DATA PROCESSING AGREEMENT (D.P.A.)
Under and according the new legal regime of the EU General Data Protection Regulation (GDPR)
EU - Regulation Law 2016/679 of 2016.04.27
- Relation between this DPA and different agreements non related with Personal Data Protection
- Relationship between the parties
- Specification of Assignments
- APP's responsibilities
- The subcontractor's responsibilities
- Confidentiality - Insider Regulations and Data Security
- Right of Audit
- Processing and Transfer of Personal Data
- End of Processing of Personal Data
- Validity of the Agreement, Amendments and Transfer of the Agreement
- Copies of the DPA
AP | BRAZIL / Apoio XXI LDA., head office at Av. João Crisóstomo, 30, 5º Andar, 1050-127 Lisboa, Portugal, Business ID (VAT): PT 504194739, hereinafter referred as APP and represented by Mário Júnior, CEO of APP, ID no. 11422154, valid until 2019.06.01 and VAT no 212566687,
Name (company or freelancer):
(hereinafter referred to as Subcontractor)
Business ID (VAT):
(no. ID, expiry, VAT)
With this agreement ("DPA") for subcontracting translation services, APP and the Subcontractor (hereinafter referred to jointly as "the Parties", each individually as "the Party") agree on the following:
1.1 - This DPA does not cancel, replace, modify or complement by any means, any other existing agreement between the parties, non related with personal data protection, nor support or implement any interpretation of the referred occasional agreements.
1.2 - Any doubts arising from this DPA regarding its relation with different agreements signed by the Parties, will be answered exclusively by APP, upon request by the Subcontractor.
2.1 - The Subcontractor is not employed by APP, but APP offers translation and/or proofreading assignments to the Subcontractor. The Subcontractor may accept or reject work offers received from APP. The fee separately agreed upon by the Parties is paid for translation and/or proofreading services purchased by APP from the Subcontractor.
2.2 - APP is not obligated to offer the Subcontractor any assignments in general under this DPA.
2.3 - Unless otherwise agreed by the Parties, the Subcontractor acts as an independent self- employed person and only charges APP for the translation and/or proofreading work performed, according to article 2.1 of this DPA.
2.4 - For the purposes of assignments referred to in this DPA, APP is a controller of the personal data processed for the company that is APP's customer and that determines the purposes and means of the processing of personal data as the controller. In this case, the Subcontractor is a sub-processor of personal data, processing the personal data on behalf of and by assignment of APP in accordance with the written instructions provided by APP's corporate customer acting as the controller, which are binding on APP.
2.5 - The Subcontractor undertakes to comply with the GDPR (EU 2016/679 of 2016.04.27), and regulations/guidelines issued by the authorities to the extent of the application of the GDPR once this DPA has been signed.
2.6 - Unless explicitly otherwise agreed in this DPA, the Subcontractor is liable for all costs incurred by the Subcontractor due to complying with this DPA and the GDPR.
3.1 - This DPA and its obligations aren't limited to translation and/or proofreading. This also applies to all the tasks arising from the subcontracting between APP and the Subcontractor, without exception.
3.2 - When APP offers translation and/or proofreading assignments to the Subcontractor, APP defines the assignment by specifying the extent, language pair and schedule of the assignment as accurately as possible.
3.3 - Where possible, APP notifies the Subcontractor of the purpose of use and target group of the job, as well as project/client specific instructions and resulting terminological and wording-related factors. In addition, the Parties agree on the tools to be used for the job.
3.4 - APP primarily submits work offers to the Subcontractor via its project management system, and the Subcontractor accepts or rejects the work offer primarily directly in project management system or secondarily by any other official mean of communication with APP, however, complying with the valid instructions provided in the job query.
3.5 - APP has the right to cancel the offered assignments before it has received the Subcontractor's reply or after having granted the assignment if the Subcontractor fails to comply with the agreed schedule.
3.6 - APP undertakes to ensure that the Subcontractor receives the materials required for the job as soon as possible after accepting the assignment. The Subcontractor undertakes to deliver the completed job according to the agreed schedule. Either Party must inform the other Party of a delay to the completion of a job or a force majeure event without delay.
4.1 - APP is responsible for the assignment-related basic information, instructions and orders it has reported to the Subcontractor.
4.2 - APP processes personal data in accordance with the GDPR and provides the Subcontractor with instructions complying with the instructions on the processing of personal data issued by APP's client acting as the controller. APP has the right to unilaterally amend or supplement the instructions it has issued. The Subcontractor must immediately inform APP if the Subcontractor considers the instructions issued by APP to be in breach of the GDPR.
4.3 - APP is responsible for contracts with the final customer, unless otherwise agreed on.
4.4 - In assignments divided between several subcontractors, APP is responsible for the project management of the translation and/or proofreading work and contacts between its subcontractors and the final customer.
5.1 - The Subcontractor shall execute the translation and/or proofreading task with the professional skill required for it in accordance with this DPA and APP's instructions. The Subcontractor must immediately inform APP if the instructions for the processing of personal data issued by APP are insufficient or unlawful.
