Data Processing Addendum (DPA)
Last updated: April 2021
Note: the following remarks are not part of the DPA set out below.
Some points on the importance of a DPA:
Essentially, a DPA is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. The GDPR requires data controllers to take measures to ensure the protection of the personal data they handle. If data controllers decide to outsource certain data processing activities, they must be able to demonstrate that their suppliers and sub-processors also provide sufficient guarantees to protect the data and act in a GDPR-compliant manner.
So, if you are a controller and, as a result of outsourcing, you wish to transfer your data to a third party (for example, a cloud provider), you need to sign a DPA with that third party. The obligation falls on both the Controller and the Processor.
This Data Processing Addendum (“Processing Agreement”) governs the processing of personal data under the Service Agreement between On Point Limited (“Company”), a limited liability company incorporated under the laws of Malta, bearing company registration number C81670, with its registered office at 8, 24 Church Street, Zebbug, Malta, and the “Vendor”.
The Processing Agreement has been pre-signed by the Vendor. This Processing Agreement is effective as of the date signed below by the parties (“Processing Agreement Effective Date”). This Processing Agreement shall be required, subject to the following conditions:
i. You must have placed an order for an app on the Atlassian Marketplace and
ii. You have not made any deletions or other revisions to this DPA.
‘Controller’
This shall mean a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Data Protection Laws’
This shall mean the laws and regulations, applicable from time to time, in respect of the processing of personal data, including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the ‘GDPR’), as well as the supervisory authority’s binding decisions, regulations and recommendations and supplementary local adaptations and regulations in respect of data protection in Malta.
‘End User’
This shall mean an individual you permit or invite to use the App(s), including:
i. Individuals invited by your End User(s)
ii. Individuals under managed accounts, and
iii. Individuals interacting with an app as your customer or other relations.
‘Processor’
This shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Sub-Processor’
This shall mean another processor engaged by the Vendor for carrying out specific processing activities on behalf of the Vendor (including but not limited to companies within the Vendor’s group of companies). The Sub-Processor will have access to, and will be able to process, personal data from the Controller, always with the Controller’s written approval.
‘Third Country’
This shall mean a country outside the European Economic Area (EEA).
Any other term used in capitalized letters in this Processing Agreement (such as ‘Data Subject’, ‘Processing’ and ‘Personal Data’) shall, unless otherwise stated, have the meaning provided for under the national Data Protection Act (“The Act”) and The General Data Protection Regulation (“GDPR”).
The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679), the national Data Protection Act (the “Act”), Chapter 586 of the Laws of Malta, and any applicable national subsidiary legislation.
Under this Processing Agreement, the Vendor shall have the right to process data, including Personal Data, in connection with the use of the app and the Vendor’s provision of services under the agreement. Vendor shall ensure that it and each of its sub-processors (if any) shall comply at all times with the applicable law and shall not perform their obligations in such a way as to cause such party or Company (or any of its affiliates) to breach any such laws. Vendor is the Processor and Company is the Controller.
Vendor may not otherwise use or modify the personal data, merge it with other data, commercially exploit it, disclose it, transfer it across international borders (in the case that the data is transferred outside the EU or the EEA), or do any other thing that may in any manner adversely affect the integrity, security or confidentiality of such personal data, other than as expressly specified herein or the Service Agreement referred above.
Nature and purpose of the intended Processing of Data
The subject matter of the Processing of Personal Data by the Processor is the provision of the services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Processing Agreement and an Order.
The type(s) of Personal Data to be Processed by the Vendor under this Processing Agreement, the purpose and duration of the Processing and categories of Data Subjects are set out in Appendix 1 (Instructions regarding the Processing of Personal Data). The Vendor shall only Process Personal Data on documented instructions from the Data Subject as set out in Appendix 1.
As of the Effective Date, additional Processing may also be performed provided that Union or Member State law to which the Vendor or a sub-processor is subject requires such Processing. In such case of additional processing, the Vendor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
The Customer undertakes to fulfil its duties as Controller under the applicable Data Protection Laws. The Customer undertakes to continuously inform the Vendor regarding any measures taken by third parties, including but not limited to supervisory authorities and Data Subjects, relating to the Processing by the Vendor hereunder.
