Talexio Data Processing Agreement

The GDPR provides for the roles of 'Controller', 'Processor' and 'Sub-processor'. The roles of the parties to this Agreement (being an integral part of the Master Services Agreement) may vary depending on the nature of the Service being rendered to the Client as detailed in Talexio’s Privacy Policy. This Data Processing Agreement (the “DP Agreement”) forms an integral part of the Master Services Agreement.

The Customer and Talexio are individually referred to as a “Party” and collectively as the “Parties”.

WHEREAS

  1. The Customer wishes to subcontract certain services, which imply the processing of personal data, to Talexio.
  2. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  3. In addition to the terms and conditions laid down and agreed to between the Parties under the Master Services Agreement, the Parties wish to set out, in further detail, their rights and obligations.

  1. Definitions and Interpretation

  1. Unless otherwise defined herein, capitalised terms and expressions used in this DP Agreement shall have the following meaning:
  1. “DP Agreement” means this Data Processing Agreement, forming an integral part of the Master Services Agreement;
  2. “Company Personal Data” means any Personal Data processed by a Contracted Processor pursuant to or in connection with any services governed by the Master Services Agreement;
  3. “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  4. “Contracted Processor” means a Sub-processor;
  5. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
  6. “EEA” means the European Economic Area;
  7. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
  8. “GDPR” means EU General Data Protection Regulation 2016/679;
  9. “Data Transfer” means:
  1. a transfer of Company Personal Data from the Customer to a Contracted Processor;
  2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
  1. “Services” means any of the software and/or services the Company provides;
  2. “Subprocessor” means any person appointed by or on behalf of Talexio to process Personal Data on behalf of the Customer in connection with the services governed by the Master Services Agreement;
  3. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly;
  4. Roles of the Parties:
  1. The GDPR provides for the roles of 'Controller', 'Processor' and 'Subprocessor'.
  2. Where a Customer is a Controller of the Client Data covered by this DP Agreement, Talexio shall be a Processor of the Client Data.
  3. Where Customer is a Processor of the Client Data covered by this DP Agreement, Talexio shall be a Sub-Processor of the Client Data.
  4. Additional details about the roles that the Customer and Talexio may adopt in relation to the Services are set out in the Privacy Policy.

  2. Processor

  1. The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Controller’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Controller’s Personal Data, as strictly necessary for the purposes of the Master Services Agreement, and to comply with applicable laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  2. The Processor shall ensure that all its employees:
  1. are informed of the confidential nature of the Personal Data;
  2. have undertaken training in the laws relating to the handling of Personal Data; and
  3. are aware of both the Processor’s duties and their personal duties and obligations under the Data Protection Laws and this Agreement.

  3. Processor Personnel

  1. Talexio shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of this Agreement, and to comply with applicable laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

  4. Processing of Company Personal Data

  1. Processor shall:
  1. comply with Data Protection Laws in the Processing of the Controller’s Personal Data;
  2. not Process the Controller’s Personal Data other than on the Controller’s documented instructions unless Processing is required by any applicable law to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable law inform the Controller of that legal requirement before the relevant Processing of that Personal Data;
  3. not transfer the Controller’s Personal Data to a third country or an international organisation, unless required to do so by EU or local legislation applicable to the Processor; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  4. ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality;
  5. take all measures required pursuant to Article 32 of the GDPR;
  6. respect the conditions referred to herein when engaging another Processor;
  7. in terms of Clause 8.1, taking into account the nature of the Processing, assist the Controller through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
  8. in terms of Clause 11, at the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or local legislation requires storage of the personal data; and
  9. in terms of Clause 13, make available to the Controller all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable legislative provisions.

