Data Processing Agreement
Last modified: 05.09.2026
Last modified: 05.09.2026
Consvert (“Consvert” acting as Data Processor) and the counterparty agreeing to these terms (“Customer” acting as Data Controller) have entered into a written or electronic Main Service Agreement for the Services provided by Consvert (the “Service Agreement” or “MSA”) and/or a Statement of Work (the “SOW”) and/or and Order Form (the “Order Form”). This Data processing Agreement, pursuant with article 28 of GDPR and UK GDPR, reflects the parties’ agreement with respect to the Processing of Personal Data by Consvert as a Processor on your (if you are the counterparty reading this) behalf. This DPA, including the annexes (the “DPA”), forms part of the MSA, of the SOW, of the Order Form and of the Platform(s) Terms (“Ursula PT” and/or “Klauss PT”, which regulate the platforms at https://ursula.consvert.com/ , https://mailbox.consvert.com/ and https://klauss.consvert.com/).
Consvert (“Consvert” acting as Data Processor) and the counterparty agreeing to these terms (“Customer” acting as Data Controller) have entered into a written or electronic Main Service Agreement for the Services provided by Consvert (the “Service Agreement” or “MSA”) and/or a Statement of Work (the “SOW”) and/or and Order Form (the “Order Form”). This Data processing Agreement, pursuant with article 28 of GDPR and UK GDPR, reflects the parties’ agreement with respect to the Processing of Personal Data by Consvert as a Processor on your (if you are the counterparty reading this) behalf. This DPA, including the annexes (the “DPA”), forms part of the MSA, of the SOW, of the Order Form and of the Platform(s) Terms (“Ursula PT” and/or “Klauss PT”, which regulate the platforms at https://ursula.consvert.com/ , https://mailbox.consvert.com/ and https://klauss.consvert.com/).
Consvert (“Consvert” acting as Data Processor) and the counterparty agreeing to these terms (“Customer” acting as Data Controller) have entered into a written or electronic Main Service Agreement for the Services provided by Consvert (the “Service Agreement” or “MSA”) and/or a Statement of Work (the “SOW”) and/or and Order Form (the “Order Form”). This Data processing Agreement, pursuant with article 28 of GDPR and UK GDPR, reflects the parties’ agreement with respect to the Processing of Personal Data by Consvert as a Processor on your (if you are the counterparty reading this) behalf. This DPA, including the annexes (the “DPA”), forms part of the MSA, of the SOW, of the Order Form and of the Platform(s) Terms (“Ursula PT” and/or “Klauss PT”, which regulate the platforms at https://ursula.consvert.com/ , https://mailbox.consvert.com/ and https://klauss.consvert.com/).
Data Protection Law
Data Protection Law
Article 28 of Regulation (EU) 2016/679 ("GDPR") and of “UK GDPR”, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018 (hereinafter also "DP Law") establish that the processing carried out on behalf of a Controller by the Processor is governed by a binding contract between the Processor and the Controller, which defines the scope and duration of the processing, the nature and purpose, the type of personal data and categories of data subjects processed, and the obligations and rights of the parties.
Article 28 of Regulation (EU) 2016/679 ("GDPR") and of “UK GDPR”, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018 (hereinafter also "DP Law") establish that the processing carried out on behalf of a Controller by the Processor is governed by a binding contract between the Processor and the Controller, which defines the scope and duration of the processing, the nature and purpose, the type of personal data and categories of data subjects processed, and the obligations and rights of the parties.
Article 28 of Regulation (EU) 2016/679 ("GDPR") and of “UK GDPR”, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018 (hereinafter also "DP Law") establish that the processing carried out on behalf of a Controller by the Processor is governed by a binding contract between the Processor and the Controller, which defines the scope and duration of the processing, the nature and purpose, the type of personal data and categories of data subjects processed, and the obligations and rights of the parties.
MSA, SOW, Order Form, Platform(s)
MSA, SOW, Order Form, Platform(s)
The Processor will provide the Controller with the service ("Services") as specified in the service agreement signed by the Parties ("Service Agreement" or “MSA”) and/or the Statement of Work (“SOW”) and/or the Order Form (“Order Form”). In the context of these Services, the Processor will process personal data on behalf of the Controller in accordance with this Data Processing Agreement ("DPA"). Specifically, in performing the activities, the Processor will have access to (as a way of exemplification but not limited to) the Controller’s personal data of leads, prospects and customers needed to fulfill on the services provided.
The Processor will provide the Controller with the service ("Services") as specified in the service agreement signed by the Parties ("Service Agreement" or “MSA”) and/or the Statement of Work (“SOW”) and/or the Order Form (“Order Form”). In the context of these Services, the Processor will process personal data on behalf of the Controller in accordance with this Data Processing Agreement ("DPA"). Specifically, in performing the activities, the Processor will have access to (as a way of exemplification but not limited to) the Controller’s personal data of leads, prospects and customers needed to fulfill on the services provided.
The Processor will provide the Controller with the service ("Services") as specified in the service agreement signed by the Parties ("Service Agreement" or “MSA”) and/or the Statement of Work (“SOW”) and/or the Order Form (“Order Form”). In the context of these Services, the Processor will process personal data on behalf of the Controller in accordance with this Data Processing Agreement ("DPA"). Specifically, in performing the activities, the Processor will have access to (as a way of exemplification but not limited to) the Controller’s personal data of leads, prospects and customers needed to fulfill on the services provided.
Processor's Competence
Processor's Competence
The Processor guarantees that it possesses sufficient specialized knowledge, reliability, and resources to implement technical and organizational measures that meet the requirements of the Data Protection Law.
The Processor guarantees that it possesses sufficient specialized knowledge, reliability, and resources to implement technical and organizational measures that meet the requirements of the Data Protection Law.
The Processor guarantees that it possesses sufficient specialized knowledge, reliability, and resources to implement technical and organizational measures that meet the requirements of the Data Protection Law.
Data Assignment
Data Assignment
The Data Controller wishes to entrust the Processor with the personal data processing activities as detailed in Annex I and the Processor wishes to perform the processing on behalf of the Data Controller.
The Processor is not entitled to any specific compensation for performing the activities described in this DPA, as they are performed under the Service Agreement, which already defines the entire economic evaluation of the relationship between the Parties.
Based on the above assumptions, the Parties agree as follows.
The Data Controller wishes to entrust the Processor with the personal data processing activities as detailed in Annex I and the Processor wishes to perform the processing on behalf of the Data Controller.
The Processor is not entitled to any specific compensation for performing the activities described in this DPA, as they are performed under the Service Agreement, which already defines the entire economic evaluation of the relationship between the Parties.
Based on the above assumptions, the Parties agree as follows.
The Data Controller wishes to entrust the Processor with the personal data processing activities as detailed in Annex I and the Processor wishes to perform the processing on behalf of the Data Controller.
