last updated on December 09, 2016

DATA PROCESSING AGREEMENT

This Data Processing Agreement (DPA) frames the collaboration between Optimy and any Organisation with whom an Order form is signed with reference to this page, about the processing of personal data within the European Economic Area or in relationship with a country benefitting from an adequacy decision of the EU Comission, in accordance with Article 28 of the GDPR (EU General Data Protection Regulation).

Article 1. Definitions

For the purposes of this Data Processing Agreement, it is understood according to the GDPR (EU      General Data Protection Regulation):

  • Biometric data: Personal data resulting from specific technical processing relating to the physical, psychological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
  • Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law. In this Data Processing Agreement, the Customer acts as Controller and references to the “Controller” are references to the Customer.
  • Data concerning health: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
  • Data subject: means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
  • Genetic data: Personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.
  • Personal data: any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • Processing: any operation or set of operations which is performed on Personal data or on sets of Personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Processor: a natural or legal person, public authority, agency or other body which processes Personal data on behalf of the Controller. In this Data Processing Agreement, Optimy acts as Processor and references to the “Processor” are references to Optimy.
  • Recipient: a natural or legal person, public authority, agency or another body, to which the Personal data are disclosed, whether a Third-party or not. However, public authorities which may receive Personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
  • Sub-processor: A Sub-processor is a Third-party data Processor engaged by a data Processor who has or will have access to or process Personal data on behalf and under the instruction or supervision of a data Controller. The Processor and the Sub-processor have the same obligations with regard to GDPR.
  • Technical and organisational measures: to be found at https://www.optimy.com/legal/technical-and-organisational-measures. Rules, guidelines and checks implemented by Optimy in order to maintain compliance with applicable data protection laws and their requirements.
  • Third-party: a natural or legal person, public authority, agency or body other than the Data subject, Controller, Processor and persons who, under the direct authority of the controller or processor, are authorised to process Personal data.

Article 2. Scope

2.1. This Data Processing Agreement specifies the obligations of the contracting Parties relating to data protection within the scope of the Agreement they signed.

2.2. The Data Processing Agreement applies to all activities related to the Agreement which involve Processing of Personal data of the Controller by staff of the Processor or person commissioned by the Processor. 

2.3. Optimy’s employees, interns, subcontractors and affiliated entities, as well as Sub-processors mentioned in Article 7 of this Data Processing Agreement may be involved in the processing of Personal data on behalf of the Controller.

Article 3. Object and duration of data processing

3.1. Object

3.1.1. The Controller commits to give instructions to the Processor about the processing of Personal data for the limited following categories of Data subjects:

  • Organisations applying to the Controller’s projects (such as, but not limited to, grants or sponsorships) or their contact persons ;
  • Individual application to the Controller’s projects ;
  • Supplier of the Controller, including former and potential suppliers, or their contact persons ;
  • Partners of the Controller or their contact persons ;

3.1.2. If the Controller intends to use the Platform provided by the Processor for the processing of Personal data relative to other categories of Data subjects than the one listed above, the Controller must imperatively inform the Processor of its intention and mention the additional categories of Data subjects in the Order Form.

3.1.3. The Controller commits to give instructions to the Processor strictly about processing the following categories of Personal data:

  • Name, title, position and contact information such as, but not limited to, company address, email address and phone number ;
  • Billing and payment data ;
  • Contractual information, such as but not limited to, contractual relationship, orders, invoicing, payments ;
  • User names, passwords, and other login data ;
  • Data relating to the Data subject’s financial information, such as but not limited to debts, and salary ;

3.1.4. If the Controller intends to use the Platform provided by the Processor for the processing of other categories of Personal data than the ones listed above, the Controller must imperatively inform the Processor of its intention and mention the additional categories of Personal data in the Order or Service Agreement.

3.1.5. The Processor undertakes not to process any Personal data outside of the European Economic Area (“EEA”). Therefore, the Parties agree that no particular measure needs to be defined for the processing of Personal data outside the EEA.

3.1.6. The Controller is responsible for making sure the necessary legal basis exists for the processing of the Personal data, including any possible special categories of Personal data.

3.2 Duration 

The Data Processing Agreement shall apply from the Start date of the Agreement and shall expire at such time as the Agreement comes to an end and the Processor has stopped processing of Personal data on behalf of the Controller. 

Article 4. Obligations of the Processor

4.1. Instruction by the Customer 

4.1.1. The Processor may only process Personal data within the framework of the Agreement as instructed by the Controller, unless required to do so by European or national law to which the Processor is subject. The Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information. The Processor shall not process Personal data for its own purposes or for Third-party’s purposes (except where certain Personal Data is also processed by Optimy as a controller in the framework of the performance of the Agreement, as explicitly mentioned in the Agreement). In particular, entitlement to issue instructions includes usage of the Personal data, measures to protect data and the disposal of data carriers. 

