Part A

Preliminary Matters

Definitions
1. Terms and expressions that are not defined in this DPA are defined in the MSA to which it relates to.
2. The following words and expressions shall bear the meanings assigned to them below and cognate words and expressions bear corresponding meanings -
  1. "Applicable Agreements" - collectively, the MSA and its addendums, any applicable Order Forms, and this DPA;
  2. "Applicable Privacy Law" - any data protection, privacy or access to information law applicable to a Party's Processing of Personal Data in any jurisdiction, including the GDPR and EU member states' respective national data protection laws and applicable data directive;
  3. "Authorised Purpose" - the Service Provider's provision of the Services in terms of the MSA and otherwise performing in terms of the Applicable Agreements, including Section 16 and 22, whichever is applicable of this DPA;
  4. "Data Protection Authority" - the body established in terms of any Applicable Privacy Law for the purposes of monitoring and enforcing compliance with Applicable Privacy Law, including, for purposes of the GDPR, the Supervisory Authority;
  5. "Disclose" - disseminating, transferring, sharing or otherwise making available or accessible, and "Disclosed" shall be construed accordingly;
  6. "DPA" - this agreement and any schedules thereto as amended from time to time;
  7. "DSR" - a request by a Data Subject to exercise any right afforded to them in terms of the GDPR or any other Applicable Privacy Law;
  8. "EU" - the European Union;
  9. "GDPR" - European Union General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 and the following terms shall bear the meaning ascribed thereto in the GDPR: "Commission", "Supervisory Authority", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Processing", , "Standard Contractual Clauses", and the terms "Processing" ,"Processed" and "Joint Controller" shall be construed accordingly;
  10. "Indemnified Loss" - the Losses which are indemnified in terms of Section 10;
  11. "Losses" - actual or contingent losses, liabilities, damages, costs (including legal costs on the scale as between attorney and own client and any additional legal costs which are obliged to be paid or are reasonably incurred) and expenses of any nature whatsoever, and "Loss" shall be construed accordingly;
  12. "MSA" - the Masters Services Agreement concluded between the Parties;
  13. "Sub-Processor" - a Person who Processes Personal Data for a Processor in terms of a contract or mandate, without coming under the direct authority of that Processor;
  14. "Sensitive Data" - any Special Category Personal Data or Personal Data relating to a "child", as defined in the applicable member state law;
  15. "Special Category Personal Data" - the categories of data listed in Article 9(1) of the GDPR;
  16. "Third Country" - any country not part of the EU; and
  17. "Third Party" - any Person including any Sub-Processor but shall not include an employee, and "Third Parties" shall mean more than one.
Structure of this DPA and Conflicts
1. This DPA is divided into the following parts -
  1. Part A: preliminary matters, containing provisions relating to the definitions, structure of the DPA, general matters, and the introduction to the DPA;
  2. Part B: common data protection obligations, containing the data protection obligations that apply to the Service Provider irrespective of its Processing role as a Processor or a Controller;
  3. Part C: Processor Processing obligations, containing the data protection principles that apply to the Service Provider where it acts as a Processor; and
  4. Part D: Controller Processing obligations, containing the data protection principles that apply to the Service Provider where it acts as a Controller.
2. Part A will always apply irrespective of whether each Party is a Controller, Joint Controller or Processor.
3. Where the Service Provider -
  1. is a Processor - Part B and Part C apply;
  2. is a Controller - Part B and Part D apply; or
  3. is a Joint Controller, together with the Customer - Part B and Part D apply, and the terms of the DPA will be further subject to the requirements contained in Schedule 1.
4. In the event of a conflict between Part B and -
  1. Part C; or
  2. Part D,
    1. Part C or Part D will prevail to the extent of the conflict (whichever is applicable).
General
1. Subject to Schedule 1, if applicable, to the extent that any Applicable Privacy Law applies to the Authorised Purpose or the Parties, any term or concept referred to in this DPA should be interpreted to mean the analogous concept in the Applicable Privacy Law. Although this DPA is drafted in terms of the GDPR, the Parties' compliance obligations are to be read to apply mutatis mutandis to any other Applicable Privacy Law.
2. To the extent that there is a conflict between this DPA and the -
  1. MSA, the terms of this DPA will prevail to the extent of the conflict; and
  2. Standard Contractual Clauses, the terms of the Standard Contractual Clauses, will prevail to the extent of the conflict.
Introduction
1. The Parties have entered into the MSA in respect of the Services. This DPA sets out the Parties respective data protection obligations in respect of their Processing of Personal Data for the Authorised Purpose.
2. Depending on the relationship between the Parties -
  1. the Service Provider and the Customer are each a Controller; or
  2. the Service Provider is the Customer's Processor, for purposes of Applicable Privacy Laws.
3. Accordingly, the Parties agree as set out herein.

