Data Processing Agreement (DPA) and Standard Contractual Clauses (SCC)


How to Sign the Data Processing Agreement and Standard Contractual Clauses
Click here to start the signing process.
Data Processing Agreement
‍ This GDPR Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or Terms of Use available on this same page above or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and SMART FUNNEL SOFTWARE LLC ("Deadline Funnel"), pursuant to which Customer has accessed Deadline Funnel’s Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below. If the Customer entity entering into this DPA has executed an order form or statement of work with Deadline Funnel pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA. This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA. In the course of providing the Application Services to Customer pursuant to the Agreement, Deadline Funnel may process personal data on behalf of Customer. Deadline Funnel agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
‍ In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)), and all other applicable laws relating to the processing of personal data and privacy that may exist in any relevant jurisdiction.

“Data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation.

“Sub-processor” is a Third-party, independent contractors, vendors and suppliers who provide specific services and products related to the Deadline Funnel website and our services, such as hosting, credit card processing and fraud screening, mailing list hosting, and analytics ("third-party" or "outside contractor" shall have similar meanings).

The parties agree that Customer is the data controller and that Deadline Funnel is its data processor in relation to personal data that is processed in the course of providing the Application Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Deadline Funnel pursuant to the Agreement.

The subject-matter of the data processing covered by this DPA is the Application Services ordered by Customer either through Deadline Funnel’s website or through an Ordering Document and provided by Deadline Funnel to Customer via www.deadlinefunnel.com, or via deadlinefunnel.com, or via app.deadlinefunnel.com, or via another sub-domain of deadlinefunnel.com, or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases.

Further details of the data processing are set out hereto. In respect of personal data processed in the course of providing the Application Services, Deadline Funnel shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Deadline Funnel (from time to time).

If Deadline Funnel is required to process the personal data for any other purpose provided by applicable law to which it is subject, Deadline Funnel will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest; shall notify Customer without undue delay if, in Deadline Funnel's opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation; shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.

These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.

Deadline Funnel may hire other companies to provide limited services on its behalf, provided that Deadline Funnel complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Deadline Funnel has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Deadline Funnel remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Deadline Funnel transfers personal data will have entered into written agreements with Deadline Funnel requiring that the subcontractor abide by terms substantially similar to this DPA; at the Customer’s request and cost (and insofar as is possible).

Deadline Funnel shall assist the Customer by implementing appropriate and reasonable technical and organisational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Deadline Funnel reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.

Deadline Funnel shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of the General Data Protection Regulation (Regulation (EU) 2016/279) taking into account the nature of the processing under this DPA, provided that Deadline Funnel reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance.

At the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer; may transfer personal data from the EEA to the US for the purposes of this DPA; shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Deadline Funnel in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause.

The purposes of an audit pursuant to this Clause include to verify that Deadline Funnel is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Deadline Funnel of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Deadline Funnel’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Deadline Funnel’s IT system, data hosting sites or centers, or infrastructure will be permitted.

If Deadline Funnel becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Deadline Funnel in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Deadline Funnel shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident; Deadline Funnel shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.

Deadline Funnel commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our privacy policy should first contact Deadline Funnel at: help [AT] deadlinefunnel [DOT] com.

Details of the Data Processing

Deadline Funnel shall process information to provide the Application Services pursuant to the Agreement. Deadline Funnel shall process information sent by Customer’s end users identified through Customer’s implementation of the Application Services.

Personal Data We Collect And Receive
1. Registration, contact, and company information
  • first and last names;
  • email addresses;
  • phone numbers;
  • avatars;
  • company name;
  • your role in your company.
2. Payment information
  • credit card information;
  • billing and mailing addresses;
  • other payment-related information.
3. Device data
  • operating system type and version number, manufacturer and model;
  • browser type;
  • screen resolution;
  • IP address;
  • unique device identifiers.
4. Service data
  • the website you visited before browsing to the Deadline Funnel Services;
  • how long you spent on a page or screen;
  • how you interact with our emails;
  • navigation paths between pages or screens;
  • date and time;
  • pages viewed;
  • links clicked.
5. Third party source data
  • profile information gathered from social networking sites;
  • information that you have viewed or interacted with our content;
  • company information;
  • job titles;
  • avatars;
  • email addresses;
  • phone numbers;
  • addresses;
  • geolocation data.
The sources of this third party personal data may include:
  • Contact enrichment and lead generation providers;
  • Our Geolocation IP intelligence provider;
  • Targeted online advertising providers;
Your Access and Control of Data
‍ Data Subjects whose Personal Data is covered by this Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the GDPR (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: help [AT] deadlinefunnel [DOT] com.
Sharing Your Personal Data

We may disclose some or all of the personal data we collect to the following third parties:

To Deadline Funnel Group Companies:
  • SIMPLEPAY.IO LLC
  • SMART FUNNEL SOFTWARE LLC
  • TRAVEL NURSE DEPOT, INC.
  • BORN GROUP PTY LTD
Any such other group companies as may be added to this list from time to time.
Service Providers:
  • Consultants and vendors engaged by us to support our provision of the Deadline Funnel Services and Sites and the operation of our business;
  • Any such other Service Providers as may be added to the Subprocessor list, from time to time.
Advertising Partners:

Third party advertising companies may use cookies and similar technologies to collect information about your activity on the Deadline Funnel Services and other online services over time to serve you online targeted advertisements, including the companies listed in the third-party cookies section of our Cookie Policy.

