Data Processing Amendment.
You or the legal entity that you represent (hereinafter “You”) and Musketeer OÜ, a private limited company established under Estonian law, Estonian commercial register code 16479329, location Tartu, Arhitekti tn 2-10, 50407, Estonia (hereinafter “Musketeer”), individually herein referred to as a “Party” and collectively as the “Parties”, have concluded this Data Processing Addendum (hereinafter “DPA”) on the following terms:
1. Background
1.1. Parties have concluded a Terms of Service. This DPA is an addendum of the Terms of Service. In the event of conflict between Terms of Service and the DPA the DPA shall prevail.
2. Definitions
2.1. The DPA terms written with an upper-case first letter are hereinafter used in the following meanings unless the context indicates a different meaning:
2.1.1. Applicable Law means all legislation, ordinations and advice from supervisory authorities, applicable to Musketeer (includes also the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data known as the EU GDPR (General Data Protection Regulation), hereinafter the “GDPR”);
2.1.2. Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him/her;
2.1.3. Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
2.1.4. Data Subject means an identified or identifiable natural person;
2.1.5. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
2.1.6. Personal Data means any information relating to a Data Subject that enables the Data Subject to be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.1.7. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.1.8. Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
2.1.9. Services means services which are listed or provided according to the Terms of Service;
2.1.10. Subprocessor means any subprocessor processing Personal Data engaged by Musketeer;
2.1.11. Third Party means a person who is not a Party to the contract concluded between the Parties;
2.1.12. Third Party Services means all services which are provided to and for or from a Third Party;
2.1.13. Your Controlled Data means the Personal Data processed by Musketeer on Your behalf and according to Your instructions as part of the Services, but only to the extent of which You are subject to under Applicable Law. Your Controlled Data does not include Personal Data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to Musketeer’s Site) with respect to Your end users’ interactions with Your site through their browser and technologies like cookies;
2.2. Headings used in this DPA are for convenience only and shall not affect any construction or interpretation of this DPA.
3. Confidentiality
3.1. Musketeer guarantees to Process and store Personal Data in strict confidence. Personal Data may only be accessed and managed by such persons and Subprocessors and Third Parties of Musketeer that need access to Personal Data for fulfilling Musketeer’s obligations under this DPA, have confirmed confidentiality, and only to the extent necessary for fulfilling Musketeer’s obligations according to this DPA.
3.2. The obligation of confidentiality pursuant to this section shall apply without any limitation in time and survive termination of the DPA.
4. Liability
4.1. Musketeer is not responsible for Personal Data that You have elected to process through Third Party Services or outside of the Services, including the systems of any Third Party cloud services, offline or on-premises storage.
5. Indemnification
5.1. You shall indemnify and hold Musketeer harmless from any damage, claims or administrative fines incurred by or arising against Musketeer, whether directly or indirectly, due to Your Processing of Personal Data in breach of this DPA or Applicable Law.
5.2. If claims or administrative fines are directed against Musketeer as a result of breach of this DPA or Applicable Law, You shall immediately notify Musketeer thereof and take every possible measure to mitigate the damages resulting from the breach.
5.3. Without prejudice to the regulations regarding right to compensation, liability and fines, if Musketeer infringes Applicable Law by determining the purposes and means of Processing, Musketeer shall be considered to be a Controller in respect of the Processing and hence fully responsible for any such Processing.
6. Force majeure
6.1. Parties understand and agree that the Party shall not be liable in connection with any force majeure event, including labour disputes or other industrial disturbances, electrical, telecommunications, hardware, software or other utility failures, software bugs or weaknesses, earthquakes, storms, or other nature-related events, blockages, embargoes, riots, strikes, acts or orders of government authority, acts of terrorism or war, technological change and changes in interest rates or other monetary conditions.
6.2. If an event of force majeure occurs, the Party injured hereto by the other’s inability to perform may elect to suspend the DPA, in whole or part, for the duration of the force majeure circumstances.
7. Musketeer’s Processing Responsibilities
7.1. We process Your Controlled Data for the purpose described in our Privacy Policy and Terms of Service or consents You give us through Your Account. You agree that the Agreement and the instructions given through Your Account are your complete and final documented instructions to us in relation to Your Controlled Data.
