For the purposes of this Exhibit, the following capitalized terms shall have the meaning specified below and other capitalized terms used but not defined in this Exhibit have the same meanings as set forth in the GTCS:
The Parties acknowledge that, for the purposes of this Exhibit A, where Data Protection Law applies, the Customer acts as the controller and ZN as the processor of Data to be processed, except where the Customer itself acts as processor (in which case Clause 12 applies). Accordingly, the Customer remains solely responsible for determining the means and the purposes of ZN’s Processing of Data under the Agreement.
ZN agrees that any Processing of Data by ZN in respect of which ZN acts as processor on behalf of the Customer shall be carried out in accordance with the Data Protection Law and the provisions of this Exhibit A.
Without prejudice to the independence of the Parties, the Data shall only be processed in accordance with the instructions of the Customer and solely for the Purposes, to the exclusion of any other purposes. The Customer hereby generally instructs ZN to process Data for the Purposes and to the extent necessary to provide the Services in compliance with ZN’s obligations under the Agreement.
Without prejudice to the independence of the Parties, ZN represents and warrants that ZN and any person acting under the authority of or on behalf of ZN and having access to the Data shall only process the Data in accordance with the instructions of the Customer, except in case of a legal obligation, and in accordance with the Data Protection Law. To this end, ZN shall inform and train all persons acting under its authority and having access to the Data about the provisions of Data Protection Law.
ZN acknowledges that Data cannot be transferred to any country outside the European Economic Area, except with the prior express written approval of the Customer.
ZN shall not engage any Subprocessor without prior general or specific written authorisation of the Customer. Where ZN engages a Subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this Exhibit shall be imposed on that Subprocessor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where such Subprocessor fails to fulfil its obligations under Data Protection Law, ZN shall remain fully liable to the Customer for the performance of such Subprocessor’s obligations.
The Customer hereby specifically authorizes ZN to engage:
The Customer hereby further generally authorizes ZN to engage any other Subprocessor provided that ZN informs the Customer of any intended changes concerning the addition or replacement of Subprocessors. The Customer will have the possibility to object to such addition or replacement on the basis of objective grounds.
With respect to each Subprocessor, ZN shall:
ZN shall not communicate, disclose or transfer, either free of charge or in return for payment, the Data to any other legal person or individual, except pursuant to the prior written instructions of the Customer and except where such communication, disclosure or transfer: (i) is necessary to perform the Services or for the Purposes; or (ii) is required by any applicable law, regulation, or governmental authority in which case ZN will, wherever possible, notify the Customer promptly in writing prior to complying with any such request for communication, disclosure or transfer and shall comply with all reasonable directions of the Customer with respect to such communication, disclosure or transfer.
ZN shall ensure – having regard to the state of technological development and the cost of implementing any such measures as well as the sensitive nature of the Data to be processed – that appropriate technical and organizational measures are taken against accidental or unauthorized destruction, accidental loss, as well as against alteration of, access to and any other unauthorized processing of the Data. Without limitation to the foregoing and without prejudice to those obligations contained in the applicable policies (if any) which may be communicated from time to time to ZN, ZN shall, in particular, take adequate technical and organizational measures to:
Appendix 1 to this Exhibit A includes a list of the technical and organizational security measures implemented by ZN as processor.
Without prejudice to Clause 7, ZN agrees to inform the Customer in writing without delay and, in any case, within three (3) business days of any accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Data.
Any additional organizational or security measures specifically required by the Customer will be subject to additional fees to be negotiated on a case-by-case basis.
ZN shall provide in a prompt manner such co-operation as is reasonably necessary to enable the Customer to ensure compliance with the Data Protection Law, including but not limited to providing co-operation where the Customer must respond to requests for exercising the Data Subject’s rights granted by Data Protection Law. In particular, ZN shall:
ZN shall, as soon as reasonably practicable and in any event in a manner that conforms to any time-scales set out in the Data Protection Law, provide the Customer with a copy of the Data that it processes, and/or correct or delete any inaccuracies in such Data, as directed by the Customer.
In case of any Data breach (defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”), ZN shall, without delay, notify the Customer of such breach. The notification must, at least: describe the nature of the Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned; describe the likely consequences of the Data breach; and describe the measures taken or proposed to be taken to address the Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
ZN shall, at the request of the Customer, submit its equipment used for the Processing of Data (if any) for audit of the Processing performed by ZN. Such audit shall be performed by the Customer or a third party (selected by the Customer and reasonably acceptable to ZN) to act on its behalf, at the Customer’s expense, at ZN’s offices or at another mutually agreed location during Normal Business Hours upon fifteen (15) days’ prior written notice. The Customer (or such third party) shall make reasonable endeavors to avoid causing any damage, injury, or disruption to ZN’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Audit reports shall only include detail sufficient to verify ZN’s compliance with its obligations under this Exhibit.
In carrying out any audit or inspection in accordance with this Clause 8, the Customer shall comply (and shall ensure that any appointed auditor and inspector complies) with any reasonable security or access procedures notified in writing by ZN to the Customer as well as with reasonable confidentiality obligations.
For the performance of the audit or inspection, the Customer will give a list of authorized person(s) (“Authorized Person”). ZN undertakes to give access to its premises to the Authorized Person provided that such Authorized Person:
ZN shall assist the Customer with any relevant data protection impact assessment and prior consultations with supervisory authorities or other competent data privacy authorities that would be required under Articles 35 or 36 of the GDPR, subject to terms and conditions and fees to be agreed upon on a case-by-case basis.
ZN shall ensure that any copies of Data in the possession of ZN are promptly, and in any event within one month of the date of cessation of the Services, returned to the Customer or destroyed (at the Customer’s option) upon the Customer’s notice and/or when they are no longer required for the performance of ZN’s obligations under the Agreement, whichever occurs first, and ZN shall delete existing copies unless Data Protection Law requires storage of the Data.
Without prejudice to Article 9 of the GTCS, ZN shall be liable for the Processing of the Data which is consigned to it by the Customer. ZN undertakes to indemnify and hold harmless the Customer, its directors and employees against any and all costs, charges, damages, expenses and losses (including costs incurred in recovering the same) that are incurred by the Customer as a result of any breach by ZN of any representation or warranty in this Exhibit A or the failure to comply with any of its obligations under this Exhibit A. Where a Subprocessor fails to fulfil its obligations under Data Protection Law, ZN shall remain liable to the Customer for the performance of such Subprocessor’s obligations.
In case the Customer itself acts as processor and engages ZN as subprocessor for carrying out specific Processing activities on behalf of a third party controller, the same data protection obligations imposed on the Customer by such third party controller will be applicable to ZN upon notification of such obligations by the Customer and express acceptance by ZN. The Parties agree to enter into such separate agreement as may be necessary for the Customer to comply with its obligations under its agreement with the third party controller.
Appendix 1 to Exhibit A – Technical and organizational security measures
ZN has implemented and will maintain appropriate technical and organizational security measures. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access.
ZN will adhere to the following technical and organizational security measures:
ZN will take all reasonable measures to:
ZN will take all reasonable measures to keep track of when users:
ZN will take all reasonable measures to ensure that a notification system is established that notifies ZN in real-time about any abnormal or suspicious activities such as personal data deletion.