Terms & Conditions – Exhibit A – Data Processing

1. Definitions

For the purposes of this Exhibit, the following capitalized terms shall have the meaning specified below and other capitalized terms used but not defined in this Exhibit have the same meanings as set forth in the GTCS:

• “Data Subject” shall mean an identified or identifiable individual, whose Data are processed;
• “Data Protection Law” shall mean (i) any directly applicable EU regulations (including but not limited to Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”)) as well as any delegated act in relation to the GDPR, national laws and decrees executing the GDPR and (ii) any similar applicable legislations from countries outside of the European Union;
• “Data” shall mean any personal data as defined in the Data Protection Law of which the Customer is the data controller and which is processed by ZN as data processor in the framework of the Services;
• “Processing” shall mean the “processing” as defined in the Data Protection Law of the Data of each Data Subject by ZN on behalf of the Customer, which includes the processing of the Data by ZN and the transfer of the Data to the Customer;
• “Purposes” shall mean the limited, specific and legitimate purposes of the Processing, namely the performance of the Services;
• “Subprocessor” shall mean any person (excluding an employee of ZN) appointed by or on behalf of ZN to process Data on behalf of the Customer.

2. Qualification

The Parties acknowledge that, for the purposes of this Exhibit A, where Data Protection Law applies, the Customer acts as the controller and ZN as the processor of Data to be processed, except where the Customer itself acts as processor (in which case Clause 12 applies). Accordingly, the Customer remains solely responsible for determining the means and the purposes of ZN’s Processing of Data under the Agreement.

3. Processing of Data

ZN agrees that any Processing of Data by ZN in respect of which ZN acts as processor on behalf of the Customer shall be carried out in accordance with the Data Protection Law and the provisions of this Exhibit A.

Without prejudice to the independence of the Parties, the Data shall only be processed in accordance with the instructions of the Customer and solely for the Purposes, to the exclusion of any other purposes. The Customer hereby generally instructs ZN to process Data for the Purposes and to the extent necessary to provide the Services in compliance with ZN’s obligations under the Agreement.

Without prejudice to the independence of the Parties, ZN represents and warrants that ZN and any person acting under the authority of or on behalf of ZN and having access to the Data shall only process the Data in accordance with the instructions of the Customer, except in case of a legal obligation, and in accordance with the Data Protection Law. To this end, ZN shall inform and train all persons acting under its authority and having access to the Data about the provisions of Data Protection Law.

4. Subprocessing – Onward transfer of Data

ZN acknowledges that Data cannot be transferred to any country outside the European Economic Area, except with the prior express written approval of the Customer.

ZN shall not engage any Subprocessor without prior general or specific written authorisation of the Customer. Where ZN engages a Subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this Exhibit shall be imposed on that Subprocessor by way of a written agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Where such Subprocessor fails to fulfil its obligations under Data Protection Law, ZN shall remain fully liable to the Customer for the performance of such Subprocessor’s obligations.

The Customer hereby specifically authorizes ZN to engage:

• [insert company name], a company incorporated and existing under the laws of [tbc], with its registered office at [tbc];
• [insert company name], a company incorporated and existing under the laws of [tbc], with its registered office at [tbc];

The Customer hereby further generally authorizes ZN to engage any other Subprocessor provided that ZN informs the Customer of any intended changes concerning the addition or replacement of Subprocessors. The Customer will have the possibility to object to such addition or replacement on the basis of objective grounds.

With respect to each Subprocessor, ZN shall:

• carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Data required by this Exhibit;
• ensure that the EU Standard Contractual Clauses regarding the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (hereinafter the “EU Standard Contractual Clauses”) are at all relevant times signed between the Customer and the Subprocessor if the engagement of such Subprocessor involves a transfer to a country located outside of the European Economic Area which does not ensure an adequate level of data protection and where no appropriate safeguard exists (hereinafter the “Restricted Transfer”). For the purposes of this obligation, the Customer hereby grants to ZN a mandate (proxy) to enter into EU Standard Contractual Clauses in the name and on behalf of the Customer with the Subprocessors; and
• provide to the Customer for review such copies of the agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Agreement) as the Customer may request from time to time.

