Data Processing Addendum (DPA)
1. Incorporation and purpose
This Data Processing Addendum ("DPA") forms an integral part of the agreement governing the use of the itemis SaaS services (the "Terms of Use") and is incorporated therein by reference.
This DPA applies to the extent that ITEMIS processes Personal Data on behalf of the Customer in its role as a processor under applicable Data Protection Laws, in particular Article 28 of the European General Data Protection Regulation (GDPR).
This DPA supplements the Terms of Use. The Privacy Policy for itemis SaaS (Version 4.0.0 dated February 16, 2026) is hereby incorporated by reference into the contractual framework between the parties and serves as a descriptive specification of processing contexts, data categories and sub-processors. The Privacy Policy for itemis SaaS does not independently define processing purposes or obligations under this DPA, unless expressly referenced herein.
2. Definitions
Unless otherwise defined in this DPA, terms used in this DPA have the meanings given to them in the Terms of Use and the Privacy Policy for itemis SaaS.
For the purposes of interpretation of this DPA, references to processing contexts, categories of Personal Data, categories of data subjects or sub-processors shall be construed in accordance with the descriptions set out in the Privacy Policy for itemis SaaS, as incorporated by reference.
For the purposes of this DPA:
- "Customer" means the party to the Terms of Use that determines the purposes and means of processing Personal Data.
- "ITEMIS" means the itemis contracting entity identified in the Terms of Use.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by ITEMIS on behalf of the Customer in connection with the services.
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Terms of Use, including the GDPR and, where applicable, U.S. state privacy laws.
3. Roles and scope of processing
3.1. Roles of the parties
Where the Customer uses the itemis SaaS services in a customer-controlled usage scenario, the Customer acts as controller and ITEMIS acts as processor with respect to the processing of Personal Data on behalf of the Customer.
3.2. Subject matter and context of processing
The subject matter, nature and purpose of the processing, the categories of Personal Data and the categories of data subjects result from:
- the use of the itemis SaaS services as described in the Privacy Policy for itemis SaaS, and
- the specific services and configurations agreed between the Customer and ITEMIS under the Terms of Use.
3.3. Duration
The processing under this DPA is carried out for the duration of the Terms of Use, unless otherwise agreed or required by applicable law.
4. Processing on documented instructions
4.1. Processing on the Customer’s instructions
ITEMIS processes Personal Data solely on documented instructions from the Customer. The Customer’s instructions are determined by:
- the Terms of Use, including any service descriptions or configurations agreed thereunder, and
- the Customer’s use of the itemis SaaS services in accordance with the Terms of Use.
Any additional instructions issued by the Customer shall be provided in text form.
4.2. Lawfulness of instructions
The Customer is responsible, in its role as controller, for ensuring that its instructions comply with applicable Data Protection Laws.
If ITEMIS becomes aware that an instruction infringes applicable Data Protection Laws, ITEMIS shall inform the Customer without undue delay. In such a case, ITEMIS is entitled to suspend the execution of the affected instruction until the Customer has confirmed or modified it.
4.3. No obligation to monitor instructions
ITEMIS is not obliged to actively monitor or assess the lawfulness of the Customer’s instructions beyond the notification obligation set out in Section 4.2.
4.4. Changes to instructions
Changes to the Customer’s instructions must be documented and agreed in accordance with the Terms of Use.
Where a change to the instructions requires additional technical measures, modifications to the services or results in additional effort or costs for ITEMIS, such changes may be subject to separate agreement between the parties.
4.5. Processing required by Union or Member State law
Where ITEMIS is required to process Personal Data by Union law or the law of a Member State of the European Union to which ITEMIS is subject, such processing shall be deemed lawful for the purposes of this DPA and shall not require documented instructions from the Customer.
In such a case, ITEMIS shall inform the Customer of the relevant legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5. Confidentiality
5.1. Confidentiality obligation
ITEMIS ensures that all persons authorised to process Personal Data on its behalf are subject to an appropriate obligation of confidentiality, arising from contractual commitments or statutory duties.
5.2. Scope of authorisation
ITEMIS grants access to Personal Data only to those persons who require such access for the performance of their tasks in connection with the provision of the itemis SaaS services.
Access rights are limited in accordance with the principle of least privilege and are reviewed on a regular basis.