The Processor is not entitled to any specific compensation for performing the activities described in this DPA, as they are performed under the Service Agreement, which already defines the entire economic evaluation of the relationship between the Parties.
Based on the above assumptions, the Parties agree as follows.
1. Recitals and Annexes
1. Recitals and Annexes
The Recitals and Annexes are an integral and substantial part of this DPA.
The Recitals and Annexes are an integral and substantial part of this DPA.
The Recitals and Annexes are an integral and substantial part of this DPA.
2. Subject of the Agreement
2. Subject of the Agreement
By signing this DPA, the Parties intend to regulate the processing of personal data by the Processor on behalf of the Controller, specifying the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the Parties' obligations and rights.
The Controller, therefore, engages the Processor, who by signing accepts it, as the "Data Processor" for the processing of the data.
By signing this DPA, the Parties intend to regulate the processing of personal data by the Processor on behalf of the Controller, specifying the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the Parties' obligations and rights.
The Controller, therefore, engages the Processor, who by signing accepts it, as the "Data Processor" for the processing of the data.
By signing this DPA, the Parties intend to regulate the processing of personal data by the Processor on behalf of the Controller, specifying the subject matter, duration, nature, and purpose of the processing, the type of personal data and categories of data subjects, and the Parties' obligations and rights.
The Controller, therefore, engages the Processor, who by signing accepts it, as the "Data Processor" for the processing of the data.
3. Definitions
3. Definitions
The terms used in this DPA have the following meanings:
"GDPR" is the acronym for Regulation (EU) 679/2016 on the General Data Protection Regulation;
“UK GDPR” is the acronym for the United Kingdom General Data Protection Regulation, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018;
“Personal data", "special categories of personal data", "processing", "controller", "processor", "data subject", "third party", "supervisory authority", “international transfers”, “Standard data protection clauses or SCCs” have the same meaning as in the GDPR and in the UK GDPR;
"Subprocessor": any entity engaged by the Processor or any other subprocessor of the Processor that agrees to receive personal data from the Processor or any other subprocessor exclusively for the purpose of performing the Services in accordance with the terms of the DPA, and the terms of the subcontract;
"Data Protection law": the legislation that protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy in relation to the processing of personal data, applicable to a Controller established in an EU Member State or in the United Kingdom or because such Controller offers goods and services to data subjects who are in the EU or in the United Kingdom;
"Technical and organizational measures": measures to ensure a level of security appropriate to the risk, designed to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, and against all other unlawful forms of processing;
"Personal data breach": a breach of security leading to the destruction, loss, alteration, unauthorized or unlawful disclosure of personal data transmitted, stored, or otherwise processed.
The terms used in this DPA have the following meanings:
"GDPR" is the acronym for Regulation (EU) 679/2016 on the General Data Protection Regulation;
“UK GDPR” is the acronym for the United Kingdom General Data Protection Regulation, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018;
“Personal data", "special categories of personal data", "processing", "controller", "processor", "data subject", "third party", "supervisory authority", “international transfers”, “Standard data protection clauses or SCCs” have the same meaning as in the GDPR and in the UK GDPR;
"Subprocessor": any entity engaged by the Processor or any other subprocessor of the Processor that agrees to receive personal data from the Processor or any other subprocessor exclusively for the purpose of performing the Services in accordance with the terms of the DPA, and the terms of the subcontract;
"Data Protection law": the legislation that protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy in relation to the processing of personal data, applicable to a Controller established in an EU Member State or in the United Kingdom or because such Controller offers goods and services to data subjects who are in the EU or in the United Kingdom;
"Technical and organizational measures": measures to ensure a level of security appropriate to the risk, designed to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, and against all other unlawful forms of processing;
"Personal data breach": a breach of security leading to the destruction, loss, alteration, unauthorized or unlawful disclosure of personal data transmitted, stored, or otherwise processed.
The terms used in this DPA have the following meanings:
"GDPR" is the acronym for Regulation (EU) 679/2016 on the General Data Protection Regulation;
“UK GDPR” is the acronym for the United Kingdom General Data Protection Regulation, namely Regulation (EU) 2016/679, as defined in section 3(10) of the Data Protection Act 2018;
“Personal data", "special categories of personal data", "processing", "controller", "processor", "data subject", "third party", "supervisory authority", “international transfers”, “Standard data protection clauses or SCCs” have the same meaning as in the GDPR and in the UK GDPR;
"Subprocessor": any entity engaged by the Processor or any other subprocessor of the Processor that agrees to receive personal data from the Processor or any other subprocessor exclusively for the purpose of performing the Services in accordance with the terms of the DPA, and the terms of the subcontract;
"Data Protection law": the legislation that protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy in relation to the processing of personal data, applicable to a Controller established in an EU Member State or in the United Kingdom or because such Controller offers goods and services to data subjects who are in the EU or in the United Kingdom;
"Technical and organizational measures": measures to ensure a level of security appropriate to the risk, designed to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, and against all other unlawful forms of processing;
"Personal data breach": a breach of security leading to the destruction, loss, alteration, unauthorized or unlawful disclosure of personal data transmitted, stored, or otherwise processed.
Scope of processing
The details of the data processing, i.e. the categories of personal data and data subjects, are specified in Annex I.
The details of the data processing, i.e. the categories of personal data and data subjects, are specified in Annex I.
The details of the data processing, i.e. the categories of personal data and data subjects, are specified in Annex I.
Applicability of UK Data Protection Law
Applicability of UK Data Protection Law
To the extent that the processing of personal data under this DPA involves, cumulatively or exclusively, data subjects located in the United Kingdom, along with or without data subject located in the EU because the Controller is, cumulatively or exclusively, subject to the UK GDPR for the relevant processing operations, the provisions of this DPA shall be interpreted with reference to the UK GDPR as well.
Where this DPA refers to the "GDPR" or "Regulation (EU) 2016/679", and where the Controller is subject to the UK GDPR under article 3(2), such references shall, in relation to processing subject to the UK GDPR, be construed as references to the corresponding provisions of the UK GDPR.
To the extent that the processing of personal data under this DPA involves, cumulatively or exclusively, data subjects located in the United Kingdom, along with or without data subject located in the EU because the Controller is, cumulatively or exclusively, subject to the UK GDPR for the relevant processing operations, the provisions of this DPA shall be interpreted with reference to the UK GDPR as well.
Where this DPA refers to the "GDPR" or "Regulation (EU) 2016/679", and where the Controller is subject to the UK GDPR under article 3(2), such references shall, in relation to processing subject to the UK GDPR, be construed as references to the corresponding provisions of the UK GDPR.
To the extent that the processing of personal data under this DPA involves, cumulatively or exclusively, data subjects located in the United Kingdom, along with or without data subject located in the EU because the Controller is, cumulatively or exclusively, subject to the UK GDPR for the relevant processing operations, the provisions of this DPA shall be interpreted with reference to the UK GDPR as well.
