Introduction #
This Data Processing Agreement (the “Data Processing Agreement” or the “DPA”) is established under Article 28 of the GDPR and forms part of the Agreement (as defined below) between ISMS Policy Generator and the Customer. By accepting the applicable Terms of Service, the Customer also accepts this DPA. ISMS Policy Generator does not operate via a marketplace operated by a third-party, hence all services are provided directly to the Customer.
ISMS Policy Generator will process the Customer’s Personal Data, including data inputs for policy generation (Inputs) and the resulting documents (Outputs), as a Data Processor for the sole purpose of providing the agreed services, including technical support, upon the Customer’s request.
Short Version #
This DPA between ISMS Policy Generator (Data Exporter) and its Customers (Data Importers) establishes guidelines for data processing in compliance with GDPR, particularly for data transfers to countries outside the EEA.
1. Definitions and Roles:
- Defines key terms and establishes the roles of ISMS Policy Generator as Data Processor and Customers as Data Controllers.
2. Data Processing Obligations:
- ISMS Policy Generator processes data based on Customer instructions, maintaining confidentiality and integrity.
- Ensures compliance with GDPR, including implementing technical and organizational security measures.
3. Customer Responsibility:
- Responsibility for service use: Customers must have the right or authority to input third-party data and secure organizational approval if using the service as an employee.
4. Data Transfers:
- Data transfers to restricted countries are governed by Standard Contractual Clauses to ensure GDPR compliance.
- Details of these transfers are specified in Exhibit 1.
5. Data Subject Rights:
- Both parties assist each other in handling data subject requests, ensuring rights under GDPR are respected.
6. Sub-Processors:
- Outlines the use of Sub-processors by ISMS Policy Generator, with commitments to maintain data protection standards. Some sub-processors are located in the US.
- Lists obligations in selecting and monitoring Sub-processors.
7. Audits and Compliance:
- Provides for documentary and, where necessary, virtual audits to demonstrate compliance with the DPA.
- ISMS Policy Generator will assist in audits and regulatory inquiries.
8. Personal Data Breach:
- Sets out procedures for notifying Customers of any data breaches and assisting in mitigating their effects.
9. Return or Destruction of Data:
- After service ends, ISMS Policy Generator will either delete or return all personal data, in line with its own policies.
10. Liability and Term:
- Limits liability as set out in the service agreement.
- The DPA remains effective for the duration of the service agreement between ISMS Policy Generator and the Customer.
Definitions #
In this Agreement, capitalized terms shall have the meanings given below:
- “Agreement”: Refers to the service agreement entered into by and between ISMS Policy Generator and the Customer, governing the provision of the Services.
- “Applicable Data Protection Law”: Includes (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the GDPR, applicable since 25 May 2018, and (ii) data protection laws and regulations applicable in France.
- “Authorized Recipient”: Encompasses (i) ISMS Policy Generator’s affiliates, (ii) ISMS Policy Generator’s team members, (iii) ISMS Policy Generator’s Sub-processors, and (iv) any third party authorized by the Applicable Data Protection Law to access Personal Data.
- “Authorized Purpose”: The authorized purpose for the Processing as outlined in Exhibit 1.
- “Customer”: Any legal entity that subscribes to the Services provided by ISMS Policy Generator, including its affiliates where applicable.
- “Data Controller”: The entity that determines the purposes and means of the Processing of Personal Data.
- “Data Processing Agreement” or “DPA”: This data processing agreement, which forms part of the Agreement and governs the Processing carried out by the Parties.
- “Data Processor”: The entity that processes Personal Data on behalf of the Data Controller under documented instructions.
- “Data Subjects”: Individuals whose Personal Data is processed.
- “ISMS Policy Generator”: Powered by Better ISMS, a French entity, registered at the Trade register of Paris under number 87848573900022, with its corporate seat at 60 rue François 1er, 75008 Paris, France.
- “Personal Data”: Any data relating to an identified or identifiable individual (Data Subject).
- “Personal Data Breach”: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, with potential risk to the rights and freedoms of Data Subjects.
- “Processing”: The processing of Personal Data as described in Exhibit 1.
- “Restricted Country”: Any country outside of the European Economic Area (EEA) not recognized by the European Commission as having adequate data protection.
