agreement between Parties.
      3. Insofar as the term “Publitas” or “Software” is used in this Agreement, this shall mean the web-based online subscription service consisting of web-based applications and a platform provided by Publitas at www.publitas.com to upload, produce, host and deliver digital publications within the Publitas server environment under the terms set out in the Service Agreement (Service which for the avoidance of doubt includes the technology provided by Publitas as part of the Services).
      4. This DPA applies to activities in which the Processor, employees of the Processor or subprocessors commissioned by the Processor process personal data of the Controller in accordance with the Service Agreement within the meaning of Art. 28 GDPR. 
      5. Terms used in this DPA shall be understood in accordance with their definition in the GDPR.
   2. Scope of processing, categories of data, data subjects
      1. The subject, scope, type and purpose of data processing are derived from this DPA and the Service Agreement. The following processing activities will be carried out by the Processor on behalf of the Controller:
         A) Collection of data on the Controller’s use of the Processor’s products.
         B) Aggregation and analysis of data and storage of data via subprocessors and thus transferring data to subprocessors. Data will be accessed by the Processor for the purpose of maintenance, global analytics or support to the Controller. Upon instruction from the Controller, the Processor forwards the Controller’s data to third parties appointed by the Controller.
      2. The Processor does not process sensitive personal data. The Processor may process the following categories of personal data on behalf of the Controller and such mentioned that may be mentioned in the subprocessor list added to this DPA in Annex 1: Subprocessor list:
         A) Email addresses
         B) IP address
         C) Phone number
         D) Other information linked to or retrieved from above mentioned personal data, such as location data
         As the Processor’s platform is open, the Controller may independently choose to collect other categories of personal data. The Controller may however not use the Processor’s platform to collect and thereby make the Processor process sensitive personal data. Any such collection of personal data will be considered a breach of this Agreement.
      3. The following categories of data subjects are affected by the data being processed:
         Visitors to the Controller’s content such as, but not limited to content and other Publitas functionalities who have registered their data in the spaces selected by the Controller, such as websites, apps and similar platformsThe provision of the contractually agreed data processing takes place exclusively in a member state of the European Union, another state party to the Agreement on the European Economic Area or a state with an adequate level of data protection in accordance with Art. 45 GDPR, as determined by the European Commission.
      4. The relocation of the service to a third country – a country outside the scope of No. 1.2.4. – requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seqq. GDPR is fulfilled. If these requirements are met, there must be important data protection related reasons to refuse consent.
      5. In case of data protection related contradictions between the Service Agreement or any other agreement with Processor and this Agreement, this Agreement shall take precedence as a more specific provision.
   3. Duration of processing
      The duration of the processing (term) will never be longer than necessary in order to carry out the processing activities and corresponds to the term of the Service Agreement, unless the provisions of this DPA give rise to obligations in excess thereof. In the latter case, this DPA shall terminate upon lapse of the excess obligations of the Service Agreement.
2. Confidentiality
   The Processor shall ensure that confidentiality is maintained in accordance with Art. 28 para. 3 S. 2 point (b), 29 and 32 para. 4 GDPR. When processing data the Processor shall only use employees who are bound to confidentiality and who have been familiarized beforehand with the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data, shall only process such data in accordance with the instructions of the Controller, the Service Agreement and the powers granted in this DPA, unless they are legally required to process such data.
3. Obligations of the Controller
   1. Within the scope of the DPA the Controller is solely responsible for compliance with the legal provisions of the data protection laws, in particular for the lawfulness of the data transferred to the Processor and for the lawfulness of the processing (“Controller” in the sense of Art. 4 No. 7 GDPR). This shall also apply with regard to the subject matter, scope, type and purpose of data processing regulated in this Agreement, the description of the relevant data pursuant to Section 1.2 and the protection of the rights of the data subjects.
   2. In particular, the Controller shall be responsible for ensuring that any technical and organizational measures that are directly or indirectly required by law and regulations for this processing provide an appropriate level of protection for the risks of the processed data. For his part, the Processor is responsible for complying with these measures.
   3. The Controller must inform the Processor in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, and in full if he detects errors or irregularities in light of processing with regard to data protection regulations.
   4. If necessary, the Controller shall provide the Processor with the contact person for any data protection issues arising within the scope of this DPA. If no contact person is assigned, Processor will contact the signee and/or contact Controller via the details presented in their Publitas Account.
   5. Further rights and obligations of the Controller result from the following provisions of this DPA and the GDPR, as well as the corresponding legal provisions.