Where this DPA refers to the "GDPR" or "Regulation (EU) 2016/679", and where the Controller is subject to the UK GDPR under article 3(2), such references shall, in relation to processing subject to the UK GDPR, be construed as references to the corresponding provisions of the UK GDPR.
6. Controller’s Obligations
6. Controller’s Obligations
The Data Controller agrees and guarantees:
A) Compliance - It is responsible for assessing the lawfulness of data processing and ensuring the rights of the data subjects involved.
B) Security - It ensures that technical and organizational measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, taking into account the state of the art and the cost of their implementation.
C)Instructions – That, if needed, it will issue written or oral instructions regarding the purpose and procedure of data processing, where applicable, amplifying, specifying, and modifying the provisions of this DPA.
The Data Controller agrees and guarantees:
A) Compliance - It is responsible for assessing the lawfulness of data processing and ensuring the rights of the data subjects involved.
B) Security - It ensures that technical and organizational measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, taking into account the state of the art and the cost of their implementation.
C)Instructions – That, if needed, it will issue written or oral instructions regarding the purpose and procedure of data processing, where applicable, amplifying, specifying, and modifying the provisions of this DPA.
The Data Controller agrees and guarantees:
A) Compliance - It is responsible for assessing the lawfulness of data processing and ensuring the rights of the data subjects involved.
B) Security - It ensures that technical and organizational measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, taking into account the state of the art and the cost of their implementation.
C)Instructions – That, if needed, it will issue written or oral instructions regarding the purpose and procedure of data processing, where applicable, amplifying, specifying, and modifying the provisions of this DPA.
7. Processor’s Obligations
7. Processor’s Obligations
The Data Processor agrees and guarantees:
The Data Processor agrees and guarantees:
The Data Processor agrees and guarantees:
7.1 Compliance with the Controller's Activities
To process personal data only on behalf of the Controller and limited to processing activities strictly necessary for the performance of the Services, in accordance with the main Service Agreement, this DPA and, if present, with Controller’s instructions. If the Data Processor is unable to comply for any reason, it will promptly inform the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
To process personal data only on behalf of the Controller and limited to processing activities strictly necessary for the performance of the Services, in accordance with the main Service Agreement, this DPA and, if present, with Controller’s instructions. If the Data Processor is unable to comply for any reason, it will promptly inform the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
To process personal data only on behalf of the Controller and limited to processing activities strictly necessary for the performance of the Services, in accordance with the main Service Agreement, this DPA and, if present, with Controller’s instructions. If the Data Processor is unable to comply for any reason, it will promptly inform the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
7.2 Compliance with Law
That it has no reason to believe that applicable law prevents it from fulfilling the instructions received from the Controller and its obligations under the Service Agreement and this DPA. If it believes that a change in law may have a material adverse effect on the aforementioned warranties and obligations, it will promptly notify the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
That it has no reason to believe that applicable law prevents it from fulfilling the instructions received from the Controller and its obligations under the Service Agreement and this DPA. If it believes that a change in law may have a material adverse effect on the aforementioned warranties and obligations, it will promptly notify the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
That it has no reason to believe that applicable law prevents it from fulfilling the instructions received from the Controller and its obligations under the Service Agreement and this DPA. If it believes that a change in law may have a material adverse effect on the aforementioned warranties and obligations, it will promptly notify the Controller, which has the right to suspend data processing and/or terminate the Service Agreement and this DPA.
7.3 Technical and Organizational Measures
That, taking into account the risk to the rights and freedoms of data subjects, the Processor shall adopt the technical and organizational security measures summarized in Annex II (which is present in the signed version of this DPA), which itself has compiled.
That, taking into account the risk to the rights and freedoms of data subjects, the Processor shall adopt the technical and organizational security measures summarized in Annex II (which is present in the signed version of this DPA), which itself has compiled.
That, taking into account the risk to the rights and freedoms of data subjects, the Processor shall adopt the technical and organizational security measures summarized in Annex II (which is present in the signed version of this DPA), which itself has compiled.
7.4 Prompt Notification
That it will promptly inform the Data Controller of:
• Any legally binding request for disclosure of personal data by a judicial authority, unless prohibited for important reasons of public interest;
• Any breach of the personal data referred to in this Agreement of which it becomes aware;
That it will promptly inform the Data Controller of:
• Any legally binding request for disclosure of personal data by a judicial authority, unless prohibited for important reasons of public interest;
• Any breach of the personal data referred to in this Agreement of which it becomes aware;
That it will promptly inform the Data Controller of:
• Any legally binding request for disclosure of personal data by a judicial authority, unless prohibited for important reasons of public interest;
• Any breach of the personal data referred to in this Agreement of which it becomes aware;
7.5 Cooperation with the Controller for Supervisory Authorities
To cooperate with the Controller in complying with any orders issued by Supervisory Authorities or judicial authorities regarding data processing, as well as to promptly and appropriately handle the Controller's requests regarding data processing and to comply with the Supervisory Authorities’ guidelines regarding data processing.
To cooperate with the Controller in complying with any orders issued by Supervisory Authorities or judicial authorities regarding data processing, as well as to promptly and appropriately handle the Controller's requests regarding data processing and to comply with the Supervisory Authorities’ guidelines regarding data processing.
To cooperate with the Controller in complying with any orders issued by Supervisory Authorities or judicial authorities regarding data processing, as well as to promptly and appropriately handle the Controller's requests regarding data processing and to comply with the Supervisory Authorities’ guidelines regarding data processing.
8. Security of Processing
8. Security of Processing
Processors and sub-processors must comply with technical and organizational security measures that at least meet the requirements of the Data Protection law and any specific measures specified in this DPA. Processors and sub-processors will immediately inform the Data Controller of any personal data breach.
Processors and sub-processors must comply with technical and organizational security measures that at least meet the requirements of the Data Protection law and any specific measures specified in this DPA. Processors and sub-processors will immediately inform the Data Controller of any personal data breach.
Processors and sub-processors must comply with technical and organizational security measures that at least meet the requirements of the Data Protection law and any specific measures specified in this DPA. Processors and sub-processors will immediately inform the Data Controller of any personal data breach.
9. Appointment of Sub-Processors
9. Appointment of Sub-Processors
The Data Controller acknowledges and hereby consents to the Processor using, for the performance of the services required to fulfill the Service Agreement, suppliers (sub-processors) who offer the necessary guarantees regarding the processing of personal data in relation to the protection of privacy, freedoms, and fundamental rights of natural persons.
The Data Processors ensures that any subprocessor provides an adequate level of data protection pursuant to the Data Protection law.
The Controller approves the subprocessors listed in Annex III, which the Processor will update as necessary. The subprocessors will be considered as processors of the Controller.
