Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is entered into between meritboost, hereinafter referred to as the "Data Processor," and you on behalf of your Organization, hereinafter referred to as the "Data Controller," collectively referred to as the "Parties."
Background
The Data Controller provides the meritboost services and has engaged the Data Processor to provide a software-as-a-service (SaaS) solution. In the course of providing these services, the Data Processor may process personal data on behalf of the Data Controller.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") that is processed by the Data Processor on behalf of the Data Controller.
- Data Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
Obligations of the Data Processor
- The Data Processor shall process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Data Processor shall ensure that persons authorized to process Personal Data on behalf of the Data Processor have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the General Data Protection Regulation (GDPR).
- The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor.
- The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this Agreement and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
Data Subject Rights
- The Data Processor shall promptly notify the Data Controller if it receives a request from a Data Subject exercising their rights under the GDPR regarding Personal Data processed on behalf of the Data Controller.
- The Data Processor shall provide reasonable assistance to the Data Controller in responding to any request from a Data Subject and in ensuring compliance with its obligations under the GDPR with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
Subprocessing
- The Data Processor shall not engage another processor without prior specific or general written authorization of the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes.
Data Security Breach
- In the event of a Personal Data breach, the Data Processor shall notify the Data Controller without undue delay after becoming aware of the breach.
Term and Termination
- This Agreement shall remain in effect for the duration of the provision of services by the Data Processor to the Data Controller and shall terminate upon the deletion of all Personal Data processed by the Data Processor on behalf of the Data Controller.
- Upon termination of this Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller and delete existing copies unless European Union or Member State law requires storage of the Personal Data.
Governing Law and Jurisdiction
- This Agreement shall be governed by and construed in accordance with the laws of Lisbon, Portugal.
Note
Possible Template https://gdpr.eu/data-processing-agreement/