This Data Processing Addendum (“DPA”) is an appendix to the Service Agreement between Zervant and the Customer, and is subject to its terms and conditions to the extent not otherwise agreed herein. It is legally binding only in connection with the Service Agreement between Zervant and Customer. The Service Agreement together with all its appendices (including this DPA) are jointly referred to as the “Agreement”.
1. Definitions of the DPA
The definitions of the Service Agreement apply to this DPA. In addition, the following definitions apply for the purposes of this DPA:
Personal Data means any information relating to an identified or identifiable natural person (the data subject), whether such identification is or can be done directly or indirectly.
Customer Personal Data means the personal data of the Customer or otherwise related to the Customer’s operations.
Processing means operations and actions that concern or include Personal Data such as collection, recording, organization, storage, adaptation or alteration, retrieval or use.
Data Controller means the entity who alone or jointly with others determines the purposes and means of the Processing of personal data.
Data subject means the natural person, who’s Personal Data is processed.
Processor means the entity who processes Personal Data on behalf and under the instructions of the Controller.
Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Applicable Laws means the laws of and practice arising from the General Data Protection Regulation, national legislation implementing or complementing the General Data Protection Regulation, the regulations and statements of regulatory authorities, including the European Data Protection Board, and acts of the Commission.
Subcontractor means an entity who processes Personal Data in accordance with the instructions of the Processor as a sub-processor of the Processor.
Zervant provides Services to Customer as identified in the Service Agreement. In the course of providing the Services to the Customer pursuant to the Service Agreement, Zervant may process Personal Data on behalf of the Customer. The purpose of this DPA is to agree the terms and conditions applicable to the Processing of Customer Personal Data in connection with the Services.
3. Customer obligations
3.1 Data Controller
Customer is the Data Controller in relation to any Customer Personal Data processed under this DPA and the Service Agreement, and shall be responsible for the lawful collection, Processing and use, and for the accuracy of the Customer Personal Data, as well as for fulfilling other legal obligations of a data controller. The Customer shall be responsible for informing the Data Subjects of disclosures of their Personal Data to and shall obtain their consent for such disclosures if necessary.
Customer acknowledges that the Processor cannot control and has no obligation to verify the Customer Personal Data disclosed or transferred to the Processor for Processing on behalf of the Customer when the Customer uses the Services. Customer ensures and is liable for having the appropriate legal basis to transfer and disclose the Customer Personal Data to the Processor so that the Processor may lawfully process the Customer Personal Data as agreed between the Parties.
Customer confirms that Customer’s instructions on Processing the Customer Personal Data (“Instructions”) are exhaustively set out in the Agreement. In case Customer subsequently wants to modify its Instructions, it shall primarily use the functions offered by the Services. If such functions would however not be sufficient for implementing such new Instructions, Customer shall contact the Processor in writing. If the scope of such new Instructions is beyond the Services, the Processor shall be entitled to charge the Customer for any additional costs incurred in relation to the Processor implementing such new Instructions. Instructions must be commercially reasonable, compliant with Applicable Laws and consistent with the Agreement.
4. Zervant obligations
4.1 Data Processor
Zervant is the Processor in relation of the Customer Personal Data Processed under the Agreement. Zervant undertakes to abide by the Applicable Laws and the Customer’s Instructions in relation to all its Processing of the Customer Personal Data. The Processor may not copy or reproduce the Customer Personal Data or in any way Process the Customer Personal Data for purposes other than those agreed on any Processing in the Agreement.
Processor shall notify the Customer if it reasonably believes that any new Instruction issued by Customer violate the Applicable Laws. Processor may suspend the implementation of such new Instruction until it is modified or confirmed by the Customer. The Customer is always ultimately responsible for any and all of its Instructions complying with the Applicable Laws. The Processor shall only be obligated to notify the Customer if it detects any imminent incompliances with the Applicable Laws in the Instructions, but is not otherwise obligated to inspect or verify the Instructions compliance with the Applicable Laws.
