This General Data Protection Regulation Data Processing Agreement (this “DPA”) is entered into by and between Extensis and Partner, and governs Extensis’ Processing of Personal Data to the extent such Personal Data relates to natural persons in the European Economic Area (“EEA”) or Switzerland in connection with Extensis’ obligations under the Agreement. Unless otherwise indicated, all capitalized terms used but not defined in this DPA have the meanings given to them in Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”).
The parties agree that for the purposes of this DPA, Partner is a Data Controller and Extensis is a Data Processor.
1. Applicable Law. Extensis represents and warrants that it is in compliance with all applicable data protection laws.
2. Instructions from the Partner. Extensis will only Process Personal Data on documented instructions from Partner, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which Extensis is subject. Extensis will promptly inform Partner if following Partner’s instructions would result in a violation of applicable data protection law or where Extensis must disclose Personal Data in response to a legal obligation (unless the legal obligation prohibits Extensis from making such disclosure). For avoidance of doubt, Partner’s documented instructions include this DPA.
3. Confidentiality. Extensis will restrict access to Personal Data to those authorized persons who need such information to provide the Services. Extensis will ensure such authorized persons are obligated to maintain the confidentiality of any Personal Data.
4. Security. Extensis will implement appropriate technical and organizational measures to ensure a level of security appropriate to the Personal Data provided by Partner and Processed by Extensis.
5. Sub-processors. Partner agrees that Extensis may engage other Processors (“Sub-processors”) to assist in providing the Services consistent with this DPA. Extensis will make a list of such Sub-processors available through a website link. Partner will have 30 calendar days from the date the list is updated to object to Extensis’ use of new Sub-processors, after which time Partner will be deemed to have accepted Extensis’ list of Sub-processors. Partner’s objection will be effective only if it articulates objective, justifiable reasons why it believes new Sub-processors are not able to adequately protect Personal Data in accordance with this DPA or applicable data protection law.
6. Sub-processor Obligations. Where Extensis engages a Sub-processor for carrying out specific Processing activities on behalf of Partner, the same data protection obligations as set out in this DPA will be imposed on that Sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of EU data protection law. Where that Sub-processor fails to fulfil its data protection obligations, Extensis will remain fully liable to Partner for the performance of that Sub-processor’s obligations.
7. Access Requests. Extensis has implemented and will maintain appropriate technical and organizational measures needed to enable Partner to respond to requests from data subjects to access, correct, transmit, limit processing of, or delete any relevant Personal Data held by Extensis.
8. Recordkeeping. Upon a request issued by a supervisory authority for records regarding Personal Data, Extensis will cooperate to provide the supervisory authority with records related to Processing activities performed on Partner’s behalf, including information on the categories of Personal Data Processed and the purposes of the Processing, the use of service providers with respect to such Processing, any data disclosures or transfers to third parties and a general description of technical and organizational measures to protect the security of such data.
9. Cooperation. Extensis will cooperate to the extent reasonably necessary in connection with Partner’s requests related to data protection impact assessments and consultation with supervisory authorities and for the fulfillment of Partner’s obligation to respond to requests for exercising a data subject’s rights in Chapter III of the GDPR. Extensis reserves the right to charge Partner for its reasonable costs in collecting and preparing Personal Data for transfer and for any special arrangements for making the transfer.
10. Third Party Requests. If Extensis receives a request from a third party in connection with any government investigation or court proceeding that Extensis believes would require it to produce any Personal Data, Extensis will inform Partner in writing of such request and cooperate with Partner if Partner wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable law.
11. Transfer of Personal Data; Appointment. Partner authorizes Extensis to transfer, store or Process Personal Data in the United States or any other country in which Extensis or its Sub-processors maintain facilities. Partner appoints Extensis to perform any such transfer of Personal Data to any such country and to store and Process Personal Data in order to provide the Services. Extensis will conduct all such activity in compliance with this DPA, applicable law and Partner’s instructions.
12. Data Transfers Outside of the EU. To the extent that the Services involve a transfer of Personal Data originating from either party’s systems in the EEA or Switzerland to Extensis’ systems located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission, such transfer will be subject to Extensis’ EU-US or Swiss-US Privacy Shield certification, or if Extensis is not then certified to the EU-US and Swiss-US Privacy Shields, the parties will execute the applicable standard contractual clauses annexed to EU Commission decisions 2001/497/EC, 2004/915/EC, or 2010/87/EU.
13. Retention. Personal Data received from Partner will be retained only for so long as may be reasonably required in connection with Extensis’ performance of this DPA or as otherwise required under applicable law.
14. Deletion or Return. At the choice of Partner, Extensis will delete or return all the Personal Data Processed in connection with the Services to Partner after the end of the provision of such Services, and delete existing copies unless applicable law requires storage of the Personal Data. Extensis will relay Partner’s instructions to all Sub-processors.
15. Breach Notification. After becoming aware of a Personal Data Breach, Extensis will notify Partner without undue delay of: (a) the nature of the data breach; (b) the number and categories of data subjects and data records affected; and (c) the name and contact details for the relevant contact person at Extensis.
16. Audits. Upon request, Extensis will make available to Partner all information necessary, and allow for and contribute to audits, including inspections, conducted by Partner or another auditor mandated by Partner, to demonstrate compliance with Article 28 of the GDPR. For clarity, such audits or inspections are limited to Extensis’ Processing of Personal Data only, not any other aspect of Extensis’ business or information systems. If Partner requires Extensis to contribute to audits or inspections that are necessary to demonstrate compliance, Partner will provide Extensis with written notice at least 60 days in advance of such audit or inspection. Such written notice will specify the things, people, places or documents to be made available. Such written notice, and anything produced in response to it (including any derivative work product such as notes of interviews), will be considered Confidential Information and will remain Confidential Information in perpetuity or the longest time allowable by applicable law after termination of this DPA. Such materials and derivative work product produced in response to Partner’s request will not be disclosed to anyone without the prior written permission of Extensis unless such disclosure is required by applicable law. If disclosure is required by applicable law, Partner will give Extensis prompt written notice of that requirement and an opportunity to obtain a protective order to prohibit or restrict such disclosure except to the extent such notice is prohibited by applicable law or order of a court or governmental agency. Partner will make every effort to cooperate with Extensis to schedule audits or inspections at times that are convenient to Extensis. 
If, after reviewing Extensis’ response to Partner’s audit or inspection request, Partner requires additional audits or inspections, Partner acknowledges and agrees that it will be solely responsible for all costs incurred in relation to such additional audits or inspections.