Nitro Sign Premium and Identity Hub EU GDPR Data Processing Addendum
THIS DATA PROCESSING ADDENDUM APPLIES IF YOU HAVE SIGNED UP FOR NITRO SIGN PREMIUM OR NITRO IDENTITY HUB UNDER THE NITRO TERMS OF SERVICE FOR NITRO SIGN PREMIUM AND NITRO IDENTITY HUB AND THE EU GDPR APPLIES TO THE PROCESSING OF PERSONAL DATA IN THE CONTEXT OF THE AGREEMENT.
1. SCOPE; ROLES OF THE PARTIES
Nitro will receive and process Personal Data for the benefit and on behalf of the Customer when providing the Services, according to the instructions and purpose defined by the Customer in the Data Processing Details. By means of this Data Processing Addendum, Parties wish to lay down their specific agreements in respect to processing Personal Data within the framework of the Agreement.
By default, Nitro shall act as a Processor and the Customer shall act as a Controller in respect of the Services provided by Nitro to the Customer pursuant to the Nitro Terms of Service. This Data Processing Addendum supersedes and replaces all previous agreements made (if any) in respect of processing Personal Data and data protection between the Parties related to the Services offered by Nitro.
This Data Processing Addendum supplements and forms part of the Terms of Service, and together the Terms of Service and this Data Processing Addendum constitute a single legal agreement between the Parties. In case of discrepancies or contradictions between this Data Processing Addendum and the Terms of Service, the Data Processing Addendum will prevail.
2. DEFINITIONS
“Controller” refers to the Customer as identified in the Terms of Service and the applicable Order Form;
“Data Processing Details” means the data processing details as included in the Order Form and which includes more details on the Customer’s instructions on the processing of Personal Data such as the purpose, object and nature of processing and the kind of Personal Data being processed;
“EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Personal Data” means personal data as defined under EU GDPR that Nitro processes for the benefit and on behalf of the Customer when providing the Services according to the instructions and purpose defined by the Customer in the Data Processing Details;
“Processor” refers to Nitro Software Belgium NV, supplier of the Services to the Customer and as identified in the Terms of Service;
“Sub-processor List” refers to the list of Sub-processors as made available online by Nitro that includes the Sub-processors engaged by Nitro for the provisioning of the Services and the fulfillment of Nitro’s obligations under the Data Processing Addendum in general. Nitro may update the Sub-processor List from time to time as per the process set out in this Data Processing Addendum;
“Sub-processor” means any third party processor engaged by Nitro for the processing of Personal Data related to the provisioning of the Services to the Customer;
All other terms and definitions written with capital letters and which are not defined expressly in this Data Processing Addendum, are defined as set out in the applicable data protection legislation or Nitro’s Terms of Service.
3. OBJECT OF THIS DATA PROCESSING ADDENDUM
3.1 This Data Processing Addendum determines the conditions of the processing by Nitro of Personal Data communicated by or at the initiative of the Customer in the context of the Agreement. The nature and purpose of the processing, a list and the kind of Personal Data as well as the categories of the Data Subjects are listed in the Data Processing Details.
3.2 The processing will exclusively take place for the benefit of the Customer and for the purpose as defined by the Customer in the Data Processing Details. Nitro shall immediately inform the Customer if, in its opinion, an instruction infringes the applicable (data protection) legislation. Nitro will only process the Personal Data according to the documented instructions of the Customer and will not use these Personal Data for its own purpose, unless as explicitly permitted in the Terms of Service. If Nitro is legally obliged to proceed with any processing of Personal Data, Nitro will, unless this would violate applicable mandatory rules, inform the Customer of such obligation.
4. TERM
4.1 This Data Processing Addendum is applicable to all processing of Personal Data executed in the context of the provisioning of the Services to the Customer by Nitro and applies as long as Nitro processes Personal Data on behalf of the Customer in the context of the Agreement. This Data Processing Addendum supplements the Nitro Terms of Service and is meant to ensure the Parties’ compliance with the requirements imposed by the applicable data protection laws and regulations for Customer´s use of the Services.
4.2 This Data Processing Addendum ends automatically upon termination of the Agreement (or at the moment the processing by Nitro is terminated). The provisions of this Data Processing Addendum that are either expressly or implicitly (given their nature) intended to have effect after termination of the Data Processing Addendum shall survive the end of the Agreement with regard to the Personal Data communicated by or at the initiative of the Customer in the context of the Agreement.