Zervant agrees to reasonable assist the Customer in performing its obligations as a Data Controller in relation to the Customer Personal Data Processed by Zervant hereunder. These obligations may include assisting the Customer in answering to requests or inquiries made by competent supervisory authorities, performing data protection impact assessments and requesting prior consultation with the supervisory authorities, as well as assisting the Customer in realizing requests made by Data Subjects in relation to their rights under the Applicable Laws.
When it comes to assistance in responding requests made by a Data Subject exercising her/his rights under the Applicable Laws (such as the right of access and the right to rectification or erasure), the Customer shall first use the corresponding functions of the Services. Where and to the extent the Customer cannot respond to such request by using the Services’ functions, Zervant shall otherwise provide Customer with commercially reasonable assistance. Zervant has the right to invoice any reasonable additional costs incurred due to such assistance and the Customer shall be obligated to pay such additional costs as invoiced by Zervant.
In case any Data Subject, other individual or supervisory authority makes a request for assistance directly to Zervant concerning the Customer Personal Data (such as a request for access, rectification or erasure, delivering any information or executing any other action), Zervant shall inform Customer on such request as soon as reasonably possible and as allowed by Applicable Law.
4.3 Transfers of personal data
Zervant mainly processes Customer Personal Data within the European Economic Area (“EEA”). However, in order to provide the Services, Zervant may from time to time have to disclose or transfer the Customer Personal Data also outside the EEA. These situations may include cases, where Zervant’s Subcontractors’ or their systems are located outside EEA. In such cases, Zervant shall always implement necessary legal safeguards to ensure the security and confidentiality of Customer Personal Data in accordance with Applicable Laws. The Customer acknowledges and accepts such disclosures and transfers in connection with the Services. Zervant shall, upon the Customer’s request, provide the Customer further information on such transfers and the applied legal safeguards.
Zervant’s right to use Subcontractors is further described below in section 6.
4.4 Data protection officer
Zervant has appointed Privacy and Information Officer to take care of Data protection issues. If required under Applicable Laws, Zervant appoints a data protection officer, and shall communicate the relevant contact details to Customer upon request.
Zervant familiarizes, instructs and trains its employees who participate in Processing Personal Data (including Customer Personal Data) of the data protection and privacy requirements under Applicable Laws, and ensures that these employees have committed themselves to appropriate confidentiality or are under an appropriate statutory obligation of confidentiality. Where the Customer has issued specific Instructions on Processing the Customer Personal Data, Zervant shall also instruct its employees participating in the Processing of the Customer Personal Data on the contents of any such Instructions.
Zervant implements and maintains appropriate technical and organizational security measures to protect all Personal Data (including the Customer Personal Data) it Processes. Zervant chooses such security measures at its sole discretion based on e.g. industry standards, market practice and specific requirements under Applicable Laws. Zervant may modify its security measures from time to time, but will not decrease the overall level of security during the term of the DPA.
Zervant shall at all times ensure the confidentiality, integrity, availability and resilience of the systems it uses for Processing of Personal Data. Zervant shall regularly test, investigate and evaluate the effectiveness of the technical and organizational security measures Zervant has implemented. Zervant undertakes to comply with regulatory decisions concerning appropriate security measures for the Processing of Personal Data.
In the event of any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Customer Personal Data Processed by Zervant (“Security Incident”), Zervant shall notify Customer without undue delay of such Security Incident.
Such notification of a Security Incident shall include at least and as required under the Applicable Laws:
a) a description of the nature and extent of the Security Incident, including, where feasible, the categories of and the approximate number of Data Subjects affected by the Security Incident as well as the categories of and the approximate amount of Customer Personal Data affected by the Security Incident;
b) name of and contact details of Zervant’s data protection officer (if appointed) or other points of contact where more information can be obtained;
c) a description of the estimated consequences of the Security Incident; and
d) a description of the measures which Zervant has taken or intends to take to address and amend the Security Incident, including measures for mitigating its potential negative effects.
