DATA PROCESSING AGREEMENT
2.The term "Applicable Data Protection Legislation" refers to (i) the European Regulation 2016/679 relating to the processing of Personal data (hereinafter "GDPR") as of its date of application, and (ii) any other laws relating to the processing of Personal data (hereinafter together the "Applicable Data Protection Legislation") applicable during the term of this DPA.
3.All capitalized terms used in this DPA but not otherwise defined herein have the meanings given to them in the GDPR.
4.Each party is obliged to comply with the relevant obligations of the Applicable Data Protection Legislation that apply to the performance of this DPA in relation to their respective role as further described below.
5.Applicability of this DPA is excluded if both IceWarp subsidiary and customer are located outside of the European Union or other member states of European Economic Area which adopted rules pursuant to GDPR, unless (i) the processing activities are related to the offering of products or services by you to customers in the European Union (or EEA country), or (ii) monitoring of behavior of the data subjects takes place within the European Union (or EEA country).
1.You hereby authorize IceWarp to process the Personal data of your employees and contractors, customers and any other persons (hereinafter "Data Subjects") provided by You to IceWarp within the products and services of IceWarp. You act as a Controller and IceWarp (as a Processor) is obliged to process Personal data only on your behalf. IceWarp processes Personal data to the extent necessary for due performance of their obligations ensuing from this DPA and the agreement for provision of products and services.
III.Subject-matter of the processing, categories of the Data Subjects and type of Personal data
IV.Nature and purpose of the processing
1.IceWarp processes the Personal data automatically with the use of statistical and analytical methods aided by computer technology. Occasional manual Personal data processing may occur.
2.The purpose of the Personal data processing is defined by the purpose of the products and services defined above, which are provided on the basis of the agreement.
V.Duration of the processing
1.The Personal data processing takes place during the term of the agreement. IceWarp’s obligations concerning the protection of the Personal data will be observed during the whole term of the agreement unless, by the provisions of the agreement, these obligations persists beyond the end of its term.
VI.Representations and warranties
1.You represent and warrant, that as of the day hereof your duties imposed by Applicable Data Protection Legislation have been duly met, in particular:
a.You have been processing the Personal data lawfully and for the purpose, in the scope, by means and methods specified herein;
b.You inform the Data Subjects on processing of their Personal data in a manner and extent prescribed by Applicable Data Protection Legislation;
c.You enable the Data Subjects to exercise their rights under Applicable Data Protection Legislation;
d.You observe your duty to notify the Office for Personal Data Protection on the Personal data processing, if such duty applies to You;
e.You stop processing the Personal data at the moment the Personal data become unnecessary for the purpose for which the Personal Data are processed;
f.You observe all of Your remaining duties arising from the Applicable Data Protection Legislation;
g.and undertake to observe the abovementioned duties during the whole term of the agreement.
VII.Obligations of IceWarp
1.IceWarp is obliged to:
a.process Personal data according to Your strict and clear instructions in writing and for no other purposes than the ones expressly approved by You in writing. To exclude any doubts, the processing of the Personal data in accordance with performance of the agreement and this DPA is deemed to be made in accordance with Your instructions;
b.to ensure that persons authorized to process personal data commit themselves to confidentiality or comply with the relevant statutory duty of confidentiality;
c.not engage any other processor without your prior specific or general written approval, which is given below in this DPA;
d.taking into account the nature of the processing, assist You, by means of appropriate technical and organizational measures and if necessary, in order to meet Your obligation to respond to requests for exercise of rights of the Data Subjects;
e.cooperate with You in order to allow You the assessment and document compliance with the processing of Personal data carried out as a result of this DPA;
f.assist You, while taking into account the nature of the processing and the available information from You, in meeting Your obligations with:
•ensuring a level of security of processing;
•reporting Personal data breaches to the Office for Personal Data Protection and, where necessary, to Data Subjects;
•undertaking Data protection impact assessments; and
•consulting the Office for Personal Data Protection prior to processing;
g.inform You about Data Subjects’ requests and/or complaints IceWarp may receive in relation to the processing of the Personal data;
h.follow Your instructions in matters of transferring Personal data to third countries/international organization. If following of instructions is forbidden by Union or Member State law to which IceWarp is a subject, IceWarp informs You of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; and
i.allow for audits and contribute to these audits; the parties agree that IceWarp carries out audits on their own initiative every two calendar years with a selected independent auditor; in the case of request for an additional audit, the parties will agree on a scope and price of this audit.