6. Security of processing
6.1. Technical and organisational measures
ITEMIS implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:
- the state of the art,
- the costs of implementation,
- the nature, scope, context and purposes of the processing, and
- the risks of varying likelihood and severity for the rights and freedoms of natural persons.
These measures are designed, in particular, to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
6.2. Risk-based approach
The security measures implemented by ITEMIS follow a risk-based approach and are reviewed and adjusted where necessary to maintain an appropriate level of protection.
6.3. Assistance and information
Upon the Customer’s reasonable request, ITEMIS shall provide appropriate information regarding the technical and organisational measures implemented, to the extent necessary for the Customer to assess compliance with Article 32 GDPR.
Such information may be provided in summary or aggregated form and shall be subject to appropriate confidentiality obligations. ITEMIS is not required to disclose information that would compromise the security of the services or reveal trade secrets.
7. Sub-processing
7.1. General authorisation
The Customer grants ITEMIS a general authorisation to engage sub-processors for the purpose of providing and supporting the itemis SaaS services.
This authorisation is subject to the requirements and safeguards set out in this Section 7.
7.2. Approved sub-processors
The sub-processors identified in the Privacy Policy for itemis SaaS, including their name, address, and function in the context of the processing, are deemed approved sub-processors within the meaning of Article 28 (2) GDPR. The Privacy Policy for itemis SaaS, as incorporated by reference, serves as the authoritative specification of such sub-processors for the purposes of this DPA. If personal data is transferred to a sub-processor in a third country, the transfer mechanisms specified in Section 7.1 of the Privacy Policy for itemis SaaS shall apply and are hereby incorporated into this DPA.
ITEMIS is authorised to engage other itemis entities as sub-processors, where such entities process Personal Data on behalf of the respective ITEMIS entity acting as processor, in accordance with the role allocation set out in Section 2 of the Privacy Policy for itemis SaaS. The Customer hereby grants its general authorisation within the meaning of Article 28 (2) GDPR for such group-internal sub-processing.
7.3. Responsibility for sub-processors
ITEMIS remains fully responsible to the Customer for the performance of any sub-processor’s obligations relating to the processing of Personal Data under this DPA.
ITEMIS ensures that each sub-processor is bound by contractual data protection obligations that are no less protective than those set out in this DPA.
7.4. Changes to sub-processors
Any changes to the list of sub-processors described in the Privacy Policy for itemis SaaS, including the addition or replacement of sub-processors, shall be subject to the following procedure:
- ITEMIS shall inform the Customer of the intended change at least fourteen (14) calendar days in advance; and
- the Customer may object to the change within this period on reasonable grounds relating to data protection.
If the objection is justified and cannot be resolved, the parties shall discuss appropriate measures in good faith, which may include changes to the services or termination of the affected services in accordance with the Terms of Use.
8. Assistance and cooperation
Taking into account the nature of the processing and the information available to ITEMIS, ITEMIS shall assist the Customer in ensuring compliance with the Customer’s obligations under applicable Data Protection Laws, in particular Articles 32 to 36 GDPR.
8.1. Scope of assistance
This assistance includes, as applicable and to the extent required by law:
- (a) the implementation and review of appropriate technical and organisational measures pursuant to Article 32 GDPR;
- (b) the handling of personal data breaches, including the provision of information reasonably necessary for the Customer to comply with its notification obligations under Articles 33 and 34 GDPR;
- (c) the conduct of data protection impact assessments pursuant to Article 35 GDPR; and
- (d) prior consultations with supervisory authorities pursuant to Article 36 GDPR.
8.2. Data subject requests
Where ITEMIS receives a request from a data subject relating to Personal Data processed on behalf of the Customer, ITEMIS shall, without undue delay, inform the Customer of such request.
ITEMIS shall not respond to the data subject directly, unless ITEMIS is legally required to do so.
Nothing in this DPA shall prevent ITEMIS from providing information to a data subject where ITEMIS is legally required to do so under mandatory provisions of applicable law, including applicable U.S. state privacy laws.
8.3. Reasonable compensation
Where assistance requested by the Customer exceeds what is reasonably required for the standard provision of the services under the Terms of Use, ITEMIS may provide such assistance subject to reasonable compensation, unless otherwise required by applicable Data Protection Laws.
