DATA PROCESSING TERMS

Data Processing Terms (Data Processing Agreement)

Version 1.0 - 13 September 2019

PARTIES:

1.    Company / Customer / Individual that registers via Enactia’s online Customer Registration and Trial form hereinafter referred to as the “Customer” or “Controller”, agreeing to these terms;

and

2.    Enactia Ltd hereinafter referred to as “Enactia” or “Processor”;

 

WHEREAS:

A.    The Parties have entered into an Agreement hereinafter referred to as the “Service Agreement” (“Agreement”) for the provision of services from Enactia to the Controller.

B.    During the provision of the services, Enactia may process personal data on behalf of the Controller. 

C.    The Parties intend to regulate the processing of personal data and the relationship between them by means of this agreement, in order to ensure compliance with the provisions of the Data Protection Laws. This Agreement sets out the obligations of the Parties with regard to the processing of personal data and defines the conditions on which Enactia will process personal data subject to the Data Protection Laws.

D.    This Agreement is added as an Addendum to the Service Agreement (Terms of Use, Disclaimer Refund Policy) and becomes an integral part of the Service Agreement.

 

IT IS HEREBY AGREED AS FOLLOWS:

1.    Introduction

This Data Processing Agreement reflects the parties’ agreement with respect to the terms governing the processing and security of Customer Data under the applicable Agreement.

This agreement is made on the date of acceptance when registering in Enactia’s online Customer Registration and Trial form. 


2.    Definitions

The following terms have the meanings set out below for this Agreement:

2.1    “Additional Products” means products, services and applications that are not part of the Services but that may be accessible, via the Admin Console or otherwise, for use with the Services.

2.2    “Additional Security Controls” means security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines. “Additional Security Controls” may include the Admin Console and other features and functionality of the Services such as two-factor authentication, security key enforcement and monitoring capabilities.

2.3    “Advertising” means online advertisements displayed by Enactia to End Users, excluding any advertisements Customer expressly chooses to have Enactia or any of its Affiliates display in connection with the Services under a separate agreement (for example, Enactia AdSense advertisements implemented by Customer on a website created by Customer using any Enactia Sites functionality within the Services).

2.4    “Affiliate” means any entity controlling, controlled by, or under common control with a party, where “control” is defined as: (a) the ownership of at least fifty per cent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.

2.5    “Alternative Transfer Solution” means a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).

2.6     “Controller” means the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

2.7    "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2.8    “Customer Personal Data” means personal data contained within the Customer Data.

2.9    “Data Incident” means a breach of Enactia’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Enactia. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

2.10    “Data Protection Laws” means the Cyprus Data Protection Law 125 (I)/2018 and the Regulation (EU) 2016/679 (the “GDPR”) and any subordinate legislation made under such Act from time to time together with any guidance and/or codes of practice issued by the Commissioner for the Protection of Personal Data;

2.11    “Data Subject” means a Client or employee of the Data Controller or Partner or other natural person whose Personal Data are processed in the context of this Agreement;

2.12    "EEA" means the European Economic Area;

2.13    “European Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).

2.14    “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

2.15    "Effective Date" means the date on which this Agreement comes into force;

2.16    “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

2.17    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed; 

2.18    "Processing of Personal Data” (or “Processing/Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.19     “Processor” means a natural or legal person, public authority, agency or another body which processes Personal Data on behalf of a Controller;

2.20    "Recipient" means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

2.21    “Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

2.22    “Non-European Data Protection Legislation” means data protection or privacy legislation in force outside the European Economic Area and Switzerland.

2.23    “Notification Email Address” means the email address(es) designated by Customer in the Admin Console or the Order Form to receive certain notifications from Enactia.

2.24    “Security Documentation” means all documents and information made available by Enactia under Section 7.5.1 (Reviews of Security Documentation).

2.25    “Security Measures” has the meaning given in Section 9 (Security of Processing).

2.26    “Special Categories Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation, as well as any other type of data that will be considered to be sensitive according to any future revision of EU Data Protection Law;

2.27    “Subprocessor” means the entity located within or outside Europe engaged by Enactia or any further Sub-Contractor to process Personal Data on behalf of and under the instructions of the Controller;

2.28    "Supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR, or the Cypriot Commissioner of the Protection of Personal Data.

2.29    "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data;

All capitalized terms not defined herein shall have the meaning set forth in the service agreement.