Part B

Common Data Protection Obligations

Purpose Limitation
1. The details of the Processing and in particular the categories of Personal Data that are Processed and the purpose(s) for which they are Processed are specified in Schedule 1.
2. Subject to Part C or Part D, as the case may be, the Parties must not Process Personal Data for other purpose/s, or Process Personal Data on different terms, other than as set out in Schedule 1.
3. Where Sensitive Data is Processed, the Service Provider shall apply the specific restrictions and/or additional safeguards described in Schedule 1.
Security of Processing
1. The Service Provider will implement appropriate technical and organizational measures to ensure the security of Personal Data including protection against a breach of security leading to a Personal Data Breach.
2. In assessing the appropriate level of security, the Service Provider shall take due account of: (i) the state of the art; (ii) the costs of implementation; (iii) the nature, scope, context and purpose(s) of Processing; and (iv) the risks involved in the Processing for the Data Subjects.
3. The Service Provider shall in particular consider having recourse to encryption including during transmission, where the purpose of Processing can be fulfilled in that manner.
4. In complying with its obligations under this Section 6, Service Provider shall at least implement the technical and organisational measures specifics in line with industry standards which will, at a minimum, comply with those contained in Schedule 1. Service Provider shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
5. The Service Provider shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of Applicable Agreements and shall ensure that any Persons authorised to Process the Personal Data has committed themselves to confidentiality agreements or are under an appropriate statutory or professional obligation of confidentiality.
Personal Data Breach
1. In the event of a Personal Data Breach concerning Personal Data Processed by the Service Provider in connection with the Authorised Purpose, the Service Provider shall take appropriate measures to address the breach, including measures to mitigate its adverse effects.
2. The Service Provider shall notify the Customer of a Personal Data Breach without undue delay - but in no less than 24 hours - after having become aware of the breach. Such notification shall contain -
  1. the details of the contact Person who the Customer can contact relating to the breach;
  2. a description of the nature of the Personal Data Breach (including, where possible, categories and approximate number of data subjects and Personal Data records concerned);
  3. the likely consequences of the Personal Data Breach; and
  4. the measures taken or proposed to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects.
3. Where, and in so far as, it is not possible to provide all the information contained in Section 7.2 at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4. The Service Provider shall cooperate with and assist the Customer to enable the Customer to comply with its reporting obligations under any Applicable Privacy Law, in particular to notify the competent Data Protection Authority and the affected Data Subjects taking into account the nature of Processing and the information available to the Parties.
5. If when first notified to the Service Provider or subsequently, the Personal Data Breach is continuing, the Service Provider shall -
  1. do all things reasonably necessary to eliminate the Personal Data Breach;
  2. regularly report to the Customer on the Personal Data Breach until it has been eliminated.
6. The Service Provider shall document all relevant facts relating to the Personal Data Breach including its effects and any remedial action taken, and it will keep a record thereof.
Third Countries and Onward Transfers
1. Where the Service Provider is located a country that is not subject to an adequacy decision by the European Commission, the Parties will rely on the Standard Contractual Clauses to govern the transfer of Personal Data outside of the EU.
2. Where a Third Party is in a Third Country, the Service Provider shall only Disclose Personal Data to such Third Party provided they enter into a legally enforceable agreement on the same terms as this DPA and which is enforceable by the Service Provider and the Customer.
Other Assistance
1. The Service Provider shall assist the Customer with complying with any of its other obligations in terms of Applicable Privacy Laws, to the extent that such assistance is reasonably required, including performing any data protection impact assessment or seeking prior consultation from the Data Protection Authority.
Indemnity
1. The Service Provider hereby indemnifies and holds the Customer harmless from any Losses it incurs as a result of a -
  1. Personal Data Breach whether occurring while the Personal Data was in the Service Provider's possession or control, or the possession or control of any Third Party to whom Service Provider has Disclosed Personal Data to (including any Processor); or
  2. breach of this DPA or non-compliance with any Applicable Privacy Laws by the Service Provider (including any employee) or any other Third Party,

(each an "Indemnified Loss").

