GENERAL TERMS AND CONDITIONS
for Leadoo Partnership
These General Terms and Conditions (“GTC”) are incorporated by reference into each Partnership Agreement concluded between Leadoo Marketing Technologies Oy, business ID 2922046-1 registered at Paasivuorenkatu 3, 00530 Helsinki FINLAND (“Leadoo”) and a Partner and govern all rights and obligations not expressly set out in the Partnership Agreement.
- The Parties agree to execute obligations under this Agreement with due diligence and in good faith.
- Leadoo confirms ownership of all registered and unregistered intellectual property rights connected with Leadoo Products.
- The Partner confirms that it has access to sufficient and adequate internal resources that will enable acquisition, onboarding and retaining customers acquired with the intention to use Leadoo Products. Partner declares that it is familiar with Leadoo Products’ functionalities and capabilities to the extent appropriate to conduct the aforementioned activities.
- 2 LEADOO’S RIGHTS AND OBLIGATIONS
- Leadoo will make all reasonable efforts to maintain continuous development of the Leadoo Platform and ensure its reliability.
- Leadoo will make all reasonable efforts to maintain 24/7 Customer Service and Technical Support via [email protected].
- Leadoo will provide all necessary support and training to the Partner to facilitate sales, onboarding and retention processes.
- Unless otherwise agreed, Leadoo will deliver dedicated customer support to all customers acquired by or referred by the Partner, per the licence type selected, according to the Parties’ agreed arrangements.
- Leadoo has sole discretion to build direct relationships with customers if the customer so decides or significant retention issues arise.
- Leadoo may provide the Partner with potential customers for value-added services (Onboarding, Training, Consulting, Strategy Execution) without charging commissions, provided that the Partner agrees to it.
- Leadoo may use the Partner’s logo, brand and materials received during the partnership for marketing purposes.
- 3 PARTNER’S RIGHTS AND OBLIGATIONS
- The Partner will refrain from any activities that infringe Leadoo’s intellectual property rights or the rules of fair competition.
- The Partner will inform Leadoo before pursuing direct sales of competing products to Leadoo’s existing customers, except where the customer initiates the vendor change.
- The Partner is obliged to keep confidential all provisions of this Agreement, business know-how and all data regarding prospective and current customers during the term and for 5 years after expiration.
- The Partner may use Leadoo’s logo, brand and materials received during the partnership for marketing purposes or reach out to potential customers.
- The Partner may offer value-added services to customers. Leadoo will not charge commissions for those services.
- All Leadoo intellectual property rights including rights regarding the Leadoo Platform including logic, organizational principles and supporting documentation, know-how and confidential information remain Leadoo’s exclusive property. The Partner’s use is strictly limited to what is explicitly provided for in the Agreement.
- 4 COMMISSIONS – GENERAL PROVISIONS
- Leadoo may, at its own discretion and without obligation, pass its own leads to the Partner. Commission levels for such leads are determined case by case. The Partner may use Leadoo-provided leads only to execute this Agreement.
- Commissions apply only to revenues from Leadoo licence fees (net, paid invoices). They do not apply to additional services delivered by Leadoo to the Partner’s customer.
- The Partner will receive a monthly settlement report with a detailed list of invoices and payment statuses. Commission settlement terms:
3.1 If the licence agreement is concluded directly by Leadoo or by the Partner on behalf of Leadoo — Leadoo, at its sole discretion, will pay commission on paid invoices per the settlement periods in the licence agreement, or in monthly cycles;
3.2 If the licence agreement is concluded between the Partner and Leadoo — the Partner receives commission on paid invoices per the settlement periods in the licence agreement.
- If the delay in payment qualifies as bad debt (>180 days), the Partner is not entitled to any commission on those invoices.
- Leadoo is not responsible for local, federal, or state taxes chargeable in the Partner’s country.
- For situations not covered by this Agreement, the Parties will reach individual consensus. The Partner shall not have the right to reimbursement of expenses unless otherwise agreed in writing.
