Data Processing Agreement

Effective May 5, 2026

This agreement is also available as a signable PDF for download. Please contact hello@mergua.com.

Purpose of the Agreement

The Processor has committed to providing the data processing described in Appendix 1 to the Controller. For the purposes of this agreement, the definitions of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter "GDPR") shall apply.

Right to Issue Instructions

The Processor shall process personal data only on documented instructions from the Controller — including with regard to the transfer of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject.

The Processor shall inform the Controller without delay if, without conducting a legal review by a legal professional, it is of the opinion that an instruction obviously infringes the GDPR or other data protection provisions of the EU or the Member States. The Processor is not obligated to obtain legal advice in connection with the performance of this agreement and does not provide legal advisory services in the performance of this agreement.

Instructions from the Controller shall be consistent with the subject matter of this agreement. Should compliance with an instruction result in effort exceeding one working hour for the Processor, the entire effort shall be compensated by the Controller.

Confidentiality

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of secrecy.

Data Security

The Processor shall take all measures that are mandatorily required pursuant to Article 32 GDPR.

The Processor fulfills this obligation by implementing the security measures described in Appendix 2.

The Processor shall inform the Controller of any personal data breach concerning data that the Processor processes on behalf of the Controller, provided that the breach poses a risk to the rights and freedoms of natural persons.

This notification shall be made without delay as soon as the Processor becomes aware of such a breach and shall be directed to the contact point designated by the Controller in writing.

The notification shall, to the extent possible considering the circumstances, include:

  • the nature of the personal data breach
  • the categories and approximate number of data subjects concerned
  • the categories and approximate number of personal data records concerned
  • the likely consequences of the breach
  • the measures taken or proposed to address the breach

Sub-Processing

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors or sub-processors. The Controller has the opportunity to object to such changes.

If the Controller does not raise an objection within two weeks, the change shall be deemed approved.

If an objection is raised, the Processor shall have the right to terminate the agreement with two weeks' notice to the end of the month.

Where a sub-processor is engaged, the same data protection obligations shall be imposed on it by way of a contract, in particular with regard to appropriate technical and organizational measures.

If the sub-processor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for compliance with those obligations.

Assistance

The Processor shall, to the extent possible, assist the Controller by appropriate technical and organizational measures in fulfilling its obligations in connection with data subject rights pursuant to Chapter III GDPR.

As a general rule, this assistance is provided by forwarding incoming requests from data subjects to the Controller.

To the extent that additional assistance is required and provided by the Processor, the Processor is entitled to charge reasonable compensation for this.

Furthermore, the Processor shall assist the Controller in complying with its obligations pursuant to Articles 32–36 GDPR, in particular through the measures relating to confidentiality, data security, and notification of personal data breaches.

Return of Personal Data

At the choice of the Controller, the Processor shall, upon completion of the processing services, delete all personal data or return it, unless statutory retention obligations require otherwise. Reasonable compensation may be charged for the return of data.

Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this agreement.

Pre-announced audits may be conducted during business hours by an independent third party, provided they do not disrupt business operations.

The costs of such audits shall be borne by the Controller. Reasonable compensation may be charged for services provided by the Processor in connection with such audits.

Alternatively, the Processor may have an audit conducted by an independent third party at least every three years and make the results available to the Controller.

Liability

The liability of both parties is limited to gross negligence. Liability for mere financial losses is excluded.

The Controller shall be liable to the Processor for the lawfulness of all instructions issued and shall indemnify and hold the Processor harmless against all damages and disadvantages resulting from compliance with an instruction.

Miscellaneous

Amendments to this agreement shall be made exclusively in writing. This shall also apply to this written form requirement.

Should any provision of this agreement be invalid or unenforceable, it shall — to the extent permitted by law — be replaced by the provision that most closely reflects the economic intent of the invalid or unenforceable provision.