Data Processing Agreement
Last update: 17.07.2019
The Data Processing Agreement is part of the Agreement. The most current version of the Data Processing Agreement can be viewed by clicking on the “Privacy and Legal Terms” link at the bottom of our website (https://trustedfamily.com).
1. Object of this data processing agreement
1.1 When providing the Services to The Customer as defined in Article 2.1 of the Terms, The Supplier may process certain Personal Data as Processor on behalf of The Customer.
1.2 The Customer and The Supplier wish to lay down in this Data Processing Agreement the assignment for any further agreements concerning the processing of these Personal Data by The Supplier as Processor.
2. Interpretation
2.1 In this Data Processing Agreement, the following terms shall have the definitions given to them in Data Protection Legislation: “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”, “processes” and “processed” shall be construed accordingly).
2.2 This Data Processing Agreement will be governed by the terms and conditions set out in the Terms. Capitalized terms used but not defined in this Data Processing Agreement shall have the meanings given to them in the Terms unless the context requires otherwise.
2.3 In this Data Processing Agreement:
Approved Subcontractors means the subcontractors approved by The Customer in accordance with article 7.2;
Data Protection Legislation has the meaning given to that term in article 1 of the Terms;
Data Processing Agreement means the present data processing agreement, including any Exhibits to this Data Processing Agreement;
Data Transfer Agreement has the meaning given to that term in article 8.1.3 of this Data Processing Agreement;
Exhibit means the exhibits attached to this Data Processing Agreement;
Personal Data means the personal data that The Supplier or any Approved Subcontractor will process when providing the Services to The Customer. For the purpose of this definition, “processing” of personal data and “personal data” will have the meaning given to those terms under the applicable Data Protection Legislation. A description of the categories of Personal Data is set out in Exhibit 1.1;
Services means the services that The Supplier provides to The Customer under or in connection with the Terms;
Terms has the meaning given to that term in article 1 of the Terms;
Third Country has the meaning given to that term in article 8.1.
2.4 The Parties acknowledge and agree that this Data Processing Agreement and its Exhibits form an integral part of the Terms. If there is any conflict or inconsistency between any:
2.4.1 term in the main part of this Data Processing Agreement;
2.4.2 term in any of the Exhibits to this Data Processing Agreement; and
2.4.3 term in the main body of the Terms and its Annexes;
the term falling into the category first appearing in the list above shall take precedence.
3. SCOPE AND PURPOSE
3.1 The provisions of this Data Processing Agreement will only apply if and to the extent that, for the provision of the Services, The Supplier processes Personal Data as Processor on The Customer’s behalf (The Customer will be Controller).
4. COMPLIANCE WITH APPLICABLE DATA PROTECTION LEGISLATION
4.1 When processing Personal Data, The Supplier will at all times comply with its obligations under all applicable Data Protection Legislation.
4.2 The Supplier will only process Personal Data:
4.2.1 in the manner and for the purposes set out in Exhibit 1.1; and
4.2.2 upon instruction of The Customer (Processing Instructions).
4.3 The Customer hereby:
4.3.1 instructs The Supplier to take such steps in the processing of Personal Data on behalf of The Customer as are reasonably necessary for the provision of the Services; and
4.3.2 authorises The Supplier to provide to the Approved Subcontractors and on behalf of The Customer instructions that are equivalent to the instructions set out in article 4.3.1.
4.4 The Supplier:
4.4.1 if Data Protection Legislation requires it to process Personal Data other than in accordance with the Processing Instructions, shall notify The Customer of any such requirement before processing Personal Data (unless applicable law prohibits such information on important grounds of public interest); and
4.4.2 shall inform The Customer if The Supplier becomes aware of a Processing Instruction that, in The Supplier’s reasonable opinion, infringes applicable Data Protection Legislation, provided that, to the maximum extent permitted by mandatory law, The Supplier shall have no liability howsoever arising for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Processing Instructions.
5. CONFIDENTIALITY AND SECURITY
5.1 The Supplier undertakes to treat all Personal Data as confidential. Unless The Customer requires otherwise in writing, The Supplier will not disclose Personal Data to any third party other than:
5.1.1 to those of its employees, Approved Subcontractors and employees of the Approved Subcontractors to whom such disclosure is reasonably necessary for the provision of the Services; or
5.1.2 to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction; and
5.1.3 provided that the persons to whom Personal Data may be disclosed pursuant to article 5.1.1 are bound by obligations of confidentiality consistent with those imposed upon The Supplier under this Data Processing Agreement and under the Terms.
5.2 Having regard to the technology available, the cost of its implementation and having regard to the nature, scope, context and purposes of the processing of Personal Data, The Supplier will take appropriate technical and organisational measures to prevent any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
5.3 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, The Customer and The Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as stated in Exhibit 1.3.
6. REPORTING PERSONAL DATA BREACHES
6.2 The Supplier will provide The Customer with written notice as soon as reasonably possible upon becoming aware of any actual breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data processed by The Supplier.