- If a Party breaches the provisions of this Agreement, it agrees to pay damages to the other Party in accordance with general principles of law.
- Leadoo can terminate the Agreement immediately in the following circumstances:
- the Partner’s failure to pay invoices exceeds 30 days (applies to agreements concluded by the Partner on behalf of the customer),
– without prejudice to the possibility of termination of the Agreement, the above violation may also lead to restriction or blocking Partner’s customer’s access to Leadoo,
- violation by the Partner of the fundamental rules of social coexistence or business ethics having an impact on Leadoo image or Leadoo brand,
- breach by the Partner of the rules of law,
- if the Partner lacks of sales activity for at least 2 months where sales activity is understood as all activities that lead to acquiring customers (e.g. social media posts, joint webinars, blog posts, partner outbound activities, pitching)
- in case of Partner’s lack of commitment to customer service process, in particular Partner’s unresponsiveness to the customer or to Leadoo’s Customer Success Manager responsible for taking care of the customer acquired by the Partner – when the Partner’s commitment is necessary to retain this customer.
- The Parties may terminate this Agreement at any time without reason with a 3-month notice period.
- To avoid any doubt, the Parties agree that after the termination of this Agreement, the Partner shall not be entitled to any commissions, except as expressly provided in the Partnership Agreement.
- The Partner shall comply with all applicable export controls, economic sanctions and import laws and regulations, including EU, UK and US regulations. The Partner will not, directly or indirectly, enter into a business relationship with any person or entity: (i) resident in, located in, or organised under the laws of any country subject to comprehensive economic sanctions (currently including Crimea, Cuba, Iran, North Korea and Syria) (“Sanctioned Countries”); or (ii) identified on any applicable restricted party list (including OFAC SDN List, HM Treasury Consolidated List, EU Consolidated List) (“Restricted Party Lists”).
- The Partner warrants it is not, and will not become, resident in a Sanctioned Country or identified on a Restricted Party List. Leadoo reserves the right to request periodic written compliance confirmations.
- The Partner shall strictly adhere to applicable data protection legislation, including the GDPR, in processing personal data under this Agreement, including obtaining proper consents and implementing required technical and organisational measures. The Partner will indemnify and hold harmless Leadoo for losses or damages resulting from a data breach caused by the Partner, its employees, contractors or suppliers. The Partner’s liability is limited to damages resulting from wilful misconduct or gross negligence.
- The Partner declares it has read the information on Leadoo’s processing of personal data of Partner’s representatives (Appendix 1) and undertakes to provide this information to the relevant data subjects.
- The Parties have regulated the processing of entrusted personal data in the Personal Data Processing Agreement attached as Appendix 2.
- Where the licence agreement is concluded pursuant to § 4.3.2 of these GTC, the Partner shall, within 14 calendar days of the date on which the end customer is granted access to the Leadoo Platform, provide Leadoo with written confirmation (email to [email protected] sufficient) that the end customer has been furnished with all information required under Article 28(1) of Regulation (EU) 2023/2854 (Data Act), including the jurisdiction information set out in Appendix No. 1 to the Leadoo General Terms and Conditions.
- The Partner shall forward to Leadoo, without undue delay and in any event within 48 hours of receipt, any request, complaint or demand submitted by the end customer that relates to rights under the Data Act, including requests for data portability or switching under Articles 23–25 thereof. Failure to comply with this obligation shall constitute a material breach of this Agreement and entitle Leadoo to terminate the Agreement with immediate effect pursuant to § 6(1).
- The Partner shall include in its agreement with the end customer a provision informing the end customer that Data Act requests may be submitted directly to Leadoo at [email protected], and that Leadoo will process such requests in accordance with its obligations under applicable law.
- The Partner shall indemnify and hold harmless Leadoo against any losses, regulatory penalties, damages or costs (including reasonable legal fees) incurred by Leadoo as a result of the Partner’s failure to fulfil the obligations set out in this § 8.
