Updated January 22, 2025
Data Processing Agreement (“Agreement”) is between you (“Client”) and ExpandNow Limited (“ExpandNow”, “Supplier”) and forms part of your overall Terms of Service and Privacy Policy, in force as of the effective date of the Terms of Service clause 5.2.
ExpandNow Limited
Carlton House – 4th floor, Henry Street
V94 FD80
Limerick
Ireland
(the “Supplier”)
(together as the “Parties” and each separately as a “Party”)
1. BACKGROUND
1.1. Client and the Supplier have entered into an agreement titled “Terms of Service” dated (“Agreement”), based on which the Supplier provides access and other services defined in the Agreement (the “Services”) to Client.
1.2. For the purposes of this Agreement, the terms “Data Controller”, “Data Processor”, “processing”, “Personal Data” and “Data Subject” shall have the meanings ascribed to them in the Data Protection Legislation.
1.3. To the extent the Supplier processes Personal Data in respect to which Client is Data Controller, Client appoints the Supplier as its Data Processor of such Personal Data and, to the extent the Supplier processes Personal Data in respect to which another party is Data Controller, Client appoints the Supplier as its Sub-Processor of such Personal Data, subject to the terms and conditions set forth in this Agreement.
1.4. This Agreement is made between the Parties pursuant to the applicable data protection legislation (as amended from time to time), such as the Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (the “Data Protection Legislation”).
2. COMPLIANCE WITH LAWS AND LEGISLATION
2.1. The Supplier agrees to comply with the provisions of all laws applicable to the processing of personal data.
2.2. The Supplier shall also comply with Client’s written instructions provided to Supplier from time to time regarding e.g. processing, protecting and encrypting of Personal Data.
2.3. The Supplier shall deliver to Client and/or relevant data protection authority all information necessary for supervising the compliance with obligations set out in this Agreement.
3. PROCESSING OF PERSONAL DATA
3.1. The categories of Data Subjects and the types of Personal Data processed for the purposes of the Services in respect to which Client is the Data Controller are:
– Types of Personal Data: Basic Information (Name, Address, Email address, Purchase Details which includes the IP address of the purchaser for Fraud Prevention purposes)
– Categories of Data Subjects: Client’s representatives, directors and employees
– Processing Activities: Contact of requested other parties to allow for the purchase of Client devices, payment processing, warranty and returns support, as per the Provision of the Services under the Agreement
3.2. The categories of Data Subjects and the types of Personal Data processed for the purposes of the Services in respect to which Client is the Data Controller are:
– Types of Personal Data: Basic Information (Name, Address, Email address and Purchase Details which includes the IP address of the purchaser for Fraud Prevention purposes)
– Categories of Data Subjects: Client’s representatives, directors and employees
– Processing Activities: Contact of Clients to allow for the purchase of Client devices, payment processing, warranty and returns support as per the Agreement
3.3. The Supplier agrees to process Personal Data only for the purpose of the provision of the Services and in accordance with this Agreement, the Data Protection Legislation and instructions received in writing from Client from time to time. The Supplier shall assist Client to correct, amend and delete the Personal Data in the Supplier’s possession following Client’s requests and assist Client in complying with the rights and rightful requests of the Data Subjects, and with notices served by the relevant supervisory authority or any other law enforcement or regulatory authority.
3.4. The Supplier shall notify Client as soon as possible, unless such notification is prohibited by law, if it considers that an instruction from Client under clause 2.2 is in breach of and/or against Data Protection Legislation.
3.5. The Supplier shall assist Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation, taking into account the nature of processing and the information available to the Supplier.
3.6. The Supplier shall inform Client, as soon as possible, if it receives a request notice or other communication from a Data Subject seeking to exercise his or her rights under the Data Protection Legislation in respect of Personal Data, and shall assist Client with respect to that communication, request, or notice.
