Data Processing Addendum
A data processing addendum, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes.
Below you will find the draft of the Data Processing Addendum that is part of the Agreement as written and understood in our Terms & Conditions.
Data Processing Addendum
This Data Processing Addendum ("DPA") forms an integral part of the Agreement (as defined in the Terms and Conditions) between Maoni ("Controller") and the Customer ("Processor") (collectively referred to as the "Parties").
The purpose of this DPA is to define the terms and conditions (the terms) under which Processor shall Process Personal Data on behalf of Controller. As used herein, all terms, except as otherwise indicated, shall have the respective meanings ascribed to them in the Terms. This DPA shall be effective as of the date the Controller and Processor agree to these terms ("Start date").
The Service Provider acknowledges that the Customer is a Controller of Personal Data relating to its employees and clients. Pursuant to this Addendum, the Customer hereby entrusts data processing to the Service Provider to the extent specified below and in the Terms, and the Service Provider undertakes to process entrusted data according to this DPA and the Customer's instructions.
Now therefore, for good and valuable consideration, the sufficiency and receipt of which is hereby acknowledged, the Service Provider and the Customer agree to add the following provisions to the Terms, notwithstanding anything to the contrary in the Underlying Agreement:
1. Definitions
1.1 "Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2 "Process" or "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.3 "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
1.4 "EU Privacy Law" means EU Regulation 2016/679 (the General Data Protection Regulation) and any applicable national legislation made under or pursuant to it; and EU Directive 2002/58/EC and any applicable national legislation implementing it; in each case as amended or superseded.
1.5 "Service" or "Services" means the services to be provided by Processor to Controller as set out in the Agreement.
1.6 "Sub-Processor" means any third-party processor engaged by the Processor for the processing of Personal Data on behalf of the Controller.
1.7 "Controller" means an entity that determines the purposes and means of processing Personal Data.
2. Processing of Personal Data
2.1 The Parties acknowledge and agree that Controller is the Controller of Personal Data and Processor is the Processor of Personal Data.
2.2 Processor shall Process Personal Data on behalf of Controller only for the purposes of providing the Services, unless Processing is required by applicable law to which Processor is subject.
3. Obligations of the Processor
3.1 Processor shall Process Personal Data only in accordance with this DPA, unless Processing is required by applicable law to which Processor is subject, in which case Processor shall inform Controller of such legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2 Processor shall ensure that all personnel who have access to and/or Process Personal Data are obliged to keep the Personal Data confidential.
3.3 Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Personal Data to be protected, taking into account the state of the art and the cost of their implementation.
3.4 Processor shall ensure that access to Personal Data is limited to those personnel who require access to such Personal Data in order to provide the Services.
3.5 Processor shall provide assistance to Controller, where possible, in order to enable Controller to comply with its obligations as a Controller under the GDPR.
4. Data Subject Rights
4.1 Processor shall, to the extent legally permitted, promptly notify Controller if Processor receives a request from a Data Subject for access to, correction, or deletion of that Data Subject's Personal Data.
4.2 Processor shall, to the extent legally permitted, promptly forward any Data Subject request for access to, correction, or deletion of Personal Data to Controller.
4.3 Taking into account the nature of processing, the Service Provider shall assist the Customer, by taking appropriate technical and organizational measures, in so far as this is possible, in the fulfilment of the Service Provider’s obligation to respond to requests for exercising the data subjects’ rights laid down, inter alia, in Chapter III of the GDPR.
4.4 The Service Provider shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Service Provider.
5. Security Breaches
5.1 After finding a breach of personal data protection leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data sent, stored or otherwise processed, the Service Provider notifies the Customer about it without undue delay.
6. Subprocessing
6.1 Controller hereby consents to Processor engaging third-party sub-processors to Process Personal Data on behalf of Controller.
6.2 The Service Provider may engage another processor (Sub-processor) by way of a written contract (general consent within the meaning of Article 28 paragraph 2 of the GDPR). Such contract shall set out the same data protection obligations as in this DPA. The list of current sub-processors is available on Controller’s request or on the Service Provider’s website at www.maoni.eu/sub-processors. The Service Provider undertakes to keep the list up to date and the Controller should constantly review the list of Sub-processors for any objection, which should be granted within 7 days of the entity being named on the list.
7. Guaranties
7.1 The Customer guarantees that the personal data entrusted to the Service Provider has been collected in accordance with the law and that the Customer has an appropriate legal basis for its processing.
8. Term and Termination
8.1 This DPA shall remain in force and effect for the duration of the Agreement.
8.2 Upon termination of the Agreement, Processor shall, at the choice of Controller, either return or destroy all Personal Data Processed under this DPA and certify to Controller that it has done so, unless applicable law requires storage of the Personal Data.
9. Governing Law and Jurisdiction
9.1 This DPA shall be governed by and construed in accordance with the laws of the State of Florida and of the United States of America.
9.2 Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Florida in the United States of America.
10. Not Legal Advice
10.1 The Service Provider may provide recommended terms and conditions, privacy policy or disclosure language to the Customer. The Customer acknowledges that it shall not rely on such recommended language as, or as a substitute for, legal advice, and that the Customer itself is solely responsible for any disclosures in its terms and conditions, privacy policies or on its websites.
11. Cooperation
11.1 If either Party receives any inquiry, complaint or correspondence (a Third Party Notice) from an individual, regulator, or other third party concerning the processing of Customer's employees'/clients' Personal Data in connection with the Services, it shall promptly inform the other Party, and the Parties shall cooperate in good faith and as reasonably necessary to address the requirements of such Third Party Notice.
To the extent there is a conflict between the Terms and this Addendum, the terms of this Addendum shall govern and prevail.