This DPA is between
(a) The company and its Affiliates (collectively “Customer”) identified in the signature block,
(b) Origo hf, a company incorporated under the laws of the Republic of Iceland, having its principal place of business at Borgartún 37, 105 Reykjavík, Iceland.
Together the “Parties” and each a “Party”.
The Parties agree as follows:
1.1 This DPA applies to the Processing of Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
1.2 This DPA supplements the terms of the Customer License Agreement (CLA), under which Servado provides certain services (“Services”).
1.3 To the extent Servado processes Personal Data subject to the GDPR on behalf of Customer in the course of the performance of a CLA, the terms of this DPA shall apply.
1.4 This DPA shall be effective starting on January 06, 2020.
2.1 The terms “Processing”, “Personal Data”, “Controller”, “Processor”, “Personal Data Breach”, “Supervisory Authority”, “Commission” and “Member State” shall have the meanings given in the GDPR, and their cognate terms shall be construed accordingly.
2.2 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
2.3 “Customer Data” means all Personal Data which is provided to Servado (or to any sub-processor) by the Customer in connection with the CLA.
3.1.1. Customer is the Data Controller. Customer will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 24). Customer will not instruct Servado to process any Customer Data in a manner that would constitute a breach of the GDPR.
3.1.2. Customer warrants that Customer has all the necessary rights to provide the Customer Data to Servado for the Processing to be performed in relation to the Services. To the extent required by the GDPR, Customer is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should a consent be revoked by the data subject, Customer is responsible for communicating the fact of such revocation to Servado, and Servado remains responsible for implementing any Customer instruction with respect to the further processing of that Customer Data.
3.2.1. Servado is the Data Processor. Servado will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 28).
4.1. Servado will process the Customer Data only in accordance with Customer’s written instructions as set forth in the CLA and in this DPA, or as agreed upon in writing by the Parties, and to the extent that the processing is appropriate for the provision of the Services, unless Servado is required to comply with a legal obligation to which Servado is subject (Art 28(3)(a)). In such a case, Servado shall notify the Customer of that legal obligation before processing unless that legal obligation explicitly prohibits the furnishing of such information to the Customer.
4.2. The Parties have entered into a CLA in order to benefit from the expertise of Servado in processing the Customer Data for the purposes set out in Exhibit 2. Exhibit 2 describes the processing of Customer Data as required by GDPR, Article 28(3). Customer may make reasonable amendments to Exhibit 2 by written notice to Servado to meet the GDPR requirements. Nothing in Exhibit 2 (including as amended pursuant to this Section) confers any right or imposes any obligation on any Party to this DPA. Servado shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this DPA.
Without prejudice to any existing contractual arrangements between the Parties, Servado shall treat all Customer Data as confidential and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Customer Data. Servado shall ensure that all such persons or parties are under an appropriate obligation of confidentiality.
6.1. Servado will take all measures required by Article 32 (Security of Processing) of the GDPR.
6.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Servado shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Customer Data appropriate to the risk (Art 32(1)).
6.3 In assessing the appropriate level of security, Servado shall take into account the particular risks that are presented by processing, for example, from accidental or unlawful destruction, loss, alteration, unauthorized or unlawful storage, processing, or access or disclosure of Customer Data (i.e. Personal Data Breach) (Art 32(2)).
7.1. Customer authorizes the engagement of Servado’s Affiliates as subprocessors (Art 28(2)).
7.2. Customer agrees that Servado may continue to use those subprocessors already engaged by Servado as of the date of this DPA (Art 28(2)).
7.3 Customer generally authorizes the engagement of any other third-parties as subprocessors (Art 28(2)).
7.4 Information about subprocessors, including their functions and locations, is available at firstname.lastname@example.org.
7.5 Requirements for subprocessor engagement (Art 28(4)). With respect to each subprocessor, Servado shall:
7.5.1. Before the subprocessor first processes any Personal Data, carry out adequate due diligence to ensure that the subprocessor is capable of providing the level of protection for Personal Data required by the CLA;
7.5.2. Ensure that the arrangement is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of GDPR Article 28(3);
7.5.3. Remain fully liable for all obligations subcontracted to, and all acts and omissions of the subprocessor.
8.1. Customer instructs Servado to transfer Customer Data to any country or territory as is reasonably necessary for the provision of the Services.
8.2. Customer agrees that Servado and its subprocessors may store and process Customer Data in a country outside of the European Economic Area provided that the European Commission has determined that the country provides an adequate level of protection, or the Commission has determined that a regulatory framework provides an adequate level of protection.
8.3. To the extent that a Party relies on a basis for international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to terminate promptly the transfer and to pursue an alternate mechanism that can lawfully support the transfer.
9.1 Servado shall use reasonable endeavours to assist the Customer in responding to their Data Subject requests. Servado shall have at least 20 days, from the time the Customer asks for assistance, to respond to the Customer’s request. The performance and cost of such requests shall be in accordance with the CLA and Servado’s price list at any given time.
9.2 Servado must not disclose the Personal Data to any Data Subject or to a third party and responsibility for responding to requests from Data Subjects shall remain with the Customer.
10.1 If requested, Servado will provide reasonable assistance to the Customer to comply with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Servado.
10.2 Servado shall make available to Customer upon request any reasonable information to demonstrate compliance with Servado’s obligations under this DPA. Servado shall reply to any requests for information under this Section within 60 days of receiving the request.
10.3 Servado will perform audits of its Personal Data Processing practices and the information technology and information security controls for its facilities and systems used in complying with its obligations under this Agreement.
11.1. Servado shall notify Customer without undue delay upon Servado (or any subprocessor) becoming aware of a Personal Data Breach affecting Customer Data, and provide Customer with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the GDPR.
11.2. Servado shall co-operate with Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
11.3. Any notifications made to the Customer pursuant to this Section shall be addressed to the employee of the Customer whose contact details are provided in Exhibit 1 of this DPA, and shall contain:
11.3.1. a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
11.3.2. the name and contact details of Servado’s data protection officer or another contact point where more information can be obtained;
11.3.3. a description of the likely consequences of the incident; and
11.3.4. a description of the measures taken or proposed to be taken by Servado to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
12.1. Upon termination of this DPA, upon Customer’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, Servado shall, at the discretion of Customer and within reasonable business efforts, either delete or destroy Customer’s data.
12.2. Servado shall notify all subprocessors of the termination of the Data Processing Agreement and shall notify all such subprocessors to either delete or destroy the Personal Data, at the discretion of Customer.
12.3. Servado and its subprocessors may retain Customer Personal Data to the extent required by a legal obligation and only to the extent and for such period as required by the legal obligation.
Servado’s liability to Customer for any kind of loss or damage arising out of or in connection with breach of this DPA (including breach of contract, tort, misrepresentation or restitution) will: (a) be subject to the exclusions of liability applicable to Servado in the CLA; and (b) be subject to, and will in no event exceed, the limitation on Servado’s liability in the Service Agreement. Any liability incurred under this DPA, such as regulatory fines, will be included in the calculation of Servado’s liability in the Service Agreement.
This DPA will remain in effect until the later of: (a) the termination or expiry of the Service Agreement, and (b) Servado ceasing to process the Customer Data.
15.1. The terms of the Service Agreement shall apply to this DPA.
15.2. Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Service Agreement, the DPA shall prevail.
We share certain information with service providers that may be considered our “sub-processors” under GDPR, Article 28. If you wish to receive the current list please send a request via our Servado Customer Support (“Get support”).
New sub-processor notification
If you would like to be notified when we start working with a new sub-processor, you can sign up to an email list here below. We will only use this list to send notifications about new sub-processors.