DATA PROCESSING AGREEMENT
DPA
The provision of the Services by SSC International Ltd (“SSC”) involves Personal Data processing activities carried out by SSC, as Data Processor, on behalf of the Client, as Data Controller.
This DPA aims to regulate the conditions applicable to the Personal Data processing activities performed by SSC on behalf of the Client, ensuring compliance with Article 28 paragraphs (3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”), and other applicable data protection legal requirements.
The following clauses shall be applicable to SSC and the Client:
Clause 1
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex I.
Clause 2
Obligations of the Parties
2.1. Instruction
2.2. Purpose limitation
The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the controller.
2.3. Duration of the processing of personal data
Processing by the processor shall only take place for the duration specified in Annex I.
2.4. Security of processing
2.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
2.6. Documentation and compliance
2.7. Use of sub-processors
2.8. International transfer
Any transfer of data to a third country or an international organization by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfill a specific requirement under the law to which the processor is subject and shall take place in compliance with the applicable data protection legal requirements.
Clause 3
Assistance of the controller
Clause 4
Notification of personal data breach
In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its legal obligations, where applicable, taking into account the nature of processing and the information available to the processor.
4.1. Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4.2. Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
Clause 5
Non-compliance with the DPA and termination
Description of the processing
Categories of data subjects whose personal data is processed: the audience.
Categories of personal data processed: name, surname, contact details (e-mail address), company, role.
Nature of the processing: normal processing, which does not involve automated decision-making, including profiling.
Purpose(s) for which the personal data is processed on behalf of the controller: provision of the contractual services – market research and custom audience building, e-mailing, monitoring campaigns and data analytics.
Duration of the processing: during the provision of the services.
Technical and organizational measures including technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons: