GDPR Terms - Sub-Processor
Data Processing
Preamble
(1) The Processor may collect, process and/or use personal data on behalf of the Controller pursuant to the terms and conditions of this Agreement. Within the framework of this Agreement, the Controller shall remain the responsible body for the processing of personal data, for assessing the legal admissibility of processing the personal data and for respecting the rights of Data Subjects (as defined below).
(2) In compliance with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”)) and the applicable national Data Protection Laws, the Parties wish to enter into this Agreement.
1. Subject matter and term of the Agreement
(1) The subject matter of the Agreement is the processing of Personal Data as set forth in Exhibit 1 (“Controller Data”) in connection with the following services:
Execution of service and support activities specified in the Letter of Engagement (“LoE”), specified, where applicable, by annexes, services descriptions, individual orders. This Agreement specifies the handling of personal data within the framework of the Letter of Engagement.
(2) This Agreement covers any data processing with respect to Controller Data where Processor’s personnel engaged in the data processing under this Agreement or any third party assigned by the Processor come into contact with Personal Data, for the processing of which the Controller is the responsible body. Personal Data shall mean, in accordance with the definition provided in the GDPR and, until the GDPR is applicable, the Data Protection Directive 95/46/EC, any information concerning the personal or material circumstances of an identified or identifiable natural person (“Data Subject”).
(3) The term of this Agreement shall commence along with the LoE and end upon termination of the LoE or earlier upon Processor’s material breach of this Agreement or any statutory provision, and (i) if the breach cannot be remedied, the Processor does not without undue delay discontinue such breach or commits a further breach of any provision of this Agreement or any statutory provision upon receipt of a written warning from the Controller, or (ii) if the breach can be remedied, the Processor has not remedied such breach within a period of 30 days upon receipt of a written notification of such breach from the Controller.
2. Scope, nature and purpose of the intended collection, processing or use of data, nature of the data and Data Subjects
(1) The Personal data that will be processed in the scope of the LoE and the purposes for which these data will be processed are set forth in Exhibit 1.
(2) Processor’s collection, processing and use of personal data shall be in compliance with the terms of this Agreement, the LoE and in accordance with Controller’s instructions.
3. Location of Processing; Processing in Third Countries
(1) Any Processing (which includes access to data) in a third country (i.e. neither EU nor EEA) requires the prior written consent of the Controller. The specific requirements of Art. 44 et seq. GDPR must be met to the satisfaction of the Controller and the Processor must ensure compliance with the provisions of this Agreement. The Processor shall confirm compliance with Art. 44 et seq. GDPR on an annual basis and shall inform the Controller immediately as soon as the processor does not ensure an adequate level of data protection anymore.
(2) Transfers of personal data from the EU: The transfer of personal data originating in the EU, from the Controller to the Processor, is done on the basis of explicit and written authorization by the Controller.
4. Instructions by Controller
(1) The Processor shall process Controller Data only in accordance with the terms of this Agreement and in accordance with the Controller's instructions, unless required otherwise by Union or Member State law.
(2) The Processor shall not process and/or use Controller Data that have been provided to the Processor for purposes of data processing for any other purposes, in particular, not for its own purposes (including in anonymized form), and shall not transmit Controller Data to third parties unless this is a subject matter of the services under this Agreement. The foregoing shall not prevent the Processor from creating backup copies if and to the extent they are required to ensure proper data processing, or copies of data which are required to be kept by virtue of law or any other legal standard.
(3) The Controller reserves the comprehensive right to issue instructions as regards the scope, type and method of data processing which the Controller may specify by means of individual instructions. Mutual agreement in writing shall be required for any changes to the subject matter of processing and the purpose of data processing.
(4) The Processor shall notify the Controller without undue delay if the Processor reasonably believes that an instruction contravenes statutory provisions. The Processor shall be entitled to suspend the implementation of and/or compliance with the relevant instruction after reasonable prior notification until its legitimacy is confirmed by the Controller's representative in text form or until it is modified accordingly.
(5) The Processor shall name contact persons and their contact information in Exhibit 2 who are authorized to
a) receive instructions and implement them,
b) pass inquiries from Data Subjects, third parties or supervisory authorities on to the Controller, and
c) attend to all other notification and reporting obligations in connection with this agreement.
