DATA PPOCESSING AGREEMENT
between
(client) (data controller)
and
Fast Lane IP Limited trading as IMPERACOM (contractor) (data processor)
PREAMBLE
The processing is based on the agreement between the parties for the provision of various services by the contractor.
- Subject of the agreement
1.1. The contractor collects/processes/uses personal data on behalf of the client.
1.2. Subject of the service
The purpose of the service is to process data by collecting, recording, organizing, sorting, storing, adapting or modifying, reading, querying, using, disclosing through transmission, dissemination or any other form of provision, matching or linking, restriction, erasure or destruction of data exclusively in connection with the services listed in the main agreement (here: registration and administration of domain names and – if applicable – the provision of hosting services). The data will not be processed for other purposes.
The contractual services will be executed exclusively in member states of the EU or in one of the contracting states of the agreement on the European Economic Area on the part of the data processor. A transfer of the services or of partial work to a third country may occur only if the special requirements of Art. 44 et seq. GDPR are met and this is absolutely required for the provision of the services.
Changes of the processing object and procedural changes are to be mutually agreed.
1.3. Duration of the contracting
The agreement begins with the date of signature by both parties and ends with the effective date of the termination of the main agreement. This agreement shall not become effective prior to May 25, 2018.
1.4. Scope, nature and purpose of collection, processing or use of data:
1.4.1. Type of processing
The contractor processes personal data of the client‘s customers, or of client‘s employees.
1.4.2. Type of personal data
Personal data required for the execution of the service:
– personal master data
– communication data (traffic data)
– contractual master data
– if required by the main agreement: billing and payment data
– if required by registrar regulations: proof of identity.
1.4.3. Circle of persons involved
Customers and employees of the client.
- Rights and obligations of the client
2.1. The client is solely responsible for the assessment of the lawfulness of the data collection/processing/use as well as for the protection of the rights of the persons involved.
2.2. The client issues all orders or partial orders in writing or in a documented electronic format.
2.3. The client is entitled to give the contractor written instructions regarding the processing of personal data provided by client.
2.4. Prior to the start of data processing and then in – regular intervals the client is entitled to verify the compliance of the contractor with any agreed – technical and organizational measures and with the obligations arising from this contract. The client can also use third parties to carry out this verification. The client undertakes to remunerate all expenses incurred by the contractor as a result of making this verification possible.
2.5. The client informs the contractor immediately if he detects any errors or irregularities in the examination of the services.
2.6. The client is obliged to treat with confidentiality all knowledge acquired about business secrets and data security measures of the contractor resulting from the contractual relationship. This obligation remains valid even after termination of this contract.
- Obligations of the contractor
3.1. The contractor shall only process personal data in accordance with the agreements, legal requirements and instructions of the client in accordance with GDPR, unless he is required to process it under the laws of the European Union or of the member state the processor is subject to (for example investigations of law enforcement and state protection authorities). In this case, the processor must notify the controller of such legal requirements prior to processing, unless such communication is prohibited due to important public interests under applicable law (Art. 28 (3) sentence 2 (a) GDPR).
3.2. The contractor shall correct, delete and block personal data under the contractual relationship or restrict its processing if the client so requests in the agreement or instructs him so unless this contradicts the legitimate interests of the contractor. When an affected person directly contacts the contractor in this regard, the contractor will immediately forward this request to the client. The contractor may act upon such a request if the client does not respond to requests by affected data subjects within reasonable time.
3.3. The contractor does not use the personal data provided for data processing for any other, especially not for own purposes. Copies or duplicates are not created without the knowledge of the client. The contractor assures the contractual processing of all agreed measures in the area of order-based processing of personal data. He assures that the processed data is strictly separated from other data.
3.4. The contractor will immediately inform the client if, in his opinion, an instruction issued by the client violates statutory provisions. The contractor shall be entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the person responsible at the client.
3.5. The contractor agrees that the client – by appointment – is entitled to control compliance with this agreement to the extent required under Art. 28 GDPR either directly or through third parties commissioned by the client. The contractor undertakes to provide the client with the necessary information and to prove the implementation of the technical and organizational measures.
3.6. After completion of the contractual obligations, the contractor shall delete all data, documents and processing or utilization results, which were obtained in connection with the contractual relationship unless doing so is not possible due to legal or factual grounds.
3.7. Data protection officer of the contractor is
Donica Cunnington
Changes of the data protection officer shall be notified to the client without undue delay.
3.8. The contractor confirms to be familiar with the data protection regulations of the GDPR that are relevant for the processing of personal data and that is in compliance with his respective obligations.
3.9. The contractor undertakes to maintain confidentiality when processing personal data provided by the client. This obligation shall survive the termination of the agreement.
3.10. The contractor warrants that the employees involved in the provision of the services are familiar with the requirements of data protection relevant to their work and that they are bound to maintain confidentiality for the duration of their employment as well as after termination of the employment relationship. The contractor monitors compliance with the data protection regulations.