7. SUBCONTRACTING AND SUBPROCESSING
7.1 The Supplier may subcontract all or part of the processing of Personal Data if:
7.1.1 The Customer has provided its prior written approval for such subcontract; and
7.1.2 The Supplier and the subcontractor have entered into a written data processing agreement setting out obligations that are consistent with those set out in this Data Processing Agreement.
7.2 For the purpose of article 7.1, The Customer hereby approves the subcontracting of the processing of Personal Data to the subcontractors as described in Exhibit 1.2. The subcontractors described on our website will be deemed to be Approved Subcontractors for the purpose of this Data Processing Agreement.
7.3 The Supplier will, to the extent possible, notify The Customer in advance of any change to the list of subcontractors as described on our website https://trustedfamily.net/gdpr/subcontractors. Within 30 days after The Supplier’s notification of the intended change, The Customer may object to such change. The Customer’s objection shall be in writing and include The Customer’s specific reasons for its objection and options to mitigate, if any. If The Customer does not object within such period the respective subcontractor may be commissioned to process Personal Data. The Customer should also frequently check the link https://trustedfamily.net/gdpr/subcontractors to be informed about changes to subcontractors.
8. CROSS-BORDER TRANSFERS OF PERSONAL DATA
8.1 The Supplier may transfer Personal Data to a recipient in a country outside of the European Economic Area (such other country being a Third Country) if:
8.1.1 there has been an EU Commission finding of adequacy in respect of that Third Country pursuant to applicable Data Protection Legislation;
8.1.2 the transfer falls within the scope of the EU-US Privacy Shield program; or
8.1.3 the recipient has entered into a contract with The Customer that contains model clauses that have been approved by the EU Commission or another competent public authority in accordance with applicable Data Protection Legislation (each such contract a Data Transfer Agreement).
8.2 For the purpose of article 8.1.3 of this Data Processing Agreement, The Customer hereby grants to The Supplier a power of attorney to conclude Data Transfer Agreements in the name of and on behalf of The Customer with any recipients. If The Supplier executes Data Transfer Agreements on The Customer’s behalf, The Supplier shall include language similar to the following in those Data Transfer Agreements: “This Data Transfer Agreement is entered into between Younited S.A.’s customers, which have authorized Younited S.A. to enter into this Data Transfer Agreement in their name and on their behalf, as data exporters, and [name of recipient], as data importer.” The Supplier shall provide copies of Data Transfer Agreements signed under this article 8 to The Customer for approval and notification to supervisory authorities, where required.
9. AUDIT
9.1 The Supplier will provide The Customer with the information demonstrating The Supplier’s compliance with its obligations set out in this Data Processing Agreement.
9.1.1 Subject to thirty (30) calendar days’ prior written notice from The Customer, The Supplier will permit and reasonably cooperate with The Customer (or a third party auditor appointed by The Customer) to audit this compliance at reasonable intervals (but not more than once per calendar year), provided that:
9.1.1.1 the audit will:
9.1.1.2 not disrupt The Supplier’s business;
9.1.1.3 be conducted during business hours;
9.1.1.4 not interfere with the interests of The Supplier’s other customers;
9.1.1.5 not cause The Supplier to breach its confidentiality obligations vis-à-vis its other customers, suppliers or any other organisation; and
9.1.1.6 not exceed a period of two (2) business days;
9.1.2 The Customer (or its third-party auditor) will comply with The Supplier’s relevant security policies and appropriate confidentiality obligations; and
9.1.3 The Customer will reimburse The Supplier for its reasonable costs associated with the audit.
9.2 The Supplier may demonstrate its compliance with its obligations set out in this Data Processing Agreement by adhering to an approved code of conduct, by obtaining an approved certification, or by providing The Customer with an audit report issued by an independent third party auditor (provided that The Customer will comply with appropriate confidentiality obligations and not use this audit report for any other purpose).
10. ASSISTANCE WHEN HANDLING REQUESTS FROM DATA SUBJECTS
10.1 The Supplier will, to the extent possible and at The Customer’s costs and expenses, cooperate with The Customer when:
9.1.1 Handling requests from data subjects exercising their rights; and
9.1.2 Conducting any privacy impact assessments in connection with the provision of the Services.
11. TERM AND TERMINATION
11.1 This Data Processing Agreement enters into force on the Effective Date and will remain in force for as long as The Supplier will provide the Services under the Agreement.
12. RETURN/DESTRUCTION OF PERSONAL DATA
12.1 Within thirty (30) business days after expiration or termination of the Agreement, The Supplier will:
12.1.1 at the option of The Customer:
a) Return to The Customer in a then commonly used electronic format all Personal Data that, as of the termination date or expiration date, are in the possession or under the control of The Supplier; or
b) destroy or purge their computer systems and files of any Personal Data that, as of the termination date or expiration date, are in the possession or under the control of The Supplier; and
provide to The Customer a list of Personal Data that The Supplier is required by applicable law to retain after termination or expiration of this Agreement.
