AGREEMENT ON COMMISSIONED DATA PROCESSING

 

October 4, 2019 (Last updated: October 15, 2019)

 

Contractual parties

This Agreement on Commissioned Data Processing (hereinafter referred to as “DP Agreement“) is entered into between Vidispine AB, Kista Alléväg 3, 164 55 Kista, Sweden (hereinafter referred to as the “Contractor” or “Vidispine”) and the client, who has registered for the Vidinet Portal under https://www.vidinet.net/register by accepting the Terms of Service for Vidinet SaaS, available under https://www.vidinet.net/terms (hereinafter referred to as the „Client”).

1. Preamble

This DP Agreement regulates the obligations of the contracting parties in connection with the processing of personal data on behalf of the Client by the Contractor within the framework of the Main Contract. This DP Agreement replaces previous data protection agreements between the parties within the mean-ing of § 11 BDSG old.

2. Definitions

The terms used in this DP Agreement correspond to the definitions of the GDPR, unless otherwise specified. Data of the Client shall exclusively mean Personal Data which, in connection with the Main Contract, has either been provided to the Contractor by the Client or collected by the Contractor exclu-sively for the Client on the Client’s behalf. Main Contract means the agreement for access to the Vidinet Portal, a cloud based platform which provides various software-as-a-service products and the usage of such software-as-a-service products, for which Client has registered under https://www.vidinet.net/reg-ister and has accepted the Terms of Service for Vidinet SaaS, available under https://www.vidinet.net/terms. TOM are technical and organizational measures available at https://www.arvato-systems.com/arvato-systems-en/privacy-policy/information-for-customers-and-in-terested-parties/arvato-systems-as-a-processor/technical-and-organizational-measures (as amended from time to time). Processing category means the categorization of processing operations carried out by the Contractor on behalf of the Client, the definition of which is given in the TOM.

3. Object and Duration of Processing; nature, purpose and means of Processing; nature of Personal Data and categories of Data Subjects

3.1 The respective civil law assignment by the Client is regulated in the Main Contract itself. Modalities (e.g. object, duration, type, purpose, means, categories of data) of Order Pro-cessing in the context of the Main Contract are set out in the Appendix Concretization of Processing (as amended from time to time). The present DP Agreement including its TOM forms a concrete DP agreement together with the (respective) Appendix Concretization of Processing and forms a contractual unit with the underlying Main Contract. For the sake of clarification, the parties note that the ‘Concretization of Processing’ may summarize similar operations (e.g. similar processing).

3.2 Within the framework of the performance of the Main Contract and in compliance with the provisions of these General Terms and Conditions, the Contractor shall be entitled to carry out all necessary processing steps with regard to the Client’s Data (e.g. duplication of data for loss protection, creation of log files, intermediate files and work areas) insofar as this does not lead to a content modification of the Client’s Data.

4. Obligation of the Contractor to follow instructions

4.1 The Contractor is a Processor as defined by Article 4 No. 8 GDPR and may only process the Client’s data within the framework of and for the purposes of the Main Contract, including this General Contract Terms and Conditions and the Client’s instructions, unless he is legally obliged to process them. In this case, the Contractor shall notify the Client of these legal requirements in writing or by e-mail (writing), unless the law in question prohibits such noti-fication because of an important public interest.

4.2 Instructions are the documented instructions of the Client directed at a specific processing of the Client’s data by the Contractor. They are initially determined by the Main Contract and the framework contract and can then be changed, supplemented or replaced by the Client by a single instruction (single instruction). The instructions of the Client must always be given in writing; in exceptional cases required verbal instructions must be confirmed by the Client immediately in writing. The contractor’s activities on the basis of instructions that go beyond the contractually agreed scope of services of the Main Contract shall be treated as requests for changes.

4.3 Persons authorized to issue instructions on the part of the Client and persons authorized to receive instructions on the part of the Contractor shall be notified to the other party. The respective party shall immediately inform the other party of any change of this person in writing.

4.4 The Contractor shall not be obliged under substantive law to inspect instructions issued by the Client. However, if the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall inform the Client without delay. In this respect, the Con-tractor shall be entitled to suspend the execution of the relevant instruction until the Client has confirmed or amended it (at least in writing). If the Client adheres to the instructions given and if the Contractor considers that the implementation of such instructions continues to require the Client to act unlawfully, the Contractor shall be entitled not to carry out the processing.