3.7. The Supplier shall implement and maintain at all times appropriate organizational, operational, managerial, physical and technical measures in order to ensure a level of security appropriate to the risks represented by the processing of Personal Data, taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons so that all processing is in compliance with Data Protection Legislation and this Agreement. Client reserves the right to also request new and/or additional security measures from the Supplier from time to time.
3.8. The Supplier shall not transfer the Personal Data outside the European Economic Area (“EEA”) without a prior written agreement with Client.
4. SUPERVISION RIGHT
4.1. Client shall be entitled to take the monitoring measures it is entitled to do in accordance with the Data Protection Legislation, to monitor that the Supplier acts in accordance with this Agreement and the Data Protection Legislation. The Supplier undertakes to provide assistance if required by Client in order to perform such monitoring measures in an effective manner.
4.2. The Supplier shall: (a) promptly provide Client with a copy of Personal Data in tangible form, (b) promptly correct, block or delete Personal Data, (c) promptly provide Client with such information and cooperation regarding the processing of Personal Data under the Agreement as Client may reasonably request, (d) provide individuals whose Personal Data is being processed with such information regarding the processing as Client may reasonably request, (e) provide upon Client’s request, a written report on its data security procedures.
4.3. Client or a third party authorized by Client is further entitled to audit the Supplier’s operations with respect to its fulfilment of this Agreement. Such audit may be performed by giving a written notice to the Supplier. If the date proposed by Client is not suitable for the Supplier, the Supplier may appoint another date that cannot be later than five (5) business days from the original date. Each Party shall bear its own costs for such audit, unless the audit reveals a breach of this Agreement and/or the applicable Data Protection Legislation, in which case the Supplier shall bear also all costs and expenses of Client, or a third party authorized by Client. The Supplier undertakes to co-operate in good faith with Client and provide Client or a third party authorized by Client with all such information relating to this Agreement Client or a third party authorized by Client may reasonably request in order to demonstrate that the Supplier has performed in compliance with the Data Protection Legislation.
5. USE OF SUBCONTRACTORS
5.1. In the event the Supplier uses subcontractors in the processing of Personal Data in connection with the provision of Services (“sub-processor”), the Supplier shall ensure that such sub-processors comply with the terms of this Agreement. The Supplier warrants to have terms in place with its sub-processors equivalent to the terms agreed in this Agreement.
5.2. The Supplier shall be responsible for its sub-processor’s actions and omissions under this Agreement, as though they were the Supplier’s own actions or omissions.
6. DATA BREACH
6.1. The Supplier shall inform Client without undue delay, and in any case within 48 hours, after the Supplier becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data.
6.2. In the event of a breach as set forth in section 6.1 the Supplier must take all appropriate measures to secure the Personal Data and limit any possible detrimental effect on the Data Subjects. The Supplier shall work with Client’s prior approval on quickly resolving the issue, and preventing further losses, and only subject to Client’s prior request, on providing notices to Data Subjects or supervisory authorities containing the information as mandated by the Data Protection Legislation.
6.3. The information referred to in section 6.1 shall where possible 1) describe the nature of the personal data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned, 2) communicate the name and contact details of a possible data protection officer, 3) describe the likely consequences of the personal data breach, 4) describe the measures taken by the Supplier to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects, 5) describe the measures proposed to be taken by the Supplier, Client to address the personal data breach and 6) include all possible other information required by Data Protection Legislation. In so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
7. CONFIDENTIALITY
7.1. The Parties agree that information, Personal Data, instructions, descriptions, audit reports and similar documentation (“Confidential Information”) that a Party receives from the other Party through exchanges of information pursuant to this Agreement may not be utilized or disclosed, whether directly or indirectly, for purposes other than as set forth in this Agreement.
