About the Data Processing Agreement for Systems Provided by Powerfront

DATA PROCESSOR AGREEMENT 

This Data Processor Agreement (the "DPA") is entered into between:
A) Client (the "Data Controller")
and
B) Powerfront Inc (the "Data Processor"),
and shall form a part of the LICENSE AND SERVICES AGREEMENT (the "Agreement") between the Data Controller and Gaprise.

1. BACKGROUND
1.1 The Data Controller and the Data Processor have entered into the Agreement under which the Data Processor shall provide certain services to the Data Controller. Within the scope and for the purpose of the performance of the services defined and detailed in the Agreement, the Data Processor will process personal data on behalf of the Data Controller.
1.2 The Data Controller and the Data Processor have entered into this DPA in order to fulfill the requirement of a written agreement between a data controller and a data processor of personal data as set out in applicable data protection legislation. In addition to what may be set out in the Agreement, the following shall apply in relation to the Data Processor’s processing of personal data on behalf of the Data Controller. 

2. DEFINITIONS
The following terms and expressions in this DPA shall have the meaning set out below:
“applicable data protection legislation” means any national or internationally binding data protection laws or regulations (including but not limited to the European Data Protection Regulation 2016/679) applicable at any time during the term of this DPA on, as the case may be, the Data Controller or the Data Processor;
“Data Controller” means the legal entity which, under this DPA, determines the purposes and means of the processing of personal data;
“Data Processor” means the legal entity processing personal data on behalf of the Data Controller under this DPA;
“personal data” means any information relating to an identified or identifiable living, natural person;
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
“Data Protection Authorities” means any national data protection authority responsible for enforcing data privacy laws as well as supervising, as the case may be, the Data Controller or the Data Processor.

3. PROCESSING OF PERSONAL DATA
3.1 The Data Processor undertakes to process personal data only in accordance with documented instructions communicated from time to time by the Data Controller. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set forth in this DPA and in Appendix 1.
3.2 If the services are altered during the term of the Agreement and such altered services involve new or amended processing of personal data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate before or at the latest in connection with the commencement of such processing or change.
3.3 The Data Processor has no obligation to fulfil requirements or follow instructions from the Data Controller that go beyond what is stipulated in applicable data protection legislation and/or recommendations from the competent data protection authority.
3.4 The Data Processor shall provide reasonable assistance to the Data Controller in fulfilling its legal obligations under applicable data protection legislation, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject's individual rights and providing information to competent authorities. The Data Processor shall be entitled to reasonable compensation for such assistance.
3.5 The Data Processor shall without undue delay inform the Data Controller if the Data Processor does not have sufficient instructions on how to process personal data in a particular situation or if instructions provided under this DPA, in the Data Processor’s reasonable opinion, violate applicable data protection legislation.
3.6 If data subjects, competent authorities or any other third parties request information from the Data Processor regarding the processing of personal data covered by this DPA, the Data Processor shall refer such request to the Data Controller. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party. In the event the Data Processor, according to applicable laws and regulations, is required to disclose personal data that the Data Processor processes on behalf of the Data Controller, the Data Processor shall be obliged to inform the Data Controller thereof and shall request confidentiality in conjunction with the disclosure of requested information.


4. OBLIGATIONS OF THE DATA CONTROLLER
The Data Controller warrants and represents that
(i) all processing of personal data under this DPA is consistent with and necessary for the purpose for which the personal data was collected;
(ii) all processing instructions shall at all times be in accordance with applicable data protection legislation; and
(iii) all personal data transferred by the Data Controller to the Data Processor is necessary, accurate and up-to-date.


5. SUB-PROCESSORS
5.1 The Data Processor will engage the sub-processors set out in Appendix 1 for the purposes specified therein. The Data Processor undertakes to ensure that all sub-processors are bound by written agreements that require them to comply with corresponding data processing obligations to those contained in this DPA.
5.2 In the event the Data Processor wants to engage a sub-processor other than those specified in Appendix 1, the Data Processor shall without undue delay and at the latest 2 weeks prior to transferring any Personal Data to such sub-processor, inform the Data Controller, in writing, of the identity of such sub-processor as well as the purpose for which it will be engaged. The information shall also include information about the location of the sub-processor and may not involve transfer of the Personal Data outside of the European Economic Area unless approved by the Data Controller according to section 6 below.
5.3 The Data Processor shall be fully liable to the Data Controller for the performance of any sub-processor.


