1. Introduction
1.1 This agreement regarding processing of data that may include personal data (the ”Data Processor Agreement”) regulates 10xpeers.com, which is owned by Abrige Corp. (the ”Data Processor”), when processing any personal data on behalf of a customer (the ”Data Controller”) located in an EU or EEA countries for compliance with GDPR. Also see Terms.
2. Processing of personal data
2.1 ”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”).
2.2 The 10xpeers.com application and private Member Login area (the “Service”) are intended to support business and leadership vibrancy through a peer group experience, with information shared on the website from the 10x! leader and from any applicant or member. As such, the Service may include processing of personal data on behalf of the Data Controller.
3. Instruction
3.1 The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the ”Instruction”). The Instruction at the time of entering into this Data Processor Agreement is that the Data Processor may only process Personal Data with the purpose of delivering the Service.
3.2 The Data Controller guarantees that the Personal Data transferred to the Data Processor is processed by the Data Controller in accordance with the Applicable Law, including the legislative requirements re lawfulness of processing.
4. The data Processor’s obligations
4.1 Confidentiality
4.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Data Controller in writing has agreed hereto.
4.1.2 The Data Processor’s workforce shall be subject to an obligation of confidentiality that ensures that all the Personal Data under this Data Processor Agreement is treated with strict confidentiality.
4.2 Security
4.2.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and applicable law.
4.3 The Data Processor shall ensure that access to the Personal Data is restricted to only authorized individuals to whom it is necessary and relevant to process the Personal Data in order for the Data Processor to perform its obligations under the subscription agreement Terms and this Data Processor Agreement.
4.4 Data protection impact assessments and prior consultation
4.4.1 If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments. Data Processor may apply a fee for this additional service.
4.5 Rights of the data subjects
4.5.1 If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under applicable law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor may charge a fee for this additional service and shall be given reasonable time to assist the Data Controller with such requests in accordance with applicable law.
4.5.2 If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under applicable law and such request is related to the Personal Data of the Data Controller, the Data Processor shall immediately forward the request to the Data Controller and shall refrain from responding to the person directly.
4.6 Personal Data Breaches
4.6.1 The Data Processor shall give immediate notice to the Data Controller if a breach of the data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed re the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
4.7.2 The Data Processor shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following: (i) A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
(ii) A description of the likely as well as actually occurred consequences of the Personal Data Breach.
(iii) A description of the measures that the Data Processor has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
4.7.3 The register of Personal Data Breaches shall be provided to the Data Controller in copy if so requested in writing by the Data Controller or the relevant Data Protection Agency.
4.8 Documentation of compliance
4.8.1 The Data Processor shall after the Data Controller’s written request hereof provide documentation substantiating that: (i) the Data Processor complies with its obligations under this Data Processor Agreement and the Instruction; and
(ii) the Data Processor complies with applicable law in respect of the processing of the Data Controller’s Personal Data.
4.8.2 The Data Processor’s documentation of compliance shall be provided within reasonable time.
4.9 Location of the Personal Data
4.9.1 The Data Processor shall not transfer the Personal Data to third parties.
5. Remuneration and costs
5.1 The Data Controller shall remunerate the Data Processor based on time spent to perform the obligations under section 4 of this Data Processor Agreement.
5.2 The Data Processor is also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to the Data Controller’s Instruction, including implementation costs and additional costs required to deliver the Service due to a change in Instruction. The Data Processor is exempted from liability for non-performance with the subscription service Terms if the performance of the obligations would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case; (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where the Data Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until relevant Terms and Agreements are changed to reflect the new Instruction.
5.3 If applicable law changes result in additional costs to the Data Processor, the Data Controller shall indemnify the Data Processor of such documented costs.
6 Limited Liability
6.1 Each party’s cumulated liability under this Data Processor Agreement is limited to the payments made under the subscription service agreement in the 12 months before the occurrence of the circumstances leading to a breach of contract. If the Data Processor Agreement has not been in force for 12 months before the occurrence of the circumstances leading to a breach of contract, the limited liability amount shall be calculated proportionately based on the actual performed payments.
6.2 The limitation of liability does not apply to the following: (i) Losses as a consequence of the other party’s gross negligence or willful misconduct. (ii) A party’s expenses and resources used to perform the other party’s obligations, including payment obligations, towards a relevant data protection agency or any other authority.
7. Duration
7.1 The Data processor Agreement shall remain in force until the subscription agreement (Terms) is terminated.
8. Termination
8.1 The Data Processor’s authorization to process Personal Data on behalf of the Data Controller shall be annulled at the termination of this Data Processor Agreement.
8.2 The Data Processor shall continue to process the Personal Data for up to three months after the termination of the Data Processor Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Data Processor is entitled to include the Personal Data in the Data Processor’s backup. The Data Processor’s processing of the Data Controller’s Personal Data in the three months after the termination of this Data Processor Agreement shall be considered as being in accordance with the Instruction.
8.3 At the termination of this Data Processor Agreement, the Data Processor shall return the Personal Data processed under this Data Processor Agreement to the Data Controller, provided that the Data Controller is not already in possession of the Personal Data. The Data Processor is hereafter obliged to delete all the Personal Data and provide documentation for such deletion to the Data Controller.
8.4 The Data Processor may charge for the additional services required at termination.
9. Contact
9.1 The contact information for the Data Processor and the Data Controller shall be provided, as appropriate, for any client applicant and/or member requiring compliance with GDPR.