1. DEFINITIONS
1.1. “Agreement” means this data processing agreement.
1.2. “Applicable Laws” shall mean the relevant data protection and privacy laws to which the Parties are subject including but not limited to the Data Protection Regulation (as defined herein) and the Data Protection Act, Chapter 586 of the Laws of Malta and subsidiary legislation thereto, as may be amended from time to time.
1.3. ” Confidential Information ” shall mean any information relating to Personal Data, the Controller’s customers, prospective customers, employees and any other data subjects, and all other information relating to the Controller’s business affairs including any trade or professional secrets, know-how and any information of a confidential nature imparted by the Controller to the Processor as part of this Agreement or coming into existence as a result of the Processor’s obligations, whether existing in hard copy form, in electronic form or otherwise, and whether disclosed orally or in writing;
1.4. “Data Protection Regulation” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
1.5. “Parties” means the Client and Melita;
1.6. “Personal data”, “process/processing” ” controller”, ” processor”, “data subject”, data protection officer, and “supervisory authority” shall have the same meaning as in the Regulation.
1.7. “Services” means the services as described in Schedule 1 to be provided by the Processor to the Controller commissioned by and on behalf of the Controller.
1.8. “Sub-Processor” shall mean any sub-processor engaged by the Processor who agrees to receive from the Processor the Personal Data exclusively intended for the purposes of conducting the Services in this Agreement to be carried out on behalf of the Controller.
1.9. “Technical and Organisational Security Measures” shall mean the particular security measures required of the Processor, intended to protect the Personal Data as specified in this Agreement and as the same may be updated or reissued from time to time by mutual agreement between the Parties in writing.
2. SCOPE AND RESPONSIBILITY
2.1. The Client may be either (a) a Controller of Customer Personal Data, or (b) a Processor when it Processes Customer Personal Data on behalf of its end-users.
2.2. Melita is a Processor where the Client is a Controller or Processor, or a sub processor when Client is acting as a Processor on behalf of its end-users;
2.3. Each party undertakes to comply with all Data Protection Laws applicable to it and will not knowingly cause the other to breach Data Protection Laws.
2.4. The Processor agrees and warrants that it will, and will procure that all its sub-processors:
2.4.1. will process the Personal Data only on behalf of the Controller in the performance of the Services and in accordance with this Data Processing Agreement together with any instructions received in writing from authorised personnel of the Controller from time to time which may be specific instructions or instructions of a general nature as set out in this Data Processing Agreement or as otherwise notified by the Controller to the Processor during the duration of the Main Agreement;
2.4.2. will immediately inform the Controller if it is legally required to process Data otherwise than instructed by Controller before such processing occurs, unless the law requiring such processing prohibits the Processor from notifying the Controller on important grounds of public interest, in which case it shall notify Controller as soon as that law permits it to do so;
2.4.3. will not assume any responsibility for determining the purposes for which or the manner in which the Data is processed;
2.4.4. it shall keep Personal Data logically separate to data Processed on behalf of any other third party;
2.4.5. will implement and maintain appropriate technical and organisational security measures from the Smart Cloud firewall inwards, to prevent unauthorised or unlawful processing of or accidental loss, destruction or damage, alteration or disclosure to the Personal Data and against all other unlawful forms of processing and acknowledges that the security measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing and accidental loss, destruction, damage, alteration or disclosure to the Personal Data and having regard to the Personal Data which is to be protected and will at a minimum include those measures described in Schedule 2.
2.4.6. will ensure that (i) all employees and sub-processor personnel involved in the processing of the Personal Data have undergone adequate training in the care, protection and handling of Personal Data; and (ii) are both informed of the confidential nature of the data and obliged to keep such data confidential;
2.4.7. will promptly notify the Controller of:
a. any instruction that infringes Applicable Laws;
b. any actual or suspected unauthorised or unlawful processing or any accidental loss, destruction, damage, alteration or disclosure of the Data as soon as it becomes aware and will keep the Controller informed of any related developments (“Information Security Beach and Data Breach”);
c. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited from doing so by law;
d. there is a request for access, correction, blocking or deletion of Personal Data directly from the data subject or from a third party (without responding to that request unless it has been authorised to do so by the Controller); and
e. the Privacy Authority contacts the Processor regarding the Services or the Processing activities covered by this Agreement
2.4.8. taking into account the nature of the processing, to:
a. assist Controller with the fulfilment of the Controller’s obligation to respond to requests for exercising data subjects’ rights as set out in Applicable Laws;
b. assist Controller in ensuring compliance with Applicable Laws, including obligations to investigate, remediate and provide information to supervisory authorities or data subjects about Security Breaches without undue delay, to carry out privacy impact assessments and to consult with supervisory authorities regarding processing that is the subject of a privacy impact assessment;
c. make available all information necessary to demonstrate compliance with Applicable Laws.
