Accountable Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the Terms & Conditions (“Agreement”) between the User and Accountable in relation to the Processing of Personal Data and forms an integral part of the Agreement.
For the purposes of the Processing of Personal Data under the Agreement, Accountable acts as the Processor and the User acts as the Controller, to the extent the User determines the purposes and means of Processing of Personal Data of other individuals when uploading, entering, or otherwise providing such data through the Accountable App. In that capacity, the User is responsible for ensuring that it has a lawful basis to process such Personal Data and to provide it to Accountable.
Definitions
- The definition of Personal Data, Special Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Data Subject, Controller and Processor is equivalent to how the terms are used and interpreted in applicable data protection and privacy legislation, including the EU 2016/679 General Data Protection Regulation (“GDPR”).
- All capitalized terms not defined in this Data Processing Agreement will have the meaning set forth in the Terms & Conditions.
Scope
- The DPA regulates the Processor's Processing of Personal Data on behalf of the Controller and outlines how the Processor shall contribute to ensuring privacy on behalf of the Controller and its registered Data Subjects, through technical and organisational measures according to applicable data protection and privacy legislation, including the GDPR.
- The purpose behind the Processor’s Processing of Personal Data on behalf of the Controller is to fulfill the Services under the Agreement.
- This DPA takes precedence over any conflicting provisions regarding the Processing of Personal Data in the Terms & Conditions or in other former agreements or written communication between the Parties.
The Processor’s rights and obligations
- The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s written instructions. By entering into this DPA, the Controller instructs the Processor to process Personal Data in the following manner: i) only in accordance with the applicable law, ii) to fulfill all obligations according to the Agreement, iii) as further specified via the Controller’s ordinary use of the Processor’s Services and iv) as specified in this DPA.
- The Processor has no reason to believe that legislation applicable to it prevents the Processor from fulfilling the instructions mentioned above. The Processor shall, upon becoming aware of it, notify the Controller of instructions or other Processing activities by the Controller which, in the opinion of the Processor, infringe applicable data protection and privacy legislation.
- The categories of Data Subjects and Personal Data subject to Processing according to this DPA are outlined in Appendix A.
- The Processor shall ensure that the confidentiality, integrity and availability of Personal Data are maintained in accordance with the data protection and privacy legislation applicable to the Processor. The Processor shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into account the state of the art and cost of implementation in relation to the risk represented by the Processing, and the nature of the Personal Data to be protected.
- The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable data protection and privacy legislation with regard to requests from Data Subjects, and general data protection compliance under GDPR Articles 32 to 36.
- If the Controller requires information or assistance regarding security measures, documentation or other forms of information regarding how the Processor processes Personal Data, and such requests exceed the standard information provided by the Processor to comply with applicable data protection and privacy legislation, the Processor may charge the Controller for such request for additional services.
- The Processor and its staff shall ensure confidentiality concerning the Personal Data subject to Processing in accordance with the DPA. This provision also applies after the termination of the Agreement.
- The Processor will, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about privacy incidents. Further, the Processor will, to the extent it is appropriate and lawful, notify the Controller of:
  - requests for the disclosure of Personal Data received from a Data Subject; or
  - requests for the disclosure of Personal Data by governmental authorities.
- The Processor shall ensure that persons that have the right to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Processor will not respond directly to requests from Data Subjects unless authorised by the Controller to do so. The Processor will not disclose information tied to this DPA, including Personal Data, to governmental authorities such as the police, except as obligated by law, such as through a court order or similar warrant.
- The Processor does not control if and how the Controller uses third party integrations through the Processor's API or similar, and thus the Processor has no ownership of the risk in this regard. The Controller is solely responsible for third party integrations.
- The Processor might Process Personal Data about Controllers’ use of the Services when it is necessary to obtain feedback and improve the Services. The Controller grants the Processor the right to use and analyze aggregated system activity data associated with the use of the Services for the purposes of optimizing, improving or enhancing the way the Processor provides the Services and to enable the Processor to create new features and functionality in connection with the Services. Accountable shall be considered the Controller for such processing and the processing is therefore not subject to this DPA.