The Processor shall provide for a rule of replacement if the contact persons listed in Exhibit 2 are absent.
5. Employees of Processor; Confidentiality
The Processor shall obligate all persons who may have access to Controller Data to comply with the instructions of the Controller and shall instruct these persons on the data protection obligations arising from this Agreement and from statutory provisions. Furthermore, for processing Controller Data, the Processor shall employ only such personnel as are adequately qualified to properly handle the tasks and sufficiently reliable in dealing with Personal Data.
6. Technical and organizational measures
(1) The Processor shall ensure that the agreed technical and organizational measures for the protection of Controller Data have been and will be translated and realized in an appropriate data protection and security concept, in accordance with the requirements of Article 32 GDPR. The Processor shall organize its operation in a proper way so that it meets the specific requirements of data protection. These include in particular the measures agreed in Exhibit 3. The Processor shall document the realization and implementation of such measures in writing and provide to the Controller prior to the commencement of this Agreement as well as thereafter upon Controller’s request a comprehensive and current data protection and security concept.
(2) The agreed and/or documented technical and organizational measures are mandatory and binding. The Processor may adapt the data protection and security concept to reflect further technical or organizational developments in the course of the contractual relationship. However, the security level of the adapted concept may not fall short of the level initially agreed in Exhibit 3. Material modifications to the data protection and security concept, even if they do not result in a modification of the technical and organizational measures in Exhibit 3, as well as modifications to the technical and organizational measures agreed in Exhibit 3, must be agreed in writing by the Parties before they come into force.
(3) The Processor shall notify the Controller without undue delay if the security measures taken by the Processor do not or no longer meet the requirements set forth under this Agreement. The Controller may suspend the Master Agreement for so long as the Processor does not take remedial action and the Controller may claim damages. In that case, the Processor shall not be entitled to payment of the relevant consideration, reimbursement of expenses or compensation for damages.
(4) The Processor shall, at its own costs, implement additional technical and organizational measures which go beyond the measures specified in this Agreement if reasonably requested by the Controller in writing or if required by current or new statutory law, and if implementation by the Processor is feasible from a technical and organizational point of view and reasonable.
7. Subcontractors
(1) The Processor shall engage subcontractors in connection with the processing of Controller Data. For purposes of enabling the Controller to decide whether its consent to such engagement can be granted, the Processor shall (i) identify the proposed subcontractor in Exhibit 4; (ii) select the subcontractor upon thorough review and under specific consideration of its qualification and the eligibility of the technical and organizational measures taken, and verify that such technical and organizational measures are followed; and (iii) provide the documentation of such verification upon Controller’s request. The Processor shall contractually ensure that the provisions stipulated in this Agreement apply to its subcontractors as well and that the subcontractor provides for an adequate security level which is comparable to the level provided under this Agreement.
(2) In the event the Processor intends to use subcontractors located in third countries, the additional requirements of Art. 44 et seq. GDPR and, until applicable, Art. 26 of the Data Protection Directive 95/46/EC shall apply and have to be fulfilled. Sec. 3 of this Agreement applies accordingly.
(3) The Controller may at any time request that a subcontractor may be replaced for good cause. A good cause shall in particular exist if the Controller is in doubt of the qualification of such subcontractor or the eligibility of the technical and organizational measures taken, the implementation of such technical and organizational measures, compliance with the terms of this Agreement or other reliability in connection with the handling of Personal Data.
(4) In due consideration of the fact that the Controller is responsible for collecting, processing and using Personal Data, the Processor warrants that the subcontractor selected by the Processor complies with the statutory data protection regulations.
(5) In case of subcontracting, the Controller shall be granted direct rights of control and inspection at the subcontractor's site in accordance with this Agreement (contract for the benefit of a third party, including the Controller's right to obtain information from the Processor on request about the material provisions of the contract and the implementation of obligations relating to data protection in the sub-contractual relationship). The Controller's clients shall have rights of control and inspection at the subcontractor's site as well.
8. Assistance of Controller to fulfil data subject rights
(1) The Processor shall assist the Controller in providing information to Data Subjects upon their request and in compliance with statutory data protection regulations. The same shall apply with respect to the correction of Personal Data upon request of individual Data Subjects.