2.4.9. if it Processes the Personal Data for any other purpose which is not provided in this Agreement, or in such a way that it acts as a controller, it will be responsible as a controller for compliance with the Applicable Law.
2.5. The Controller warrants and undertakes that:
2.5.1. If personal data of the Client’s customers, end users or other identifiable individuals in use of the Service is processed, Controller is responsible for providing legally adequate privacy notices and obtaining necessary consents for the processing of such data. Controller warrants that all necessary privacy notices were provided and obtained all necessary consents. Controller is responsible for processing such data in accordance with applicable law.
2.5.2. all the data including any personal data stored onto the Processor’s solution is encrypted at all times and visibility to the Processor is only enabled if maintenance is required.
3. INFORMATION SECURITY BREACH AND DATA BREACH
3.1. The Processor shall inform the Controller immediately and without undue delay, in writing, of any actual or suspected breach of security, including but not limited to, unauthorised, accidental or unlawful destruction or loss, damage, alteration, unauthorised disclosure or access to Personal Data stored or otherwise Processed, and against any and all other unlawful forms of Processing, to ensure compliance with the Applicable Law (“Data Breach Notice”).
3.2. The Processor shall, not later than 48 hours from the Data Breach Notice, provide the Controller with a written report on any and all information necessary for compliance with data breach notifications to the Privacy Authority and data subjects in accordance with the Applicable Law (“Data Breach Report”), or any other supervisory body or authority, including but not limited to:
3.2.1. a description of the nature of the personal data breach including, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
3.2.2. a communication of the name and contact details of the Data Protection Officer of the Processor or other contact point where more information can be obtained;
3.2.3. a description of the likely consequences of the data breach;
3.2.4. a description of the measures taken or proposed to be taken by the Processor to address the data breach, including measures to mitigate its possible adverse effects;
3.2.5. a description of the initiatives undertaken or to be undertaken by the Processor to safeguard against future security data breaches.
3.3. Where the Data Breach Notice is not provided immediately or the Data Breach Report is not provided within 48 hours, the Processor shall provide reasons in writing to the Controller for the delay.
4. CROSS BORDER AND ONWARD DATA TRANSFER
4.1. The Processor shall not transfer or authorise the transfer of Personal Data to countries outside the EU and/or the EEA without the prior written permission of the Controller unless such export is made to a jurisdiction that the European Commission has found to offer an adequate level of protection for personal data transferred to it from the EEA.
4.2. Where Processor has obtained Controller’s written permission in accordance with clause 4.1 the Processor shall ensure that any processing (including, without limitation storage) or transfers of such personal data to any third country that cannot ensure an adequate level of protection are made in compliance with the applicable requirements of the Regulation concerning international and onward data transfers and any rules and regulations based upon the Regulation and shall co-operate with the Controller and take all necessary steps to ensure compliance with the same.
5. AUDIT
5.1. Upon reasonable advance written notice by the Controller, Processor will submit its data processing facilities for audits and inspections of the processing activities covered by this Data Processing Agreement. Such audits shall be held during normal business hours which shall be carried out by an impartial inspection auditing firm selected by the Controller and not reasonably objected to by the Processor. The cost of such audit shall be borne by the Controller.
5.2. The Parties agree that the supervisory authority may have the right to conduct an audit of the Processor under the Applicable Laws and the Processor should grant the supervisory authority such right.
5.3. The Processor shall promptly inform the Controller about the existence of any legislation applicable that may prevent the conduct of an audit by the Controller.
6. CONFIDENTIALITY
6.1. The Personal Data and the Processing in relation to the Service shall procure that all Confidential Information disclosed to the Processor by the Controller under this Data Processing Agreement or come into the Processor’s knowledge, possession or control as a result of this Data Processing Agreement, shall be kept secret and confidential and shall not be used for any purposes other than those required or permitted by this Agreement and shall not be disclosed to any third party without the consent of the Controller, to the extent permitted by law.