2.Performance of subsections VII.1.d to VII.1.g is reimbursable in accordance with IceWarp’s pricelist. If the respective activity is not specified in this pricelist, reimbursement shall be introduced from the side of IceWarp on Your request.
VIII.Involving of other processors and transfer to the third countries
2.In any case, IceWarp shall require its personnel and its subcontractors to comply with Applicable Data Protection Legislation, with the same obligations as those defined hereunder and with reinforced confidentiality obligations.
3.Where IceWarp intends to rely on third parties located in countries out of the European Union and other member states of European Economic Area which adopted rules pursuant to GDPR, it shall only do so if there is a decision from the European Commission that a certain country outside the EU/EEA ensures an adequate level of protection, including where the processors or controllers have taken appropriate protection measures, for example Binding Corporate Rules (BCR) or Standard Contractual Clauses (SCC). You may express your preferences regarding the data transfers by using the data storage options listed on IceWarp website. IceWarp informs You about any change of the country you selected to store your data, to give you the opportunity to oppose to such change of data storage location.
IX.Security of personal data
1.IceWarp has implemented and maintains technical and organizational measures to prevent unauthorized or accidental access to the Personal data, their change, destruction or loss, unauthorized transfers, or other unauthorized processing thereof, as well as any other abuse of the Personal data.
2.IceWarp has implemented and maintains, in particular, following technical measures to ensure an appropriate level of security in accordance to risks, rising from the particular processing of personal data, including:
a.pseudonymization and encryption of the Personal data;
b.the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – these measures and their correct operation are subject to regular checks;
c.the ability to restore the availability and access to the Personal data in a timely manner in the event of a physical or technical incident;
d.a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
e.logs of performed erasures of Personal data;
g.malware, ransomware and spyware antivirus protections;
h.unauthorized access monitoring;
i.encrypted data transfers;
j.access to the Personal data is restricted to authorized personnel only;
k.servers with Personal data are kept physically locked in the data centres; and
l.data back-ups are stored in separate geographic location, transferred and stored encrypted and only authorized personnel may access them.
3.In the event IceWarp reasonably believes that there has been any potential or actual unauthorized or unlawful access to, or potential or actual use or disclosure of, the Personal data, IceWarp notifies You without undue delay after becoming aware of such Personal data breach.
1.Finally, upon termination or expiry of the DPA, IceWarp ceases any processing of the Personal data and returns and/or deletes the Personal data in accordance with the termination assistance services plan as defined in the agreement, unless applicable laws require storage of the Personal data. If no termination assistance services plan is defined, IceWarp deletes or returns all the Personal data to You according to your choice within 30 days from the agreement termination or expiry.
2.The parties hereby provide that if there is a damage (including both harm to assets and liabilities and non-pecuniary harm) incurred by IceWarp because of the breach of Your obligations under the Applicable Data Protection Legislation or this DPA, You provide IceWarp with full compensation for such damage. The compensation for damage comprises, in particular, of (i) compensation for damage (including both monetary and non-pecuniary harm) incurred by Data Subjects as provided by the Applicable Data Protection Legislation and (ii) compensation for fines imposed upon IceWarp by data protection authority or other authority.
3.IceWarp is not obliged to compensate damages, resulting from substantively inaccurate, incomplete or otherwise incorrect instruction, received from You, despite the fact that IceWarp informed You about such defect of instruction in advance.
4.The parties expressly agree that as this DPA only governs aspects of data processing performed by IceWarp for You as a part of products and services based on the agreement concluded between You and IceWarp, the liability of IceWarp for any damage caused by breach of IceWarp’s obligations under the DPA and Applicable Data Protection Legislation, including any fines imposed upon You by data protection authority or other authority, is limited by and is a subset of total liability of IceWarp for damage specified under the agreement for provision of products and services of IceWarp, to which this DPA applies, and nothing in this DPA increases the total liability of IceWarp for damage under such agreement.