- “Services”: The services provided by ISMS Policy Generator to the Customer.
- “Sub-processor”: Any Data Processor appointed by ISMS Policy Generator to perform part or all of the Processing on behalf of the Customer.
- “Supervisory Authority”: Any independent authority responsible for supervising the Processing of Personal Data.
Any capitalized term not defined in this DPA shall have the meaning given in the Agreement.
Role of the Parties #
ISMS Policy Generator as Data Processor: In accordance with the Processing described in Exhibit 1, the Customer shall act as the Data Controller, and ISMS Policy Generator shall act as the Data Processor.
Description of the Processing: ISMS Policy Generator processes Personal Data on behalf of the Customer to provide the Services as agreed under the Agreement. Details of this Processing are outlined in Exhibit 1 of this DPA. The Customer acknowledges that ISMS Policy Generator may update the Processing description to incorporate new services, features, or functionalities. ISMS Policy Generator will inform the Customer of any such updates via email at least fifteen (15) days before they become effective. The Customer has the right to object to these changes within the notice period based on relevant data protection laws. In case of unresolved objections, the Customer may terminate the Agreement for convenience.
ISMS Policy Generator as Data Controller: The Customer authorizes ISMS Policy Generator to process Personal Data inputs and resulting documentation as Data Controller for (a) monitoring abuse, and (b) research purposes, as stated in ISMS Policy Generator’s privacy policy. This processing will be communicated to Data Subjects through our privacy policy.
Training: At ISMS Policy Generator, we utilize AI models provided by OpenAI and MistralAI for generating information security documents. Our primary focus is on refining the instructions for creating high-quality security documentation. When users input data into our system, this data is sent to the APIs of OpenAI and Mistral to generate the requested documents.
It is important to note that we do not use user-provided Personal Data to train these AI models. The data sent to OpenAI’s API is not used for model training but is retained for a period of 30 days to ensure operational integrity and compliance with data protection standards. We believe a similar approach is taken by Mistral, ensuring that Personal Data is not used for training their models. This practice aligns with our commitment to respecting user privacy and strictly using Personal Data for its intended purpose of document generation. Details about the handling of data by OpenAI and Mistral can be found in our Privacy Policy.
General Obligations of the Parties #
Each Party shall adhere to its respective obligations under the Applicable Data Protection Law and ensure that its actions or omissions do not cause the other Party to breach any obligations under the same laws.
General Obligations of ISMS Policy Generator #
ISMS Policy Generator shall:
- Process Personal Data: Only in accordance with the lawful instructions provided by the Customer, as detailed in this DPA, the Agreement, or via email. This excludes any processing required by applicable laws, in which case ISMS Policy Generator shall promptly inform the Customer of that legal requirement, unless prohibited by law.
- Compliance Alert: Promptly notify the Customer if it believes the Customer’s instructions infringe the Applicable Data Protection Law, and reserve the right to refuse processing that is believed to violate such laws.
- Confidentiality Obligations: Ensure all persons authorized to process Personal Data (including team members and Sub-processors) are bound by confidentiality obligations, either contractually or by law.
- Assistance: Provide reasonable assistance to the Customer, as required by Applicable Data Protection Laws, in relation to investigations by Supervisory Authorities, data protection impact assessments, and compliance with GDPR Article 32.
General Obligations of the Customer #
The Customer agrees to:
- Compliance: Adhere to its obligations under Applicable Data Protection Law regarding the Processing and instructions issued to ISMS Policy Generator.
- Guidance and Filters: Provide guidance to Authorized Users on the use of Services, especially regarding the use of Personal Data, and apply filters to prevent unauthorized use of Personal Data by Authorized Users.
- Customer’s Security Obligations: Acknowledge that ISMS Policy Generator’s security obligations under this DPA are complementary to the Customer’s own security obligations under Applicable Data Protection Law.
- Consents and Rights: Ensure that all necessary notices have been provided and consents obtained as required under Applicable Data Protection Law for ISMS Policy Generator to process Personal Data under this DPA.
- Responsibility for Use of the Service:
- If the Data Controller (the Customer) is using the service on behalf of a third party (e.g., as a consultant for a client), they must ensure that they have the appropriate right and authority to use third parties’ data and to input any personal and confidential data into the service.
- Similarly, if the Data Controller is an employee of an organization, they must have the necessary approval from their organization to use this service and to share any data. This includes ensuring compliance with their organization’s internal policies, data protection, and confidentiality agreements.
Data Subjects #
Information Responsibilities:
- As Data Controller, the Customer is solely responsible for providing Data Subjects with all necessary information required by Applicable Data Protection Law.
Data Subject Requests:
- Considering the nature of the Processing, ISMS Policy Generator will offer commercially reasonable assistance to the Customer upon request. This assistance is aimed at enabling the Customer to respond effectively to Data Subject requests to exercise their rights under Applicable Data Protection Law.
Requests Made Directly to ISMS Policy Generator:
- If a Data Subject request is made directly to ISMS Policy Generator, we will not directly respond to such a request without the Customer’s prior approval, except when legally mandated.
- In cases where direct response is not permitted, ISMS Policy Generator will forward the request to the Customer, who then holds sole responsibility for responding.
- If legally obligated to respond to a Data Subject request, ISMS Policy Generator will promptly inform the Customer and provide a copy of the request, unless such disclosure is legally prohibited.
Security and Personal Data Breach #
Security Measures #
- Implementation of Security Measures: In line with current technological standards, the costs of implementation, and the nature, scope, context, and purposes of Processing, ISMS Policy Generator commits to implementing and maintaining appropriate technical and organizational measures. These measures aim to protect Personal Data against any Personal Data Breach and ensure the security and confidentiality of such data.
- Adaptation and Evolution: ISMS Policy Generator recognizes that security measures must evolve with technological advancements. The Customer acknowledges that ISMS Policy Generator may periodically update these security measures. However, any such updates will not materially reduce the overall protection and security of the data processing activities.
Personal Data Breach #
- Immediate Notification: In alignment with the nature of our Processing activities and available information, ISMS Policy Generator will inform the Customer of any Personal Data Breach without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of it. It is important to note that such notification does not constitute an admission of fault or liability by ISMS Policy Generator regarding the Personal Data Breach.
- Notification Details to the Customer: The notification will include:
- (a) Contact details of ISMS Policy Generator’s designated point of contact for further information.
- (b) The nature of the Personal Data Breach, including categories and number of Data Subjects and Personal Data involved.
- (c) Recommended measures for the Customer to mitigate possible adverse effects and prevent future breaches.
- (d) Potential consequences of the Personal Data Breach.
- (e) Actions taken or proposed by ISMS Policy Generator to address and prevent future breaches.
- Responsibility for Reporting: The Customer holds the responsibility for notifying the relevant Supervisory Authority and/or Data Subjects about the Personal Data Breach.
- Assistance in Compliance: Upon the Customer’s request, and considering the nature of the Processing and available information, ISMS Policy Generator will provide commercially reasonable assistance. This includes aiding in the Customer’s obligation to communicate the breach to Data Subjects as required by Applicable Data Protection Laws, and offering support to mitigate or remediate the breach.
Sub-processing #
General Authorization:
- The Customer provides prior and general authorization for ISMS Policy Generator to appoint Sub-processors to assist in providing the Services and in Processing activities, in line with the terms of this DPA. This includes:
- Maintaining an up-to-date list of Sub-processors on the ISMS Policy Generator platform.
- Notifying the Customer of any changes to this list.
- Entering into agreements with each Sub-processor that impose data protection terms aligning with this DPA’s standards.
- Retaining liability for any data protection obligations not fulfilled by Sub-processors.
Changes to Sub-processors List:
- ISMS Policy Generator will inform the Customer of any changes to the Sub-processors list as soon as possible and at least thirty (30) days before engaging a new Sub-processor.
- The Customer has the right to object in writing to the appointment of a new Sub-processor within this notice period, based on reasonable grounds related to Applicable Data Protection Laws.
- In case of objections, both parties will engage in good faith negotiations to find a satisfactory resolution. If unresolved, the Customer retains the right to terminate all or part of the Agreement for convenience.
Transfers of Personal Data to a Restricted Country #
Customer Located in a Restricted Country:
- If the Customer is situated in a Restricted Country (any country outside the EEA not recognized by the European Commission as having adequate data protection), the transfer of Personal Data between the Customer and ISMS Policy Generator will be governed by the Standard Contractual Clauses attached to this DPA.
