1. Introduction
This Data Processing Agreement (the “DPA”) is entered into between Rakreel.com (the “Controller”) and [Data Processor Name] (the “Processor”) and supplements any other agreements between the parties. The DPA is designed to ensure compliance with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) when the Processor is involved in the processing of personal data on behalf of the Controller.
2. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Scope of Processing
- The Processor agrees to process Personal Data only in accordance with the documented instructions of the Controller. Such instructions shall include the purposes and means of processing, and any other relevant details as specified by the Controller.
- The Processor shall not engage in any processing of Personal Data that is not expressly authorized by the Controller.
4. Data Security
- The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage of Personal Data.
- These measures shall include, but not be limited to, access controls, encryption of personal data, regular backups, and incident response procedures. The Processor shall also ensure that its employees and subcontractors who have access to Personal Data are bound by appropriate confidentiality obligations.
5. Data Subject Rights
- The Processor shall assist the Controller in fulfilling its obligations with respect to the rights of Data Subjects under applicable data protection laws. This includes, but is not limited to, facilitating the exercise of rights such as access, rectification, erasure, and the right to object.
- Upon request by the Controller, the Processor shall provide the necessary information and cooperation to enable the Controller to respond to Data Subject requests and inquiries in a timely and accurate manner.
6. Data Transfers
- If the Processor is required to transfer Personal Data to a third country or an international organization, it shall ensure that such transfer is carried out in accordance with applicable data protection laws. This may involve using an appropriate legal mechanism, such as the Standard Contractual Clauses or Binding Corporate Rules, to safeguard the rights of Data Subjects.
- The Processor shall notify the Controller in advance of any planned data transfers and obtain the Controller’s prior written consent, if required.
7. Sub-Processing
- The Processor may only engage sub-processors with the prior written consent of the Controller. The Processor shall ensure that any sub-processor is bound by terms and conditions that provide at least the same level of protection for Personal Data as those set out in this DPA.
- The Processor shall remain fully liable for the acts and omissions of its sub-processors in relation to the processing of Personal Data.
8. Audit and Monitoring
- The Controller shall have the right, upon reasonable notice and during normal business hours, to audit the Processor’s compliance with this DPA. The audit may be carried out by the Controller itself or by an independent third party auditor.
- The Processor shall cooperate fully with the Controller and the auditor and provide access to all relevant records, systems, and personnel as required.
9. Breach Notification
- The Processor shall notify the Controller without undue delay upon becoming aware of a personal data breach. The notification shall include details of the breach, the likely impact on Data Subjects, and the measures taken or proposed to be taken by the Processor to address the breach.
- The Processor shall also cooperate with the Controller in any investigations, notifications to Data Subjects or regulatory authorities, and in taking remedial actions to mitigate the effects of the breach.
10. Term and Termination
- This DPA shall remain in effect for as long as the Processor is engaged in the processing of Personal Data on behalf of the Controller.
- Either party may terminate this DPA in the event of a material breach by the other party that remains uncured after a reasonable period of time. Upon termination, the Processor shall return or delete all Personal Data in its possession or control, as instructed by the Controller.
11. Governing Law and Jurisdiction
- This DPA shall be governed by and construed in accordance with the laws of [Applicable Jurisdiction]. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts in [Applicable Jurisdiction].
12. Amendments
- This DPA may be amended by mutual agreement of the parties. Any amendments shall be made in writing and signed by both parties.
This DPA is an integral part of the overall contractual relationship between Rakreel.com and the Processor and is intended to ensure the proper and legal processing of personal data.