ZN shall not communicate, disclose or transfer, either free of charge or in return for payment, the Data to any other legal person or individual, except pursuant to the prior written instructions of the Customer and except where such communication, disclosure or transfer: (i) is necessary to perform the Services or for the Purposes; or (ii) is required by any applicable law, regulation, or governmental authority in which case ZN will, wherever possible, notify the Customer promptly in writing prior to complying with any such request for communication, disclosure or transfer and shall comply with all reasonable directions of the Customer with respect to such communication, disclosure or transfer.

5. Security

ZN shall ensure – having regard to the state of technological development and the cost of implementing any such measures as well as the sensitive nature of the Data to be processed – that appropriate technical and organizational measures are taken against accidental or unauthorized destruction, accidental loss, as well as against alteration of, access to and any other unauthorized processing of the Data. Without limitation to the foregoing and without prejudice to those obligations contained in the applicable policies (if any) which may be communicated from time to time to ZN, ZN shall, in particular, take adequate technical and organizational measures to:

1. ensure that access to the Data is only granted to persons acting under its authority and strictly on a need-to-know basis;
2. deny unauthorized persons access to data processing systems within which the Data is processed (access control);
3. prevent the use of data processing systems by unauthorized persons (access control);
4. ensure that persons authorized to use a data processing system are only able to access the Data to which their access privileges apply (access control);
5. ensure that the Data cannot be read, copied, modified or removed without the authorization of ZN during electronic transfer or during transport or storage on data media and that it is possible to check and determine to whom communication of the Data is made through data transfer facilities (checking the identity of any person who forwards the Data and any person to whom the Data is forwarded);
6. ensure that the Data is only processed in accordance with the Customer’s instructions (instruction checking);
7. ensure the reliability of any employee, agent or contractor of the Customer or any Subprocessor and that they are subject to confidentiality obligations (reliability and confidentiality);
8. ensure that the Data is protected against accidental destruction or loss (availability checking);
9. ensure that pseudonymisation and encryption of Data are used where possible; and
10. ensure that Data processed for other purposes can be processed separately (separation checking).

Appendix 1 to this Exhibit A includes a list of the technical and organizational security measures implemented by ZN as processor.

Without prejudice to Clause 7, ZN agrees to inform the Customer in writing without delay and, in any case, within three (3) business days of any accidental or unlawful destruction or accidental loss or damage, alteration, unauthorized disclosure or access to the Data.

Any additional organizational or security measures specifically required by the Customer will be subject to additional fees to be negotiated on a case-by-case basis.

6. Cooperation

ZN shall provide in a prompt manner such co-operation as is reasonably necessary to enable the Customer to ensure compliance with the Data Protection Law, including but not limited to providing co-operation where the Customer must respond to requests for exercising the Data Subject’s rights granted by Data Protection Law. In particular, ZN shall:

• promptly notify the Customer if ZN or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Data; and
• ensure that ZN and/or any Subprocessor only responds to such request upon express written instructions of the Customer or as required by applicable laws to which ZN and/or the Subprocessor is subject, in which case ZN shall to the extent permitted by applicable laws inform the Customer of that legal requirement before ZN and/or the Subprocessor responds to the Data Subject’s request.

ZN shall as soon as reasonably practicable and in any event in a manner that conforms to any time-scales set out in the Data Protection Law, provide the Customer with a copy of the Data that it processes, and/or correct or delete any inaccuracies in such Data, as directed by the Customer.