Exhibit 1.1: Description of data processing
Nature and purpose of processing
Provision of a web and mobile platform for governance, communication, collaboration and information sharing, information storage.
Data Subjects
Data subjects include the individuals about whom personal data is provided to The Supplier via the Services by (or at the direction of) The Customer or by The Customer’s end users, the extent of which is determined and controlled by The Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data subjects:
- Family members, shareholders, board members, beneficiaries, advisors, customers, business partners and vendors of The Customer (who are natural persons)
- Employees or contact persons of The Customer’s family members, shareholders, board members, customers, business partners and vendors (who are natural persons)
- Employees, agents, advisors, freelancers of The Customer (who are natural persons)
- The Customer’s users authorized by The Customer to use the Services (who are natural persons)
Categories of data
Personal Data relating to individuals provided to The Supplier via the Services, by (or at the direction of) The Customer or by The Customer’s end users, the extent of which is determined and controlled by The Customer in its sole discretion, and which may include but is not limited to Personal Data relating to the following categories of data:
- First, Middle and Last Name (current and former)
- Title
- Position
- Employer
- Personal and Business Contact Information (company, email, physical address, phone number)
- ID data
- Professional life data
- Personal life data
- Connection data
- Localization data
- Genealogy data
- Age
- Gender
- Marital status
- Photograph
- Site usage data
- Date of birth
- Religious or philosophical beliefs
- …
Special categories of data
The Customer may submit special categories of Personal Data to the Services as part of its Personal Data, the extent of which is determined and controlled by The Customer in its sole discretion.
Processing operations
The Personal Data will be processed in accordance with the Terms and the Data Processing Agreement.
Exhibit 1.2: Approved Subcontractors
As explained in articles 7.2 and 7.3 of the Data Processing Agreement, the list of our current and future subcontractors is available on our website at https://trustedfamily.net/gdpr/subcontractors.
Exhibit 1.3: Technical and Organisational Security Measures
These Security Measures are in effect on the signing date of the Offer of Services. Capitalized terms used herein but not otherwise defined have the meaning given to them in the Terms and/or the Data Processing Agreement.
The Supplier may in its sole discretion update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Information Security Program
- 1. Data Center and Network Security
  - i. Data Centers
    - 1. Infrastructure. The Supplier maintains geographically distributed data centers and stores all production data in physically secure data centers.
    - 2. Power. All data centers are equipped with a redundant power system with various mechanisms to provide backup power, such as uninterruptible power supply (UPS) batteries for short-term blackouts, over voltage, under voltage or any power instabilities, and diesel generators, for outages extending units of minutes, which allow the data centers to operate for days.
    - 3. Server Operating System. The Supplier uses a Linux-based operating system for the application environment with a centrally managed configuration. The Supplier has established a policy to keep systems up to date with necessary security updates.
    - 4. Business Continuity. The Supplier makes daily backups to help protect against accidental destruction or loss of data.
  - ii. Network and Transmission
    - 1. Data Transmission. The Supplier uses industry standard encryption schemes and protocols to encrypt data transmissions between the data centers. This is intended to prevent reading, copying or modification of the data.
    - 2. Incident Response. The Supplier’s security personnel will promptly react to discovered security incidents and inform the involved parties.
    - 3. Encryption Technologies. The Supplier’s servers support HTTPS encryption and The Supplier uses only industry standard encryption technologies.
- 2. Access and Site Controls
  - i. Site Controls
    - 1. Data Center Security Operations. All data centers in use by The Supplier maintain 24/7 on-site security operations responsible for all aspects of physical data center security.
    - 2. Data Center Access Procedures. Access to the data center is restricted so that only pre-approved authorized personnel can access The Supplier’s equipment.
    - 3. Data Center Security. All data centers are equipped with CCTV, on-site security personnel and a key card access system.
  - ii. Access Control
    - 1. Access Control and Privilege Management. The Customer’s administrators must authenticate themselves via an authentication system in order to administer the Services.
    - 2. Internal Data Access Processes and Policies – Access Policy. The Supplier’s internal data access processes and policies are designed to prevent unauthorized persons or systems from getting access to systems used to process Personal Data. The Supplier only provides access to a limited number of authorized personnel to production systems and servers.
- 3. Data
  - i. Data Storage, Isolation and Logging. The Supplier stores data in a combination of dedicated and multi-tenant environments on Supplier-controlled servers. The Supplier also logically isolates The Customer’s data. The Customer may enable data sharing, should the Services functionality allow it. The Customer may choose to make use of certain logging capability that The Supplier may make available via the Services.
- 4. Personnel Security
The Supplier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Personnel are required to execute a confidentiality agreement and must comply with The Supplier’s confidentiality, privacy and acceptable use policies. All personnel are provided with security training upon employment and then regularly afterwards.
Sub-processor Security
The Supplier enters into appropriate privacy, confidentiality and security contract terms with its Sub-Processors.