DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the existing Terms of Service, Service Agreement, or other principal agreement (the “Principal Agreement”) entered into between:
Ioannis Orfanidis trading as OpenRMA Technologies, a company incorporated in the United Kingdom, with its registered office at 235 Newmarket Rd. Ashton-under-Lyne, OL7 9JS, Manchester (“Processor”);
and
Each entity that enters into a Principal Agreement with Processor for the use of the Service (“Controller”).
(Each a “Party” and together the “Parties”)
WHEREAS:
- The Controller uses the Processor’s OpenRMA as a Service program (the “Service”) to manage their customers’ repair information, including personal data.
- In providing the Service, the Processor processes personal data on behalf of the Controller.
- The Parties wish to set out their respective obligations concerning the processing of personal data to comply with the requirements of applicable data protection laws, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the UK General Data Protection Regulation (UK GDPR), and other relevant national data protection legislation (collectively, “Data Protection Laws”).
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the Parties agree as follows:
1. DEFINITIONS
1.1. Unless otherwise defined herein, capitalized terms used in this DPA shall have the meanings set forth in the Principal Agreement. The following terms shall have the meanings set forth below:
- “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Supervisory Authority,” and “Special Categories of Personal Data” shall have the meanings ascribed to them in Data Protection Laws.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, or any successor clauses.
- “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s Office, or any successor addendum.
- “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the provision of the Service.
2. SCOPE AND APPLICABILITY OF THIS DPA
2.1. This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service under the Principal Agreement.
2.2. This DPA shall prevail over any conflicting terms of the Principal Agreement regarding the Processing of Personal Data.
3. ROLES AND RESPONSIBILITIES
3.1. Controller’s Responsibilities:
- The Controller acts as the Controller of the Personal Data and determines the purposes and means of the Processing.
- The Controller shall ensure that it has all necessary rights, consents, and legal bases to lawfully transfer the Personal Data to the Processor for Processing under the Principal Agreement and this DPA.
- The Controller is responsible for the accuracy, integrity, and legality of the Personal Data provided to the Processor.
- The Controller shall inform the Processor without undue delay of any instruction that infringes Data Protection Laws.
3.2. Processor’s Responsibilities:
- The Processor acts as the Processor of the Personal Data and processes Personal Data solely on documented instructions from the Controller, including those specified in the Principal Agreement and this DPA, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- The Processor shall not process Personal Data for any purpose other than those necessary for the provision of the Service to the Controller, as described in the Principal Agreement.
- The Processor does not share any customer data or the data of the Controller’s customers with any third parties whatsoever, except as expressly required for the provision of the Service through authorized Sub-processors (as detailed in Section 9).
4. DETAILS OF PROCESSING
4.1. Subject-matter of the processing: The provision of the OpenRMA as a Service program to the Controller.
4.2. Duration of the processing: For the term of the Principal Agreement, or until such time as the Controller’s account is terminated and data is securely deleted in accordance with Section 10.
4.3. Nature and purpose of the processing: Processing necessary for the Controller to manage their repair shop operations, including customer information, repair orders, and related data within the OpenRMA platform. This includes storage, retrieval, display, organization, and deletion of data as initiated by the Controller.
4.4. Type of Personal Data:
- Contact information (e.g., names, addresses, phone numbers, email addresses of the Controller’s customers).
- Repair order details (e.g., device information, fault descriptions, repair history).
- Payment information (if applicable and entered by the Controller, though Processor typically does not process raw payment card data directly).
- Other data as input by the Controller into the OpenRMA Service.
4.5. Categories of Data Subjects: Individuals who are customers of the Controller, whose data is entered into the OpenRMA Service by the Controller.
5. SECURITY OF PROCESSING
5.1. The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- The pseudonymisation and encryption of Personal Data.
- The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5.2. The Processor shall take reasonable steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not process them except on instructions from the Controller, unless they are required to do so by applicable law.
5.3. The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. PERSONAL DATA BREACH NOTIFICATION
6.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.
6.2. The notification shall, to the extent possible, describe:
- The nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
- The likely consequences of the Personal Data Breach.
- The measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.3. The Processor shall provide the Controller with reasonable assistance and cooperation in relation to any Personal Data Breach, including providing information reasonably requested by the Controller to enable them to fulfill their obligations under Data Protection Laws.