7.2. The Parties however recognize that each of them may be part of a larger organization and that it may be necessary for one or both of them to provide Confidential Information to its affiliated companies. For this purpose, each Party agrees that to the extent allowed by the Data Protection Legislation:
(a) the receiving Party may disclose Confidential Information to another entity under common Control of that Party or to an entity that has the Control over the Party (an “Affiliate”) but only to the extent that such Affiliate needs to know the Confidential Information in order to carry out the Services;
(b) Disclosure by or to an Affiliate of a Party hereto shall be deemed to be a disclosure by or to that Party, as applicable; and
(c) each Party guarantees the observance and proper performance by all of its Affiliates of the terms and conditions of this Agreement.
For the purposes of this clause, “Control” means the direct or indirect ownership of more than 30 % of the shares entitled to vote for the appointment of directors for so long as such control subsists or equivalent power to exercise control over the management of the affiliated entity.
7.3. The Supplier undertakes that all of its personnel and its Affiliate’s personnel processing Personal Data are bound by duty of confidentiality. In the event the Supplier engages a third party (subcontractor) to perform its engagement (as agreed above in Section 5), Supplier shall ensure that such third party and its personnel are bound by the duty of confidentiality.
7.4. The duty of confidentiality shall not apply to information relating to which a party can demonstrate that it was developed by that party itself, was known to the party prior to receiving it or was in the public domain or came to the attention of such party from a third party other than as a result of a breach of this Agreement.
7.5. In the event a Party is required to disclose information according to law or the decisions of public authorities, such Party shall be obliged to inform the other Party thereof immediately and request confidentiality in conjunction with the disclosure of requested information.
8. TERM
8.1. This Agreement shall apply during such time that the Supplier processes Personal Data on behalf of Client. The termination of data processing takes place on the first of the following events to take place:
(a) Client requests the Supplier to remove the Personal Data and stop processing thereof;
(b) The Supplier’s obligation to provide Services to Client ceases permanently due to termination of the Agreement; or
(c) Client otherwise terminates this Agreement by giving a prior written notice to the Supplier no later than one (1) month prior to the actual termination.
9. MEASURES RELATING TO THE TERMINATION OF DATA PROCESSING
9.1. Upon the termination of data processing, the Personal Data shall, at Client’s discretion, either be returned to Client or be deleted, including any existing copies thereof.
10. CLAIMS AND DAMAGES
10.1. To the extent due to the Supplier’s, or its sub-processor’s fault, the Supplier shall be liable for any damage caused to a Data Subject as a consequence of processing contrary to the provisions of this Agreement and/or the applicable Data Protection Legislation and in respect of which Client has had to pay compensation to the Data Subject or pay administrative fines awarded by relevant supervisory authorities.
10.2. The Supplier shall indemnify and hold Client harmless against any and all claims, liabilities, costs, expenses (including but not limited to reasonable attorneys’ fees), damages and losses incurred by Client arising out of or in connection with claims, actions, suits, sanctions and/or proceedings brought by Data Subjects or supervisory authorities or any third party under the Data Protection Legislation in respect of Personal Data processed by the Supplier under this Agreement. The Supplier’s total aggregate liability with respect to all claims within the calendar year will be limited to the Margin as described in the Terms of Service, before VAT and after costs, as so withheld and/or received by the Supplier from the Client for the lesser of the period up to 3 calendar months immediately preceding the date on which the claim arose, or if less, the period from the Effective Date of the Agreement to the date on which the claim arose.
11. AMENDMENTS
11.1. Any amendments or alterations to this Agreement shall be made in writing and be signed by duly authorized representatives of the Parties to be binding.
12. NO REMUNERATION
12.1. Neither Party is entitled to any additional remuneration on the basis of this agreement.
13. GOVERNING LAW AND DISPUTES
13.1. For a Client based in the United States this agreement shall be governed by the laws of Texas, United States. For a Client based everywhere else other than the United States this agreement shall be governed by the laws of Ireland.
13.2. The parties expressly consent to the jurisdiction of the courts based on the above for the resolution of any disputes arising under this agreement, regardless of any other jurisdiction in which a claim may be brought.