7.2. Audits
7.2.1. Musketeer shall make available to You upon request all information necessary to demonstrate compliance with the obligations laid down in this DPA.
7.2.2. Musketeer shall allow for and contribute to audits, including inspections, requested by You. These audits may be conducted by an independent auditor bound by confidentiality obligations appointed by Musketeer.
7.2.3. The audits will be carried out no more than once a year, unless an exceptional event justifies an audit (e.g. a request or investigation by a supervisory authority, a request by a Data Subject).
7.2.4. Your right to request audits cannot affect and/or impede Musketeer’s economic and professional activities, other Musketeer’s clients and Data Subjects, Musketeer’s confidentiality obligations etc. Musketeer can determine the audit conditions regarding time and place.
7.2.5. When infringements are detected during the audits, Musketeer will be given a reasonable timeframe (usually from twenty (20) to forty (40) days, but possibly less), depending on the nature and severity of the infringements, to implement corrective actions at Musketeer’s own expense.
7.2.6. You will pay Musketeer’s costs in considering and addressing any request in relation to the audits.
7.3. Sub-Processors
7.3.1. Musketeer has the right to engage Subprocessor to carry out all or part of the Processing activities entrusted to Musketeer by You.
7.3.2. Upon your written request Musketeer shall communicate to You in writing (i) the identity of the Subprocessor, (ii) the location of the Subprocessor and (iii) the location of the Processing activities carried out by the Subprocessor.
7.3.3. The Subprocessor shall be subject to the same obligations as Musketeer according to this DPA. Therefore, the Subprocessor shall comply with all obligations set out in this DPA and the obligations applicable to the Processor under the GDPR and any applicable data protection laws and regulations. Musketeer must impose these obligations on the Subprocessor, in writing by the way of a contract.
7.3.4. Musketeer shall cause the Subprocessor to strictly comply with all obligations set out in this DPA and Musketeer will in any case remain fully liable to You for the due and timely performance of all and any such obligations by the Subprocessor.
7.4. Security measures
7.4.1. Parties shall implement appropriate technical and organizational measures to ensure an adequate level of security for the Personal Data in order (in particular) to prevent the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, use or unauthorized access. These measures must comply with Applicable Law.
7.4.2. Parties must implement a process for regularly testing, assessing and evaluating the effectiveness of these measures for ensuring the security of the Processing.
7.4.3. Musketeer agrees that it shall not disclose any Personal Data to any third party without Your consent, except according to this DPA or if legally allowed or obligated to do so.
7.5. Cross border data transfers
7.5.1. Musketeer shall not transfer Personal Data provided by You, its affiliates or their employees to countries outside the European Economic Area or other countries with cross border data transfer restrictions unless Musketeer has implemented appropriate safeguards in accordance with Applicable Law.
7.5.2. Prior to any cross border transfer, Musketeer must confirm whether there is (i) a decision from the European Commission or a competent authority in the relevant exporting country acknowledging that the importing country or importing category of recipients provide an adequate level of protection (ii) approved binding corporate rules or (iii) an approved certification authorizing the transfer or (iv) an approved code of conduct authorizing the transfer or (v) another approved data transfer mechanism in the relevant exporting country.
7.5.3. When the transfer cannot benefit from the above-mentioned safeguards, Musketeer (as a Data Exporter) and the Data recipient (as a Data Importer) must conclude and implement standard contractual clauses adopted or approved under Applicable Law or regulations of the exporting country, such as the “Standard Contractual Clauses (processors) for the transfer of personal data to processor established in third countries which do not ensure an adequate level of data protection” proposed by the EU Commission. In this context, Musketeer (i) will make sure that, at all times, the Data Importer fully implements appropriate safeguards in accordance with this DPA, Applicable Law and (ii) proceeds with any relevant assessment, and (iii) immediately informs the Data Controller (You) in case of any breach by the Data Importer or as the case may be, any subsequent Subprocessors.
7.5.4. If You are the one who asks for the transfer of Personal Data to a third country, You have to submit to Musketeer documentation, which confirms that the transfer complies with Applicable Law.
