Agreement on Data Processing
to Art. 28 GDPR
4020 Linz, Österreich
(hereinafter referred to as the data processor)
1. OBJECT OF THE AGREEMENT
(2) The following data will be processed:
a. Contact details
b. Communication data
c. Billing details
d. Address details
e. Analysis data
f. Order and billing details
g. Contractual details
(3) The following categories of people shall be subject to the processing:
a. Clients of the Storyblok platform
b. License holders
c. Suppliers
d. Employees
e. Interested parties
f. Website visitors
(4) The data processing covers: organisation, structuring, storage, dissemination or otherwise making available, erasure and destruction of data.
2. DURATION OF THE AGREEMENT
The agreement is unlimited in time and may be terminated by either party. The right of extraordinary termination for cause, or in the event of a breach of the “Terms” (https://www.storyblok.com/terms) by the data controller, remains unaffected.
3. DUTIES OF THE DATA PROCESSOR
(1) The data processor undertakes to process data and processing results exclusively in accordance with the data controller’s written instructions. If the data processor receives an official order to disclose the data controller’s data, the data processor is obliged, where legally permitted, to inform the data controller immediately and to refer the authority to the data controller. Data processing for the data processor’s own purposes likewise requires a written instruction.
(2) The data processor declares in a legally binding manner that all persons engaged in the processing were bound to confidentiality, or are subject to an appropriate statutory duty of confidentiality, before taking up their activity. The duty of confidentiality shall in particular remain in force for the persons involved in the data processing even after their employment or services for the data controller have ceased.
(3) The data processor declares in a legally binding manner that it has taken all measures necessary to guarantee the security of the data processing in accordance with Art 32 GDPR (details in Appendix ./1).
(4) The data processor shall take the technical and organisational measures needed to enable the data controller to fulfil the data subjects’ rights under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, and automated individual decision-making) within the statutory deadlines at any time, and shall provide the data controller with all information necessary for this purpose. If a request is submitted to the data processor because the requesting party has mistakenly taken the data processor to be the controller of the data concerned, the data processor shall immediately forward the request to the data controller and inform the requesting party accordingly.
(5) The data processor shall assist the data controller in complying with the obligations under Articles 32 to 36 of the GDPR (security of processing, notification of personal data breaches to the supervisory authority, communication of personal data breaches to the data subjects affected, data protection impact assessment, prior consultation).
(6) The data processor is hereby informed of the obligation to establish and keep up to date a record of processing activities in accordance with Art 30 GDPR for the processing under this agreement.
(7) The data controller, or a third party contracted by the data controller, shall have the right to inspect and audit the data processing systems at any time. The data processor undertakes to provide the data controller with the information necessary to verify compliance with the obligations set out in this agreement.
(8) After termination of this agreement, the data processor is obliged to hand over all processing results and documents containing data to the data controller, or to destroy them on the data controller’s behalf. If the data processor processes the data in a specific technical format, it is obliged, after termination of this agreement, to provide the data either in that same format or, at the data controller’s request, in the format in which it received the data from the data controller or in another common format.
(9) The data processor shall inform the data controller if it considers an instruction from the data controller to violate the data protection regulations of the EU or of a Member State.
4. DATA SECURITY
(1) As further specified in Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data processor shall implement and maintain appropriate technical and organisational measures to protect the security (including protection against a Security Incident, as defined below), confidentiality and integrity of Customer Content, as set forth in the applicable Security and Privacy Operational Controls. The data processor regularly monitors compliance with these measures and will not materially decrease the overall security of the Services during a subscription term.
(2) Third-Party Certifications and Audits. The data processor has obtained the third-party certifications and audits set forth in the Security and Privacy Operational Controls. Upon the Customer’s written request, no more than once annually, and subject to appropriate confidentiality obligations (which may require execution of an additional non-disclosure agreement), the data processor shall make available to the Customer (so long as neither the Customer nor its independent third-party auditor is a competitor of the data processor):
a. any written technical document that data processor generally provides or makes available to its customer base; and
b. a copy of the data processor’s then-current relevant third-party audits or certifications, or summaries thereof, as applicable (as may be specified in the applicable Security and Privacy Operational Controls).
5. RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
(1) The Data Controller shall be responsible for complying with the legal provisions of the Applicable Data Protection Law, in particular in relation to the assignment of the Processing to the Data processor, and for the Processing itself.
(2) Notifications concerning the Processing or a Personal Data Breach (if any) will be delivered to the Data Controller’s registered team notification email address. It is the Data Controller’s sole responsibility to ensure that it maintains accurate contact information in the service management console and secure transmission at all times.
(3) The Data Controller has the right to audit the technical and organisational measures taken by the Data processor under this agreement and to check them at regular intervals. Such audits may also be performed by an independent auditor on behalf of the Data Controller but shall not interfere with the Data processor’s business operations. An audit may be refused insofar as it would conflict with the Data processor’s data protection obligations towards other customers.
(4) The Data Controller shall inform the Data processor without delay when it notices any mistakes or irregularities while performing controls. The Data processor shall without delay correct such errors or irregularities and notify the Data Controller when corrections have been made.
(5) If a Data Subject asserts a claim under Art. 82 of the GDPR against one of the contracting parties, the party concerned shall notify the other party without delay. The contracting parties shall support one another in defending the claim.
