Data Processing AgreementDownload Data Processing Agreement
This Data Processing Agreement (the “Agreement”) is between the Customer and XTM International (the “Parties”) and shall take effect and become binding between them:
As per the XTM Subscription Agreement (the “Principle Agreement”) entered into between the Parties for the Services;
to the extent that XTM International processes Customer Personal Data for which they are deemed Data Controllers;
and where this Agreement is required under the applicable Data Protection legislation.
For the purpose of the Data Protection Law, the Parties acknowledge that the Customer is the Controller and that XTM International is the Processor in respect of any Personal Data.
This Agreement sets out the additional terms and conditions under which the Processor will process Personal Data on behalf of the Controller when providing Services under the Principle Agreement.
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this Agreement.
In this Agreement:
Business Purposes means the services described in the Principle Agreement or any other purpose specifically identified in Annexure A.
Controller means the entity that determines the purposes and means of the processing of Personal Data.
Data Protection Laws means any data protection and privacy laws applicable to the processing of Personal Data under this Agreement including EU Data Protection Law and, to the extent applicable, the data protection or privacy laws of any other country;
Data Subject means an individual who is the subject of Personal Data.
EU Data Protection Law means both (i) Directive 94/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
Personal Data means any information relating to an identified or identifiable natural person that is processed by the Processor as a result of, or in connection with, the provision of the services under the Principle Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data Breach means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Process means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means the entity that processes Personal Data on behalf of a Controller.
Standard Contractual Clauses (SCC) means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU, a copy of which comprises Annexure B.
Sub-processor means any person (including any third party and any Processor Affiliate, but excluding an employee of the Processor) appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Principal Agreement; and
Services means the services and other activities to be supplied to or carried out by or on behalf of the Processor for the Controller pursuant to the Principal Agreement;
Supervisory Authority means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has supervisory authority and jurisdiction over Controller.
- This Agreement is subject to the terms of the Principle Agreement and is incorporated into the Principle Agreement.
- The Annexes to this Agreement form part of this Agreement and shall have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.
- Clause, annexure and paragraph headings shall not affect the interpretation of this Agreement.
- A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.
- A reference to writing or written includes faxes but not e-mail.
- Where the words include(s), including or in particular are used in this Agreement, they are deemed to have the words without limitation following them. Where the context permits, the words other and otherwise are illustrative and shall not limit the sense of the words preceding them.
- In the case of conflict or ambiguity between:
- any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
- the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail;
- any of the provisions of this Agreement and the provisions of the Principle Agreement, the provisions of this Agreement will prevail; and
- any of the provisions of this Agreement and any executed SCC, the provisions of the executed SCC will prevail.
OBLIGATIONS, PERSONAL DATA TYPES AND PROCESSING PURPOSES
- Annexure A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Processor may process the Personal Data to fulfil the Business Purposes of the Principle Agreement.
- The Controller’s prior written authorisation is required to process the Personal Data or for transferring the Personal Data to any country or international organisation as reasonably necessary for the provision of the Services and must be consistent with the Principal Agreement and Business Purpose.
- Obligations of the Controller:
- The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Law, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.
- The Controller shall refrain from providing instructions which are not in accordance with applicable laws including Applicable Data Protection law, and, in the event that such instructions are given, the Processor is entitled to resist carrying out such instructions.
- Obligations of the Processor:
- The Processor will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Law. The Processor must promptly notify the Controller if, in its opinion, the Controller’s instruction would not comply with the Data Protection Law.
- The Processor will keep detailed, accurate and up-to-date records regarding any processing of Personal Data it carries out for the Controller. The Processor will ensure that the Records are sufficient to enable the Controller to verify the Processor’s compliance with its obligations under this Agreement and the Processor will provide the Controller with copies of the Records upon reasonable request.
- Processor must promptly comply with any Controller’s request or instruction requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
- The Processor will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Controller or this Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Processor to process or disclose Personal Data, the Processor must first inform the Controller of the legal or regulatory requirement and give the Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.
- The Processor will reasonably assist the Controller with meeting the Controller’s compliance obligations under the Data Protection Law, taking into account the nature of the Processor’s processing and the information available to the Processor, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Law.
- The Processor must promptly notify the Controller of any changes to Data Protection Law that may adversely affect the Processor’s performance of the Principle Agreement.