5. Duties of the Contractor

5.1 Within his area of responsibility, the Contractor shall meet TOM to adequately protect the Client’s data, which ensure the confidentiality, integrity, availability and resilience of the sys-tems and services in connection with this order processing in the long term and have the ability to quickly restore the availability of the personal data and access to them in the event of a physical or technical incident. The data protection concept described in the TOM repre-sents the selection of the technical and organizational measures by the Contractor in accord-ance with the risk determined by him, taking into account the protection objectives in accord-ance with the state of the art and in particular taking into account his own IT systems and processing methods. The Client has checked these data security measures offered by the Contractor in the TOM and assumes responsibility for ensuring that they are sufficient for his data at the time of conclusion of the contract.

5.2 The contractor reserves the right to change the TOM agreed upon, unless the level of pro-tection laid down therein is undershot.

5.3 The Contractor has established a procedure to regularly review the effectiveness of the TOM and to ensure the security of the processing.
Document version 2019/10 CONFIDENTIAL Page 3 of 9

5.4 The Contractor guarantees that the employees involved in processing the Client’s data and other persons working for the Contractor shall only process these data in accordance with the instructions of the Client, unless they are legally obliged to process them. The Contractor further guarantees that the persons employed by it to process the Client’s data have under-taken to maintain confidentiality or are subject to an appropriate statutory duty of confidenti-ality. This obligation continues to exist even after termination of the contract.

5.5 The Contractor shall inform the Client without delay if it becomes aware of any violations of the protection of the Client’s data. In this case, the contractor may temporarily and at his own discretion take appropriate measures within his area of responsibility to protect the Client’s data and to mitigate possible adverse consequences. The Contractor shall inform the Client as soon as possible of any measures taken by him.

5.6 The contact person at the contractor for any data protection questions that may arise is named in the Appendix Concretization of Processing.

5.7 The Contractor shall keep a list of processing activities in accordance with Article 30 para. 2 GDPR. He is authorized to make the list concerning this DP contract available to a supervi-sory authority at its request or the contracting authority can request this list from the contrac-tor if a supervisory authority so requests or if the contracting authority carries out audits or certifications.

5.8 The Contractor shall assist the Client, taking into account the nature of the processing and the information available to it, in complying with the obligations of the Client set out in Articles 32 to 36 GDPR.

5.9 Should the data of the Client be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Client shall be informed immediately by the Contractor, unless the law in question prohibits such notification due to an important public interest. The contractor shall immediately inform the third party that the sovereignty and “ownership of the data” lies solely with the Client.

6. Duties of the Client

6.1 The Client is responsible in the sense of the GDPR. Within the framework of these General Terms and Conditions, he shall bear undivided responsibility for compliance with the statu-tory provisions of the data protection laws, in particular for the legality of the transfer of data to the Contractor and for the legality of data processing. The contracting authority is respon-sible for fulfilling the obligations set out in Articles 32 to 36 of the GDPR.

6.2 The Client shall inform the Contractor immediately and completely if it detects errors or ir-regularities with regard to data protection regulations during the examination of the order results.

6.3 The contact person at the Client for data protection issues is named in the Concretization of the processing.

6.4 The Client shall provide the Contractor with all information required by the Contractor for the maintenance of the directory in accordance with Article 30 para. 2 GDPR.

6.5 The Client shall be responsible for evaluating and evaluating the effectiveness of the TOM agreed in order to guarantee the security of the processing. Insofar as TOM does not con-sider the TOM to be sufficient to guarantee the security of the processing (e.g. new risk assessment of the Client), the Parties shall agree on corresponding changes and their com-mercial effects and implement them on the basis of a corresponding written change agree-ment (if the Parties have agreed on a change procedure in the Main Contract, this shall apply).

6.6 In the event of a claim against the Contractor by an affected person or a body named in Article 80 GDPR with regard to any claims pursuant to Articles 79 or 82 GDPR, the Client undertakes to support the Contractor in defending the claims. In this context, the Contractor shall be entitled to disclose details of the General Contract Terms, data processing and in-structions of the Client to third parties for the purpose of defending these claims or for excul-pation pursuant to Article 82 para. 3 GDPR.

7. Protection of rights of Data Subjects

7.1 With regard to this DP Agreement, the Client is responsible for safeguarding the rights of the persons concerned provided for in Chapter III of the GDPR.
Insofar as the Contractor’s cooperation is necessary for the protection of the rights of the parties concerned (in particular with regard to information, correction, blocking or deletion) by the Client, the Contractor shall support the Client upon request. The same applies to the provision of information.

