3. ABBYY’s obligations

3.1. ABBYY shall process Personal Data only within the scope of Client’s Instructions as set out in the Agreement, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which ABBYY is subject. In this case, ABBYY shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2. ABBYY will, insofar as this is possible, by appropriate technical and organizational measures, reasonably assist Client with meeting Client’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Laws (particularly the Data Subject’s Rights stated in Chapter 3 of the GDPR and related to Data Subject’s requests), taking into account the nature of the data Processing. Taking into account the nature of Processing and any information available to ABBYY, ABBYY will further assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Data Protection Laws. In a situation where the requested level of assistance will be excessive or unreasonably burdensome for ABBYY, any such assistance will be exercised at Client’s cost.

3.3. ABBYY shall implement appropriate technical and organizational measures required pursuant to Article 32 GDPR with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to, taking reasonable steps to achieve the following:

  • (a) the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
  • (b) the prevention of Personal Data Processing systems from being used without authorization (logical access control),
  • (c) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
  • (d) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
  • (e) the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
  • (f) Personal Data Processed are Processed in accordance with the Instructions (control of instructions),
  • (g) Persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
  • (h) Personal Data are protected against accidental destruction or loss (availability control),
  • (i) Personal Data collected for different purposes can be processed separately (separation control).

A measure as referred to in lit. a) to i) above shall be in particular, but shall not be limited to, the use of appropriate encryption technology. These technical and organizational measures are listed in Annex 2 to this DPA.

3.4. Contact information:

  • a) If you have chosen Data Processing Location in the EU:

    ABBYY Europe GmbH

    Landsberger Str. 300, 80687 Munich, Germany

    Phone: +49-89-69 33 330

    Email: privacy_eu@abbyy.com

  • b) If you have chosen Data Processing Location in the USA:

    ABBYY USA Software House, Inc.

    890 Hillview Court, Suite 300, Milpitas, CA 95035

    Phone: +49-89-69 33 330

    Email: privacy@abbyyusa.com

ABBYY Europe GmbH is ABBYY’s data protection representative for the European Economic Area, the United Kingdom, and Switzerland. The data protection representative of ABBYY can be reached at the following address:

ABBYY Europe GmbH

Landsberger Str. 300, 80687 Munich, Germany

Phone: +49-89-69 33 330

Email: privacy_eu@abbyy.com

3.5. Client’s Notification Email Address is the same address that is used by the Client for registration within the Service. “Notification Email Address” means the email address designated by Client to receive certain notifications from ABBYY relating to this DPA.

3.6. If applicable, Client shall retain title as to any carrier media provided to ABBYY as well as any copies or reproductions thereof. ABBYY shall store such media safely and protect them against unauthorized access by third parties. ABBYY shall, upon Client’s request, provide to Client all information on Client’s Personal Data and information. ABBYY shall be obliged to securely delete any test and scrap material based on an Instruction issued by Client on a case-by-case basis. Where Client so decides, ABBYY shall hand over such material to Client or store it on Client’s behalf.

3.7. ABBYY shall provide reasonable assistance to the Client with any data protection impact assessment which the Client is required to undertake in order to comply with Articles 35 and 36 of the GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the Processing and information available to ABBYY and shall make available to Client on request such information as is reasonably necessary to demonstrate its compliance with this DPA and its obligations under Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client for the purpose of demonstrating compliance by ABBYY with its obligations under Data Protection Laws in respect of the Personal Data. ABBYY may object to the deployment of a specific auditor if such auditor (i) is not subject to confidentiality regarding the results of such audit (except vis-à-vis ABBYY and Client), (ii) is a competitor of ABBYY, (iii) is affiliated with a competitor of ABBYY.

3.8. ABBYY will store Personal Data for processing purposes (duration of the storage is subject to the clause 3.16 of the Agreement) either in the United States of America or in the European Union (depending on the Data Processing Location chosen by the Client).

3.9. Depending on the Data Processing Location chosen by the Client, the Personal Data of the Client may be processed in a third country pursuant to adequate safeguards under Art. 46 GDPR including, but not limited to, execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards (for instance EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield mechanism). In the event of using the SCC, Client hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between ABBYY and the sub-processor. ABBYY will enforce the SCC against the sub-processor on behalf of the Client or Data Subject if a direct enforcement right is not available under Data Protection Laws. Notwithstanding the above, ABBYY Europe GmbH will always have access to Personal Data and will process Personal Data.