Terms & Conditions
The undersigned:
1. CordialPress
hereinafter referred to as: Controller
and
2. Fluent CRM
hereinafter referred to as: Processor
hereinafter jointly referred to as: Parties;
WHEREAS:
- Insofar as the Contractor processes Personal Data on behalf of the Client within the scope of the Agreement, the Client qualifies as the Controller for the Processing of Personal Data and the Contractor as the Processor, pursuant to Article 4 (7) and (8) of the Regulation;
- The Parties to this Data Processing Agreement, within the meaning of Article 28 paragraph 3 of the Regulation, wish to record their agreements on the Processing of Personal Data.
Agree as follows:
1. Definitions
The following terms used in this Data Processing Agreement shall have the meaning hereby assigned to them:
1.1 Agreement
The agreement between the Controller and the Processor.
1.2 Data Subject
The person to whom Personal Data relates.
1.3 Data Processing Agreement
This agreement including its recitals and annexes.
1.4 Personal Data
Any information relating to an identified or identifiable natural person that the Processor processes on behalf of the Controller within the scope of the Agreement.
1.5 Personal Data Breach
A breach of security that accidentally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure or access to personal data transmitted, stored or otherwise processed.
1.6 Processing
Any operation or any set of operations relating to Personal Data within the scope of the Agreement, carried out by means of automated processes or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, disseminating or otherwise making available, aligning or combining, restriction, erasure or destruction.
1.7 Regulation
Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
2. Subject of this Data Processing Agreement
2.1
This Data Processing Agreement regulates the Processing of Personal Data by the Processor within the scope of the Agreement.
2.2
The nature and the purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are set out in Annex 1.
2.3
The Processor guarantees the implementation of appropriate technical and organizational measures, so that the Processing complies with the requirements of the Regulation and the protection of the rights of the Data Subject is guaranteed.
2.4
The Processor guarantees compliance with the requirements of applicable legislation and regulations relating to the processing of Personal Data.
2.5
The personal data to be processed on the instructions of the Controller shall remain the property of the Controller.
3. Entry into force and duration
3.1
This Agreement shall enter into force on the date it is signed by the Parties.
3.2
This Data Processing Agreement shall terminate after and insofar as the Processor has deleted or returned all Personal Data in accordance with Article 10.
3.3
Neither Party may terminate this Data Processing Agreement prematurely.
3.4
Parties may only amend this Agreement by mutual consent.
4. Scope of Processing Authority of the Processor
4.1
The Processor shall process the Personal Data exclusively on the basis of written instructions from the Controller, except in the case of derogating statutory provisions applicable to the Processor.
4.2
If, in the opinion of the Processor, an instruction as referred to in the first paragraph conflicts with a statutory regulation on data protection, it shall inform the Controller thereof prior to the Processing, unless a statutory regulation prohibits such notification.
4.3
If the Processor is required to provide Personal Data on the basis of a statutory provision, it shall inform the Controller without delay and, if possible, prior to providing the data.
4.4
The Processor has no control over the purpose and means of Processing of Personal Data.
5. Security of the Processing
5.1
The Processor will endeavour to implement adequate technical and organizational measures with regard to the processing operations of personal data to be carried out, against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or transmission of personal data).
5.2
Parties recognise that ensuring an appropriate level of security may require additional security measures to be implemented at any time. The Processor shall ensure a level of security appropriate to the risk. If and insofar as the Controller explicitly requests this in writing, the Processor shall implement additional measures with respect to the security of the Personal Data.
5.3
The Processor shall not process Personal Data outside the European Union, unless explicit written consent to do so has been granted by the Controller and subject to derogating statutory obligations.
5.4
The Processor shall inform the Controller without unreasonable delay as soon as it has become aware of any unlawful Processing of Personal Data or any breach of security measures as referred to in the first and second paragraph.
5.5
The Processor shall assist the Controller in compliance with the obligations under Articles 32 through 36 of the Regulation.
6. Duty of Confidentiality of Personnel of the Processor
6.1
The Personal Data is of a confidential nature. The Processor shall not use this data for any purpose other than for which it has been acquired, even if it has been converted into such a form that it cannot be traced to data subjects.
6.2
At the request of the Controller, the Processor shall demonstrate that its Personnel have undertaken to observe confidentiality. The personal data will only be disclosed to those employees and/or third parties who must necessarily take cognisance of the Personal Data.
