Special Addendum to the Data Protection Agreement
CloudCrossing BV As the Processor / We / Us / Our
You As the End User or Controller
Contrary to what is specified in art 3.1 of the DPA, the specific underlying Assignment requires Us as the Processor to store for a certain period Personal Data obtained from the Controller and not destroy these Personal Data immediately.
In view of this specific need to store Personal Data the DPA art 3 is amended as follows:
- We will process and store the Personal Data provided by End User for the purposes of providing the specific Services (including administration, operations, technical and customer support), in accordance with the terms of the Assignment.
- Data Subjects include the individuals about whom Personal Data is provided to Us via the Services by the Controller. These Data Subjects can be customers, employees, representatives, or other business contacts of Controller.
- The Controller may submit Personal Data which may include, without limitation: name, geographic location, age, contact details, IP address, profession, gender, employment history, employment references, salary and other preferences and other personal details that the Controller may collect. The Data may also include name, title, employer, contact information (company, email, phone, address, etc.), payment information, and other account-related data and or Personal Data of sensitive nature as specified in the DPA.
- Roles of the Parties. The Parties acknowledge and agree that We will process the Personal Data only in the capacity of a Processor and that the End User will be the Controller of the Personal Data.
- Controller agrees that the underlying Assignment, the DPA and this special Annex to the DPA constitute End User ’s documented instructions concerning all Personal Data that will be stored.
- Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR. Processor is not responsible for determining the requirements of laws applicable to End User’s business or that Processor’s provision of the Services meet the requirements of such laws.
- End User/ Controller’s Obligations:
- Controller shall warrant that the instructions it provides to Processor pursuant to this DPA comply with the Data Protection Laws.
- Controller shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under the Data Protection Laws, and all communications from Supervisory Authorities that relate to Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require Our assistance, the Controller shall notify Us of the Data Subject or Supervisory Authority request.
- Controller is responsible for providing the necessary notice to the Data Subjects under the Data Protection Laws. Controller is responsible for obtaining, and demonstrating evidence that it has obtained, all necessary consents, authorizations and required permissions under the Data Protection Laws in a valid manner for Lever to perform the Services.
- Processor’s/ Our Obligations:
- We will process the Personal Data on instructions from the Controller, and in such manner as is necessary for the provision of Services except as required to comply with a legal obligation to which We are subject. Controller acknowledges and agrees that We are not responsible for performing legal research or for providing legal advice to Controller concerning Data protection laws.
- If We receives a request from any Data Subject made under Data Protection relating to Personal Data, We will provide a copy of that request to the Controller within a reasonable laps of time of receipt. We will provide reasonable assistance to the Controller in responding to the request.
- We will assist Controller in addressing any communications and abiding by any advice or orders from the Supervisory Authority relating to the Personal Data.
- We will retain Personal Data only for as long as the Controller deems it necessary for the permitted purpose, or as required by applicable laws. At the termination of this DPA, or upon Controller’s written request, We will either destroy or return the Personal Data to the End User, unless legal obligations require storage of the Personal Data.
- We will process the Personal Data only within the European Economic Area, unless parties have made other relevant agreement. These agreements shall be recorded jointly in writing or by email.
- Disclosure to third parties and Confidentiality. We as Processor will not disclose the Personal Data to third parties except as permitted by the DPA or the underlying Agreement, unless We are required to disclose the Data by applicable laws, in which case We will (to the extent permitted by law) notify the End User in writing and liaise before complying with such disclosure request.
- We treat all Personal Data as strictly confidential and requires all employees, agents, and Sub-processors engaged in processing the Personal Data to commit themselves to confidentiality, and not process the Personal Data for any other purposes, except on instructions from Controller.
- Taking into account the nature of the processing and the information available, We will provide assistance to Controller in complying with its obligations under GDPR Articles 32-36 (inclusive) (which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation).
- Controller agrees that We may engage third-party Sub-processors in connection with the provision of Services, subject to compliance with the requirements below. As a condition to permitting a Sub-processor to process Personal Data, We will enter into an agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. We will provide copies of any Sub-processor agreements to Controller pursuant only upon reasonable request by Controller.
- Controller acknowledges and agrees that We as Processor may engage current Sub-processors listed here:
- AWS (within your region)
- Connective.eu (only when using SIGN Butler)
- ILovePDF.com (only when complex conversions of Excel and Powerpoint are required)
- We will remain responsible for compliance with all the obligations of this DPA and for any acts and omissions of Our Sub-processors that cause Us to breach any of Our obligations under this DPA.
All other clauses of the DPA remain unchanged.
If you have any questions or suggestions about our Policy, do not hesitate to contact us by clicking the button below