8. Data Breach
8.1. In case of a Data Breach that is likely to result in a high risk for the rights and freedoms of a Data Subject, Musketeer shall notify You immediately after becoming aware of the Data Breach.
8.2. The notification shall, in any case, include the following information: description of the facts, type of breach (confidentiality / integrity / availability), stakeholders, countries, nature of compromised Personal Data, number of individuals impacted, approximate number of records compromised, likely consequences of the Data Breach, measures taken to address the Data Breach, measures taken to address the adverse effects. Where any of the information is not available at the time of the original notification, Musketeer shall obtain such information forthwith and immediately notify You of such information after becoming aware of it.
8.3. Musketeer must provide prompt support to You in assessing the need of and dealing with the notification of a Data Breach to supervisory authorities and to the Data Subjects, including the communication of any information needed to comply with these obligations. Musketeer shall forthwith propose measures to mitigate the Data Breach and its adverse effects on Data Subjects. Once agreed by You, these measures shall be promptly implemented by Musketeer at Musketeer’s cost, unless the Data Breach is due to Your default or failure.
9. Data Subjects’ rights
9.1. As part of its duties under this DPA, Musketeer shall provide all reasonable assistance to You for the fulfilment of Your obligation to respond to requests from Data Subjects exercising their data protection rights.
9.2. In the event that Musketeer as the Processor receives such requests directly from Data Subjects, Musketeer must not respond directly to such request but, within a maximum of 10 days from the receipt of such request, inform You and provide all relevant information to You in a timely manner in order to enable You to respond to the Data Subject’s request. Taking into account the nature of the Processing, Musketeer must (i) provide You all necessary information in order to respond to a request based on the right of access and the right to portability, in the appropriate form and format, (ii) take necessary steps in order to implement the instructions given by You to address requests based on the rights of erasure, rectification, restriction and objection. Musketeer’s action and response must be provided in a timely manner in order to enable You to comply with the required timeframes under applicable laws and regulations.
9.3. In the event that Musketeer receives a data protection claim from a Data Subject, it shall immediately inform You and provide forthwith all relevant information in order to enable You to participate in the defense of such a claim. In the event of a failure to do so Musketeer shall bear any costs, losses, expenses or claims which You pay or are ordered to pay to Data Subjects in respect of such a claim, unless the claim is caused by Your actions or omissions.
10. Cooperation with the supervisory authority
10.1. Musketeer must inform You immediately upon receiving a request relating to data privacy from a supervisory authority according to Applicable Law, unless a court document or equivalent document forbids it from doing so.
10.2. Taking into account the information available, Parties will promptly and efficiently assist the other Party in its obligation to cooperate with the supervisory authority, in order to enable the Party to respond promptly to any queries of the supervisory authority.
11. Term and changes of the DPA
11.1. This DPA is valid from signing and for as long as Musketeer Processes any Personal Data on behalf of Party.
11.2. In case of changes in Applicable Law, a final judgement that causes another interpretation of Applicable Law, the Services under this DPA, or in the event of a material change in the ownership structure of Musketeer, the Parties shall in good faith cooperate to update the DPA accordingly.
11.3. Musketeer shall be entitled to give written notice of termination of this DPA, effective immediately or at any later date, in the event the Parties cannot agree on a suitable change in the DPA due to changes in Applicable Law, a final judgment, if the Services under the Agreement require changes to this DPA, or in the event of a material change in the ownership structure of Musketeer.
11.4. Any breach of the obligations by You under this DPA is deemed material and entitles Musketeer to give written notice of termination of this DPA effective immediately or at any later date.
12. Applicable law and Disputes
12.1. The DPA has been drawn up in accordance with the laws of the Republic of Estonia and the application, interpretation, and termination thereof shall be subject to the laws of the Republic of Estonia.
12.2. Any disputes arising from the performance of the DPA shall be settled through negotiations. If the Parties fail to resolve the dispute through negotiation, the disputes shall be settled by Tartu Maakohus (Tartu County Court), pursuant to the procedure provided by the law of the Republic of Estonia.