Data Processing Agreement
This Data Processing Agreement (DPA) forms part of the existing agreement(s) between Customer and VPLS, and/or other written or electronic agreement between VPLS and Customer for the purchase of Services provided by VPLS to reflect the parties’ agreement with regard to the Processing of Personal Data of Customer. This DPA is subject to the terms of the Agreement (capitalized terms used and not defined herein have the meanings given them in the General Data Protection Regulation 2016/679 (GDPR)).
1. General Terms
This DPA applies to the Processing of Personal Data, within the scope of the EU General Data Protection Regulation 2016/679 (as further defined in Section 11, and hereinafter “GDPR”), by VPLS on behalf of Customer. Effective May 25, 2018, VPLS will Process Personal Data in accordance with the GDPR requirements directly applicable to VPLS’s provision of its Services. This DPA does not limit or reduce any data protection commitments relating to Processing of Customer Data previously negotiated by Customer in the Agreement (including any existing data processing agreement to the Agreement).
By signing this agreement, Customer enters into the DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent VPLS Processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, the term “Customer” shall include Customer and Authorized Affiliates, unless otherwise indicated herein.
In the course of providing the Services to Customer pursuant to the Agreement, VPLS may Process Personal Data on behalf of Customer. VPLS agrees to comply with the following provisions with respect to any Personal Data Processed for Customer in connection with the provision of the Services. If not otherwise defined in the relevant section.
- VPLS shall Process Personal Data in accordance with applicable Data Protection Laws, the GDPR requirements, directly applicable to VPLS’s provision of its Services. VPLS shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions and shall treat Personal Data as Confidential Information. Customer instructs VPLS to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable orders; (ii) Processing to comply with other reasonable instructions provided by Customer (e.g., via a support ticket) where such instructions are consistent with the terms of the Agreement, and (iii) Processing of Personal Data that is required under applicable law to which VPLS or VPLS Affiliate is subject, including but not limited to applicable Data Protection Laws, in which case VPLS or the relevant VPLS Affiliate shall to the extent permitted by applicable law, inform the Customer of such legally required Processing of Personal Data.
Customer shall, in its use or receipt of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- Customer acknowledges and agrees that VPLS may engage subcontractors to Process Personal Data (Sub-processors) on Customer’s behalf.
- VPLS shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause VPLS to breach any of its obligations under this DPA.
- VPLS shall provide Customer reasonable advance notice (for which email shall suffice) if it adds or removes Sub-processors.
- Customer may object in writing to VPLS’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying VPLS promptly in writing within five (5) calendar days of receipt of VPLS’s notice in accordance with Section 3.3. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services that cannot be provided by VPLS without the use of the objected-to new Sub-processor.
4. Technical and organizational measures
- VPLS shall implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk for VPLS’s scope of responsibility.
- VPLS shall ensure that any person who is authorized by VPLS to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- VPLS will notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to the Services. VPLS will promptly investigate the Personal Data Breach if it occurred on VPLS infrastructure or in another area VPLS is responsible for.
- VPLS shall maintain records of its security standards. Upon Customer’s written request, VPLS shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to confirm VPLS’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
5. Data Subject Rights and Requests
- To the extent permitted by law, VPLS will inform Customer of requests from Data Subjects exercising their Data Subject rights (e.g. rectification, deletion and blocking of data) addressed directly to VPLS regarding Personal Data. Customer shall be responsible for responding to such requests of Data Subjects.
- If a Data Subject brings a claim directly against VPLS for a violation of their Data Subject rights, Customer will indemnify VPLS for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that VPLS has notified Customer about the claim and given Customer the opportunity to cooperate with VPLS in the defense and settlement of the claim. Subject to the terms of the Agreement, Customer may claim from VPLS amounts paid to a Data Subject for a violation of their Data Subject rights caused by VPLS’s breach of its obligations under GDPR.
6. Third Party Requests and Confidentiality
- VPLS will not disclose Personal Data to any third party, unless authorized by the Customer or required by law. If a government or Supervisory Authority demands access to Personal Data, VPLS will notify Customer prior to disclosure, unless prohibited by law.
VPLS requires all of its personnel authorized to Process Personal Data to commit themselves to confidentiality and not Process such Personal Data for any other purposes, except on instructions from Customer or unless required by applicable law.
7. International Transfers
- VPLS stores and processes EU Data in data centers located inside and outside the European Union. All other Customer Data may be transferred and processed in the United States and anywhere in the world where Customer, its Affiliates and/or its Sub-processors maintain data processing operations. VPLS shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.
- Notwithstanding Section 5.1, to the extent VPLS processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland (“EU Data”) in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, Customer hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU.
8. Return or Deletion of Personal Data
- Upon termination or expiration of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent VPLS is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data VPLS shall securely isolate and protect from any further processing, except to the extent required by applicable law.