Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") applies where, for the provision of the online services under the Main Agreement ("Online Services"), the Customer transmits Customer Personal Data to G+D or grants G+D access to such data, where that data is subject to the General Data Protection Regulation (GDPR), the Customer remains the Data Controller and G+D acts as Data Processor.
1. Definitions
Within this DPA,
except where the context otherwise requires, the following words and
expressions shall have the following meanings. In addition, the definitions set
forth in the Main Agreement (as defined below) shall apply unless they conflict
with those in this DPA.
1.1. "Customer" means the legal entity entitled to use the Online Services on the basis of the Main Agreement and that commissions G+D with the Processing of Customer Personal Data under this DPA;
1.2. "Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;
1.3. "Data Processor" means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller;
1.4. "G+D" means Giesecke+Devrient Currency Technology GmbH, Prinzregentenstraße 159, 81677 München;
1.5. "GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679);
1.6. "Main Agreement" means the agreement, concluded between the Customer and its supplier of the Online Services, which sets out the subject matter, conditions and specifications of the Online Services. G+D supplies the relevant services to that supplier under a separate agreement; those services constitute the Online Services hereunder, and the agreement with G+D allows the Customer's supplier to grant the Customer access to the respective online services;
1.7. "Online Services" means the services further described in the Main Agreement;
1.8. "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.9. "Customer Personal Data" means any Personal Data that is subject to the Online Services under the Main Agreement and that G+D Processes under this DPA in its role as Data Processor on behalf of the Customer as Data Controller;
1.10. "Processing"
means any operation or set of operations which is performed on Personal Data or
on sets of Personal Data, whether or not by automated means, such as
collection, recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
2. Specifications
The details of the Processing, in particular the categories of Customer Personal Data and the purposes for which Customer Personal Data is processed on behalf of the Data Controller, are specified or referenced in the Appendix to this DPA.
3. Instructions
3.1. G+D may Process Customer Personal Data only within the framework of the Main Agreement, including this DPA, and as further instructed by the Customer, unless required to do so by applicable law. In the latter case, G+D shall inform the Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Customer throughout the duration of the Processing of Customer Personal Data. All instructions shall be documented.
3.2. G+D shall inform the Customer if, in G+D's opinion, instructions given by the Customer infringe applicable data protection laws. G+D is entitled to refrain from following the corresponding instruction until it is expressly confirmed or amended by the Customer.
4. Duration of Processing of Customer Personal Data
The duration of this DPA
(term) corresponds to the term of the Main Agreement.
5.
Technical and organizational measures; Confidentiality
5.1. G+D shall implement the technical and
organizational measures specified or referenced in the Appendix to this
DPA to ensure the security of Customer Personal Data. This includes protecting
the Customer Personal Data against a breach of security leading to accidental
or unlawful destruction, loss, alteration, unauthorized disclosure
or access to Customer Personal Data (personal data breach). In assessing the
appropriate level of security, the Parties shall take due account of the state
of the art, the costs of implementation, the nature, scope, context and
purposes of processing and the risks involved for the data subjects.
5.2. For the Processing of Customer Personal Data, G+D may only use employees who have been bound to confidentiality and have been familiarized with the related data protection requirements. G+D and any individual under the control of G+D who has access to Customer Personal Data may Process this data exclusively in accordance with the service specifications set out in the Main Agreement and the Customer's instructions, unless they are legally required to Process such Personal Data.
6.
Compliance Information; Audits
6.1. G+D shall make available all information
necessary for Customer to demonstrate compliance with its obligations under
Article 28 GDPR where such information is held by G+D.
6.2. Where G+D is Processing Customer Personal Data for the Customer as a Data Processor, the Customer will provide G+D with at least four (4) weeks' prior written notice of any audit, which may be conducted by the Customer or an independent auditor appointed by the Customer (provided that no person conducting the audit shall be, or shall act on behalf of, a competitor of G+D).
6.3. The scope of an audit will be limited to G+D
systems, processes, and documentation relevant to the Processing of Customer
Personal Data under this DPA, and auditors will conduct audits subject to any
appropriate and reasonable confidentiality restrictions requested by G+D.
6.4. The Customer will promptly notify G+D of, and provide G+D on a confidential basis with full details regarding, any perceived non-compliance or security concerns discovered during the course of an audit.
7. Subprocessors
G+D shall be authorized to engage other Data Processors who are involved in the Processing or sub-Processing of Customer Personal Data in connection with the provision of the Online Services under the Main Agreement ("Subprocessors") as follows:
7.1. G+D has the controller's general authorization for the engagement of Subprocessors. Subprocessors agreed at the time this DPA is agreed are listed or referenced in the Appendix to this DPA.
7.2. G+D shall ensure that Subprocessors are bound by contractual terms imposing, in substance, the same data protection obligations as those imposed on the Data Processor under this DPA.
