1. Definitions and Interpretations
2. Processing of the Customer's Personal Data
4. Subsequent Subcontracting
5. Rights of the Person Concerned
6. Violation of Personal Data
7. Data Protection Impact Assessment and Prior Consultation
8. Delegation or Return of the Customer's Personal Data
9. Audit Rights
10. Transfer of Personal Data Notice
11. General Terms
12. Governing Law and Jurisdiction
This Data Processing Agreement, including its Exhibits and Appendices (“DPA”) forms an addendum to the Global Terms of Services between Qomon and Customer for the purchase of Services, including any and all applicable Order Form(s), Purchases, exhibits and/or schedules (the “Agreement”).
In the context of providing the Services, Qomon may process Personal Data on behalf of the Customer.
And the Customer acting as a Data Controller, collects and/or provides Personal Data, which involves the processing of Personal Data by Qomon, on behalf of the Customer, as a processor. The Parties wish to set out their rights and obligations in relation to such processing in accordance with the GDPR applicable Data Protection Laws.
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data.
The Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1.1 Unless otherwise defined, the terms and expressions used in this DPA have the following meaning:
1.1.1 "Agreement on the Processing of Personal Data" or "DPA" means this document on the processing of personal data;
1.1.2 “Sub-processor" means a sub-processor in connection with the processing of Personal Data;
1.1.3 “Personal Data Protection Laws" means all data protection laws and regulations applicable to the Processing of Personal Data under this DPA, which may, depending on the circumstances, include but not be limited to the European Data Protection Laws, as defined below;
1.1.4 "EEA" means the European Economic Area;
1.1.5 The terms “Data Controller” and “Data Processor” shall have the meaning ascribed by the GDPR. The terms “Data Subject”, “Personal Data” and “Process, Processing” "Commission," "Member State," "Personal Data Breach," and "Supervisory Authority" shall have the meaning ascribed by the GDPR. However, in case that the Applicable Data Protection Laws define these terms differently and the GDPR does not apply to the Processing, the definition set forth by the Applicable Data Protection Laws shall apply instead of the definition ascribed by the GDPR. In case that the Applicable Data Protection Laws define these terms differently and the GDPR applies to the Processing, the definition provided in the GDPR will prevail. In case the Applicable Data Protection Laws define terms, which have the same or materially similar meaning to the terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data,” “Commission,” “Member State,” “Personal Data Breach,” “Supervisory Authority,” and/or “Process, Processing”, such terms will be considered as covered correspondingly by the definitions provided here in;
1.1.6 “GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC ;
1.1.7 “Services” means the assignments or services provided by the Contractor under the TOS
1.1.8 “Applicable Data Protection Laws” or “applicable legal obligations” means all data protection laws and regulations applicable to the Processing of Personal Data under this DPA, which may, depending on the circumstances, include but not be limited to the European Data Protection Laws;
1.2 “European Data Protection Laws” means the GDPR, as applicable to the Personal Data Processing in question;
1.2.1 ”EU Standard Contractual Clauses for Data Transfers to Third Countries” means the standard contractual clauses as approved by the European Commission’s decision 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, and any amendments thereto.
2.1 The Customer hereby represents that this DPA complies, to its reasonable knowledge, with all Applicable Data Protection Laws and contains all provisions required by such laws. Considering the nature of the Services, the Customer acknowledges that the Processing of Personal Data under this DPA may be subject to various Applicable Data Protection Laws, even those which are not explicitly mentioned in this DPA, depending on the territorial extent of Customer’s usage of the Services. The Customer is responsible for informing Qomon without undue delay about any discrepancy between this DPA and the requirements of the Applicable Data Protection Laws.
2.2 The parties acknowledge that GDPR applies to the Processing of Personal Data if and to the extent conditions set forth by Art. 3 of the GDPR are fulfilled. Where the Customer acts as a Data Processor and engages Qomon as another Data Processor in accordance with Art. 28(4) of the GDPR, the Customer:
a) Is responsible for ensuring that the same data protection obligations as set out in the contract or other legal act between the Customer and the Data Controller of the Personal Data are hereby imposed on Qomon;
b) Assumes the rights and responsibilities of Data Controller towards Qomon under this DPA, therefore whenever this DPA refers to a “Data Controller”, such reference shall equally refer to the Customer, and vice versa; and
c) Remains fully liable to the Data Controller of the Personal Data where Qomon fails to fulfill its data protection obligations hereunder.