5. TECHNICAL AND ORGANIZATIONAL MEASURES
5.1 Nitro offers adequate guarantees with regard to the implementation of appropriate technical and organizational measures (“TOMs”) to ensure secure processing of Personal Data and so the protection of the Data Subject's rights are guaranteed. The TOMs implemented by Nitro are as set out in the Data Processing Details. The TOMs may be updated by Nitro from time to time, however Nitro will ensure not to downgrade the overall security it has implemented at the moment of the Data Processing Addendum’s execution. The Customer acknowledges the TOMs to be adequate for the processing of its Personal Data at the moment of signing or accepting this Data Processing Addendum.
5.2 Nitro shall take all appropriate technical and organizational measures as referred to in article 32 EU GDPR to ensure an adequate level of security appropriate to the risk.
5.3 If the Customer provides sensitive Personal Data as referred to in articles 9 and 10 EU GDPR to Nitro in the context of the Agreement, the Customer will include such information in the Data Processing Details.
5.4 In case the Customer is requesting specific technical and organizational measures to be implemented by Nitro (which Nitro has not implemented by default), the Customer will reimburse Nitro for implementing such additional measures according to Section 14 “Costs” of this Data Processing Addendum.
5.5 Adherence by Nitro to an approved code of conduct as referred to in article 40 EU GDPR, or an approved certification mechanism as referred to in article 42 EU GDPR may be used as an element of proof of sufficient guarantees as referred to in EU GDPR.
6. RETENTION
6.1 Nitro will not keep Personal Data any longer than required for processing of such Personal Data in the context of the Agreement. Customer will not instruct Nitro to store any Personal Data longer than necessary. The applicable retention period (as defined by the Customer) is set out in the Data Processing Details.
6.2 At the choice of the Customer, Nitro shall delete or return all Personal Data to the Customer after the end of the provisioning of Services and shall delete existing copies unless Union or Member State law requires storage of the Personal Data. Customer acknowledges the Services might include download functionalities at the disposal of the Customer to enable Customer to download its data. To the extent such functionalities are available, the Customer shall use such functionalities to extract or delete its data.
7. CONFIDENTIALITY
7.1 Parties have agreed on a confidentiality clause in the Terms of Service which applies to the processing of Personal Data in the context of the Agreement.
7.2 Nitro acknowledges and agrees that only those employees, contractors or agents of Nitro who are involved in the processing of Personal Data may be informed about the Personal Data and only to the extent as reasonably necessary for the performance of the Agreement. Nitro ensures that persons authorized to process the Personal Data are committed to confidentiality by contract or are under an appropriate statutory obligation of confidentiality.
8. DATA SUBJECT RIGHTS
8.1 Taking into account the nature of the processing, Nitro shall use all reasonable efforts, by taking appropriate technical and organizational measures, to assist the Customer in the fulfillment of its obligation to respond to requests from Data Subjects.
8.2 For all assistance performed by Nitro in the context of the treatment of such requests from Data Subjects, the Customer will reimburse Nitro in accordance with Section 14 “Costs” of this Data Processing Addendum. Such reimbursement by the Customer shall not apply (i) in case the Data Subject is invoking its rights because of a Personal Data Breach proven attributable to Nitro or (ii) in case such assistance by Nitro does not exceed four (4) hours of work during the Term of the Agreement.
9. DUTY TO NOTIFY
9.1 Upon becoming aware of a Personal Data Breach, Nitro shall notify the Customer thereof without undue delay by contacting the contact person indicated in the Agreement or the relevant Order Form (or alternatively via the Customer’s Notification Email Address). Nitro’s contact person for any data protection related matters can be contacted per email: privacy@gonitro.com.
9.2 At the request of the Customer, Nitro will inform the Customer of any new developments with regard to any Personal Data Breach and of the measures taken to limit its consequences and to prevent the repetition of such Personal Data Breach. It is the responsibility of the Customer to report any Personal Data Breach to the Supervisory Authority or the Data Subject(s), as required.
10. SUB-PROCESSING
10.1 The Customer expressly authorizes Nitro to engage Sub-processors for the processing of Personal Data for the performance of the Agreement and to facilitate the provisioning of the Services in general. To this extent, the Customer grants a general written authorization to Nitro to decide with which Sub-processor(s) Nitro cooperates for the fulfilment of its obligations under the Agreement. Nitro publishes a Sub-processor List referring to the Sub-processors engaged by Nitro.