The Data Controller acknowledges and hereby consents to the Processor using, for the performance of the services required to fulfill the Service Agreement, suppliers (sub-processors) who offer the necessary guarantees regarding the processing of personal data in relation to the protection of privacy, freedoms, and fundamental rights of natural persons.
The Data Processors ensures that any subprocessor provides an adequate level of data protection pursuant to the Data Protection law.
The Controller approves the subprocessors listed in Annex III, which the Processor will update as necessary. The subprocessors will be considered as processors of the Controller.
The Data Controller acknowledges and hereby consents to the Processor using, for the performance of the services required to fulfill the Service Agreement, suppliers (sub-processors) who offer the necessary guarantees regarding the processing of personal data in relation to the protection of privacy, freedoms, and fundamental rights of natural persons.
The Data Processors ensures that any subprocessor provides an adequate level of data protection pursuant to the Data Protection law.
The Controller approves the subprocessors listed in Annex III, which the Processor will update as necessary. The subprocessors will be considered as processors of the Controller.
10. Rights and Requests of Data Subjects
10. Rights and Requests of Data Subjects
Due to the nature of the Services provided, the Data Controller will receive, as a service offered by the Processor, all the technical and procedural tools in order to fulfill requests from data subjects and, therefore, comply with the applicable Data Protection law.
The Data Controller will have ownership of the infrastructure and will, therefore, be autonomous in being able to technically fulfill data subjects’ requests.
Given the controllership of the Data Controller on its processing activities the Data Processor and its sub-processors will not respond to requests from data subjects concerning processing activities that are carried out by the Controller and rely on the Controller’s infrastructure as provided by the Processor. Notwithstanding, the Processor will cooperate with the Controller in helping fulfill the data subjects requests only in cases where, under the main Service Agreement, a managed-for-you or cooperation structure between the Processor and Controller is in place, or where a strictly technical intervention by the Processor is needed.
Due to the nature of the Services provided, the Data Controller will receive, as a service offered by the Processor, all the technical and procedural tools in order to fulfill requests from data subjects and, therefore, comply with the applicable Data Protection law.
The Data Controller will have ownership of the infrastructure and will, therefore, be autonomous in being able to technically fulfill data subjects’ requests.
Given the controllership of the Data Controller on its processing activities the Data Processor and its sub-processors will not respond to requests from data subjects concerning processing activities that are carried out by the Controller and rely on the Controller’s infrastructure as provided by the Processor. Notwithstanding, the Processor will cooperate with the Controller in helping fulfill the data subjects requests only in cases where, under the main Service Agreement, a managed-for-you or cooperation structure between the Processor and Controller is in place, or where a strictly technical intervention by the Processor is needed.
Due to the nature of the Services provided, the Data Controller will receive, as a service offered by the Processor, all the technical and procedural tools in order to fulfill requests from data subjects and, therefore, comply with the applicable Data Protection law.
The Data Controller will have ownership of the infrastructure and will, therefore, be autonomous in being able to technically fulfill data subjects’ requests.
Given the controllership of the Data Controller on its processing activities the Data Processor and its sub-processors will not respond to requests from data subjects concerning processing activities that are carried out by the Controller and rely on the Controller’s infrastructure as provided by the Processor. Notwithstanding, the Processor will cooperate with the Controller in helping fulfill the data subjects requests only in cases where, under the main Service Agreement, a managed-for-you or cooperation structure between the Processor and Controller is in place, or where a strictly technical intervention by the Processor is needed.
11. Persons authorized to process
11. Persons authorized to process
The Data Processor ensures that only qualified, duly authorized, and trained personnel process personal data pursuant to this DPA.
The Data Processor ensures that anyone acting under its authority who has access to personal data processes it in accordance with this DPA. To implement the above obligation, the Processor will provide such authorized persons with detailed instructions and training to comply with the Data Protection law and this DPA. It will ensure that each person has access only to personal data whose knowledge is necessary to perform their assigned tasks.
The Processor ensures that persons authorized to process data have undertaken to maintain confidentiality or are subject to a legal obligation of confidentiality, including for a reasonable period after the end of their employment with the Processor.
The Data Processor ensures that only qualified, duly authorized, and trained personnel process personal data pursuant to this DPA.
The Data Processor ensures that anyone acting under its authority who has access to personal data processes it in accordance with this DPA. To implement the above obligation, the Processor will provide such authorized persons with detailed instructions and training to comply with the Data Protection law and this DPA. It will ensure that each person has access only to personal data whose knowledge is necessary to perform their assigned tasks.
The Processor ensures that persons authorized to process data have undertaken to maintain confidentiality or are subject to a legal obligation of confidentiality, including for a reasonable period after the end of their employment with the Processor.
The Data Processor ensures that only qualified, duly authorized, and trained personnel process personal data pursuant to this DPA.
The Data Processor ensures that anyone acting under its authority who has access to personal data processes it in accordance with this DPA. To implement the above obligation, the Processor will provide such authorized persons with detailed instructions and training to comply with the Data Protection law and this DPA. It will ensure that each person has access only to personal data whose knowledge is necessary to perform their assigned tasks.
The Processor ensures that persons authorized to process data have undertaken to maintain confidentiality or are subject to a legal obligation of confidentiality, including for a reasonable period after the end of their employment with the Processor.
12. Data Communication
12. Data Communication
The Processor will refrain from communicating personal data undergoing processing to third parties without the prior written consent of the Data Controller.
The Processor will refrain from communicating personal data undergoing processing to third parties without the prior written consent of the Data Controller.
The Processor will refrain from communicating personal data undergoing processing to third parties without the prior written consent of the Data Controller.
13. Transfers to Third Countries
13. Transfers to Third Countries
Most of the personal data will be processed within the EEA but is possible that Consvert (and its sub-Processors), for the purpose of providing the Services to the Client, may transfer personal data subject to GDPR or UK GDPR, for which the Customer is the Controller, to third countries outside of the EEA or UK. In such cases Consvert will ensure the right safeguards under Chapter V of GDPR are put in place.
On the other hand, considering the main Service Agreement between Consvert and the Customer, in the cases of transfers of personal data, subject to GDPR and/or UK GDPR, back to the Customer, which is established in a non-EEA or UK country, where that would be considered as a transfer under Chapter V of GDPR, pursuant with article GDPR 46(2) letter c), the Standard Data Protection Clauses (or “SCCs”) -module 4: processor to controller, as identified by EDPB as “the available and most relevant transfer tools for data flows to importers subject to the GDPR”[1]- are the transfer mechanism of choice. In said scenarios the Data Controller would act as “Data Importer” and the Data Processor would act as “Data Exporter”.