3. PROCESSOR EMPLOYEES AND AFFILIATED PERSONNEL
- The Processor will ensure that all employees or persons authorised to process the Persona Data:
- Are advised of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of this Personal Data; and
- Are aware of both the Processor’s duties and their personal duties and obligations under the Data Protection Law and this Agreement.
- The Processor will take reasonable steps to ensure the reliability of any employee or authorised person who may have access to the Personal Data.
- The Processor will ensure that access to the personal data is granted only to the extent that this is necessary for the performance of the data processing operations as instructed by the Controller.
- The Processor will ensure that any authorised person who has access to the Personal Data does not process it except on instruction.
- The Processor shall not appoint a third party (Sub-processors) to process Personal Data unless it has received prior written consent from the Controller. In such circumstances the Controller must be provided with an opportunity to object to the appointment of each Sub-processor after the Processor supplies the Controller with full details regarding such Sub-processor.
- The Processor must enter into a written contract with the Sub-processor that contains terms substantially the same as those set out in this Agreement, providing sufficient guarantees that appropriate technical and organisational measures will be implemented when Processing the Personal Data. The Processor should exercise control over all Personal Data it entrusts to the Sub-processor.
- Those Sub-processors approved as at the commencement of this Agreement are set out in Annexure A. The Processor must list all approved Sub-processors in Annexure A and include any sub-processor’s name and location and contact information for the person responsible for privacy and data protection compliance.
- Where the Processor has engaged a Sub-processor, the Processor shall be fully liable for the fulfilment of all obligations by the Sub-processor.
- Both the Processor and the Controller shall at all times maintain, evaluate and, where necessary, adapt and update appropriate technical and organisational measures to protect against any form of unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annexure C.
- Such measures guarantee, taking into account the nature, scope, context and purposes of processing, the state of the art and the cost of implementation, an appropriate level of security in view of the risks of varying likelihood and severity entailed by the processing of the data to be protected, and are in accordance with the provisions of the guidelines and Article 32 of the GDPR. They further include as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services the ability to restore the availability;
- and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
- At the Controller’s request, the Processor shall make all information available that is necessary to prove that the provisions of this clause 5.3 have been complied with.
6. PERSONAL DATA BREACH
- The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting the Personal Data. It must provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform the Data Subjects of the Personal Data Breach or the Supervisory Authority under the Data Protection Laws.
- Such notification shall as a minimum:
- describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
- communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken to address the Personal Data Breach.
- The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- The Processor will not inform any third party of any Personal Data Breach without first obtaining the Controller’s prior written consent, except when required to do so by law.
- The Processor agrees that the Controller has the sole right to determine:
- whether to provide notice of the Personal Data Breach to any Data Subjects, Supervisory Authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Controller’s discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
- The Processor will cover all reasonable expenses associated with the performance of the obligations under this clause 6 unless the matter arose from the Controller’s specific instructions, negligence, wilful default or breach of this Agreement, in which case the Controller will cover all reasonable expenses.
7. DATA IMPACT ASSESSMENT
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required of the Controller by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available.
8. CROSS-BORDER TRANSFERS OF PERSONAL DATA
- Prior written consent is required from the Controller if the Processor (or any Sub-processor) is to transfer or process Personal Data outside the European Economic Area (EEA).
- Where such consent is granted, the Processor may only process, or permit the processing, of Personal Data outside the EEA under the following conditions:
- the Processor is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Law that the territory provides adequate protection for the privacy rights of individuals. The Processor must identify in Annexure A the territory that is subject to such an adequacy finding; or
- the Processor participates in a valid cross-border transfer mechanism under the Data Protection Law, so that the Processor (and, where appropriate, the Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The Processor must identify in Annexure A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Processor must immediately inform the Controller of any change to that status; or
- the transfer otherwise complies with the Data Protection Law for the reasons set out in Annexure A.
- If any Personal Data transfer between the Controller and the Processor requires execution of SCC in order to comply with the Data Protection Law (where the Controller is the entity exporting Personal Data to the Processor outside the EEA), the parties will complete all relevant details in, and execute, the SCC contained in Annexure B, and take all other actions required to legitimise the transfer.
