Effective Date: July 24, 2018.
This Yola Data Processing Addendum forms part of, and is subject to the provisions of, the Yola Terms of Service. Capitalized terms not defined here have the meanings set forth in the Terms of Service.
We, the Processor, technically operate a website and/or online shop on our systems located in countries including the US on behalf of you, the Controller.
We may also be an independent Controller for some personal data relating to you or your End Users. Please see our Privacy Policy and Terms of Service for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a Controller, you acknowledge and confirm that this Data Processing Addendum does not create a joint-Controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with Your Site, you receive that as an independent data Controller and are responsible for compliance with EU Data Protection Law in that regard.
The Processor shall process personal data for the Controller in terms of Article 4(2) and Article 28 of the GDPR based on this Agreement.
The contractually stipulated service shall be performed exclusively in a Member State of the European Union or in a contracting state of the Agreement on the European Economic Area. Any relocation of the service or parts thereof to another country shall only take place if the specific requirements of Article 44 and subsequent Articles of the GDPR are met (e.g. adequacy decision by the Commission, standard data protection clauses, approved codes of conduct). We are a certified member of the EU-US and Swiss-US privacy shield. The processing of personal data by the Processor for the Controller, which is located in the USA is carried out within the framework of these adequacy decisions.
We ensure that your website and/or online shop is accessible to users via the Internet within the framework of our Terms of Service. Furthermore, we process all information in connection with user orders and make it available to you. You are then responsible for the execution of the contracts concluded with your users.
Processing is the collection, storage and use of personal data which are necessary for the operation of the respective website and/or online shop.
Data subjects are users of the respective website and/or online shop.
The Controller shall alone be responsible for assessing the lawfulness of processing pursuant to Article 6(1) of the GDPR and for safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR. Nevertheless, the Processor shall be obligated to forward to the Controller all such inquiries without undue delay insofar as they are recognizably intended for the Controller exclusively.
Modifications of the subject of processing and changes in procedures are to be coordinated between the Controller and the Processor and defined in writing or in a documented electronic format.
The Controller shall generally issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions are to be confirmed in writing or in a documented electronic format without undue delay. The Controller shall be entitled to convince itself adequately of the Processor's adherence to technical and organizational measures taken by the Processor and with the obligations defined herein prior to commencement of the processing and on a regular basis thereafter, as set down in Section 4 hereof.
The Controller shall notify the Processor without undue delay if the Controller finds errors or irregularities when reviewing the results of the processing.
The Controller shall be obligated to treat all knowledge of business secrets and data security measures of the Processor obtained thereby within the framework of the contractual relationship confidentially. This obligation shall remain in effect even after the Termination of this Agreement.
The Controller's authorized issuers of instructions and communication channel for this Agreement shall be:
The Processor shall process personal data exclusively within the bounds of the agreements reached by the Parties and the Controller's instructions, unless it is obligated to conduct processing otherwise by the laws of the EU or of the Member States to which the Processor is subject (e.g. investigations by law enforcement and state security authorities); in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Article 28(3) Sentence 2 character a of the GDPR).
The Processor hereby warrants that all measures stipulated herein in connection with the processing of personal data under this Agreement will be taken in accordance with this Agreement. The Processor hereby warrants that the data processed for the Controller will be kept strictly separate from other data.
The data storage media originating from or used for the Controller shall be specially labelled. The arrival, departure and ongoing use thereof shall be documented.
The Processor shall be required to participate to a necessary extent and provide the Controller with reasonable assistance to the extent possible in safeguarding the rights of data subjects in accordance with Articles 12-22 of the GDPR, in compiling records of processing activities and in necessary impact assessments by the Controller (Article 28(3) Sentence 2 character e and f of the GDPR). The Processor shall provide the necessary information in this regard without undue delay in each case to the Controller. The Controller informs the Processor in writing immediately after conclusion of this DPA, which office of the Controller shall be addressed.
The Processor shall inform the Controller without undue delay if, in its opinion, an instruction issued by the Controller violates statutory provisions (Article 28(3) Sentence 3 of the GDPR). The Processor shall be entitled to delay performance of the relevant instruction until it is confirmed or amended by the Controller's controller after review. The Processor shall be required to modify, delete or restrict processing of personal data arising from the contractual relationship if the Controller makes such request by means of an instruction unless such is opposed by legitimate interests of the Processor.
The Processor may not provide personal data arising from the contractual relationship to third parties or the data subjects without the prior instruction or approval from the Controller.
The Processor shall notify the Controller by posting on Yola.com without undue delay of disruptions and violations by the Processor or the persons employed by it of provisions of data protection law or the provisions of the Agreement, as well as of the suspicion of data protection violations or irregularities in the processing of personal data. This shall apply above all with respect to possible notification and communication obligations of the Controller in accordance with Article 33 and Article 34 of the GDPR. The Processor hereby warrants that it will adequately assist the Controller with its obligations in accordance with Article 33 and Article 34 of the GDPR (Article 28(3) Sentence 2 character f of the GDPR). Notifications on behalf of the Controller under Articles 33 or 34 of the GDPR may only be executed by the Processor after prior instruction pursuant to Section 4 of this Agreement.
The Processor may engage third parties and/or subcontractors for the Processing of Personal Data under this Processor Agreement.
The Processor is responsible for these third parties and/or subcontractors and shall impose upon the third parties and/or subcontractors the same conditions, duties and responsibilities as mentioned in this Processor Agreement. Upon written request by Controller, the Processor is to provide information regarding the obligations of its sub-processors relevant to data protection at any time.
A level of security adequate to the risk for the rights and freedoms of natural persons affected by the specific processing shall be ensured. To this end, the protective goals of Article 32(1) of the GDPR, such as the confidentiality, integrity and availability of systems and services and the resilience thereof with regard to the nature, scope, context and purpose of the processing shall be taken into account so that the risk is mitigated in a lasting manner through appropriate technical and organizational measures.
Upon written request from the Controller, and no more than once per calendar year, the Processor will make available to the Controller all information necessary to demonstrate compliance with its obligations under the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Any reviews of information, audits, or inspections conducted pursuant to this Section shall be at the Controller’s sole expense.
The Processor is responsible for the implementation of the measures as set out in this Data Processing Addendum. The Processor is not liable if these measures turn out to be insufficient. The Controller indemnifies the Processor against claims of third parties, including data protection authorities, ensuing for any reason whatsoever from the Processing of Personal Data as set out in this Data Processing Addendum.
Any liability of the Processor on account of imputable failure to perform the agreement or on any other ground, is governed by the limitation of liability as agreed upon in the Yola Terms of Service.