Data Processing Agreement

Effective as of May 25, 2018

This Restpack Data Processing Agreement (the “Agreement”) is between you (“Data Controller”) and Restpack INC (“Data Processor”). If you are agreeing to this Agreement not as an individual but on behalf of your company, then “Customer” or “you” means your company, and you are binding your company to this Agreement. Restpack may modify this Agreement from time to time.

By clicking on the “I agree” (or similar button) that is presented to you at the time of your Order, or by using or accessing Restpack products, you indicate your assent to be bound by this Agreement.

PROCESSING OBJECTIVES

  • The Processor undertakes to process personal data on behalf of the Controller in accordance with the conditions laid down in this Data Processing Agreement. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
  • The Processor shall refrain from making use of the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which are not contemplated in this Data Processing Agreement.
  • All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the relevant Data subjects.
  • The Processor shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.

PROCESSOR’S OBLIGATIONS

  • The Processor shall warrant compliance with the applicable laws and regulations, including laws and regulations governing the protection of personal data.
  • The Processor shall furnish the Controller promptly on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Agreement.
  • The Processor’s obligations arising under the terms of this Data Processing Agreement apply also to whomsoever processes personal data under the Processor’s instructions.

TRANSMISSION OF PERSONAL DATA

  • The Processor may process the personal data in countries outside the European Union. In addition, the Processor may also transfer the personal data to a country outside the European Union provided that such country guarantees an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this Data Processing Agreement
  • Upon request, the Processor shall notify the Controller as to which country or countries the personal data will be processed in.

ALLOCATION OF RESPONSIBILITY

  • The Processor shall only be responsible for processing the personal data under this Data Processing Agreement, in accordance with the Controller’s instructions and under the (ultimate) responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, and processing by third parties and / or for other purposes.
  • Controller represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Agreement.

ENGAGING OF THIRD PARTIES OR SUBCONTRACTORS

  • The Processor is authorised within the framework of the Agreement to engage third parties, without the prior approval of the Controller being required. Upon request of the Controller, the Processor shall inform the Controller about the third party/parties engaged.
  • The Processor shall in any event ensure that such third parties will be obliged to agree in writing to the same duties that are agreed between the Controller and the Processor.

DUTY TO REPORT

  • In the event of a security leak and/or the leaking of data, the Processor shall, to the best of its ability, notify the Controller thereof with undue delay, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. The Processor will endeavour that the furnished information is complete, correct and accurate.
  • If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
  • The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
    • the (suspected) cause of the leak;
    • the (currently known and/or anticipated) consequences thereof;
    • the (proposed) solution;
    • the measures that have already been taken.

SECURITY

  • The Processor will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
  • The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
  • The Controller will only make the personal data available to the Processor if it is assured that the necessary security measures have been taken. The Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.

HANDLING REQUESTS FROM INVOLVED PARTIES

Where a Data subject submits a request to the Processor to inspect, or to improve, add to, change or protect their personal data, the Processor will forward the request to the Controller and the request will then be dealt with by the Controller. The Processor may notify the Data subject hereof.

NON DISCLOSURE AND CONFIDENTIALITY

  • All personal data received by the Processor from the Controller and/or compiled by the Processor within the framework of this Data Processing Agreement is subject to a duty of confidentiality vis-à-vis third parties.
  • This duty of confidentiality will not apply in the event that the Controller has expressly authorised the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Data Processing Agreement, or if there is a legal obligation to make the information available to a third party.

AUDIT

  • In order to confirm compliance with this Data Processing Agreement, the Controller shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
  • The audit may only be undertaken when there are specific grounds for suspecting the misuse of personal data, and no earlier than two weeks after the Controller has provided written notice to the Processor.
  • The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
  • The costs of the audit will be borne by the Controller.

DURATION AND TERMINATION

  • This Data Processing Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
  • The Data Processing Agreement may not be terminated in the interim.
  • This Data Processing Agreement may only be amended by the Parties subject to mutual consent.
  • The Processor shall provide its full cooperation in amending and adjusting this Data Processing Agreement in the event of new privacy legislation.