Data Processing Agreement
01Introduction
1.1 This data processing agreement (the "DPA") governs the processing of Personal Data in the course of the provision of the Services provided by Uncle Louis or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
1.2 This DPA regulates the Subscriber's rights and obligations in its capacity as data controller or processor as well as Uncle Louis's rights and obligations in its capacity as data processor or sub-processor when Uncle Louis processes Personal Data on behalf of the Subscriber under the Agreement.
1.3 The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
1.4 In case of any conflict between the rest of the Agreement and this DPA (including the documents specified under Clause 1.5), the wording of this DPA shall prevail.
1.5 The following shall form part of the DPA:
a) Specification of Data Processing
b) Pre-approved Sub-processors
1.6 Capitalized terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Uncle Louis AI.
02Processing of Personal Data
2.1 Uncle Louis undertakes to process Personal Data for purposes set forth in this DPA (including specification of data processing) and in accordance with the Subscriber's written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber's instructions to Uncle Louis regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Specification of Data Processing.
2.2 As data processor, Uncle Louis undertakes to:
a) Comply with all Applicable Data Protection Laws that are applicable to it as a processor of the Personal Data;
b) Cooperate with audits conducted by the Subscriber; and
c) Inform the Subscriber promptly if Uncle Louis determines that an instruction from the Subscriber violates Applicable Data Protection Laws.
2.3 Any transfer of Personal Data to Uncle Louis using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
2.4 Uncle Louis shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Uncle Louis's processing of Personal Data under this DPA, and Uncle Louis will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Uncle Louis regarding the processing of Personal Data covered by this DPA, Uncle Louis shall refer such requests to the Subscriber to the extent permissible under applicable law.
2.5 Uncle Louis shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber's compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
2.6 Uncle Louis's assistance to the Subscriber in accordance with Clause 2.4 and 2.5 will be provided at the Subscriber's reasonable expense, unless the reason for the assistance is a direct result of an act or omission by Uncle Louis or its Affiliates.
2.7 Uncle Louis certifies that it will not:
a) retain, use, or disclose Personal Data outside the context of the relationship between Uncle Louis and the Subscriber, other than to provide the Services in accordance with the Agreement and this DPA, or as otherwise permitted by Applicable Data Protection Laws;
b) sell or share Personal Data; or
c) combine Personal Data Uncle Louis obtains in the performance of the Services with any personal information that Uncle Louis collects from other sources, except as permitted by Applicable Data Protection Laws.
03Obligations of the Subscriber
3.1 The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Uncle Louis and to authorize Uncle Louis to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Uncle Louis.
3.2 The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.
3.3 The Subscriber shall limit the provision of Personal Data to Uncle Louis to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.
04Sub-processors
4.1 Uncle Louis is, subject to Clause 4.2, and Clause 5 entitled to engage subcontractors acting as sub-processors, and under the condition that they are bound by a written agreement which impose on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.
4.2 Uncle Louis shall inform the Subscriber of any new sub-processors by updating the subprocessor list and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor's ability to comply with Applicable Data Protection Laws and be made in writing within 30 days from posting. Uncle Louis may not engage a new sub-processor before the 30-day period has ended. Uncle Louis shall upon request provide the Subscriber with such information available to Uncle Louis that the Subscriber may reasonably request to assess the new sub-processor's ability to comply with Applicable Data Protection Laws. If Uncle Louis, despite the Subscriber's objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber's objection would result in additional costs or expenses for Uncle Louis, then Uncle Louis is entitled to adjust its fees under the Agreement to ensure that Uncle Louis is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber's objection would result in costs or operational consequences which, in Uncle Louis's opinion, would not be commercially reasonable, Uncle Louis may terminate the Agreement upon reasonable written notice.
05Third country transfers
5.1 The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Uncle Louis in the EU, in order for Uncle Louis to provide the Services. Uncle Louis will process Personal Data only within the EU/EEA. Where Uncle Louis engages sub-processors that are headquartered outside the EU/EEA but process within the EU/EEA, Uncle Louis shall implement Standard Contractual Clauses. The Subscriber's consent to such sub-processors shall be considered given if the Subscriber has not objected within the time set out in Clause 4.2.