6. NOTIFICATION DUTIES
(1) In the case of a Personal Data Breach involving Personal Data Processed on behalf of the Data Controller, the Data processor shall, taking into account the nature of the Processing and the information available to it, support the Data Controller in ensuring compliance with the Data Controller’s obligations under Article 33 of the GDPR.
(2) If the Data processor becomes aware of a Personal Data Breach, the Data processor shall without undue delay notify the Data Controller of the Personal Data Breach. The notification shall at least:
a. describe the nature of the Personal Data Breach, the categories of data subjects and personal data records concerned, and their approximate number;
b. describe the likely consequences of the Personal Data Breach;
c. describe the measures taken or proposed to be taken by the Data Controller to mitigate the effects and to minimise any damage resulting from the Personal Data Breach; and
d. provide the name and contact details of a contact person for further information.
(3) The data controller and the data processor shall cooperate, on request, with the supervisory authority. The data controller shall be informed immediately of any inspections and measures carried out by the supervisory authority insofar as they relate to the activities under this DPA. The same applies insofar as the data processor is under investigation by, or is party to an investigation by, a competent authority in connection with infringements of any provision on the processing of personal data in connection with the processing under this DPA. Insofar as the data controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal proceedings, a liability claim by a Data Subject or a third party, or any other claim in connection with the processing of data by the Data processor under this DPA, the data processor shall make reasonable efforts to support the data controller.
7. PLACE OF DATA PROCESSING
Data processing activities are carried out, at least in part, outside the EU and the EEA, namely in the United States. An adequate level of data protection is ensured by:
- an adequacy decision of the European Commission under Article 45 GDPR.
- Standard data protection clauses in accordance with Article 46 (2) (c) and (d) GDPR.
The data processor may engage as sub-processors the companies listed at www.storyblok.com/subprocessors. The Data Controller authorises the Data processor to engage the sub-processors listed on the Data processor’s website (www.storyblok.com). The Data Controller retains a right to object; if the Data Controller objects to any change under this clause on reasonable grounds, the Data processor will respond and both parties will seek a joint solution. If the agreement is terminated for such a reason, the Data processor will not refund prepaid fees for the fee period concerned. Without prejudice to the Data Controller’s rights under this clause, the Data processor will (at the Data Controller’s request) discuss in good faith with the Data Controller how to resolve the Data Controller’s objections.
Authorisation to use the Sub-Processors listed on the website is deemed to have been granted. The Data processor undertakes:
- to ensure, by written agreement, that all authorised sub-processors comply with the same obligations that apply to the Data processor under this DPA; the Data processor shall, upon request, submit to the Data Controller a copy of the written agreement entered into with the respective sub-processor;
- to assume full liability towards the Data Controller for the fulfilment of all obligations of the sub-processors under said written agreement;
- to ensure that neither the Data processor and its employees nor any third party entrusted by the Data processor with supporting functions in the provision of the Services will dispose of, reassign or reuse any device or electronic, magnetic or other medium that is being used or has been used to store personal data, or any other data generated, obtained, stored or used for the purposes of this DPA, without first ensuring that such data has been completely removed or otherwise securely deleted.
9. TERMINATION OF CONTRACTUAL RELATIONSHIP
(1) This DPA shall continue in force until the termination of the Service (the “Termination Date”).
(2) Upon termination of this DPA, the Data processor shall permanently erase, or completely block access to, all business-related information, documentation and data provided by the Data Controller, including Personal Data created in connection with this DPA, unless there is a legal obligation to retain the Personal Data (see Art. 28 para. 3 lit. g GDPR). The Data processor shall confirm the return, destruction, erasure or blocking of all information and records no later than 30 days after the Data Controller’s request. The same applies to sub-processors.
(1) The data processor bears the burden of proving that it is not responsible for a damage, insofar as the relevant data was processed under this agreement.
(2) The data processor is liable to the data controller for all damages culpably caused by its personnel or by other persons it has commissioned in fulfilling the obligations under the main agreement.
(3) Paragraphs (1) and (2) do not apply if the damage results from the data processor’s correct fulfilment of its obligations or of the data controller’s instructions.
11. LIMITATION OF LIABILITY
Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the section of the Agreement entitled ‘Limitation of Liability’ and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this DPA).
(1) Even after termination of the main contract, both parties remain obliged to treat as confidential all knowledge of the other party’s business secrets and data security measures obtained within the scope of this agreement. If there is doubt whether information falls under this confidentiality obligation, it must be treated as confidential until the other party gives written approval otherwise.
(2) Should property of the data controller held by the data processor be endangered by actions of a third party (seizure or confiscation), by insolvency or composition proceedings, or by other circumstances, the data processor must notify the data controller without delay.
(3) Additional agreements must be made in writing and must explicitly refer to this agreement.
(4) If and to the extent any provision of this Agreement is held invalid or unenforceable at law, such provision will be deemed stricken from the Agreement and the remainder of the Agreement will continue in effect and be valid and enforceable to the fullest extent permitted by law.
(5) This Agreement is binding upon and inures to the benefit of the parties and their heirs, executors, legal and personal representatives, successors and assigns, as the case may be.
(6) This Agreement is to be governed and construed under the laws of Austria, without regard to its choice of law provisions. The parties agree that the jurisdiction and venue for any action to enforce this Agreement shall be the competent court in Linz, Austria.