3.1 Description of the processing
Object of the processing
Providing the Services as per the Global Terms of Services.
Nature of the processing
Personal Data will be subject to the following basic processing activities:
Data Collection, data sorting, data storage, consultation by Client; distribution by Client; comparison; hosting; maintenance and computer support; data entry; registration; modification.
Type of personal data processed
The Personal Data processed concern the following categories of data:
- Identification data: first name, last name, telephone number, email address, etc.
- Professional data : position, organization chart, etc.
- Financial data: IBAN, credit card number, billing address etc.
- Connection data: logs to the services
- Internet data: cookies, IP
Categories of data subjects
The processed Personal Data concerns the following categories of Data Subjects:
Client, authorized users, any natural persons whose Personal Data are processed by Client.
Duration of processing
The term of the Global Terms, subject to applicable legal obligations.
Petition, online forms & online surveys
Furthermore, depending on the Service concerned (in particular in the context of the creation of online petitions ,online surveys or online contact forms) and under its sole responsibility, the Client may have to choose other categories of data or Data Subjects to be collected, and determine their mandatory or optional nature.
Categories of concerned persons
The Personal Data processed concerns the following categories of Data Subjects: Customer, Users/End Users, any person whose Personal Data the Customer processes.
Duration of processing
The processing shall last for the full duration of the TOS, subject to applicable legal obligations.
3.2 The Contractor shall:
3.2.1 comply with all applicable Personal Data Protection Laws in connection with the Processing it carries out on behalf of the Customer;
3.2.2 not process the Customer's Personal Data other than in accordance with its documented instructions and for the purposes described in this DPA; if it considers that any instruction constitutes a breach of the GDPR or any other provision of the applicable Personal Data Protection Laws, it shall immediately inform the Customer. In addition, if it is required to transfer Personal Data to a country outside the EEA under EU law or the law of the Member State, state or country to which it is subject, it shall inform the Customer prior to the Processing, unless the relevant law prohibits such information on important public interest grounds;
3.2.3 ensure the confidentiality of the Personal Data processed under the TOS ;
3.2.4 keep a record of any Processing of Personal Data that it carries out on behalf of the Controller, including records of processing activity as required under applicable Personal Data Protection Laws, and be able to provide a copy of such records to the Controller upon request;
3.2.5 take reasonable steps to ensure the trustworthiness of any employee or agent under its responsibility who may have access to the Customer's Personal Data, and ensure in each case that access thereto is strictly limited to those persons who have a need to know/access such Personal Data, and that all such persons are (i) subject to confidentiality undertakings or professional or legal obligations of confidentiality, and (ii) provided with the necessary training in relation to the management of the Personal Data.
3.2.6 The Customer instructs the Contractor to process the Customer's Personal Data for the purposes of the services provided under the TOS. By default, the execution of the purpose of the TOS shall constitute the documented instructions of the Customer. Any additional instructions regarding data processing by Qomon shall be given by the Customer in written form. Additional documented instructions from the Customer shall be at the Customer's expense and shall be processed subject to their technical and organizational feasibility, unless expressly provided otherwise in the TOS.
3.2.7 Notwithstanding the above, Customer hereby explicitly acknowledges that Qomon may process Personal data, as a separate Data Controller, for other processing purposes in compliance with the Applicable Data Protection Laws, e.g. in case of Qomon’s legitimate interest on such processing or when applicable laws require such processing from Qomon. Qomon, as a Data Controller, remains responsible for the processing of Personal Data described in the previous sentence; and this DPA does not apply to such processing of the Personal Data.
3.3 The Client, in the context of the DPA, undertakes to :
3.3.1 provide Qomon with all the data it needs to fulfill its obligations under the TOS and this Agreement in a timely manner, and is responsible for the quality of the Personal Data transmitted to Qomon;
3.3.2 record in writing any instructions regarding the Processing of Personal Data transmitted to Qomon ;
3.3.3 inform Qomon immediately of any errors or irregularities it becomes aware of with regard to the protection of Personal Data, or of its instructions when examining the results of the Services entrusted to Qomon;
3.3.4 ensure beforehand and throughout the Processing period that Qomon complies with its obligations under applicable Personal Data Protection Laws.
3.4 In general, the Personal Data entrusted by the Customer to Qomon remains under his/her full responsibility. The Customer is thus responsible for the Personal Data he/she provides on the Qomon platform and for all Personal Data collected through the Qomon platform and more generally through the Services.
