This Data Processing Agreement (“DPA”) (in the version dated September 02, 2022) governs the data processing operations between the Customer (“Data Controller”) and Heybooster OÜ (“Data Processor”), company registration number 16144095. By entering into a Service Agreement that includes the Privacy Policy conditions, set forth either in the same agreement or in a separate Privacy Policy that references this DPA, the Customer agrees to the terms and conditions of this DPA.
1. Background
1.1 The Data Controller and the Data Processor have entered into the above-mentioned Service Agreement (“Agreement”) under which the Data Processor shall provide certain services to the Data Controller. Within the scope and for the purpose of the performance of the services defined in the Agreement, the Data Processor will, among other things, potentially process Personal Data on behalf of the Data Controller.
1.2 The Data Controller and the Data Processor have entered into this DPA in order to fulfil the requirement of a written agreement between a data controller and a data processor of Personal Data as set out in Applicable Data Protection Legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to the Data Processor’s processing of Personal Data on behalf of the Data Controller. Data Subjects, data categories and the extent, nature and purpose of data processing are determined by the Agreement, Appendix 1 to this DPA and the Data Controller’s instructions.
2. Definitions
All terms used in this DPA are to be understood in accordance with the EU General Data Protection Regulation ((EU) 2016/679 “GDPR”), unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below:
“Agreement” as set forth in Article 1;
“Applicable Data Protection Legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the GDPR and the Estonian Personal Data Protection Act) including any requirements, guidelines and recommendations of the competent data protection authorities applicable at any time during the term of this DPA to, as the case may be, the Data Controller or the Data Processor;
“Audit” as set forth in Article 7.1;
“Countries with Adequate Protection” as set forth in Article 5;
“Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA;
“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA;
“DPA” means this Data Processing Agreement;
“Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor as set forth in Art 28 (2) and (4) GDPR and section 4.1 below;
“Personal Data” means any information relating to an identified or identifiable living, natural person;
“Personal Data Breach” as set forth in Article 6.2;
“Data Subject” as set forth in Article 4 (1) GDPR;
“Privacy Policy” means the terms set forth by the Data Processor on its website to inform users and customers, accepted by the Data Controller in accordance and simultaneously with using the website or becoming a party to the Agreement;
“Processing” means any operation or set of operations which are performed on Personal Data or on sets of Personal Data, whether or not by automated means as set forth in Art 4 (2) GDPR.
3. Processing of Personal Data
3.1 The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to process Personal Data only on documented instructions of the Data Controller, communicated both separately and in the Privacy Policy and the Agreement. The Data Processor shall only process Personal Data to the extent necessary to fulfil its obligations under this DPA or Applicable Data Protection Legislation.
3.2 If the services are altered during the term of the Agreement and such altered services involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before, or at the latest in connection with, the commencement of such processing or change.
3.3 When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable Data Protection Legislation and applicable recommendations by competent Data Protection Authorities or other competent authorities, and shall keep itself updated on and comply with any changes in such legislation and/or recommendations. The Data Processor shall accept any changes and amendments to this DPA that are required under Applicable Data Protection Legislation.
3.4 The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Legislation, including but not limited to the Data Controller’s obligation to comply with the rights of data subjects, to ensure the security of processing (Art. 32 GDPR), to notify a Personal Data Breach (Art. 33, 34 GDPR), to carry out a Data Protection Impact Assessment and prior consultation (Art. 35, 36 GDPR), and to respond to requests for exercising the data subject’s rights to information regarding the processing of its Personal Data. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable Data Protection Legislation.
3.5 The Data Processor shall immediately inform the Data Controller of any request, complaint, message or other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller (given either directly or by means of the Privacy Policy and the Agreement), transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law or is instructed to do so in the Privacy Policy, the Agreement or this DPA. The Data Processor shall assist the Data Controller in an appropriate manner to enable it to respond to such a request, complaint, message or other communication in accordance with Applicable Data Protection Legislation. In particular, the Data Processor shall not publish any submissions, notifications, communications, announcements or press releases in the event of a breach of data protection as defined in section 6.3. In the event the Data Processor, according to applicable laws and regulations, is required to disclose Personal Data that it processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof immediately, unless prohibited by law.