Vendor shall only process Personal Data to provide the services on Company’s written instructions and in accordance with the GDPR and any applicable national laws.
Vendor shall not, without the prior written permission of Company, transfer or process any Personal Data provided or made available by or on behalf of Company or its affiliates outside of the European Economic Area (EEA). It must be taken into account that the EEA consists of the Member States of the European Union (EU) and three countries of the European Free Trade Association (EFTA), namely Iceland, Liechtenstein and Norway, but excludes Switzerland.
Vendor shall enter into any potential amendments to this Processing Agreement, or a new processing agreement as may be required by Company or necessitated by changes in applicable laws.
Vendor shall inform Company immediately if it considers that an instruction violates data protection regulations. Vendor shall then be entitled to suspend the execution of the relevant instructions until Company changes them.
COMMITMENT TO CONFIDENTIALITY
The Vendor shall ensure that persons authorised to process Personal Data (i.e., all employees, agents or contractors who process or access the Personal Data) are subject to contractual confidentiality obligations in respect of Personal Data and undergo regular training in relation to their data protection obligations and compliance with the Vendor’s Measures.
SECURITY OF PROCESSING
The Vendor shall take all measures required pursuant to Article 32 of the GDPR.
The Vendor shall, taking into account the nature of the Processing and the information available to the Vendor, assist the Company in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
Vendor shall not appoint a Sub-processor (nor disclose any Personal Data under this Processing Agreement to a Sub-processor) without the prior written consent of the Company. The Processor must ensure that the same processing obligations the Processor is subject to are made applicable to any Sub-processor and confirm that the Sub-processor is fully aware of and agrees with such obligations. The Processor remains responsible for any processing conducted by the Sub-processor.
The Vendor shall notify the Company of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Company the opportunity to object to such changes, if and to the extent the conditions set forth in the paragraph below are not fulfilled, within 14 days from being notified. In the event that the Company provides such an objection to a new Sub-processor and such objection in the Vendor’s opinion prevents effective provision of the Vendor’s services, the Vendor may terminate the Agreement without penalty or liability.
The Vendor may engage Sub-processors, provided that the same data protection obligations as set out in this Processing Agreement, as referred to in Article 28(3) of the GDPR, are imposed on such Sub-processor by way of a written contract. The Vendor must ensure that only Sub-processors are engaged who provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws.
The Sub-processors listed in Appendix 2 have been approved by the Company to be used as Sub-processors by the Vendor under this Processing Agreement. Upon changes of Sub-processors, Appendix 2 will be updated.
ASSISTANCE OF VENDOR
Vendor shall assist Company by co-operating and implementing appropriate administrative, technical and organizational measures for responding to Data Subjects' requests relating to their rights of: (i) access; (ii) rectification; (iii) erasure; (iv) restriction of processing; (v) data portability; (vi) objection to processing; and (vii) avoiding automated individual decision making, including profiling. Vendor shall forward any such requests it receives from Company employees to Company without responding to the data subject.
TECHNICAL AND ORGANISATIONAL MEASURES
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall, in relation to the Personal Data under this Processing Agreement, implement and comply with appropriate technical and organisational measures to ensure a level of security appropriate to that risk and in compliance with the GDPR (the “Measures”). Details of the actual technical and organisational measures are outlined in Appendix 3.
The Measures are subject to technical progress and further development and Vendor shall review the measures on a regular basis to ensure that they continue to provide adequate protection of the Personal Data. The overall protection afforded in the Measures must not be reduced. Substantial changes must be documented.
BREACH OF MEASURES
Vendor shall notify the Company promptly, and in any case within 72 hours from detection, of any breach of the Measures, or if Vendor learns or has reason to believe that any person or entity has breached or attempted to breach Vendor’s security measures applicable to the Services, or has gained unauthorised access to personal data or any confidential information provided or made available by Company or any of its affiliates.
The Processor shall assist the Controller in meeting its data protection obligations in relation to the security of processing, in notifying the Controller of personal data breaches and in conducting Data Protection Impact Assessments (DPIA).