7. DATA SUBJECT RIGHTS
7.1. Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising Data Subject rights under Data Protection Laws (e.g., rights of access, rectification, erasure, restriction, data portability, objection).
7.2. In the event that a Data Subject makes a request directly to the Processor concerning Personal Data processed on behalf of the Controller, the Processor shall promptly inform the Controller of the request and shall not respond to the Data Subject directly unless expressly authorized to do so by the Controller or required by law.
8. ASSISTANCE TO THE CONTROLLER
8.1. The Processor shall provide reasonable assistance to the Controller in ensuring compliance with the Controller’s obligations under Data Protection Laws, taking into account the nature of processing and the information available to the Processor, including:
- Assistance with data protection impact assessments (DPIAs) where required.
- Assistance with prior consultation with a Supervisory Authority where required.
8.2. Any additional assistance requested by the Controller that goes beyond the Processor’s standard provision of the Service and the obligations outlined in this DPA may be subject to additional fees.
9. SUB-PROCESSING
9.1. The Controller hereby provides general authorization for the Processor to engage Sub-processors.
9.2. The Processor currently uses Google Cloud Platform (GCP) as its primary data platform for hosting servers and data in the United States. Google’s commitment to data protection and compliance can be found in their relevant documentation, including their own DPAs and data processing terms which include SCCs.
9.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors (beyond GCP), thereby giving the Controller the opportunity to object to such changes. The Controller’s objection must be based on reasonable grounds related to data protection. If the Controller objects, the Parties shall work in good faith to resolve the issue. If the issue cannot be resolved, the Controller may terminate the Principal Agreement, provided that such termination shall not relieve the Controller of any accrued obligations to pay fees.
9.4. Where the Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract or other legal act under Data Protection Laws, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Laws.
9.5. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.
10. RETURN AND DELETION OF DATA
10.1. Upon termination or expiration of the Principal Agreement, or upon the Controller’s written request, the Processor shall, at the Controller’s choice:
- Delete all Personal Data processed on behalf of the Controller.
- Return all Personal Data to the Controller and delete existing copies.
10.2. The Processor shall carry out the deletion or return within a reasonable timeframe (e.g., 30-90 days) after the termination of the Principal Agreement, unless applicable law requires retention of the Personal Data.
10.3. The Processor shall ensure that all Personal Data is irretrievably deleted from its systems and the systems of any Sub-processors, unless otherwise legally required.
11. AUDIT RIGHTS
11.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws.
11.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, provided that:
- The Controller shall give the Processor reasonable advance notice (e.g., 30 business days) of any audit or inspection.
- Audits shall be conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor’s operations.
- The Controller shall bear all costs of the audit.
- The Controller shall ensure that the auditor is bound by confidentiality obligations.
- The scope of any audit shall be limited to assessing the Processor’s compliance with this DPA.
12. INTERNATIONAL DATA TRANSFERS
12.1. The Processor’s servers and data platform are located within the United States, hosted on Google Cloud Platform (GCP).
12.2. If the Controller is established within the European Economic Area (EEA) or the United Kingdom and transfers Personal Data to the Processor (established in the UK, but processing data in the US), the Parties agree to rely on the applicable Standard Contractual Clauses (for EEA data) and/or the UK Addendum (for UK data) as adopted or approved by the European Commission and the UK Information Commissioner’s Office, respectively. The Controller acknowledges that the Processor’s engagement with GCP is under terms that incorporate appropriate data transfer safeguards, including Google’s adherence to relevant data protection frameworks and, where applicable, the implementation of SCCs between Google and its customers.
12.3. The Parties agree to execute the relevant Standard Contractual Clauses and/or the UK Addendum upon request, which shall form part of this DPA.
13. LIABILITY
13.1. The liability of each Party under this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.
14. GOVERNING LAW AND JURISDICTION
14.1. This DPA shall be governed by and construed in accordance with the governing law clause of the Principal Agreement.
14.2. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts specified in the Principal Agreement.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Addendum as of the date first written above.
FOR AND ON BEHALF OF Ioannis Orfanidis trading as OpenRMA Technologies (Processor):
Signature:
Name: Ioannis Orfanidis
Title: [OpenRMA Technologies ]