Data processing addendum (DPA)
- (A) This Data Protection Addendum (“DPA”) specifies the data protection obligations of the parties, which arise from contract data processing on behalf, as stipulated in ABBYY Cloud OCR SDK Developer Agreement https://ocrsdk.com/developer-agreement/ (the “Agreement”). It applies to all activities performed in connection with the Agreement in which the staff of ABBYY or a third party acting on behalf of ABBYY may come into contact with personal data of the principal (“Client”).
- (B) This DPA sets out the additional terms, requirements and conditions on which ABBYY will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) for contracts between Clients who will be controllers and processors.
“Client” - refer to and include any person and/or any entity that is accepting the Agreement.
“Сontroller” has the same meaning under the Data Protection Laws.
“Data Protection Laws” means all applicable laws governing the protection of Personal Data including, but not limited to, the General Data Protection Regulation 2016/679 (“GDPR”) and all other laws implementing or supplementing the GDPR including the Germany Federal Data Protection Act 2017 (“BDSG”).
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable individual.
“Processing” means processing of Personal Data as defined under the Data Protection Laws, including the storage, amendment, transfer, blocking or erasure of personal data by the processor acting on behalf of the Client.
“Processor” has the same meaning under the Data Protection Laws.
“Processor” – means ABBYY Europe GmbH Landsberger Str. 300 80687 Munich Germany
“Instruction” means the written instruction, issued by Client to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Client in separate written instructions (individual instructions).
“Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
This DPA is subject to the terms of the Agreement and is incorporated into the Agreement be reference. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this Agreement.
The Annexes form part of this DPA and will have effect as if set out in full in the body of this Agreement. Any reference to this DPA includes the Annexes.
A reference to writing or written includes faxes and email.
In the case of conflict or ambiguity between:
- (a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
- (b) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail;
2. Scope and Responsibility
2.1. The Client and ABBYY acknowledge that for the purpose of the Data Protection Laws, the Client is the controller and ABBYY is the processor. In some circumstances, Client may be a processor, in which case Client appoints ABBYY as Client’s sub-processor, which shall not change the obligations of either Client or ABBYY under this DPA, as ABBYY will always remain a processor with respect to the Client in such event.
2.2. Client retains control of the Personal Data and remains responsible for its compliance with its obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents for the lawful collection and processing of Personal Data made available to or otherwise transferred to ABBYY, and for the processing instructions it gives to the Processor.
2.3. Processor shall process Personal Data on behalf of Client. Processing shall include such actions as may be specified in the Agreement and in the scope of work. Within the scope of the Agreement, Client shall be solely responsible for complying with the statutory requirements relating to data protection, in particular regarding the transfer of Personal Data to the Processor and the Processing of Personal Data by Processor.
2.4. Based on this responsibility, Client shall be entitled to request that Processor, subject to the Data Protection Laws, rectifies, deletes, blocks and makes available Personal Data during and after the term of the Agreement at Client’s cost. Processor shall promptly comply with any of Client’s request or instruction requiring the Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing.
2.5. The provisions of this DPA shall also apply if testing or maintenance of automatic processes or of Processing equipment is performed on behalf of Client.
3. Processor’s obligations
3.1. Processor shall collect, process and use Personal Data only within the scope of Client’s Instructions as set-out in this Agreement.
3.2. Processor shall keep the Personal Data confidential and shall ensure the reliability of its employees who have access to the Personal Data.
3.3. Processor will, at Client’s cost, reasonably assist Client with meeting Client’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Legislation, taking into account the nature of Client’s processing and the information available to the Processor, as well as, where reasonably feasible for Processor and at Client’s costs, to undertake data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Laws.
3.4. Processor shall implement appropriate technical and organizational measures with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to taking reasonable steps to achieve the following:
- (a) the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
- (b) the prevention of Personal Data Processing systems from being used without authorization (logical access control),
- (c) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
- (d) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
- (e) the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems, (entry control),
- (f) Personal Data Processed are Processed in accordance with the Instructions (control of instructions),
- (g) Personal Data are protected against accidental destruction or loss (availability control),
- (h) Personal Data collected for different purposes can be processed separately (separation control).
A measure as referred to in lit. a) to h) above shall be in particular, but shall not be limited to, the use of appropriate encryption technology. An overview of the above-entitled technical and organizational measures are listed in Annex 2.
