What is a data-processing agreement?

This data-processing agreement (DTA) is the basis of the relationship between you (the customer), as data controller, and Professor Moriarty, the service provider, as subcontractor (“data processor”) under data protection legislation (GDPR).

It is an essential agreement which constitutes the contractual basis of the data processing that we carry out on your behalf. It explains how your data can be processed and for what purpose. We process your personal data only as needed and according to your instructions, as stated in the Agreement.

Due to the volume of our customers, it would be impossible to conclude individually signed agreements with all our users. We also hope that the ease of agreement with this DTA will ensure that acceptance of the new General Terms and Conditions, to satisfy the GDPR, will take less time for you as an entrepreneur.

This DTA ensures that we (Professor Moriarty), as your subcontractor, meet the requirements of the GDPR. You are furthermore assured that we maintain the required agreements with all our third parties. The details of your business are automatically entered into your account when you accept the terms of use and the privacy policy, including the DTA. Your information will always represent the most recent information that you have provided us. The DTA is detailed below for more information.

Agreement on data processing

Between:

Customer’s name (hereinafter “the customer” or “controller”) [This information will be automatically filled out once you have completed your registration]

And

Professor Moriarty GmbH. Choriner Str. 34 10435 Berlin, Germany (hereinafter ‘Professor Moriarty’ or ‘subcontractor’)

each being a “party”; together “the parties”,

HAVE AGREED to the terms of this data processing contract (hereinafter the “DTA” or “Agreement”) on the protection of personal data concerning the processing of personal data when the customer acts as controller and Professor Moriarty acts as a subcontractor to fulfill the service obligations described in the service agreement (detailed below). In performing these service obligations, Professor Moriarty will process certain personal data on behalf of the controller in accordance with the terms of this agreement. Each party agrees and will ensure that the terms of this agreement are also fully applicable to its affiliates who may be involved in the processing of personal data for the project defined in the service agreement. More specifically, Professor Moriarty will ensure that all subcontractors operate under the same conditions as this agreement when processing the customer’s personal data.

Introduction and definitions

“Personal data” is defined as any information relating to a data subject, and by which it can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person (if any).

All other definitions mentioned here, including the terms “controller” and “processor”, are determined by data protection laws, including regulation 2016/679 of 27 April 2016 (hereinafter “GDPR”).

Sensitive personal data are not considered processed as part of the application service offered by the data center and are therefore excluded from the terms of this contract.

By registering to use the Professor Moriarty software and accepting the Terms and Conditions, including the Privacy Policy and this DTA, the parties agree, under all national data protection laws and the GDPR, that this Agreement governs the relationship between the controller and the subcontractor, defining the treatment of the customer’s personal data by Professor Moriarty. This Agreement takes priority unless it has been superseded by another signed DTA that takes precedence over this Agreement.

The treatment of the Customer’s Personal Data by Professor Moriarty is intended to ensure the full use of the Service by the Customer and to allow this Agreement to be complied with. Professor Moriarty ensures that sufficient security of personal data is maintained at all times.

Both parties confirm their authority to sign the agreement by doing so.

Responsibilities of the subcontractor

The subcontractor must manage all personal data on behalf of the controller and follow their instructions. In concluding this Agreement, Professor Moriarty (and all subcontractors with whom the subcontractor has a legal agreement for services) is responsible for processing the customer’s personal data:

  1. In accordance with all national and Agency laws
  2. To fulfill its obligations under the conditions of the service request
  3. According to the instructions of the controller
  4. As described in this agreement

To provide its service, the subcontractor is required to always provide the Customer with adequate solutions to support the ongoing development of its business, using the service. The subcontractor tracks how the Customer uses the App to make the best suggestions possible, provide relevant services at all times, and send accurate communications for ease of use and improved customer satisfaction. Regarding the processing of personal data of the application, they are processed only in accordance with this DTA, and applicable law, and are shared only as needed, to provide a better customer experience.

Given the technology available and the costs of implementation, as well as the scope, context and purpose of the treatment, the subcontractor must take all reasonable measures, including technical and organizational, to ensure a level of security sufficient to protect personal data. The subcontractor shall assist the controller by taking the appropriate technical and organizational measures, taking into account the nature of the processing and the category of information available to the subcontractor, to ensure compliance with the subcontractor’s obligations within the framework of data protection laws. The subcontractor must notify the controller without delay if the former becomes aware of a security breach.

In addition, the processor must, as far as possible and legally permitted, inform the controller if a request for information on the data held (request for access to data) is made by an organization to which the data should be provided. The subcontractor will respond to such requests once it has been authorized by the controller to do so. The subcontractor will also not disclose information about this contract unless the controller is required by law to do so, for example by court order.

If the data controller needs information or assistance regarding data security, or documentation or information on how the processor usually deals with personal data, he may request this information from the subcontractor.

The subcontractor, its employees and affiliates must ensure the confidentiality of the personal data processed under the contract. This provision continues to apply after termination of the Agreement, regardless of the reason for the termination.

Responsibilities of the controller

The controller confirms, by signing this agreement, that when using the application, he must be able to process his data freely in accordance with all legal data protection requirements, including the GDPR. They give their explicit consent to the processing of their personal data at any time during the use of the service.