5.2 - The Subcontractor is responsible for having adequate professional skills for the task when accepting it and the Subcontractor being able to deliver the service according to the agreed terms and conditions.
5.3 - Other responsibilities of the Subcontractor and its consequences are described and predicted on the due contract signed between the Parties, with the assignment.
5.4 - The Subcontractor agrees to comply with its responsibilities pursuant to this DPA and when acting as a sub-processor of personal data in accordance with articles 2 of this DPA (Relation between the parties).
5.5 - Considering the nature of the processing of personal data, the Subcontractor assists and supports APP by using appropriate technical and organisational measures so that APP can fulfill its obligation to respond to requests for exercising the following data subject's rights as laid down in chapter 3 of the GDPR:
5.5.1 - right of access to personal data,
5.5.2-right to have personal data corrected and erased,
5.5.3-right to restriction of processing of personal data,
5.5.4-right to personal data portability, and
5.5.5-right to object to the processing of personal data.
5.6 - Considering the nature of the processing of personal data, the Subcontractor assists APP in ensuring that APP can fulfill its obligations under the GDPR. The Subcontractor assists APP in complying with the following obligations set out in articles 32 to 36 of the GDPR:
5.6.1 - guaranteeing the safety of the processing of personal data by appropriate technical and organisational measures,
5.6.2-reporting data breaches to supervisory authorities and data subjects,
5.6.3-participating in the data protection impact assessment at APP's request, and participation in prior consultation of the supervisory authority at APP's request.
5.7 - In matters relating to the task, and especially in case of problems, the Subcontractor must immediately contact APP's contact person and agree on the required measures when observing a potential problem.
6.1 - All the confidentiality arising from this DPA, its insider regulations and data security is ruled by the NDA (Non disclosure Agreement) signed by the Parties within the global assignment delivered by APP to the Subcontractor.
6.2 - The Subcontractor agrees to comply with the GDPR in the processing of personal data and to report any data breaches to APP without delay.
6.3 - The Subcontractor is liable, at its own cost, to see to adequate data security, including antivirus protection of computer software and firewall so that the materials and confidential information provided by APP to the Subcontractor for translation and/or proofreading work remain protected.
6.4 - The Subcontractor ensures that only designated persons employed by the Subcontractor have access to the personal data processed, and that only persons employed by the Subcontractor with the need to process personal data based on their duties are designated as such persons. The Subcontractor sees to the required measures to ensure that such persons will only process personal data in compliance with this DPA and instructions provided by APP at each time.
6.5 - If requested by APP in writing, the Subcontractor must immediately provide APP with a written account of how the above-mentioned measures are realised. If the measures implemented by the Subcontractor are not, in APP's view, adequate enough to guarantee the data security of personal data as required by the GDPR, the Subcontractor must implement the additional measures proposed by APP to ensure data security without this incurring additional costs to APP.
6.6 - The Subcontractor takes all of the required measures to protect the personal data provided by APP against unauthorized access to the data, accidental or unlawful erasure, loss, modification, disclosure, transfer or other unlawful processing of or access to personal data.
6.7 - If requested by APP in writing, and at the latest upon the expiry of this DPA, the Subcontractor undertakes to return all confidential information and erase copies of it as well as materials containing confidential information. A written certificate of the erasure must be provided to APP.
7.1 - The Subcontractor is liable for any subcontractor used by the Subcontractor processing personal data in compliance with this DPA and the GDPR. The agreement between the Subcontractor and the subcontractor used by it must correspond with what is agreed upon in this DPA at the least.
7.2 - In particular, the Subcontractor ensures that the subcontractor used fulfils all appropriate technical and organisational measures so that the processing of personal data meets the requirements laid down in this DPA and the GDPR. If requested by APP in writing, the 7.3-Subcontractor must provide a reliable account of how the Subcontractor has ensured that its subcontractor complies with the above- mentioned obligations and provide APP with the agreement between the Subcontractor and subcontractor.
7.3 - APP has the right to cancel its consent given to the Subcontractor concerning the use of subcontractors if APP has reason to suspect that the Subcontractor's subcontractor does not process personal data in compliance with this DPA and/or the GDPR. The Subcontractor must immediately inform APP if the Subcontractor's subcontractor fails to comply with its agreed obligations in the processing of personal data.
7.4 - The Subcontractor regularly monitors the operations of its subcontractor to ensure that the subcontractor complies with its obligations in the processing of personal data. In the agreement between the Subcontractor and its subcontractor, the Subcontractor also ensures that APP has the right to audit the subcontractor's functions in accordance with article 8 (Right of audit) of this DPA.
7.5 - The Subcontractor is fully liable for the processing of personal data by the subcontractor used.
8.1 - The Subcontractor provides APP with all of the information required to prove that the Subcontractor complies with the requirements of this DPA and the GDPR.
8.2 - APP and an independent expert appointed by it, which may not be a competitor of the Subcontractor, has the right to verify at any time during the validity of this DPA that the Subcontractor complies with the obligations imposed on the Subcontractor by this DPA. APP informs the Subcontractor of the audit twenty one (21) days in advance, unless APP has reason to suspect that the Subcontractor does not process personal data in compliance with this DPA, in which case APP has the right to perform the audit without informing the Subcontractor of it in advance. In addition to this, the Subcontractor must always allow audits of the functions of personal data processor by the authority supervising APP's operations. This DPA is applied to audits by the authorities where applicable.