Subject to the paragraph below, the parties agree to indemnify and hold each other harmless from any claim of damages or loss suffered or incurred in connection with either party’s breach of its obligations under this Processing Agreement or the Data Protection Laws. The limitation of liability agreed under the Agreement shall apply correspondingly with respect to this Processing Agreement.
AUDIT RIGHTS AND INDEMNITY
Vendor shall, at no additional cost, keep full and accurate records relating to all processing of Personal Data on behalf of Company. Company may, upon written notice to Vendor, audit Vendor's facilities, systems, records and supporting documentation to check Vendor's compliance with its obligations.
Notwithstanding any other provision of the Agreement, Vendor hereby fully indemnifies and holds harmless the Company and its affiliates for all losses (including direct and indirect losses, fines, penalties, all legal and external professional fees and compensatory damages) in respect of all claims or actions resulting from Vendor’s failure to comply with this Processing Agreement (including relevant data protection legislation).
RESPONSIBILITY OF PROCESSOR
Note that nothing within this agreement relieves the processor of its own direct responsibilities under the GDPR.
TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA
The Vendor shall only transfer Personal Data to a third country or an international organisation with the Company’s written approval. Transfer of Personal Data to a third country or an international organisation may also take place provided that Union or Member State law to which the Vendor or sub-processor is subject requires such transfer. In such case of a legal requirement for transfer to a third country, the Vendor shall inform Company of that legal requirement before transferring Personal Data to a third country, unless that law prohibits such information on important grounds of public interest.
If Company has approved transfer of Personal Data to a third country or if transfer of Personal Data to a third country is necessary for the Vendor to provide its services to the Company under the Agreement, the Vendor and Customer shall take the necessary steps to ensure that the transfer is performed in accordance with the Data Protection Laws, for example by signing the EU Model Contracts for the transfer of Personal Data to third countries.
DEMONSTRATION OF COMPLIANCE
The Vendor shall make available to the Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for, and contribute to, audits, including inspections, conducted by an independent third-party auditor mandated by the Vendor.
The Vendor shall inform the Company if, in the Vendor’s opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
The Vendor shall have the right to invoice the Company for any work performed by the Vendor or a Sub-processor under the sections 4 (2nd paragraph), 6, 8 (1st paragraph) and 13 according to the Vendor’s or the Sub-processor’s applicable hourly fees.
If, during the Term, Data Protection Laws are changed, or new guidelines, rulings or regulations are published by the Supervisory Authority causing this Processing Agreement to be non-compliant with such law, guidelines, rulings or regulations, each of the parties shall have the right to request appropriate amendments to this Processing Agreement to satisfy the new requirements. Changes to this Processing Agreement shall, in order to be effective, be made in writing and signed by both Parties.
With regard to the Processing of Personal Data, the provisions in the Processing Agreement shall have priority over conflicting provisions in any other agreement between the parties.
This Processing Agreement shall be governed by the substantive laws of Malta. Any dispute, controversy or claim arising out of or in connection with this Processing Agreement shall be settled in accordance with the dispute regulations laid down in the Agreement.
This Processing Agreement may be executed in two or more counterparts, each of which shall be deemed an original, but all of which shall together constitute one agreement. Signatures to this Processing Agreement delivered by email or other electronic means shall have the same force and effect as originals.
TERM AND TERMINATION
The Processing Agreement is authorized for an unlimited period and can be terminated by the Company immediately for breach or for convenience. Without prejudice to the foregoing, the Company may take any one or more of the following actions: (i) suspend the transfer of personal data to Vendor; (ii) require Vendor to cease processing personal data; (iii) demand the return or destruction of the personal data; or (iv) require the Vendor to take such measures as may reasonably be required to place Vendor in compliance with this Processing Agreement.
Additionally, the Processor must provide the Controller with all the information it needs to ensure that they are both meeting their data protection obligations. The Vendor must also inform the Controller when, in its opinion, the Controller’s instruction would breach Union or Member State law.
This Processing Agreement enters into force on the Effective Date and remains in force for as long as the Vendor Processes Personal Data on behalf of the Company under the Agreement (the “Term”).