4. Instructions
   1. The Processor – and any person subordinated to him – may process the personal data only within the framework of the Controller’s instructions, unless there are prevailing exceptional circumstances within the meaning of Article 28 para. 3 sentence 2 point (a) GDPR or another overriding legal provision. The Service Agreement and the DPA constitute the final instructions of the Controller (with regard to data processing) at the time of the conclusion of this DPA. Further instructions are reserved for the Controller but will be treated in accordance with Section 4.3. of this DPA. The Processor shall accept instructions from the Controller in writing, as well as via the electronic formats offered by the Processor for this purpose. Verbal instructions are only permitted in urgent cases and must be confirmed immediately by the Controller in writing or in an electronic format offered by the Processor for this purpose.
   2. The Processor shall inform the Controller without undue delay if he considers that an instruction violates relevant laws or regulations. The Processor may suspend the implementation of the instruction until it has been confirmed or amended by the Controller after verification. The Controller is fully liable to the Processor for damages of any kind arising from or out of confirmed instructions, and shall indemnify the Processor against claims of third parties on first demand. In the event of persistent dissent, the parties agree to consult the competent supervisory authority responsible for the Processor.
   3. If the Controllers instructions are not covered by the contractually agreed scope of services, they shall be treated as a request for a change of services. In the event of proposed modifications, the Processor may inform the Controller about the impact on the agreed services, in particular the possibility of providing the services, deadlines and remuneration. If the Processor cannot reasonably be expected to implement the instruction, the Processor shall be entitled to reject the instructions. In the event that the Controller nevertheless insists on the instructions, the Processor has a special right of termination and can terminate the processing – and further terminate the DPA and the Service Agreement – at any time with immediate effect.
   4. The Controller designates the persons exclusively authorized to issue instructions within Publitas or, if this is not possible within Publitas, by e-mail to the following address: privacy@publitas.com. In the event that no person authorized to issue instructions is appointed, only natural persons authorized to legally represent the Controller are entitled to issue instructions. The Processor may suspend the execution of instructions until the Controller has provided proof of the authority to legally represent the Controller to the Processor.
5. Obligations of the Processor
   1. General Obligations of the Processor
      1. In addition to complying with the provisions of this DPA, the Processor shall have statutory obligations pursuant to Articles 28 to 33 GDPR; in this respect, in particular, the Processor shall ensure compliance with the following provisions.
      2. If necessary by law, the Processor guarantees the written appointment of a data protection officer who performs his duties in accordance with Articles 38 and 39 GDPR. The constantly updated contact details of this data protection officer shall be easily accessible on the homepage or within Publitas.
      3. The Controller and the Processor shall cooperate with the supervisory authority in the performance of their tasks if needed.
      4. The Processor shall immediately inform the Controller of any control actions and measures taken by the supervisory authority in so far as they relate to this Agreement. This shall also apply if a competent authority determines that personal data from this processing has been processed by the Processor and is connected to administrative or criminal proceedings, unless the Processor is obliged by law or by the authorities to refrain from making such notification.
      5. Where the Controller is himself subject to inspection by the supervisory authority, administrative or criminal proceedings, the liability of a person concerned or of a third party or any other claim in connection with the processing of data by the Processor, the Processor shall, upon request, assist the Controller to the best of its ability.
      6. The Processor shall regularly monitor internal processes and technical and organizational measures to ensure that processing within his sphere of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.
      7. The Processor shall provide the Controller with documents proving the technical and organizational measures taken in accordance with Section 6.2, by demonstrating TOM´s relevant ISO certifications covering privacy security and such.
   2. Duty to cooperate in inspections
      1. The Controller is entitled to inspect compliance with the obligations arising from the DPA in relation to his own data with due regard to the legitimate interests of the Processor, the technical and organizational measures as well as the data protection regulations upon agreement with the Processor during their usual business hours – taking into account a minimum of 14 days’ notice – or to have them checked by auditors to be appointed in individual cases. For inspections that become necessary due to a security incident or a more than insignificant violation of the provisions for the protection of personal data or provisions of this DPA (henceforth “event- related on-site inspection”), the notification period from sentence 1 shall be reduced to an appropriate period but not later than 72 hours. Furthermore, event-related on-site inspections are not subject to the restrictions of clauses 5.2.3.-5.2.4. of this DPA.
      2. The Processor may make the consent to the inspection dependent on the inspector submitting to an appropriate confidentiality agreement. If the inspector commissioned by the Controller is in a competitive relationship with the Processor or if another justified case exists, the Processor has the right to object to the Controller’s choice.
      3. Within the scope of this clause, the Processor is only obliged to tolerate and cooperate in one non-event-related on-site inspection (without cause) per calendar year by an independent third party. The effort of an non-event-related on-site inspection (without cause) is generally limited to one day per calendar year for the Processor. All costs related to the inspection for both Controller and Processor are to be paid by Controller. Processors will not charge for internal costs such as cost of labor.