Transfers to Authorized Recipients in Restricted Countries:
- The Customer grants prior general authorization for ISMS Policy Generator to transfer Personal Data to any Authorized Recipients located in Restricted Countries. These transfers will be carried out using Standard Contractual Clauses approved by the European Commission or other appropriate safeguards as per GDPR.
- In cases where Standard Contractual Clauses are invalidated, suspended, or deemed inadequate, ISMS Policy Generator will:
- (i) Promptly inform the Customer of this development.
- (ii) Suspend the transfer of Personal Data to the Restricted Country until an alternative GDPR-compliant safeguard for the transfer is established.
Audit #
Documentary Audit:
- ISMS Policy Generator will provide all required documentation and information to demonstrate compliance with this DPA upon the Customer’s written request. This will be done timely, within commercially reasonable limits, and as mandated by Applicable Data Protection Laws.
Virtual Audit:
- Given ISMS Policy Generator’s remote operational structure, physical on-premises audits are not applicable. Instead, virtual audits conducted remotely are available if required.
- These virtual audits will maintain the same standards of confidentiality and impartiality as physical audits.
- They will focus solely on information and/or Personal Data pertinent to the Customer and will be conducted in a manner that avoids disrupting ISMS Policy Generator’s operational efficiency.
- The costs associated with conducting virtual audits will be borne by the Customer.
Return or Destruction of Personal Data #
After the termination or expiry of the Services, ISMS Policy Generator will either delete or return all Personal Data processed on behalf of the Customer. This action will be in line with ISMS Policy Generator’s established deletion policies and procedures. The Customer should be aware that Personal Data will become inaccessible after a thirty (30) day period following the end of their access to and use of the Services.
Term #
This DPA becomes effective concurrently with the Agreement and will remain in effect for the duration of the Agreement. Any modifications or termination of the Agreement will similarly affect the validity of this DPA.
Limitation of Liability #
The liabilities of both ISMS Policy Generator and the Customer, as well as their respective affiliates, under this DPA are subject to the exclusions and limitations of liability outlined in the Agreement. This clause ensures that liability under this DPA is consistent with the terms agreed upon in the main service agreement.
EXHIBIT 1 – Description of the Processing #
ISMS Policy Generator Privacy Contact: contact@ismspolicygenerator.com
Categories of Data Subjects:
- Includes Customers, Authorized Users, and any individuals whose roles are utilized in the service process (e.g., IT security officers).
Categories of Personal Data:
- Covers the Customer’s account data (name and email) and key role names within the company as provided by the Customer for policy generation.
- Outputs generated in response to these inputs.
Special Categories of Personal Data:
- None. Customers are encouraged to use role names (e.g., IT Security Officer) instead of personal names when generating policies that require appointing a responsible person for an activity.
Authorized Purposes:
- Provision of ISMS Policy Generator services, including technical support and generation of ISMS documentation, as per the Customer’s subscription.
Duration of the Processing:
- Aligned with the term of this DPA.
Retention Periods:
- Customer account data and generated policies/documentation are retained as long as the user account is active.
- For inactive accounts, data is retained for 5 years for evidentiary purposes.
Sub-processors:
- Includes Bubble.io (data stored on US AWS servers), OpenAI (data stored on US servers), MistralAI, Zapier, and Google Docs. The role and data storage locations of each Sub-processor are maintained in an updated list.
EXHIBIT 2 – Standard Contractual Clauses #
These standard contractual clauses apply when the Customer is located in a Restricted Country.
SECTION I: Purpose and Scope #
Clause 1: Purpose and Scope #
(a) The purpose of these clauses is to ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) for transferring personal data to third countries.
(b) The Parties:
- (i) Data Exporter: Refers to the natural or legal person(s), public authorities, agencies, or other bodies transferring the personal data, as detailed in Annex I.A.
- (ii) Data Importer: Entities in third countries receiving personal data from the data exporter, directly or indirectly via another entity party to these clauses, as detailed in Annex I.A.
(c) These Clauses apply to the transfer of personal data as specified in Annex I.B.
(d) The Appendix containing Annexes forms an integral part of these Clauses.
Clause 2: Effect and Invariability of the Clauses #
(a) These Clauses provide appropriate safeguards, enforceable rights for data subjects, and legal remedies in accordance with Articles 46(1) and 46(2)(c) of the GDPR. They are standard contractual clauses under Article 28(7) of the GDPR and must remain unaltered, except for module selection or updating information in the Appendix. These Clauses can be part of a broader contract, provided they do not contradict these Clauses or infringe on the fundamental rights of data subjects.
(b) These Clauses do not affect the obligations of the data exporter under the GDPR.
Clause 3: Third-party Beneficiaries #
(a) Data subjects can enforce these Clauses against the data exporter and/or importer, with exceptions outlined in various clauses and modules.
(b) This provision does not affect the rights of data subjects under the GDPR.
Clause 4: Interpretation #
(a) Terms defined in the GDPR have the same meaning in these Clauses.
(b) These Clauses should be interpreted in light of the GDPR’s provisions.
(c) These Clauses shall not conflict with the rights and obligations provided in the GDPR.
Clause 5: Hierarchy #
In case of contradictions between these Clauses and other agreements between the parties, these Clauses shall prevail.
Clause 6: Description of the Transfer(s) #
Details of data transfers, including categories of personal data and the purposes of transfer, are specified in Annex I.B.
Clause 7: Docking Clause (Optional) #
(a) Non-parties can join these Clauses as either data exporter or importer by completing the Appendix and signing Annex I.A.
(b) Upon signing, the entity becomes a party to these Clauses with respective rights and obligations.
(c) Rights and obligations apply only after becoming a party to these Clauses.
SECTION II – OBLIGATIONS OF THE PARTIES #
Clause 8: Data Protection Safeguards #
- Data Exporter’s Warranty: The data exporter (ISMS Policy Generator) ensures it has verified that the data importer can meet the obligations of these Clauses through adequate technical and organizational measures.
8.1 Instructions:
- (a) Process personal data based on documented instructions from the data importer.
- (b) Inform the data importer immediately if unable to follow instructions or if instructions violate GDPR or other data protection laws.
- (c) The data importer must not take actions preventing the data exporter from complying with GDPR.
- (d) Post-processing, delete all personal data or return it to the data importer and delete existing copies, based on the importer’s choice.
8.2 Security of processing:
- (a) Implement measures to ensure data security, including during transmission, and protect against data breaches.
- (b) The data exporter assists the importer in ensuring data security and addresses any breaches.
- (c) Ensure confidentiality obligations for all persons authorized to process personal data.
8.3 Documentation and compliance:
- (a) Demonstrate compliance with these Clauses.
- (b) The data exporter provides necessary information for demonstrating compliance and contributes to audits.
Clause 9: Use of Sub-processors #
- N/A (Not applicable as ISMS Policy Generator manages its Sub-processors directly as outlined in the DPA).
Clause 10: Data Subject Rights #
- Parties will assist each other in responding to data subject requests under the applicable law of the data importer and GDPR for processing by the data exporter within the EU.
Clause 11: Redress #
- (a) The data importer (ISMS Policy Generator) will inform data subjects transparently about a contact point for complaints and address any complaints promptly.
Clause 12: Liability #
- (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- (b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
- (c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- (d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- (e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13: Supervision #
N/A
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES #
Clause 14: Local laws and practices affecting compliance with the Clauses #
- (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- (b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- (ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
- (iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- (c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- (d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- (e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). For Module Three: The data exporter shall forward the notification to the controller.
- (f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15: Obligations of the data importer in case of access by public authorities #
15.1 Notification
- (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- (c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]
- (d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- (e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- (a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- (b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- (c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS #
Clause 16 #
Non-compliance with the Clauses and termination
- (a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- (b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- (ii) the data importer is in substantial or persistent breach of these Clauses; or
- (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- (d) The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17 #
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law mentioned in the Agreement.
Clause 18 #
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts mentioned in the Agreement.
Appendix #
Annex I #
A. List of Parties
- Data Exporter: ISMS Policy Generator, which provides the services outlined in the Agreement and processes personal data as part of these services.
- Data Importer: The Customer who uses the services provided by ISMS Policy Generator and whose personal data may be processed as part of these services.
B. Description of Transfer
- The detailed description of the data transfer, including the categories of personal data, the nature and purpose of processing, and other relevant details, is provided in Exhibit 1 of this Data Processing Agreement.