Lobster – Data Processing Agreement

This Data Processing Agreement (“DPA”) applies between Customer and Supplier to the extent that the Parties have agreed on Customer’s subscription, access to and use of the Service in accordance with the Agreement between the Parties. Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Agreement.

1. General

1.1 This DPA forms an integral part of the Agreement and shall apply to all processing of personal data where Supplier processes personal data on behalf of Customer as data processor in accordance with applicable data protection legislation.

1.2 If and to the extent Customer submits or provides Customer Data to Supplier in accordance with the Agreement and such Customer Data contains personal data, Customer shall be considered the data controller of such personal data under EU regulation 2016/679 (“GDPR”) and Supplier will process, when providing the Service to Customer, such personal data on behalf of Customer as a data processor for the purposes of the Agreement.

1.3 As used in this DPA, “personal data” means personal data contained in Customer Data that Supplier processes on behalf of Customer as Customer’s data processor. For the avoidance of doubt, this DPA shall not apply to processing of personal data for which Supplier acts as an independent data controller in accordance with the Agreement or the GDPR.

1.4 The processing of personal data under this DPA is initially specified as follows, which may be further specified in writing between the Parties:

  • Subject matter and duration: Provision of the Service during the term of the Agreement.
  • Nature and purpose of the Processing: Making the Service and its functionalities available to Customer and its Users.
  • Types of personal data: Names, contact details and information regarding data subjects’ professional background and circumstances.
  • Categories of data subjects: Customer’s or its own customers or contractors’ representatives and employees, policymakers and other professionals.

1.5 Customer shall be responsible for having a legal basis to process the personal data submitted to Supplier for processing on behalf of Customer. Further, Customer is responsible for its lawful collection, processing and use of the personal data, and for the accuracy thereof, as well as for preserving the rights of the individuals concerned. Customer acknowledges that due to the nature of the Service, Supplier cannot control and has no obligation to verify the personal data that Customer submits to the Service for processing on behalf of Customer when Customer uses the Service.

2. Processing of Personal Data

2.1 Supplier shall only process personal data in accordance with this DPA and documented instructions from Customer, unless required to do so by Union or Member State law to which Supplier is subject. In such case, Supplier shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2 Customer’s instructions must be commercially reasonable, compliant with applicable data protection legislation and consistent with this DPA. If Customer’s instructions require additional measures or work to be performed by Supplier, then Supplier has the right to charge Customer for such additional measures or work on a time and materials basis in accordance with Supplier’s then current price for consulting services, subject to Customer’s prior approval of such additional costs.

2.3 Supplier shall immediately notify Customer in writing, if, in its opinion, an instruction of Customer infringes applicable data protection legislation. If Customer’s instructions are not compliant with the GDPR or any other applicable data protection legislation, Supplier is not required to comply with such Customer’s instructions.

3. Data Security

3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Supplier’s processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Supplier shall implement and maintain appropriate technical and organizational security measures in order to safeguard the personal data against unauthorized or unlawful processing and damage, and in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. The security measures are further agreed and described in the Agreement.

3.2 Supplier shall, without undue delay after having become aware of it, inform Customer in writing about any data breaches relating to personal data. Supplier’s notification about the breach to Customer shall include at least the following: (i) description of the nature of the breach; (ii) name and contact details of Supplier’s contact point where more information can be obtained; (iii) description of the likely consequences of the breach; (iv) description of the measures taken by Supplier to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Supplier shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

3.3 Supplier shall ensure that individuals processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Assistance Obligations

4.1 Taking into account the nature of the processing, Supplier shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR (such as the right of access and the right to rectification or erasure).

4.2 Taking into account the nature of the processing and the information available to Supplier, Supplier shall further provide Customer with assistance in ensuring compliance with Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority). If such assistance requires measures from Supplier, Supplier has the right to charge Customer for handling such assistance requests on a time and materials basis in accordance with Supplier’s then current price for consulting services, subject to Customer’s prior approval of such additional costs.

5. Subprocessors

5.1 Customer gives its general authorization to allow Supplier to engage subcontractors as sub-processors to process personal data in connection with the provision of the Service.

5.2 Supplier is free to choose and change its sub-processors. Upon request, Supplier shall inform Customer of sub-processors currently involved. In case there is a later change of a sub-processor (addition or replacement), Supplier shall notify Customer of such change, thereby giving Customer the opportunity to object to such change. If Supplier is not willing to change the sub-processor that Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.

5.3 Where Supplier engages a sub-processor for processing of personal data on behalf of Customer, the same data protection obligations as set out in this DPA shall be included in the data processing agreement between Supplier and that sub-processor. Where a sub-processor fails to fulfil its data protection obligations, Supplier shall remain fully liable to Customer for the performance of the sub-processor’s obligations.

6. International transfers

6.1 Customer accepts that Supplier may have personal data processed and accessible by Supplier or its sub-processors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, Customer authorizes Supplier to enter, on behalf of Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or Supplier shall provide for other appropriate safeguards for the protection of the personal data transferred outside the EEA as set out in the GDPR.

7. Audits

7.1 Customer or an auditor appointed by Customer shall with the assistance of Supplier have the right to audit the processing activities of Supplier under this DPA to assess the compliance of Supplier with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Supplier and with 60 days’ prior written notice. Customer shall be responsible for the costs incurred by Supplier or Customer in relation to the audit. Customer shall make available the audit results and report to Supplier.

7.2 Any third-party auditor shall be an independent and professional auditor, that is not a competitor of Supplier. The auditor shall agree to be bound to confidentiality to Supplier’s benefit.

7.2 Supplier makes available to Customer, at Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the aforementioned request by Customer requires measures or work to be performed by Supplier, then Supplier has the right to charge Customer for such measures or work on a time and materials basis in accordance with Supplier’s then current price for consulting services, subject to Customer’s prior approval of such additional costs.

8. Erasure or return of personal data

8.1 Upon any termination of the Agreement or after Customer has permanently ceased to use the Service, Supplier shall, as instructed by Customer and in accordance with the provisions of the Agreement regarding return or deletion of Customer Data, delete or return to Customer all personal data, except to the extent that Supplier is under a European Union or Member State law obligation to continue storing such personal data.

Data Processing Agreement Effective Date: December 9, 2019

This document is in connection to Lobster’s Terms of Service.