The controller may revoke this consent at any time, but in doing so terminates the agreement and the subcontractor will no longer be able to provide the service.

The Customer has a legal basis to process the Personal Data with the subcontractor (including subcontractors), with the help of Professor Moriarty’s services.

The controller is responsible at all times for the accuracy, integrity, content and reliability of the personal data processed by the subcontractor. They have fulfilled all the mandatory requirements regarding the notification or obtaining the permission of the competent public authorities concerning the processing of personal data. In addition, they have fulfilled their disclosure obligations to the competent authorities with regard to the processing of personal data in accordance with all applicable data protection laws.

The controller must have a clear list of the categories of personal data he processes, especially if this treatment differs from the categories listed by the subcontractor in Annex A.

Agreement on data transfer and use of subcontractors

In order to provide the service to the controller, the subcontractor uses subcontractors. These subcontractors may be third-party suppliers both inside and outside the EU / EEA. The data processor shall ensure that all subcontractors comply with the obligations and requirements of this agreement, and in particular that their level of data protection complies with the standards required by the relevant data protection legislation. If a jurisdiction does not fall within the scope of the EU / EEA and does not appear on the list of satisfactory data protection levels approved by the Agency Commission, a specific agreement is concluded between Professor Moriarty and this subcontractor to ensure maintaining all personal data in accordance with the requirements of the current EU data protection law.

Subcontractors of the data provider are listed in the list of subcontractors attached: List of subcontractors

This Agreement constitutes the specific and explicit prior consent of the controllers to the use of subcontractors by the subcontractor, who may sometimes be based outside the EU / EEA, or territories approved by the Agency Commission.

The controller may revoke this consent at any time, but in doing so terminates the agreement and the data center will no longer be able to provide the service.

If a deputy director is established or stores personal data outside the territories approved by the EU / EEA or the Agency Commission, the subcontractor is responsible for guaranteeing the transfer of personal data to a third country on behalf of the controller. This includes the use of standard Agency Commission contracts or specific measures that have been previously approved by the Agency Commission.

The controller must be informed before the subcontractor replaces his subcontractors. The controller may then oppose a new subcontractor who processes his personal data on behalf of the subcontractor, but only if the subcontractor does not process the data in accordance with the relevant legislation on data protection. The subcontractor can demonstrate compliance by providing the controller with access to the data protection assessment performed by the subcontractor.

If the controller continues to oppose the use of the subcontractor, he may terminate his subscription to the service without the usual notice period, and then ensure that his personal data are not processed by the subcontractor not privileged.

Duration of the agreement

The agreement remains valid as long as the subcontractor processes the Personal Data with the use of the application by the subcontractor, and unless it is replaced by another signed DTA that takes precedence over this Agreement.

Termination of the agreement

In the event of termination of the subscription, the subcontractor deletes all personal data, except those which he is required to keep under the applicable legal provisions and, in this case, will be kept in accordance with the technical and organizational guarantees of Professor Moriarty.

The controller has the complete ability to recover all his personal data in the application. If the controller requests assistance in data recovery, the associated costs will be determined by mutual agreement between the parties and will depend on the complexity of the requested process and the time required to complete it in the chosen format.

Amendments to the agreement

Amendments to the Agreement should be included in a separate annex to the Agreement.

If any provision of the contract is found to be invalid, this does not affect the other provisions. The parties will replace the invalid provisions with a legal provision that reflects the purpose of the invalid provision.

Audits

The controller is authorized to review the subcontractor’s obligations under the agreement once a year. If the subcontractor is required to do so under applicable law, audits may be repeated once a year. A detailed audit program must be provided detailing the scope, duration and start date at least four weeks before the proposed start date. The parties decide together whether a third party should perform the audit. However, the controller may allow the subcontractor to have the safety review performed by a neutral third party, chosen by the subcontractor if it is a processing environment in which responsible for the treatment are processed.

If the proposed scope of the audit is covered by an ISAE, ISO, or similar certification report issued by a qualified third-party auditor within the last twelve months, and the subcontractor confirms that there are no significant changes in the measures examined, this will be satisfactory for any request received within this period. Audits must not unreasonably interfere with the usual activities of the subcontractor. The controller is responsible for all costs associated with the review request.

Responsibilities and jurisdictions

Liability for actions arising from a violation of the provisions of this Agreement is governed by the liability and indemnification provisions in the Subscription Conditions in Section 13. This also applies to any breach by the sub-processors data processing. This agreement is governed by the German courts which have exclusive jurisdiction to rule on any dispute concerning it.

Annex A

Appendix A – Categories of Personal Information and Standard Treatment Categories

A. Categories of Personal Information (non-exhaustive list)

  1. Name
  2. Address
  3. Phone numbers
  4. Electronic address(es)
  5. Address(es)
  6. Any account number and / or bank details

B. Standard treatment categories (non-exhaustive list)

  1. Employees of the controller
  2. The contacts of the controller (phone / email / addresses, etc.)
  3. Clients of the controller
  4. The bank details of the controller
  5. The employees of their clients
  6. The contacts of their customers (phone / email / addresses, etc.)
  7. Customers of their customers
  8. Banking information of their customers