The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Consvert to Customer is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:
a)EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i) Module Four will apply because Customer is a Controller;
ii) in Clause 7, the optional docking clause will apply;
iii) in Clause 17, “These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Italy.”;
iv) in Clause 18, “Any dispute arising from these Clauses shall be resolved by the courts of Italy.”;
v)Annex I (provided in the signed version of this DPA) of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
vi)Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II (provided in the signed version of this DPA) to this DPA.
b) UK Transfers: in relation to UK Personal Data that is protected by the UK GDPR and sent back from Consvert (the data Processor and exporter) to the Customer (the data Controller and importer) which is located outside of the UK and in a non-EEA country, under ICO guidance, this does not constitute a restricted transfer. This is true because: (i) Consvert is only handling the personal information as a processor under the instructions of the Customer (data controller); and (ii) transferring the personal information to the same controller (the Customer) that instructed Consvert to do the processing. This is not a restricted transfer as the information is flowing to the controller itself, and not to a separate organization.
In respect of Restricted Transfers made to Consvert under article 13, Consvert will not participate in (nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws.
[1] EDPB Guidelines 05/2021 “on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” - p.14 footnote 30
Most of the personal data will be processed within the EEA but is possible that Consvert (and its sub-Processors), for the purpose of providing the Services to the Client, may transfer personal data subject to GDPR or UK GDPR, for which the Customer is the Controller, to third countries outside of the EEA or UK. In such cases Consvert will ensure the right safeguards under Chapter V of GDPR are put in place.
On the other hand, considering the main Service Agreement between Consvert and the Customer, in the cases of transfers of personal data, subject to GDPR and/or UK GDPR, back to the Customer, which is established in a non-EEA or UK country, where that would be considered as a transfer under Chapter V of GDPR, pursuant with article GDPR 46(2) letter c), the Standard Data Protection Clauses (or “SCCs”) -module 4: processor to controller, as identified by EDPB as “the available and most relevant transfer tools for data flows to importers subject to the GDPR”[1]- are the transfer mechanism of choice. In said scenarios the Data Controller would act as “Data Importer” and the Data Processor would act as “Data Exporter”.
The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Consvert to Customer is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:
a)EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i) Module Four will apply because Customer is a Controller;
ii) in Clause 7, the optional docking clause will apply;
iii) in Clause 17, “These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Italy.”;
iv) in Clause 18, “Any dispute arising from these Clauses shall be resolved by the courts of Italy.”;
v)Annex I (provided in the signed version of this DPA) of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
vi)Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II (provided in the signed version of this DPA) to this DPA.
b) UK Transfers: in relation to UK Personal Data that is protected by the UK GDPR and sent back from Consvert (the data Processor and exporter) to the Customer (the data Controller and importer) which is located outside of the UK and in a non-EEA country, under ICO guidance, this does not constitute a restricted transfer. This is true because: (i) Consvert is only handling the personal information as a processor under the instructions of the Customer (data controller); and (ii) transferring the personal information to the same controller (the Customer) that instructed Consvert to do the processing. This is not a restricted transfer as the information is flowing to the controller itself, and not to a separate organization.
In respect of Restricted Transfers made to Consvert under article 13, Consvert will not participate in (nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws.
[1] EDPB Guidelines 05/2021 “on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” - p.14 footnote 30
Most of the personal data will be processed within the EEA but is possible that Consvert (and its sub-Processors), for the purpose of providing the Services to the Client, may transfer personal data subject to GDPR or UK GDPR, for which the Customer is the Controller, to third countries outside of the EEA or UK. In such cases Consvert will ensure the right safeguards under Chapter V of GDPR are put in place.
On the other hand, considering the main Service Agreement between Consvert and the Customer, in the cases of transfers of personal data, subject to GDPR and/or UK GDPR, back to the Customer, which is established in a non-EEA or UK country, where that would be considered as a transfer under Chapter V of GDPR, pursuant with article GDPR 46(2) letter c), the Standard Data Protection Clauses (or “SCCs”) -module 4: processor to controller, as identified by EDPB as “the available and most relevant transfer tools for data flows to importers subject to the GDPR”[1]- are the transfer mechanism of choice. In said scenarios the Data Controller would act as “Data Importer” and the Data Processor would act as “Data Exporter”.
The parties agree that when the transfer of Personal Data protected by European Data Protection Laws from Consvert to Customer is a Restricted Transfer, then the appropriate standard contractual clauses and additional safeguards shall apply as follows:
a)EU Transfers: in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i) Module Four will apply because Customer is a Controller;
ii) in Clause 7, the optional docking clause will apply;
iii) in Clause 17, “These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Italy.”;
iv) in Clause 18, “Any dispute arising from these Clauses shall be resolved by the courts of Italy.”;
v)Annex I (provided in the signed version of this DPA) of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
vi)Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II (provided in the signed version of this DPA) to this DPA.
b) UK Transfers: in relation to UK Personal Data that is protected by the UK GDPR and sent back from Consvert (the data Processor and exporter) to the Customer (the data Controller and importer) which is located outside of the UK and in a non-EEA country, under ICO guidance, this does not constitute a restricted transfer. This is true because: (i) Consvert is only handling the personal information as a processor under the instructions of the Customer (data controller); and (ii) transferring the personal information to the same controller (the Customer) that instructed Consvert to do the processing. This is not a restricted transfer as the information is flowing to the controller itself, and not to a separate organization.
In respect of Restricted Transfers made to Consvert under article 13, Consvert will not participate in (nor permit any sub-Processor to participate in) any further Restricted Transfers of Personal Data (whether as an “exporter” or an “importer” of the Personal Data) unless such further Restricted Transfer is made in full compliance with Applicable Data Protection Laws.
[1] EDPB Guidelines 05/2021 “on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” - p.14 footnote 30
14. Supplementary Safeguards for Transfers to a Data Importer Subject to GDPR article 3(2) from a Third Country with no Adequacy Decision
14. Supplementary Safeguards for Transfers to a Data Importer Subject to GDPR article 3(2) from a Third Country with no Adequacy Decision
14.1 Purpose and scope of this Clause
The Parties acknowledge that, in the case where the Controller, as a Data Importer, is directly subject to the GDPR pursuant to Article 3(2) for the processing operations covered by this DPA, and the following further provisions in this article shall be complied with.
This article does not seek to duplicate obligations already incumbent on the Data Importer under the GDPR but rather addresses the specific risks arising from the Data Importer's establishment in a third country, in particular:
i. the potential for conflicting obligations under the laws of that third country and the GDPR;
ii. the risk of government access requests that may not meet the standards of Article 23(1) GDPR; and
iii. practical difficulties in enforcement and redress against entities outside the EEA.
These provisions supplement, and do not contradict, the Standard Contractual Clauses as set out in Article 13.
The Parties acknowledge that, in the case where the Controller, as a Data Importer, is directly subject to the GDPR pursuant to Article 3(2) for the processing operations covered by this DPA, and the following further provisions in this article shall be complied with.