7.  Data breach

In case of any Data breach (defined by the GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”), ZN shall, without delay, notify the Customer of such breach. The notification must, at least, describe the nature of the Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned, describe the likely consequences of the Data breach, describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Audit and inspection

ZN shall, at the request of the Customer, submit its equipment used for the Processing of Data (if any) for audit of the Processing performed by ZN. Such audit shall be performed by the Customer or a third party (selected by the Customer and reasonably acceptable to ZN) to act on its behalf, at the Customer’s expense, at ZN’s offices or at another mutually agreed location during Normal Business Hours upon fifteen (15) days prior written notice and shall make reasonable endeavors to avoid causing any damage, injury, or disruption in ZN premises, equipment, personnel and business while its personal are on those premises in the course of such an audit or inspection. Audit reports shall only include detail sufficient to verify ZN’s compliance with its obligations under this Exhibit.

In carrying out any audit or inspection in accordance with this Clause 8, the Customer shall comply (and shall ensure that any appointed auditor and inspector complies) with any reasonable security or access procedures notified in writing by ZN to the Customer as well as with reasonable confidentiality obligations.

For the performance of the audit or inspection, the Customer will give a list of authorized person(s) (“Authorized Person”). ZN undertakes to give access to its premises to the Authorized Person provided that such Authorized Person:

• produces reasonable evidence of identity;
• works during normal business hours of ZN unless the audit needs to be conducted on an emergency basis.

9.  Data Protection Impact Assessment

ZN shall assist the Customer with any relevant data protection impact assessment and prior consultations with supervisory authorities or other competent data privacy authorities that would be required under Articles 35 or 36 of the GDPR, subject to terms and conditions and fees to be agreed upon on a case-by-case basis.

10. Deletion or return of Data

ZN shall ensure that any copies of Data in the possession of ZN are promptly, and in any event within one month of the date of cessation of the Services, returned to the Customer or destroyed (at the Customer’s option) upon the Customer’s notice and/or when they are no longer required for the performance of ZN’s obligations under the Agreement, whichever occurs first, and ZN shall delete existing copies unless Data Protection Law requires storage of the Data.

11. Liability

Without prejudice to Article 9. of the GTCS, ZN shall be liable for the Processing of the Data which is consigned to it by the Customer. ZN undertakes to indemnify and hold harmless the Customer, its directors and employees against any and all costs, charges, damages, expenses and losses (including costs incurred in recovering same), that are incurred by the Customer as a result of any breach by ZN of any representation or warranty in this Exhibit A or the failure to comply with any of its obligations under this Exhibit A. Where a Subprocessor fails to fulfil its obligations under Data Protection Law, ZN shall remain liable to the Customer for the performance of such Subprocessor’s obligations.

12. Subprocessing

In case the Customer itself acts as processor and engages ZN as subprocessor for carrying out specific Processing activities on behalf of a third party controller, the same data protection obligations imposed to the Customer by such third party controller will be applicable to ZN upon notification of such obligations by the Customer, and express acceptance by ZN. The parties agree to enter into such separate agreement as may be necessary for the Customer to comply with its obligations under its agreement with the third party controller.

Appendix 1 to Exhibit A – Technical and organizational security measures

ZN has implemented and will maintain appropriate technical and organizational security measures. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, disclosure or access.

ZN will adhere to the following technical and organizational security measures:

1. ZN will take all reasonable measures to control who gets to access personal data.

ZN will take all reasonable measures to:

• Devise proper access controls including, physical access controls, and restrict personal data access.
• Grant personal data handling access only to privileged users.

2. ZN will take all reasonable measures to audit user behavior.

ZN will take all reasonable measures to keep track when users:

• Access our personal data storage platform (whether that is a server, database, or cloud application).
• Alter personal data (e.g.  modify, delete, or rename files).
• Perform access modifications, permission changes, and privilege escalations with respect to personal data access.

3. ZN will take all reasonable measures to get real-time insights.

ZN will take all reasonable measures to ensure that a notification system is established that notifies ZN in real-time about any abnormal or suspicious activities such as personal data deletion.