7.3. G+D shall be liable for the acts and omissions
of its Subprocessors to the same extent G+D would be
liable if performing the services of each of those Subprocessors
directly under the terms of this DPA, except as otherwise set forth in the Main
Agreement.
7.4. From time to time, G+D may replace existing Subprocessors or engage new Subprocessors. In such cases, G+D shall inform the Customer thereof with appropriate advance notice. The Customer may object in writing, for good cause, to such a change or new engagement of Subprocessors. The Customer understands and agrees that in the event of an objection, the Online Services under the Main Agreement may no longer be provided to the Customer in whole or in part. In such case, the Customer and G+D will negotiate in good faith whether and under what conditions the Main Agreement can be continued or whether it must be terminated.
8.
International transfers
For international
transfers of Personal Data the following shall apply:
8.1. The Parties agree and understand that the transfer of Customer Personal Data outside the European Economic Area (EEA) is subject to Chapter 5 of the GDPR.
8.2. The Customer agrees that where G+D engages a Subprocessor in accordance with Clause 7 for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter 5 of the GDPR, G+D and the Subprocessor may ensure compliance with Chapter 5 by using appropriate safeguards under Article 46 GDPR (e.g. binding corporate rules or standard data protection clauses adopted by the EU Commission). This does not apply to transfers made on the basis of an adequacy decision of the EU Commission under Article 45 GDPR.
8.3. The Parties agree that they will enter into
additional agreements regarding additional security or data protection measures
for international data transfers as required by local or European data
protection authorities.
9.
Security Incident and Breach Notification
G+D shall report to the Customer, without undue delay after becoming aware of it, any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data ("Security Incident").
10. Cooperation, Assistance
Where G+D is Processing Customer Personal Data, G+D will, taking into account the nature of the data processing and the information available to G+D,
10.1. cooperate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights afforded to data subjects under the GDPR in respect of Customer Personal Data Processed by G+D in providing the Online Services under the Main Agreement;
10.2. provide assistance, where necessary, with requests received directly from a data subject in respect of that data subject's Personal Data submitted through the Online Services provided by G+D under the Main Agreement;
10.3. cooperate with any supervisory authority or any replacement or successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator with established authority over the Customer) in the performance of such supervisory authority's tasks where required; and
10.4. assist the Customer as reasonably required where the Customer (1) conducts a data protection impact assessment involving the Online Services under the Main Agreement, or (2) is required to notify a Security Incident to a supervisory authority or to a relevant data subject.
11. Deletion
As soon as the provision of Online Services has
ended, G+D shall delete all Customer Personal Data of the respective Customer
in accordance with current and recognized technical standards in such a way
that recovery of the data is not possible or only possible with
disproportionate effort, unless otherwise agreed with the Customer.
12. Governing Law
This Annex shall be
governed by the laws of the Federal Republic of Germany unless otherwise
specified in the Main Agreement.
13. Hierarchy
In the event of a
contradiction between provisions of this DPA and provisions of the Main
Agreement, including other related agreements between the Parties, existing at
the time when this DPA is agreed or entered into
thereafter, the provisions of the DPA shall prevail.
14. Severability Clause
Should any part or
provision of this Annex be held unenforceable or in conflict with the
applicable law of any jurisdiction, the validity of the remaining parts or
provisions shall not be affected thereby. The void, ineffective or
unenforceable provision shall be replaced by an appropriate provision, which
most closely approximates to the sense and purpose of this Annex and which the
parties to the Main Agreement would have wished if they had taken
into account the voidness, ineffectiveness or unenforceability.
Annex: Specifications of the Processing of Personal Data
(1) Nature and purpose
Nature and purpose of the Processing of Personal Data by G+D are defined in the Main Agreement.
(2) Data Types and Categories of Data Subjects
Customer Personal Data includes the following data types and categories of data subjects:
a. Data types: data related to machines or the usage of machines operated by the Customer, or other data provided by the Customer
b. Categories of data subjects: the Customer's users or machine operators, or other individuals whose data is provided by the Customer
(3) Subprocessors
Subprocessor | Data Location | Service | Safeguards
Microsoft Ireland Operations Limited, One Microsoft Place, South County Industrial Park, Dublin D18 P521, Ireland | Agriport 601, Middenmeer, Netherlands | Microsoft Azure Cloud Services | Standard Data Protection Clauses
Giesecke+Devrient Currency Technology America, Inc., 45925 Horseshoe Drive, 20166 Dulles, USA | 3700 Steeles Ave. West, Suite 202, L4L 8K8 Vaughan, Ontario, Canada | 2nd Level support (on-premise installation) | Binding Corporate Rules
(4) Technical and Organisational Measures
Upon request by the Customer, G+D commits to providing the necessary information to the Customer.