- The terms of the Standard Contractual Clauses outlined in Annex B will apply where the applicable transfer of Customer Personal Data is (a) not subject to the laws of a jurisdiction recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Legislation); or (b) not covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for personal data. In the event of any conflict or inconsistency between the provisions of this Addendum and the Standard Contractual Clauses outlined in Annex B, the provisions of the Standard Contractual Clauses shall prevail. In the event that any provision of the Standard Contractual Clauses is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the Standard Contractual Clauses and the terms of this Addendum shall remain operative and binding on the parties.
- If the Controller consents to appointment by the Processor located within the EEA of a Sub-processor located outside the EEA in compliance with the provisions of clause 8, then the Controller authorises the Processor to enter into SCC contained in Annexure B with the Sub-processor on its behalf. The Processor will make the executed SCC available to the Controller on request.
9. DATA SUBJECT RIGHTS
- Taking into account the nature of the Processing, the Processor shall, assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, to enable the Controller to respond to requests to exercise Data Subject rights under the Data Protection Law.
- The Processor shall:
- promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of any Personal Data;
- give the Controller its full co-operation and assistance in responding to any Data Subject request; and
- not disclose the Personal Data to any Data Subject or to a third party other than at the Controller’s request or instruction, as provided for in this Agreement or as required by law.
10. TERM AND TERMINATION
- This Agreement will remain in full force and effect so long as:
- the Principle Agreement remains in effect; or
- the Processor carries out Personal Data processing operations or retains Personal Data on behalf of Controller (“Term”).
- Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Principle Agreement in order to protect Personal Data will remain in full force and effect.
- Failure to comply with the terms of this Agreement is a material breach of the Principle Agreement. In such event, the Controller may temporarily suspend [the Principle Agreement or any part of the Principle Agreement authorising the processing of Personal Data until the breach is repaired or the Agreement is terminated.
11. DATA RETURN AND DESTRUCTION
- Upon instruction by the Controller or termination or expiry of the Principle Agreement, the Processor will either:
- give the Controller a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Controller; or
- will delete and procure the deletion of all copies of the Personal Data and demonstrate to the satisfaction of the Controller that it has taken such measures.
- At the request of Controller, the Processor shall return and not retain, the Personal Data in its possession or control.
- If any law, regulation, or government or regulatory body requires the Processor to retain any documents or materials that the Processor would otherwise be required to return or destroy, it will notify the Controller in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
- The Processor will certify in writing that it has destroyed the Personal Data within 7 days after it completes the destruction.
- The Processor shall make available to the Controller or its third-party representative all information required to demonstrate compliance with this Agreement in relation to the process of Private Data. This may be accomplished through annual audits or inspections by the Controller on at least 14 days written notice to the Processor at any time during the term of this Agreement.
- The Processor shall give every assistance to that end and provide in a timely manner such information relevant to the audit as is necessary to be able to prove compliance with the obligations contained in Article 28 of the GDPR.
- The notice requirements in clause 12.1 will not apply if the Controller reasonably believes that a Personal Data Breach occurred or is occurring, or the Processor is in breach of any of its obligations under this Agreement or any Data Protection Law.
- The Controller shall appoint an audit representative to undertake the audits. When undertaking an audit, the Controller shall make reasonable endeavours to avoid causing (or, if it cannot avoid, to minimise) any damage, injury or disruption to the Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The Controller shall also abide by all security and safety measures in place on the Processor’s premises. The Processor need not give access to its premises for the purposes of such an audit or inspection is performed outside of normal business hours, unless the audit or inspection needs to be conducted on an emergency basis and the Controller has given notice to the Processor.
- The costs of an audit are payable by the Controller, unless the audit shows that the Processor has acted contrary to this agreement or has failed to take appropriate measures, taking into account the state of the art and the cost of implementation, in view of the risks entailed by the processing, the nature, the scope, the context and the purposes of the data to be protected.
- If a Personal Data Breach occurs or is occurring, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Law, the Processor will:
- promptly conduct its own audit to determine the cause;
- produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
- provide the Controller with a copy of the written audit report; and
- remedy any deficiencies identified by the audit as soon as possible.