In particular, and depending on the Service concerned, the Customer guarantees that it has obtained the consent, if necessary, of all Data Subjects and that in any event the latter have been duly informed prior to the collection, processing, storage, use and sharing of their Personal Data; the Customer undertakes to comply with its obligations under this DPA in respect of all its Users and in respect of each Data Subject.
3.5 3.5 In general, the Customer guarantees to Qomon that he/she complies with his/her obligations under applicable Personal Data Protection Laws and/or regulatory provisions applicable to him/her. In this respect, the Customer indemnifies Qomon against any recourse, complaints or claims from a natural person whose Personal Data is processed within the framework of the TOS and which result from a failure by the Customer or a third party to comply with one of its obligations under the Personal Data Protection Laws and/or any other local legal and/or regulatory provisions applicable to it.
4.1 The Contractor shall take into account, with respect to its tools, products, applications or services, the principles of protection of Personal Data by design and by default.
4.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement, with respect to the Customer's Personal Data, appropriate technical and organizational measures to ensure a level of security appropriate to that risk. This includes, where applicable given the territorial extent of the Customer’s use of the services, the measures referred to in Article 32(1) of the GDPR.
The Customer authorizes Qomon to use a subcontractor to carry out specific processing activities. The list of Qomon's subcontractors, with the exception of freelance service providers who are only to be used on an ad hoc basis, shall be provided upon request by the Customer.
Qomon undertakes to inform the Customer of any intended changes concerning the addition or replacement of subsequent Subcontractors as soon as possible.
The Client shall have a period of ten (10) working days from the date of receipt of such information to present its reasonable and legitimate objections in writing. The Customer acknowledges and accepts that the absence of objections within this period shall be deemed to be acceptance by the Customer of the subsequent Subcontractor. In the event of an objection, Qomon shall be given the opportunity to respond to the Customer with information that will remove the objection. If the Customer maintains his/her objections, the Parties will undertake to meet and discuss in good faith the continuation of their relationship.
6.1 Taking into account the nature of the Processing, the Contractor shall assist the Client by implementing appropriate technical and organizational measures, insofar as is possible, for the fulfillment of the Client's obligations relating to the rights of data subjects.
6.2 In this context, the Contractor undertakes to :
6.2.1 inform the Customer if it receives a request from a Data Subject concerning his or her Personal Data being Processed by the Processor on behalf of the Customer, upon receipt; and
6.2.2 not respond to such requests except on the express instructions of the Client; or, where applicable, within the scope of the laws to which the Contractor is subject. In this case the Contractor shall, to the extent permitted by law or the authorities, inform the Customer of this legal requirement before responding to the request.
Where possible and at its discretion, depending on the Service concerned, the Contractor may provide the Client with technical means and/or aids enabling it to meet its obligations to inform the persons concerned and, where applicable, to obtain consent via standard media under the Personal Data Protection Laws. For the avoidance of doubt, it is emphasized that the Subcontractor shall not be liable for the use (or otherwise) of these tools and/or aids transmitted for information purposes or for their content as validated / completed by the Client.
Finally, to the extent set forth by the Applicable Data Protection Laws, Qomon shall assist the Customer, insofar as this is possible, for the fulfillment of its obligation to respond to Data Subject right requests concerning notably the right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
The Contractor shall notify the Client as soon as possible upon becoming aware of a Personal Data Breach. Such notification shall be accompanied by all relevant documentation to enable the Client, if necessary, to notify the relevant supervisory authority and the Data Subjects of the Personal Data Breach.
As far as is possible and taking into account the nature of the Processing, the Subcontractor undertakes to assist the Client in the context of any impact analysis relating to the protection of the Personal Data which is the subject of the Processing, as well as in the case of consultations with the supervisory authorities or other competent authorities regarding the confidentiality of Personal Data.
This reasonable assistance shall only be provided to the extent that the Customer cannot access the relevant information by any other means. Thus, upon written request by the Customer, and subject to ten (10) working days' notice, Qomon undertakes to provide the Customer with any relevant documentation in its possession that is not protected by intellectual property rights, thereby enabling it to carry out its impact assessment.
Any request for additional assistance will be subject to the conditions applicable at the time the request is made.
For the avoidance of doubt, it is noted that Qomon is not responsible for the performance and/or updating of the Customer's impact assessment.