4. Sub-processors
4.1 The Data Controller authorizes the Data Processor to engage Sub-processors. All Sub-processors authorized by the Data Controller act under the authority of, and are subject to the direct instructions of, the Data Controller. A list of the currently authorized Sub-processors is set out in the Privacy Policy for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors, in which event the Data Processor shall, without undue delay and at the latest 2 weeks prior to transferring any Personal Data to a Sub-processor, inform the Data Controller in writing (publication on the website in accordance with the Privacy Policy is sufficient) of the identity of such Sub-processor and the purpose for which it will be engaged.
4.2 The Data Controller may, at its own discretion, object to any such changes within 2 weeks after the Data Processor’s notice.
4.3 The Data Processor shall impose by written agreement (which may be in electronic form) on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries and sub-contractors) the same obligations as apply to the Data Processor, in particular the obligations defined in section 4.1 (notably the procedure of notification to the Data Controller and the Data Controller’s right to issue direct instructions to Sub-processors) and section 4.2 of this DPA. Such an agreement shall not be required with respect to Sub-processors that already have similar obligations under the agreement they have concluded with the Data Processor or have declared such similar obligations on their website.
5. Transfer to Third Countries
The location(s) of the intended or actual processing of Personal Data is set out in the Privacy Policy and the Agreement. Other than those specified in the Privacy Policy and the Agreement, the Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the European Economic Area or countries recognised as providing adequate protection by the European Commission (“Countries with Adequate Protection”) without the prior written consent of the Data Controller (which may be refused or granted at its own discretion), and shall ensure that the level of protection of natural persons guaranteed by the GDPR (or a national regulation providing a similar level of protection) and as set forth in this DPA is not undermined. Unless otherwise agreed between the Parties, adequate protection in the receiving country shall be secured through an agreement incorporating the European Commission’s Standard Contractual Clauses.
6. Security of Processing
6.1 The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for the Personal Data, and shall continuously review and improve the effectiveness of its security measures. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration or access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation, and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:
  - the pseudonymization and encryption of Personal Data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
  - the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2 The Data Processor shall, without undue delay after becoming aware of it, notify the Data Controller of any accidental or unauthorized access or suspected access to Personal Data or any other actual security incident (“Personal Data Breach”). The notification shall be in written form and shall at least:
  - describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
  - communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  - describe the likely consequences of the Personal Data Breach;
  - describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
  - include any other information available to the Data Processor that the Data Controller is required to notify to the Data Protection Authorities and/or the data subjects.
6.3 The Data Processor will furthermore provide reasonable assistance requested by the Data Controller to investigate the Personal Data Breach and to notify the Data Protection Authorities and/or the data subjects as required by Applicable Data Protection Legislation.
6.4 In addition, the Data Processor shall at its own expense immediately take the necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed or corrupted as a result of the Personal Data Breach. The Data Controller shall provide reasonable assistance requested by the Data Processor to take such measures. The Data Controller shall also be liable for any additional costs of measures, or costs of additional measures, that need to be taken, and for any penalties and fines imposed, caused by or derived from the Data Controller’s inability (except where such inability is not the Data Controller’s fault) or unwillingness to provide the requested reasonable assistance.
6.5 The Data Processor undertakes not to disclose or otherwise make the Personal Data processed under this DPA available to any third party without the Data Controller’s prior written approval. This section 6.5 shall not apply if the Data Processor is required by applicable laws and regulations to disclose Personal Data that it processes on behalf of the Data Controller, in which case section 3.5 shall apply.
6.6 The Data Processor undertakes to ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data in order to fulfil the Data Processor’s obligations in accordance with this DPA, the Privacy Policy and the Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor) (i) have the necessary knowledge of and training in the Applicable Data Protection Legislation to perform the contracted services; and (ii) are bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor in accordance with this DPA.
