MC+A Data Processing

This Data Processing Addendum ("DPA") is effective upon execution of an Order Form to which this DPA is attached (each, an "Agreement"), by and between Michael Cizmar & Associates, LTD. ("MC+A") and the party named as End User in the Agreement. Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Agreement. The parties intend this DPA to be an extension of the Agreement that will outline certain requirements for the processing of personal data provided or made available by End User, or collected or otherwise obtained by MC+A, while providing Services to End User.

  1. Definitions.
    1. Data Protection Legislation means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/279)).
    2. Good Industry Practice means, in relation to any activity and under any circumstance, exercising the same skill, expertise, and judgment and using facilities and resources of a similar or superior quality as would be expected from a person who: (a) is skilled and experienced in providing the services in question, seeking in good faith to comply with his contractual obligations, and seeking to avoid liability arising under any duty of care that might reasonably apply; (b) takes all proper and reasonable care and is diligent in performing his obligations; and (c) complies with all applicable legislation and any applicable industry standards including any recognized industry quality standards and applicable law.
    3. data controller, data processor, subprocessor, data subject, personal data, processing, and appropriate technical and organizational measures shall be interpreted in accordance with Directive 95/46/EC, or other applicable Data Protection Legislation, in the relevant jurisdiction.
    4. standard contractual clauses shall mean the model controller-to-processor contract for the transfer of personal data to third countries issued by the European Commission on the basis of Article 26(4) of Directive 95/46/EC pursuant to Decision 2010/87/EU.
  2. Scope. The parties agree that, as between the parties, End User is a data controller and MC+A is a data processor in relation to personal data that MC+A processes on behalf of End User in the course of providing the services under the Agreement (the "Services"). The subject-matter of the data processing, the types of personal data processed, and the categories of data subjects will be defined by, and/or limited to that necessary to carry out the Services described in the Agreement. The processing will be carried out until the date MC+A ceases to provide the Services to End User.
  3. Data Protection. In respect of personal data processed in the course of providing the Services, MC+A shall adhere to the following requirements:

    MC+A will process the personal data only in accordance with the written instructions from End User and only in compliance with Data Protection Legislation. Such instructions may be specific or of a general nature as set out in this DPA, the Agreement, or as otherwise notified by End User to MC+A in writing from time to time. The nature and purposes of the processing shall be limited to that necessary to carry out such instructions, and not for MC+A's own purposes, or for any other purposes except as required by law. If MC+A is required by law to process the personal data for any other purpose, MC+A will inform End User of such requirement prior to the processing unless prohibited by law from doing so.

    MC+A will process the personal data only to the extent, and in such manner, as is necessary for the provision of the Services. MC+A may only correct, delete, or block the personal data processed on behalf of End User as and when instructed to do so by End User.

    MC+A will implement and maintain appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures shall take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage, or theft of the personal data and having regard to the nature of the personal data which is to be protected and as a minimum shall be in accordance with the Data Protection Legislation and Good Industry Practice. Such measures shall include, as appropriate:

    • the pseudonymisation and encryption of personal data;
    • the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
    • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

    MC+A will not give access to or transfer any personal data to any third party (including any affiliates, group companies, or subcontractors) without giving End User prior notice and a reasonable opportunity to object, which, if not exercised within thirty (30) days of receipt of such notice shall be deemed to constitute an approval of such access or transfer. Where End User does not object in good faith on grounds related to data protection to MC+A engaging a sub-contractor to carry out any part of the Services, MC+A must ensure the reliability and competence of such third party, and its employees or agents who may have access to the personal data processed in the provision of the Services, and must include in any contract with such third party provisions in favor of End User which are substantially equivalent to those in this DPA and the Agreement and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where a third party fails to fulfill its obligations under any sub-processing agreement or any applicable Data Protection Legislation, MC+A will remain fully liable to End User for the fulfillment of its obligations under this DPA and the Agreement.

    MC+A will take reasonable steps to ensure the reliability and competence of any MC+A personnel who have access to the personal data. MC+A will ensure that all MC+A personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this DPA.

    MC+A will take all reasonable steps to assist End User in meeting End User's obligations under applicable Data Protection Legislation, including End User's obligation to respond to requests by data subjects to exercise their rights with respect to personal data, adhere to data security obligations, respond to data breaches and other incidents involving personal data, conduct data protection impact assessments, and consult with supervisory authorities. MC+A will promptly inform End User in writing if it receives: (i) a request from a data subject concerning any personal data or (ii) a complaint, communication, or request relating to End User's obligations under Data Protection Legislation.

    MC+A will not retain any of the personal data for longer than is necessary to provide the Services. At the end of the Services, or upon End User's request, MC+A will securely destroy or return (at End User's election) the personal data to End User.

    With regard to personal data related to data subjects located in the European Economic Area, MC+A will not process such personal data in a location outside the European Economic Area, except:

    • with the prior written consent of End User and on the documented instructions of End User (including to the extent set forth in the Agreement);
    • by taking such steps as may reasonably be required by End User on an ongoing basis to ensure there is adequate protection for such personal data in accordance with applicable Data Protection Legislation; and
    • pursuant to the standard contractual clauses, which the parties will enter into.

    MC+A will allow End User and its respective auditors or authorized agents to conduct reasonable audits and inspections during the term of the Agreement, solely to allow End User to verify that MC+A is processing personal data in accordance with its obligations under this DPA, the Agreement, and applicable Data Protection Legislation.

    If MC+A becomes aware of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by MC+A in the course of providing the Services under the Agreement (a "Security Breach"):

    • it shall, within seventy-two (72) hours and without undue delay, notify End User and provide End User with: a detailed description of the Security Breach; the type of data that was the subject of the Security Breach; the identity of each affected person; and the steps MC+A takes in order to mitigate and remediate such Security Breach, in each case as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information End User may reasonably request relating to the Security Breach); and
    • take action immediately, at its own expense, to investigate the Security Breach and to identify, prevent, and mitigate the effects of the Security Breach and, with the prior written approval of End User, to carry out any recovery or other action necessary to remedy the Security Breach.

    MC+A shall comply at all times with and assist End User in complying with its applicable obligations under Data Protection Legislation. MC+A shall provide any information requested by End User to demonstrate compliance with the obligations set out in this DPA. MC+A shall not perform its obligations under the Agreement or this DPA in such a way as to cause End User to breach any of its obligations under applicable Data Protection Legislation.

    MC+A will notify End User immediately if, in MC+A's reasonable opinion, an instruction for the processing of personal data given by End User infringes applicable Data Protection Legislation.