10.2 Nitro will inform the Customer of any intended changes concerning the addition or replacement of Sub-processors via the Customer’s contact person indicated in the Agreement or the relevant Order Form (or via the Customer’s Notification Email Address). The Customer will have the right to object to the addition or replacement by addressing Nitro in writing. Parties will in such case discuss the addition, replacement or alternative in good faith and as soon as reasonably possible after the Customer's written notice of objection.
10.3 Where Nitro engages a Sub-processor for carrying out specific processing activities, the same or similar data protection obligations as set out in this Data Processing Addendum shall be imposed on that Sub-processor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organizational measures (and complying with the relevant technical and organizational measures). Where a Sub-processor fails to fulfil its data protection obligations, Nitro shall remain fully liable to the Customer for the performance of such Sub-processor’s obligation.
11. INTERNATIONAL DATA TRANSFERS
11.1 Customer authorizes international transfers of Personal Data for the purposes of providing the Services. Such international data transfers are considered an instruction of the Customer. Customer acknowledges that Sub-processors authorized under Section 10 may also process Personal Data in third countries. Customer permits such transfers, subject to Nitro taking all steps necessary to ensure such transfers comply with the provisions of Chapter V of the EU GDPR and other applicable data protection laws.
11.2 In case the transfer of Personal Data to a third country or an international organization is mandatory under applicable EU or Member State law to which Nitro is subject, Nitro shall be allowed to perform such transfer and shall inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
12. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
12.1 If Customer performs a Data Protection Impact Assessment (“DPIA”) (article 35 EU GDPR) or a prior consultation (article 36 EU GDPR) linked to the processing of Personal Data in the context of the performance of the Agreement, Nitro shall reasonably assist the Customer by providing assistance upon the Customer’s written request. The Customer will reimburse Nitro for assistance provided according to Section 14 “Costs” of this Data Processing Addendum. Such reimbursement of costs shall not apply in case (i) the assistance requested from Nitro is less than four (4) working hours during the Term of the Agreement, or (ii) the DPIA or prior consultation is triggered by a Personal Data Breach proven attributable to Nitro.
13. AUDIT RIGHT
13.1 Customer has the right to perform audits regarding the compliance by Nitro with its obligations under this Data Processing Addendum and the applicable data protection legislation. Nitro shall use its reasonable efforts to cooperate with such audits and to make available all information necessary to prove its compliance with its obligation. Customer shall notify Nitro of such audit at least one (1) month prior to the date on which the audit will be performed, by given written notice to Nitro via privacy@gonitro.com.
13.2 In case an audit is being performed, all parties involved shall first sign a specific non-disclosure agreement issued by Nitro with respect to such audit and the audit results before the start of the audit. Upon the performance of any such audit, the confidentiality obligations of the Parties with respect to third parties must be taken into account. Both the Parties and their auditors must keep the information collected in connection with an audit secret and use it exclusively to verify its compliance with this Data Processing Addendum and the applicable laws and regulations in respect of data protection. Customer has the option to perform the audit itself or to assign an independent auditor, however such independent auditor must duly sign the non-disclosure agreement referred to in this Section.
13.3 Both Parties and where applicable their representatives, shall reasonably cooperate, upon request, with the Supervisory Authority in the performance of its tasks.
13.4 Customer will reimburse Nitro for the assistance provided by Nitro in relation to audit(s) in accordance with Section 14 “Costs” of this Data Processing Addendum. It being understood, such reimbursement shall not apply in case (i) the audit is a result of a Personal Data Breach proven attributable to Nitro or, (ii) in case Nitro’s assistance does not exceed four (4) working hours during the Term of the Agreement.
14. COSTS
14.1 The assistance to be performed under this Data Processing Addendum for which Nitro may charge the Customer, will be charged on the basis of the hours worked and the applicable standard hourly rates of Nitro (195 EUR/hour taxes excluded). Nitro will invoice these amounts on a monthly basis but also has the right to request an upfront retainer fee.
14.2 The payment by the Customer to Nitro for the assistance and professional services provided by Nitro under this Data Processing Addendum will take place in accordance with the provisions in the Terms of Service.
15. LIABILITY
15.1 Subject to the maximum extent permitted under applicable law, the provisions of the Terms of Service concerning limitation of liability also apply to this Data Processing Addendum and the damages arising out of it.
16. MISCELLANEOUS
16.1 The provisions of the Terms of Service concerning changes, entire agreement, severability, applicable law and competent courts are applicable to this Data Processing Addendum.