4.1.2. The Processor shall immediately inform the Controller if the former believes that the Controller’s instructions are in breach of the GDPR or other applicable Data protection laws. The Processor may cease acting on instructions until the Controller confirms or changes those instructions. 

4.1.3. The persons who are authorised to issue instructions in the name and on behalf of the Controller, hereinafter referred to as the “Controller’s point of contact”, are explicitly specified within the Order Form signed between the Parties.

The Controller shall confirm verbal instructions in writing or by-email, in text form.

The person at the Processor who is authorised to take receipt in connection with instructions is referred to in the Order form signed with Optimy.

4.2. General provisions on Data processing 

4.2.1. The Processor undertakes to keep a record of processing activities in accordance with Article 30 (2) of the GDPR and shall allow the Controller to view the parts of the record pertaining to the Controller's processes upon the Controller's request. The Processor warrants that the staff involved in processing Personal data of the Controller and other persons working for the Processor are prohibited from processing the Personal data, except as instructed. 

4.2.2. The Processor furthermore warrants that the persons authorised to process Personal data have been bound to uphold confidentiality and non-disclosure obligations, or are subject to adequate statutory confidentiality obligations. Confidentiality requirements continue to apply to the Processor after the termination of the Agreement and after other persons authorised to process Personal data have ceased activity or after the departure of the Processor’s employees.

4.3. Protective technical and organisational measures 

4.3.1. The Processor shall ensure that appropriate technical, organisational, administrative and physical measures, as described in the technical and organisational measures, have been taken for processing and that processing is carried out in a manner compliant with applicable Data protection laws, upholding the rights of the Data subjects. The Processor shall demonstrate such in a suitable manner. 

4.3.2. The Processor shall implement appropriate technical, organisational, contractual or other security measures to ensure the confidentiality, integrity, availability and the resilience of the systems as well as means to restore the availability of the data and access to it in a timely manner in the event of a physical or technical incident. 

4.3.3. The Controller is aware of these technical and organisational measures and is responsible for ensuring that at all times these afford an adequate level of protection against risks relevant to the data to be processed. 

4.3.4. The Controller accepts that the measures described in technical and organisational measures of the Agreement are sufficient, considering the types of Personal data, the categories of Data subjects and the kind of processing operations that are performed  under its responsibility.

4.4. Personal data breaches 

4.4.1. The Processor shall ensure by means of appropriate technical and organisational measures that Personal data breaches within the Processor’s premises, or at those of its subcontractors, can be detected and notified to the Controller without undue delay. 

4.4.2. In consultation with the Controller, the Processor shall implement appropriate measures to protect data and provisional measures to mitigate potential adverse consequences for Data subjects.The Processor shall furthermore assist the Controller in fulfilling the latter’s obligations to notify the competent Supervisory Authority and communicate the Personal data breach to Data subjects, providing the Controller with all necessary information in this regard.

4.5. Cooperation obligations 

4.5.1. The Processor shall cooperate to assist the Controller in responding to requests of Data subjects while exercising their rights in line with Chapter III of the GDPR. In the unlikely event that a Data subject contacts the Processor to exercise his/her rights under the GDPR, the Processor shall forward such request from Data subjects to the Controller without undue delay. Notifications will be sent to the Controller’s point of contact.

4.5.2. If the Controller is subject to an audit by the Supervisory authority, to regulatory or criminal proceedings, to a liability claim by a Data subject or a Third-party or any other claim relating to processing by the Processor, the Processor shall assist the Controller to a reasonable extent and in consideration of the fees the Parties agreed upon. 

4.6. Notifications obligations 

To the extent permitted by law, the Processor shall inform the Controller immediately of any audit or measure conducted by the Supervisory authority which pertains to the Agreement or this Data Processing Agreement, if authorised to do so by the Supervisory authority. Notifications should be sent in English. This also applies if a competent authority is investigating the Processor in connection with an administrative or criminal procedure concerning the processing of Personal data. To the extent permitted by law, the Processor shall coordinate with the Controller in advance on any direct interaction with such authorities.

4.7. Deletion and return of data and data carriers 

4.7.1. The Processor shall correct, delete or restrict access to the Personal data as instructed by the Controller as long as such instructions are documented and fall within the instructional scope. If Personal data deletion or restriction of data processing in compliance with data protection requirements is not possible, the Processor shall perform the destruction of data carriers and other materials in compliance with Data protection laws under a specific order by the Controller, or return the data carriers to the Controller. The Parties may agree on provisions for compensation for performing this task. 

4.7.2. At the end of the provision of the Services that involves the processing, the Processor shall cease the processing of Personal data.It shall erase the Personal data in its possession and return or destroy the material supports carrying the Personal data. 