Duration of Privacy Obligations
1. Processing by the Service Provider shall only take place for as long as the MSA is in effect. Upon the termination of the MSA for any reason, this DPA will also automatically terminate.
2. Once the events in Section 11.1 take place, the Service Provider shall, at the choice of the Customer, delete or return all Personal Data Processed on behalf of the Customer and certify to the Customer that it has done so.
3. Until Section 11.1 is complied with, the Service Provider shall continue to ensure compliance with this DPA.
4. In case of any Applicable Law that prohibits the return or deletion of the Personal Data, the Service Provider warrants that it will continue to ensure compliance with this DPA and that it will only Process Personal Data to the extent and for as long as required under such Applicable Law/s.
Non-Compliance with the Clauses and Termination
1. The Service Provider shall promptly inform the Customer if it is unable to comply with this DPA for whatever reason.
2. In the event that the Service Provider is in breach of this DPA or unable to comply with this DPA, the Customer shall suspend the transfer of Personal Data to the Service Provider until compliance is again ensured or the DPA is terminated.
3. The Customer shall be entitled to terminate this DPA where -
  1. the Customer has suspended the transfer of Personal Data to the Service Provider pursuant to Section 12.2 and compliance with this DPA is not restored within a reasonable time and in any event within one month of suspension;
  2. the Service Provider is in substantial or persistent breach of this DPA; or
  3. the Service Provider fails to comply with a binding decision of a competent court or Data Protection Authority regarding its obligations under this DPA.
4. Where the Service Provider has conducted any of the actions referred to in Section 12.3, this will amount to a material breach for purposes of the MSA and then the Customer shall have the rights contained herein and in terms of any Applicable Law.
Jurisdiction
1. The Service Provider agrees to submit itself to the jurisdiction of and cooperate with the Data Protection Authority in any procedures aimed at ensuring compliance with this DPA. In particular, the Service Provider agrees to respond to enquiries, submit to audits, and comply with the measures adopted by the Data Protection Authority, including remedial and compensatory measures. It shall provide the Data Protection Authority with written confirmation that the necessary actions have been taken where requested to do so.
2. The Parties acknowledge and agree that the provisions of this DPA relating to the processing of Personal Data shall apply irrespective of whether such processing takes place within the EU or in any other jurisdiction.

Part C

Processor Processing Obligations

Processing Specification
1. The Service Provider -
  1. will act as an Processor with respect to the Personal Data it Processes for the Authorised Purpose;
  2. must Process Personal Data in accordance with this DPA and the Processing specifications indicated at Schedule 1;
  3. will not Process Personal Data -
    1. not included in Schedule 2 nor Process Personal Data in a manner that is in accordance with this DPA including the specifications contained in Schedule 1; and
    2. for a purpose/s other than what is indicated in Schedule 1; and
  4. must promptly and without undue delay notify the Customer if it becomes aware that the Personal Data it has received is inaccurate or has become outdated.
2. In the case of Section 14.1.4, the Customer shall cooperate with the Service Provider to erase the Personal Data or rectify the Personal Data following receipt of updated information from the Customer (upon the Customer's election and instructions).
The Customer’s Right and Obligations
1. The Customer shall be responsible for ensuring that the Processing of the Personal Data takes place within the framework of, and in compliance with the Applicable Privacy Law.
2. The Customer will have both the right and obligation to make decisions about the purposes and means of Processing of Personal Data.
Service Provider Acts on Written Instructions
1. The Service Provider shall not sub-contract any of its Processing activities performed on behalf of the Customer in connection with the Authorized Purpose to a Sub-Processor not listed in Schedule 2 without the Customer’s prior specific written authorization.
2. The Service Provider acknowledges that the Customer may give Written Instructions throughout the duration of this DPA.
3. The Service Provider shall immediately inform the Customer if -
  1. the Written Instructions are in the Service Provider's reasonable opinion in contravention of any Applicable Law including any Applicable Privacy Law/s; and / or
  2. the Service Provider is unable to follow and / or undertake the Written Instructions.
Onward Transfers

The Service Provider shall only Disclose the Personal Data to a Third Party that is not a Sub-Processor on documented instructions from the Customer; alternatively subject to the Customer's prior written consent.

Sub-Processors
1. The Service Provider shall not sub-contract any of its Processing activities performed on behalf of the Customer in connection with the Authorised Purpose to a Sub-Processor without the Customer’s prior specific written authorisation (which shall not be unreasonably withheld).
2. Where the Service Provider engages a Sub-Processor to carry out specific Processing activities (on behalf of the Customer), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those contained in this DPA ("Sub-Processor Agreement").
3. The Service Provider shall ensure that the Sub-Processor complies with the obligations to which the Service Provider is subject pursuant to this DPA.
4. The Service Provider shall at the Customer’s request provide a copy of such a Sub-Processor Agreement (as amended) to the Customer. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Service Provider may redact the Sub-Processor Agreement to the extent reasonably necessary prior to providing the Customer with a copy.
5. The Service Provider shall -
  1. remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in connection with the Authorised Purpose; and
  2. immediately notify the Customer of any failure by the Sub-Processor to fulfil its obligations under that Sub- Processor Agreement.
6. The Service Provider shall agree a third-party beneficiary clause with the Sub-Processor whereby - in the event the Service Provider has factually disappeared, ceased to exist in law or has become insolvent – the Customer shall have the right to terminate the Sub-Processor Agreement and to instruct the Sub-Processor to erase or return the Personal Data.
Data Subject Requests
1. The Service Provider shall promptly notify the Customer of any DSR received. It shall not respond to such DSR itself unless it has been authorised to do so by the Customer.
2. The Service Provider shall assist the Customer in fulfilling its obligations to respond to any DSR. In this regard, the Parties shall set out in 1 the appropriate technical and organisational measures, taking into account the nature of the Processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
3. In fulfilling its obligations under this Section 28, the Service Provider shall comply with the instructions from the Customer.
Indemnity
1. The Service Provider shall not, and shall procure that its representatives shall not, admit any liability in respect of any claim that may give rise to an Indemnified Loss. The Service Provider shall under no circumstances be entitled to make any admission on behalf of the Customer, nor to reach a compromise or settle any claim without the Customer's prior written consent.
2. The Service Provider shall notify the Customer in writing of any such claim as soon as is reasonably possible after the Service Provider becomes aware of that claim, but in any event within seven Business Days after the Service Provider becomes aware of that claim, to enable the Customer to contest that claim should it in its discretion elect to do so. Unless agreed otherwise between the Parties, the Service Provider shall conduct and control any legal proceedings arising from such claim, at its cost, provided that the Customer may, in its sole discretion and at its cost, appoint its own legal representative to act on its behalf in such proceedings. Notwithstanding the foregoing provisions of this Section 20.2, the Service Provider's liability in terms of Section 20.1 shall not be affected by any failure of the Service Provider or its representatives to comply with this Section 20.3.
3. The Service Provider shall be obliged to pay the Customer any amount due to the Customer in respect of any Indemnified Loss as soon as the Customer is obliged to pay the amount thereof (in any case which involves a payment by the Indemnified Party) or as soon as the Customer actually suffers the Indemnified Loss (in any case which does not involve a payment by the Customer).
Documentation and Compliance
1. The Service Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and at the Customer’s request, allow for audits of the Processing activities covered by this DPA, at reasonable intervals or if there are indications of non- compliance.
2. The cost of any audit shall by borne by the Customer unless the audit finds evidence of non-compliance with Applicable Privacy Laws or this DPA.
3. The Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the Service Provider and shall, where appropriate, be carried out with reasonable notice.