 

3.    Scope of Data Protection Legislation

3.1    Application of European Legislation. The parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of Customer Personal Data if, for example:

(a) the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA; and/or

(b) the Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.

3.2    Application of Non-European Legislation. The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.

3.3    Application of Data Processing Agreement. Except to the extent this Data Processing Agreement states otherwise, the terms of this Data Processing Agreement will apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Customer Personal Data.

 

4.    Obligations of Controller (Customer)

The Controller has the obligations to: 

a)    Comply with the provisions of Data Protection Laws;

b)    Provide Enactia with lawful instructions;

c)    Rely on a valid legal ground under GDPR, including obtaining data subjects’ appropriate consent if required or appropriate under GDPR;

d)    Ensure that Personal Data is accurate, complete and current; adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed;

e)    Cooperate with Enactia to fulfil their respective data protection compliance obligations in accordance with Data Protection Laws.

 

5.    Obligations of Processor (Enactia)

5.1    Enactia shall:

a)     only process Controller’s personal data in accordance with the written instructions of the Controller or as agreed in the Service Agreement (Terms of Use) unless Enactia is obliged to further process Controller’s personal data by the applicable law. In such a case, Enactia shall notify the Controller about such legal obligation before the processing, unless the law prohibits such notification;

b)    immediately inform the controller if, in its opinion, an instruction infringes Data Protection Laws;

c)    ensure that access to personal data will be granted to its employees and/or agents and/or subprocessors (“Personnel”) on a need to know basis and that only appropriately trained personnel shall have access to the personal data;

d)    ensure that the persons authorised to process the personal data have entered into confidentiality agreements or are under an appropriate statutory obligation of confidentiality;

e)    ensure that the Personal Data is not in any way used, manipulated, distributed, copied or processed for any other purpose than for the fulfilment of the contractual obligations as explicitly agreed upon and arising from this Agreement;

f)    maintain a record of the personal data processing activities carried out on behalf of the Controller if applicable, in accordance with the Data Protection Laws;

g)    appoint a Data Protection Officer, if it is subject to Article 37 of the GDPR, and inform the Controller of the appointment of a Data Protection Officer, where applicable;

h)    not disclose personal data to third parties and/or service providers not authorized/indicated by the Controller;

i)    comply with all other provisions of the Data Protection Laws to which Enactia is subject.

5.2    Enactia shall provide to the Controller all information necessary to demonstrate compliance with its obligations laid down in the Data Protection Laws and shall allow and contribute to audits and inspections performed by the Controller or another auditor appointed by the Controller. 

 

6.    Processing of Data

6.1    Roles and Regulatory Compliance; Authorization.

6.1.1    Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:

a)  The subject matter and details of the processing are described in Appendix 1;

b)  Enactia is a processor of that Customer Personal Data under the European Data Protection Legislation;

c)   Customer is a controller or processor, as applicable, of that Customer Personal Data under the European Data Protection Legislation; and

d)   Each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.

6.1.2    Authorization by Third Party Controller. If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Enactia that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Enactia as another processor, have been authorized by the relevant controller.

6.1.3    Responsibilities under Non-European Legislation. If Non-European Data Protection Legislation applies to either party’s processing of Customer Personal Data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that Customer Personal Data.

6.2    Scope of Processing

6.2.1    Customer’s Instructions. By entering into this Data Processing Agreement, Customer instructs Enactia to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Terms of Use of the Services (including the Customer Portal Console and other functionality of the Services) and related technical support; (c) as documented in the form of the applicable Agreement, including this Data Processing Agreement; and (d) as further documented in any other written instructions given by Customer and acknowledged by Enactia as constituting instructions for purposes of this Data Processing Agreement.

6.2.2    Enactia’s Compliance with Instructions. As from the Full Activation Date (at the latest), Enactia will comply with the instructions described in Section 5.2.1 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Enactia is subject requires other processing of Customer Personal Data by Enactia, in which case Enactia will inform Customer (unless that law prohibits Enactia from doing so on important grounds of public interest) via the Notification Email Address. For clarity, Enactia will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services.

 

7.    Data Subjects Rights

Taking into account the nature of the processing, Enactia shall implement appropriate technical and organisational measures, insofar as this is possible, to assist the Controller to respond to a request for exercising the data subjects’ rights set out in the Data Protection Laws.