- These GTC, together with the Partnership Agreement, permanently settle and supersede all previous discussions and arrangements of the Parties.
- The Partner may only transfer rights or obligations under this Agreement to a third party with prior written approval of Leadoo.
- Any amendment must be in writing or via digital signature tools (e.g. DocuSign), or in the form of a scanned document, otherwise null and void.
- If any provision is held unlawful, void or unenforceable, it shall be deleted and the Agreement shall remain in full force. The Parties shall negotiate in good faith to agree a mutually acceptable alternative.
- Any dispute shall be subject to the exclusive jurisdiction of the courts at Leadoo’s registered office. The Parties may also mutually agree to resolve disputes amicably or by mediation.
- This Agreement is governed by and construed under the laws of Finland.
APPENDIX 1 – INFORMATION ON PROCESSING OF PERSONAL DATA
Data Controller: The data controller of your personal data is Leadoo Marketing Technologies Oy, business ID 2922046-1, registered at Paasivuorenkatu 3, 00530 Helsinki, Finland (hereinafter referred to as “Leadoo” or “the controller”).
Purposes and legal basis of personal data processing: The controller will process personal data of the contractors who are natural persons:
- to perform an agreement between the contractors and the controller or take action at the request of the contractors before the conclusion of the contract (Article 6(1)(b) of the GDPR);
- fulfilling the legal obligations incumbent on the controller, arising in particular from tax and accounting legislation (Article 6(1)(c) of the GDPR);
- pursuing or defending against claims, which is the legitimate interest of the controller (article 6(1)(f) of the GDPR).
Purposes and legal basis of personal data processing: The controller will process personal data of the contractor’s representatives persons conducting agreements, users and contact person:
- to maintain business contacts, which is the legitimate interest of the controller (Article 6(1)(f) of the GDPR);
- fulfilling the legal obligations incumbent on the controller, arising in particular from tax and accounting legislation (Article 6(1)(c) of the GDPR);
- for the purpose of creating a user account to perform the contract concluded with the customer, which is a legitimate interest of the controller (Article 6(1)(f) of the GDPR);
- pursuing or defending against claims, which is the legitimate interest of the controller (Article 6(1)(f) of the GDPR).
The recipients of the personal data: The controller may disclose the personal data of the contractors to entities authorised by the law. Entities supporting the controller, including IT services providers, may also have access to the personal data of the contractors on the basis of agreements conducted with the controller.
Processing period: The personal data of the contractors shall be processed for the period required by the law or by the limitation period for any claims, depending on which of these events occurs later. The personal data processed for contact purposes will be processed for the time for the duration of the business relationship.
Voluntary/obligation to provide personal data: Providing personal data is voluntary however necessary to conclude an agreement with the controller.
Transfers of personal data to third countries or international organisations: Your personal data will also be processed in tools/systems provided by the entities supporting the data controller that are based or process data outside the European Economic Area. In this case, personal data is transferred on the basis of standard contractual clauses approved by the European Commission or a decision of the European Commission stating an adequate level of protection in a given country, e.g. on the basis of the EU-US Data Protection Framework.
Decision-based solely on automated processing/profiling: The controller is not making decisions based solely on automated processing, including profiling (concerning the purposes of data processing described above).
Data subjects rights: You have the right, as applicable, to:
- request access to your personal data, rectification, deletion and limitation of processing, and if your personal data is processed by automated means on the basis of a contract, you also have the right to transfer your personal data;
- withdraw your consent at any time, if that data was processed on the basis of this consent. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
- object to the processing of your personal data – when the data is processed on the basis of the controller’s legitimate interest.