3.5. Processor shall notify to Client the contact details of Processor’s data protection officer. The Processor’s data protection official is:
TÜV SÜD Sec-IT GmbH
Tel. +49 89 500 84 868
3.6. If applicable, Client shall retain title as to any carrier media provided to Processor as well as any copies or reproductions thereof. Processor shall store such media safely and protect them against unauthorized access by third parties. Processor shall, upon Client’s request, provide to Client all information on Client’s Personal Data and information. Processor shall be obliged to securely delete any test and scrap material based on an Instruction issued by Client on a case-by-case basis. Where Client so decides, Processor shall hand over such material to Client or store it on Client’s behalf.
3.7. Processor shall provide reasonable assistance to the Client with any data protection impact assessment which the Client is required to undertake in order to Comply with Articles 35 and 36 of the GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the processing and information available to Processor and shall make available to Client on request such information as is reasonably necessary to demonstrate its compliance with this DPA and shall reasonably allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client and approved by Processor for the purpose of demonstrating compliance by Processor with its obligations under Data Protection Laws in respect of the Personal Data.
3.8. Processor shall return or, and to the extent technically possible, at the Client’s written request, delete and procure the deletion of all copies of the Personal Data after Processing by Processor of any Personal Data is no longer required for the purpose of Processor’s performance of its relevant obligations under this DPA.
4. Client’s obligations
4.1. Client shall be separately responsible for conforming with such statutory data protection regulations including the Data Protection Laws as are applicable to it and shall ensure that the Personal Data may lawfully be processed by the Processor under this Agreement.
4.2. Client shall inform Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data detected during a verification of the results of such Processing or otherwise arising following the date of this DPA.
4.3. Client shall be obliged to maintain the publicly available register as defined in Article 30 of the GDPR.
Client shall be responsible for fulfilling the duties to inform resulting from Article 33 of the GDPR.
Client shall promptly notify Processor of the exercise of any rights by Data Subjects affecting the Processing of Personal Data by Processor.
Client shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period set by Processor, the measures to return data carrier media or to delete stored data.
4.4. Any additional cost arising out of Processor’s performance under Instructions outside the Agreement’s scope of work or otherwise not contemplated by this DPA shall be borne by Client.
5. Audit Obligations
Processor shall provide a copy of its most current security report upon Client’s written request and subject to the confidentiality provisions of the Agreement. If Client requires additional information beyond that which is stated in the Report, Client may contact Processor at email@example.com to request an on-site audit of the architecture, systems and procedures relevant to the protection of Client Personal Data that are controlled by Processor. Client shall reimburse Processor for any time expended by Processor for any such audit at Processor's then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, Client and Processor will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. Client shall promptly notify Processor with information regarding any non-compliance discovered during the course of an audit.
6.1. Client agrees that Processor may engage Processor’s Affiliates and third party sub-processors (collectively, "sub-processors") to Process the Personal Data on Processor's behalf. Client acknowledges that Processor’s contractual obligations hereunder, or the parts of the services, will be performed by a subcontractor and consents to use of sub-processors by Processor as described in this section 6 to fulfil its contractual obligations under the Agreement a and to provide certain services on Processor's behalf such as support services. The list of current sub-processors authorized by Client is provided in the Annex 1 hereof.
6.2. Processor undertakes to enter into a written agreement with any applicable sub-processors and such obligations will in no event be less protective than stated herein. Processor will restrict its sub-processors' access to only what is necessary to maintain the Service or to provide the Service to Client and its End Users. Processor will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the sub-processors.
6.3. Processor may, by giving no less than thirty (30) days’ notice to Client, add or make changes to the Sub-processors. Client may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case Processor shall have the right to cure the objection through one of the following options (to be selected at Processor’s sole discretion):
- (a) Processor will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to provide the Subscription Services without such Sub-processor; or
- (b) Processor will take the corrective steps requested by Client in its objection (which remove Client’s objection) and proceed to use the Sub-processor with regard to Personal Data; or
- (c) Processor may cease to provide or Client may agree not to use (temporarily or permanently) the particular aspect of the Subscription Services that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Subscription Services considering the reduced scope of the Subscription Services.
Objections to a Sub-processor shall be submitted to Processor by following the directions set forth in the Sub-processor List.
If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after Processor’s receipt of Client’s objection, either party may terminate the Agreement and Client will be entitled to a pro-rata refund for prepaid fees for Subscription Services not performed as of the date of termination.