5.2 To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Uncle Louis shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
5.3 If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows:
a) Uncle Louis shall ensure that the Restricted Transfer is subject to adequate safeguards as stated in Chapter V of the GDPR and may for this purpose rely on the Standard Contractual Clauses provided that the clauses, including supplementary security measures, ensure an essentially equivalent level of protection.
b) The Parties acknowledge and agree that Uncle Louis or its Sub-processor, as applicable, shall apply module 3 of the Standard Contractual Clauses.
5.4 Uncle Louis represents and warrants that Uncle Louis has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Uncle Louis is unable to fulfil its obligations in this Clause 5.4, Uncle Louis agrees to immediately notify the Subscriber.
06Information security and confidentiality
6.1 Uncle Louis shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
6.2 Uncle Louis shall ensure that only staff and other representatives who require access to Personal Data to fulfil Uncle Louis's obligations under the Agreement have access to such information. Uncle Louis shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorized to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.
07Data breach notifications
7.1 Uncle Louis shall inform the Subscriber without undue delay from becoming aware of a Personal Data breach.
7.2 Uncle Louis shall assist the Subscriber with any information reasonably required to fulfil the Subscriber's data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
08Data protection impact assesments and prior consultations
Uncle Louis shall, at the Subscriber's reasonable expense, considering the nature of the processing and the information available to Uncle Louis, assist the Subscriber in fulfilling the Subscriber's obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
09Audit rights
9.1 Subscriber shall have the right to perform audits of Uncle Louis's processing of Subscriber's personal data to verify Uncle Louis's compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period unless the Subscriber has clear reasons to believe that Uncle Louis has materially breached its obligations under this DPA.
9.2 Uncle Louis undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
9.3 In this context, it is noted that among Uncle Louis's customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Uncle Louis's other customers.
9.4 The Subscriber is responsible for all costs associated with audits, save for when an audit concludes a material breach of Uncle Louis's undertakings in violation of the Agreement. If so, Uncle Louis shall compensate the Subscriber for reasonable and verified costs associated with the audit.
10Term of Agreement
The provisions of this DPA shall apply as long as Uncle Louis processes Personal Data for which the Subscriber is data controller or until such time this DPA is replaced with another data processing agreement.
11Measures upon completion of processing of Personal Data
11.1 Before the expiration of this DPA, Uncle Louis shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Uncle Louis to store the Personal Data in which case the obligations set out in Clause 11.4(a)–(c) shall apply.
11.2 If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, Uncle Louis shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under Dutch or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess Personal Data, require the authorized sub-processor to take the same measures that would be required of Uncle Louis.
11.3 Upon request by the Subscriber, Uncle Louis shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.
11.4 If Uncle Louis is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Uncle Louis shall:
a) inform the Subscriber thereof in writing specifying the legal obligation and the affected Subscriber data,
b) not use the archived information for any other purpose than to strictly comply with the applicable legal obligation; and
c) remain bound by its obligations under the Agreement, including this DPA, including, its confidentiality and security obligations under the Agreement and the obligations under this DPA to protect the information using appropriate safeguards and to notify the Subscriber of any security incident involving the information.
12Amendments
12.1 Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
12.2 Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in the Specification of Data Processing. Uncle Louis shall be entitled to remuneration for any reasonable and verified additional costs that Uncle Louis incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.
13Liability
The liability provisions and limitations thereof set out in the General Terms and Conditions Uncle Louis AI shall apply to this DPA.
14Governing law and settlement of disputes
14.1 Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the GTCs.
14.2 Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the General Terms and Conditions Uncle Louis AI.
15Definitions
"Applicable Data Protection Laws" means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the "EU"), including the EU General Data Protection Regulation ("EU GDPR"), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), and all other privacy and data protection laws of the European Economic Area ("EEA") and the United Kingdom and (ii) those applicable in the United States, including the California Consumer Privacy Act, and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.
"Data Transfer Mechanism" means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
"Data Protection Authority" means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.
"Personal Data" means any Subscriber Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes "personal data", "personal information" or any similar term within the meaning of Applicable Data Protection Laws.
"Restricted Transfer" means any transfer of Personal Data that requires a Data Transfer Mechanism.
"Standard Contractual Clauses" means the European Commission's standard contractual clauses adopted 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses.
The terms "data controller" and "data processor" have the meanings accorded to them under Applicable Data Protection Laws.