In order to easily track the changes of the present Data Processing Addendum, we have summarized the changes in the table below, including the effective dates and a short description of what has been changed:
December 23, 2019
Agreement on the processing of personal data ordered pursuant to GDPR between You as Controller and Us as Processor.
Authorized Representative – The technical contact given at the time of the purchase of the Atlassian Licence and the official representative of the Company who has signatory right shall be deemed as authorized representative. Any changes in the person of the Authorized Representative shall be sent to the following e-mail address: firstname.lastname@example.org
Customer – Who purchased a cloud deployment META-INF App through Atlassian Marketplace;
Customer Data – any personal data for which the Customer is the Controller and which shall be forwarded for processing to Processor.
DPA – the present Data Processing Addendum
GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Parties – Controller and Processor jointly.
Processor – META-INF Szolgáltató Korlátolt Felelősségű Társaság (seat: Taksony utca 6. fszt. 1., Budapest, 1192, Hungary, company registration number: 01-09-170431) who is the processor of the Customer Data;
Subcontractors – Any third party that is in a contractual relationship with the Processor and that may also conduct processing activity in connection with the Customer Data. The current list of the subcontractors who may conduct processing activity is accessible through the following link: List of sub data processors
2. Scope of the Agreement
2.2. The Processor declares that it shall process the personal data exclusively in a Member State of the European Union or in a state that is a party to the Agreement on the European Economic Area.
2.3. If the Processor has the processing of personal data handled in a third country (i.e. outside the European Union or outside a state that is a party to the Agreement on the European Economic Area), it shall require the Controller’s prior written or electronically documented consent, and such processing shall only occur to the extent that the special requirements of the GDPR are met. If the Commission decides that a third country offers an adequate level of data protection, no further authorisation is needed to transfer the Customer Data. The Processor informs the Controller that the Customer Data may be held outside the EU in a third country (as of the effective date of this DPA, the Customer Data is held in the territory of the United States of America in compliance with the regulations of the Privacy Shield framework), which country has an adequate level of protection (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en); therefore no written authorisation is required based on Section 45 of GDPR.
3. Nature, scope and purpose of the processing
3.1. The Processor shall process Customer Data only on behalf of the Controller and upon documented instructions from the Controller. By using the respective cloud deployment product, the Processor issues the instructions for data processing.
3.3. The Data processed by the Processor are described in Annex 1 of the present Agreement.
4. Authority of the Controller
4.1. The Processor shall exclusively process the Customer Data in accordance with the provisions contained in this Agreement and other instructions from the Controller.
4.2. The Controller shall issue all instructions and orders in a documented electronic format.
The Controller is obliged to confidentially treat all knowledge of the Processor’s business secrets and data security measures acquired within the framework of the contractual relationship. This obligation shall remain in force even after the termination of this Agreement.
4.3. As a rule, instructions are to be issued by the Controller’s Authorized Representative. The Processor informs the Controller that it only accepts instructions from the Authorized Representative. The Controller shall notify the Processor of any changes in those authorized to act or their substitutes, naming a representative as soon as possible via email@example.com
4.4. If the Processor has reasonable belief that an instruction from the Controller infringes this Agreement or the applicable data protection law, it must notify the Controller immediately. After timely prior notification to the Controller of at least a 14-day period, the Processor is to suspend implementation of the instruction pending confirmation or change of instruction by the Controller. If the Controller confirms the instructions with a brief justification in writing, the Processor is obliged to follow them. In this case, the Parties agree that the Controller alone shall be liable for the lawfulness of the processing.
5. Rights and duties of the Controller
5.1. Externally, in particular to third parties and data subjects, the Controller is solely liable for the assessment of the lawfulness of the personal data processing and for the protection of the rights of data subjects. Nevertheless, as far as legally permissible, the Processor is obliged to forward all requests by data subjects to the Controller, as far as these are recognizably directed to the Controller. The Processor shall assist the Controller appropriately in answering requests from data subjects (such as rectification, erasure and restriction of processing) and is entitled to charge reasonable compensation for this.
5.2. The Controller is the owner of the Customer Data and, in the relationship of the parties to each other, holder of any rights to the Customer Data.
5.4. In the event that a third party or data subject brings a claim directly against the Processor for violations of rights and/or related claims, the Controller undertakes to indemnify the Processor for all damages, costs/fees, including legal or other expenses or losses arising from the claim, to the extent that the Processor has notified the Controller of the assertion of the claim and has given it the opportunity to cooperate with the Processor in defending against the claim.
6. Rights and duties of the Processor
6.2. The Processor shall not use the Customer Data provided by the Controller for processing for any purpose other than as described in this DPA, in particular not for its own purposes. The Processor shall not make copies or duplicates of the Customer Data without the Controller’s prior written consent. Even with the prior written consent of the Controller, the Processor is not entitled to make copies or duplicates of the Customer Data except for data backup and cluster technology purposes.