- You also have the right to lodge a complaint with the supervisory authority (the Office of the Data Protection Ombudsman / Tietosuojavaltuutetun toimisto), PO Box 800, 00531 Helsinki, Finland, email: [email protected]
The data controller:
Leadoo Marketing Technologies Oy
business ID 2922046-1 Paasivuorenkatu 3
00530 Helsinki FINLAND
Data Protection Officer:
e-mail: [email protected]
APPENDIX 2 – PERSONAL DATA PROCESSING AGREEMENT
Between Leadoo Marketing Technologies Oy (“Entruster”) and the Partner (“Processor”), collectively the “Parties”.
- Whenever referred to in this Agreement:
- GDPR– should be understood as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- Agreement – should be understood as the Personal Data Processing Agreement;
- Main Agreement – should be understood as the Partnership Agreement concluded between the Entruster and the Processor.
- Where terms defined in the GDPR are used in this PDPA, these terms have the same meaning as in the GDPR.
- 2 Statements of the Parties
- The Processor hereby declares that it has the resources, including infrastructure resources, experience, know-how, and qualified personnel, to the extent that it is able to duly perform the Agreement, in compliance with the applicable laws. In particular, the Processor declares that it is familiar with the principles of personal data processing and security resulting from the GDPR.
- The Processor declares that it will process personal data only at the documented instruction of the Entruster. A documented instruction should be understood as, in particular, data processing activities ordered under the Agreement and the Main Agreement.
- The Processor hereby declares that it applies all required technical and organizational measures so that the processing is carried out in accordance with Article 32 of the GDPR.
- The Entruster declares that, with respect to the entrusted personal data, it is the controller or processor and has the right to process them and to entrust or further entrust their processing.
- Acting pursuant to Article 28(3) of the GDPR, the Entruster entrusts the Processor with the processing of personal data to the extent specified in the Agreement.
- The Agreement is entered in connection with the execution of the Main Agreement between the Entruster and the Processor.
- The purpose of entrusted processing of personal data is related to the Processor’s performance of the activities detailed in the Main Agreement. The nature of entrusted processing of personal data is, in particular, the following operations or sets of operations performed on personal data by the Processor: recording, organizing, structuring, storing, retrieving, viewing, using, combining, limiting, deleting.
- The agreement covers the entrustment of the following range of personal data:
- Categories of persons: contractors who are natural persons, representatives of contractors, persons executing the contract between the Entruster and the contractor, persons designated by the contractor to contact the Entruster, potential contractors who are natural persons, representatives of potential contractors, persons to execute the contract that the Entruster and the potential contractor intend to conclude, persons designated by the potential contractor to contact the Entruster,
- Scope of data: name, surname, e-mail address, telephone number, other contact details, position, correspondence address, address of the contractor’s registered office, place of employment, other data necessary to carry out the purpose specified in §3 paragraph 3 of the Agreement.
- 4 Rights and obligations of Parties
- The Processor shall:
- Process personal data in accordance with the GDPR, applicable national regulations adopted to enable the application of the GDPR, other applicable laws, the Agreement and the instructions (orders) of the Entruster. The instructions (orders) shall be transmitted by the Entruster by e-mail addressed to the address indicated in §10 (4)(a) of the Agreement; the Processor shall implement the instructions (orders) promptly, but no later than within 7 business days of their receipt.
- Process personal data only upon the documented instruction of the Entruster (which is considered to be, in particular, this Agreement), unless such obligation is imposed by applicable national or EU law. Where the Processor’s obligation to process personal data is imposed by law, the Processor shall inform the Entruster via email – prior to commencing processing – of this legal obligation, unless such law prohibits the provision of such information due to important public interest;
- Process personal data only at the location agreed upon in the Main Agreement and on equipment managed by the Processor and its personnel or the Entruster, in compliance with the highest security and personal data protection principles required by the applicable laws.
