DATA PROCESSING AGREEMENT
1 DEFINITIONS AND INTERPRETATION
- Definitions. Capitalized terms set forth in this Data Processing Agreement (“DPA”) have the meaning ascribed thereto hereunder and cognate terms shall be construed accordingly:
“Company Personal Data” means any Personal Data Processed by a Processor or Subprocessor on behalf of Company pursuant to or in connection with the Agreement.
“Controller” means the entity that determines the purposes and means of Processing Personal Data.
“Data Protection Laws” means data protection or privacy laws and regulations directly applicable to Provider’s Processing of Company Personal Data under the Agreement, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and any national data protection laws, implementing regulations, or binding decisions made under the GDPR.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relate.
“Data Subject Request” means a request from a Data Subject exercising his or her rights under Data Protection Laws that relates to Company Personal Data and identifies such Data Subject.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
“Personal Data Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity that Processes Personal Data on behalf of a Controller.
“Subprocessor” means any Processor (including any third party and any Provider Affiliate, but excluding an employee of Provider or any employee of its Subcontractors) appointed by Provider or an Affiliate of Provider to Process Company Personal Data on Provider’s or its Affiliates’ behalf while providing the Cloud Services or Professional Services.
The terms “Data Subject”, “Personal Data”, “Processing”, and “Supervisory Authority” shall have the meaning ascribed thereto in the GDPR, and their cognate terms shall be construed accordingly.
- Interpretation. Any other capitalized term not defined in this DPA or any document referenced therein shall have the same meaning ascribed thereto in the Master Agreement.
- A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time. Any words following the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2 SCOPE AND ROLES
- Scope. This DPA applies when Provider Processes Company Personal Data in providing the Cloud Services or Professional Services under the Agreement to Company and its Affiliates. If Provider Processes Personal Data on behalf of a Company Affiliate, Company is entering into this DPA on behalf of itself and such Affiliate to the extent required under the Data Protection Laws.
- Roles. The Parties agree that Company is a Controller and Provider is a Processor with respect to the Processing of Company Personal Data in relation to the Cloud Services and/or Professional Services under the Agreement.
- Notwithstanding anything to the contrary, Provider may Process certain Personal Data provided by Company as a Controller, if so stipulated in the Agreement/Statement of Work. This DPA does not apply to such Processing.
- The categories of Data Subjects and of Company Personal Data, the respective data protection officers or representatives, and the region of the data centers hosting Company Personal Data, are identified in Annex 1.
3 DUTIES OF THE PARTIES
- Provider Obligations. Provider shall:
a) comply with all Data Protection Laws applicable to it as a Processor in the Processing of Company Personal Data;
b) Process Company Personal Data only on the basis of the Agreement and this DPA, only to the extent and in the manner necessary to provide the relevant Cloud Services and Professional Services, and in accordance with the documented instructions of Company, unless Processing is required by any Data Protection Laws to which Provider or the relevant Subprocessor is subject, in which case Provider shall, to the extent permitted by applicable Data Protection Laws, inform Company of that legal requirement before the relevant Processing of that Company Personal Data;
c) notify Company without undue delay if Provider reasonably determines that (i) it can no longer meet its obligations under this DPA (including to follow Company’s instructions) or Data Protection Laws; or (ii) any Processing instruction of Company infringes Data Protection Laws; and, in such event, Provider shall enter into such further agreements as Company requests that are required to comply with Data Protection Laws.
- Provider shall promptly notify Company of any complaints received or any notices of investigation or non-compliance from any Supervisory Authority or any similar regulatory authority in any country or territory relating to the collection or Processing of Company Personal Data. Company will handle all communications and correspondence with regulators relating to Company Personal Data. Provider shall cooperate with Company and the relevant Supervisory Authority or similar regulatory authority in the event of any investigation or litigation concerning Company Personal Data.
- If any Company Personal Data is requested or subject to an order for compelled disclosure by any law enforcement or security authorities or other government agencies, or Provider has any reason to believe that such request may be made, in each case Provider shall:
a) promptly redirect the third-party to request the Personal Data directly from Company and notify Company, unless prohibited under applicable law or by the relevant authority, in which case Provider shall communicate as much information to Company as soon as possible;
b) use all commercially reasonable efforts to challenge the request or order for disclosure on the basis of any relevant conflicts with the Data Protection Laws;
c) upon written request by Company, promptly suspend or cease Processing any Company Personal Data provided to it by or on behalf of Company; and
d) not transfer Company Personal Data to any law enforcement or security authorities or other government agencies in breach of the Data Protection Laws, unless such transfer is requested by Company or required under applicable law.
- Provider has the right to anonymize Company Personal Data Processed by it under this DPA and to use that anonymized data within Allshares Group as part of benchmark material used in the production of similar products and/or services and for developing the services of Allshares Group.
- Company Obligations. Company shall:
a) be responsible for ensuring that the Processing of Company Personal Data is undertaken in compliance with Data Protection Laws;
b) comply with all obligations under all applicable Data Protection Laws applicable to it as a Controller;
c) instruct Provider (and authorize Provider to instruct each Subprocessor) to: (i) Process Company Personal Data, and (ii) in particular, transfer Company Personal Data to any country or territory; solely for the purpose of the provision of the services in accordance with the terms of this DPA and the Agreement; and
d) warrant and represent that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out above.
4 SECURITY
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider will in relation to the Company Personal Data implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk. Information on beqom SA’s (which is Provider’s Subprocessor) technical and organizational measures can be found at https://www.beqom.com/technical-org-measures (noting that beqom SA may update said page from time to time).
- Provider will take appropriate steps to ensure compliance with the technical and organizational measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Company Personal Data have agreed to appropriate confidentiality obligations or are subject to a statutory confidentiality obligation.
5 SUBPROCESSING
- Company generally authorizes Provider to engage Subprocessors in accordance with this Section 5 and approves Provider’s use of the Subprocessors listed in Annex 1. Provider shall inform Company in advance of any addition or replacement of Subprocessors, giving thirty (30) calendar days’ prior written notice by email to Company’s contact person. Company may object to such engagement of a Subprocessor on reasonable grounds related to the protection of Company Personal Data by written notice to Provider within twenty (20) calendar days of Company’s receipt of the notice from Provider, in which case Provider may satisfy the objection by:
a) not using the Subprocessor to Process Company Personal Data;
b) taking the corrective steps requested by Company in its objection notice; or
c) ceasing to provide the parts of the services that involve the Subprocessor Processing Company Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Cloud Services considering their reduced scope.
- If none of the options outlined above is reasonably available and Company’s objection has not been resolved to the Parties’ mutual satisfaction within thirty (30) days of Provider’s receipt of the objection notice, either Party may terminate the affected Order Form and Provider will refund to Company a pro rata share of any unused amounts prepaid by Company under the applicable Order Form for Cloud Services on the basis of the remaining portion of the current term of the Order Form. If Company does not provide a timely objection notice with respect to a new Subprocessor, Company will be deemed to have authorized Provider’s use of the Subprocessor and to have waived its right to object.
- Provider will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Provider will be liable for the actions and omissions of its Subprocessors undertaken in connection with Provider’s performance under this DPA to the same extent Provider would be liable if performing the services directly.
- With respect to each Subprocessor, Provider shall ensure that:
a) the Subprocessor is capable of providing the level of protection for Company Personal Data required by the terms of the DPA, and
b) the arrangement between Provider and the relevant Subprocessor is governed by a written contract including terms, which offer at least the same level of protection for Company Personal Data as those set out in this DPA and meet at least the same level of requirements as those provided under the GDPR.
6 OBLIGATION TO ASSIST
- Assistance. Provider is obligated, taking into account the nature of the Processing of Personal Data and the data available and as further detailed in Sections 6(2) and 6(3), to assist Company in ensuring that Company complies with Art. 32-36 GDPR. Provider is obligated to assist Company only to the extent that applicable legislation obligates the Processor. To the extent permitted by the applicable law, Company will be responsible for any costs arising from Provider’s assistance.
- Data Subject Request. If Provider receives a Data Subject Request, Provider will:
a) advise the Data Subject to submit the request to Company directly, and
b) promptly notify Company of the request.
Where required by Data Protection Laws, Provider will, on Company’s request and taking into account the nature of Company Personal Data Processed, provide reasonable assistance to Company in fulfilling the Data Subject Request to the extent Company is unable through its business operations or its use of the Cloud Services to address a particular Data Subject Request on its own.
- Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Provider, Provider shall, when required by Data Protection Laws, provide reasonable assistance to Company with its obligations related to data protection impact assessments (where related to the Cloud Services, and only to the extent that Company does not otherwise have access to the relevant information) and prior consultation with Supervisory Authorities or other competent data privacy authorities, including by providing the information outlined in Section 7, where Company reasonably considers such assistance to be required under the Data Protection Laws, in each case solely in relation to Processing of Company Personal Data by Provider.
7 PERSONAL DATA BREACH
- Provider shall notify Company without undue delay (but in any event, within 48 business hours) upon becoming aware of a Personal Data Breach affecting Company Personal Data. Provider’s notification to Company will describe:
a) the occurred Personal Data Breach,
b) the nature of the Personal Data affected, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned,
c) a description of the likely consequences of the Personal Data Breach, and
d) a description of the measures that Provider has implemented or will implement to prevent Personal Data Breaches in the future and, if necessary, the measures to mitigate the harmful effects of the Personal Data Breach.
- If Provider cannot provide all the information above in the initial notification, Provider will provide the information to Company as soon as it is available.
- Provider will promptly take all actions relating to its technical and organizational measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.
8 TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
- Provider and its Subprocessors may from time to time Process Company Personal Data outside the EU/EEA when providing the services under the Agreement.
- In case Company Personal Data is transferred outside the EU/EEA, Provider shall ensure that the transfer is (a) to countries for which the European Commission has decided that they ensure an adequate level of data protection, or (b) subject to standard contractual clauses approved by the European Commission or other appropriate safeguards as described in Article 46 of the GDPR.
9 DELETION OR RETURN OF PERSONAL DATA
- Subject to Subsections 9(2) and 9(3), Provider shall promptly upon Company’s written request and in any event within thirty (30) days of the date of termination of the Agreement (the “Termination Date”) delete and procure the permanent and irrevocable deletion of all Company Personal Data from the Platform, back-ups included.
- Subject to Subsection 9(3), Company may in its absolute discretion by written notice to Provider within thirty (30) days of the Termination Date require Provider to:
a) return to Company by secure file transfer a complete copy of all Company Personal Data then under Provider’s control in a generally accepted industry-standard electronic format (e.g. csv, xls); and
b) delete and procure the permanent and irrevocable deletion of all other copies of Company Personal Data Processed by Provider and any Subprocessor.
- Provider shall comply with any such written request within thirty (30) days of the Termination Date and Company shall acknowledge in writing safe receipt of the returned Company Personal Data.
- Provider and each Subprocessor may retain Company Personal Data only to the extent required by applicable Data Protection Laws and only to the extent and for such period as required by the applicable Data Protection Laws, and always provided that Provider shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws requiring its storage, and for no other purpose.
- Without prejudice to the foregoing, Company agrees and acknowledges that Provider has no obligation to retain Company Data beyond the thirty (30) day period referred to above and that Company Personal Data shall be irretrievably deleted after thirty (30) days following the expiry or termination of the applicable Agreement. Provider shall not be liable to Company nor to any third party for any termination of Company’s access to the Cloud Services or for deletion of Company Personal Data in compliance with this Section 9.
10 AUDIT RIGHTS
- Subject to Subsections 10(2) to 10(4) hereunder, Provider shall make available to Company on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of Company Personal Data by Provider or its Subprocessors.
- Information and audit rights of Company only arise under Subsection 10(1) to the extent that the Agreement does not otherwise give Company information and audit rights meeting the relevant requirements of the applicable Data Protection Law.
- Except where required by a Supervisory Authority or other regulator, Company shall give Provider at least 30 business days’ prior notice of any audit or inspection to be conducted under Subsection 10(1) and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Provider’s or its Subprocessors’ premises, equipment, personnel and business while its personnel are on said premises in the course of such an audit or inspection. Auditors must sign a conventional non-disclosure agreement.
- Except where required by a Supervisory Authority or other regulator, neither Provider nor a Subprocessor need give access to its premises for the purposes of such an audit or inspection:
a) to any individual unless he or she produces reasonable evidence of identity and authority;
b) outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Company has given notice to Provider that this is the case before attendance outside those hours begins; or
c) for the purposes of more than one audit or inspection, in respect of Provider or a Subprocessor, in any calendar year, except for any additional audits or inspections which: (i) Company reasonably considers necessary because of genuine concerns as to Provider’s compliance with this DPA; or (ii) Company is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory; where Company has identified its concerns or the relevant requirement or request in its notice to Provider of the audit or inspection.
- Each Party will be responsible for its own expenses caused by the audit. If the audit discloses that Provider is in material breach of this DPA, Provider will compensate Company for the costs and expenses of the audit.
11 LIMITATION OF LIABILITY
Each Party’s liability taken together in the aggregate, arising out of or related to this DPA is subject to the limitation of liability provisions of the Master Agreement.
12 AMENDMENTS
- Provider may make changes to this DPA where the change is required to comply with the Data Protection Laws, and provided that the change:
a) does not reduce the security of the Cloud Services or Professional Services;
b) does not change the scope of Provider’s Processing of Company Personal Data;
c) does not have a material adverse impact on Company’s rights under this DPA or the Master Agreement.
13 GOVERNING LAW AND DISPUTES
This DPA shall be governed by the laws of the jurisdiction specified in the Master Agreement. The dispute resolution clause of the Master Agreement shall apply to this DPA.
14 SIGNATURE AND EFFECT
This DPA is deemed to be validly executed, effective and enforceable as of the Effective Date of the first Order Form jointly signed by the Parties.
15 ANNEXES
The following annexes form an integral part of this DPA:
a) Annex 1, Processing Specification Form (attached to the Order Form)