This article does not seek to duplicate obligations already incumbent on the Data Importer under the GDPR but rather addresses the specific risks arising from the Data Importer's establishment in a third country, in particular:
i. the potential for conflicting obligations under the laws of that third country and the GDPR;
ii. the risk of government access requests that may not meet the standards of Article 23(1) GDPR; and
iii. practical difficulties in enforcement and redress against entities outside the EEA.
These provisions supplement, and do not contradict, the Standard Contractual Clauses as set out in Article 13.
The Parties acknowledge that, in the case where the Controller, as a Data Importer, is directly subject to the GDPR pursuant to Article 3(2) for the processing operations covered by this DPA, and the following further provisions in this article shall be complied with.
This article does not seek to duplicate obligations already incumbent on the Data Importer under the GDPR but rather addresses the specific risks arising from the Data Importer's establishment in a third country, in particular:
i. the potential for conflicting obligations under the laws of that third country and the GDPR;
ii. the risk of government access requests that may not meet the standards of Article 23(1) GDPR; and
iii. practical difficulties in enforcement and redress against entities outside the EEA.
These provisions supplement, and do not contradict, the Standard Contractual Clauses as set out in Article 13.
14.2 Conflict of laws
The Data Importer warrants that, as of the effective date of this DPA, it is not aware of any law or practice applicable to it in the country of its establishment that would prevent it from fulfilling its obligations under this DPA and the GDPR, including but not limited to laws requiring disclosure of personal data to public authorities in a manner that goes beyond what is necessary and proportionate in a democratic society within the meaning of Article 23(1) GDPR.
Where a conflict arises between the Data Importer's obligations under this Agreement or the GDPR and any legal requirement under the laws of its country of establishment, the Data Importer shall:
i.promptly notify the Data Exporter in writing of the conflict, providing as much detail as legally permissible regarding the nature and scope of the conflicting obligation;
ii. use all reasonable efforts to minimize the impact of the conflicting obligation on the personal data processed under this Agreement, including by seeking available exemptions, derogations, or waivers under the third-country law;
iii.refrain from disclosing personal data to any third-country authority in response to a conflicting obligation unless compelled to do so under the applicable procedural rules, and in such case, disclose only the minimum amount of data strictly necessary to satisfy the requirement;
iv.Where the conflict cannot be resolved in a manner that ensures compliance with the GDPR, the Data Importer shall inform the Data Exporter without delay, and the Data Exporter shall be entitled to suspend the transfer and/or terminate the main Service Agreement as it concerns the processing of personal data.
The Data Importer warrants that, as of the effective date of this DPA, it is not aware of any law or practice applicable to it in the country of its establishment that would prevent it from fulfilling its obligations under this DPA and the GDPR, including but not limited to laws requiring disclosure of personal data to public authorities in a manner that goes beyond what is necessary and proportionate in a democratic society within the meaning of Article 23(1) GDPR.
Where a conflict arises between the Data Importer's obligations under this Agreement or the GDPR and any legal requirement under the laws of its country of establishment, the Data Importer shall:
i.promptly notify the Data Exporter in writing of the conflict, providing as much detail as legally permissible regarding the nature and scope of the conflicting obligation;
ii. use all reasonable efforts to minimize the impact of the conflicting obligation on the personal data processed under this Agreement, including by seeking available exemptions, derogations, or waivers under the third-country law;
iii.refrain from disclosing personal data to any third-country authority in response to a conflicting obligation unless compelled to do so under the applicable procedural rules, and in such case, disclose only the minimum amount of data strictly necessary to satisfy the requirement;
iv.Where the conflict cannot be resolved in a manner that ensures compliance with the GDPR, the Data Importer shall inform the Data Exporter without delay, and the Data Exporter shall be entitled to suspend the transfer and/or terminate the main Service Agreement as it concerns the processing of personal data.
The Data Importer warrants that, as of the effective date of this DPA, it is not aware of any law or practice applicable to it in the country of its establishment that would prevent it from fulfilling its obligations under this DPA and the GDPR, including but not limited to laws requiring disclosure of personal data to public authorities in a manner that goes beyond what is necessary and proportionate in a democratic society within the meaning of Article 23(1) GDPR.
Where a conflict arises between the Data Importer's obligations under this Agreement or the GDPR and any legal requirement under the laws of its country of establishment, the Data Importer shall:
i.promptly notify the Data Exporter in writing of the conflict, providing as much detail as legally permissible regarding the nature and scope of the conflicting obligation;
ii. use all reasonable efforts to minimize the impact of the conflicting obligation on the personal data processed under this Agreement, including by seeking available exemptions, derogations, or waivers under the third-country law;
iii.refrain from disclosing personal data to any third-country authority in response to a conflicting obligation unless compelled to do so under the applicable procedural rules, and in such case, disclose only the minimum amount of data strictly necessary to satisfy the requirement;
iv.Where the conflict cannot be resolved in a manner that ensures compliance with the GDPR, the Data Importer shall inform the Data Exporter without delay, and the Data Exporter shall be entitled to suspend the transfer and/or terminate the main Service Agreement as it concerns the processing of personal data.
14.3 Government access requests and surveillance
The Data Importer shall promptly notify the Data Exporter if it receives a legally binding request from a public authority, including judicial authorities, under the laws of its country of establishment for the disclosure of personal data transferred under this DPA.
Such notification shall include, whether the request concerns data transferred under this DPA, to the extent legally permissible:
i. the identity of the requesting authority;
ii. the legal basis for the request, the categories and volume of data requested.
If the Data Importer is prohibited under the laws of its country of establishment from notifying the Data Exporter of a specific request, the Data Importer shall use best efforts to obtain a waiver of the prohibition or shall, at a minimum, provide the Data Exporter with aggregate information regarding the number and type of requests received, to the extent permitted by applicable law.
The Data Importer shall review the legality of each request under the laws of its country of establishment and shall challenge any request it has reasonable grounds to consider unlawful, including by pursuing available appeals. The Data Importer shall not disclose the requested data until required to do so under the applicable procedural rules.
If the Data Importer becomes aware of any form of direct access by public authorities to personal data transferred under this DPA, it shall notify the Data Exporter without delay and provide all information available to it.
The Data Importer shall promptly notify the Data Exporter if it receives a legally binding request from a public authority, including judicial authorities, under the laws of its country of establishment for the disclosure of personal data transferred under this DPA.
Such notification shall include, whether the request concerns data transferred under this DPA, to the extent legally permissible:
i. the identity of the requesting authority;
ii. the legal basis for the request, the categories and volume of data requested.
If the Data Importer is prohibited under the laws of its country of establishment from notifying the Data Exporter of a specific request, the Data Importer shall use best efforts to obtain a waiver of the prohibition or shall, at a minimum, provide the Data Exporter with aggregate information regarding the number and type of requests received, to the extent permitted by applicable law.