7.2 If a Data Subject contacts the Contractor with the assertion of Data Protection rights regu-lated in the GDPRGDPR, the Contractor shall inform the Client if it is possible to assign the Data Subject inquiry to the Client according to the information provided by the Data Subject.

8. Subcontractors

8.1 The Client agrees that the Contractor may involve third parties (“subcontractors”) in the per-formance of its contractually agreed services directly vis-à-vis the Client and the related pro-cessing of data, insofar as the requirements of Paragraph 8.2 are guaranteed.
Approval will be granted for the involvement of a company affiliated with the contractor pur-suant to §§ 15ff. AktG within the Arvato Systems Group (listed at www.arvato-sys-tems.com/Subprocessors).
The subcontractors used for the Client at the time of the conclusion of the contract are named in the (respective) Appendix “Concretization of Processing”.
The Contractor shall inform the Client of any further subcontractors and any intended com-missions of further subcontractors. Information on subcontractors appointed by the Client shall be sent to the person authorized to issue instructions (see Appendix “Concretization of Processing”) of the Client or via publication on the website listed in the Appendix “Concreti-zation of Processing”.
The Client may object to changes made by subcontractors for important data protection rea-sons to the person authorized to receive instructions (at least in writing). If no objection is made within a reasonable period of time, consent to the amendment shall be deemed to have been given. If there is an important Data Protection reason and an amicable solution between the parties is not possible, the contractor may terminate the Main Contract and the DP Agreement for an important reason.

8.2 The Contractor shall subject the subcontractors commissioned by him to the same contrac-tual data protection obligations to which he himself is subject in accordance with this DP Agreement.
If necessary, the Contractor shall conclude contracts with subcontractors on the basis of EU standard contracts, taking into account Article 44 et seq. GDPR. If and to the extent that data collection and/or use by the subcontractor outside the EU, or of the EEA, the Principal hereby authorizes the Contractor to conclude the EU Standard Contract Controller to Processor on behalf of the Principal with the subcontractor in such a way that either (i) the Principal joins an EU Standard Contract existing between the subcontractor (as Processor) and the Con-tractor (as Controller) and acquires the same rights as the Contractor under the EU Standard Contract, or (ii) the contracting authority concludes an EU standard contract directly with the subcontractor and the contractor enters into it, so that the latter acquires the same rights in this respect as the contracting authority under the EU standard contract.

8.3 If the subcontractor does not comply with his data protection obligations, the contractor shall be liable to the Client for compliance with the obligations of that subcontractor as for his own fault.

9. Evidence from the Contractor, Inspections

9.1 The Contractor shall prove to the Client compliance with the obligations laid down in this DP Agreement by submitting appropriate certificates (e.g. ISO 27001) or by submitting/perform-ing a self-audit or self-assessment.

9.2 If, in individual cases, further inspections or checks required under data protection law should be necessary by the Client or an independent external auditor commissioned by the Client, whose name is communicated to the Contractor in good time in advance, (e.g. If the Con-tractor has reasonable doubts about a self-audit submitted by the Contractor or a violation of the Protection of Personal Data), these will be carried out in the presence of an employee of the Contractor during normal business hours and without disrupting the course of business at the Contractor’s premises after registration, taking into account an appropriate lead time (which is usually 4 weeks; unless faster execution is required for data protection reasons). The Contractor may make these inspections or checks dependent on the signing of an ap-propriate declaration of confidentiality with regard to the data of other Clients and the tech-nical and organizational measures set up. If the inspector commissioned by the Client or its Client is in a competitive relationship with the Contractor or its subcontractors, the contractor can refuse an inspection by the inspector.

9.3 The Client may demand that an audit be carried out in accordance with this clause even without a concrete data protection reason. The contracting entity may audit once within a 12-month period, unless mandatory data protection law requires more frequent audits. If more far-reaching regulations for carrying out audits between the parties have been agreed (audit guideline), these must also be taken into account.

9.4 The Client shall provide the Contractor with a copy of the complete audit report in digital form. In particular, the Contractor may also provide the audit report to its subcontractors.

10. Return and Deletion of data upon termination of the Main Contract

10.1 After termination of the Main Contract, the Contractor shall, if technically possible and com-missioned by the Client, surrender the data of the Client. Electronically stored data are to be released on request and instruction in a format customary in the market on data carriers, whereby the Client bears the shipping risk, or are to be transmitted in encrypted form online to the Client, whereby the Client bears the transmission risk.

