Data processing agreement

Data processing agreement

Data Protection and Data Security - Appendix X

This Data Protection and Data Security Appendix (this “Appendix”) is incorporated by reference into the Agreement


The Supplier shall process Customer Personal Data only as necessary to provide the Services under the Agreement to the Customer and as instructed by the Customer in writing. “Customer Personal Data” means information relating to an identified or identifiable natural person or as otherwise defined in the Laws that is processed by the Supplier on behalf of the Customer pursuant to the Agreement.  The nature and purpose of the data processing and relevant categories of data subjects and data types is defined in the General Processing Specification Form or is otherwise specified in the main contract. The type of personal data used is defined in the attached service agreement. With respect to processing of Customer Personal Data in the context of the Services provided by the Supplier, the Supplier acts as a data processor.

The Supplier shall at all times comply with the provisions of all applicable laws and regulations relating to data protection, privacy and security in relevant jurisdictions (“Laws”) when processing Customer Personal Data under the Agreement. The Supplier shall also comply with the Customer’s written instructions and regulations, e.g. on handling, protecting and encrypting personal and other data. The Supplier shall immediately inform the Customer, if any Customer’s instructions could in the Supplier’s opinion violate the Laws. In this case the Supplier is not obliged to comply with the relevant part of the instructions until the Customer either changes its instructions or expressly confirms the relevant instructions.


Except to the extent necessary for the Supplier to perform its obligations towards the Customer under the Agreement or as required by law, the Supplier shall keep Customer Personal Data confidential and shall have no rights to Customer Personal Data and shall not access, use, process, disclose, or transfer Customer Personal Data (in part or in whole) to any third party (excluding its approved subcontractors) during or after the term of the Agreement.

The Supplier is entitled to transfer or disclose Customer Personal Data to third parties only with a prior written consent of the Customer. If the Customer has agreed in the Agreement or otherwise in writing that the Supplier may engage subcontractor(s) to process Customer Personal Data, then (i) such engagement will be under a written contract, and (ii) the subcontract will require the subcontractor to comply with the same obligations applicable to Supplier under this Appendix and the Laws. In any event, the Supplier will remain fully liable for the acts and omissions of its subcontractors.

When processing Customer Personal Data, the Supplier shall implement and maintain at all times appropriate physical, technical and organizational measures to protect the Customer Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access so that all processing is in compliance with the Laws. Technical safeguards shall include up-to-date virus protection of the data files containing Customer Personal Data and backup copies of such files. The Supplier shall limit access to the Customer Personal Data to authorized and properly trained personnel with a well-defined “need-to-know” and who are bound by appropriate confidentiality obligations.

The Supplier warrants that in performing the Services all necessary precautions are taken by the Supplier to prevent loss and alteration of any data or programs, to prevent introduction of viruses to the Customer’s systems, and to prevent improper access to the Customer’s IT environment and Confidential Information of the Customer. The Supplier undertakes to inform the Customer immediately, if the data security measures taken by the Supplier do not meet the standards set out in the Customer's instructions. This applies accordingly if there are disturbances and if there is any suspicion that there is a violation of the data protection or any irregularities concerning the processing of Customer Personal Data.


If requested by the Customer in order for the Customer to comply with the Laws, the Supplier shall promptly provide the Customer with information and cooperation regarding the processing of Customer Personal Data, and/or carry out an action related to the processing of Customer Personal Data, as the Customer may reasonably request under this Agreement or to fulfil legal requirements, by way of example:

  1. maintain and provide the Customer with a written record of data processing activities carried out by the Supplier on behalf of the Customer, containing the information on such Supplier processing which the Customer is required to maintain as prescribed under the Laws;
  2. assist the Customer in carrying out a privacy impact assessment of new technologies or products;
  3. notify promptly, at latest within 24 hours or any shorter period as may be required by the Laws, the Customer of any security incidents; such notification will include, or be shortly succeeded by, all due information on the security incident in order for the Customer to be able to carry out its obligations under Laws;
  4. assist with the Customer’s obligation to respond to requests from individuals seeking to exercise their rights under the Laws applicable to Customer.


The Supplier shall not (and shall procure that its subcontractors shall not) transfer any Customer Personal Data to any third country or any international organization outside the EU or EEA (together “Third Countries”), unless expressly required or consented to do so by the Customer. Such consent shall be requested and provided in writing and separately for each recipient and/or location of the recipient of such transfers.

When carrying out a data transfer to such Third Countries and at all times when storing, transferring or maintaining Customer Personal Data, the Supplier shall ensure that all such transfers are in compliance with the Laws and this Appendix. Transfers shall only be executed in accordance with the instructions of the Supplier.

Where a transfer ceases to be in compliance with the Laws or the Customer’s instructions, the Supplier shall immediately obtain substitutive means of transfer in order to ensure that the transfer becomes compliant with the Laws and the Customer’s instructions. If the Supplier fails to obtain such compliance for the transfer, it shall forthwith terminate the transfer of Customer Personal Data to Third Countries and return the Customer Personal Data to the EU/EEA, without additional costs to the Customer.

The Supplier shall upon request from the Customer inform the Customer where the Customer Personal Data is stored no later than five (5) working days from the request.

5. Other provisions

The Customer is entitled to audit the Supplier's compliance with the legal and contractual obligations regarding data protection at any time within the necessary scope, especially by making requests and checking the archived data and the data processing programs. The Customer shall try to ensure that the audit shall be performed in a manner not causing material adverse effect on the performance of the services under the Agreement or the Supplier's other activities.

This Appendix shall remain in full force for as long as the Agreement is in force and for such period thereafter as is necessary for the activities after Agreement termination or expiration to be completed (including but not limited to the deletion of Customer Personal Data). To the extent that Customer Personal Data is processed by or for the Supplier, for whatsoever reason, after the termination or expiration of the Agreement, this Appendix shall continue to apply to such processing for as long as such processing is carried out.

Breach by the Supplier (or its subcontractors, as the case may be) of its obligations under this Appendix will be deemed a material breach of the Agreement.

In respect of services provided under the Agreement, all damages arising out of or relating to the processing of data shall be deemed direct damages (regardless of their actual nature) unless the damages have incurred despite the Supplier's conduct in accordance with due care, diligence and professional skill in processing Customer data and such damage arises despite such conduct, which proper conduct can afterwards be demonstrated by the Supplier. Furthermore, no limitation of liability defined in the Agreement or this Appendix shall limit the Customer’s right to claim back from the Supplier their part of responsibility for the damage in accordance with the principles defined in Article 82 (5) of GDPR in full.

Any changes to this Appendix must be agreed in writing between the Parties.

Upon termination of the Agreement, the Supplier shall (and shall procure that its subcontractors shall) promptly return to the Customer all Customer Personal Data in a commonly used electronic form and/or duly destroy and delete all Customer Personal Data, as instructed by the Customer in writing, and all documentation and any material supplied by the Customer or made by the Supplier for the performance of its duties pursuant to the Agreement. The concrete medium of handing over the archived data (including, but not limited to, Customer Personal Data) is based on an individual agreement which has to be concluded before the termination date. If no such agreement can be concluded until the termination date, the Customer is entitled to determine the concrete medium as well as the other modalities of the handing over of the data. Afterwards, all Supplier's storage data as well as any test-material or rejects which have not been handed over to the Customer have to be erased physically.