Agreement on the processing on behalf of a controller. Such processors may be salary-accounting offices, data-carrier providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers. The free data protection contract template from activeMind. The GDPR has increased the obligations for both controllers and processors.
One obligation is to enter into a legally binding contract governing the processing of personal data when a processor principal or agent is commissioned to process personal data as instructed by the controller client. The data protection contract specifies the rights and obligations of the controller and the processor as well as sub-processors, if applicable. In this way, it is easier to meet the accountability and joint-liability requirements of the GDPR.
Exhibit Data Processing Addendum. Flextronics Design and Manufacturing Services Agreement. Flextronics Telecom Systems, Ltd. For clarity, this Addendum only applies if and to the extent to Personal Data relating to FireEye and its personnel that is received by Service Provider from or on behalf of FireEye for Processing as a data importer while performing those functions or activities as required by the Agreement.
The parties hereby agree as follows: General Definitions. All capitalized terms not otherwise defined herein shall have the meanings set forth in the Agreement. Scope of Addendum.
As of the Addendum Effective Date and for any period of time thereafter during which Service Provider is a data importer and has possession of or access to FireEye Personal Data in connection with the Services until expiration or termination of the Agreement, Service Provider shall have implemented at its Facilities, and shall thereafter maintain policies, procedures and practices that satisfy the applicable requirements set forth in this Data Processing Addendum.
During the term of the Agreement: In performing its obligations in the Agreement, if Service Provider at any time from the Addendum Effective Date and until termination of the Services or the Agreement undertakes Processing of Personal Data for or on behalf of FireEye, Service Provider will process all Personal Data fairly and lawfully, respecting the Data Subject's privacy, and in accordance with all Data Protection Laws applicable to such Processing of Personal Data. Service Provider will take reasonable measures to require that all of its Personnel and each of its Sub-processors process all Personal Data in a similar manner as further described in Section 5 below.
Asset Management
Maintain policies establishing data retention and secure destruction requirements

6. Access Controls
Maintain controls designed to limit access to Personal Data
Review personnel access rights on a periodic basis
Maintain policies requiring termination of physical and electronic access to Personal Data and Insight systems after termination of an employee
Implement access controls designed to authenticate users and limit access to Personal Data and Insight
Implement policies restricting access to the data center facilities hosting Insight to approved data center personnel and limited and approved Gigamon personnel
Maintain dual layer access authentication processes for Gigamon employees with administrative access rights to Insight

7. Cryptography
Implement encryption key management procedures
Encrypt sensitive data using a minimum of AES bit ciphers in transit

8. Physical Security
Maintain high assurance physical security controls including manned security stations, mantraps, and biometric or badge-based access control

9. Operations Security
Perform periodic network and application vulnerability testing using qualified internal or 3rd party resources
Contract with qualified independent 3rd parties to perform periodic penetration testing
Implement procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests

Communications Security
Maintain a secure boundary using firewalls and network traffic filtering
Require segmentation to isolate production systems from development systems
Require periodic reviews and testing of network controls

System Acquisition, Development, and Maintenance
Assign responsibility for system security, system changes and maintenance
Test, evaluate and authorize major system components prior to implementation

Supplier Relationships
Periodically review available security assessment reports of Subprocessors hosting Insight to assess their security controls and analyze any exceptions set forth in such reports

Information Security Incident Management
Monitor the access, availability, capacity and performance of Insight, and related system logs and network traffic
Maintain incident response procedures for identifying, reporting, and acting on Information Security Incidents
Establish a cross-disciplinary Security Incident response team

Business Continuity Management
Design customer portal infrastructure with goal of

Clause 2 Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 Third-party beneficiary clause
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 6 Liability
The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The liability of the subprocessor shall be limited to its own processing operations under the Clauses. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8 Cooperation with supervisory authorities
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9 Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10 Variation of the contract
The parties undertake not to vary or modify the Clauses.

Clause 11 Subprocessing
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter.
Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12 Obligation after the termination of personal data processing services
The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred.
In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

Categories of data
The personal data transferred concern the following categories of data (please specify): As described in the section entitled "Categories of Personal Data" in Appendix 1 to the DPA.

Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify): None.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify): As described in the section entitled "Nature and Purpose of the Processing" in Appendix 1 to the DPA.

Conduct periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls
Maintain risk assessment processes designed to evaluate likelihood of risk occurrence and material potential impacts if risks occur
Document formal risk assessments
Review formal risk assessments by appropriate managerial personnel.

Information Security Policies.
Create information security policies, approved by management, published and communicated to all employees and relevant external parties
Review policies at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Human Resources Security.
Maintain policies requiring reasonable background checks of any new employees who will have access to Insight systems, subject to local law
Regularly and periodically train personnel on information security controls and policies that are relevant to their business responsibilities and based on their roles within the organization.

Maintain policies establishing data retention and secure destruction requirements.

Maintain controls designed to limit access to Personal Data
Review personnel access rights on a periodic basis
Maintain policies requiring termination of physical and electronic access to Personal Data and Insight systems after termination of an employee
Implement access controls designed to authenticate users and limit access to Personal Data and Insight
Implement policies restricting access to the data center facilities hosting Insight to approved data center personnel and limited and approved Gigamon personnel
Maintain dual layer access authentication processes for Gigamon employees with administrative access rights to Insight.

Implement encryption key management procedures
Encrypt sensitive data using a minimum of AES bit ciphers in transit.

Maintain high assurance physical security controls including manned security stations, mantraps, and biometric or badge-based access control.

Perform periodic network and application vulnerability testing using qualified internal or 3rd party resources
Contract with qualified independent 3rd parties to perform periodic penetration testing
Implement procedures to document and remediate vulnerabilities discovered during vulnerability and penetration tests.

Communications Security.
Maintain a secure boundary using firewalls and network traffic filtering
Require segmentation to isolate production systems from development systems
Require periodic reviews and testing of network controls.

System Acquisition, Development, and Maintenance.
Assign responsibility for system security, system changes and maintenance
Test, evaluate and authorize major system components prior to implementation.

Periodically review available security assessment reports of Subprocessors hosting Insight to assess their security controls and analyze any exceptions set forth in such reports.