- Grant access to personal data only to persons who, due to the scope of their tasks, have been authorized by the Processor to process such data and only for the purpose of performing their obligations under the Agreement, and take measures to ensure that any natural person acting under the authority of the Processor who has access to personal data processes such data only at the direction of the Entruster, unless the processing is required by applicable national or EU regulations;
- Ensure that persons authorized to process personal data undertake an obligation of confidentiality (with the obligation of confidentiality also existing after the execution of the Agreement and termination of employment with the Processor, not less than 3 years after the expiration of the Agreement), unless they are persons subject to the relevant statutory obligation of confidentiality;
- Maintain records of persons who have been instructed to process personal data processed in connection with the performance of the Main Agreement, and provide a copy or appropriate extract from such records whenever requested by the Entruster;
- Implement, in accordance with the guidelines indicated in §5 of the Agreement, appropriate technical and organizational measures to ensure a degree of security corresponding to the risk of infringement of the rights or freedoms of the natural persons whose personal data will be processed under the Agreement, and ensure the implementation of the principles of data protection by design and data protection by default (as set in Article 25 of the GDPR);
- Support the Entruster, (in particular, through the use of appropriate technical and organizational measures) in fulfilling its obligation to respond to the requests of data subjects in exercising their rights set in Chapter III of the GDPR. The Processor’s cooperation with the Entruster, within the scope indicated above, shall be in a form and timeframe that allows the Entruster to fulfill these obligations; in connection with the fulfillment of this obligation, the Processor shall, in particular:
- in the event of a request by a data subject for the right of access referred to in Article 15 of the GDPR, to prepare a report for the Entruster within 5 Business Days allowing the Entruster to provide the data subject with the information referred to in Article 15(1) of the GDPR,
- in the event of notification by the personal data subject of the right to rectification of personal data referred to in Article 16 of the GDPR, to note the personal data subject’s request by updating the personal data, insofar as the update of the personal data is covered by the Main Agreement, and to provide information thereon to the Entruster within 5 Business Days,
- in the event of notification by the personal data subject of the right to be forgotten referred to in Article 17 of the GDPR, to promptly communicate this request to the Entruster, no later than 3 Business Days after the request is made by the personal data subject,
- in the event of notification by the data subject of the right to restrict processing referred to in Article 18 of the GDPR, to promptly communicate this request to the Entruster, no later than within 3 Business Days of the request by the data subject,
- in the event of notification by the data subject of his/her right to personal data portability referred to in Article 20 GDPR, to export to the Entruster all personal data concerning that person processed electronically, no later than within 5 Business Days of the request by the data subject,
- in the event of notification by the data subject of his/her right to object as provided for in Article 21 of the GDPR, to promptly provide the information to the Entruster, no later than 3 Business Days after the request by the data subject,
- in the event of a request by the personal data subject for the right to obtain human intervention by the controller or the right to express one’s position and to challenge an automated decision, as referred to in Article 22 of the GDPR, to promptly communicate this request to the Entruster no later than 3 Business Days after the request by the data subject.
- However, the Processor shall not respond to such request without the prior consent or express instruction of the Entruster;
- Provide, on behalf of the Entruster, to the data subject during the acquisition of his/her personal data, insofar as this set of personal data operations occurs in the performance of the Main Agreement, all the information referred to in Article 13 of the GDPR. The content and form of the information clause presented by the Processor on behalf of the Entruster may change at any time; the new content of the information clause shall apply as of the date indicated by the Entruster.