Upon termination of this Processing Agreement or of the provision of the services, Vendor shall, subject to any legitimate business or legal reason (including without limitation compliance with professional standards and document retention and IT system backup policies and protocols), cease processing all such Personal Data and, upon Company’s written request, securely purge, delete and destroy such Personal Data or return all the Personal Data to the Company and delete existing copies, unless Union or Member State law requires storage of the Personal Data.
In addition, once the data is purged the Vendor must provide formal confirmation to the Company confirming the data destruction. If the Processor is unable to delete Personal Data for technical or other reasons, the Processor will apply measures to ensure that the Personal Data is blocked from any further Processing.
Appendix 1 – Instructions regarding the Processing of Personal Data
The following instructions apply for the Processing of Personal Data for which the Company is responsible as Controller. In addition to what is already stated in this Processing Agreement, the Vendor shall adhere to the instructions below.
Please specify all the purposes for which the Personal Data will be Processed by the Vendor.
To provide the Apps and the services in accordance with the Agreement.
Types of Personal Data
Please specify the categories/types of personal Data that will be Processed by the Vendor.
To provide services in accordance with the Agreement, the Vendor will process any Personal Data supplied by users of the Apps, such as:
Direct identifying information (e.g. name, email address, phone number)
Indirect identifying information (e.g. place of work, title, address)
Device identification data (e.g. IP addresses, logs)
However, the Vendor does not knowingly collect (and Company shall not submit or upload) any special categories of data (as defined under the Data Protection Legislation).
Categories of Data Subjects
Please specify the Categories of Data Subjects whose Personal Data will be Processed by the Vendor.
End Users and individuals whose Personal Data is supplied by End Users of the App(s).
Please specify the time and requirements for retention of Personal Data that are being Processed by the Vendor.
Personal Data is kept with the Vendor as long as the Categories of Data Subjects are deemed to be active (e.g. as long as there is a valid Agreement for the use of the App(s)).
The Vendor erases Personal Data from operative data systems when the Customer no longer has any business relationship with the Vendor.
Personal Data stored in backup systems can be stored for up to ten years, in line with the limitation period under the Maltese statute of limitations.
Processing operations
Please specify all processing activities to be conducted by the Vendor.
Data processing is done manually and automatically through data systems.
The Vendor is collecting, storing and structuring data to fulfil the purpose of data processing. More specifically the processing includes:
Sending emails regarding product or service updates
Sending newsletters via email to Data Subjects who opted-in to receive newsletters
Structuring data as a foundation for internal reporting
Erasing or anonymizing personal data when appropriate
Location of Processing
Data is processed at the Vendor’s offices and on approved Sub-processors’ data equipment.
Appendix 2 – Approved Sub-processors
Below are listed the Sub-processors that have been approved by the Customer for use by the Supplier to Process Personal Data under the Processing Agreement.
Appendix 3 – Technical and Organisational measures
The following technical and organizational measures have been implemented by the Vendor:
Confidentiality (Article 32 Paragraph 1 Point b GDPR)
Physical Access Control
No unauthorised access to Data Processing Facilities, individual Smartcard access control, burglar alarm and recorded CCTV facilities at office entrance, locked entrance to server rooms.
Electronic Access Control
No unauthorised use of the Data Processing and Data Storage Systems, e.g. (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.
Internal Access Control (permissions for user rights of access to and amendment of data)
No unauthorised reading, copying, changes or deletions of data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.
Encryption (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures.
Integrity (Article 32 Paragraph 1 Point b GDPR)
Data Transfer Control
No unauthorised reading, copying, changes or deletions of data during electronic transfer or transport, e.g. encryption, Virtual Private Networks (VPN), electronic signature.
Data Entry Control
Verification of whether, and by whom, personal data is entered into a Data Processing System, changed or deleted, e.g. logging, document management.
Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
Prevention of accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), Unified Threat Management (UTM) for threat management and access control including firewall, anti-malware, mail and web content filtering, reporting procedures and contingency planning.
Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
Data Protection Management;
Incident Response Management;
Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
Order or Contract Control;
No third-party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g. clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks.