Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the deli.gallery Terms of Service (“Agreement”) between deli.gallery and the User. The User entered into this DPA on behalf of itself. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Legislation as defined below.

WHEREAS

(A) The User acts as a Data Controller.

(B) The User wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework for data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1. “Agreement” means this Data Processing Agreement and all Schedules;

1.1.2. “User Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the User under or in connection with the Principal Agreement;

1.1.3. “Contracted Processor” means a Subprocessor;

1.1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5. “EEA” means the European Economic Area;

1.1.6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7. “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8. “Data Transfer” means:

1.1.8.1. a transfer of User Personal Data from the User to a Contracted Processor; or

1.1.8.2. an onward transfer of User Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9. “Services” means the media storage and delivery services the User provides.

1.1.10. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the User in connection with the Agreement.

1.2 The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of User Personal Data

2.1. Processor shall:

2.1.1. comply with all applicable Data Protection Laws in the Processing of User Personal Data; and

2.1.2. not Process User Personal Data other than on the relevant User’s documented instructions.

2.2. The User instructs Processor to process User Personal Data.

Processor Personnel

3.1. Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the User’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant User Personal Data, as strictly necessary for the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security

4.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the User Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Subprocessing

5.1 deli.gallery may use Subprocessors to process the User Personal Data. The use of a Subprocessor to process the User Personal Data will be in compliance with Data Protection Legislation and will be governed by a contract between deli.gallery and the Subprocessor.

5.2 Subprocessors will be permitted to process Personal Data only to deliver the services deli.gallery has requested, and they shall be prohibited from using Personal Data for any other purpose. A list of our current Subprocessors is available upon request by sending an email to support@deli.gallery.com.

5.3 In the case where the Subprocessor further engages with another processor to process Personal Data, they will respect the obligations set out in this DPA.

Data Subject Rights

6.1. Taking into account the nature of the Processing, the Processor shall assist the User by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of the User’s obligations, as reasonably understood by the User, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2. Processor shall:

6.2.1. promptly notify the User if it receives a request from a Data Subject under any Data Protection Law in respect of User Personal Data; and

6.2.2. ensure that it does not respond to that request except on the documented instructions of the User or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the User of that legal requirement before the Contracted Processor responds to the request.

Personal Data Breach

7.1. Processor shall notify User without undue delay upon Processor becoming aware of a Personal Data Breach affecting User Personal Data, providing User with sufficient information to allow the User to meet