6.2. The Processor, its principals, agents, contractors, employees and/or the Sub-Processor are only entitled to Process Confidential Information in the performance of this Agreement.
6.3. The Processor shall procure that its principals, agents, contractors, employees and/or the Sub-Processors are made aware of and agree to comply with the obligations contained in this Agreement regarding the Personal Data, the Processing for the purposes of rendering the Services, and this confidentiality clause, and the Processor shall take all reasonable steps to ensure that its principals, agents, contractors, employees and/or the Sub-Processor to whom the Personal Data is made available, shall comply with such obligations in carrying out the Services.
6.4. For the performance of the obligations in relation to this Agreement, the Processor shall only appoint such principals, agents, contractors, employees and/or the Sub-Processor who are informed about all relevant data privacy obligations and instructed to comply with confidentiality of the Confidential Information prior to performing their duties.
6.5. The Processor shall regularly train its employees to comply with their data protection and contractual obligations incumbent on the Processor in this Agreement and in the Applicable Law.
6.6. This clause shall survive termination of this Agreement
7. TERM AND TERMINATION
7.1. This Agreement shall enter into force on the same date of the Main Agreement and shall remain in force for as long as the Processor processes on behalf of the Controller, or until the Main Agreement between Melita and Client expires or terminates, whichever is the later.
7.2. Upon the termination of this Agreement for whatever reason, the Processor or any subsequent sub-processor as appointed in accordance with Clause 9 below must return all Confidential and Personal Data and copies thereof to the Controller or, at the Controller’s choice, must destroy all copies of the same Data in hard copy and/or electronic form and certify to the Controller that it has complied with the Controller’s instruction.
7.3. The Processor may not comply with the Controller’s instruction under Clause 7.2 if the Processor is prevented by Applicable Laws from destroying or returning all or part of such data, in which event the Data will be kept confidential and will not be actively processed for any purpose.
8. ASSIGNMENT AND SUB-CONTRACTING
8.1. The Processor shall not sub-contract and/or outsource any of its Processing of Personal Data under this Data Processing Agreement to any other person or entity (the “Sub-Processor”) without prior written notification to the Controller.
8.2. The Processor may subcontract any of its processing operations performed on behalf of the Controller under this Data Processing Agreement provided that it gives 30 days prior notification of the identity of the sub-processor to the Controller and the Controller has not objected to the appointment within that period. The Controller shall not unreasonably object to the engagement of a Sub-Processor. If the Client objects to any Sub-Processor, Melita may terminate the Main Agreement immediately upon notice to Client without liability to either party.
8.3. Where the Processor subcontracts its obligations under the terms of this Data Processing Agreement in accordance with Clause 8.1, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the Processor under this Data Processing Agreement.
8.4. The Processor shall guarantee the lawfulness and compliance of the Sub-Processor’s Processing of Personal Data. If the Sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable towards the Controller for the fulfilment of such other data protection obligations.
8.5. The Sub-Processor Agreement shall terminate automatically on termination of this Agreement.
9. VARIATION
9.1. The Processor reserves the right to vary or modify this Data Processing Agreement. Any variation shall be made at any time by giving the Controller 30 days written notice and such amendments shall automatically become part of this Agreement.
9.2. If any provision of this Data Processing Agreement is held to be illegal, invalid or unenforceable in whole or in part in any jurisdiction this Data Processing Agreement shall continue to be valid as to its other provisions and the remainder of the affected provision; and the legality, validity and enforceability of such provision in any other jurisdiction shall be unaffected.
10. LIABILITY AND INDEMNIFICATION
10.1. The Processor indemnifies, defends and holds harmless the Controller from any and all damages, liabilities, costs and expenses incurred by the Controller as a result of any suit, action or proceeding regarding the processing of the Personal Data in respect of non-compliance with this Data Processing Agreement and/or the relevant legislation regarding the protection of personal data by the Processor or its employees, agents or sub-processors.
10.2. To the extent permitted by law, the Processor’s liability under this Data Processing Agreement or for or in relation to a breach of this agreement, shall be limited to any invoiced amount in the preceding twelve months prior to the occurrence of the breach.
11. GOVERNING LAW AND JURISDICTION
11.1. This Agreement shall be governed by the laws of Malta and the Parties agree to submit to the jurisdiction of Maltese Court.