Recourse, Enforcement, and Liability

Deadline Funnel commits to resolve complaints about your privacy and our collection or use of your Personal Data. Data Subjects with inquiries or complaints regarding this Policy should first contact Deadline Funnel at: help [AT] deadlinefunnel [DOT] com.

Accountability for Onward Transfer

In the event we transfer Personal Data covered by this Policy to a sub-processor, we will do so consistent with any notice provided to Data Subjects and any consent they have given, and only if the third party has given us contractual assurances that it will (i) process the Personal Data for limited and specified purposes consistent with any consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the GDPR and notify us if it makes a determination that it cannot do so; and (iii) cease processing of the Personal Data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Deadline Funnel has knowledge that a third party is processing Personal Data covered by this Policy in a way that is contrary to the GDPR, Deadline Funnel will take reasonable steps to prevent or stop such processing. With respect to our agents, we will transfer only the Personal Data covered by this Policy needed for an agent to deliver to Deadline Funnel the requested product or service. Furthermore, we will (i) permit the agent to process such Personal Data only for limited and specified purposes; (ii) require the agent to provide at least the same level of privacy protection as is required by the GDPR; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Deadline Funnel’s obligations under the GDPR; and (iv) require the agent to notify Deadline Funnel if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR. Upon receiving notice from an agent that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR, we will take reasonable and appropriate steps to stop and remediate unauthorized processing. Deadline Funnel remains liable under the GDPR if an agent processes Personal Data covered by this Policy in a manner inconsistent with the GDPR, except where Deadline Funnel is not responsible for the event giving rise to the damage.

Disclosure of Personal Data to Regulatory Agencies

Deadline Funnel transfers Personal Data to third parties, including without limitation, law enforcement agencies and consumer reporting agencies, under the following normal business procedures:

Deadline Funnel uses a Visitor's IP address to help diagnose problems with its servers, and to administer its website.

Deadline Funnel uses cookies to help it recognize Visitors as unique Visitors when they return to Deadline Funnel's website. Deadline Funnel also uses cookies to tailor content or advertisements to match your preferred interest; avoid showing Visitors the same advertisements repeatedly; compile anonymous, aggregated statistics that allow Deadline Funnel to understand how users use its site and to help it improve the structure of its website (Deadline Funnel cannot identify Visitors personally in this way); and count the number of anonymous users of its websites.

If you breach the Customer Agreement or other applicable Service Level Agreement, or if Deadline Funnel is under a duty to disclose or share your personal data in order to comply with any legal obligation, Deadline Funnel may disclose your information to a relevant authority. Disclosure may include, but is not limited to, exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction. In particular, Deadline Funnel may release the information it collects to third parties when Deadline Funnel believes that it is appropriate to comply with the law, to enforce its' legal rights, to protect the rights and safety of others, or to assist with industry efforts to control fraud, spam or other undesirable conduct. Deadline Funnel may release the information it collects to third parties, where the information is provided to enable such third party to provide services to Deadline Funnel, provided that the third party has agreed to use at least the same level of privacy protections described in this Privacy Policy, and is permitted to use the information only for the purpose of providing services to Deadline Funnel.

Categories of Data Subjects

Users of the Customers web and mobile applications.

Processing Activities

The provision of Application Services by Deadline Funnel to Customer.

STANDARD CONTRACTUAL CLAUSES

‍For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the data exporting organization (the data exporter) and the data importing organisation (the data importer), each a ‘party’; together ‘the parties’, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in the "Personal Data We Collect and Receive" section of the Data Processing Agreement.

Clause 1 - Definitions

For the purposes of the Clauses: ‍ (a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b)‘the data exporter’ means the controller who transfers the personal data;

(c)‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;(f)‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 - Details of the Transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in the "Personal Data We Collect and Receive" section of the Data Processing Agreement which forms an integral part of the Clauses.

Clause 3 - Third-Party Beneficiary Clause

1.The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2.The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3.The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4.The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4 - Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c)that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in the Security page on the Deadline Funnel website (www.deadlinefunnel.com/security);

(d)that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)that it will ensure compliance with the security measures;

(f)that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)that it will ensure compliance with Clause 4(a) to (i).

Clause 5 - Obligations of the Data Importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)that it has implemented the technical and organisational security measures specified in the Security page on the Deadline Funnel website (www.deadlinefunnel.com/security) before processing the personal data transferred;

(d)that it will promptly notify the data exporter about: (i)any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;(ii) any accidental or unauthorised access; and (iii)any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i)that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j)to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6 - Liability

1.The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2.If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3.If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7 - Mediation and Jurisdiction

1.The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2.The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 - Cooperation with Supervisory Authorities

1.The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2.The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3.The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9 - Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely …

Clause 10 - Variation of the Contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11 - Sub-processing

1.Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2.The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3.The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely …

4.The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12 - Obligation after the termination of personal data-processing services

1.The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2.The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Related Content