Data Processing Agreement
This Data Processing Agreement is made on May 17, 2018.
This Data Processing Agreement (the “DPA”) becomes effective upon the later of i) the acceptance of the General Terms & Conditions or ii) May 25, 2018.
Customer shall make available to MMDSmart and Customer authorizes MMDSmart to process information including personal data for the provision of the Services under the Agreement. The Parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Privacy Laws.
Customer's continued use of MMDSmart services will act as acceptance of the Data Processing Agreement with effective date as stated above.
MMDSmart and Customer are hereinafter referred to individually as “Party” or collectively as “Parties”.
In this DPA, the following terms shall have the meanings specified below.
“Privacy Laws” mean any applicable law relating to data protection and security, including without limitation General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/RC) (“GDPR”) and any amendments, replacements or renewals thereof (collectively the “EU Legislation”), all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority.
The terms used in this DPA such as “processing”, “personal data”, “data subject”, “data controller”, “data processor”, “transfer of personal data”, “categories of data” and “personal data breach” shall have the meaning ascribed to them in the GDPR.
2. Role of the Parties
The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data: (i) the provision of platform services (i.e. the database of call data records and the logs created and managed by MMDSmart on behalf and under the supervision of Customer) for which MMDSmart will act as a data processor and agrees to comply with the respective obligations set out in Sections 3 – 12, and (ii) the transmission of messages (i.e. A2P SMS) by MMDSmart and other third-party providers for which MMDSmart will act as a data controller and agrees to comply with the respective obligations set out in Section 14.
3. Subject matter, nature and purpose of processing of personal data by MMDSmart
3.1 The subject matter, nature and purpose of the processing of personal data under this DPA is MMDSmart’s performance of the Services pursuant to the Agreement and as further instructed in writing by the Customer in its use of the Services, unless required to do so otherwise by Privacy Laws, in which case to the extent permitted by Privacy Laws, MMDSmart shall inform the Customer of this legal requirement prior to carrying out the processing. MMDSmart shall only collect or process personal data for the duration of the Agreement to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the Agreement and Privacy Laws applicable to MMDSmart in its role as data processor.
MMDSmart will process personal data originating from and sent to a country located in the European Union / European Economic Area (EU/EEA) or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless personal data is transferred to a country approved by the European Commission as providing an adequate level of protection for personal data, the transfer is made pursuant to European Commission approved.
3.2 Where the performance of the Services involves a transfer of personal data to a processing party outside the EU/EEA or Switzerland, additional requirements are to be met to ensure an adequate level of data protection.
The processing of personal data will be carried out by MMDSmart for the duration of the Agreement unless otherwise agreed upon in writing.
5. Type of personal data processed
The Customer may submit Customer personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:
- Contact information (company, email, phone, physical address)
- First and last name
- ID data
- Connection data
- Localisation data
6. Type of data subjects
The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subject:
- Customers, business partners and vendors of the Customer (who are natural persons)
- Employees of contact persons of the Customer’s customers, business partners and vendors
- Employees, agents, advisors, freelancers of the Customer (who are natural persons)
- Customer’s service user including any user of the Services, which Customer permits using the Services.
7. Security measures
7.1 Without prejudice to any other security standards agreed upon by the Parties, MMDSmart shall take appropriate technical and organisational measures to ensure the security of the processing of personal data. These measures shall include inter alia as appropriate:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7.2 The technical and organisational measures are subject to technical progress and further development. In this respect MMDSmart may implement alternative adequate measures; however, the security level of the defined measures must never be reduced.
8.1 MMDSmart entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.
8.2 Without prejudice to any existing contractual arrangements between the Parties, MMDSmart shall treat all personal data as strictly confidential. MMDSmart shall ensure that all persons or parties (employees, agents and other persons involved in the processing of personal data) have signed and are bound by an adequate confidentiality agreement and/or are under any other binding obligation of confidentiality.
8.3 MMDSmart is not violating this obligation if and when such disclosure is mandatory under applicable law or if and when the data subject has published its personal data in public.
9. Assistance and other duties
9.1 At the Customer’s cost and expense and taking into account the nature of the processing and the information available to MMDSmart, MMDSmart shall provide such information and assistance as the Customer may reasonably require to assist the Customer, insofar as this is possible, to comply with its obligations under applicable Privacy Laws, which may include assisting the Customer to:
(i) notify the Customer of any request MMDSmart receives for a data subject relating to personal data processed;
(ii) comply with its security obligations;
(iii) discharge its obligations to respond to requests relating to the exercise of data subject rights including right to erasure (“right to be forgotten”), right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services).
9.2 MMDSmart shall periodically monitor the internal processes to ensure that processing within MMDSmart’s area of responsibility is in accordance with the requirements of Privacy Laws and the protection of the rights of the data subject.
The Customer agrees that MMDSmart may engage third parties to process personal data in order to assist MMDSmart to deliver the Services on behalf of the Customer (“Sub-processors”). MMDSmart has or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor.
Customer has the right to perform an audit of MMDSmart in order to determine to what extent MMDSmart complies with the provisions of this DPA. Such audit will be performed by an independent third party and will take place at a time defined by both Parties together within two months after an initial written specified request thereto. The external auditor must sign an NDA, including an obligation not to disclose any business sensitive data in the audit report, such as but not limited to names of business partners of MMDSmart. The performance of the audit will take place during normal working days and normal working hours and without interrupting business operations of MMDSmart. Customer is not allowed to perform more than one audit per two years. MMDSmart shall provide the auditor access – on prior written and detailed request of the auditor – to the facilities, personnel, policies and documents that are reasonably necessary for the purpose of the audit; provided the facilities, personnel, policies and documents are/should be in the control of MMDSmart and unless MMDSmart is not limited in providing such access by law. The Customer shall bear the costs for the audit, including the appointment and remuneration of the qualified auditor and the costs of MMDSmart made in order to facilitate the qualified auditor.
12. Notification of a data breach
12.1 In the event of MMDSmart becoming aware of any breach of security that results in the accidental, unauthorized or unlawful destruction or unauthorized disclosure of or access to personal data, MMDSmart shall, among other things:
i) notify the Customer in writing without undue delay, but not later than 48 hours after becoming aware of the breach of security;
ii) assist the Customer with regard to the Customer’s obligation to provide information to the data subject and to provide the Customer with relevant information in this regard;
iii) support the Customer in consultations with the data protection authority.
12.2 To the extent legally possible, MMDSmart may claim compensation for support services under this clause 12 which are not attributable to failures on the part of MMDSmart.
12.3 Customer shall retain all rights, copyright or other intellectual property rights, title and interest to any and all personal data, including all rights relating to.
12.4 MMDSmart understands and agrees that such personal data constitutes Customer proprietary and confidential information.
13. Deletion and return of personal data
Upon expiration of the Agreement or in the event of early termination for any reason whatsoever, MMDSmart and its Sub-processors shall promptly provide to Customer all personal data held by them for the duration of the Agreement for the performance of the Services. Upon Customer’s request, MMDSmart will destroy copies of personal data held in its systems and confirm this to Customer in writing unless required to keep certain personal data in order to comply with applicable laws.
14. Obligations of MMDSmart as data controller
15. Obligations of the Customer
The Customer shall comply at all times with applicable Privacy Laws in relation to the processing of personal data in connection with the Agreement and the Services.
16. Limitation of Liability
Each Party’s liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Indemnification and Limitation of Liability section of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party and all of its affiliates under the Agreement and this DPA.