
Data Processing Agreement (DPA)

Last Updated October 2020


  1. General Data Protection regulation (GDPR)
  2. Data Processing Agreement
  3. EU Standard Contractual Clauses
  4. Technical and Organizational Measures
  5. Data Processing Details
  6. Sub-Processor List


This Data Processing Agreement (“Agreement”) is made upon acceptance of the Main Agreement as defined below, between the customer entity accepting the terms of the Main Agreement (“Company”); and the Processor entering into the Main Agreement (“Plannuh”), each a “Party” and together the “Parties”.

RECITALS

(A) Plannuh and Company have entered into one or more agreements under which Plannuh supplies certain SaaS products to Company from time to time as detailed in the various agreements (referred to collectively as the “Main Agreement”).

(B) The Parties have agreed that in order for Plannuh to perform its obligations pursuant to such Main Agreement, it will be necessary for Plannuh to Process certain Personal Data in respect of which Company will be a Data Controller, or acting on behalf of the Data Controller, for the purposes of this Agreement under and subject to the applicable Data Protection Laws (as defined below).

(C) The Parties have agreed to enter into this overarching Agreement in order to address the compliance obligations imposed upon Company pursuant to applicable Data Protection Laws, and to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data.

(D) Except as otherwise expressly set forth in the Main Agreement between the Parties, the provision of Services shall be governed by Agreement pursuant to applicable Data Protection Laws and this Agreement is hereby incorporated into the Main Agreement by reference.

1. DEFINITIONS.

The following expressions are used in this Agreement: In the event the definitions herein differ from the Main Agreement relating to data protection, this Agreement shall prevail as to the specific subject matter of such definition.

(a) “Services” refers to the application, product or services and other activities to be supplied or carried out by or on behalf of Company/Company Affiliate pursuant to the Main Agreement.

(b) “Data Subject Request” means a request from or on behalf of a Data Subject relating to access of, or the rectification of, erasure of or data portability of that person’s Personal Data or an objection from or on behalf of a Data Subject to the Processing of his or her Personal Data.

(c) “Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Main Agreement, including but not limited to the GDPR.

(d) “GDPR” means Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (known as the General Data Protection Regulation).

(e) “EU Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR, pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010.

(f) “Personal Data” shall have the meaning given to it by applicable Data Protection Laws.

(g) “Personal Data Breach” means a Personal Data breach as defined under applicable Data Protection Laws that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data within Plannuh’s scope of responsibility by any of its staff, sub-processors or any other identified or unidentified third party after Plannuh becomes aware with a reasonable degree of certainty that such Personal Data Breach has occurred.

(h) “Adequate Country” means a country, territory, or specified sectors within a country and international organization published by the European Commission in the Official Journal of the European Union for which it has decided that an adequate level of protection is ensured.

(i) “Process”, “Processing”, “Controller”, “Data Controller”, “Processor”, “Data Processor”, “Data Subject”, and “Supervisory Authority” or “National Authority” shall have the meanings given to them by GDPR.

2. STATUS OF THE PARTIES

2.1 Company is the Data Controller and Plannuh is the Data Processor. Accordingly, Company grants Plannuh the right to Process the Personal Data for the purposes of providing the Services to Company. Plannuh agrees that it shall Process all Personal Data in accordance with its obligations in performing the Services pursuant to this Agreement and the Main Agreement.

3. PROCESSING REQUIREMENTS

3.1 Data Processing Details. The type of Personal Data Processed pursuant to this Agreement as well as the subject matter, nature and purpose of the Processing, the Data Subjects involved, and the location(s) and duration of the Processing (details required by GDPR Article 28(3)) are as described in the Data Processing Details.