  5. Controller

  1. The Controller has the sole and exclusive authority to determine the purposes of the processing of the Personal Data in the context of the Master Services Agreement and it is responsible to provide the Processor with adequate instructions in accordance with applicable Data Protection Laws.
  2. The Controller must notify the Processor if it identifies errors or irregularities relating to the requirements of applicable Data Protection Laws with regard to the results of the Data Processor’s activities.
  3. The Controller undertakes to notify the Processor of any request submitted by any public authority for disclosure of information relating to the functioning and the characteristics of the Service.
  4. The Controller accepts responsibility for abiding by any applicable Data Protection Laws, including providing relevant information to Data Subjects about the processing of Personal Data in connection with the Master Services Agreement, as required by applicable Data Protection Laws. For the avoidance of doubt, in the event that the Customer opts for services relating to Talexio Team Voice Survey and/or SIM, the Customer undertakes to inform the Data Subjects of the purposes for which it will process their Personal Data and, where necessary, obtain the Data Subject’s consent, as well as provide all the information necessary in accordance with applicable laws and policies, to ensure that the Data Subject understands how Personal Data will be processed by Talexio.
  5. Without prejudice to everything provided for in the Terms and Conditions, except to the extent caused by an ascertained breach of this Agreement by the Processor (to be ascertained by final judgement or by final decision issued by the relevant Data Protection Authority), the Controller shall be responsible for all activities performed by the latter under its use of the service provided by the Processor, regardless of whether such activities are authorized or undertaken by the Controller, including any activity illegitimately performed by its employees or a third party that had access to the service of the Processor, including, merely by way of example, Controller's contractors, interns, agents, Customer Users or any other subject.

  6. Security

  1. The Processor undertakes in relation to the Controller’s Personal Data to implement appropriate technical and organizational measures, as far as possible, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The measures set forth in Clause 6.1 shall be no less than:
     1. those adopted by the Processor to protect any of the Processor’s own confidential information; and
     2. those reasonably and ordinarily expected from a leading organization operating in the same industry as the Processor.
  2. Upon request, the Processor shall provide the Controller with details about the measures set forth in this Clause 6.
  3. In assessing the appropriate level of security, the Processor shall take account, in particular, of the risks that are presented by Processing, in particular from a Personal Data Breach perspective.

  7. Sub-processing

  1. The Controller hereby accepts and consents that the Processor may delegate its obligations to a sub-processor and will inform the Controller accordingly and provide documented evidence that the sub-processor will be processing the data according to the Data Protection Laws.
  2. Where applicable, the sub-processors authorised for the processing to be undertaken in terms of the Master Services Agreement are the following:

| Sub-processor name | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud Hosting Services | Frankfurt, Germany |
| Zendesk | Customer Support Services | Frankfurt, Germany |

  8. Data Subject Rights

  1. Taking into account the nature of the Processing, Talexio shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by Talexio, to respond to requests to exercise Data Subject rights under the Data Protection Laws, including but not limited to the rights set forth in Articles 15 to 23 of the GDPR.
  2. Talexio shall:
  1. promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of the Company Personal Data;
  2. ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable law to which Talexio is subject, in which case Talexio shall to the extent permitted by applicable law inform the Controller of that legal requirement before the Contracted Processor responds to the request; and
  3. comply with any request for assistance received by the Controller pursuant to clause 8.1 above.

  9. Personal Data Breach

  1. Talexio shall notify the Controller without undue delay upon Talexio becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  2. Such notification shall as a minimum:
     1. describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
     2. communicate the name and contact details of the Processor's data protection officer or other relevant contact from whom more information may be obtained;
     3. describe the likely consequences of the Personal Data Breach; and
     4. describe the measures taken or proposed to be taken to address the Personal Data Breach.
  3. Subject to Clause 14.7 below, Talexio shall cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

  10. Data Protection Impact Assessment and Prior Consultation

  1. Talexio shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required under Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

