DATA PROCESSING AGREEMENT


GENERAL SYSTEM DATA PROCESSING AGREEMENT

1. ADDITIONAL DEFINITIONS AND INTERPRETATION.

1.1 In this Data Processing Agreement (the “DPA”), the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:

(a) “Cessation Date” has the meaning given in Paragraph 9.1.

(b) “Customer Personal Data” means any Personal Data Processed by or on behalf of General System on behalf of Customer under this Agreement.

(c) “Data Protection Legislation” means, collectively: (i) the GDPR; and (ii) all other applicable laws relating to the collection, Processing and protection of Personal Data and privacy that may exist in any relevant jurisdiction.

(d) “Data Subject” means the identified or identifiable natural person located in the European Economic Area or the United Kingdom to whom Customer Personal Data relates. 

(e) “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.

(f) “EEA” means the European Economic Area.

(g) “GDPR” means, as applicable: (i) the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“EU GDPR”); (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and/or (iii) any legislation, and/or regulation implementing or made pursuant to them or which amends, replaces, re-enacts or consolidates any of them. References to “Articles” and “Chapters” of the GDPR shall be construed accordingly.

(h) “Relevant Body” means: (i) in the context of the UK GDPR, the UK Information Commissioner’s Office; and/or (ii) in the context of the EU GDPR, the European Commission.

(i) “Restricted Country” means: (i) in the context of the UK, a country or territory outside the UK; and (ii) in the context of the EEA, a country or territory outside the EEA, in each case that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Customer Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.

(j) “Restricted Transfer” means the disclosure, grant of access or other transfer of Customer Personal Data to any person located in: (i) in the context of the EEA, a Restricted Country outside the EEA (an “EEA Restricted Transfer”); and/or (ii) in the context of the UK, a Restricted Country outside the UK (a “UK Restricted Transfer”).

(k) “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision EU 2021/914. 

(l) “Subprocessor” means any third-party appointed by or on behalf of General System to Process Customer Personal Data.

(m) “UK Transfer Addendum” means the template Addendum B.1.0 issued by the UK Information Commissioner’s Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “Mandatory Clauses”).

1.2 In this DPA:

(a) the terms “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the GDPR; and

(b) unless otherwise defined in this DPA, all capitalised terms shall have the meaning given to them in this Agreement.

2. PROCESSING OF CUSTOMER PERSONAL DATA.

2.1 In respect of Customer Personal Data, the parties acknowledge that:

(a) General System acts as a Data Processor; and 

(b) Customer acts as the Data Controller.

2.2 General System shall:

(a) comply with all applicable Data Protection Legislation in Processing Customer Personal Data; and

(b) not Process Customer Personal Data other than:

   i) on Customer’s instructions; and

   ii) as required by applicable law.

2.3 Customer instructs General System to Process Customer Personal Data as necessary for the purpose of providing the Software to it. Where General System receives an instruction from Customer that, in its reasonable opinion, infringes Data Protection Legislation, General System shall inform Customer.

2.4 Customer represents and warrants on an ongoing basis that there is, and will be throughout the term of this Agreement, a valid legal basis for the Processing by General System of Customer Personal Data in accordance with this DPA. In particular and without prejudice to the foregoing, Customer represents and warrants on an ongoing basis that all Customer Personal Data was collected lawfully (including in accordance with applicable Data Protection Legislation).

2.5 Appendix 1 (Data Processing Details) sets out certain information regarding General System’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.

3. GENERAL SYSTEM PERSONNEL.

General System shall take reasonable steps to ensure the reliability of any General System personnel who Process Customer Personal Data, ensuring that: 

(a) access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data for the purposes described in this DPA; and

(b) all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. SECURITY.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk for the rights and freedoms of natural persons, General System shall, in relation to Customer Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.

5. SUBPROCESSING.

5.1 Customer hereby authorises General System to appoint Subprocessors in accordance with this Paragraph 5.

5.2 General System may continue to use those Subprocessors already engaged by General System as at the date of this Agreement, subject to General System meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4 below. 

5.3 General System shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within ten (10) days of receipt of that notice, Customer notifies General System in writing of any objections (on reasonable grounds) to the proposed appointment:

(a) General System shall use reasonable efforts to make available a commercially reasonable change in the provision of the Software which avoids the use of that proposed Subprocessor; and

(b) where such a change cannot be made, General System may by written notice to Customer terminate this Agreement with immediate effect and without further liability.

5.4 With respect to each Subprocessor, General System shall ensure that the arrangement between General System and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this DPA (including those set out in Paragraph 4).

6. DATA SUBJECT RIGHTS.

6.1 Taking into account the nature of the Processing, General System shall (at Customer’s sole cost) provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances to assist Customer in fulfilling its obligation to respond to Data Subject Requests.

6.2 General System shall:

(a) promptly notify Customer if General System receives a Data Subject Request; and

(b) ensure that General System does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s sole cost) or as required by applicable law.

7. PERSONAL DATA BREACH.

7.1 General System shall notify Customer without undue delay upon General System becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information, insofar as such information is at such time available to General System, to allow Customer to meet any obligations under Data Protection Legislation to report the Personal Data Breach.

7.2 General System shall co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION.

General System shall provide reasonable assistance to Customer (at Customer’s sole cost) with any data protection impact assessments and prior consultations with Supervisory Authorities, in each case solely in relation to the Processing of Customer Personal Data by General System.

9. DELETION. 

9.1 Subject to Paragraphs 9.2, 9.3 and 9.4 below, upon the date of cessation of Customer’s access to the Software (the “Cessation Date”), General System shall immediately cease all Processing of Customer Personal Data for any purpose other than for storage.