However, no compensation shall be due where such assistance is required as a result of a breach of this DPA or applicable Data Protection Laws by ITEMIS.
9. Personal data breaches
9.1. Notification to the Customer
In the event of a personal data breach affecting Personal Data processed on behalf of the Customer, ITEMIS shall notify the Customer without undue delay after becoming aware of the breach.
The notification shall include, to the extent such information is available at the time:
- a description of the nature of the personal data breach,
- the categories and approximate number of data subjects concerned,
- the categories and approximate number of Personal Data records concerned,
- the likely consequences of the personal data breach, and
- the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
9.2. No independent notification obligation
The Customer remains solely responsible for assessing whether a personal data breach must be notified to a supervisory authority and whether affected data subjects must be informed.
ITEMIS is not obliged to notify supervisory authorities or data subjects directly, unless required to do so by applicable law.
10. Deletion and return of Personal Data
10.1. Deletion upon termination
Upon termination or expiry of the Terms of Use, ITEMIS shall, at the Customer’s choice, delete or return all Personal Data processed on behalf of the Customer. ITEMIS may retain Personal Data to the extent required by Union or Member State law. Any such retained Personal Data shall be subject to appropriate safeguards and shall be deleted once the relevant retention obligation or legal purpose no longer applies.
Where the Customer does not exercise this choice within 30 days after termination or expiry of the Terms of Use, ITEMIS may delete the Personal Data in accordance with its standard deletion processes.
Upon the Customer’s reasonable request, ITEMIS shall provide information sufficient to confirm the deletion or return of Personal Data in accordance with this Section 10.
10.2. Method and scope of deletion
Deletion of Personal Data shall be carried out in a manner that ensures the data can no longer be reconstructed or accessed in the ordinary course of business.
The deletion obligation applies to all Personal Data processed on behalf of the Customer, including copies, unless retention is required by Union or Member State law.
10.3. Retention required by law
Where ITEMIS is required by Union or Member State law to retain certain Personal Data beyond the termination of the Terms of Use, ITEMIS shall inform the Customer of such retention requirement where legally permissible and ensure that the Personal Data is processed solely for the purpose of complying with such legal obligations.
10.4. Deletion schedules and backups
Deletion and retention periods applicable to the itemis SaaS services are described in the Privacy Policy for itemis SaaS.
Personal Data contained in backup copies is deleted in accordance with the standard retention periods and technical processes of the backup systems, provided that such data is not restored and used for active processing.
11. Audits and information
The Customer is entitled to obtain information and, where required by applicable Data Protection Laws, to conduct audits in order to verify ITEMIS’ compliance with this DPA.
11.1. Right to information
ITEMIS shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. This includes, in particular, the documentation of the technical and organisational measures implemented by ITEMIS.
Such information may be provided in an appropriate form, including policies, summaries of technical and organisational measures, certifications, audit reports, or comparable documentation.
11.2. Audits
The Customer may conduct audits of ITEMIS’ compliance with this DPA where required by applicable Data Protection Laws.
Audits may be conducted remotely or on-site, as appropriate.
Audits shall be agreed between the parties with appropriate prior notice, unless a shorter notice period is required due to a substantiated incident or a binding request by a supervisory authority.
Audits shall be:
- limited to matters relevant for verifying compliance with this DPA,
- usually conducted during normal business hours, taking into account the operational requirements of ITEMIS,
- organised in a manner that does not unreasonably interfere with ITEMIS’ business operations, and
- subject to appropriate confidentiality obligations.
11.3. Use of third-party reports and certifications
ITEMIS may provide independent third-party audit reports or certifications (such as ISO 27001 or comparable standards) as a means of demonstrating compliance with this DPA.
The provision of such documentation may be taken into account when determining the scope, depth and frequency of any audit requested by the Customer.
11.4. Costs
Unless otherwise required by applicable law, audits requested by the Customer shall be conducted at the Customer’s expense.
However, ITEMIS shall bear the reasonable costs of the audit if the audit is verifiably necessitated by a breach of this DPA or applicable Data Protection Laws by ITEMIS, or if the audit reveals a material breach of this DPA by ITEMIS.
12. International transfers
12.1. General principle
Where Personal Data is transferred to, or accessed from, a country outside the European Union or the European Economic Area in the course of providing the services, ITEMIS ensures that such transfer takes place in compliance with applicable Data Protection Laws.