In the event that Enactia receives a request from a data subject to exercise a right, Enactia shall notify the Controller and shall not take any action on the request unless the Controller’s instructions specify otherwise.

7.1    Data Export.

7.1.1    Access; Rectification; Restricted Processing; Portability. During the applicable Term, Enactia will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Enactia as described in Section 15 (Deletion and Return), and to export Customer Data.

7.1.2    Data Subject Requests.

a)    Customer’s Responsibility for Requests. During the applicable Term, if Enactia receives any request from a data subject in relation to Customer Personal Data, Enactia will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.

b)    Enactia’s Data Subject Request Assistance. Customer agrees that (taking into account the nature of the processing of Customer Personal Data) Enactia will assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:

i.    Providing the Additional Security Controls; and

ii.    Complying with the commitments set out in Section 7.1.1 (Access; Rectification; Restricted Processing; Portability) and Section 7.1.2 (Customer’s Responsibility for Requests).

 

8.    Data Protection Impact Assessment (DPIA) and Consultations

Enactia Ltd shall provide reasonable assistance to the Controller with any data protection impact assessments, and when necessary, prior consultations with the Supervisory Authority, which the Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of personal data by Enactia.

 

9.    Security of Processing

Enactia Ltd must implement appropriate technical and organizational measures to protect personal data processed on behalf of the Controller against accidental or unlawful destruction or accidental loss, alteration, dissemination, unauthorized disclosure or access, and against all other unlawful forms of processing.
The measures referred to below shall ensure a level of security appropriate to the risks embedded in the processing, the nature of the personal data processed as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, including, as appropriate and where required:

a)    the pseudonymization and encryption of personal data;

b)    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c)    the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d)    a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing.

 

10.    Incidents - Personal Data Breach

10.1    Enactia shall implement appropriate technical and organisational measures to prevent, detect and respond to any personal data breach prior to the processing of personal data.

10.2    In case where Enactia suffers a personal data breach, Enactia shall:
a)    Notify the Controller in writing immediately and no later than 24 hours after becoming aware of the breach,
b)    Take immediate actions to respond to the breach. Such actions shall aim to minimize the potential impact that the breach may have on the rights and freedoms of data subjects affected by the personal data breach.

10.3    The notification that Enactia shall provide to the Controller shall include at least the following information:

a)    description of the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned; 

b)    the name and contact details of the contact point where more information can be obtained; 

c)    description of the likely consequences of the Personal Data breach; 

d)    description of the measures taken or proposed to be taken by Enactia to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.4    Enactia shall provide reasonable assistance to the Controller in order to notify the personal data breach to the Supervisory Authority, to communicate the breach to the data subject if necessary and to further investigate, mitigate and remediate the breach.

10.5    Appropriate technical and organizational measures to prevent, detect and respond to any personal data breach shall be implemented by Enactia prior to the processing of personal data.

10.6    Enactia will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Without prejudice to Enactia’s obligations under this Section, Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).

10.7    Enactia’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgement by Enactia of any fault or liability with respect to the Data Incident.

 

11.    Customer’s Security Responsibilities and Assessment

11.1    Customer’s Security Responsibilities. Customer agrees that without prejudice to Enactia’s obligations under Section 9 (Security of Processing) and Section 10 (Incidents - Personal Data Breach):

a)    Customer is solely responsible for its use of the Services, including:

i.    making appropriate use of the Services and the Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Data;

ii.    securing the account authentication credentials, systems and devices Customer uses to access the Services; and

iii.    retaining copies of its Customer Data as appropriate; and

b)    Enactia has no obligation to protect copies of Customer Data that Customer elects to store or transfer outside of Enactia’s and its Subprocessors’ systems (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.

11.2    Customer’s Security Assessment.

11.2.1    Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and Enactia’s commitments under this Section 9 (Security of Processing) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.

11.2.2    Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Enactia as set out in Section 9 (Security of Processing) provide a level of security appropriate to the risk in respect of the Customer Data.

 

12.    Reviews and Audits of Compliance

12.1    Reviews of Security Documentation. 
In addition to the information contained in the applicable Agreement including this Data Processing Amendment, Enactia will make available for review by Customer the following documents and information to demonstrate compliance by Enactia with its obligations under this Data Processing Amendment:

a)    The relevant certificates issued in relation to Information Security and/or Data Privacy;

b)    Other types of Audit or Third-Party Assurance reports.