8.3 - The audit concerns the Subcontractor's documentation pertaining to the processing of personal data and the systems and facilities used in the processing of personal data. The Subcontractor takes part in and contributes to the performance of the audit. If requested by APP, the Subcontractor also takes part in an audit by the supervisory authority concerning APP and provides the supervisory authority with the information required for performing the audit.
8.4 - Each Party is liable for the costs incurred by it due to the audit. If it is found in the audit that the Subcontractor has not complied with this DPA or the GDPR, the Subcontractor is liable for all costs incurred due to the audit.
9.1 - The Subcontractor is responsible for APP being able to record, store and process personal data concerning persons employed by the Subcontractor in APP's subcontractor data file and related software. APP complies with the GDPR and only processes the personal data of persons employed by the Subcontractor to the extent required by this DPA.
9.2-Persons employed by the Subcontractor have the right to view their personal data stored in APP's subcontractor data file via the subcontractor interface of the business process management system or by contacting APP.
9.3 - Upon the expiry of this DPA or when requested by the Subcontractor, APP erases the personal data of persons employed by the Subcontractor from its subcontractor data file and related software to the extent required by the GDPR and other legislation not requiring the storage of the data.
9.4 - The Subcontractor must not transfer personal data provided by APP outside the EU or EEA without APP's written advance consent. If the Subcontractor transfers personal data provided by APP outside the referred EU and EEA areas at the written request of APP or with APP's written advance consent, APP and the Subcontractor agree on the required contractual arrangements and other procedures before the transfer of the personal data.
9.5 - The Subcontractor is liable for the personal data being processed outside the EU or EEA in accordance with the requirements of this DPA and applicable data protection legislation.
9.6 - The Subcontractor must inform APP in writing in which countries personal data provided by APP will be processed (including the countries from which the personal data may be accessed).
9.7 - The Subcontractor maintains a record of its processing of personal data on behalf of APP. The record includes the following information:
a) Name and contact details of APP, the Subcontractor and the Subcontractor's
b)Data Protection Officer and information about any subcontractors;
c) Processing of personal data activities performed on behalf of APP;
d)Information about the transfer of personal data outside the EU or EEA, including the third parties concerned and an account of how the adequate level of data protection has been guaranteed and;
e)A description of the technical and organisational security measures carried out by the Subcontractor in accordance with article 10 (End of processing of personal data) of this DPA.
9.8-If requested by APP in writing, the Subcontractor must provide the record on the processing of personal data to APP.
10.1 - The Subcontractor undertakes to, when requested by APP in writing and without undue delay, return all personal data provided by APP to the Subcontractor to APP or third party designated by APP in the format and form requested by APP and/or to erase the personal data for no separate charge. The Subcontractor must return and/or erase the personal data at the latest upon the expiry of this DPA. At this time, the Subcontractor must also erase all existing copies of the personal data unless the Subcontractor must store said personal data due to compulsory legislation.
10.2 - The Subcontractor agrees not to process the personal data after it has been successfully handed over to APP or third party designated by APP or after it has been successfully erased.
11.1 - The Subcontractor is liable for any direct losses incurred by APP due to a breach of this DPA by the Subcontractor. Furthermore, the Subcontractor is liable for any claims, losses and expenses by third parties or data subjects towards APP and administrative fines imposed by the supervisory authority incurred by APP due to the Subcontractor breaching this DPA or the GDPR.
11.2 - APP is liable for any direct losses incurred by the Subcontractor due to a breach of this DPA by APP.
12.1 - This DPA come into force once both Parties have signed it, or digitally validated through the current digital validation system used by APP. This DPA shall be valid until further notice.
12.2 - Either Party may terminate this DPA in writing with immediate effect. However, the Subcontractor is obligated to complete any translation and/or proofreading work already ordered.
12.3 - The provisions on confidentiality, processing of personal data, competing activities and damages shall continue after the expiry of this DPA.
12.4 - Amendments to this DPA are valid only if they are made in writing and confirmed by both Parties with their signatures.
12.5 - This DPA supersedes all previous oral and/or written agreements, quotes, commitments and other expressions of intent between the Parties, regarding the protection of personal data.
12.6 - The Subcontractor is not entitled to transfer this DPA or part thereof or its rights or obligations under it to a third party without APPs advance written consent.
13.1 - This DPA is governed by the laws of Portugal.
13.2 - In case any eventual conflicts fail to be friendly resolved, any disputes arising from this DPA shall be adjudicated in a Court of Porto Judicial District, in Portugal, and shall be submitted in Portuguese.
This DPA has been drafted in two copies, one for each Party.
I have carefully read this DPA and accordingly, I accept its terms and conditions:
[Place and date] _______________________________________________
AP | BRAZIL; [Name] [Title]
[SUBCONTRACTOR'S NAME] [Name] [Title]