Processor may replace a sub-processor if the need for the change is urgent and necessary to provide the Subscription Services and the reason for the change is beyond Processor’s reasonable control. In such instance, Processor shall notify Client of the replacement as soon as reasonably practicable, and Client shall retain the right to object to the replacement sub-processor pursuant to the above.
7. Data Breach
Processor will without undue delay notify Client if it becomes aware of any Personal Data Breach.
Where Processor becomes aware of a Personal Data Breach, it shall, without undue delay, also provide Client upon request with the following information:
- (a) description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- (b) the likely consequences; and
- (c) description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Processor will reasonably co-operate with Client in Client's handling of the matter, including:
- (a) assisting with any investigation;
- (b) providing Client with physical access to any facilities and operations affected;
- (c) facilitating interviews with Processor's employees, former employees and others involved in the matter;
- (d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Client; and
- (e) taking reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
Processor will not inform any third party of any Personal Data Breach without first obtaining Client's prior written consent, except when required to do so by Data Protection Laws.
Processor agrees that Client has the sole right, subject to Data Protection Laws, to determine:
- (a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Client's discretion, including the contents and delivery method of the notice; and
- (b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Processor will cover all reasonable expenses associated with the performance of the obligations under this section 7 unless the matter arose from Client's specific instructions, negligence, willful default or breach of this Agreement, in which case Client will cover all reasonable expenses.
Processor will also reimburse Client for actual reasonable expenses that Client incurs when responding to a Personal Data Breach to the extent that Processor caused such a Personal Data Breach, including all costs of notice and any remedy.
8. Duties to Inform, Mandatory Written Form, Choice of Law, Duration
8.1. Where Client’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed, Processor shall inform Client without undue delay. Processor shall, without undue delay, notify to all pertinent parties in such action, that any Personal Data affected thereby is in Client’s sole property and area of responsibility that Personal Data is at Client’s sole disposition.
8.2. No change of or amendment to this DPA and all of its components, including any commitment issued by Processor, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to these regulations. The foregoing shall also apply to the waiver of this mandatory written form.
8.3. To the extent required by applicable data protection laws, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the same jurisdiction stated in the Agreement for governing the Agreement.
8.4. The term of this DPA shall follow the term of the Agreement. Upon termination or expiration of the Agreement, Processor shall, in accordance with the terms of the Agreement, delete or make available to Client for retrieval all relevant Personal Data (including copies) in Processor’s possession, save to the extent that Processor is required by any applicable law to retain some or all of the Personal Data. In such event, Processor shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention, for so long as Processor maintains the Personal Data.
9. List of Personal Data elements and Purpose
9.1. The Processor provides for the Client the following service:
Document recognition, document conversion, and data capture service using OCR (optical character recognition) technologies.
9.2. The following types of data are processed:
The Subject Matter of the processing of personal data comprises the following data types/categories (List/Description of the Data Categories)
- Documents, images, and other files that the data subjects choose to upload to the Service (to the extent that these comprise personal data)
- First and last name
- Contact information (title, position, company, email, phone, physical business address)
- Birthdate and place
- ID document number and related data
- social security number
- Invoice and receipt data
Neither Client nor Data Subjects authorized by Client shall use the Service to process Special Categories of Personal Data about (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor will Client process or give instructions to process any information about criminal convictions and offences.
Client shall be liable for any personal data that is provided or otherwise made available to the Processor in excess of the categories of data described above ("Excess Data"). Processor’s obligations under the Agreement of this DPA shall not apply to any such Excess Data.
9.3. The following people and groups of people are affected:
The Categories of Data Subjects comprise:
- Potential Customers
- End Users
- Authorised Users
- Contact Persons
Client acknowledges that Processor’s contractual obligations hereunder, or the parts of the deliverables defined below, will be performed by a subcontractor, namely:
Microsoft Ireland Operations Ltd.
Sandyford, Dublin 18, Ireland
1. Technical and organizational measures
The Processor will process the data in the European Union only.
The Processor and the Client agree that the technical and organizational measures of the data center operator are an integral and an effective part of this DPA. This applies subject to the provision that these technical and organizational measures may be adopted to the newest developments from time to time. The Processor will inform without any further delay the Client about any changes of the security guidelines of the data center operator.
Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Processes are in place to ensure that authorized users have the appropriate authorization to add, delete, or modify users.
All users access Processor’s systems with a unique identifier (user ID).
1.2. Technical and organizational measures of the data center:
The implemented technical and organizational measures of the data center operator are listed in the Online Services Terms, SLA and other agreement related documents, which are available at http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46 and incorporated hereto by reference.