At the end of the contractual relationship between the Parties which is the subject of the TOS and this DPA, and for whatever reason, the Contractor undertakes to return and/or destroy the Personal Data entrusted to it by the Client in the performance of the DPA, subject to the legal obligations applicable to the Contractor.
Subject to this Article 9, the Contractor shall make available to the Customer, upon request, all information necessary to demonstrate compliance with this DPA, and shall permit and contribute to audits, including inspections, by the Customer or an auditor appointed by the Customer with respect to the Processing of the Customer's Personal Data under the conditions hereinafter provided.
Within the limit of one audit per annual period and with a notice period of thirty (30) working days (unless applicable laws state otherwise) - subject to having previously requested in writing from Qomon information aimed at demonstrating the latter's compliance with its obligations as a Subcontractor and if the answers do not appear to be sufficient (except in the event of an imminent risk relating to the security of the Personal Data) - the Customer may notify Qomon by registered letter with a request for notice of receipt a request for an on-site compliance audit of the processing of Personal Data under the TOS, duly motivated, in which the Customer shall designate the appointed auditor, the date and the scope of the auditor's intervention. For the avoidance of doubt, it is specified that the scope of the on-site audit shall be strictly limited to Qomon's processes thereby enabling it to operate the Processing in its capacity as a Subcontractor of the Processing entrusted by the Client within the framework of the TOS.
The appointed auditor shall be an independent auditor, be professionally recognised in his or her field, and shall not be a competitor of Qomon. The auditor shall be subject to a written confidentiality agreement prior to the start of the audit.
The Customer shall bear all costs incurred by the audit, including but not limited to the auditor's fees, and shall reimburse Qomon for all expenses and costs incurred by this audit, including those corresponding to the time spent on the audit by Qomon's staff in excess of the four (4) man-days referred to above, based on the average man-days of Qomon's staff who worked on the audit.
The Customer undertakes to communicate the results of the audit to Qomon, and if it is found that Qomon is not complying with its obligations under the applicable Data Protection Laws, Qomon shall take all necessary measures to remedy this and shall inform The Customer of the measures taken in this respect. The Parties acknowledge that all reports and information obtained in the course of this audit are confidential information.
If Personal Data processed under this DPA is transferred from an EEA country to a country outside the EEA, and where the transfer is not authorized by an adequacy decision of the European Commission pursuant to Article 45 of the GDPR, the Processor undertakes to ensure a level of protection of Personal Data equivalent to the European legal requirements and to regulate the said transfer in accordance with the Personal Data Protection Laws, it being specified that in this context, for each transfer and mechanism chosen, the Processor has carried out a test of substantial equivalence to the protections guaranteed by the GDPR, and has added appropriate additional safeguards where necessary.
Where the Processing of Personal Data consists of or includes a transfer of Personal Data from Qomon, whose activities are subject to the European Data protection Law, acting as a data exporter, to a third party, who is in a Location Subject to Appropriate Safeguards and whose activities are not subject to the European Data protection Law, acting as a data importer (including, but not limited to, the Subprocessors), Qomon may transfer the Personal Data to the third party only if the previously stated conditions are met.
In particular, with regard to transfers between the Data Processor and its subsequent Subcontractors, where applicable, the Data Controller expressly authorizes the use of the standard contractual clauses adopted by the European Commission in its decision of 27 June 2021. The Processor undertakes to send the Controller - upon request - a signed copy of the said standard contractual clauses.
In the event of any conflict or inconsistency between this DPA and the EU Standard Contract Clauses for Data Transfers to Third Countries incorporated herein, the EU Standard Contractual Clauses for Data Transfers to Third Countries shall prevail.
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by applicable law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out as the “generic email” when you subscribe to the Services.
If either party changes its contact information, it must inform the other party without delay.
13.1 Without prejudice to mandatory application of Applicable Data Protection Laws, and respecting their potential mandatory prevalence, this DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement and each of the Parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under or related to this DPA.
13.2 In order to resolve any dispute that may arise with respect to the interpretation, the performance and/or the termination of this DPA, the Parties agree to negotiate after the receipt of a notice by one of the Parties, with the intent to solve any dispute in an amicable way. Failing for the parties to reach an amicable settlement by signing a settlement agreement within thirty (30) days following the notification by a party of the existence of the dispute and making an express reference to this provision, the Parties shall submit their dispute to the relevant court that will have jurisdiction to settle the dispute.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date the Customer signs a Qomon Quote or starts a Qomon subscription, thereby accepting the General Terms of Service (TOS) and this present agreement.