(2) The Processor shall correct, delete or block Controller Data in accordance with the terms and conditions of this Agreement and in accordance with the Controller's instructions at the latest within 5 business days after notification. The Processor shall take the appropriate technical and organizational precautions to ensure that Controller Data can be corrected, deleted and blocked in the Processor’s own data processing facilities. If the Processor provides sufficient evidence that the deletion of Controller Data is not possible or such deletion would constitute an unreasonable burden for the Processor, the Processor may block the relevant Controller Data from access instead of deletion unless the Controller requests deletion of the relevant Controller Data and reimburses the associated reasonable costs.
(3) To the extent a Data Subject contacts the Processor with a request to correct, delete or block Controller Data, or if the Processor has other reasons to believe that certain Controller Data should be corrected, deleted or blocked, the Processor shall inform the Controller thereof in writing without undue delay. The Controller shall then issue the necessary instructions to the Processor. The Processor shall be obliged to assist the Controller upon first demand in connection with the correction, deletion or blocking of Controller Data.
(4) The Processor may provide information to Data Subjects or to third parties or fulfil any other rights asserted by a Data Subject or third party only upon the prior written consent of and upon consultation with the Controller. The Processor shall inform the Controller about receipt of such inquiries without undue delay.
9. Assist Controller to comply with obligations under GDPR
(1) The Controller is responsible for compliance with the provisions of the GDPR and other data protection regulations as applicable and keeps control over Controller Data. The Processor shall reasonably assist the Controller in meeting this obligation, in particular by providing all necessary documentation and evidence, assignment of adequate personnel resources as well as compliance with the agreed technical and organizational measures.
(2) The Processor shall contribute to the preparation of the Controller's register of processing operations. The Processor shall provide the information required in accordance with Art. 30 GDPR to the Controller upon request in the form of appropriate documents.
(3) The Processor shall prepare its own register of processing operations in accordance with Art. 30 GDPR and keep it up-to-date. The Processor shall provide the register of processing operations upon first demand of the Controller.
(4) The Processor shall assist the Controller in providing information and reportable data to supervisory authorities, government agencies or other third parties, and in compliance with statutory data protection regulations. In this respect, the Processor shall in particular make available to the Controller all necessary documentation, evidence and data which the Controller may reasonably need to provide information, issue notifications, and fulfil its reporting obligations.
(5) Where the Controller deems appropriate under Art. 35 GDPR, the Processor shall assist the Controller in carrying out an assessment of the impact of the envisaged processing operations on the protection of personal data.
(6) The Processor shall immediately inform the Controller of any communication received from supervisory authorities (e.g. inquiries, notifications concerning provisions or requirements) which concern the Processor in connection with this data processing by the Processor.
(7) The Processor shall without undue delay comprehensively notify the Controller of any violations of provisions regarding the protection of Personal Data or breaches of the terms of this Agreement in connection with Controller Data or any other risk with respect to the integrity or confidentiality of Controller Data by the Processor, the persons engaged by the Processor, or subcontractors in accordance with Section 6 of this Agreement. Verbal notifications are to be confirmed immediately in text form. Notification about any incident shall include information with respect to the timing, type of incident (including information as to which of the Controller Data are affected), the affected system, the persons concerned, time of discovery, any potential adverse consequences as well as the counter-measures taken by the Processor.
(8) The Processor shall without undue delay notify the Controller of any incidents which could trigger a notification obligation of the Controller in accordance with Art. 33 GDPR, irrespective of the cause, and shall confirm these incidents without undue delay in writing. This shall also apply to severe disruptions in the Processor's operations, or if the Processor suspects other serious violations of the provisions on the protection of Personal Data or other serious irregularities in handling the Controller Data. After consultation with the Controller, the Processor shall immediately take appropriate measures to secure the data as well as to reduce potential adverse consequences for the Data Subjects. To the extent that the Controller is subject to duties under Art. 33 GDPR, the Processor shall be required to assist the Controller on first demand in preparing the notification by submitting documents and other evidence reasonably necessary. This includes, among other things, the provision of documents requested by the competent supervisory authority, and information to Data Subjects. The Processor shall compensate the Controller for any costs and expenses in connection with the fulfilment of any notification obligations in accordance with this Section 9(7), unless the notification obligation was not triggered by Processor’s fault, the fault of any person assigned by the Processor or any of its subcontractors in accordance with Section 7 of this Agreement.