12.2. Transfer mechanisms
Where required under applicable Data Protection Laws, international transfers of Personal Data are subject to appropriate safeguards, which may include, as applicable, an adequacy decision, standard contractual clauses, or other lawful transfer mechanisms recognised under applicable Data Protection Laws.
12.3. Information on transfers
Information on international data transfers relevant to the itemis SaaS services is described in the Privacy Policy for itemis SaaS.
Where required, ITEMIS shall provide the Customer with additional information reasonably necessary to assess compliance with applicable requirements for international transfers.
13. U.S. state privacy law provisions
13.1. Applicability
This Section 13 applies only to the extent that ITEMIS processes Personal Data on behalf of the Customer that is subject to applicable United States state privacy laws.
Where this Section 13 applies, ITEMIS acts as a service provider or processor, as defined under the respective U.S. state privacy laws.
13.2. Processing limitations
ITEMIS shall process Personal Data on behalf of the Customer solely for the purpose of performing the services under the Terms of Use and strictly in accordance with the Customer’s instructions.
In particular, ITEMIS shall not sell Personal Data, share Personal Data for cross-context behavioural advertising, or retain, use or disclose Personal Data for purposes other than performing the services under the Terms of Use, except as permitted under applicable U.S. state privacy laws.
13.3. Assistance and cooperation
The assistance and cooperation obligations set out in Section 8 apply irrespective of Section 13 and, where applicable U.S. state privacy laws apply, shall be construed to include any additional mandatory assistance requirements under such laws.
13.4. Relationship to other provisions
In the event of a conflict between this Section 13 and other provisions of this DPA, this Section 13 shall prevail solely with respect to matters governed by applicable U.S. state privacy laws, provided that nothing in this Section 13 shall be construed to reduce or limit ITEMIS’ obligations under the GDPR or other applicable Data Protection Laws, or to permit processing beyond what is permitted under this DPA and the Customer’s instructions.
13.5. Retention under U.S. Law
Notwithstanding Section 10, ITEMIS may retain Personal Data to the extent required by applicable U.S. federal or state law, provided that such retention is permitted under applicable Data Protection Laws and does not conflict with mandatory requirements of the GDPR regarding the processing of data within the scope of the European Union.
ITEMIS processes Personal Data solely for the limited and specified purposes of performing the services under the Terms of Use and as permitted under applicable U.S. state privacy laws, and not for any other commercial purpose.
14. Final provisions
If continued processing under this DPA would result in a material and unresolved violation of applicable Data Protection Laws, either party may terminate the affected processing in accordance with the termination provisions of the Terms of Use.
14.1. Precedence
In the event of any conflict or inconsistency between the Terms of Use, this DPA and the Privacy Policy for itemis SaaS, the following order of precedence shall apply:
(a) this DPA; (b) the Terms of Use; (c) the Privacy Policy for itemis SaaS.
Notwithstanding the foregoing, where this DPA expressly refers to the Privacy Policy for itemis SaaS as a descriptive specification (in particular with respect to approved sub-processors), the relevant provisions of the Privacy Policy for itemis SaaS shall prevail for that limited purpose.
14.2. Term and termination
This DPA becomes effective upon the effective date of the Terms of Use and remains in force for the duration of the processing of Personal Data by ITEMIS on behalf of the Customer.
Termination or expiry of the Terms of Use automatically results in the termination of this DPA, subject to Section 10 (Deletion and return of Personal Data).
14.3. Amendments
ITEMIS may amend this DPA where such amendments are required to comply with changes in applicable Data Protection Laws or binding guidance from competent supervisory authorities.
Any amendments shall be notified to the Customer in advance and shall become effective in accordance with the Terms of Use.
14.4. Governing law and jurisdiction
This DPA is governed by the law governing the Terms of Use.
The courts specified in the Terms of Use shall have jurisdiction over disputes arising out of or in connection with this DPA, unless mandatory data protection laws provide otherwise.
14.5. Severability
If any provision of this DPA is held invalid or unenforceable, the validity and enforceability of the remaining provisions are not affected.
The parties shall replace any invalid or unenforceable provision with a valid provision that comes closest to the intended economic and legal effect of the original provision.