3.2 Processing under Control of Controller. Plannuh shall only Process the Personal Data to provide the Services and shall act only in accordance with Company’s documented instructions to the extent appropriate for the provision of the Services, and except as required to comply with a legal obligation to which Plannuh is subject. Company’s individual instructions on Processing of Personal Data shall be as detailed in the Main Agreement and this Agreement. To fully optimize product performance, Company instructs Plannuh and its sub-processors to use, compile (including statistical and other models), annotate and otherwise analyze the Data to develop, train, tune, enhance, and improve the benchmarking, forecasting, recommendation and other components of Plannuh’s software and technologies embodied in the SaaS product.

3.3 Confidentiality. Without prejudice to any existing contractual arrangements between the Parties, Plannuh shall treat all Personal Data as strictly confidential. Plannuh shall take appropriate steps so that only authorized personnel who are subject to binding obligations of confidentiality, either contractual or statutory, will have access to the Personal Data. Termination or expiration of this Agreement shall not discharge Plannuh from its confidentiality obligations.

3.4 Limitation of Access. Plannuh will ensure the performance of the Services according to this Agreement is limited to the personnel performing the Services under the Main Agreement.

3.5 Data Subject Requests. As between the Parties, Company shall be responsible for addressing all Data Subject Requests. Plannuh shall promptly notify Company if Plannuh receives a request from a Data Subject to exercise his or her Data Subject’s rights. Taking into account the nature of the Processing and insofar as possible, Plannuh shall assist Company by appropriate technical and organization measures in fulfilment of Company’s obligations to respond to said Data Subject Request under applicable Data Protection Laws. To the extent legally permitted, Company shall be responsible for any costs arising from Plannuh’s provision of such assistance.

3.6 Notice of Personal Data Breach. Plannuh maintains an Incident Management Policy and shall notify Company of any Personal Data Breach without undue delay. In the event of a Personal Data Breach, Plannuh shall make reasonable efforts to identify the cause of such Personal Data Breach and take reasonable steps as Plannuh deems necessary and reasonable under industry standards, in order to remediate the cause of such breach to the extent the remediation is within Plannuh’s reasonable control, in fulfilling Company’s obligation under Data Protection Laws. Plannuh shall not be responsible for incidents that are caused by Company or Company’s end users.

3.7 Deletion of Personal Data. Upon Company’s written request, or as reasonably practicable following the termination of this Agreement or the Main Agreement, Plannuh shall delete all Personal Data, except to the extent applicable law requires Plannuh to continue to store the Personal Data. Company acknowledges that Plannuh’s deletion of Personal Data represents compliance with any legal obligation to return Personal Data to Company.

3.8 Audit and Records. Subject to reasonable prior notice from Company, Plannuh shall provide Company with reasonable evidence to demonstrate Plannuh’s compliance with this Agreement and Data Protection Laws and shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company. Company’s right of audit under Data Protection Laws may be satisfied by Plannuh through Plannuh providing to Company:

(a) an audit report not older than 18 months by a registered and independent external auditor demonstrating that Plannuh’s technical and organizational measures described in the Description of Technical and Organizational Measures are sufficient and in accordance with an accepted industry audit standard such as SOC 2; and/or

(b) additional information in Plannuh’s possession or control to a Supervisory Authority when it requests or requires additional information in relation to the data processing activities carried out by Plannuh under this Agreement.

(c) If Plannuh is unable to provide the information in (a) and (b) above, Company may audit Plannuh’s control practices. Company shall reimburse Plannuh for any time expended for any such audit at Plannuh’s then-current services rates, which shall be made available to Company upon request. Before the commencement of any such on-site audit, Company and Plannuh shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Plannuh shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Plannuh. Company shall promptly notify Plannuh with information regarding any noncompliance discovered during the course of an audit and allow reasonable time for remediation.

(d) The Parties agree that when carrying out audit procedures relevant to the protection of Personal Data, the Company shall take all reasonable measures to limit any impact on Plannuh’s usual course of business operations.

4. SECURITY

Taking into account the most recent available technology, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Plannuh will maintain appropriate technical and organizational protections as set forth in the Description of Technical and Organizational Measures.