12.2    Customer’s Audit Rights.

a)    If the European Data Protection Legislation applies to the processing of Customer Personal Data, Enactia will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Enactia’s compliance with its obligations under this Data Processing Agreement in accordance with Section 12.3 (Additional Business Terms for Reviews and Audits). Enactia will contribute to such audits.

b)    If Customer has entered into Model Contract Clauses as described in Section 13.2 (Transfers of Data Out of the EEA), Enactia will, without prejudice to any audit rights of a supervisory authority under such Model Contract Clauses, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Model Contract Clauses in accordance with Section 12.2 (Additional Business Terms for Reviews and Audits).

c)    Customer may also conduct an audit to verify Enactia’s compliance with its obligations under this Data Processing Amendment by reviewing the Security Documentation (which reflects the outcome of audits conducted by Enactia’s Third Party Auditor).

12.3     Additional Business Terms for Reviews and Audits

a)    Enactia may charge a fee (based on Enactia’s reasonable costs) for any audit. Enactia will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

b)    Enactia may object in writing to an auditor appointed by Customer to conduct any audit if the auditor is, in Enactia’s reasonable opinion, not suitably qualified or independent, a competitor of Enactia, or otherwise manifestly unsuitable. Any such objection by Enactia will require Customer to appoint another auditor or conduct the audit itself.

 

13.    Data Transfers

13.1    Data Storage and Processing Facilities. Customer agrees that Enactia may, subject to Section 13.2 (Transfers of Data Out of the EEA), store and process Customer Data in any other country in which Enactia or any of its Subprocessors maintains facilities. Enactia Data Centers are located in the EEA, in Cyprus and the Netherlands (within the EEA).

13.2    Transfers of Data Out of the EEA.
Personal data shall only be transferred outside the EEA if the conditions set out in Articles 44-49 of GDPR are fulfilled. Enactia shall transfer personal data to a country without an adequacy decision only if the Controller has been informed by Enactia about the conditions on which the transfer will be based and the Controller has consented to the transfer.

Enactia warrants that prior to the execution of any transfer of personal data outside the EEA the conditions of the GDPR will be complied with and that Enactia will inform the Controller about the transfer and the conditions which apply to the transfer.

13.2.1    Enactia’s Transfer Obligations. If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EEA and the European Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”) under any Agreement, Enactia will, in relation to Transferred Personal Data under all Agreements:

a)    if requested to do so by Customer, ensure that Enactia as the data importer of the Transferred Personal Data enters into Model Contract Clauses with Customer as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or

b)    offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to Customer about such Alternative Transfer Solution.

13.2.2    Customer’s Transfer Obligations. In respect of Transferred Personal Data under any Agreement, Customer agrees that:

a)    if under the European Data Protection Legislation Enactia reasonably requires Customer to enter into Model Contract Clauses in respect of such transfers, Customer will do so; and

b)    if under the European Data Protection Legislation Enactia reasonably requires Customer to use an Alternative Transfer Solution offered by Enactia, and reasonably requests that Customer take any action (which may include execution of documents) strictly required to give full effect to such solution, Customer will do so.

13.3    Disclosure of Confidential Information Containing Personal Data. If Customer has entered into Model Contract Clauses as described in Section 13.2 (Transfers of Data Out of the EEA), Enactia will, notwithstanding any term to the contrary in the applicable Agreement, ensure that any disclosure of Customer's Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.

 

14.    Sub-processing

14.1    Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of: (a) those entities listed that can be provided upon request (Information about Subprocessors); and (b) all other Enactia Affiliates from time to time. In addition, Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Third Party Subprocessors”). If Customer has entered into Model Contract Clauses as described in Section 13.2 (Transfers of Data Out of the EEA), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Enactia of the processing of Customer Data if such consent is required under the Model Contract Clauses.

14.2    Information about Subprocessors. Information about Subprocessors, including their functions and locations can be made available upon request (as may be updated by Enactia from time to time in accordance with this Data Processing Agreement).

14.3    Requirements for Subprocessor Engagement. When engaging any Subprocessor, Enactia will:

(a) ensure via a written contract that:

(i)    the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Data Processing Agreement) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by Enactia as described in Section 13.2 (Transfers of Data Out of the EEA); and

(ii)    if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Data Processing Amendment, are imposed on the Subprocessor; and

(b)    remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

14.4    Opportunity to Object to Subprocessor Changes.

(a)    When any New Third Party Subprocessor is engaged during the applicable Term, Enactia will, at least 30 days before the New Third Party Subprocessor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) by sending an email to the Customer’s registered Email Address with Enactia.