- Comply with any guidance or recommendations, if any, issued by a supervisory authority or an EU advisory body dealing with the protection of personal data, regarding the processing of personal data, in particular with respect to the application of the GDPR;
- Assist the Entruster to comply with the obligations set in the GDPR (including, in particular, Articles 32-36 of the GDPR), i.e. in particular:
- Apply all technical and organizational measures to secure personal data, in the principles set forth in Article 32 of the GDPR;
- Make notifications of personal data protection violations to the supervisory authority and notify data subjects of such violations. The processor has an obligation to:
- provide the Entruster with information regarding the personal data breach within 24 hours of the discovery of an event or suspected event constituting a personal data breach, including the preparation of the information required in the data breach notification to the supervisory authority referred to in Article 33(3) of the GDPR; the notification should contain, at a minimum, information on:
- the date, duration and location of the personal data breach;
- the nature and scale of the breach, i.e., in particular, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach, and, if possible, an indication of the data subjects affected;
- the computer system in which the violation occurred (if the violation occurred in connection with data processing in the computer system);
- the expected time needed to remedy the damage caused by the violation;
- the nature and scope of the personal data affected by the breach;
- the possible consequences of the breach, taking into account the consequences for data subjects;
- the measures taken to minimize the consequences of the breach and the proposed preventive and corrective measures;
- contact information for a person who can provide further information about the breach;
- maintain a register of data protection violations, which will provide the circumstances of the personal data protection violation, its consequences and the remedial actions taken,
- modify the scope of information covered by the register of personal data protection violations at the request of the Entruster,
- make the register of violations referred to above immediately available to the Entruster at any request,
- conduct a prior analysis of the causes of the violation of the rights and freedoms of data subjects and communicate the results of this analysis to the Entruster within 24 hours of the discovery of an event constituting a personal data protection violation,
- if the Processor is not able to provide all the information referred to above to the Entruster at the same time, it should provide it successively without undue delay
- designate persons responsible for taking steps to remedy the breach and take corrective action in consultation with the Entruster,
- until instructed by the Entruster, without undue delay take all reasonable steps to mitigate and remedy the negative effects of the occurrence of the personal data breach
- The Processor shall not, without express instruction (direction) from the Entruster, notify data subjects or the supervisory authority of the breach;
- Perform data protection impact assessments by the Entruster and consult the Enstruster with the supervisory authority.
- Keep, in writing (including electronically), records of all categories of processing activities performed on behalf of the Entruster, and grant the Entruster access to those parts of the records that relate to data processing performed on behalf of the Entruster;
- Make available to the Entruster, upon any request from the Entruster, no later than within 3 business days, all information necessary to demonstrate the Entruster’s compliance with its obligations under applicable laws, in particular the GDPR, including providing information on safeguards in place, identified risks and incidents in the area of personal data protection;
- Enable the Entruster or an auditor authorized by the Entruster to conduct audits under the terms of §7 of the Agreement;
- Immediately inform the Entruster if, in its opinion, the order issued to it constitutes a violation of the GDPR or other national or EU data protection regulations; the information in this regard should be provided to the Entruster in electronic form and should contain appropriate justification and indication of the provision of law which, in the opinion of the Processor, has been violated;
- Immediately, but no later than within 2 working days, inform (unless this would lead to a violation of the provisions of applicable law) the Entruster of any proceedings, in particular administrative or judicial proceedings concerning the processing of personal data by the Processor, of any administrative decision or ruling concerning data processing addressed to the Processor, of any audits and inspections concerning by a supervisory authority, as well as of any complaints from data subjects related to the processing of their personal data;
- Keep the personal data only for as long as specified by the Entruster, and, without undue delay, update, correct, amend, anonymize, limit processing or delete the designated personal data in accordance with the Entruster’s guidelines and the Main Agreement.
- The Processor shall not transfer personal data that are processed under this Agreement to a third country (i.e., a country that is not a member of the European Economic Area) or an international organization, unless otherwise agreed by the Parties, and provided that the requirements under Chapter IV of the GDPR are met in this regard, which requires, under pain of nullity, the conclusion of a separate written agreement between the Parties or an annex to this Agreement.
- 5 Organizational and technical measures
- The Processor shall implement and apply adequate technical and organizational measures prior to commencing the processing of personal data under the Agreement, in order to ensure a degree of security appropriate to the risk of violating the rights or freedoms of natural persons whose personal data are processed under the Agreement, and undertakes to maintain them during the execution of the Agreement.
- In assessing whether the degree of security referred to in §5(1) of the Agreement is adequate, the Processor is required to take into account the risks inherent in the processing, in particular those arising from accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise processed.
