Data Processing Agreement

Annex 1 – Data processing Agreement

This Data Processing Agreement is an annex to the Terms and forms an integral part of the Agreement between the Parties. This Annex 1 sets out the additional terms, requirements, and conditions under which Loxygen (acting in the capacity of Processor or Sub-processor) will process Personal Data on behalf of the Client (acting in the capacity of Controller or Processor) in the execution of the Agreement. This Annex contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation 2016/679 (hereinafter referred to as “GDPR”) for agreements between Controllers and Processors.

1)  Insofar no definition is provided in the Agreement, the capitalized terms in this Annex shall have the definition that they are given under the GDPR.

2)  Loxygen agrees:

a)  to Process the Personal Data only on documented instruction from the Client in accordance with Appendix A, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Loxygen is subject; in such a case, Loxygen shall inform the Client of that legal requirements before Processing, unless that law prohibits this;

b)  to immediately inform the Client if, in Loxygen opinion, an instruction infringes the GDPR or other applicable data protection provisions;

c)  not to make available Personal Data to third parties without the Client’s prior written approval;

d)  that persons authorized to Process the Personal Data are committed to confidentiality by an agreement or are under an appropriate statutory obligation of confidentiality;

e)  to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk (e.g. against the unauthorized or unlawful Processing of the Personal Data and against the accidental loss, destruction of or damage to such data) as set out in Appendix A;

f)  taking into account the general written authorization given by the Client to engage other Sub-processors, to inform the Client if Loxygen intends to appoint another Sub-processor than the ones set out in Appendix A and allow the Client to object to this appointment within fourteen (14) days in writing and on reasonable grounds supported by documentary evidence. If the Client did not submit a written, well-reasoned objection to the engagement of any additional Sub-Processors, within the aforementioned time, the engagement of the additional Sub-Processors shall be deemed authorized; 

g)  to impose the same data protection obligations as set out in this Annex to authorized Sub-processor by way of a contract in such a manner that the Processing will meet the requirements of the GDPR; 

h)  that where appointed Sub-processors fail to fulfil their data protection obligations, Loxygen shall remain fully liable to the Client for the performance of that Sub-Processor’s obligations;

i)  to reasonably assist the Client by appropriate technical and organizational measures (i) for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject’s rights or (ii) the Client’s compliance with any other obligation under the GDPR;

j)  to take into account as much as possible the principles in respect of data protection by design and default when Processing Personal Data;

k)  to notify the Client of any Personal Data Breach without undue delay after becoming aware of such breach and to reasonably assist the Client with mitigating and resolving such Personal Data Breach;

l)  not to Process Personal Data outside the EEA without the Client’s written consent and only subject to the safeguards required under the GDPR;

m)  not to keep the Personal Data any longer than required for the performance of the Agreement, unless another storage period is instructed by the Client or applies pursuant to applicable law;

n)  to delete or return (at the choice of the Client) all the Personal Data to the Client after termination of the Agreement; and to delete existing copies unless applicable law requires storage of the Personal Data;

o)  to make available to the Client all information reasonably necessary to demonstrate compliance with the obligations laid down in this Annex; and to reasonably allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

3)  The Parties acknowledge and agree, in the event it would be necessary, regardless of the reason (such as, but not limited to, any (prospective) changes to the applicable data protection legislation or any amendments to the scope of the Services, cooperation or the Agreement), to enter into a more extensive data processing agreement as may be necessary.

4)  To the extent permitted under applicable law, any limitations and/or exclusions of liability in the Agreement shall apply to this Annex. In addition, Loxygen shall only be liable under this Annex if it has: (i) failed to comply with its specific obligations under the GDPR; or (ii) acted outside or in breach of the Client's lawful instructions

5)  This Annex is governed by all miscellaneous clauses of the Terms, including the competent court and applicable law provisions, unless the context would require otherwise.