Data Processing Agreement

Last updated: April 30, 2018

This Data Processing Agreement is entered into between us ("Fusioo Ltd.") and the Customer and forms part of the Terms of Use available at https://www.fusioo.com/policies/terms-and-conditions.

The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below.


Definitions

"Controller" means you ("the Customer");
"Data Subject" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (as amended from time to time, or replaced by subsequent legislation);
"DPA" means this data processing agreement;
"Personal Data" as defined under the General Data Protection Regulation 2016/679 and includes any equivalent definition in the Applicable Law;
"Processor" means us ("Fusioo Ltd");
"Standard Contractual Clauses" means the EU model clauses for Personal Data transfer from controllers to processors c2010-593 - Decision 2010/87EU;
"Terms of Use" means the legal agreement between the Controller as the user and the Processor, that governs the Controller’s limited, non-exclusive and terminable right to the use of the Fusioo Site and Services as defined in the Terms of Service.


Article 1. Processing Objectives

1.1 The Processor has agreed to provide the Services to the Controller in accordance with the Terms of Use. In providing the Services, the Processor shall process Customer Data on behalf of the Controller. Customer Data may include Personal Data. The Processor will process and protect such Personal Data in accordance with the terms of this DPA.

1.2 In providing the Services to the Controller pursuant to the Terms of Use, the Processor shall process Personal Data only to the extent necessary to provide the Services in accordance with both the Terms of Use and this DPA.

1.3 All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.

1.4 The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.


Article 2. Processing Obligations

2.1. The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data.

2.2. The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach any applicable data protection laws.

2.3. The Processor confirms that it shall process Personal Data on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process the Personal Data except on instructions from the Controller.

2.4. The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA.

2.5. The Processor shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

2.6. When a Data subject submits a request to the Processor to inspect, or to improve, add to, change or protect their personal data, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.


Article 3. Controller Obligations

3.1. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA.

3.2. The Processor shall only be responsible for processing the personal data under this DPA, in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.

3.3. Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this DPA.

3.4. All Subsidiaries of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.

3.5. The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller.

3.6. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Terms of Use. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible.


Article 4. Transmission of Personal Data

4.1. Where Sub-processors are located outside of the EEA, the Processor confirms that such Sub-processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with the Processor; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.

4.2. All Sub-processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this DPA.

4.3. Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.


Article 5. Duty to Report

5.1. In the event of an accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data (“Data Breach”)., the Processor shall, to the best of its ability, notify the Controller thereof with undue delay. The Processor will endeavor that the furnished information is complete, correct and accurate.

5.2. The Processor’s notification of, or response to, a Data Breach under this Article 5 will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach.

5.3. The Processor will not assess the content of the Controller’s data in order to identify information subject to any specific Controller data breach. Controller is solely responsible for complying with data breach notification laws applicable to the Controller and fulfilling any third party notification obligations related to any Data Breach(es).

5.4. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:

  • the (suspected) cause of the leak;
  • the (currently known and/or anticipated) consequences thereof;
  • the (proposed) solution;
  • the measures that have already been taken.

Article 6. Security

6.1. The Processor will endeavor to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this DPA.

6.2. The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavor to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.

6.3. The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.


Article 7. Non Disclosure and Confidentiality

7.1. All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this DPA is subject to a duty of confidentiality vis-à-vis third parties.

7.2. This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this DPA, or if there is a legal obligation to make the information available to a third party.


Article 8. Data Deletion

8.1. The Processor can delete Personal Data using the functionality provided by the Service. For certain deletions, a recovery feature is offered by the Processor to enable recovery from accidental deletions for up to 14 days. This may be overridden by the Processor. After any recovery period, the Controller will permanently delete the Personal Data from the service.

8.2. On termination, the Controller has the option to request the return or deletion of Personal Data. This request must be made within 14 days of termination.

8.3. If the Controller requests the Personal Data to be returned, to the extent possible, the Processor shall make reasonable commercial efforts to return the Personal Data in the format generally available through the Services.


Article 9. Compliance and Cooperation

9.1. In order to confirm compliance with this DPA, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.

9.2. The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than three weeks after the Controller has provided written notice to the Processor.

9.3. The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.

9.4. The Processor will notify the Controller promptly of any request or complaint regarding the processing of Personal Data, which adversely impacts the Controller, unless such notification is not permitted under applicable law or a relevant court order.

9.5. The costs of the audit will be borne by the Controller.


Article 10. Duration and Termination

10.1. This DPA is entered into for the duration set out in the Terms of Use, and in the absence thereof, for the duration of the cooperation between the Parties.

10.2. The DPA may not be terminated in the interim.

10.3. This DPA may only be amended by the Parties subject to mutual consent.

10.4. The Processor shall provide its full cooperation in amending and adjusting this DPA in the event of new privacy legislation.


Article 11. Miscellaneous

11.1. In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:

  • this DPA;
  • the Terms of Use;
  • additional conditions, where applicable.

11.2. Logs and measurements taken by the Processor shall be deemed to be authentic, unless the Controller supplies convincing proof to the contrary.

11.3. This DPA shall be governed by the laws of Malta. The courts of Malta shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.