Data Processing Annex
Effective starting: May 25th, 2018
1.1. This data processing annex (hereinafter the “DPA”) is an integral part of the service or subscription agreement (the “Agreement”) signed between the Customer and dRofus AS and/or its Subsidiary/Subsidiaries (dRofus AS and the Subsidiaries are referred to as "dRofus"). dRofus and the Customer is referred to as the “Parties”.
1.2. This DPA defines the data protection and data security of the personal data of the Customer that is processed by dRofus as required by the General Data Protection Regulation of the European Union (“GDPR”).
1.3. This DPA shall not be applied if the Parties have signed a separate data processing agreement.
1.4. In case of any discrepancy between this DPA, the Terms and the Agreement or any other appendices, the documents shall prevail in the following order: (i) this DPA, (ii) the Agreement and (iii) the Terms.
2 General Rights and Obligations
2.1. The terms “controller”, “processor”, “processing”, “personal data” and “personal data breach” shall be understood as defined in the applicable data protection legislation, including without limitation in the GDPR. The parties acknowledge and agreee that with regard to the Processing of the Personal Data under this Annex, the Customer is the controller and dRofus is the Processor.
2.2. To the extent the Customer Data contains personal data, the Customer shall act as a data controller under the applicable data protection laws and regulations. As the controller, the Customer shall acquire all permits, consents, and authorizations necessary for the Services; provide necessary information to the data subjects, notifications to the relevant authorities; and draft and maintain a record of processing activities under its responsibility. The Customer shall ensure that the personal data it provides to dRofus is accurate and correct.
2.3. As the processor, dRofus is entitled to process the Customer’s personal data only in compliance with this DPA, the Agreement, the Terms and the Customer’s reasonable written instructions and applicable laws and only as is necessary to provide the Services. dRofus maintains a service description or other record of all categories of processing activities carried out on behalf of the Customer as required by the GDPR. If the Customer’s written instructions regarding the processing of personal data increase the costs of dRofus, dRofus is entitled to charge Customer for this in accordance with its then current serice price.
2.4. dRofus shall immediately inform the Customer if, in its opinion, the Customer’s instruction is against applicable data protection laws.
2.5. The customer are in full control of all data that it submits to dRofus. And will be able to delete and or export all imported data. If customer needs assistance with this normal service fee from the dRofus support team will apply.
3 Confidentiality and Data Security
3.1. dRofus shall ensure that all persons authorised to process personal data are bound by a confidentiality obligation.
3.2. To ensure data security dRofus shall (in compliance with article 32a of the GDPR) taking into account the risks, maintain and implement appropriate technical and organizational measures as described in dRofus Data privacy description, as amended from time-to-time by dRofus, in line with prevalent industry practices as well as other data security measures agreed in writing with the Customer.
4 Other Obligations of dRofus Related to Personal Data of Customer
4.1. dRofus shall promptly forward to the Customer any request from a data subject relating to, for example, data subject’s rights to access, modify, correct, delete, or block his or her personal data, as well as any complaint about the Customer’s processing of personal data.
4.2. If permitted by applicable laws, dRofus shall direct all inquiries from data protection or other authorities to the Customer.
4.3. dRofus shall without undue delay notify the Customer if it becomes aware of any personal data breach.
4.4. dRofus shall at the Customer’s written request and at the Customer’s cost assist the Customer in complying with the Customer’s obligations under applicable data protection or privacy laws and regulations.
5 Use of Subcontractors Related to Processing of Personal Data
5.1. dRofus may engage Subcontractors i.e. sub-Processor(s) for the purpose of the Processing. The Subcontractors provide e.g. services for customer and technical support, contract management or other services needed to provide dRofus to the customer and Process the Personal Data on dRofus behalf for the purpose of providing the Services. A dRofus entity has entered into data processing agreement(s) with the Subcontractors, or the Processing by the Subcontractors can be based on dRofus legitimate interest where applicable under the Laws. The Subcontractors may use also their affiliates and/or subcontractors in the Processing of the Personal Data.
5.2. The customer may request to get an updated list of subcontractors from dRofus
5.3. dRofus shall use appropriate mechanisms to ensure the adequate level of data protection, such as the Privacy Shield certification in case of transfers to US or EU standard contractual clauses.
6 Audits Related to Processing of Personal Data
6.1. dRofus shall on request, make available to the Customer information necessary to demonstrate compliance with the obligations laid down in the Laws and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer to audit dRofus compliance with this Annex. dRofus shall inform the Customer if, in its opinion, the Customer’s instruction infringes the Laws. The Customer shall notify dRofus of the audit in writing at least thirty (30) days in advance. The auditor may not be a competitor of dRofus or other company in Nemetschek group of companies. The information regarding dRofus operations learnt during the audits are dRofus trade secrets. The Customer is liable for the auditor’s compliance with the terms of the Agreement.
6.2. If based on the Laws or any other applicable legislation, regulations or decisions of authorities or the Customer’s instructions, dRofus is at any time instructed or required to assist the Customer in performing the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights or is otherwise required to perform any other tasks or activities relating to the Personal Data or the Processing that are not dRofus Service duties, the Customer shall pay to dRofus a separate price for such tasks or activities on a time and material basis in accordance with dRofus service price list in force from time to time These tasks or activities can be e.g. providing information to a Data Subject on the Personal Data possessed by dRofus, or removing or transferring Personal Data or responding or reporting to data protection authorities or allowing audits or inspections.
7 Transfer of personal data to third countries
7.1. dRofus and the Subcontractors might transfer the Personal Data to countries outside the European Economic Area (EEA) and European Union (EU) (“Third Country”) for the purposes set out in this Annex.
7.2. The legal basis for the transfer of the Personal Data to Third Countries is dRofus or the Subcontractors’ Binding Corporate Rules, European Commission’s Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries (“Standard Contractual Clauses”), the EU-U.S. Privacy Shield Framework, alternative data export mechanisms for the lawful transfer of Personal Data (as recognized under EU data protection laws) or other legal basis.
7.3. Also, the Customer or a user of the Customer might use dRofus software or Services in Third Countries or the Customer or a user might contact dRofus in Service matters from locations in Third Countries. In such situations, it is deemed that the Customer has consented to the transfer of the relevant Personal Data to Third Countries.
8 LIABILITY FOR DAMAGES
8.1. Without limiting the validity of limitations of liability or disclaimer of warranties in the Agreement, dRofus shall have no liability for any indirect, incidental, consequential, special or exemplary damages, such as loss of profit, revenue or goodwill, business interruption, or punitive damages, cost of cover purchase or loss of data or for damages payable to third parties, even if dRofus has been advised of the possibility of such damages.
8.2. Without limiting the validity of limitations of liability or disclaimer of warranties in the Agreement, in no event shall dRofus aggregate maximum liability (including but not limited to price refunds and/or price discounts) arising out of or related to the Agreement and the Annex for any and all causes of action occurred during any calendar year exceed the amount of the net prices (without VAT or other taxes or duties) paid by the Customer to dRofus during the said calendar year.
8.3. dRofus shall not be liable for any failures or damages caused by (i) the non-performance or delay by the Customer or (ii) the inaccuracy, incorrectness or illegality of the Personal Data, materials, information, data or instructions provided by the Customer to dRofus or its sub-Processor.