The Data Importer shall review the legality of each request under the laws of its country of establishment and shall challenge any request it has reasonable grounds to consider unlawful, including by pursuing available appeals. The Data Importer shall not disclose the requested data until required to do so under the applicable procedural rules.
If the Data Importer becomes aware of any form of direct access by public authorities to personal data transferred under this DPA, it shall notify the Data Exporter without delay and provide all information available to it.
The Data Importer shall promptly notify the Data Exporter if it receives a legally binding request from a public authority, including judicial authorities, under the laws of its country of establishment for the disclosure of personal data transferred under this DPA.
Such notification shall include, whether the request concerns data transferred under this DPA, to the extent legally permissible:
i. the identity of the requesting authority;
ii. the legal basis for the request, the categories and volume of data requested.
If the Data Importer is prohibited under the laws of its country of establishment from notifying the Data Exporter of a specific request, the Data Importer shall use best efforts to obtain a waiver of the prohibition or shall, at a minimum, provide the Data Exporter with aggregate information regarding the number and type of requests received, to the extent permitted by applicable law.
The Data Importer shall review the legality of each request under the laws of its country of establishment and shall challenge any request it has reasonable grounds to consider unlawful, including by pursuing available appeals. The Data Importer shall not disclose the requested data until required to do so under the applicable procedural rules.
If the Data Importer becomes aware of any form of direct access by public authorities to personal data transferred under this DPA, it shall notify the Data Exporter without delay and provide all information available to it.
14.4 Enforcement and redress
Pursuant with article 77 of the GDPR, the Data Importer acknowledges that data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence.
Furthermore, the Data Importer acknowledges that data subject shall have the right to an effective judicial remedy where they consider their rights under GDPR have been infringed as a result of the processing of personal data in non-compliance with said regulation. Pursuant with GDPR article 82 and 79(2) proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
The Data Importer shall cooperate fully with the competent supervisory authority and comply with any binding decision issued by that authority or by a court of a Member State in relation to the processing of personal data under this Agreement.
The Data Importer acknowledges that data subjects whose personal data is transferred under this DPA may invoke this article as third-party beneficiaries for the purposes of Clauses 14.2, 14.3, and 14.4.
Pursuant with article 77 of the GDPR, the Data Importer acknowledges that data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence.
Furthermore, the Data Importer acknowledges that data subject shall have the right to an effective judicial remedy where they consider their rights under GDPR have been infringed as a result of the processing of personal data in non-compliance with said regulation. Pursuant with GDPR article 82 and 79(2) proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
The Data Importer shall cooperate fully with the competent supervisory authority and comply with any binding decision issued by that authority or by a court of a Member State in relation to the processing of personal data under this Agreement.
The Data Importer acknowledges that data subjects whose personal data is transferred under this DPA may invoke this article as third-party beneficiaries for the purposes of Clauses 14.2, 14.3, and 14.4.
Pursuant with article 77 of the GDPR, the Data Importer acknowledges that data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence.
Furthermore, the Data Importer acknowledges that data subject shall have the right to an effective judicial remedy where they consider their rights under GDPR have been infringed as a result of the processing of personal data in non-compliance with said regulation. Pursuant with GDPR article 82 and 79(2) proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
The Data Importer shall cooperate fully with the competent supervisory authority and comply with any binding decision issued by that authority or by a court of a Member State in relation to the processing of personal data under this Agreement.
The Data Importer acknowledges that data subjects whose personal data is transferred under this DPA may invoke this article as third-party beneficiaries for the purposes of Clauses 14.2, 14.3, and 14.4.
14.5 Transfer impact assessment
The Parties (and mainly the Exporter) warrant that they have carried out an assessment of the laws and practices of the Data Importer's country of establishment relevant to the transfer, taking into account the specific circumstances of the processing, including:
i. the nature of the data;
ii. the purposes of transfer;
iii. the transfer tool;
iv. the applicable legal framework regarding government access; and
v. any supplementary technical or organizational measures in place;
vi. the necessity of re-evaluation of the transfer.
This assessment is documented (and annexed in Annex IV) and shall be made available to the competent supervisory authority on request.
The Data Importer agrees to promptly notify the Data Exporter of any change in the laws or practices of its country of establishment that may affect its ability to comply with this DPA or the GDPR, including following a change in law or a government access request indicating a divergence from the assessment documented.
The Parties (and mainly the Exporter) warrant that they have carried out an assessment of the laws and practices of the Data Importer's country of establishment relevant to the transfer, taking into account the specific circumstances of the processing, including:
i. the nature of the data;
ii. the purposes of transfer;
iii. the transfer tool;
iv. the applicable legal framework regarding government access; and
v. any supplementary technical or organizational measures in place;
vi. the necessity of re-evaluation of the transfer.
This assessment is documented (and annexed in Annex IV) and shall be made available to the competent supervisory authority on request.
The Data Importer agrees to promptly notify the Data Exporter of any change in the laws or practices of its country of establishment that may affect its ability to comply with this DPA or the GDPR, including following a change in law or a government access request indicating a divergence from the assessment documented.
The Parties (and mainly the Exporter) warrant that they have carried out an assessment of the laws and practices of the Data Importer's country of establishment relevant to the transfer, taking into account the specific circumstances of the processing, including:
i. the nature of the data;
ii. the purposes of transfer;
iii. the transfer tool;
iv. the applicable legal framework regarding government access; and
v. any supplementary technical or organizational measures in place;
vi. the necessity of re-evaluation of the transfer.
This assessment is documented (and annexed in Annex IV) and shall be made available to the competent supervisory authority on request.
The Data Importer agrees to promptly notify the Data Exporter of any change in the laws or practices of its country of establishment that may affect its ability to comply with this DPA or the GDPR, including following a change in law or a government access request indicating a divergence from the assessment documented.
15. Liability
15. Liability
The Parties acknowledge that any data subject who has suffered damage as a result of a breach of data processing obligations by a Party or sub-processor is entitled to compensation from the Controller or Processor for the damage directly caused and suffered.
If the Data Controller and the Processor are involved in the same processing and are held liable for any damage caused to the data subjects, each party is jointly and severally liable for the full amount of the related compensation, in order to ensure effective compensation for the data subject.
If the Data Controller or Processor has paid the full compensation for the damage, such Data Controller or Processor has the right to seek compensation from the other party involved in the processing for the portion corresponding to their liability for the damage, in accordance with the conditions set forth by law
The Processor may not rely on a breach by a sub-processor to avoid its own liability.
The Parties acknowledge that any data subject who has suffered damage as a result of a breach of data processing obligations by a Party or sub-processor is entitled to compensation from the Controller or Processor for the damage directly caused and suffered.
If the Data Controller and the Processor are involved in the same processing and are held liable for any damage caused to the data subjects, each party is jointly and severally liable for the full amount of the related compensation, in order to ensure effective compensation for the data subject.