- The Processor shall also implement, both in determining the manner of processing and at the time of the processing itself, appropriate technical and organizational measures designed to effectively implement the data protection principles set in the GDPR and to protect the rights of data subjects, as well as appropriate technical and organizational measures so that, by default, only those personal data are processed that are necessary to achieve each specific purpose of the processing set forth in §3 of the Agreement.
- In implementing the organizational and technical measures referred to above, the Processor:
- Shall comply with the instructions of the Entruster with respect to the manner of securing the processing of personal data in accordance with the provisions of applicable law, as referred to in §3(1) and §4(1)(a) of the Agreement;
- Shall take into account the state of the art and the nature, scope, context and purposes of the processing, as well as the risk of violating the rights or freedoms of individuals whose personal data it will process under the Agreement;
- If it is determined that the measures in place may be inadequate for the identified risks, the Processor shall inform the Entruster of this fact and, in consultation with the Entruster, shall adjust the appropriate safeguards for the processing of personal data, after the Parties have agreed on the scope, manner and timing of such measures.
- The Processor is obliged to allow the Entruster, whenever requested, to review the technical and organizational measures in place and the documentation of such measures so that the processing is carried out in accordance with the law, and to update such measures in consultation with the Entruster.
- The Processor may entrust the personal data entrusted to it to other processors (sub-processors) only to the extent and for the purpose as specified in the Agreement, and only after obtaining the consent of the Processor in writing, under pain of nullity. The Processor shall ensure that it will use only sub-processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and other applicable laws.
- In the case of entrusting the processing of personal data to sub-processors, such entrustment of processing shall have as its basis an agreement under which the sub-processor undertakes to perform the same obligations that are imposed on the Processor under this Agreement.
- The Processor shall ensure that sub-processor entrusted with the processing of personal data apply at least an equivalent level of personal data protection as the Processor.
- At any request of the Entruster, in order to demonstrate the Processor’s compliance with its obligations under the Agreement, the Processor shall make available to the Entruster all information regarding sub-processors and the agreements entered into with such processors.
- The Entruster may require the Processor to immediately terminate the agreement with another processor insofar as it relates to the processing of the entrusted personal data in the event that the Processor has entered into an agreement with such entity for the entrustment of personal data processing without the prior written consent of the Entruster, as well as in the event that the sub-processor does not provide a guarantee of adequate security of personal data, and in any other case where the Entruster has reasonable grounds to conclude that further processing of personal data by such entity has a negative impact on the protection of personal data.
- The Processor shall be fully responsible to the Entruster for compliance with the obligations under the entrustment agreement entered into between the Processor and the further processor. If the downstream processor fails to comply with its data protection obligations, the full responsibility to the Entruster for fulfilling the obligations of a sub-processor shall rest with the Processor.
- The Entruster shall be entitled at any time to audit the compliance of the processing of personal data by the Processor, as well as any sub-processor – with the Agreement and applicable laws, in particular, the Entruster may verify the compliance and adequacy of technical and organizational safeguards for the processing of personal data implemented by the Processor or the sub-processor. The Processor shall, at its own risk and expense, ensure that the Entruster’s rights against each sub-processor can be exercised.
- The Entruster shall inform the Processor at least 3 business days before the planned date of the audit of its intention to conduct the audit, unless due to a high risk of threat to the rights and freedoms of data subjects, the audit should be conducted immediately. The Processor is obliged to cooperate with the Entruster and the auditors authorized by the Entruster, in particular to provide them with access to the premises and documents covering personal data and information on the manner of processing personal data, ICT infrastructure and IT systems (including visual inspection), as well as to persons having knowledge of the personal data processing processes carried out by the Processor (including obtaining written or oral explanations to the extent necessary to establish the facts). The Entruster will conduct the audit while respecting the Processor’s business confidentiality.
- Upon completion of the audit or inspection, an employee authorized to audit or inspect by the Entruster or a third party authorized to audit or inspect by the Entruster shall prepare a post-audit or post-inspection protocol containing guidelines and recommendations concerning, in particular, the improvement of the security of the processing of the entrusted personal data, which shall be signed by representatives of both Parties, and the Processor shall be obliged to remove the irregularities indicated in the protocol and comply with the recommendations indicated therein within the period agreed with the Entruster.