6.3. The Processor shall not hand Customer Data over to third parties or other recipients without the Controller’s prior written consent. Exceptions to this include data transfers to Subcontractors whose assignment the Controller has accepted.
6.4. The Processor shall only provide third parties or authorities with information about personal Customer Data from this contractual relationship, to the extent legally permissible, after prior written or electronically documented instructions or approval by the Controller.
6.5. If the Controller is obliged to provide information about the Customer Data or the processing thereof to a governmental body, data subject or another person, the Processor is obliged to assist the Controller in the provision of such information, at first request, in particular by immediately providing all information and documents concerning the contractual processing of the Customer Data, including the technical/organisational measures taken by the Processor, the technical procedure in using the Customer Data, the locations where the Customer Data is used and the employees involved in the processing.
6.6. The Parties further agree that if there is a request from a third party regarding Customer Data processed on behalf of the Controller, the Processor will forward such request to the Controller, to the e-mail address of the technical contact. Any communication sent to this e-mail address shall be deemed official communication. The Controller has 7 working days to take the necessary actions regarding the request. Failure to fulfil this obligation is the sole liability of the Controller, and it must exonerate the Processor from any liability.
6.7. The Processor undertakes to:
a) fulfil the rights of the data subjects,
b) fulfil the obligation under GDPR,
c) prepare directories of processing activities.
6.8. The Processor undertakes to cooperate to the extent necessary and to adequately assist the Controller as much as possible. The respective information required for this shall be forwarded to the Controller upon its written request.
6.9. The Processor shall be obliged to rectify, erase or restrict the processing of personal data resulting from this contractual relationship if the Controller so requests by means of a written or electronically documented instruction and this does not conflict with the Processor’s legitimate interests, in particular the observance of statutory provisions.
6.10. The Processor informs the Controller that some of its META-INF Apps process e-mail messages; therefore, if the Customer Data intended to be deleted is found in the body of an e-mail message, the Processor is only able to fulfil the request of the Controller if the Controller identifies the exact e-mail message in which the Customer Data can be found. The Processor fulfils its obligation to erase it by deleting the entire e-mail.
6.11. Both the Controller and the Processor shall agree on making any changes in the processing subject matter only by their mutual agreement. The Parties further agree that the Processor is entitled to make changes in the processing procedure by its sole discretion, but such change shall not be more disadvantageous than the former procedure. These changes (change in processing subject or in processing procedure) shall be recorded in writing or in a documented electronic format.
6.12. The Processor is entitled to process data outside the office premises (e.g. with the Processor’s employees working from home).
7. Confidentiality obligation and observance of secrecy rules
7.1. The Processor confirms that it is familiar with the relevant GDPR data protection regulations, in particular with regards to order processing.
7.2. The Processor undertakes to maintain confidentiality in the orderly processing of the Controller's personal data. This shall continue after the termination of the Agreement.
7.3. The Processor warrants that it shall familiarize those employed in carrying out the data processing, prior to commencing the activity, with the data protection provisions relevant to them. For the term of their employment and after termination of employment, these employees must undertake to maintain the appropriate confidentiality.
8. Technical and organisational measures
8.1. The Processor shall take all technical and organisational measures required to maintain the necessary processing levels during the contractual period to ensure that the level of protection of the rights and freedoms of individuals affected by the processing is appropriate for the specific processing agreed. The protection objectives, such as confidentiality, integrity and availability of systems and services, as well as resilience in terms of the nature, scope, circumstances and purpose of the processing shall be taken into account in order to minimize risk during the contract period.
8.2. The Processor shall undertake a review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure processing security quarterly. The results concerning contractual data as well as the complete inner audit report shall be made available to the Controller, through the website of the Processor located at: Internal audits.
8.3. The Processor shall notify the Controller if the measures taken by the Processor do not meet the Controller’s requirements.
8.4. During the contractual relationship, the Processor is entitled to adapt measures to technical and organisational developments, provided that these do not fall below the standards agreed upon.
9. Notification obligations of the Processor in case of processing disruptions and breaches in personal data protection
9.1. With regards to Customer Data processing, the Processor is obliged to notify the Controller of any disruptions or breaches of data protection regulations or the provisions hereof by the Processor (or those with access to Customer Data employed by the latter).
9.2. The Processor is further obliged to notify the Controller immediately of any data breaches or major irregularities in the processing of the Controller’s personal data, in particular if there is evidence - for whatever reason - that a third party may have obtained unlawful knowledge of the Customer Data or if the integrity or confidentiality of the Controller's data is endangered in any other way.
9.3. Notifications pursuant to Articles 33 (Notification of a personal data breach to the supervisory authority) and 34 (Communication of a personal data breach to the data subject) of GDPR may only be made by the Processor to the Controller upon prior written or electronically documented instructions. For these support actions, the Processor is entitled to charge a reasonable fee.
