A. The Customer acts as a Data Controller.
B. The Customer wishes to subcontract certain Services, which imply the processing of personal data, to Zonos as the Processor.
C. The Parties seek to implement a DPA that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
D. The Parties wish to lay down their rights and obligations.
This DPA includes and incorporates by reference the annexes and addenda referenced at the bottom of this document. All capitalized terms not defined in this DPA shall have the meaning set forth in the Principal Agreement.
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
“Contracted Processor” means a Sub-processor;
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“Data Transfer” means:
“DPA” means this Data Processing Agreement and all Schedules;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Customer pursuant to or in connection with the Principal Agreement;
“Services” means any product or service provided by Zonos to the Customer pursuant to and as more particularly describe in the Principal Agreement;
“Sub-processor” means any Processor appointed by or on behalf of Zonos to process Personal Data on behalf of the Customer in connection with the DPA.
The terms, “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach” and “Processing” shall have the same meaning as in the GDPR and their cognate terms shall be construed accordingly.
Compliance with Laws.
Controller Instructions. The Parties agree that the Principal Agreement (including this DPA), together with the Customer’s use of Zonos Services in accordance with the Principal Agreement, constitute the Customer’s complete and final instructions to Zonos in relation to the Processing of Personal Data, and additional instructions outside the scope of the instructions shall require prior written agreement between the Customer and Zonos.
Compliance with Laws. Within the scope of the DPA and in its use of the Services, Zonos shall:
Zonos Personnel. Zonos shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Sub-processing. Zonos shall not appoint (or disclose any Personal Data to) any Sub-processor unless required or authorized by the Customer.
Data Subject Rights.
Taking into account the nature of the Processing, Zonos shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Zonos' obligations, as reasonably understood by Zonos, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Zonos agrees to:
Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation. Zonos shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Return or Deletion of Data. Upon deactivation or termination of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Zonos is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on backup systems, which such Personal Data Zonos shall securely isolate and protect from any further processing, except to the extent required by applicable law.
Security Reports. Zonos shall maintain records of its security standards. Upon the Customer’s written request, Zonos shall provide responses (on a confidential basis) to all reasonable requests for information made by the Customer, including responses to information security and audit questionnaires, that the Customer (acting reasonably) considers necessary to confirm Zonos’ compliance with this DPA, provided that the Customer shall not exercise this right more than once per year.
Data Transfer. The Customer acknowledges and agrees that Zonos may access and process Personal Data on a global basis as necessary to provide the Services in accordance with the Principal Agreement, and in particular that Personal Data will be transferred to and processed by Zonos in the United States and to other jurisdictions where Zonos' Sub-processors have operations. Zonos shall ensure such transfers are made in compliance with the requirements of Data Protection Laws, including compliance with EU approved standard contractual clauses for transfer of personal data.
Additional Provisions for California Personal Information.
This Section 11 shall only apply with respect to California Personal Information.
When processing California Personal Information in accordance with the Customer’s instructions, the Parties acknowledge and agree that the Customer is a business and Zonos is a service provider for the purposes of the CCPA.
Zonos certifies that it understands and will comply with the restrictions set out in Section 11(c).
Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
Notices. All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this DPA at such other address as notified from time to time by the Parties changing address.
This DPA is governed by the laws and jurisdiction provisions in the Principal Agreement unless required otherwise by Data Protection Laws.\
Annex A. List of Zonos Sub-processors
Available upon request
Annex B. Security Measures
Available upon request