1. Definitions
The terms “Personal Data” (or “PD”), “Data Controller”, “Processor”, “Sub-processor”, “Data Subject”, “personal data breach”, “processing”, and “supervisory authority” shall have the meanings assigned to them in the GDPR, and related terms shall be interpreted accordingly.
2. Context and Roles
As part of the Services under the Agreement and the information exchanged or accessed in connection with the Agreement, including Article 9 of the GTC:
• For any processing of PD, each Party agrees to comply with its obligations under Data Protection Legislation.
• The Parties exchange PD consisting of professional contact data (professional identification) of the other Party, necessary for the performance of the Agreement, and each acts as a Data Controller in this context.
• The Client is the Data Controller if it determines the purposes and means of processing Client Data containing PD.
• When the Provider processes Client Data containing PD on behalf of the Client, the Provider acts as a Processor.
• The Provider is a Sub-processor if the Client itself acts as a Processor.
This Annex defines:
• The case of exchanging PD of professional contact data between the Parties.
• The rights and obligations of the Parties when the Provider acts as a Processor (or Sub-processor).
The processing details are outlined in Annex A “Description of the Processing of PD”, and the security measures are specified in Annex B.
3. Exchange of PD – Professional Contacts
Each Party may process the PD referred to as “professional contact data” of the other Party in the performance of the Agreement. This may include the following identification data: names, titles, and professional contact details (email address, IP address) of the individuals from each Party involved in the partnership.
Each Party will process the professional contact PD of the other Party as a Data Controller for the following purposes:
(i) providing administrative services, managing client or partner relationships, including communication about service offerings, contractual monitoring, and technical support for IT systems used by each Party for its activities;
(ii) hosting such systems and providing maintenance, archiving, or backup services;
(iii) conducting quality reviews and statistical studies;
(iv) complying with legal, regulatory, or professional body requirements; together referred to as the “Processing Purposes.”
Each Party agrees to comply with Data Protection Legislation concerning the processing of this PD, including:
• Processing the PD lawfully, fairly, and transparently, within the limits of the Processing Purposes, while respecting data minimization principles and updating the data as needed.
• Not retaining the PD beyond the duration necessary for the Processing Purposes.
• Processing the PD within the EU or adhering to GDPR-compliant transfer mechanisms.
• Engaging Sub-processors for this processing only after ensuring they provide sufficient guarantees.
• Implementing appropriate organizational and technical measures to ensure the security, integrity, and confidentiality of the PD, and being able to demonstrate compliance with GDPR.
4. Processing of PD on behalf of the Client
4.1 Obligations of the Client
As the Data Controller, the Client is responsible for the effective compliance of the data processed and the processing it implements, including processing subcontracted to the Provider. Under the Agreement, the Provider is not responsible for ensuring this effective compliance or advising the Client on Data Protection Legislation concerning the Client’s processing.
The Client guarantees the Provider that the processing in question is based on the legal grounds under Data Protection Legislation and complies with its requirements, that it has fulfilled its obligations, including ensuring the PD was collected lawfully and fairly relative to the processing purpose, and that it has informed Data Subjects of the use of their PD. The Client also ensures it holds and maintains all rights, permissions, registrations, and consents required under Data Protection Legislation for the Provider to process and transfer PD for the performance of the Agreement.
The Client indemnifies the Provider against any damage resulting from claims against the Provider for breaches of these guarantees.
The Client agrees to document, in writing, any instructions regarding the processing of PD by the Provider and instructs the Provider to carry out the processing described in Annex A.
The Client agrees to provide the Provider with all necessary information for proper subcontracting, including providing, within five (5) days of the Agreement, the contact details (name, surname, email) of its Data Protection Officer (or the relevant data protection contact, as applicable).
The Client ensures compliance with Data Protection Legislation obligations by the Provider through audits as outlined in the “Audit” Article.
4.2 Obligations of the Provider
Subject to the liability provisions of the GTC, the Provider shall make its best efforts to preserve the security, integrity, and confidentiality of Client Data, as required by law.
When acting as a Processor, the Provider guarantees to implement, where applicable, the appropriate technical and organizational measures to ensure that processing performed on behalf of the Client complies with Data Protection Legislation, as listed in Annex B.
The Provider:
• Processes PD solely for the purpose(s) outlined in Annex A.
• Processes PD only following documented instructions from the Client and complies with GDPR provisions concerning transfers outside the EU.
• Informs the Client if an instruction constitutes a violation of Data Protection Legislation and may suspend processing until the instruction is clarified.
• Ensures personnel authorized to process PD are committed to confidentiality.
• Notifies the Client of any PD breaches promptly and assists in notifications to the supervisory authority and Data Subjects, as needed.
