Data Protection Agreement
This Data Processing Agreement (hereinafter referred to as DPA) by and between Saber B.V., a private limited liability company (besloten vennootschap met beperkte aansprakelijkheid) duly organized and existing under the Laws of the Netherlands, with its statutory seat (statutaire zetel) in Amsterdam, the Netherlands, and its offices at De Entree 201, 1101HG Amsterdam, the Netherlands and registered with the Dutch chamber of commerce under number 17182045 (Saber), and [●] (Customer).
Whereas:
A.
Saber is in the business of developing and selling software-as-a-service solutions for businesses with an aim to make sales teams more efficient, including but not limited to by:
I.
centralizing data across the tools sellers use including but not limited to a seller's CRM, content repository, and their productivity and communications tools;
II.
automating sales workflows;
III.
providing solutions for continuous learning and development for sellers (the Business).
B.
Customer has retained the Services of Saber under the Services Agreement.
C.
In doing so, Saber will be Processing Personal Data on behalf of Customer, whereby Saber will be acting as Data Processor and Customer will be acting as Data Controller.
D.
The Parties seek to implement this DPA to comply with the requirements of the GDPR.
E.
This DPA will be supplemental to the Services Agreement between the Parties, and this DPA will follow the terms thereof and definitions therein.
THEREFORE IT IS HEREBY AGREED as follows:
1. Definitions
1.1
Unless the context requires otherwise, capitalized terms and expressions are defined terms and expressions which will have the meaning as set out in this Section:
I.
Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to transmitted, stored, or otherwise processed Personal Data.
II.
Data Controller: a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
III.
Data Processing Agreement or DPA: this agreement including its appendices.
IV.
Data Processor: a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Data Controller.
V.
Data Subject: an identified or identifiable natural person to whom the processed Personal Data relates.
VI.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
VII.
Personal Data: any information relating to an identified or identifiable natural person (Data Subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
VIII.
Process, Processes, Processed or Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
IX.
Processing Purposes: the purposes for which Personal Data are processed, as described in Annex A.
X.
Services Agreement: has the meaning given to it in Recital (B).
XI.
Sub-Processors: those who process (part of) the Personal Data on behalf of the Data Processor.
XII.
Supervisory Authority: an independent public authority responsible for monitoring compliance with the law in relation to the Processing of Personal Data. In the Netherlands, this is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
2. Scope
During the term of the Services Agreement, Saber will process Personal Data on behalf of Customer and in accordance with applicable laws and regulations. The relevant Personal Data Processed under this DPA are described in Annex A. Saber Processes the Personal Data solely for the specified purpose or purposes of the Processing (the Processing Purposes), as described in Annex A, unless further written instructions are provided by Customer.
3. Nature of processing
3.1
Saber Processes the Personal Data solely on behalf of Customer and based on Customer’s instructions. Saber Processes the Personal Data only to the extent necessary for the performance of the Services Agreement and in accordance with the documented instructions of Customer. Customer may reasonably provide additional or different instructions in writing. Saber will follow all instructions from Customer regarding the Processing of Personal Data. Saber will immediately notify Customer if, in its opinion, an instruction is in violation of applicable laws and regulations concerning the Processing of Personal Data.
3.2
If Saber determines the purpose and means for the Processing of Personal Data, Saber will be considered a Data Controller for those Processing activities.
3.3
Without prejudice to any other contractual confidentiality obligation binding on Saber, Saber guarantees that all Personal Data will be treated as strictly confidential. In this regard, Saber will inform all its employees, representatives, and subcontractors (Sub-Processors, see Section 7) involved in this Processing of this confidentiality requirement and ensure that they will act accordingly.
4. Security of Personal Data
4.1
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk and severity for the rights and freedoms of natural persons, Saber shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. An overview of the security measures is included in Annex B.
4.2
In assessing the appropriate level of security, Saber shall take account of the risks that are presented by Processing, in particular from a Data Breach.
4.3
Saber will monitor security breaches and maintain a record of any security incidents.
4.4
In the event of a Data Breach, whether actual, potential, or suspected, Saber will notify Customer as soon as possible, but no later than 36 hours after Saber becomes aware of the breach. The notification will include all relevant information regarding the nature of the incident, the affected Personal Data, and any measures taken or to be taken to mitigate the consequences.
4.5
Saber will always investigate any Data Breach, determine an appropriate response, and take necessary measures, including potentially informing the Supervisory Authority and the Data Subjects.
5. Audit
Saber makes available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
6. Data Transfers
Saber will not transfer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of Customer. If Personal Data Processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
7. Sub-processors
Saber shall only grant Sub-Processors access to Personal Data with prior written consent from Customer, which consent shall not be unreasonably withheld. Saber confirms that a Sub-Processor shall be held to the same conditions as outlined in this DPA.
8. Data Subject Rights
When Customer receives a request from a Data Subject regarding the exercise of their rights under Chapter III of the GDPR, Saber will promptly cooperate.
9. Liability
9.1
Saber shall not be liable for any indirect, consequential, special, incidental, or punitive damages, including but not limited to loss of profits, business interruption, loss of data, or loss of goodwill, arising out of or in connection with this DPA.
9.2
Customer shall indemnify Saber against all claims, fines, and/or measures from third parties, including Data Subjects and the Supervisory Authority, brought against or imposed upon Saber due to a breach of the GDPR and/or other applicable laws and regulations concerning the Processing of Personal Data by Saber and/or Sub-Processors engaged by Saber, except for when Saber (or any Sub-Processor engaged by Saber) has materially breached the provisions of this DPA or provisions of the GDPR directly applicable to Saber as Processor.
10. Term
10.1
The term of the DPA shall be the same as the duration of the Services Agreement and begins upon signing. The DPA cannot be terminated independently from the Services Agreement. The DPA shall terminate automatically upon the termination of the Services Agreement.
10.2
Within two (2) months after the termination of the Services Agreement, Saber shall destroy or return all Personal Data and/or transfer it to Customer and/or another party designated by Customer, as chosen by Customer. All existing (other) copies of Personal Data, whether with Sub-Processors engaged by Saber or not, will be demonstrably permanently deleted or made inaccessible, unless storage of the Personal Data is legally required. Customer shall bear the costs for the destruction, return, and/or transfer of the Personal Data.
10.3
Obligations from the DPA that, by their nature, are intended to continue after the termination of the DPA, shall continue to apply after the termination of the DPA.
11. Applicable law and dispute resolution
11.1
The DPA and its execution are governed by Dutch law. Any disputes arising between the Parties in connection with the DPA shall be submitted to the competent court of the District Court of Amsterdam.
11.2
This DPA is an integral part of the Services Agreement. Therefore, all rights and obligations from the Services Agreement also apply to the DPA.
11.3
Deviations from this DPA are only valid if agreed upon in writing by the Parties.