6.7 The Data Processor requires all of its personnel (employees and Sub-processors) authorized to process Personal Data not to process Personal Data for any other purpose, except on instructions from the Data Controller or unless required by applicable law. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA.
6.8 The Data Processor appoints the following person responsible for data protection matters: Neslihan Büşra Emikoğlu - neslihan@heybooster.ai.
7. Audit Rights
7.1 The Data Processor shall allow the Data Controller, or an external auditor mandated by the Data Controller, to conduct audits, investigations and inspections on data protection and/or data security (“Audit”) in order to ensure that the Data Processor or Sub-processors are able to comply with the obligations under this DPA and Applicable Data Protection Legislation, and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance.
7.2 The Data Processor shall make available all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Legislation and shall assist the Data Controller in the performance of Audits.
8. Indemnification
The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (data subjects in particular) make claims against the Data Controller on the grounds of an infringement of their personal rights or of data protection law, where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or in relation to personal injury or death – capped at the amount of fees paid by the Data Controller in the 12 months immediately preceding the infringing incident.
9. Term
9.1 The term of this DPA follows the above-mentioned Agreement.
9.2 In case of termination of the Agreement, this DPA shall remain in force as long as the Data Processor processes Personal Data for the Data Controller.
9.3 The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors.
10. Notices
10.1 A notice or other communication to be provided by one party to the other party under this DPA shall be provided in accordance with the notices provision of the Agreement.
10.2 In case the Data Processor determines that any instruction of the Data Controller to process data violates Applicable Data Protection Legislation or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof.
11. Measures upon Completion of Processing of Personal Data
11.1 Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same, unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance.
11.2 Upon request by the Data Controller, the Data Processor shall provide written notice of the measures taken by itself or its Sub-processors with regard to the deletion or return of the Personal Data upon the completion of the processing.
12. Final Provisions
12.1 If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such a provision is included in the Agreement or the Privacy Policy for the purpose of supplementing this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement.
12.2 This DPA is governed by the law of the Republic of Estonia, to the exclusion of the conflict-of-law rules of private international law. For all disputes arising from this contract – including disputes about its existence or non-existence – the courts with subject-matter jurisdiction at the registered seat of the Data Processor shall be the exclusive forum.
12.3 If a provision or part of a provision of this DPA is or becomes ineffective under applicable legislation, this shall not affect the effectiveness and validity of the remaining provisions. The contracting parties shall replace it with a provision that, in terms of content, is as close as possible to the ineffective provision.
Appendix 1 – Data Processing Instructions
Purposes
Specify all purposes for which the personal data will be processed by the Data Processor.
Provide Data Controller access to and benefit from Data Processor’s services as set forth in the Agreement.
Categories of data
Specify the different types of Personal Data that will be processed by the Data Processor.
As set out in the Agreement and the Privacy Policy.
Special categories of Personal Data
Specify the different special categories of Personal Data that will be processed by the Data Processor.
The Data Controller does not intend to, and will not, instruct the Data Processor to process any special categories of Personal Data.
In the event that the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those set forth in art. 9 (2) GDPR) are met at all times.
Data subjects
Specify the categories of data subjects whose personal data will be processed by the Data Processor.
The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded.
- Users, customers, and/or visitors of Data Controller
Processing operations
Specify all processing activities to be conducted by the Data Processor.
Collect, store, and process data to enable Data Controller access to the Data Processor’s Application Services.
Sub-processor(s)
Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processors.
Sub-processors as set forth in the Privacy Policy.
Location of Processing Operations
Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable).
With respect to the services of the Data Processor:
- If the Data Controller is based in the EU, the data will be hosted on servers located in a data center in the EU or Countries with Adequate Protection.
- If the Data Controller is located outside the EU, the data might be hosted on servers anywhere appropriate for the purpose of the Agreement, Privacy Policy and this DPA.