Part D

Controller Processing Obligation

Processing Specification
1. Each Party must not Process Personal Data for a purpose/s other than set out in Schedule 1 unless-
  1. it has obtained the relevant Data Subject’s prior consent;
  2. where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  3. where necessary in order to protect the vital interests of the Data Subject or of another natural person.
2. Each Party shall only Process Personal Data subject to a lawful basis contained in Article 6 of the GDPR; and any Special Category Personal Data subject to a lawful basis contained in Article 9 of the GDPR.
3. Where Sensitive Data is Processed, the Service Provider shall apply the specific restrictions and/or additional safeguards described in Schedule 1.
Transparency
1. To enable Data Subjects to effectively exercise their rights under Applicable Privacy Laws, each Party shall inform them, either directly or through the Customer -
  1. of its identity and contact details;
  2. of the categories of Personal Data Processed;
  3. where it intends to onward transfer the Personal Data to any Third Party/ies -
    1. the recipient or categories of recipients; and
    2. the purpose of such onward transfer and the ground therefore pursuant to 25.
2. Clause 23.1 shall not apply where -
  1. the Data Subject already has the information, including when such information has already been provided by the Customer; or
  2. providing the information proves impossible or would involve a disproportionate effort for the Service Provider, in which case the Service Provider shall, to the extent possible, make the information publicly available.
3. This Section 23.1 and 23.2 does not absolve either Party of any notification obligations under Applicable Privacy Law/s.
Accuracy and Data Minimisation
1. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date and shall take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purpose(s) of Processing, is erased or rectified without delay.
2. If one of the Parties becomes aware that the Personal Data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
3. The Parties shall ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of Processing.
Onward Transfers

The Service Provider shall only Disclose the Personal Data to a Third Party subject to compliance with Applicable Privacy Law/s.

Processing Under the Authority of the Service Provider

The Service Provider shall ensure that any person acting under its authority, including any Processor, only Processes the Personal Data on its instructions.

Documentation and Compliance
1. Each Party shall be able to demonstrate compliance with its obligations under this DPA. In particular, the Service Provider shall keep appropriate documentation of the Processing activities carried out under its responsibility.
2. The Service Provider shall make such documentation available to a Data Protection Authority on request.

Data Subject Requests

The Service Provider shall, where relevant with the assistance of the Customer, deal with any enquiries and requests it receives from a Data Subject relating to the Processing of their Personal Data and the exercise of their rights under Applicable Privacy Law.

Liability
1. Subject to Section 10, each Party shall be liable to the -
  1. other Party for any damages it causes such other Party;
  2. Data Subject for any damages it suffers,

due to a breach of this DPA or any Applicable Privacy Law/s.

Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA or any Applicable Privacy Law/s, each Party shall be jointly but not severally liable to the Data Subject, and the Data Subject is entitled to bring an action in court against both Parties on such basis.
The Parties agree that if one Party is held liable under 29.2, it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.
The Service Provider may not invoke the conduct of a Processor or Sub- Processor to avoid its own liability.