4.7.3. An exception is made for copies, such as backup copies, necessary to ensure the protection of the Parties’ interests or their legal position or to ensure compliance with legal retention obligations under the applicable law during and after the duration of the Agreement. 

4.7.4. For security reasons, Personal data is stored in a backup copy for the maximum period of time of 1 (one) year after the erasure of the data. In this case, the Processor guarantees that it will keep the Personal data confidential and that it will refrain from any active processing.

4.7.5. A deletion certificate can be presented upon request. 

Article 5. Obligations of the Controller

5.1. The Controller shall fully inform the Processor without delay upon becoming aware of any error or irregularity pertinent to applicable Data protection laws in relation to the performance of the Agreement. 

5.2. The Controller shall notify the Processor of data protection issues related to this Agreement. 

Article 6. Auditing rights of the Controller

6.1. The Controller is entitled to have an audit performed at most once per year. The Controller can exceptionally perform additional audits in case it demonstrates that it has objective and serious indications to suspect that the Processor processes the Personal data in an unlawful way or in breach of the provisions of this Data Processing Agreement. 

6.2. The language of the proceedings for such an audit should be English.

6.3. The audit can be conducted by the Controller itself or by an independent third-party auditor it designates. The independent third-party auditor must not be a direct or indirect competitor of the Processor and must be bound by a confidential agreement.

6.4. The mission of the auditor shall be restricted to assessing the compliance of the Processor’s operations with:

(i) Data protection laws applicable to the Processor, and

(ii) this Data Processing Agreement.

6.5. The auditor is not entitled to assess the compliance of the Processor with other elements of the Agreement, unless the Parties agree to extend the scope of the auditor’s mission. 

6.6. The Controller shall give notice of the audit at least 30 (thirty) calendar days in advance. In urgent cases, the Controller may shorten the notice period to 7 (seven) calendar days. Events where enquiries or inspections are being made by the data protection Supervisory authorities, other public authorities and courts, and cases of reportable incidents shall be the only events considered as urgent. 

6.7. The audit can only be performed during business hours. The Controller and the auditor shall endeavour to limit the impact on the business operations of the Processor. 

6.8. To the extent necessary to assess compliance with the data protection obligations of the Processor, the Processor undertakes to provide the Controller with all necessary information, including physical access to the following documents in English:

(i) business documents, 

(ii) stored data, 

(iii) data processing programs, 

(iv) documentation on business processes, and 

(v) other documentation

6.9. Proof of adequate measures in place, not solely pertaining to the Agreement, can be verified via: 

(i) self-audit; 

(ii) a company-internal code of conduct requiring external documentation of compliance;

(iii) a data protection or information security certificate (e.g. ISO 27001); 

(iv) an approved code of conduct in accordance with Article 40 of the GDPR; 

(v) certificates as per Article 42 of the GDPR; 

(vi) any other means determined jointly by the Parties. 

6.10. The Controller shall bear the costs of the audit. 

6.11. The Parties shall discuss the outcome of the audit and, should any default be found and accepted by the Processor, the measures to be taken to remedy the data protection and security issues. 

Article 7. Sub-processors

7.1. The Controller acknowledges and confirms that the Processor may work with Sub-processors for the processing of data in the performance of the Agreement. The Processor shall implement provisions with such Sub-processors as required to ensure that adequate data protection and information security measures are in place. 

7.2. Sub-processors within the meaning of this provision are those providing services which pertain directly to the rendering of the Services under the Agreement; this does not include ancillary services which are used by the Processor, for example in the form of telecommunications services, laptop operating systems, post and transport services or the disposal of data carriers. However, the Processor must conclude adequate and lawful contractual agreements and undertake monitoring activities to ensure the protection and security of the Controller's data, also where ancillary services are outsourced.

7.3. The contractually agreed services and service elements to be performed with the involvement of Sub-processors are outlined online using the following URL link, in the section relating to Optimy standard services: https://www.optimy.com/legal/list-of-subprocessors.

7.4. For future reference, the Processor shall inform in writing the Controller’s point of contact of any intended change concerning the addition or replacement of Sub-processors. The Controller shall then have a period of 5 (five) business days to object with serious and unbiased reasons, by proving the downsides with regards to the protection of Personal data and the compliance with applicable Personal data protection laws. If the Controller does not reply within this period, the Controller has accepted the new business relationship.

7.5. The Processor shall bind any Sub-processors to the same data protection obligations as set out in this Data Processing Agreement by way of an agreement. 

Article 8. Miscellaneous 

8.1. Amendments and supplements to this Data Processing Agreement and any element thereof must be implemented in a written agreement signed between the Parties. 

8.2. Should any provision of this Data Processing Agreement be or become invalid, the validity of this Data Processing Agreement and the validity of the Agreement as a whole shall not be affected. In such a case, the contracting Parties shall replace the invalid provision with a provision aligned with statutory law.