Common use of Rights and Obligations of the Processor Clause in Contracts

Rights and Obligations of the Processor.

(1) [Purpose of processing] The Processor shall provide the Controller with the services/process the Data for the purposes described in the Framework CDP.

(2) [Lawfulness of processing] The Processor shall process the Data in accordance with the Legal Provisions, the provisions of this Contract, and the instructions of the Controller. If, due to a Legal Provision, the Processor is prevented from processing the Data in accordance with this Contract and the instructions of the Controller, it shall inform the Controller of this before carrying out the processing, unless it is legally forbidden under Union or Member State Law to inform the Controller on important public interest grounds. The Processor shall not use the Data for any other purpose and shall in particular not be permitted to pass on the Data provided to it to third parties. Copies and duplicates must not be created without the prior consent of the Controller. This excludes backups required to assure proper data processing. In the case of maintenance, remote maintenance and/or IT fault analysis, access to the Data of the Controller shall be prevented as far as possible. If Data access is unavoidable, the Processor must limit Data access to the unavoidable minimum.

(3) [Data protection officer] The Processor provides assurance that it has engaged a competent and reliable data protection officer, who is granted the time required to perform his or her duties. The data protection officer performs the duties in accordance with the Legal Provisions; in particular, he/she takes steps to ensure compliance with the legal and agreed regulations regarding data protection. As far as the engagement of a data protection officer is not required by law and the Processor therefore does not have a data protection officer in place the Processor determines a contact person responsible for the matter of data protection. Detailed information on the contact details of the data protection officer / the responsible contact person is provided in § 8 below.

(4) [Territorial restrictions] The data processing may generally take place in a Member State of the European Union/European Economic Area. The location of processing is (add the location). Changes regarding the processing location and/or the inclusion of further processing locations require the prior agreement of the Controller (in writing or by e-mail). Data processing in third countries (i.e. countries that are not member states of the European Union/European Economic Area and do not possess an accepted appropriate level of data protection) shall only take place on the basis of an additional, separate agreement (EU Standard Contractual Clauses) to ensure an appropriate level of data protection. Furthermore Processor agrees to enter into separate EU Standard Contractual Clauses directly with a respective Superordinate Customer (Data Exporter), as defined in § 1 (3), if necessary. Processor is obligated to enter into the EU-Standard Contractual Clauses in the name and on behalf of Controller and/or, if so, the respective Superordinate Customers with its Subprocessors in third countries which are approved by Controller. The power of attorney for this purpose is hereby granted by the Controller. Controller is obligated to obtain a respective power of attorney from its Superordinate Customers. If Processor offers safeguards according to Article 46 GDPR to Controller, it is in Controller's discretion to decide, if processing in third countries can be carried out on that basis. § 6 remains unaffected. The foregoing provisions also apply to any access to or viewing of the Data by the Processor, e.g., as part of internal checks or for the purpose of development, carrying out tests, or administration.

(5) [Audits] With regard to § 2 (4) above, the Processor shall provide information and cooperate accordingly. The Processor shall support the Controller in particular in data protection audits conducted by the supervisory authorities to the extent that such audits concern the processing of Data under this Contract, and shall immediately implement the requirements of the supervisory authority in agreement with the Controller. The Processor itself must also monitor compliance with the Legal Provisions and this Contract. Checks must be carried out by the Processor at regular intervals to review the effectiveness and success of the technical and organizational data protection measures implemented. Evidence of the implementation of contractually agreed measures must, upon request of the Controller, be presented in the form of up-to-date attestations, reports, or extracts thereof.

(6) [Data subjects exercising their rights] On the instructions of the Controller, the Processor is obliged to support the Controller in fulfilling its obligations toward data subjects who are exercising their rights in accordance with the Legal Provisions (e.g., right to information, correction). If a data subject addresses the Processor directly, the Processor shall not disclose any information, but rather refer the data subject to the Controller. The Processor shall inform the Controller accordingly.

(7) [Further support] The Processor shall also support the Controller in the performance of its other legal duties where these are associated with the data processing by the Processor. In particular, it shall:
(a) on request, provide the Controller with all the information it has at its disposal that the Controller needs to comply with its reporting and/or documentation duties in accordance with the Legal Provisions (in particular the records of processing activities);
(b) support the Controller in providing information to the extent that information about the processing of Data is required to be reported to a governmental agency or a person in accordance with the Legal Provisions;
(c) inform the Controller of any incidents of serious disruption to operations, any suspicion of data protection violations, and/or other irregularities in relation to the processing of the Data. The Processor is aware that the Controller is obliged to inform the supervisory authorities immediately of any data protection violations. The relevant information shall be documented and shall contain the details necessary for reporting to the supervisory authorities. In the event of data protection violations, the Processor shall support the Controller in notifying the data subjects and the supervisory authority, if requested to do so.

(8) The Processor shall immediately notify the Controller of any and all communications from the supervisory authorities (e.g., inquiries, notification of measures or requirements) to the Processor in connection with the processing of Data under this Contract. Subject to mandatory statutory requirements under Union or Member State Law, the Processor shall only provide information to third parties, including supervisory authorities, with the prior consent of and in consultation with the Controller (in writing or by e-mail).

(9) [Deletion or return of data] Upon completion of the commissioned work or earlier at the request of the Controller, the Processor shall delete all personal data or destroy data carriers containing personal data in accordance with current and recognized technical standards in such a way that recovery of the Data is not possible or only possible with disproportionate effort, and shall confirm this to the Controller stating the methodology used. The destruction of data carriers shall be recorded stating the serial number of the data carrier, and the type and date of destruction. The aforesaid shall also apply to test and waste material and any backup copies produced. Instead of deletion/destruction – and if agreed – the Processor shall hand over to the Controller the Data and any documents, processing results, and data carriers in its possession. Deviations from the above deletion and return obligations shall only be considered if the Legal Provisions stipulate the storage of the personal data. The Processor shall inform the Controller of this.

Appears in 3 contracts

Sources: Contract on Processing of Personal Data on Behalf of a Controller, Contract on Processing of Personal Data on Behalf of a Controller, Contract on Processing of Personal Data on Behalf of a Controller