Part A

Preliminary Matters

Definitions
1. Terms and expressions that are not defined in this DPA are defined in the MSA to which it relates to.
2. The following words and expressions shall bear the meanings assigned to them below and cognate words and expressions bear corresponding meanings -
  1. "Applicable Agreements" - collectively, the MSA and its addendums, any applicable Order Forms, and this DPA;
  2. "Applicable Privacy Law" - any data protection, privacy or access to information law applicable to a Party's Processing of Personal Data in any jurisdiction, including the GDPR and EU member states' respective national data protection laws and applicable data directive;
  3. "Authorised Purpose" - the Service Provider's provision of the Services in terms of the MSA and otherwise performing in terms of the Applicable Agreements, including Section 16 and 22, whichever is applicable of this DPA;
  4. "Data Protection Authority" - the body established in terms of any Applicable Privacy Law for the purposes of monitoring and enforcing compliance with Applicable Privacy Law, including, for purposes of the GDPR, the Supervisory Authority;
  5. "Disclose" - disseminating, transferring, sharing or otherwise making available or accessible, and "Disclosed" shall be construed accordingly;
  6. "DPA" - this agreement and any schedules thereto as amended from time to time;
  7. "DSR" - a request by a Data Subject to exercise any right afforded to them in terms of the GDPR or any other Applicable Privacy Law;
  8. "EU" - the European Union;
  9. "GDPR" - European Union General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 and the following terms shall bear the meaning ascribed thereto in the GDPR: "Commission", "Supervisory Authority", "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processor", "Processing", , "Standard Contractual Clauses", and the terms "Processing" ,"Processed" and "Joint Controller" shall be construed accordingly;
  10. "Indemnified Loss" - the Losses which are indemnified in terms of Section 10;
  11. "Losses" - actual or contingent losses, liabilities, damages, costs (including legal costs on the scale as between attorney and own client and any additional legal costs which are obliged to be paid or are reasonably incurred) and expenses of any nature whatsoever, and "Loss" shall be construed accordingly;
  12. "MSA" - the Masters Services Agreement concluded between the Parties;
  13. "Sub-Processor" - a Person who Processes Personal Data for a Processor in terms of a contract or mandate, without coming under the direct authority of that Processor;
  14. "Sensitive Data" - any Special Category Personal Data or Personal Data relating to a "child", as defined in the applicable member state law;
  15. "Special Category Personal Data" - the categories of data listed in Article 9(1) of the GDPR;
  16. "Third Country" - any country not part of the EU; and
  17. "Third Party" - any Person including any Sub-Processor but shall not include an employee, and "Third Parties" shall mean more than one.
Structure of this DPA and Conflicts
1. This DPA is divided into the following parts -
  1. Part A: preliminary matters, containing provisions relating to the definitions, structure of the DPA, general matters, and the introduction to the DPA;
  2. Part B: common data protection obligations, containing the data protection obligations that apply to the Service Provider irrespective of its Processing role as a Processor or a Controller;
  3. Part C: Processor Processing obligations, containing the data protection principles that apply to the Service Provider where it acts as a Processor; and
  4. Part D: Controller Processing obligations, containing the data protection principles that apply to the Service Provider where it acts as a Controller.
2. Part A will always apply irrespective of whether each Party is a Controller, Joint Controller or Processor.
3. Where the Service Provider -
  1. is a Processor - Part B and Part C apply;
  2. is a Controller - Part B and Part D apply; or
  3. is a Joint Controller, together with the Customer - Part B and Part D apply, and the terms of the DPA will be further subject to the requirements contained in Schedule 1.
4. In the event of a conflict between Part B and -
  1. Part C; or
  2. Part D,
    1. Part C or Part D will prevail to the extent of the conflict (whichever is applicable).
General
1. Subject to Schedule 1, if applicable, to the extent that any Applicable Privacy Law applies to the Authorised Purpose or the Parties, any term or concept referred to in this DPA should be interpreted to mean the analogous concept in the Applicable Privacy Law. Although this DPA is drafted in terms of the GDPR, the Parties' compliance obligations are to be read to apply mutatis mutandis to any other Applicable Privacy Law.
2. To the extent that there is a conflict between this DPA and the -
  1. MSA, the terms of this DPA will prevail to the extent of the conflict; and
  2. Standard Contractual Clauses, the terms of the Standard Contractual Clauses, will prevail to the extent of the conflict.
Introduction
1. The Parties have entered into the MSA in respect of the Services. This DPA sets out the Parties respective data protection obligations in respect of their Processing of Personal Data for the Authorised Purpose.
2. Depending on the relationship between the Parties -
  1. the Service Provider and the Customer are each a Controller; or
  2. the Service Provider is the Customer's Processor, for purposes of Applicable Privacy Laws.
3. Accordingly, the Parties agree as set out herein.

Part B

Common Data Protection Obligations

Purpose Limitation
1. The details of the Processing and in particular the categories of Personal Data that are Processed and the purpose(s) for which they are Processed are specified in Schedule 1.
2. Subject to Part C or Part D, as the case may be, the Parties must not Process Personal Data for other purpose/s, or Process Personal Data on different terms, other than as set out in Schedule 1.
3. Where Sensitive Data is Processed, the Service Provider shall apply the specific restrictions and/or additional safeguards described in Schedule 1.
Security of Processing
1. The Service Provider will implement appropriate technical and organizational measures to ensure the security of Personal Data including protection against a breach of security leading to a Personal Data Breach.
2. In assessing the appropriate level of security, the Service Provider shall take due account of: (i) the state of the art; (ii) the costs of implementation; (iii) the nature, scope, context and purpose(s) of Processing; and (iv) the risks involved in the Processing for the Data Subjects.
3. The Service Provider shall in particular consider having recourse to encryption including during transmission, where the purpose of Processing can be fulfilled in that manner.
4. In complying with its obligations under this Section 6, Service Provider shall at least implement the technical and organisational measures specifics in line with industry standards which will, at a minimum, comply with those contained in Schedule 1. Service Provider shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
5. The Service Provider shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of Applicable Agreements and shall ensure that any Persons authorised to Process the Personal Data has committed themselves to confidentiality agreements or are under an appropriate statutory or professional obligation of confidentiality.
Personal Data Breach
1. In the event of a Personal Data Breach concerning Personal Data Processed by the Service Provider in connection with the Authorised Purpose, the Service Provider shall take appropriate measures to address the breach, including measures to mitigate its adverse effects.
2. The Service Provider shall notify the Customer of a Personal Data Breach without undue delay - but in no less than 24 hours - after having become aware of the breach. Such notification shall contain -
  1. the details of the contact Person who the Customer can contact relating to the breach;
  2. a description of the nature of the Personal Data Breach (including, where possible, categories and approximate number of data subjects and Personal Data records concerned);
  3. the likely consequences of the Personal Data Breach; and
  4. the measures taken or proposed to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects.
3. Where, and in so far as, it is not possible to provide all the information contained in Section 7.2 at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4. The Service Provider shall cooperate with and assist the Customer to enable the Customer to comply with its reporting obligations under any Applicable Privacy Law, in particular to notify the competent Data Protection Authority and the affected Data Subjects taking into account the nature of Processing and the information available to the Parties.
5. If when first notified to the Service Provider or subsequently, the Personal Data Breach is continuing, the Service Provider shall -
  1. do all things reasonably necessary to eliminate the Personal Data Breach;
  2. regularly report to the Customer on the Personal Data Breach until it has been eliminated.
6. The Service Provider shall document all relevant facts relating to the Personal Data Breach including its effects and any remedial action taken, and it will keep a record thereof.
Third Countries and Onward Transfers
1. Where the Service Provider is located a country that is not subject to an adequacy decision by the European Commission, the Parties will rely on the Standard Contractual Clauses to govern the transfer of Personal Data outside of the EU.
2. Where a Third Party is in a Third Country, the Service Provider shall only Disclose Personal Data to such Third Party provided they enter into a legally enforceable agreement on the same terms as this DPA and which is enforceable by the Service Provider and the Customer.
Other Assistance
1. The Service Provider shall assist the Customer with complying with any of its other obligations in terms of Applicable Privacy Laws, to the extent that such assistance is reasonably required, including performing any data protection impact assessment or seeking prior consultation from the Data Protection Authority.
Indemnity
1. The Service Provider hereby indemnifies and holds the Customer harmless from any Losses it incurs as a result of a -
  1. Personal Data Breach whether occurring while the Personal Data was in the Service Provider's possession or control, or the possession or control of any Third Party to whom Service Provider has Disclosed Personal Data to (including any Processor); or
  2. breach of this DPA or non-compliance with any Applicable Privacy Laws by the Service Provider (including any employee) or any other Third Party,

(each an "Indemnified Loss").

Duration of Privacy Obligations
1. Processing by the Service Provider shall only take place for as long as the MSA is in effect. Upon the termination of the MSA for any reason, this DPA will also automatically terminate.
2. Once the events in Section 11.1 take place, the Service Provider shall, at the choice of the Customer, delete or return all Personal Data Processed on behalf of the Customer and certify to the Customer that it has done so.
3. Until Section 11.1 is complied with, the Service Provider shall continue to ensure compliance with this DPA.
4. In case of any Applicable Law that prohibits the return or deletion of the Personal Data, the Service Provider warrants that it will continue to ensure compliance with this DPA and that it will only Process Personal Data to the extent and for as long as required under such Applicable Law/s.
Non-Compliance with the Clauses and Termination
1. The Service Provider shall promptly inform the Customer if it is unable to comply with this DPA for whatever reason.
2. In the event that the Service Provider is in breach of this DPA or unable to comply with this DPA, the Customer shall suspend the transfer of Personal Data to the Service Provider until compliance is again ensured or the DPA is terminated.
3. The Customer shall be entitled to terminate this DPA where -
  1. the Customer has suspended the transfer of Personal Data to the Service Provider pursuant to Section 12.2 and compliance with this DPA is not restored within a reasonable time and in any event within one month of suspension;
  2. the Service Provider is in substantial or persistent breach of this DPA; or
  3. the Service Provider fails to comply with a binding decision of a competent court or Data Protection Authority regarding its obligations under this DPA.
4. Where the Service Provider has conducted any of the actions referred to in Section 12.3, this will amount to a material breach for purposes of the MSA and then the Customer shall have the rights contained herein and in terms of any Applicable Law.
Jurisdiction
1. The Service Provider agrees to submit itself to the jurisdiction of and cooperate with the Data Protection Authority in any procedures aimed at ensuring compliance with this DPA. In particular, the Service Provider agrees to respond to enquiries, submit to audits, and comply with the measures adopted by the Data Protection Authority, including remedial and compensatory measures. It shall provide the Data Protection Authority with written confirmation that the necessary actions have been taken where requested to do so.
2. The Parties acknowledge and agree that the provisions of this DPA relating to the processing of Personal Data shall apply irrespective of whether such processing takes place within the EU or in any other jurisdiction.

Part C

Processor Processing Obligations

Processing Specification
1. The Service Provider -
  1. will act as an Processor with respect to the Personal Data it Processes for the Authorised Purpose;
  2. must Process Personal Data in accordance with this DPA and the Processing specifications indicated at Schedule 1;
  3. will not Process Personal Data -
    1. not included in Schedule 2 nor Process Personal Data in a manner that is in accordance with this DPA including the specifications contained in Schedule 1; and
    2. for a purpose/s other than what is indicated in Schedule 1; and
  4. must promptly and without undue delay notify the Customer if it becomes aware that the Personal Data it has received is inaccurate or has become outdated.
2. In the case of Section 14.1.4, the Customer shall cooperate with the Service Provider to erase the Personal Data or rectify the Personal Data following receipt of updated information from the Customer (upon the Customer's election and instructions).
The Customer’s Right and Obligations
1. The Customer shall be responsible for ensuring that the Processing of the Personal Data takes place within the framework of, and in compliance with the Applicable Privacy Law.
2. The Customer will have both the right and obligation to make decisions about the purposes and means of Processing of Personal Data.
Service Provider Acts on Written Instructions
1. The Service Provider shall not sub-contract any of its Processing activities performed on behalf of the Customer in connection with the Authorized Purpose to a Sub-Processor not listed in Schedule 2 without the Customer’s prior specific written authorization.
2. The Service Provider acknowledges that the Customer may give Written Instructions throughout the duration of this DPA.
3. The Service Provider shall immediately inform the Customer if -
  1. the Written Instructions are in the Service Provider's reasonable opinion in contravention of any Applicable Law including any Applicable Privacy Law/s; and / or
  2. the Service Provider is unable to follow and / or undertake the Written Instructions.
Onward Transfers

Sub-Processors
1. The Service Provider shall not sub-contract any of its Processing activities performed on behalf of the Customer in connection with the Authorised Purpose to a Sub-Processor without the Customer’s prior specific written authorisation (which shall not be unreasonably withheld).
2. Where the Service Provider engages a Sub-Processor to carry out specific Processing activities (on behalf of the Customer), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those contained in this DPA ("Sub-Processor Agreement").
3. The Service Provider shall ensure that the Sub-Processor complies with the obligations to which the Service Provider is subject pursuant to this DPA.
4. The Service Provider shall at the Customer’s request provide a copy of such a Sub-Processor Agreement (as amended) to the Customer. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Service Provider may redact the Sub-Processor Agreement to the extent reasonably necessary prior to providing the Customer with a copy.
5. The Service Provider shall -
  1. remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in connection with the Authorised Purpose; and
  2. immediately notify the Customer of any failure by the Sub-Processor to fulfil its obligations under that Sub- Processor Agreement.
6. The Service Provider shall agree a third-party beneficiary clause with the Sub-Processor whereby - in the event the Service Provider has factually disappeared, ceased to exist in law or has become insolvent – the Customer shall have the right to terminate the Sub-Processor Agreement and to instruct the Sub-Processor to erase or return the Personal Data.
Data Subject Requests
1. The Service Provider shall promptly notify the Customer of any DSR received. It shall not respond to such DSR itself unless it has been authorised to do so by the Customer.
2. The Service Provider shall assist the Customer in fulfilling its obligations to respond to any DSR. In this regard, the Parties shall set out in 1 the appropriate technical and organisational measures, taking into account the nature of the Processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
3. In fulfilling its obligations under this Section 28, the Service Provider shall comply with the instructions from the Customer.
Indemnity
1. The Service Provider shall not, and shall procure that its representatives shall not, admit any liability in respect of any claim that may give rise to an Indemnified Loss. The Service Provider shall under no circumstances be entitled to make any admission on behalf of the Customer, nor to reach a compromise or settle any claim without the Customer's prior written consent.
2. The Service Provider shall notify the Customer in writing of any such claim as soon as is reasonably possible after the Service Provider becomes aware of that claim, but in any event within seven Business Days after the Service Provider becomes aware of that claim, to enable the Customer to contest that claim should it in its discretion elect to do so. Unless agreed otherwise between the Parties, the Service Provider shall conduct and control any legal proceedings arising from such claim, at its cost, provided that the Customer may, in its sole discretion and at its cost, appoint its own legal representative to act on its behalf in such proceedings. Notwithstanding the foregoing provisions of this Section 20.2, the Service Provider's liability in terms of Section 20.1 shall not be affected by any failure of the Service Provider or its representatives to comply with this Section 20.3.
3. The Service Provider shall be obliged to pay the Customer any amount due to the Customer in respect of any Indemnified Loss as soon as the Customer is obliged to pay the amount thereof (in any case which involves a payment by the Indemnified Party) or as soon as the Customer actually suffers the Indemnified Loss (in any case which does not involve a payment by the Customer).
Documentation and Compliance
1. The Service Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and at the Customer’s request, allow for audits of the Processing activities covered by this DPA, at reasonable intervals or if there are indications of non- compliance.
2. The cost of any audit shall by borne by the Customer unless the audit finds evidence of non-compliance with Applicable Privacy Laws or this DPA.
3. The Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the Service Provider and shall, where appropriate, be carried out with reasonable notice.