6.3
This duty of confidentiality shall not apply where the Controller has given express consent to disclose the data to third parties, if disclosure of the data to third parties is logically necessary given the nature of the assignment and the performance of this Data Processing Agreement, or if there is a statutory obligation to disclose the data to a third party.
7. Sub-processor
7.1
Within the scope of the Agreement, the Processor may make use of third parties on condition that the Controller is informed thereof in advance; the Controller may terminate the Agreement if it cannot accept the use of a specific third party.
7.2
In any case, the Processor shall ensure that these third parties assume, in writing, at least the same obligations as those agreed between the Controller and the Processor.
7.3
The Processor is responsible for correct compliance with the obligations under this Data Processing Agreement by these third parties, and in the event of errors by these third parties it shall be liable as if it were at fault.
8. Assistance on account of the rights of the Data Subject
8.1
In the event a data subject submits a request to the Processor to exercise his/her legal rights, the Processor shall forward the request to the Controller, and the Controller shall further handle the request. The Processor may inform the data subject accordingly.
8.2
The Processor shall, to the extent within its power, provide assistance to the Controller in fulfilling the latter's obligation to respond to requests of the Data Subject to exercise its rights laid down in Chapter III of the Regulation.
9. Personal Data Breach
9.1
The Processor shall inform the Controller without unreasonable delay, as soon as it has become aware of a Personal Data Breach, but no later than within 36 hours after discovery.
9.2
Information that must at least be provided by the Processor shall include:
- The nature of the Personal Data Breach
- The Personal Data and Data Subject
- Likely consequences of the Personal Data Breach
- Measures proposed or implemented by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3
The Processor shall also inform the Controller of further developments concerning the Personal Data Breach after having reported the breach pursuant to the first paragraph.
9.4
Each party shall bear their own costs relating to the report to the competent supervisory authority and the Data Subject.
9.5
In accordance with Article 33, paragraph 5 of the GDPR, the Processor shall document all data breaches, including the facts relating to the Personal Data Breach, its consequences and the corrective measures taken. Upon request, the Processor shall provide the Controller with access to this information.
10. Returning Personal Data
10.1
After expiry of the Agreement, the Processor shall, at the discretion of the Controller, arrange for the return of all Personal Data to the Controller or for the erasure of all Personal Data. The Processor shall remove all copies, except where otherwise provided by law.
10.2
The Controller shall have the right to have audits carried out by an independent external expert, who is bound by confidentiality, to verify compliance with all points of the Data Processing Agreement and everything directly related to this. This audit shall only take place after the Controller has requested similar audit reports from the Processor, reviewed them, and put forward reasonable arguments to justify an audit initiated by the Controller.
10.3
Such an audit shall be justified in the event of a concrete suspicion of abuse. The Controller shall communicate the audit to the Processor in advance, with due observance of a minimum period of two weeks.
10.4
The findings of the audit carried out will be assessed by the Parties in joint consultation and, depending on the assessment, implemented (or not) by either Party or jointly by both Parties.
10.5
The costs of the audit as described in paragraph 1 shall be borne by the Processor.
11. Other Terms and Conditions
11.1
The Processor shall be liable towards the Controller for all consequences of the breach of this Data Processing Agreement, and shall indemnify the Controller against all claims by third parties, including any penalties, to the extent attributable to the Processor.
Annex 1: The Processing of Personal Data
Purpose of the processing
Newsletters
Personal Data
Within the scope of the Data Processing Agreement, the Processor shall process the following (special) personal data on the instructions of the Controller:
- Email address
Data subject categories
Personal data of the following groups of persons shall be processed:
- Other: subscribers
Data subject categories
The Controller shall ensure that the purposes, personal data, and categories of data subjects described in this Annex 1 are complete and correct, and shall indemnify the Processor against any defects and claims resulting from an incorrect representation by the Controller.
Annex 2: Engagement of third parties and/or sub-processors
The Controller has given the Processor permission to engage the following third parties and/or sub-processor(s):
This agreement takes effect when all parties have signed it, and its date is the date next to [or below] the signature of the last signer to sign it.
Date: ____________
Controller:
Per:___________________________
Service Provider:
Per:___________________________