5. SUB-PROCESSING

5.1 Cloud Services Sub-Processor. Company grants Plannuh a specific authorization to appoint AWS as cloud services provider for the Services.

5.3 Other Sub-Processors. Company grants Plannuh and Affiliates a general authorization to appoint the following types of sub-processors to support the delivery of the Services: Plannuh accountants, auditors and attorneys; consulting firms providing information technology and security advisory and support services; third party data center operators, and providers of outsourced technical support services.

5.4 List Available. A list of all sub-processors approved by Company above is included in the Sub-Processor List.

5.5 Sub-Processor Changes; Company Right to Object. Plannuh will notify Company of the names of any new and replacement sub-processors prior to them beginning sub-processing of Personal Data. Within ten (10) business days of receiving notice of a sub-processor change, Company may object by providing written notice to Plannuh. The notice shall describe the basis for Company’s objection, which must have reasonable grounds. Failure to notify an objection during such time period shall constitute waiver of the right to object. If Company gives written notice of objection, Plannuh and Company will discuss the objection in good faith to seek to resolve it. If Company does not object, the Sub-Processor List is deemed amended to include the sub-processor identified in the notice.

6. DATA TRANSFERS

6.1 Plannuh Hosting Location. Plannuh provides, operates, and maintains its SaaS application in the locations described in the Data Processing Details.

6.2 Transfer outside EEA, Switzerland and UK by Company. If, in connection with this Agreement, any Personal Data is provided by Company from the EEA, Switzerland or the UK to Plannuh outside the EEA, UK, Switzerland and an Adequate Country, such transfer will be governed by the EU Standard Contractual Clauses.

6.3 Transfers outside the UK or EEA. Company acknowledges that Plannuh may transfer Personal Data to Affiliates and other sub-processors operating outside the UK or EEA. If, in the performance of this Agreement, Plannuh transfers any Personal Data outside the UK or EEA (and not to an Adequate Country), Plannuh shall ensure that a mechanism to achieve adequacy in respect to the Processing is in place, such as:

(a) The requirement for Plannuh to execute, for itself and/or on behalf of Company, Standard Contractual Clauses, as set forth in the EU Standard Contractual Clauses. Upon request, Plannuh will provide to Company for review such copies of agreements, subject to redaction for confidential commercial information not relevant to the requirements under this Agreement. Company authorizes Plannuh and its Affiliates to enter into Standard Contractual Clauses consistent with this Data Processing Agreement on behalf of Company.

(c) The existence of any other specifically approved safeguard for data transfer under Data Protection Laws or a European Commission finding of adequacy.

9. GOVERNING LAW

Without prejudice to the Standard Contractual Clauses, this Agreement shall be governed by and construed in all respects in accordance with the laws of Ireland, and the Parties to this Agreement hereby submit to the exclusive jurisdiction of the courts of Ireland in respect of any dispute arising under or in relation to this Agreement.

Should any provision of this Agreement be invalid or unenforceable, then the remainder of the Agreement shall remain valid and in force. The invalid or unenforceable provisions shall be either (i) amended as necessary to ensure their validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

10. MISCELLANEOUS PROVISIONS

10.1 Limitation of Liability. Company’s remedies and Plannuh’s liability arising out of or related to this Agreement will be subject to those limitations and exclusions of liability that apply to Company under the Main Agreement to which this Agreement relates. As between the Parties, in no event shall Plannuh be responsible for any liability arising from Plannuh’s compliance with Company’s instructions.

10.2 Order of Precedence. To the extent that any provisions of this Agreement conflict with any provisions in the Main Agreement, this Agreement shall prevail as to the specific subject matter of such provisions; provided, however, that any limitations and exclusions of liability in the Main Agreement and any indemnification provisions in the Main Agreement shall in any event prevail over any provision of this Agreement. If Plannuh provides this Agreement in more than one language for the country of your billing address, and there is a discrepancy between the English text and the translated text, the English text will govern.

The following additional terms are part of this Agreement and are incorporated herein as stated above.