Part D

Controller Processing Obligation

Processing Specification
1. Each Party must not Process Personal Data for a purpose/s other than set out in Schedule 1 unless-
  1. it has obtained the relevant Data Subject’s prior consent;
  2. where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
  3. where necessary in order to protect the vital interests of the Data Subject or of another natural person.
2. Each Party shall only Process Personal Data subject to a lawful basis contained in Article 6 of the GDPR; and any Special Category Personal Data subject to a lawful basis contained in Article 9 of the GDPR.
3. Where Sensitive Data is Processed, the Service Provider shall apply the specific restrictions and/or additional safeguards described in Schedule 1.
Transparency
1. To enable Data Subjects to effectively exercise their rights under Applicable Privacy Laws, each Party shall inform them, either directly or through the Customer -
  1. of its identity and contact details;
  2. of the categories of Personal Data Processed;
  3. where it intends to onward transfer the Personal Data to any Third Party/ies -
    1. the recipient or categories of recipients; and
    2. the purpose of such onward transfer and the ground therefore pursuant to 25.
2. Clause 23.1 shall not apply where -
  1. the Data Subject already has the information, including when such information has already been provided by the Customer; or
  2. providing the information proves impossible or would involve a disproportionate effort for the Service Provider, in which case the Service Provider shall, to the extent possible, make the information publicly available.
3. This Section 23.1 and 23.2 does not absolve either Party of any notification obligations under Applicable Privacy Law/s.
Accuracy and Data Minimisation
1. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date and shall take every reasonable step to ensure that Personal Data that is inaccurate, having regard to the purpose(s) of Processing, is erased or rectified without delay.
2. If one of the Parties becomes aware that the Personal Data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
3. The Parties shall ensure that the Personal Data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of Processing.
Onward Transfers

The Service Provider shall only Disclose the Personal Data to a Third Party subject to compliance with Applicable Privacy Law/s.

Processing Under the Authority of the Service Provider

The Service Provider shall ensure that any person acting under its authority, including any Processor, only Processes the Personal Data on its instructions.

Documentation and Compliance
1. Each Party shall be able to demonstrate compliance with its obligations under this DPA. In particular, the Service Provider shall keep appropriate documentation of the Processing activities carried out under its responsibility.
2. The Service Provider shall make such documentation available to a Data Protection Authority on request.

Data Subject Requests

Liability
1. Subject to Section 10, each Party shall be liable to the -
  1. other Party for any damages it causes such other Party;
  2. Data Subject for any damages it suffers,

due to a breach of this DPA or any Applicable Privacy Law/s.

Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA or any Applicable Privacy Law/s, each Party shall be jointly but not severally liable to the Data Subject, and the Data Subject is entitled to bring an action in court against both Parties on such basis.
The Parties agree that if one Party is held liable under 29.2, it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.
The Service Provider may not invoke the conduct of a Processor or Sub- Processor to avoid its own liability.

Data Processing Agreement (DPA)

Download Document

Part A

Preliminary Matters

Part B

Common Data Protection Obligations

Part C

Processor Processing Obligations

Part D

Controller Processing Obligation

Unlock what
legal operations
is supposed to be.

Data Processing Agreement (DPA)

Download Document

Part A

Preliminary Matters

Part B

Common Data Protection Obligations

Part C

Processor Processing Obligations

Part D

Controller Processing Obligation

Unlock what
legal operations
is supposed to be.

Data Processing Agreement (DPA)

Download Document

Part A

Preliminary Matters

Part B

Common Data Protection Obligations

Part C

Processor Processing Obligations

Part D

Controller Processing Obligation

Unlock whatlegal operationsis supposed to be.

Data Processing Agreement (DPA)

Download Document

Part A

Preliminary Matters

Part B

Common Data Protection Obligations

Part C

Processor Processing Obligations

Part D

Controller Processing Obligation

Unlock whatlegal operationsis supposed to be.

Unlock what
legal operations
is supposed to be.

Unlock what
legal operations
is supposed to be.