Article 1. Applicability
- For the purpose of the fulfilment of its obligations under the agreement between AskAnna and client for the delivery and use of SaaS, AskAnna shall process personal data on behalf of client.
- In accordance with article 28 General Data Protection Regulation (hereinafter: GDPR) AskAnna and client describe the subject and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the parties in this Data Processing Agreement.
- Definitions that are used in this Data Processing Agreement, such as processing, personal data, controller and processor shall have the meaning as determined in the GDPR. In order to comply with the GDPR, with respect to the Processing of Personal Data, parties agree upon the conditions as set forth in this Data Processing Agreement.
Article 2. General
- Client is the controller in the sense of the GDPR, has control over the processing of personal data and has established the purpose of and the means for the personal data processing.
- AskAnna is processor in the sense of the GDPR and, for that reason, has no control over the purpose of and the means for the personal data processing and, therefore, does not take any decisions on, amongst other things, the use of the personal data.
- Client guarantees AskAnna that it acts in compliance with the GDPR, that its systems and infrastructure are at any time appropriately secured and that the content, the use and/or the processing of the personal data are not unlawful and do not breach any third party rights.
- Client is not entitled to seek recovery from AskAnna of an administrative fine imposed on client by the supervisory authority, on whatever legal ground. ‘Supervisory authority’ is understood to mean the supervisory authority referred to in the GDPR.
Article 3. Security
- AskAnna’s service is not intended for processing special categories of personal data or data relating to convictions under criminal law or criminal offences.
- AskAnna endeavours to ensure that the security measures to be taken by AskAnna are appropriate for the use of the product or service intended by AskAnna.
- The security measures described offer a security level, in client’s opinion and taking the factors referred to in article 3.1 into account, appropriate to the risk involved in processing personal data used or provided by client.
- AskAnna may adjust the security measures implemented if this should be required, in AskAnna’s opinion, to continue to offer an appropriate security level. AskAnna keeps a record of important adjustments and informs client of these adjustments where relevant.
- Client may request AskAnna to implement further security measures. AskAnna is not obliged to implement any adjustments in its security measures following such a request. AskAnna may charge client for the costs involved in implementing the adjustments requested by client. AskAnna is not obliged to actually implement these adjusted security measures before the security measures requested by client have been agreed on in writing.
Article 4. Personal Data Breaches
- AskAnna does not guarantee that the security measures are effective in all circumstances. If AskAnna discovers a personal data breach, AskAnna informs client of this without undue delay. AskAnna will contact client by e-mail.
- It is up to client as a controller (or client’s client) to assess whether the personal data breach reported by AskAnna must be reported to the supervisory authority or the data subject. Reporting personal data breaches is, at any time, controller’s – i.e. client’s or client’s client’s – responsibility. AskAnna is not obliged to report personal data breaches to the supervisory authority and/or the data subject.
- Where required, AskAnna provides further information on the personal data breach and renders assistance in providing the information to client that client needs to report a breach to the supervisory authority or the data subject.
- AskAnna may charge client for the costs involved in this context, within reason and at AskAnna’s current rates.
Article 5. Confidentiality
- AskAnna ensures that the obligation to observe confidentiality is imposed on any person processing personal data under AskAnna’s responsibility.
- AskAnna is entitled to provide personal data to third parties if and insofar as this should be required pursuant to a judicial decision or a statutory requirement, on the basis of an authorized order by a public authority or in the context of the proper performance of the agreement.
Article 6. Term and Obligations following Termination
- The duration of the Data Processing Agreement is equal to the duration of the agreement.
- In the event the Data Processing Agreement ends, AskAnna deletes or returns, within a reasonable time, all personal data received from client that it has in its possession in such a way that they can no longer be used and are rendered inaccessible.
- The provisions of article 6.1 do not apply if statutory provisions should prohibit AskAnna from deleting the personal data or returning these, in part or in full. In such event AskAnna only continues to process the personal data insofar as required under its statutory obligations.
- The provisions of article 6.1 do not apply either if AskAnna is a controller in the sense of the GDPR with respect to the personal data.
Article 7. Data subjects’ rights, Data Protection Impact Assessment (DPIA) and Audit Rights
- Where possible, AskAnna renders assistance in reasonable requests by client that are related to data subjects exercising their rights against client. If AskAnna is directly contacted by a data subject, AskAnna refers this data subject, whenever possible, to client.
- If client should be obliged under the GDPR to carry out a Data Protection Impact Assessment (DPIA) or a prior consultation following this, AskAnna renders assistance, at client’s reasonable request, in this DPIA or prior consultation.
- At client’s request, AskAnna provides all information that would be reasonably required to demonstrate compliance with the arrangements laid down in this agreement with respect to personal data processing, for example by means of a valid Data Pro Certificate or another certificate at least equal to it, an audit report (Third Party Memorandum) drafted by an independent expert commissioned by AskAnna or by means of other information to be provided by AskAnna. If client should nevertheless have reasons to assume that the personal data are not processed in accordance with the agreement, client may commission an audit, no more than once per year and at client’s expense, by an independent, certified external expert who has demonstrable experience in the type of data processing that is carried out under the agreement. AskAnna is entitled to refuse an expert if this expert affects, in AskAnna’s opinion, AskAnna’s competitive position. The audit is limited to verifying compliance with the arrangements on personal data processing as laid down in the agreement. The expert is obliged to observe confidentiality with respect to his findings and only reports issues to client which result in a failure by AskAnna to meet its obligations under the agreement. The expert provides AskAnna with a copy of his report. AskAnna may refuse an expert, an audit or an instruction by the expert if this should be, in AskAnna’s opinion, in violation of the GDPR or other laws and regulations or if this should be an unacceptable breach of the security measures implemented by AskAnna.
- AskAnna and client hold consultations on the findings of the report as soon as possible. They comply with the improvement measures proposed and laid down in the report insofar as this can be reasonably expected from them. AskAnna implements the proposed measures insofar as these are appropriate in AskAnna’s opinion, taking into account the processing risks associated with AskAnna’s product or service, the state of the art, the implementation costs, the market in which AskAnna operates and the intended use of the product or service.
- Client is fully responsible for the costs it has incurred in the context of the provisions laid down in this article. AskAnna and client will consult with each other in advance, in order to determine the costs.
Article 8. Subprocessors
- Client authorises AskAnna to engage other processors to fulfil (parts of) the obligations under the agreement, subject to the condition that AskAnna shall notify client of any intended change concerning the addition or replacement of other processors. Client may object to any intended change within 5 working days after being notified. If AskAnna does not accept client’s objections, client may terminate the agreement without observing any notification period.
- If AskAnna instructs another processor for carrying out specific processing activities on behalf of client, AskAnna shall ensure that the same data protection obligations as set out under this Processing Agreement are imposed on the other processor. AskAnna shall lay down these obligations in a written contract. If the other processor fails to comply with its obligations regarding data protection, AskAnna shall remain liable to client for the performance of that other processor’s obligations.
- Information about subprocessors, including their functions and locations, is available in Attachment 1.
Article 9. Liability
Article 10. Transfer to Third Countries
- AskAnna is entitled to process personal data within the European Economic Area (EEA). Transfer of personal data to countries outside the EEA is only permitted if the country guarantees an adequate level of protection or if it has taken appropriate safeguards for this, as is referred to in articles 45 and 46 of the GDPR.
- If AskAnna must provide personal data to any third party pursuant to a legal obligation applicable in national or European regulations, AskAnna will verify the basis of the request and the identity of the applicant and AskAnna will immediately, prior to the provision, inform client, unless the law prohibits this for substantial reasons of public interest.
- The transfer of personal data outside the EEA or to international organizations for the implementation of the agreement is described in more detail in the Privacy Statement.
Article 11. Miscellaneous
- If changes occur in the national legislation or the European legislation on the protection of personal data in the future, AskAnna and client will amend this Processing Agreement to the extent that this is necessary to comply with new regulations.
Attachment 1. Subprocessors
The following subprocessors shall be considered approved by the controller at the time of entering into this Data Processing Agreement:
| Subprocessor entity name | (Category) personal data that subprocessor processes | Activity | Country of processing | Country of registration |
|---|---|---|---|---|
| Google Ireland Limited | All shared personal data, a.o. email, name and address | Cloud Hosting | The Netherlands, Belgium and Germany | Ireland |
| Intercom R&D Unlimited Company | Account information, a.o. email & IP | Technical Support | Ireland and United States | Ireland |
| Functional Software, Inc. | Account information, a.o. email & IP | Technical Support | United States and other countries | United States |
| Twilio Inc. | Name and email | Mail Service | United States | United States |
Transfer outside the European Economic Area (EEA):
|Entity that transfers the personal data + country||Entity that receives the personal data + country||Additional safeguards for transfer outside the EEA|
|Google Ireland Limited
|Standard Contractual Clauses (SCC)|
|Functional Software, Inc.
|Standard Contractual Clauses (SCC)|
|Standard Contractual Clauses (SCC)|
|Standard Contractual Clauses (SCC)|