10. Deletion of data stored on the Processor's premises upon termination of the Agreement
Upon termination of this Agreement or the Service Agreement or at the Controller's request upon first demand, the Processor shall return all Controller Data which the Processor has received from the Controller for the purpose of order data processing or which the Processor has collected on the Controller's behalf, in readable and processible format to the Controller and subsequently delete any records in accordance with data protection requirements. The same applies to security copies, archiving data, test and scrap material, except to the extent required by applicable law.
11. Information to demonstrate compliance; Audits
(1) The Processor shall regularly monitor compliance with the provisions of this Agreement by conducting its own reviews, including control of subcontractors under Section 7.
(2) At Controller’s request, the Processor makes available to the Controller the information necessary to demonstrate compliance with the obligations under this Agreement, in a commonly used and machine-readable format.
(3) The Controller shall be entitled to assure itself, by way of inspections at the Processor, before commencement of the data processing and regularly thereafter that the Processor complies with the terms of this Agreement, in particular with respect to compliance with the provisions of the GDPR, and that adequate data security is guaranteed within the meaning of this Agreement as well as the implementation of technical and organizational measures pursuant to Art. 32 GDPR.
(4) The Processor shall assist the Controller in exercising its monitoring rights. For this purpose, the Processor shall grant the Controller access to any documents that the Controller reasonably requests in connection with its control, records and file registers and grant access to its systems to the extent they are used in connection with the processing of Controller Data under this Agreement. As evidence for the implementation of technical and organizational measures in accordance with Exhibit 2 the Controller may also request the Processor to present a current certificate, report or report excerpt of an independent third party or any appropriate certification by IT security or data protection audits.
(5) The Processor shall grant the Controller access to any and all places at which Controller Data are processed or have been processed during regular business hours and to the extent the business operations will not be unreasonably disrupted. The Controller shall notify the Processor of any on-site inspection, if reasonably possible 2 weeks in advance in text form. In the event of a violation of statutory provisions or terms of this Agreement or the Master Agreement the Controller may access the premises at any time and exercise its monitoring rights and on-site control without prior notification. If the Controller identifies any violations or irregular practices it will notify the Processor thereof. The Processor shall without undue delay take all necessary measures to remedy any violations or irregular practices completely.
(6) The Controller shall be entitled to request information from the Processor’s data protection officer with respect to any and all aspects of the collection, processing and use of Controller Data, including the technical and organizational measures taken. The Controller shall be entitled to request a confirmation from the data protection officer regarding compliance with the technical and organizational measures pursuant to Exhibit 2. The Processor shall ensure, taking into account that the data protection officer is not bound to directives of the Processor, that the data protection officer is able to answer those requests in a timely manner.
(7) The Processor shall compensate the Controller for all reasonable costs in connection with a control in the event the Controller identifies any violation against the terms of this Agreement or data protection regulations.
(8) The Processor shall grant to the supervisory authority and/or the Controller all necessary and reasonable access, information and inspection rights, in compliance with applicable law. The Processor shall notify the Controller without undue delay of any control activities, investigations or other actions of supervisory authorities and notification thereof, relating to Controller Data.
12. Reportable violations
(1) The Processor shall without undue delay comprehensively notify the Controller of any violations of provisions regarding the protection of Personal Data or breaches of the terms of this Agreement in connection with Controller Data or any other risk with respect to the integrity or confidentiality of Controller Data by the Processor, the persons engaged by the Processor, or subcontractors in accordance with Section 7 of this Agreement. Verbal notifications are to be confirmed immediately in text form.
(2) Notification about any incident under Section 12(1) shall include information with respect to the timing, type of incident (including information as to which of the Controller Data are affected), the affected system, the persons concerned, time of discovery, any potential adverse consequences as well as the counter-measures taken by the Processor. A preliminary notification must be made within 24 hours at the latest after becoming aware of the incident. The Processor will conduct a comprehensive investigation of the incident within 5 days at the latest, provide its findings to the Controller within such 5-day period, and inform the Controller upon request about the measures taken and the remediation of the incident.