- At the Controller’s written request, the Processor will:
- conduct an information security audit before it first begins processing any Personal Data and repeat that audit on an annual basis;
- produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;
- provide the Controller with a copy of the written audit report; and
- remedy any deficiencies identified by the audit within as soon as possible.
- On the Controller’s written request, the Processor will make all of the relevant audit reports available to the Controller for review. The Controller will treat such audit reports as the Processor’s confidential information under this Agreement.
Each Party indemnifies the other, at its own expense, against all costs, claims, damages or expenses incurred by a Party due to any failure by the other Party to comply with any of its obligations under this Agreement or the Data Protection Law.
14. DISPUTE RESOLUTION AND GOVERNING LAW
The Parties hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Agreement, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this Agreement and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the addresses set out in Annexure A.
If any court or competent authority finds that any provision or part of this Agreement is invalid, illegal or unenforceable, that provision or part shall, to the extent required, be deemed to be deleted, and the remaining provisions of this Agreement shall continue in full force and effect.
No variation of this Agreement (or any document referred to in it) shall be effective unless it is in writing and signed by, or on behalf of, each of the Parties to this Agreement.
IN WITNESS WHEREOF, the Parties hereto have caused this Agreement to be executed by their respective authorised representatives to be effective as of the date first above written.
ANNEXURE A: PERSONAL DATA PROCESSING PURPOSES AND DETAILS
1. The Duration of Processing:
The Personal Data shall be processed for as long as the obligation to process the Personal Data under the Principle Agreement continues.
2. The Nature of Processing and the Business Purposes:
The processing purpose is to provide software solutions operated by the Data Processor that allow the Data Controller to translate electronic documents from a source language to one or more target languages.
XTM International shall store and process information entered by the Customer’s end users as required for the operation of the Services.
The Processor only obtains and uses personal information for the following purposes:
- Translating electronic documents;
- Managing User Accounts.
3. Personal Data Categories:
The following Personal Data Categories are processed:
- First name
- Last name
- Email address
- Default currency
- Telephone number
- Mobile phone number
- Source and target languages
- Subject matter specialization
- Rate cards
- Access rights to XTM International (e.g. which customer data can be accessed etc.)
- Rating (score card for quality etc.)
- Tasks allocated
- Any source text for translation which may contain personal data that is uploaded to XTM
4. Data Subject Types:
Users of the Customers web and mobile applications.
5. Processing Personal Data outside the EEA:
On request of the Data Controller the Data Processor can process data outside of the EEA
6. Approved Sub-processors:
- Name. OVH
Contact Person: Grégory Gitsels –
Data Protection Officer
Phone number: +44 333 370 0425
Address: Roubaix, France
- Name. Amazon Web Services
ANNEXURE B: STANDARD CONTRACTUAL CLAUSES
EU Standard Contractual Clauses
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
The EU Standard Contractual Clauses are available at the following link http://data.europa.eu/eli/dec/2010/87/oj. The Parties hereby agree that by reference to this link the EU Standard Contractual Clauses shall be deemed incorporated into this Data Processing Agreement and made an integral part of it.
ANNEXURE C: SECURITY MEASURES
The technical and organizational data security measures in place are the following:
- The Processor does not maintain any servers on site. All personal information is stored on secure hosted platforms.
- The Processor’s staff are only given access to electronic filing systems and folders to the extent that this is necessary to enable each staff member to fulfil his or her duties.
- Access to hosted data systems is password-protected and only current authorised staff have access.
- Staff only use laptops provided by the Processor.
- Staff use their own mobile phones for the Processor’s business. Members of staff who handle personal information of members and guests connected to the XTM programme are obliged to password-protect and encrypt their telephones and allow them to be remotely accessed and wiped in the event of loss or theft. Other members of staff are encouraged to do the same.
- Staff are required to log-off from systems and laptops when not in use.
- Staff are provided with training and guidance on the secure use of electronic devices in public and the associated risks.
- The Processor does not maintain any paper records containing personal information.
- The Processor ensures that its physical premises are secure from theft and other intrusion.
- The management of the Processor’s IT systems is the delegated responsibility of a third-party provider. The Managing Director is responsible for ensuring that these services provide an appropriate level of security. The Processor’s IT systems are reviewed for data security compliance purposes at intervals of no more than 12 months.
- The Processor’s full security program and policy document is available on request.