  11. Deletion or Return of Company Personal Data

  1. Subject to this Clause 11, Talexio shall promptly and in any event within sixty (60) Business Days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of Company Personal Data. Notwithstanding the aforesaid, Talexio shall promptly inform the Controller of a new timeline in those instances where deletion and procurement of the deleted copies of Company Personal Data shall not be carried out within the aforementioned timeframe in order to safeguard the legitimate interests of the Parties.                        
  1. specifically if requested by the Controller, to return a complete copy of all Controller’s Personal Data to the Controller by secure file transfer in such format as is reasonably notified by the Controller to Processor; and                                        
  2. in all events, delete and procure the deletion of all copies of those Controller’s Personal Data.          
  1. The Processor and each Sub-Processor shall comply with any such written request. Notwithstanding the aforesaid, the Processor and each Sub-Processor’s obligation to comply with any such request may vary in respect of Talexio Team Voice Survey and SIM.                  
  2. The Processor shall provide written certification to the Controller that it has fully complied with the provisions of this Clause within seven (7) calendar days of the Cessation Date.              
  3. For the avoidance of doubt, in this Clause 11, the term “delete” shall mean to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.

  12. Restricted Processing and Data Transfer

  1. Talexio may not transfer or authorise the transfer of Personal Data to countries outside the EU and/or the EEA and/or equivalent jurisdictions without the prior written consent of the Customer. If Personal Data processed under this Agreement is transferred from a country within the EU or EEA to a country outside the EU or EEA, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.

  13. Audit rights

  1. Subject to Clause 14.7 below, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Controller or an auditor mandated by the Controller in relation to the Processing of the Controller’s Personal Data.          
  2. Information and audit rights of the Controller only arise under this Clause to the extent that the Master Services Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the Data Protection Law (including, where applicable, article 28(3)(h) of the GDPR).

  14. General Terms

  1. Confidentiality: Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement and the Master Services Agreement (the “Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
     1. disclosure is required by law;
     2. the relevant information is already in the public domain.
  2. Successors & Assigns – This Agreement shall be binding upon, and enure to the benefit of the Parties and their respective successors and permitted assignees, and references to a Party shall include its successors and permitted assignees.
  3. Rights and Remedies - Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
  4. Notices – Save for as otherwise expressly provided in this Agreement, all notices required to be sent pursuant to this Agreement shall be in writing and shall be delivered to the contact details set forth in the first page of this Agreement or such other address as may be notified by that party for such purposes. A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by prepaid post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. Moreover, a notice sent by email will be deemed to have been received at the time shown in a delivery confirmation report generated by the sender's email.
  5. Severance - If any one or more of the provisions contained in this Agreement (or part thereof) or any document executed in connection herewith shall be deemed to be invalid, illegal or unenforceable in any respect by any court or administrative body, the validity, legality and enforceability of the remaining provisions contained herein shall not in any way be affected or impaired thereby.
  6. Waiver - The rights of a Party may be waived by such Party only in writing and specifically; the conduct of any one of the Parties shall not be deemed a waiver of any of its rights pursuant to this Agreement and/or as a waiver or consent on its part as to any breach or failure to meet any of the terms of this Agreement or as an amendment hereto. A waiver by a Party in respect of a breach by the other Party of its obligations shall not be construed as a justification or excuse for a further breach of its obligations.
  7. Additional Instructions - Additional in-depth support related to the Controller’s obligations under GDPR, for assistance or intervention required by the Controller of the Processor, shall be discussed and agreed in advance. Such additional instructions fall under Additional Services.

  15. Governing Law and Jurisdiction

  1. This Agreement and any disputes or claims arising therefrom (including non-contractual disputes or claims) are governed by, and construed in accordance with the laws of the Republic of Malta.
  2. The Parties agree that any dispute, action or claim arising in relation to this Agreement, or the breach, termination or invalidity thereof, shall be subject to arbitration in accordance with the Malta Arbitration Centre rules in force at the time of the dispute. The Parties agree that:
  1. the appointing authority and administrator shall be the Malta Arbitration Centre;
  2. the number of arbitrators shall be one (1);
  3. the place of arbitration shall be Malta; and
  4. the applicable substantive law shall be the laws of Malta.

There shall be no appeal from the decision of the sole arbitrator appointed in accordance with the provisions of this Agreement.