The above mentioned information on the Security Incident may also be provided in phases if Zervant cannot provide them all simultaneously when informing the Customer of the Security Incident. Zervant shall document any and all Security Incidents it has suffered in accordance with Applicable Laws.
Zervant shall maintain appropriate records of or otherwise document its Processing concerning the Customer Personal Data where and to the extent required under Applicable Laws. Upon request, Zervant shall present to Customer a copy of the relevant part of such documentation or records relating to the Processing of Customer Personal Data by Zervant
The Customer or a third party auditor appointed by the Customer may audit Zervant’s compliance with this DPA and Applicable laws in relation to Processing of the Customer Personal Data in accordance with the terms of this DPA. The Customer must notify Zervant of any intended audit on the premises of Zervant in writing and always at least twentyone (21) days in advance. Zervant will create a test platform where the Customer can perform the audit in relation to Zervant’s Services. Such Audits must primarily be carried out by an independent third party auditor and always during normal business hours of Zervant without causing significant disturbances to the business operations of Zervant.
Zervant will provide a copy of its records of Processing of Customer Personal Data and any other existing documentation relevant to the audit and by request of the Customer, and agrees to provide the Customer reasonable assistance in the audits. For any additional documentation, support or service requested by Customer, Zervant reserves the right to invoice the effort and arising reasonable cost from Customer. This shall also include adequate compensation for the working hours of Zervant personnel while they are supporting the Customer in its audit. The Customer shall be responsible for its own costs (including the costs of any third party auditor used) in connection with such audits.
Zervant also agrees to allow audits initiated and performed by competent supervisory authorities in relation to Zervant’s Processing of Customer Personal Data, and agrees to provide necessary information on its Processing activities to such competent supervisory authorities. If Zervant receives a notice from any competent supervisory authority on an intended audit concerning Processing of the Customer Personal Data, Zervant shall promptly notify the Customer of such intended supervisory authority audit.
Zervant uses Subcontractors in connection with its Services, some of which will also participate in the Processing of Customer Personal Data. The Customer gives its general authorization and consent to allow Zervant to involve and use its´ affiliated companies and other Subcontractors to process the Customer Personal Data in connection with the provision of the Services, to the extent such appointment does not lead to non-compliance with the Applicable Laws or Zervant´s obligations under this DPA. Zervant ensures that the involved Subcontractors are properly qualified, will enter into a data processing agreement with Zervant, and will comply with data processing and confidentiality obligations at least as extensive as the ones agreed under this DPA. Zervant regularly monitors the performance of its Subcontractors and is liable for their work towards the Customer as it is of its own. Zervant agrees to provide the Customer a list of its Subcontractors used in relation to the Services upon the Customer’s request.
Zervant is free to choose and change Subprocessors in accordance with the terms of this DPA and Applicable Laws Zervant shall nonetheless inform the Customer of any material changes in its Subcontractors. If the Customer justifiably considers that such change in Zervant’s Subcontractors would result in a risk concerning the Customer Personal Data, the Customer shall have the right to state its objection to such change of Zervant’s Subcontractors.
In relation to the Processing of Customer Personal Data in connection with the Agreement, both Parties shall be liable towards one another for direct loss and damage caused by their breaches of this DPA or the Applicable Laws to the non-breaching Party (including, but not limited to any administrative sanctions imposed by competent supervisory authorities). Neither Party shall be liable for any indirect or consequential loss or damage, including but not limited to any loss of profits, revenue, reputation or goodwill.
The Parties’ liability hereunder shall be subject to the liability cap agreed in the Agreement.
This DPA enters into force on the same date as the General Data Protection Regulation shall apply and shall remain valid until the Agreement is terminated
During the period of thirty (30) days of the termination of the Agreement, Zervant makes the Customer Data available to the Customer without undue delay upon Customer’s request. After termination of the Agreement, Zervant shall without undue delay either destroy or return to the Customer all Customer Personal Data (as well as any copies thereto), unless Zervant is obligated to retain the Customer Personal Data due to requirements of any laws applicable to Zervant.