3.11. The contractor may only provide information to third parties or the data subject about personal data obtained in the course of the service with prior instruction or written consent of the client, or when as this information is provided on the basis of legal requirements.
- Subcontractors
4.1. The use of subcontractors for the processing of data such as registries, registrars and data escrow providers is permitted due to the special nature of the process of administrating and registering domain names and requires no further consent, provided the use of these subcontractors is required to execute orders under the main agreement. The approval required under Art. 28 (2) and (9) GDPR is hereby granted.
4.2. Name and address as well as the intended activity of the subcontractor are included in the applicable contract appendices and/or the information page for the specific TLDs. The contractor shall ensure that he has carefully selected the subcontractor with special consideration of the suitability of the technical and organizational measures taken by the subcontractor in accordance with Art. 32 GDPR.
4.3. Subcontractors in third countries may only be commissioned if the special conditions of Art. 44 et seq. GDPR are met (for example adequacy decisions by the European Commission, model data protection clauses, approved codes of conduct) or if their commissioning is absolutely necessary for the provision of the service by the contractor.
4.4. The contractor must ensure that the agreed regulations between the client and the contractor apply to subcontractors to the greatest extent possible and will regularly review compliance with the obligations of the subcontractor(s).
4.5. In the agreement with the subcontractor the responsibilities of the parties shall be so specific to allow a clear distinction. If multiple subcontractors are used this also applies to the responsibilities between these subcontractors.
4.6. The subcontractors currently engaged in the processing of personal data for the contractor are listed in the respective service description or result from the service. The client agrees to their commissioning.
4.7. The processor shall provide advance information to the controller of any change with regard to the use of new or the replacement of existing subcontractors to allow the client the opportunity to object to such changes (Art. 28 II, 2 GDPR).
- Technical and organizational measures
5.1. The contractor shall ensure an appropriate level of protection for any data processing in accordance with the risks towards the rights and freedoms of data subjects affected by the processing. This shall at a minimum take into account the protection objectives of confidentiality, availability and integrity of the systems and services, as well as their resilience in terms of the nature, extent, circumstances and purpose of the processing so as to permanently reduce such risks by means of appropriate technical and organizational corrective measures.
5.2. The data protection concept utilized by the contractor has selected its technical and organizational measures by taking into account the protection objectives in accordance with the state of the art of the IT systems and processing processes.
5.3. The contractor shall comply with the principles of proper data processing. He shall ensure the contractually agreed and legally required data security measures.
5.4. The technical and organizational measures may be modified to keep pace with technical and organizational developments over the course of the contractual relationship. The contractor shall establish procedures for the periodic review and evaluation of the effectiveness of the measures to ensure the safety of the processing. Significant changes will be communicated to the client in documented form.
5.5. The contractor shall immediately notify the client of any disruptions, violations against data protection regulations or the stipulations made under this agreement by the contractor or persons under his employ, as well as about the suspicion of data breaches or irregularities in the processing of personal data. This applies in particular with regard to any notification and notification obligations of the client in accordance with Art. 33 and 34 GDPR. The contractor agrees to adequately support the client in his duties according to Art. 33 and 34 GDPR.
- Liability
6.1. For the compensation of damages suffered by a data subject within the scope of the contractual relationship due to violations of data protection requirements or incorrect data processing responsibility towards the data subject rests with the client. The client may only take recourse for such third-party damages permissible if the contractor has violated this agreement with intent or in a grossly negligent manner.
6.2. For all other intents and purposes the existing liability terms for the respective services as agreed in the main agreement apply.
- Special right of termination
7.1. In the case of serious violations of the terms of this agreement, in particular against compliance with applicable data protection regulations, the client entitled to a special right of immediate termination. Further sanctions, in particular contractual penalties, are excluded.
7.2. In particular a serious breach shall be presumed if the contractor has not materially fulfilled or has not fulfilled at all the obligations specified under this agreement.
7.3. In the case of insignificant violations the client shall set a reasonable deadline for the contractor to remedy the situation. If the remedy does not occur in time, the client is entitled to extraordinary termination as described in this section.
- Miscellaneous
8.1. Both parties are obliged to treat in confidence all knowledge of business secrets and data security measures of the respective other party obtained over the course of the contractual relationship. This obligation shall survive the termination of this agreement. In case of doubt as to whether certain information is subject to this obligation it must be treated as confidential until written approval by the other party.
8.2. The written form is required for side agreements.
8.3. Terms used in this contract are to be understood according to their definitions in the EU General Data Protection Regulation.
- Effectiveness of the agreements
Should individual terms or clauses of the agreement be invalid or unenforceable, this does not affect the validity of the agreement otherwise. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes closest to the economic purpose pursued by the parties with the invalid or unenforceable provision.