6. TRANSFER TO THIRD COUNTRIES
6.1 The location(s) of the personal data is set out in Appendix 1. The Data Processor may not transfer, or otherwise directly or indirectly disclose, personal data outside the European Economic Area without the prior written consent of the Data Controller (not to be unreasonably withheld, conditioned or delayed) and provided that adequate protection of the Personal Data in the receiving country is secured.
6.2 The Data Processor will have access to the Personal Data from outside the European Economic Area for support and maintenance purposes. As such this DPA incorporates the European Commission’s Standard Contractual Clauses (processors) in Appendix 2.


7. INFORMATION SECURITY AND CONFIDENTIALITY
7.1 The Data Processor shall be obliged to take appropriate technical and organizational measures to protect the personal data against accidental or unauthorized or unlawful access, disclosure, alteration, loss, damage and destruction. The Data Processor shall thereby follow any written information security requirements or policies communicated by the Data Controller from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
(iv) existing technical possibilities;
(v) the costs for carrying out the measures;
(vi) the particular risks associated with the processing of personal data; and
(vii) the sensitivity of the personal data which is processed.
7.2 The Data Processor shall without undue delay notify the Data Controller of any accidental or unauthorized access to personal data or any other security incidents (personal data breach) upon becoming aware of such incidents.
7.3 The Data Processor will furthermore provide the reasonable assistance requested by the Data Controller in order for the Data Controller to investigate the personal data breach and notify it to the Data Protection Authorities and/or the data subjects as required by applicable data protection legislation.
7.4 The Data Processor undertakes to not disclose or otherwise make the personal data processed under this DPA available to any third party, without the Data Controller’s prior written approval. Notwithstanding the above, disclosure to a sub-processor listed in Appendix 1 or subsequently notified to the Data Controller in accordance with section 5.2 above is permitted. This section 7.4 shall not apply if the Data Processor is required by applicable laws and regulations to disclose personal data that the Data Processor processes on behalf of the Data Controller, in which case what is set out in section 3.6 shall apply.
7.5 The Data Processor undertakes to ensure that access to personal data under this DPA is restricted to those of its personnel who directly require access to the personal data in order to fulfill the Data Processor’s obligations in accordance with this DPA and the Agreement. The Data Processor shall take reasonable steps to ensure that such personnel (whether employees or others engaged by the Data Processor) do not process personal data other than in accordance with the Data Controller’s instructions and maintain the security and confidentiality of any personal data to which they have access.


8. AUDIT RIGHTS
8.1 The Data Processor undertakes to make available to the Data Controller such information and assistance that is reasonably necessary for the Data Controller to verify that the Data Processor is in compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
8.2 Any audit or inspection shall be subject to reasonable written advance notice from the Data Controller and shall be conducted during normal business hours and with minimal disruption to the Data Processor’s business.
8.3 The cost of such audit or inspection shall be borne by the Data Controller.


9. INDEMNIFICATION
9.1 Liability under this DPA shall be settled in accordance with the provisions of Art. 82 GDPR to the compensation for damage suffered by a data subject as a result of unauthorised Data Processing in the course of the execution of the Agreement. In all other cases the Parties shall be mutually liable in accordance with applicable law. The parties shall reasonably assist each other in a defence against unjustified claims.

10. TERM
The provisions in this DPA shall apply as long as the Data Processor processes personal data for which the Data Controller is the data controller.


11. NOTICES
Any notice or other communication to be provided by one Party to the other Party under this DPA, shall be provided in accordance with the notices provision of the Agreement.


12. MEASURES UPON COMPLETION OF PROCESSING OF PERSONAL DATA
Upon expiry of this DPA, the Data Processor shall delete all personal data (including any copies thereof) to the Data Controller and shall take reasonable measures to ensure that any sub-processor does the same.