• Deletes or returns all PD at the end of the Services unless otherwise required by law.
• Provides the Client with all necessary information to demonstrate compliance and allow for audits as per the “Audit” Article.
In assisting the Client, the Provider agrees to:
• Support the Client in addressing Data Subject requests concerning their rights by forwarding any received requests directly to the Client.
• Aid the Client in ensuring security obligations are met through technical and organizational measures.
• Assist with breach notifications, Data Protection Impact Assessments, and prior consultations with supervisory authorities, providing necessary documentation.
4. Assistance
The Parties agree that any assistance provided by the Provider to the Client under this clause is carried out taking into account the nature of the processing, the level of information available to the Provider from the Client, and within the limits of the Provider’s obligations. Requests for assistance shall be subject to a specific agreement between the Parties.
4.3 Transfers
In the event of an instruction from the Client involving a transfer of PD to a country outside the European Union, the Client guarantees the Provider that such transfers will be carried out in compliance with the requirements of Data Protection Legislation.
The Client agrees to the transfer of PD by the Provider outside the European Union provided that the transfer is based on:
(i) a decision by the European Commission confirming that the third country, a territory or one or more specific sectors in that third country, or the international organization concerned ensures an adequate level of protection; or
(ii) the European Commission’s Standard Contractual Clauses, with the Client authorizing the Provider to sign said Standard Contractual Clauses with its sub-processors located outside the European Union on behalf of and for the Client; or
(iii) appropriate safeguards as described in Article 46 of the GDPR; or
(iv) one of the conditions set out in Article 49 of the GDPR.
4.4 Audit
The Provider shall make available to the Client, upon written request, all reasonably necessary information to demonstrate compliance with this Annex.
If the information provided is insufficient, the Client may, during the term of the Agreement, conduct an audit at its own expense and responsibility to verify compliance with Data Protection Legislation, subject to the following conditions:
• Such audits may occur no more than once per contractual year and must be justified by legitimate grounds.
• The audit must be notified to the Provider at least thirty (30) Business Days prior to the intended implementation date via a registered letter with acknowledgment of receipt, detailing the audit protocol, methods, and data to be audited.
• The audit will be conducted by the Client or a third party designated by the Client, provided that the third party is not a direct or indirect competitor of the Provider and has signed a confidentiality agreement, a copy of which will be submitted to the Provider for approval.
• On-site audits must be conducted during the Provider’s normal working hours over a reasonable period not exceeding two (2) business days and will be subject to the Provider’s security policies. The Client shall ensure its auditors minimize disruptions to the Provider’s operations.
Under no circumstances shall the Provider be required to disclose internal documents, including financial, accounting, or client-related information. The Client assumes full responsibility for any consequences of the audit on the Provider’s ability to perform its contractual Services.
Audit results will be discussed and validated by the Parties. Audit costs, including any additional expenses or time spent by the Provider, shall be borne by the Client.
4.5 Subcontracting
The Provider reserves the right to engage Sub-processors, including third-party hosting providers, for the provision of Services. These Sub-processors are listed in Annex A.
The Provider imposes obligations equivalent to those set out in this Annex on its Sub-processors via contractual agreements. The Provider remains liable to the Client in accordance with the provisions of this Annex.
In case of changes to the list of Sub-processors in Annex A, such as the addition or replacement of a Sub-processor, the Provider shall notify the Client, who may raise objections to these changes. The Client must submit objections within ten (10) calendar days of receiving the notification, providing reasonable and documented grounds concerning the Sub-processor’s non-compliance with Data Protection Legislation.
If no objections are raised within this period, the changes will be deemed accepted. In case of an objection, the Parties shall cooperate in good faith to find a commercially reasonable solution to prevent the contested Sub-processor from processing PD. Failing an agreement, the Client may terminate the affected Services as its sole remedy.
5. Amendments
The Parties may occasionally adjust or modify this Annex under the following circumstances:
(i) upon the request of a supervisory authority or any other governmental or regulatory entity,
(ii) if necessary to comply with Data Protection Legislation, or
(iii) if reasonably required by the Parties.
Annex A may also be updated by notification for the following purposes:
(i) to reflect updates to processing instructions, or
(ii) to include changes or additions of Sub-processors.
The technical and organizational security measures implemented by the Provider are detailed in Annex B in its current version. The Provider reserves the right to update this technical annex regularly and will notify the Client of such updates.
The modifications will be discussed in good faith and may affect the pricing or execution of the Services. If new specific requirements arising from PD processing significantly increase the Provider’s workload, the Parties will agree to an amendment to define the terms, including financial conditions, of this extension.