10. Control rights of the Controller
10.1. Before beginning the processing and regularly thereafter, the Controller is entitled to verify, in an appropriate way, compliance with the technical and organisational measures taken by the Processor and the obligations set out herein, as well as with the relevant legal data protection provisions. If the Controller ascertains errors or irregularities in this or in any other examination of the agreed outcomes, the Processor shall be notified immediately thereof.
10.2. To carry out the checks, the Controller is entitled to enter the Processor's business premises where the Customer Data is processed during normal business hours (according to the Marketplace Listing of the product at marketplace.atlassian.com) at its own expense, without disrupting operations, and strictly maintaining the secrecy of the Processor’s business and trade secrets.
10.3. The Controller shall notify the Processor in due time (usually at least two weeks in advance) of all circumstances related to carrying out the inspection. As a rule, the Controller may carry out one inspection per calendar year. Notwithstanding this, the Controller’s right remains to carry out further checks in the event of special occurrences.
10.4. The Processor shall grant the Controller all rights of information and inspection required by the Processor to carry out the inspection. In particular, the Processor undertakes to grant the Controller access to the data processing equipment, files and other documents to enable the monitoring and verification of the relevant data processing equipment, files and other documentation related to Customer Data processing as stipulated below, through its employee:
a) The Controller is granted the possibility of investigation only at the premises located at HUNGARY, 1061, Budapest, Kiraly utca 14;
b) The Controller will provide a dedicated employee, who has full, unlimited access to the Customer Data;
c) The dedicated employee may retrieve all data regarding the respective Customer Data in case of an explicit inquiry by the Controller;
The Processor further informs the Controller that it indirectly grants all access and fulfils its obligation through its employee, which means the Processor will not grant direct access to any files, documents etc. to the Controller. All inspection has to be made through the Processor’s employee.
10.5. The Processor shall provide the Controller with all information required for the inspection. The Controller hereby takes due consideration of the Processor’s operating procedures and legitimate confidentiality interests.
10.6. The Processor shall receive a reasonable lump-sum allowance from the Controller for each of its inspections within the scope of these checks.
10.7. If the Controller commissions a third party to carry out the inspection, the Controller must oblige the third party, in writing, as the Controller is also obliged to the Processor. In addition, the Controller must oblige the third party to confidentiality and compliance with rules to protect confidential information, unless the third party is already subject to a professional confidentiality obligation. At the Processor’s request, the Controller must immediately provide it with the confidentiality agreements with the third party. The Controller undertakes not to entrust the inspection to any competitor of the Processor.
10.8. Upon written request, the Processor shall provide the Controller with the current certifications, if such certification exists, and/or test reports, if the Controller has commissioned a test report in order to regularly review the effectiveness of the technical and organisational measures.
11. Subcontracting relationships
11.1. The Processor is only permitted to commission subcontractors for the Controller’s data processing with the Controller’s prior written consent. This approval shall be given by the authorized person or representative in writing (electronically or in paper), but not verbally.
11.2. The Processor shall conclude subcontracting agreements in writing. This form of requirement is also met if it is in electronic format.
11.3. The Processor shall ensure that the subcontractor(s) are obliged in the subcontracting agreement to provide a standard in writing that does not fall short of the standard agreed herein. Furthermore, the Processor ensures that the responsibilities between Processor and subcontractor and also between multiple subcontractors are clearly delineated. The Processor shall ensure that the Controller is entitled to carry out an appropriate evaluation and inspection with subcontractors, also on site, if necessary, or have these carried out by third parties commissioned by it, unless proof of GDPR compliance can be provided by certification or approval.
12. Data return and deletion
12.1. The Processor is prohibited from actively processing Customer Data after the termination of this Agreement; further storage of the Customer Data only remains permitted until the Processor has provided this Customer Data to the Controller as intended, or deleted or destroyed it; in this case, the provisions of this Agreement shall continue to apply even after termination of the Agreement, until such time as the Processor no longer has any Customer Data.
12.2. The Controller may delete its Customer Data and/or create a copy until the expiration of the contractual relationship only by using the functionality of the META-INF App within its limitations (if the META-INF App grants the possibility thereto). If the META-INF App does not provide the option of deletion for the Controller regarding specific Customer Data processed by the Processor, the Controller may request the deletion of the said Customer Data in writing or in a documented electronic format from the Processor. The Processor shall immediately, but within 8 days at the latest, delete the Customer Data whose deletion was requested by the Controller in accordance with the above. After the end of the Agreement, the Processor shall delete all personal Customer Data unless legal requirements require a longer retention period. The data shall then be deleted no later than 45 days after the end of the Agreement, or earlier upon corresponding instructions.
12.3. The Processor is entitled to charge a reasonable fee for cancellation and destruction regarding the processed Customer Data.
13. Entry into force; contract duration and termination
13.1. This Agreement shall enter into force with effect from 23 December 2019.
14. Final Provisions
14.1. Amendments, additions to and the termination of this Agreement must be in writing or agreed upon in a documented electronic format. This also applies to a change or cancellation of the written form requirement.
14.2. If individual provisions of this Agreement are or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements.