Data Processing Agreement
This Data Processing Agreement (“DPA”) sets out the obligations for the processing of personal data during the execution, and after the termination of, the Main Services Agreement or End User License Agreement (each, an “Agreement”), as required by article 28, no. 3 of GDPR (defined below). Notabene is qualified as a Processor (defined below) and this DPA shall apply where, while performing the Services under the Agreement, Notabene processes Customer Materials or End User Data, respectively, that are “personal data” or “personal information” under applicable data protection laws, on behalf of Customer/End User, which are not the names or professional contact details of the representatives of Customer/End User.
1. Definitions
1.1. In addition to the terms defined in the Agreement, in this DPA all the definitions set forth in article 4 of GDPR shall be adopted, namely the terms “Personal Data,” “Data Subjects,” “Processing,” “Personal Data Breach,” “Controller,” and “Processor.”
1.2. In addition to the above, the following definitions shall be adopted:
a. “Data Protection Law” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as the “General Data Protection Regulation” or “GDPR” as well as any other applicable national rule and legislation on the protection of personal data in the European Union or locally that is already in force or that will come into force during the term of this DPA, including any measure, guideline and opinion issued by the European data protection authorities or by the European Data Protection Board.
b. “Persons in Charge of Data Processing” means the employees and any natural persons who, authorized by the Processor and/or its sub-processors, if any, can process the Processed Data;
c. “Platform” means the relevant web, online platform or other software service or application developed by Notabene, and shall include any modifications, customizations and derivatives of the same;
d. “Processed Data” means all the personal data processed by the Processor on behalf of the Controller under the Services, as better defined in Appendix 1 – Details of Processing Activities and Data Transfer;
e. “Security Measures” means the security measures and any other obligations under the Data Protection Law for the purposes of guaranteeing the security and confidentiality of the Processed Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures, as well as procedures and activities to be performed in case of a personal data breach to prevent and reduce the adverse effects of the breach on the affected data subjects, in particular, those described on Appendix 2 - Technical and Organisational Measures and as described on our security policies available in the Processor’s Trust Center at https://trust.notabene.id/;
f. “Sub-Processor” means the legal person, company or independent professional who, authorized by the Controller and engaged by the Processor, is allowed to carry out activities entailing the processing of the Processed Data, as permitted under Data Protection Law and this DPA. Authorized Sub-Processors are detailed in Appendix 3 – General Authorization for Sub-processing; and
g. “Standard Contractual Clauses” means the Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914, of 4 June 2021, as amended or updated from time to time (SCC or EU SCC), and similar clauses enacted pursuant to the Data Protection Law, incorporated into this DPA by reference.
2. Scope
2.1. Notabene shall act as the Processor (“Processor”) in relation to the processing of Processed Data on behalf of the Customer/End User which is qualified as the Controller (“Controller”), exclusively for the purposes of executing the Agreement or as required by law, according to the terms and conditions of this DPA and of the Data Protection Law.
2.2. The type of personal data and processing activities to be handled by the Processor are exhaustively described in Appendix 1 – Details of Processing Activities and Data Transfer. Any amendment to this list must be done in writing by the signature of both Parties, and a copy of said updated list must be enclosed on the final versions of this DPA.
2.3. In relation to any processing of Processed Data carried out by the Processor or by a Sub-processor, directly or through the respective Persons in Charge of Data Processing, for purposes other than those within the scope of this DPA and the Services engaged, and on the basis of different relationships with data subjects, the Processor or its subsequent Subcontractors shall not act as processors of the Controller in relation to the Processed Data, but as independent data controllers, or processors of entities other than the Controller, as the case may be.
3. Term
3.1. This DPA shall be effective from the date of acceptance of the Agreement up to the end of the transitional period of thirty (30) days granted after the termination of such Agreement or its related services.
3.2. During the transitional period the Controller will be able to delete, remove or transfer the Processed Data resulting from the Services. After such transitional period, the Processor may permanently delete all the Processed Data from the Platform and all the existing copies, unless any applicable law requires storage of the Processed Data.
3.3. The Processor shall ensure that all Persons in Charge of Data Processing, its Sub-Processors, if any, and their Persons in Charge of Data Processing, comply with the obligations laid down in this DPA, as applicable, in the manner and in accordance with the timing indicated thereunder.
4. Obligations of the Controller
4.1. The Controller undertakes to:
4.1.1. Ensure that the collection and further processing of all Processed Data is done in a lawful manner;
4.1.2. Provide clear and timely written instructions to the Processor regarding the Processed Data;
4.1.3. Assist and cooperate, within a reasonable manner, with the Processor whenever required under the processing of the Processed Data, namely if it suspects any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
4.1.4. Inform the Processor of any restriction required to the processing of any Processed Data, whether required by a Data Subject or instructed by a relevant data protection supervisory authority;
4.1.5. Keep the Processor up to date about the Processed Data or any other relevant information for its processing by the Processor or by its Sub-processors, namely about any notification or request for information from a relevant data supervisory authority.
5. Obligations of the Processor
5.1. The Processor undertakes to:
5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA and the Data Protection Law, and in strict compliance with the written instructions given by the Controller and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the obligations provided for by Data Protection Law or other applicable law;
5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
5.1.4. Assist and cooperate, within a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, whether required by a Data Subject or instructed by a relevant data protection supervisory authority, unless prohibited by law;
5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA;
5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified; and
5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. With regard to the Persons in Charge of Data Processing, the Processor further undertakes to:
5.2.1. guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, in each case, subject to the limits and in accordance with the conditions of this DPA, the principal agreement between Controller and Processor for the provision of the Services and the Data Protection Law;
5.2.2. guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
5.2.3. consent that the Processed Data are processed only by the Persons in Charge of Data Processing who (i) on the basis of their experience, capabilities and training, can ensure compliance with the Data Protection Law and need to access the data for the purpose of performing the Services; and (ii) periodically attend training courses on the obligations prescribed by the Data Protection Law;
5.2.4. adopt any physical, technical and organizational measure aimed at enabling:
5.2.4.1. each Person in Charge of Data Processing to access exclusively the Processed Data that he/she is authorized to process, by taking into account the activity that he/she is required to carry out to perform the Services;
5.2.4.2. any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Law to be promptly identified and reported to the Controller; and
5.2.4.3. upon termination of the Services and, with respect to each Person in Charge of Data Processing, upon termination of the appointment of such Person in Charge of Data Processing, including, without limitation, when the employment or collaboration relationship between the Person in Charge of Data Processing and the relevant Processor or Sub-Processor is terminated, ensure total confidentiality, availability and integrity of the Processed Data.
6. Sub-processors
6.1. Regarding the Processed Data, the Processor undertakes to engage and work only with sub-processors to whose engagement the Controller has not reasonably objected in writing.
6.2. Sub-Processors identified in Appendix 3 – General Authorization for Sub-processing are hereby authorized by the Controller to process Processed Data provided that said Sub-Processor:
6.2.1. has committed to confidentiality obligations and enters into a written agreement providing the same data protection obligations as set out in this DPA and other obligations as may be required by the Controller under the instructions of the Processor.
6.2.2. acts exclusively on behalf of the Controller or the Processor instructions;
6.2.3. provides adequate guarantees with reference to the technical and organizational measures adopted for the processing of the Processed Data, including, without limitation, ensuring that the Sub-Processor immediately ceases the processing of the Processed Data should such guarantee be no longer available.
6.3. In case of any intended changes concerning the addition or replacement of any of the Sub-Processors identified in Appendix 3 – General Authorization for Sub-processing, the Processor undertakes to notify the Controller, giving the Controller the opportunity to reasonably object to such change within 30 (thirty) days counting from said notification. If the Controller notifies the Processor of any objection to the proposed appointment, the Parties shall work together to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor. Costs related to this change, if any, will be borne by the Controller.
6.4. The Processor shall completely adopt all the Security Measures in compliance with the Data Protection Law and this DPA.
7. Security measures
7.1. Without limiting the foregoing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the Processed Data, and the likelihood and severity of the risk to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data, including, without limitation, the measures provided for by Article 32, paragraph 1 of the GDPR, and particularly including, but not limited to, the measures set forth in Section 7.2.
7.2. Processor shall maintain and enforce various policies, standards and processes, available in the Processor’s Trust Center at https://trust.notabene.id/, which are designed to secure personal data and other data to which Processor employees are provided access, and updates such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Section 7.1 above, the Processor shall implement appropriate technical and organizational measures, available in the Processor’s Trust Center at https://trust.notabene.id/. These measures ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. These measures shall ensure full compliance with Article 32 of the GDPR.
8. Processed Data Breach
8.1. In the event of a Personal Data Breach or any other incidents that may compromise the security of the Processed Data (such as loss, damage or destruction of the Processed Data in an electronic or hard copy format, third party unauthorized access to the Processed Data or any other breach of the Processed Data) including, without limitation, any breach or other incident resulting from the conduct of, if any, the Processor’s Sub-Processors and/or its Persons in Charge of Data Processing, the Processor shall:
8.1.1. without undue delay, and in any case not to exceed forty-eight (48) hours, inform the Controller by email, which shall include at least information regarding the type and description of the Personal Data Breach, identification of the Processed Data and the Data Subjects affected and potential consequences of said breach, as well as any remedies already put in place (if any). Where and insofar as it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay; and
8.1.2. in collaboration with the Controller, adopt immediately, and in any case without undue delay, all necessary measures to minimize any type of risk that may derive for the Data Subjects from such breach or incident, remedy such breach or incident and mitigate any possible adverse effect.
8.2. The Controller is fully liable, whenever required, for notifying such Personal Data Breach to the relevant data protection supervisory authority and to the Data Subjects, if applicable.
9. Data Subjects’ Rights
9.1. The Controller shall ensure that the rights granted to the Data Subjects by the Data Protection Law are effectively executed. The Processor undertakes to notify the Controller in writing within 5 (five) Business Days of receipt of any request made in this respect by the Data Subjects.
9.2. The Processor shall cooperate with the Controller to ensure that all requests by Data Subjects exercising their rights under the Data Protection Law (including, without limitation, the right to object to the processing and the right to the Processed Data portability) are complied with within the time period and in accordance with all other requirements provided for by the Data Protection Law.
10. Audits
The Processor acknowledges and accepts that the Controller may assess the organizational, technical and security measures adopted by the Processor in the processing of the Processed Data by way of audit no more frequently than annually (unless in the context of a Processed Data Breach). To this end, upon no less than ten (10) Business Days’ prior written notice (except if there is a reasonable urgency of the Controller for an earlier prior notice), the Controller will be entitled to access, directly or through any authorized third-party, the premises, computers and any other IT system/file of the Processor and its Sub-Processors, if, at its sole discretion, the Controller deems it necessary to verify compliance by the Processor and/or one of its Sub-Processors with this DPA and the Data Protection Law or to ascertain any breach of the Processed Data.
11. Transfers of Processed Data outside the EEA
11.1. The Processor will carry out the processing only in the European Economic Area (“EEA”) and agrees not to transfer the Processed Data outside the EEA, without the Controller's prior written consent or unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
11.2. When the Processor transfers personal data with the Controller’s consent, as provided for in clause 11.1 above, such transfer is made in accordance with the provisions of Chapter V of the GDPR and with the instructions given by the Controller in relation to such transfer.
11.3. In case the Processor transfers data outside the EEA, the Processor, acting as data exporter, shall ensure that (1) whenever there is no adequacy decision in place as set forth in article 45 of the GDPR, it will execute additional safeguards, including but not limited to, the Standard Contractual Clauses as timely approved by the European Commission; and (2) will provide appropriate safeguards in relation to the transfer which grant the Data Subject enforceable rights and effective legal remedies.
11.4. If any of the Sub-Processors engaged by the Processor is based out of the EEA or transfers Processed Data to any country that is not in the EEA, the Processor will execute with such Sub-Processor the equivalent Standard Contractual Clauses model as required by law.
12. Local Law
12.1. As of the Effective Date, Notabene has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent Notabene from fulfilling its obligations under this DPA. In the event either Party is legally required to amend this Agreement in order to comply with applicable privacy laws, the Parties will negotiate such amendments in good faith.
12.2. If Notabene receives a legally binding request from a public authority to access Personal Data that Notabene processes on behalf of the Customer/End User, Notabene shall, unless otherwise legally prohibited, promptly notify the Customer/End User including a summary of the nature of the request.
13. European Union Specific Provisions
13.1. The parties agree that transfers of Personal Data, which are processed in accordance with the GDPR, from the Data Exporter (Controller) to the Data Importer (Processor) outside of the European Economic Area, are made pursuant to the Module Two (Controller to Processor) EU Standard Contractual Clauses https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, which are deemed entered into (and incorporated into this DPA by this reference). For Module Two (Controller to Processor) of the Standard Contractual Clauses, the following applies:
a. The optional docking clause in Clause 7 does not apply;
b. In Clause 9, Option 2 (general written authorisation) applies;
c. In Clause 11, the optional language does not apply;
d. All square brackets in Clause 13 are hereby removed;
e. In Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
f. In Clause 18(b), disputes will be resolved before the courts of Ireland;
g. Appendix 1, to this DPA contains the information required in Annex I of the SCCs;
h. Appendix 2 to this DPA contains the information required in Annex II of the SCCs; and
i. Appendix 3 to this DPA contains the information required in Annex III of the SCCs.
Appendix 1 - Details of Processing Activities and Data Transfer
1. LIST OF PARTIES:
Data exporter(s): Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union
Name: […]
Address: […]
Contact person's name, position, and contact details: […]
Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement
Data importer(s): Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: Notabene, Inc.
Address: 25 Kent Avenue, Suite 401, Brooklyn, New York 11249 USA
Contact person's name, position, and contact details:
Adam Brogden
Instant EU GDPR Representative Ltd
+353 15 549 700
Office 2, 12A Lower Main Street, Lucan Co.
Dublin, Ireland
K78 X5P8
Activities relevant to the data transferred under these clauses: Provision of the Services pursuant to the Agreement
2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS PROCESSED AND TRANSFERRED:
- Controller(s) – customers, end users, and ultimate counterparties of value transfers
- Authorised Users – employees and contractors of controller
3. CATEGORIES OF PERSONAL DATA PROCESSED AND TRANSFERRED:
- Name
- Address
- Nationality
- Account number
- E-mail address
4. SENSITIVE DATA:
The parties do not anticipate the processing (including transfer) of sensitive data under the Agreement.
5. FREQUENCY OF THE TRANSFER
Data is processed and transferred on a continuous basis depending on the use of the Services by Customer/Affiliated Entities/End Users.
6. NATURE OF THE PROCESSING:
- Nature of the processing: collection, analysis, transmission, and record keeping of personal identifying information of the originator and beneficiary of a value transfer; collection and further processing of the names, email addresses and activities of the Controller's employees in the software dashboard, which constitutes the provision of the Services pursuant to the Agreement.
- Brief description of the processing activities: the data processing activities are performed in order to allow the controller to benefit from the services, according to the purposes further explained below.
7. PURPOSE OF THE PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
The provision of the Services requires two data processing activities:
- Enabling the Controller to perform counterparty verification using FATF Recommendation 16 and its implementation in local regulation;
- Granting authorization of access to dashboard and PII of controller’s customers/end users to only authorized staff.
8. DURATION OF PROCESSING:
Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing or required by law. Upon termination of the Services by either party, Processor shall cease processing Personal Data on behalf of Customer/Affiliated Entities/End User upon completion of the termination provisions described herein (unless required by law to keep processing such data). Provider shall provide written confirmation of deletion or return of Personal Data to Client.
9. SUB-PROCESSOR TRANSFERS:
Sub-processor(s) set forth at https://trust.notabene.id/subprocessors will process Personal Data as necessary to provide the Services pursuant to the Agreement. Subject to the provisions of this DPA specific to Sub-processors, the Sub-processor(s) will process Personal Data for the duration of the Agreement, unless otherwise agreed by Customer/Affiliated Entities/End User in writing.
10. COMPETENT SUPERVISORY AUTHORITY
Competent supervisory authority: Irish Data Protection Commission
Appendix 2 - Technical and Organisational Measures
- Without limiting the foregoing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the Processed Data, and the likelihood and severity of the risk to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data, including, without limitation, the measures provided for by Article 32, paragraph 1 of the GDPR, and particularly including, but not limited to, the measures set forth in Section 2 below.
- Processor shall maintain and enforce various policies, standards and processes, available in the Processor’s Trust Center at https://trust.notabene.id/, which are designed to secure personal data and other data to which Processor employees are provided access, and updates such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Section 1 above, the Processor shall implement appropriate technical and organizational measures available in the Processor’s Trust Center at https://trust.notabene.id/. These measures ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. These measures shall ensure full compliance with Article 32 of the GDPR.