(3) The Processor shall, without undue delay after becoming aware of an incident under Section 12(1), conduct a root cause analysis, document this analysis and provide the documentation to the Controller upon request. If the Controller determines that the technical and organizational measures taken by the Processor are not sufficient, the Processor shall implement at its own costs such additional measures as the Controller deems necessary to secure an adequate security level for the Controller Data.
(4) The Processor shall notify the Controller of any incidents which trigger a notification obligation in accordance with Art. 33 GDPR, irrespective of the cause, and shall confirm these incidents without undue delay in writing. After consultation with the Controller, the Processor shall immediately take appropriate measures to secure the data as well as to reduce potential adverse consequences for the Data Subjects. To the extent that the Controller is subject to duties under Art. 33 GDPR, the Processor shall be required to assist the Controller on first demand in preparing the notification by submitting documents and other evidence reasonably necessary. The Processor shall compensate the Controller for any costs and expenses in connection with the fulfilment of any notification obligations in accordance with this Section 12(4), unless the notification obligation was not triggered by Processor’s fault, the fault of any person assigned by the Processor or any of its subcontractors in accordance with Section 7 of this Agreement.
13. Measures taken by third parties
(1) Where the Controller Data become subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being processed, the Processor shall inform the Controller immediately thereof.
(2) Furthermore, the Processor shall immediately advise all pertinent parties in such action that any Personal Data affected thereby is in the Controller’s sole property and power of disposal and that statutory provisions restrict any handling of these data.
15. Severability clause; written form; order of precedence
(1) If and to the extent that one of the provisions of this Agreement is held to be illegal, void or unenforceable, the validity of the remaining provisions of this Agreement shall not be affected. The Parties agree to replace such an invalid provision by a valid one which comes as close as possible to the Parties' original objective as regards this contract.
(2) Amendments and modifications to this Agreement shall be made in writing. The same shall apply to amendments and modifications of this written form requirement.
(3) In the event of an inconsistency between the terms and conditions of this Agreement and the Service Agreement, the terms of the Service Agreement shall prevail. However, in the event of conflicts with regard to the processing of Controller Data between this Agreement and the LoE or other agreements between the Parties, the terms of the LoE shall prevail.
Exhibits
Exhibit 1
Personal data that will be processed in the scope of the Service Agreement, the categories of data subjects and the purposes for which these data will be processed
- Name, first name
- Identification number (e.g. ID, customer number, personnel number)
- Personal data (e.g. date of birth, place of birth, marital status, citizenship)
- Address data (e.g. street, house number, postal code, city, post office box)
- Communication data (e.g. telephone, fax, mobile phone, e-mail)
- Banking information (e.g. account number, BIC, name of financial institute, different name of account holder)
- Health insurance data (e.g. name of health insurance company, name of insured, insurance policy number)
- Employee data (e.g. date of joining/retiring from the company, probationary period, time limitation, re-entry)
- Salary data (e.g. salary level, number of salaries, allowances, special payments, benefits)
- Annual leave data (e.g. number of days of annual leave, residual leave, date of annual leave)
- Qualifications (e.g. certificates, application papers, training, assessments, written warnings)
- Recording of working time
- Log and protocol data
- Video recording (CCTV)
Group of data subjects
- Employees of the Controller
- Patients
- Customers or suppliers
- Visitors of the Controller
Purposes for which personal data will be processed so that the Controller is able to defend its corporate position in relation to:
- Internal Investigations
- Competition/Antitrust Investigations
- Litigation Disputes
- Employee Disputes
- Subject Data Access Requests (under the GDPR)
- Data Remediation Purposes
- Data Breach
- Data Theft
- Class Actions
- M&A Due Diligence
- Insolvency
Exhibit 2
Contacts
Contact person of the Processor:
Luke Smith
+32.490.113.259
Exhibit 3
Technical and organizational measures in accordance with Art. 33 GDPR
Processor has implemented the following technical and organizational security measures to provide the on-going confidentiality, integrity, availability and resilience of processing systems and services:
- Information Security Governance Policy
- Data Classification Policy
- Data Destruction and Disposal Policy
- Data Handling Policy
- Encryption and Key Management Policy
- Incident Response Plan
- Reveal Security Statement
Exhibit 4
Subcontractors
- Duncan Gardiner - Data Consultant
- Alex Kam - Data Consultant
- Reveal Data Corporation and its Employees - eDiscovery Software and Environment provider