      4. The Processor shall have the right to refuse the non-event-related on-site inspection (without cause) from this Section if and as long as he provides evidence of the fulfillment of his obligations, by means of appropriate evidence. Appropriate evidence may in particular include approved rules of conduct within the meaning of Art. 40 GDPR or an approved certification procedure within the meaning of Art. 42 GDPR. Both Parties agree that the submission of certificates or reports by independent bodies (e.g. IT security officer, data protection officer, etc.), a conclusive company data security concept or a suitable certification by an IT security and data protection audit are also recognized as suitable evidence.
6. Technical and organizational measures
   1. The Processor shall document the implementation of the technical and organizational measures set out and required prior to the conclusion of the contract before the start of processing, in particular with regard to the specific data processing, and shall keep it available for inspections by the Controller.
   2. The Processor shall ensure the security of the processing in accordance with Art. 28 para. 3 point (c) and 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the risk of varying probability and severity of the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account. 
   3. The technical and organizational measures are subject to technical progress and further development. The Processor reserves the right to change the security measures taken, although it must be ensured that the contractually agreed level of protection is not undercut. Significant changes must be documented.
7. Subprocessing relationships
   1. Subprocessing relationships within the meaning of this Agreement are only those services that are directly related to the provision of the main service. Ancillary services, such as transport, maintenance and cleaning, the use of telecommunications services, user service or customer relationship management as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems, are not included. The Processor’s obligation to ensure compliance with data protection and data security in accordance with the relevant legal provisions shall remain unaffected in these cases as well.
   2. The subprocessors are listed in Annex 1: Subprocessor List. Controller´s approval is granted upon conclusion of the DPA.
   3. Furthermore, the Controller grants the Processor the general permission to use further subprocessors, taking into account Section 1.2.4. of the DPA. The Processor shall inform the Controller in text by active notification – e.g. by email, Controller´s Publitas Account – if he intends to engage further subprocessors or to replace subprocessors. The Controller may object to such changes, but this may not be done without important data protection reasons. Objection to the intended amendment must be lodged in writing to the Processor within 14 days of notification of the amendment being made available to: privacy@publitas.com. In the event of an objection, the Processor may, at his own discretion, render the service without the intended change or – if the performance of the service is unreasonable for the Processor without the intended change – discontinue the service vis-à-vis the Controller within 4 weeks after receipt of the substantiated objection and terminate the Service Agreement without notice and with immediate effect.
   4. If the Processor places orders with subprocessors, it shall be incumbent on the Processor to transfer his data protection obligations under this Agreement to the subprocessors and to conclude a contractual agreement with them in accordance with Art. 28 para. 2-4 GDPR. In particular, the Processor shall guarantee that the security of the processing of the subprocessors comply with the level of protection given in this DPA. 
   5. An on-site inspection at the subprocessors´ premises shall be carried out exclusively by the Processor and at most at annual intervals. Under the same conditions as in Section 5.2.4. of this DPA, an on-site inspection may be replaced by proof of data protection-compliant processing. The Processor shall grant the Controller the right to obtain information on the essential content of the contract and the implementation of the obligations of this contract, whereby the Processor may make this dependent on the subprocessors enabling this, for example by concluding a confidentiality agreement.
8. Rights of the data subjects
   1. If a data subject addresses the Processor with a claim under Chapter III of the GDPR with regard to the rights of the data subjects, the Processor will refer the data subject to the Controller, provided that an assignment to the Controller is possible after indication of the data subject. Furthermore, the Processor shall forward the request of the data subject to the Controller without delay but not later than 74 hours.
   2. Without prejudice to Section 8.1. the Controller enables comprehensive self- administration of the data, as well as autonomous access, processing and verification of the processed data by every employee or administrator of the Controller, within the scope of the assigned access rights. Thus, insofar as it is a matter of safeguarding the rights of data subjects under Chapter III of the GDPR, the Controller himself is primarily in a position and obliged to comply with the request of the data subject.
   3. If, despite the possibility of such self-administration, additional support from the Processor is required, the Processor will assist the Controller as far as possible in his obligation to respond to requests to exercise the rights of the person concerned as set out in Chapter III of the GDPR.
   4. The Processor is not liable if the Controller does not respond to the request of a data subject, does not respond correctly or does not respond in due time and this is solely the fault of the Controller.
9. Information and notification obligations
   1. The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR with regard to the security of personal data, reporting obligations in the event of data leaks and prior consultations, if necessary. This includes, among other things:
      1. The obligation to report any violation of the protection of personal data related to end users of the Controller, by the Processor, employees of the Processor or subprocessors commissioned by the Processor without undue delay to the Controller in the sense of Art. 33 para. 2 GDPR.
