Name the processor and controller, as well as the types of data that will be processed. You can also discuss the general activities that the Processor will perform for the Controller, as well as, if applicable, the duration of the contract. The European Commission may decide that the standard contractual clauses provide sufficient safeguards for data protection so that data can be transferred internationally. 1.1.8.2 a transfer of the company's personal data from a processor to a sub-processor or between two entities of a processor in all cases where such a transfer would be prohibited by data protection laws (or by the terms of data transfer agreements established to meet data transfer restrictions of data protection laws); 1. The data importer shall not subcontract any of its processing operations carried out on behalf of the data exporter in accordance with the clauses without the prior written consent of the data exporter. If the data importer subcontracts its obligations under the Clauses with the consent of the data exporter, it will only do so through a written agreement with the sub-processor imposing on the sub-processor the same obligations as the data importer under the Clauses. If the Sub-Processor fails to comply with its data protection obligations under such a written agreement, the Data Importer will remain fully liable to the Data Exporter for the performance of the Sub-Processor's obligations under this Agreement. HubSpot's data processing agreement provides an example of a data protection agreement that includes the standard contractual clauses adopted by the European Commission, definitions of relevant terms, details of processing, obligations of subcontractors and more. This data processing agreement is based on the ProtonMail DPA, which can be found on this page. Organizations can use the following document as part of their GDPR compliance.
(c) the Parties seek to implement an agreement on data processing in accordance with the requirements of the applicable legal framework with regard to data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). This HubSpot Data Processing Agreement and its Appendices (“DPA”) reflect the parties' agreement regarding the processing of personal data by us on your behalf in connection with the HubSpot Subscription Services in accordance with the HubSpot Customer Terms of Service between you and us (also referred to as the “Agreement” in this DPA).
(f) at the request of the data exporter, to hand over its data processing facilities for the verification of the processing activities covered by the clauses carried out by the data exporter or a supervisory authority composed of independent members and possessing the necessary professional qualifications linked by a duty of confidentiality chosen by the data exporter, where appropriate in agreement with the supervisory authority; Outsourced processing: We host our service with outsourced cloud infrastructure providers. In addition, we maintain contractual relationships with suppliers to provide the Service in accordance with our DPA. We rely on suppliers' contractual agreements, privacy policies and compliance programs to protect the data processed or stored by those providers. Then you can go into more detail about who the agreement applies to and what role each party will fulfill. Since HubSpot uses this agreement with many different controllers, the intro is very broad. If you are the controller, you may want to be more specific and name the exact parties involved in each data processing agreement you enter into. The GDPR allows the European Commission and supervisory authorities (such as the ICO) to issue standard clauses to be included in contracts between controllers and processors. These clauses can provide an easy way to ensure that contracts between controllers and processors are GDPR compliant. They can also be part of a certification scheme to prove compliant treatment if the schemes have been approved. A data processor may not process data in a manner that violates data protection regulations, including on the instructions of the data controller. In this way, both parties are expected to comply with compliant data protection standards.
(j) immediately provide the data exporter with a copy of any subcontracting agreement it enters into in accordance with the clauses. 4. The data exporter shall keep up to date a list of subcontracting agreements concluded in accordance with the clauses and notified by the data importer in accordance with point (j) of Clause 5, which shall be updated at least once a year. The list shall be made available to the data protection supervisory authority of the data exporter. One. The Parties acknowledge that, in accordance with FAQ II.1 of Article 29 of wp 176 of the Working Party's document entitled “Frequently asked questions on the handling of certain issues raised by the entry into force of European Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors in third countries in accordance with Directive 95/46/EC”, the data exporter has general consent to further processing through the data importer. 11.1 The Processor may not transfer or authorise the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. Where personal data processed under this Agreement are transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected.
To do this, unless otherwise agreed, the parties rely on EU-approved standard contractual clauses for the transfer of personal data. To maintain the validity of these SCCs, it is important to note that they cannot be modified, but can be extended or included as part of a broader contract, provided that these additions do not contradict or divert the attention of these SCCs as written. Notwithstanding the above, these SCCs are no longer the only available means of processing personal data between controllers and processors under the GDPR. The parties are always free to conclude their own agreement for such processing, as long as the mandatory clauses described in the GDPR are included. Online replicas and backups: Whenever possible, production databases are designed to replicate data between at least 1 primary database and 1 secondary database. All databases are backed up and maintained using at least industry standard methods. (A) HubSpot does not transfer European data to countries or recipients that are not recognized as residents or recipients that offer an adequate level of protection of personal data (within the meaning of applicable European data protection laws), unless it first takes all necessary steps to ensure that the transfer is carried out in accordance with applicable European data protection laws. Such measures may include (but are not limited to) the transfer of such data to a recipient who falls under an appropriate framework or other legally appropriate transfer mechanism recognised by the competent authorities or courts as an adequate level of protection of personal data to a recipient who has obtained binding internal authorisation from the company in accordance with European data protection laws.
or to a recipient who, in each case, has executed appropriate standard contractual clauses that have been adopted or approved in accordance with applicable European data protection laws. So far, it has published two sets of standard contractual clauses for the transfer of data controllers in the EU to controllers based outside the EU or the European Economic Area (EEA). Note that the agreement mentions employees, agents, and contractors – a great way to cover all bases. b. Controller instructions. The parties agree that the Agreement (including this DPA), together with your use of the Subscription Service, in accordance with the Agreement, constitutes your complete and final instructions regarding the processing of personal data and that additional instructions outside the scope of the Instructions require prior written consent between us and you. In transit: We provide HTTPS encryption (also known as SSL or TLS) on each of the login interfaces and free of charge on each customer page hosted on HubSpot products. Our HTTPS implementation uses industry standard algorithms and certificates. At rest: We store user passwords in accordance with industry security policies.
We have implemented technologies to ensure that stored data is encrypted at rest. LinkedIn provides data processing services to marketing customers and makes the following statement in its standard DPA: b. The Parties further acknowledge that due to confidentiality restrictions imposed on sub-processors, the data importer may be prevented from disclosing other sub-processing agreements to the data exporter. Notwithstanding the foregoing, the data importer shall use reasonable efforts to require any sub-processor it undertakes to allow it to disclose the sub-processor agreement to the data exporter. For data importers who are subcontractors, as modules two and three also include the mandatory clauses of the GDPR, they are likely to be used only for transfers outside the EU to data processors (whereas the former SCCs were previously generally attached to a separate data processing agreement (“DPA”) that included the mandatory clauses of the GDPR). Modules two and three can reduce or even eliminate the need for a separate DPA, but it is important to note that since the SCC Set One remain valid, the SCC Set Two cannot be modified and all the conditions of a current DPA you have will be replaced by the SCC in case of conflict.