In connection with Personal Data that is received into, processed by, stored within and/or transmitted from the YuzeData Platform in connection with the Partner DPL between Customer and YuzeData, the Parties have agreed to the following Data Processing Agreement, pursuant to which Customer shall serve as Data Controller and YuzeData shall serve as Data Processor.
WHEREAS:
- The Data Controller is responsible for determining the purposes and means of processing personal data.
- The Data Processor processes personal data on behalf of the Data Controller.
Both parties wish to regulate such processing in compliance with applicable data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
- Definitions
1.1 Personal Data: Any information relating to an identified or identifiable natural person.
1.2 Processing: Any operation performed on Personal Data, including but not limited to collection, recording, storage, and transmission.
1.3 Data Subject: The individual to whom Personal Data relates.
1.4 Applicable Laws: The GDPR and any other applicable data protection regulations.
- Subject Matter and Duration of Processing
2.1 The subject matter of this Agreement is the processing of Personal Data as defined by the scope of use of the YuzeData Platform for the Data Controller.
2.2 This Agreement shall remain in effect as long as the Data Processor processes Personal Data on behalf of the Data Controller.
- Obligations of the Data Controller
3.1 The Data Controller determines the purposes and means of the processing of Personal Data.
3.2 The Data Controller warrants that it has a lawful basis for processing the Personal Data.
3.3 The Data Controller is responsible for ensuring that Data Subjects are informed of their rights under the GDPR.
- Obligations of the Data Processor
4.1 The Data Processor agrees to process Personal
4.2 Data only on documented instructions from the Data Controller.
4.3 The Data Processor shall ensure that persons authorized to process Personal Data are bound by confidentiality.
4.4 The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Sub-processors
5.1 The Data Processor shall not engage any sub-processors without prior written authorization from the Data Controller.
5.2 The Data Processor shall ensure that any sub-processor it engages complies with the terms of this Agreement.
- Data Subject Rights
6.1 The Data Processor shall assist the Data Controller, where possible, in responding to Data Subject requests to exercise their rights under the GDPR, including rights to access, rectify, erase, or restrict processing.
- Data Breaches
7.1 The Data Processor shall notify the Data Controller without undue delay after becoming aware of any data breach affecting Personal Data.
7.2 The Data Processor shall cooperate with the Data Controller to investigate the breach and implement corrective measures.
- Data Transfers
8.1 The Data Processor shall not transfer Personal Data to any third country or international organization without the prior consent of the Data Controller, unless such transfer is required by EU or Member State law.
- Deletion or Return of Personal Data
9.1 Upon termination of this Agreement or upon the Data Controller's request, the Data Processor shall, at the Data Controller’s choice, delete or return all Personal Data to the Data Controller, unless retention is required by law.
- Audit Rights
10.1 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this Agreement.
10.2 The Data Processor shall allow for audits, including inspections, conducted by the Data Controller or a third party authorized by the Data Controller.
- Limitation of Liability
11.1 Both parties agree that the Data Processor’s liability for breaches of this Agreement shall be limited to direct damages.