      2. The support of the Controller for his data protection impact assessment, if necessary. The Processor may comply with this by providing the Controller with the necessary information and documentation upon request.
      3. The assistance of the Controller in consultations with the supervisory authority prior to processing.
   2. The Processor may demand an appropriate remuneration for support services according to Sections 9.1.2. and 9.1.3.
10. Disclosure and deletion of data
    1. Upon completion of the data processing, the Processor shall disclose the personal data provided in accordance with the following paragraphs. As a rule, the data processing is terminated at the end of the term of the Service Agreement.
    2. The Processor may be entitled or obliged, either legally or contractually,  to keep the personal data provided for a certain period of time after the end of the contract. The Controller is entitled at any time until the expiry of this period to demand in text form the disclosure of personal data in a machine-readable format or deletion of the stored personal data or, if possible, to download the data directly from the software.
    3. If the Controller issues the Processor with binding instructions for deletion in text form, the Processor shall be entitled to carry out the deletion of data even before the expiry of the retention period pursuant to Section 10.2. The only exception to this is the data in respect of which the Processor is legally obliged to store i.e. security logs.
    4. If the Controller has neither requested the data to be disclosed nor requested the deletion of such data by the end of the period pursuant to Section 10.2., the Processor shall be obliged to delete such data.
11. Anonymization
    1. The Processor has the right to anonymize and aggregate the personal data covered by this Agreement and to carry out the processing steps required for anonymization and aggregation. While maintaining anonymity, the Processor may process and use all data thus generated for his own purposes, such as statistical evaluations, industry comparisons, benchmarking, product improvements, new product developments and other comparable purposes.
    2. Data required to provide services described in the Agreement and voluntarily by the Controller is not affected by the anonymization.
    3. Anonymized or aggregated data as defined in Section 11.1. Shall no longer be considered personal data and shall not be covered by the obligation to disclose or delete data as defined in Section 10. The Processor shall be entitled to use and store such data for his own purposes beyond the end of the contract.
12. Liability
    1. If damage has occurred because the Processor has not complied with his specifically imposed obligations under the GDPR or because the Processor has not complied with the lawfully issued instructions of the Controller or because the Processor has acted contrary to those instructions, he shall be liable for the damage incurred pursuant to Art. 82 para. 2 GDPR.
    2. In all other cases, the Controller shall be fully liable for the damage in the internal relationship and shall release the Processor from any claims of the data subject or third parties on first demand which are brought against the Processor in connection with the data processing. This shall apply in particular also if a claim as joint debtor exceeds the proportion of the debt attributable to the Processor in terms of sums. 
    3. The Controller bears the burden of proof that damage is not the result of circumstances for which he is responsible.
    4. Any exclusions of liability in this Agreement shall not apply in the event of intent or gross negligence or in the event of damage resulting from injury to life, limb or health.
    5. In all other respects, liability shall be governed by the Service Agreement.
13. Concluding Provisions
    1. The Parties may accept/confirm the conclusion of the contract in an electronic format in the sense of Art. 28 para. 9 GDPR.
    2. Both parties are obliged to confidentially treat all knowledge of business secrets and data security measures of the other party that were acquired within the scope of the contractual relationship, even beyond the termination of the Agreement. This also applies in particular to the contents of this DPA, as well as all documents, evidence etc. made available within the framework of the data protection audit. If there are any doubts as to whether information is subject to confidentiality, it shall be treated as confidential until it is released in writing by the other party.
    3. Amendments and supplements to this DPA and all its components – including any assurances given by the Processor – shall be made in writing in accordance with the GDPR, which may also be in an electronic format, and require an express indication that these terms and conditions have been amended or supplemented. This also applies to the waiver of this formal requirement. The parties agree that adjustments to the DPA or new contracts shall be concluded in an electronic format in accordance with Art. 28 para. 9 GDPR.  
    4. Should the data of the Controller be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller immediately, unless Processor is legally prohibited to do so by instructions of an official authority or the law itself. The Processor shall immediately inform all parties involved in this connection that the sovereignty and ownership of the data lies exclusively with the Controller as the “responsible party” in the sense of the GDPR.
    5. Dutch law shall apply.
    6. For all disputes in connection with this DPA the registered office of the Processor shall, if permissible, be agreed as the exclusive place of jurisdiction.
    7. This DPA replaces all previous or concomitant warranties, arrangements, agreements, contracts or notifications among the Controller and the Processor, whether written or oral, with respect to the subject matter of this DPA. The respectively concluded Service Agreements shall remain unaffected hereby.
    8. Should individual parts of this Agreement be invalid, this shall not affect the validity of the remaining parts of this Agreement.

ANNEX 1: SUBPROCESSOR LIST