10.2 The Contractor shall delete all electronically stored data of the Client which the Client does not wish to be surrendered or for which surrender is not technically possible or, in the case of backups or log files, shall ensure that data processing is restricted until the time of deletion. The Contractor shall confirm the deletion in writing to the Client at the Client’s request.

10.3 Data of the Client which are not stored in electronic form (e.g. data on CDs, paper docu-ments) and which the Client does not wish to be surrendered will be destroyed by the Con-tractor in accordance with data protection regulations.

10.4 The obligation to surrender or delete does not exist if the Contractor is legally obliged to store or otherwise store this data.

10.5 The Client must inform us of the request to delete or surrender the data in writing at the latest by the time of completion. If this does not occur, the Contractor will delete all data of the Client after termination of the contract, as far as there are no legal obligations of the Con-tractor for the storage of this data.

10.6 If the Client wishes his data to be stored beyond the end of the contract, this requires a separate agreement between the parties. The parties will agree on the respective services and commercial implications and will specify them in a corresponding written amendment agreement (if the parties have agreed on an amendment procedure in the Main Contract, this shall apply).

11. Control rights of supervisory authorities or other sovereign supervi-sory authorities of the Client; cooperation with supervisory authori-ties; legal disputes

11.1 Should a data protection supervisory authority or any other sovereign supervisory authority of the Client carry out an inspection of the Contractor, the provisions of Clause 9.2 and Clause 9.4 Sentence 1 of the DP Agreement shall apply mutatis mutandis. In this case, it is not necessary to sign the confidentiality agreement.

11.2 The contracting parties shall inform each other immediately of all official enquiries/rulings and procedures, all measures taken by one of the bodies mentioned in Article 80 GDPR (such as complaints, warnings, assertion of claims) and all threatened or ongoing court pro-ceedings relating to the cooperation regulated in this DP Agreement, shall cooperate closely in connection with these enquiries, orders, measures or procedures and shall make all nec-essary documents and information available to each other. In this context, each party shall be entitled to disclose all information and documents relating to this DP Agreement, including details of data processing, to the supervisory authority responsible for it or to other third parties to the extent required from the party’s point of view.

12. Final Provisions

12.1 If, according to this agreement, the Contractor has to carry out support actions or incur ex-penses which are not attributable to a misconduct of the Contractor (e.g. individual instruc-tions, expenses within the scope of rights of affected parties, audits), these shall be treated as requests for changes in accordance with the provisions of the Main Contract.

12.2 If no deviating agreements have been made in this DP Agreement, the agreements made between the parties in the Main Contract shall apply. Should individual parts of this DP Agreement be invalid, this shall not affect the validity of the remaining DP Agreement.

12.3 Amendments and supplements to this General Insurance Contract and its components must be made in writing (in accordance with eIDAS). This also applies to the waiver of this formal requirement.

12.4 The parties agree on the validity of Swedish law for this DP Agreement to the exclusion of the provisions of international private law. The exclusive place of jurisdiction shall be that of the Main Contract.

13. Appendix

The following Appendices constitute components of this DP Agreement
Appendix Concretization of Processing

Appendix Concretization of Processing

1. Subject matter, Main Contract

This Appendix specifies the modalities of Order Processing in connection with the Main Contract and is integral part of the DP Agreement.
The subject matter of Processing is:

1.1 Vidinet
Vidinet is Vidispine’s cloud-based platform for providing software-as-a-service products to business Cli-ents. Vidinet itself consists of a set of highly sophisticated and scalable software components created and operated by Vidispine AB. These components are running in the Amazon Web Services cloud plat-form, utilizing several AWS services, in or-der to provide a fail-safe, reliable and distributed architecture.
The Vidinet platform provides the Client the ability to buy Vidispine software (such as Vidispine API Server, Vidispine Server Agent and more) as well as third party software (such as AWS Elemental Transcoding, Tektronix QC and more) as fully managed services, in several physical locations (“re-gions”) around the globe. Vidinet contains a self-service portal for the Client to buy and manage all services offered on the Vidinet platform.
The Client is charged on a per-usage basis for Vidinet services, e.g. per day for Vidispine API Server, per processed content minute for Vidispine Transcoder. The Client will once a month receive an invoice for their total Vidinet service usage. The Client can at any given time check their current usage spending in the Vidinet management dash-board, available at www.vidinet.net.