If the Data Controller or Processor has paid the full compensation for the damage, such Data Controller or Processor has the right to seek compensation from the other party involved in the processing for the portion corresponding to their liability for the damage, in accordance with the conditions set forth by law
The Processor may not rely on a breach by a sub-processor to avoid its own liability.
The Parties acknowledge that any data subject who has suffered damage as a result of a breach of data processing obligations by a Party or sub-processor is entitled to compensation from the Controller or Processor for the damage directly caused and suffered.
If the Data Controller and the Processor are involved in the same processing and are held liable for any damage caused to the data subjects, each party is jointly and severally liable for the full amount of the related compensation, in order to ensure effective compensation for the data subject.
If the Data Controller or Processor has paid the full compensation for the damage, such Data Controller or Processor has the right to seek compensation from the other party involved in the processing for the portion corresponding to their liability for the damage, in accordance with the conditions set forth by law
The Processor may not rely on a breach by a sub-processor to avoid its own liability.
16. Termination and Subsequent Obligations
16. Termination and Subsequent Obligations
This DPA will be effective from the date of signature by the Parties and it will terminate coincidently the termination of the Service Agreement or the termination of data processing for any reason.
Upon termination of this DPA, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller and delete existing copies, unless applicable law requires further storage.
This DPA will be effective from the date of signature by the Parties and it will terminate coincidently the termination of the Service Agreement or the termination of data processing for any reason.
Upon termination of this DPA, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller and delete existing copies, unless applicable law requires further storage.
This DPA will be effective from the date of signature by the Parties and it will terminate coincidently the termination of the Service Agreement or the termination of data processing for any reason.
Upon termination of this DPA, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller and delete existing copies, unless applicable law requires further storage.
17. Applicable Law, Jurisdiction and Dispute resolution
17. Applicable Law, Jurisdiction and Dispute resolution
This DPA is governed by the laws of the Data Processor’s jurisdiction, unless otherwise provided in this DPA and in the SCCs, in accordance with the Data Protection Law.
The Parties shall first seek to resolve in good faith any dispute arising out of or in connection with this DPA through negotiations between representatives.
If the dispute is not resolved within thirty (30) days after written notice of the dispute, all disputes shall be resolved as set out in clause 24 of the MSA, and clause 24.6 in particular.
This clause does not apply to disputes arising from the Standard Contractual Clauses, which shall be governed exclusively by the dispute-resolution, governing-law and court provisions of the Standard Contractual Clauses as completed by the Parties. To the extent of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to their subject matter. Concerning these aforementioned disputes the Parties may, after a dispute has arisen, agree in writing to submit that specific dispute to the courts of the Data Processor place of establishment or before any other court deemed competent by the Data Processor, in lieu of arbitration.
This DPA is governed by the laws of the Data Processor’s jurisdiction, unless otherwise provided in this DPA and in the SCCs, in accordance with the Data Protection Law.
The Parties shall first seek to resolve in good faith any dispute arising out of or in connection with this DPA through negotiations between representatives.
If the dispute is not resolved within thirty (30) days after written notice of the dispute, all disputes shall be resolved as set out in clause 24 of the MSA, and clause 24.6 in particular.
This clause does not apply to disputes arising from the Standard Contractual Clauses, which shall be governed exclusively by the dispute-resolution, governing-law and court provisions of the Standard Contractual Clauses as completed by the Parties. To the extent of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to their subject matter. Concerning these aforementioned disputes the Parties may, after a dispute has arisen, agree in writing to submit that specific dispute to the courts of the Data Processor place of establishment or before any other court deemed competent by the Data Processor, in lieu of arbitration.
This DPA is governed by the laws of the Data Processor’s jurisdiction, unless otherwise provided in this DPA and in the SCCs, in accordance with the Data Protection Law.
The Parties shall first seek to resolve in good faith any dispute arising out of or in connection with this DPA through negotiations between representatives.
If the dispute is not resolved within thirty (30) days after written notice of the dispute, all disputes shall be resolved as set out in clause 24 of the MSA, and clause 24.6 in particular.
This clause does not apply to disputes arising from the Standard Contractual Clauses, which shall be governed exclusively by the dispute-resolution, governing-law and court provisions of the Standard Contractual Clauses as completed by the Parties. To the extent of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail with respect to their subject matter. Concerning these aforementioned disputes the Parties may, after a dispute has arisen, agree in writing to submit that specific dispute to the courts of the Data Processor place of establishment or before any other court deemed competent by the Data Processor, in lieu of arbitration.
18. Entire Agreement
18. Entire Agreement
This document governs the entire agreement between the Parties in relation to its subject matter.
This document governs the entire agreement between the Parties in relation to its subject matter.
This document governs the entire agreement between the Parties in relation to its subject matter.
19. Severability
19. Severability
If any provision of this DPA is or becomes invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall remain unaffected. In this case, the Parties agree to adopt a provision that best meets the intent of the invalid provision or the Parties' interests, as reflected in the entire structure of this DPA.
Without limiting the generality of the foregoing, Customer agrees that Section 11 of the MSA will remain in effect notwithstanding the unenforceability of any provision of this DPA.
If any provision of this DPA is or becomes invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall remain unaffected. In this case, the Parties agree to adopt a provision that best meets the intent of the invalid provision or the Parties' interests, as reflected in the entire structure of this DPA.
Without limiting the generality of the foregoing, Customer agrees that Section 11 of the MSA will remain in effect notwithstanding the unenforceability of any provision of this DPA.
If any provision of this DPA is or becomes invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall remain unaffected. In this case, the Parties agree to adopt a provision that best meets the intent of the invalid provision or the Parties' interests, as reflected in the entire structure of this DPA.
Without limiting the generality of the foregoing, Customer agrees that Section 11 of the MSA will remain in effect notwithstanding the unenforceability of any provision of this DPA.
20. General
20. General
20.1 This DPA is without prejudice to the rights and obligations of the parties under the Service Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Service Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
20.2 Consvert’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Service Agreement. In no event does Consvert limit or exclude its liability towards data subjects or competent data protection authorities.
20.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
20.1 This DPA is without prejudice to the rights and obligations of the parties under the Service Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Service Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
20.2 Consvert’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Service Agreement. In no event does Consvert limit or exclude its liability towards data subjects or competent data protection authorities.
20.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
20.1 This DPA is without prejudice to the rights and obligations of the parties under the Service Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Service Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
20.2 Consvert’s liability under or in connection with this DPA, including under the EU SCCs, is subject to the exclusions and limitations on liability contained in the Service Agreement. In no event does Consvert limit or exclude its liability towards data subjects or competent data protection authorities.
20.3 Except where and to the extent expressly provided in the EU SCCs or required as a matter of Applicable Data Protection Laws, this DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.