9.2 Customer hereby acknowledges and agrees that, due to the nature of the Customer Personal Data Processed by General System, return (as opposed to deletion) of Customer Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Customer agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected deletion, in preference of return, of Customer Personal Data.

9.3 To the fullest extent technically possible in the circumstances, within thirty (30) days after the Cessation Date, General System shall securely delete all Customer Personal Data then within General System’s possession.

9.4 General System may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that General System shall ensure the confidentiality of all such Customer Personal Data.

10. AUDIT RIGHTS.

10.1 General System shall make available to Customer on request such information as General System (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this DPA. 

10.2 Subject to Paragraph 10.3 below, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by General System pursuant to Paragraph 10.1 above is not sufficient to demonstrate General System’s material compliance with this DPA, General System shall allow for and contribute to audits by Customer or an auditor mandated by Customer during General System’s normal business hours in relation to the Processing of Customer Personal Data by General System (but not more than once in every twelve (12)-month period). Customer shall bear any costs in connection with such inspection or audit and reimburse General System for all costs incurred by General System in connection with any such inspection or audit. 

10.3 Customer shall give General System reasonable notice of any audit or inspection to be conducted (which shall in no event be less than thirty (30) days’ notice) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies General System in respect of, any damage, injury or disruption to General System’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of General System’s other customers or the availability of General System’s services to such other customers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on premise inspection.

11. RESTRICTED TRANSFERS. 

11.1 Customer acknowledges and agrees that General System may store and Process Customer Personal Data outside the EEA or the UK. The parties agree that, to the extent Customer transfers Customer Personal Data to General System in a Restricted Country, it shall be effecting a Restricted Transfer. To allow such Restricted Transfer to take place without breach of Data Protection Legislation, the parties agree as follows:

11.2 in the event of an EEA Restricted Transfer, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) populated in accordance with Part 1 of Appendix 2 (Population of SCCs); and (ii) entered into by the parties and incorporated by reference into this DPA; and

11.3 in the event of a UK Restricted Transfer, the parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be: (i) varied to address the requirements of the UK GDPR in accordance with the UK Transfer Addendum; (ii) populated in accordance with Part 2 of Appendix 2 (Population of SCCs); and (iii) entered into by the parties and incorporated by reference into this DPA.

Appendix 1
Data Processing Details

This Appendix 1 to the DPA includes certain details of the Processing of Customer Personal Data by General System as required by Article 28(3) GDPR.

Subject Matter of the Processing

General System’s provision of the Software to Customer.

Duration of the Processing

The Licence Term, plus the period from the end of the Licence Term until deletion of all Customer Personal Data by General System in accordance with the DPA.

Nature and Purpose of the Processing

General System will Process Customer Personal Data for the purposes of providing the Software to Customer in accordance with the DPA.

Types of Customer Personal Data to be Processed

Personal Data relating to individuals provided to General System via the Software, by (or at the direction of) Customer or its users.

Categories of Data Subjects to whom Customer Personal Data relates

Data Subjects include the individuals about whom data is provided to General System via the Software by (or at the direction of) Customer or its users.

Appendix 2
Population of SCCs

Notes:

  • In the context of any EEA Restricted Transfer, the SCCs populated in accordance with Part 1 of this Appendix 2 are incorporated by reference into, and form an effective part of, the DPA.
  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Appendix 2 are incorporated by reference into, and form an effective part of, the DPA.


PART 1: EEA RESTRICTED TRANSFERS

1. SIGNATURE OF THE SCCs.

Where the SCCs apply in accordance with Paragraph 11 of the DPA, each party is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

2. MODULE.

Module Two (Controller to Processor) of the SCCs shall apply to any EEA Restricted Transfer.

3. POPULATION OF THE BODY OF THE SCCs.

3.1 The SCCs shall be populated as follows:

   a) The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

   b) In Clause 9: 

      i) OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Paragraph 5 of the DPA; and

      ii) OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.

   c) In Clause 11, the optional language is not used and is deleted. 

   d) In Clause 13, all square brackets are removed and all text therein is retained. 

   e) In Clause 17: OPTION 1 applies, and the parties agree that the SCCs shall be governed by the laws of Ireland in relation to any EEA Restricted Transfer; and OPTION 2 is not used and that optional language is deleted.

   f) For the purposes of Clause 18, the parties agree that any dispute arising from the SCCs in relation to any EEA Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

4. POPULATION OF ANNEXES TO THE SCCs.

4.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Appendix 1 (Data Processing Details), with Customer being ‘data exporter’ and General System being ‘data importer’.

4.2 Part C of Annex I to the Appendix to the SCCs is populated as below:

      Data Protection Commission

      21 Fitzwilliam Square South

      Dublin 2

      D02 RD28

      Ireland

4.3 Annex II to the Appendix to the SCCs is populated by reference to Paragraph 4 of the DPA.

PART 2: UK RESTRICTED TRANSFERS

Where relevant in accordance with Paragraph 11 of the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below:

   

   a) Part 1 of the UK Transfer Addendum.  As permitted by Section 17 of the UK Transfer Addendum, the parties agree that:

      i) Tables 1, 2 and 3 of Part 1 of the UK Transfer Addendum are deemed populated with the corresponding details set out in Appendix 1 (Data Processing Details) and the foregoing provisions of Part 1 of this Appendix 2 (subject to the variations effected by the Mandatory Clauses described in (b) below); and

      ii) Table 4 of Part 1 of the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked. 

   

   b) Part 2 of the UK Transfer Addendum.  The parties agree to be bound by the Mandatory Clauses of the UK Transfer Addendum.

In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs shall be read as a reference to those SCCs as varied in the manner set out in this Part 2.