1.2 Vidispine Server
Vidispine Server is an API-based media asset management platform. The feature rich RESTful API allows Clients to focus on application development instead of video technology. Vidispine Server scales from prototype to a global enterprise system.
It’s is metadata-driven, allowing the Client to specify multiple generic and configurable metadata models in the same repository, capturing all information they need on any object in the database. The metadata granularity spans from repository down to objects in a video frame, giving the Client perfect control over all content.
Vidispine Server handles all the complexity of storage for the Client, being completely agnostic to the underlying storage technology. Use local and network storage together with cloud-based storage and third-party (object) storage vendors. The rule-based storage management gives the Client complete control over what goes where for all the storage locations, on item level, with automatically triggered file movements.

1.3 VidiXplore
VidiXplore is a lightweight video content management system in a browser. Leave originals where they are, on-premise or in cloud storage – tag, search, manage and share in the cloud. VidiXplore scales

from a personal tool to a global enterprise system. Keep the originals in where they are, in cloud storages such as Dropbox or AWS S3, on local servers or somebody’s personal computer. It’s also possible to upload directly into VidiXplore and store your originals there. Organize the content using collections, spanning all storage locations. VidiXplore tag collections and items, make timecoded comments, harvest existing metadata when importing assets and add custom metadata schema.

2. Type, purpose and means of Processing

The type and purpose of the processing by the Contractor is to provide the services agreed in the Main Contract, such as maintaining the operational readiness as well as the maintenance and optimization of the installed software and to provide secure IT operation. Therefore the Contractor may create, collect store, compare and delete Personal Data and may have access to software, protocols, log and database files or other stored objects with Personal Data that are required for error analysis or trouble shooting. As part of the administration of authorizations, the Contractor shall record, change or delete authoriza-tion information about individual users on behalf of the Client. The Contractor does not carry out any direct processing of Personal Data, but might have access to personal data within the scope of the commissioned activities and services.

The processing of Personal Data will be done via Contractor (Vidinet), AWS, Microsoft Azure and Google Cloud Platform.

3. Type of Personal Data, categories of data subjects

The Client shall decide exclusively and under its own responsibility which types of Personal Data it will have processed by the Contractor and for which categories of data subjects.
The following types of Personal Data are processed:
First name, last name, Address Data, Personal Master Data, Communication Data, Contract Data, Bill-ing Data, information, Payment Data,.
The personal data transferred concern the following categories of data subjects: Data subjects include the individuals about whom data is provided to Vidispine via the Services.
The following categories of natural persons are affected by this Order Processing:

Clients, interested parties, employees, suppliers, contact persons, subscribers, sales representatives.

4. Contractor’s Person Authorized to Receive Instructions (“Contractor’s Authorized Person”)

The person authorized to receive instructions (role sufficient) on the part of the Contractor is:
Support Manager, CTO, Head of Platform Delivery Head of R&D and COO.

5. Contact for data protection issues arising within the framework of the contract on the part of the Contractor

The contact person for data protection enquiries arising within the framework of the contract on the part of the Contractor can be reached via the e-mail address Datenschutz@arvato-systems.de or by calling +49 5241 80-70785.

6. Engagement of subcontractors

At the time of the conclusion of the contract, the Client gives his consent that the partial services de-scribed below are carried out with the involvement of the following subcontractors:

6.1 AWS Amazon Web Services EMEA SARL, Luxenbourg
Description of the partial performance: Cloud based storage

6.2 Microsoft Azure – Microsoft Corporation, Redmond,USA
Description of the partial performance: Cloud based storage

6.3 Google Cloud Platform – Google LLC, California, USA
Description of the partial performance: Cloud based storage

6.4 Atlassian – Atlassian Corporation Plc, Sydney, Australia
Description of the partial performance: Support, Software development & collaboration.

6.5 Further subcontractors that can be used by the Contractor to provide standard services are listed at www.arvato-systems.com/Subprocessors.

7. Determination of the category of Processing

This Annex is based on the following processing category (multiple answers possible; definitions are given in the TOM):

☐ Data Center Arvato Systems
☐ Business Process Services
☒ Data Center Public Cloud
☒ Application Management & Services
☒ Data Center Customer
☒ Platform Services
☐ Workplace Services
☐ Security Operations Center