- The Processor shall be fully liable for damages that arise to the Entruster, personal data subjects, or third parties as a result of the Processor’s processing of personal data covered by the Agreement, the GDPR, or other applicable laws contrary to the Agreement, including acting outside of the Entruster’s lawful instructions. In particular, the Processor shall be liable for damages caused by the application or non-application of technical or organizational measures to ensure the security of personal data to the extent corresponding to the risk of their processing. For the avoidance of doubt, the Parties agree that any limitations of the Processor’s liability provided for in the Main Agreement shall not apply to the Processor’s liability under this Agreement, including breaches of personal data protection.
- The Processor shall be obligated to pay any damages, as well as any costs, expenses, including legal fees and financial penalties that the Entruster incurs or may incur, or for which the Entruster may become liable, in connection with any lawsuit, claim, or proceeding brought against it in connection with the Processor’s improper performance of its obligations under the Agreement and its obligations under the GDPR and other applicable laws.
- 9 Termination of the Agreement
- On the date of termination of the Agreement, the Processor should, in accordance with the Entruster’s instructions, return or destroy, in a manner separately agreed with the Entruster, all personal data and their copies, unless the relevant provisions of national or EU law require the storage of personal data.
- At the request of the Entruster, the Processor sends written confirmation of the deletion of personal data within the deadline specified by him.
- If the Processor concludes an agreement for entrusting the processing of personal data with sub-processor, the Processor undertakes to include in such an agreement provisions according to which this agreement, in the scope of entrusting the processing of personal data entrusted under this Agreement, will be automatically terminated upon termination of the Agreement.
- The Processor informs the Entruster about the deletion of all existing copies of personal data and enables the Entruster to conduct an audit in accordance with §7 of the Agreement.
- If the scope of entrusting processing is limited by the Entruster, in the manner specified in the Agreement, the provisions on termination of entrusting processing shall apply accordingly to personal data which, due to the limitation of the scope, can no longer be processed by the Processor.
- The Agreement is valid for the duration of the Main Agreement and the performance of all obligations arising from this Agreement.
- This Agreement replaces all other personal data processing agreements that the Parties previously concluded in connection with the implementation of the Main Agreement.
- The contract may be terminated immediately if:
- The Processor will process personal data contrary to applicable law, in particular GDPR;
- The Processor will process personal data contrary to the Agreement;
- The Processor will not remove the deficiencies indicated by the Entruster during the inspection;
- The processor will entrust processing to a third party without concluding an appropriate contract for entrusting the processing of personal data;
- The processor does not apply appropriate technical and organizational measures to ensure an adequate level of security corresponding to the risk associated with the processing of the entrusted personal data;
- The Processor has lost the ability to perform the Agreement, in particular it has lost the ability to guarantee proper security of the entrusted personal data.
- The parties have designated persons authorized to contact in matters related to the implementation of this agreement:
- The Entruster – [email protected];
- The Processor – contact person indicated in the Main Agreement.
A change of the persons referred to above and the data of these persons requires notification to the other Party in documentary form (e-mail sent to the previously valid address indicated above). For the avoidance of doubt, the Parties agree that such a change does not require an amendment to the Agreement.
- In matters not regulated by the Agreement, the provisions of applicable civil law, GDPR and acts and regulations issued on its basis shall apply.
- Unless the Agreement provides otherwise, any changes to the Agreement must be made in writing to be null and void.
- In the event that any provision of the Agreement turns out to be invalid or ineffective by operation of law, the remaining provisions of the Agreement will remain valid and the Parties will immediately agree on a new provision reflecting their intention with respect to such invalid or ineffective provision.
- Disputes related to the performance of this Agreement will be resolved by the court competent for the registered office of the Entruster.