Data Processing Agreement

Last Modified: April 2022

Iotcomms.io and Customer have entered into an Agreement of which this appendix shall form an integral part. All capitalized terms herein shall have the same meaning as set forth in the Purchase Order or General Terms and Conditions unless otherwise stated herein.

1 Background and purpose

1.1 By signing the Purchase Order, the Customer accepts and agrees to the terms and conditions of this data processing agreement (the “DPA”).

1.2 As part of the Agreement, iotcomms.io will, as processor or a sub-processor (the “Processor”), be processing certain personal data on behalf of Customer, as a controller or processor (the “Controller”).

1.3 As a consequence thereof, the Parties are entering into this DPA to govern the conditions for the Processor’s processing of, and access to, personal data on behalf of Controller in accordance with the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) and other applicable data protection legislation (“Applicable Data Protection Legislation”). The DPA shall remain in force for as long as the Processor processes personal data on behalf of Controller.

1.4 The Controller is considered a data controller and the Processor is considered a data processor regarding the personal data processed under the DPA (“Relevant Personal Data”). The Relevant Personal Data is described in the instruction available at the Platform under the section “Legal” (the “Instruction”).

1.5 The DPA comprises this document, the Instruction and the from time-to-time applicable list of subprocessors, available at the Platform under the section “Legal” (the “List of Subprocessors”). In the event of any contradictions between this document and the Instruction, this document shall take precedence.

1.6 All terms defined in Article 4 of the GDPR shall have the same meaning in the DPA, unless expressly stated otherwise.

1.7 This DPA shall supersede any prior agreements, arrangements and understandings between the Parties and constitutes the entire agreement between the Parties relating to the subject matter hereof.

2 Processor’s Obligations

2.1 Scope of processing. Processor shall only process Relevant Personal Data in accordance with this DPA, the Agreement, the GDPR and Applicable Data Protection Legislation, unless further processing is required under applicable EU or Member State law to which Processor is subject. In such case Processor shall inform Controller of this legal obligation unless such disclosure is prohibited by law.

2.2 Personnel confidentiality. Processor shall ensure that its employees and all other persons for whom the Processor is liable and who are authorized to process Relevant Personal Data sign a confidentiality undertaking not less restrictive than the confidentiality undertakings set forth in this DPA.

2.3 Security. Processor shall implement appropriate technical and organizational measures to secure Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as required pursuant to Article 32 in the GDPR.

2.4 Subprocessors. Processor is entitled to engage subprocessors listed in the List of Subprocessors (“Subprocessors”) for the processing of Relevant Personal Data on behalf of Controller. Processor shall notify Controller (by notice in the Platform or otherwise) of any intended addition or replacement of its Subprocessors. If Controller has not objected within ten (10) days from the notice, Controller is assumed to have approved the engagement. An objection shall include legitimate reasons for the objection and possible solutions. A legitimate reason for the objection is e.g. that the Subprocessor does not meet the requirements of the GDPR or the Applicable Data Protection Legislation which significantly affects or is likely to affect the personal integrity of the data subjects. If Processor engages Subprocessors, Processor shall enter into a subprocessor agreement with the same obligations as in this DPA, with the exception that the Subprocessor may not retain another Subprocessor without Controller’s prior written approval. In the event the Subprocessor fails to fulfil its obligations, Processor shall bear full liability to Controller for the performance of the Subprocessors’ work, undertakings, and obligations.

2.5 Third country transfers. Processor may, by itself or through a Subprocessor, move, store, transfer, make available, or otherwise process Relevant Personal Data belonging to Controller outside of the EU/EEA with Controller’s prior written consent. Such consent is considered given regarding transfers described in the List of Subprocessors. Transfer to a third country also requires that prior to commencing such transfer or provision of access, Processor meets the requirements and undertakings which follow from the GDPR, which may include entering into EU Standard Contractual Clauses.

2.6 Requests from data subjects. Processor shall implement appropriate technical and organisational measures to assist Controller to fulfil its obligation to respond to requests by data subjects to exercise their rights under Chapter III in the GDPR, such as the right of access and data portability.

2.7 Assistance and personal data breach. Processor shall assist Controller to fulfil its obligations pursuant to Articles 32 to 36 in the GDPR, especially regarding security of processing and personal data breach. Processor shall notify Controller without undue delay and within twenty-four (24) hours after Processor has learned of a personal data breach.

2.8 Return of information. Processor shall upon termination of the DPA or upon notice from Controller, at Processor’s choice, return or delete, all personal data processed under the DPA, unless Processor is required to retain the personal data pursuant to national law or EU law.

2.9 Audit and inspection. Processor shall at its own cost, make available to Controller upon Controller’s request, all information necessary to demonstrate that Processor is fulfilling its obligations under the DPA. Processor shall also enable and assist in audits, including inspections, which are conducted by Controller or by a third party authorised by Controller, at Controller’s cost.

3 Confidentiality

3.1 In addition to any confidentiality obligations provided for in the Agreement, Processor undertakes not to disclose Relevant Personal Data or other information on the processing of Relevant Personal Data to any third party without express instruction from Controller. This Section does not apply, however, to information which is disclosed to Subprocessors for the purpose of enabling these to fulfil their obligations under a subprocessor agreement, information which is generally known (due to other reasons than a breach of the Customer’s confidentiality obligations), information which the Processor is required to disclose under mandatory legislation or under a decision or ruling of a court of competent jurisdiction or another competent authority. In the latter case, Processor shall be obliged to inform Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.

3.2 The Processor shall ensure that each Subprocessor, person or third party that is given access to Relevant Personal Data is subject to at least the same obligation of confidentiality.

3.3 The obligation of confidentiality pursuant to this Section 4 shall apply without limitation in time.

4 Liability and indemnification

4.1 Processor shall only compensate Controller for any loss which Controller, a data subject, another natural or legal person, or a public authority incurs as a result of the Processor’s processing of Relevant Personal Data in contravention of the Instruction, the DPA and the GDPR.

4.2 Processor is only responsible for data received by the Platform, not for data in transit in private, public or telephony networks.