(b)    Customer may object to any New Third Party Subprocessor by terminating the applicable Agreement immediately upon written notice to Enactia, on condition that Customer provides such notice within 90 days of being informed of the engagement of the subprocessor as described in Section 11.4(a). This termination right is Customer’s sole and exclusive remedy if Customer objects to any New Third Party Subprocessor.

14.5    Processor shall give Controller prior notice of the appointment of any new Subprocessor, including full details of the processing to be undertaken by the Subprocessor, in order to provide the Controller with an opportunity to object to the change or to terminate the Agreement before the Personal Data is communicated to the new Sub-Processor.

14.6    With respect to each Subprocessor, Enactia shall:

14.6.1    before the Subprocessor first processes Controller’s Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller’s Personal Data required by this Agreement;

14.6.2    ensure that the arrangement between Enactia and the Subprocessor is governed by a written contract including terms as those set out in this Agreement and meet the requirements of article 28 of the GDPR;

14.6.3    if that arrangement involves transfers of personal data outside EEA, Enactia shall ensure that the provisions of section 9 of this Agreement are fulfilled before the Subprocessor first processes Controller’s Personal Data and procure that it enters into any necessary agreement; and

14.6.4    at the request of the Controller, provide the agreements and any other relevant document (such as SCCs, audit reports etc.) with Subprocessors for review.

14.7    Enactia shall ensure that each Subprocessor performs the obligations under this Agreement, as they apply to the processing of Controller’s Personal Data carried out by that Subprocessor, as if it were a party to this Agreement in place of Processor.

14.8    Notwithstanding any authorisation by the Controller, Enactia shall remain fully liable vis-à-vis the Controller for the performance of any such Sub-Processor that fails to fulfil its data protection obligations.

 

15.    Deletion and Return

15.1    Upon termination of the Service Agreement or upon the Controller’s written request, or at the end of the provision of services relating to processing, Enactia shall, at the choice of the Controller, delete or return all the personal data to the Controller and delete any existing copies thereof unless Enactia is obliged by the applicable law to store the personal data.

15.2    Enactia shall notify all third parties involved in the processing activities of the termination of the processing activities and shall ensure that all such third parties shall either destroy or return the personal data to the Controller, at the choice of the Controller.

15.3    Upon the request of the Controller, Enactia shall provide the Controller with a certification of destruction of the personal data. 

 

16.    Confidentiality

16.1    Enactia shall keep professional secrecy concerning the personal data transferred by the Controller or accessed or processed on its behalf, in accordance with the Controller’s instructions pursuant to the Agreement.

16.2    The obligation of secrecy referred to in 15.1 shall be kept by Enactia after the termination of the Agreement, regardless of the reason for the termination.

 

17.    Liability and Indemnity 

17.1    Enactia indemnifies the Controller and holds the Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Controller and arising directly or indirectly out of or in connection with a breach of this Agreement and/or the Applicable Data Protection Law by Enactia. 

17.2    The Controller indemnifies Enactia and holds the data processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by Enactia and arising directly or indirectly out of or in connection with a breach of this Agreement and/or the Applicable Data Law by the Data Controller.


18.    Duration and Termination 

18.1    Notwithstanding 15.2 above, this Agreement remains in force during the provision of Services by Enactia to the Controller. 

18.2    The duration of this Agreement depends on the term of use of the Service Agreement. This Agreement will be terminated on the date of termination of the Service Agreement unless Parties agree otherwise in writing.

 

19.    Applicable Law 

This Agreement is governed by the law of the Republic of Cyprus (“Cyprus”). Any dispute in respect of this Agreement or execution thereof shall be submitted to the courts of Cyprus.

 

Appendix 1: Subject Matter and Details of the Data Processing

Subject Matter
Enactia’s provision of the Services and related technical support to Customer.

Duration of the Processing
The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by Enactia in accordance with the Data Processing Agreement.

Nature and Purpose of the Processing
Enactia will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Amendment.

Categories of Data
Personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may include the following categories of data: user IDs, email, documents, presentations, images, calendar entries, email communications, tasks and other data.

Data Subjects
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.

 

© Enactia Ltd