AIM Cloud Services


DATA PROCESSING AGREEMENT

 

WHEREAS

 

A.    Company acts as a Controller. Company wishes to use the Cloud Service proposed by Reseller, which implies the processing of personal data by Reseller acting as Processor.

B.    The Parties seek to implement a data processing agreement that complies with the requirements of the Data Protection Laws. The Parties wish to lay down their rights and obligations in this Data Processing Agreement (hereinafter the “DPA”) which is incorporated into and forms part of the Agreement between Reseller and Company. This DPA applies to Personal Data processed by Reseller and its Sub-processors in connection with provision of the Cloud Service, to the extent that such Personal Data is processed on behalf of Customer and is subject to Data Protection Laws.

 

IT IS AGREED AS FOLLOWS:

 

1.     Definitions and Interpretation

 

1.1 Unless otherwise defined in the Agreement, capitalized terms and expressions used in this DPA shall have the following meanings:

“Company Personal Data” means any Personal Data Processed by Reseller or a Sub-processor on behalf of Company pursuant to or in connection with the Agreement;

“Data Protection Laws” means (i) the GDPR and laws implementing or supplementing the GDPR and, to the extent applicable, (ii) the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019; in each case as may be amended from time to time.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);

“Sub-processor” means any person appointed by Reseller to process Company Personal Data on behalf of Company in connection with the DPA.

 

The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” or “processing” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly.

 

2.     Processing of Company Personal Data

 

2.1. Each Party shall comply with Data Protection Laws directly applicable to its Processing of Company Personal Data.

2.2. Reseller shall process Company Personal Data only in accordance with the Company’s documented instructions, unless required to do so by law (in which case, Reseller shall inform Company of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). The Agreement as well as the use of the Cloud Service functionalities constitute Company’s documented instructions. Reseller shall immediately inform Company if, in its opinion, an instruction infringes Data Protection Laws. Notwithstanding the foregoing, nothing in this DPA shall be construed as an affirmative obligation of Reseller to verify the compliance with Data Protection Laws or an instruction from Company.

2.3 Company will collect and maintain Company Personal Data in compliance with applicable Data Protection Laws. Company shall be solely responsible for obtaining any relevant authorizations, consents and permissions for the processing of Company Personal Data in accordance with this DPA. Where authorizations, consent, instructions or permissions are provided by Company these are provided not only on behalf of Company but also on behalf of any other Controller authorized by Company to use the Cloud Service.

 

3.     Duty of confidentiality. Reseller Personnel

 

3.1. Reseller shall take reasonable steps to ensure that access to Company Personal Data is strictly limited to those individuals who need to know or access such data, as necessary for the purposes of the Agreement.

 

3.2. Reseller shall take reasonable steps to ensure its employees, agents and contractors, and those of its Sub-processors, who may have access to Company Personal Data, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

4.     Security of processing

 

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Reseller shall in relation to Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Reseller shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach affecting Company Personal Data.

4.3. The security technical and organizational measures related to the Cloud Service are confidential but are available to Company upon request. Reseller may change the security technical and organizational measures at any time provided such changes do not diminish the level of security provided.

 

5.     Sub-processing

 

5.1. Company hereby authorizes Reseller to appoint and disclose Company Personal Data to Sub-processors as necessary to perform the Agreement, provided Reseller and each Sub-processor enter into a written agreement with data protection terms consistent with the terms of this DPA and ensuring sufficient guarantees to implement appropriate technical and organisational measures. Reseller shall remain liable for Sub-processors’ compliance with the terms of this DPA.

5.2. The list of Sub-processors is the following:

Coteng nv, Kruiningenstraat 6+8, 2100 Deurne, Belgium

Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, Luxembourg, Luxembourg

Axalta Coating Systems GmbH

Axalta Coating Systems Belgium BVBA

Axalta Coating Systems Sweden AB

Axalta Coating Systems Germany GmbH & Co. KG

Axalta Coating Systems France SAS

Axalta Coating Systems Austria GmbH

5.3. Reseller shall inform Company via e-mail of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Company the opportunity to object to such changes if Company has a legitimate reason to do so. Company shall have 15 (fifteen) days from the date of such email to notify Reseller in writing that Company objects to the Sub-processor. In such situation, the parties shall discuss in good faith to try to find an acceptable solution, failing which Company may terminate the Agreement. Notwithstanding the foregoing, Reseller may replace a Sub-processor without advance notice where the reason for the change is outside of Reseller’s reasonable control and prompt replacement is required for security or other urgent reasons. In this case, Reseller will inform Company of the replacement Sub-processor as soon as possible following its appointment.

 

6.     Data Location. Data Transfer

 

6.1. Data centre location. The data centres used to host Company Personal Data in the Cloud Service are located in the EEA or Switzerland. Should Reseller plan to migrate Company Personal Data outside of EEA or Switzerland, Reseller will notify Company in writing.

6.2. Reseller may not transfer or authorize the transfer of Personal Data to countries outside the EU and/or the European Economic Area (EEA) unless such country ensures an adequate level of protection, or enforceable data subject rights and effective legal remedies for data subjects are available and Reseller has provided appropriate safeguards such as binding corporate rules, standard data protection clauses or an approved code of conduct.

6.3 With respect to the Company Personal Data, Company, as data exporter, and Reseller, as data importer on behalf of its affiliate(s) in any third country (as defined under Data Protection Laws), hereby enter into the European Commission-approved controller to processor standard contractual clauses (“SCC”), which are expressly incorporated herein by reference and take effect as from the commencement of a transfer of Company Personal Data to the extent such transfer would be prohibited by Data Protection Laws in the absence of the SCC. Appendix 1 of the SCC is completed by Section 13 of this DPA, and Appendix 2 of the SCC is completed by the technical and organizational measures referred to in Section 4 of this DPA. To the extent the SCC are superseded by new or amended standard contractual clauses (“Amended SCC”), the Amended SCC will be expressly incorporated herein upon Company’s written notice to Reseller given at least fourteen (14) days prior to Company’s proposed effective date of the Amended SCC, and the Amended SCC shall take effect and be binding upon the parties as of such effective date, unless Reseller provides written notice of its objection to Company prior to the effective date.

 

7.     Data Subject Rights

 

7.1. Data Subject rights. Taking appropriate technical and organisational measures and insofar as this is possible, Reseller shall take reasonable and appropriate measures to help Company respond to requests from individuals to exercise their Data Subject rights that implicate Company Personal Data.

7.2. Data Subject request. Reseller shall:

-        notify Company as soon as reasonably possible if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

-        ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable Data Protection Laws to which the Reseller is subject, in which case Reseller shall, to the extent permitted by applicable Data Protection Laws, inform Company of that legal requirement before responding to the request.

 

8.     Assistance

 

Taking into account the nature of the Processing and the information available, Reseller shall reasonably assist Company in meeting its Data Protection Laws obligations in relation to keeping Company Personal Data secure, notifying Personal Data Breaches affecting Company Personal Data to the Supervisory Authority and Data Subjects, carrying out data protection impact assessments (DPIA) of Company Personal Data when required and consulting the Supervisory Authority where such a DPIA indicates there is a high risk that cannot be mitigated.

 

9.     Audit rights

 

Reseller shall make available to Company on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to reasonable audits, including inspections, at Company’s expense, by Company or an independent third-party auditor mandated by Company in relation to the Processing of Company Personal Data, provided, however, that Company shall provide Reseller at least fourteen (14) days’ prior written notice of such audit or inspection; that no more than one audit or inspection shall be conducted in any 12-month period unless required by a Supervisory Authority or unless in the event of a Personal Data Breach affecting Company Personal Data; and that Company’s audit or inspection rights shall be subject to and limited by requirements of Data Protection Laws or any contractual provisions regarding confidentiality, including but not limited to confidentiality obligations owed to customers of Reseller or Reseller’s Sub-processors. Prior to any audit, the Parties shall agree on the scope, schedule and allocation of Reseller’s potential costs of such audit, which shall not interfere with normal course of business.

 

10.   Personal Data Breach

 

Reseller shall notify Company without undue delay upon Reseller becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet its obligations to report or inform Data Subjects of such Personal Data Breach under the Data Protection Laws.

 

11.  Deletion

 

Reseller shall, upon notification by Company, delete or return all Company Personal Data to Customer, subject to any Data Protection Laws that require Reseller to retain the Company Personal Data, in which case Reseller shall take reasonable steps to secure the Company Personal Data and keep it confidential.

 

12.  Precedence

 

In the event of any conflict between the terms of this DPA and the Agreement, the terms of this DPA shall prevail.

 

 

13.  Detail of the Personal Data Processing

 

·       Subject matter and purpose of the processing: Provide the Cloud Service and notably identify the users, show custom content and track product consumption per user, and more generally to perform obligations and exercise rights under the Agreement

·       Duration of the processing: Term of the Agreement

·       Nature of the processing: Automated and Manual Processing Operations.

·       Type of personal data involved: UID, Full Name, E-Mail Address, Phone Number, Company (employer), Job Title, Country, City, Zip Code, Language

·       Categories of data subject: Employees, Employees of Suppliers