- When using the Services, the Controller may upload or input data into the App (“User Data”). The Controller acknowledges and agrees that the Processor may use User Data in an aggregated and anonymized form provided that such data cannot be used to identify the Controller or any Data Subject, for the limited purposes of improving and developing the Services, conducting analytics, research, training, educational and/or statistical purposes. No Personal Data shall be used for these purposes unless it has been irreversibly anonymised in accordance with applicable data protection and privacy legislation.
The Controller’s rights and obligations
By entering into the DPA, the Controller confirms that:
- it has the lawful basis and authority to collect, process, and disclose the Personal Data to the Processor (and any authorised sub-processors) for the purposes set out in this DPA;
- it has the responsibility for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor;
- it has fulfilled its duties to provide relevant information to Data Subjects and authorities regarding Processing of Personal Data according to mandatory data protection and privacy legislation.
- The Controller shall, when using the Services provided by the Processor under the Agreement, not communicate any Sensitive Personal Data to the Processor, unless this is explicitly agreed in Appendix A to this DPA.
Use of sub-processors and transfer of data
- As part of the delivery of Services, the Processor will make use of sub-processors, and the Controller gives its general authorisation to the use of such sub-processors. A list of pre-approved sub-processors is included in Appendix B. The Processor shall ensure that sub-processors agree to undertake responsibilities corresponding to the obligations set out in this DPA.
- Where a sub-processor is located outside the EU/EEA, the Controller authorises the Processor to transfer Personal Data to such sub-processor, provided that the Processor ensures that a valid transfer mechanism under Chapter V of the GDPR is in place. This includes the use of EU Standard Contractual Clauses, an adequacy decision, or any other lawful transfer safeguard adopted or approved by the European Commission.
- The Controller shall be notified in advance of any changes of sub-processors that Process Personal Data. If the Controller objects to a new sub-processor within 30 days after a notification is given, the Processor and Controller shall review the documentation of the sub-processor's compliance efforts in order to ensure fulfillment of applicable privacy legislation. If, after this review, the Controller still has reasonable grounds to object, and the nature of the Services does not allow the Processor to offer the Services without the use of the proposed sub-processor, the Controller may terminate the portion of the Agreement affected by the use of such sub-processor.
Security
- The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures shall include, as applicable, measures to protect the confidentiality, integrity, availability and resilience of Processing systems and services, and shall be regularly tested, assessed and updated.
- The Controller shall be responsible for the appropriate and adequate security of the equipment and the IT environment under its responsibility.
Personal data breaches
- In the event of a Personal Data Breach and irrespective of its cause, the Processor shall notify the Controller without undue delay, providing the Controller with sufficient information and within a timescale which allows the Controller to meet any obligations to report a Personal Data Breach under the applicable data protection and privacy legislation. Such notification shall as a minimum specify:
- the nature of the Personal Data Breach;
- the nature or type of Personal Data implicated in the Personal Data Breach, as well as the categories and numbers of Data Subjects concerned;
- the likely consequences of the Personal Data Breach;
- as the case may be, the remedial actions taken or proposed to be taken to mitigate the effects and minimize any damage resulting from the Personal Data Breach;
- the identity and contact details of the Data Protection Officer or another contact person from whom more information can be obtained.
- The Processor shall without undue delay further investigate the Personal Data Breach and shall keep the Controller informed of the progress of the investigation and take reasonable steps to further minimize the impact. Both Parties agree to fully cooperate with such investigation and to assist each other in complying with any notification requirements and procedures.
- A “Personal Data Breach” means an effective unauthorized disclosure of, or actual access to, Personal Data that is uploaded by the Controller for the Services of the Data Processor, or a breach of the Data Processor’s systems that the Data Processor determines is reasonably likely to result in such disclosure or access, which is caused by failure of the Data Processor’s security measures. This however excludes any unauthorized disclosure or access caused by the Controller, including, but not limited to, the Controller’s failure to adequately secure equipment or accounts.
- An unsuccessful Personal Data Breach does not fall under the scope of this clause 8. An unsuccessful Personal Data Breach is defined as not resulting in any actual unauthorized access to Personal Data of the Controller or to any actual unauthorized access to any of the Data Processor’s equipment or facilities storing Personal Data of the Controller, and may include, without limitation, unsuccessful log-on attempts, port scans, DoS attacks (denial of service attacks), pings and other broadcast attacks on firewalls or edge servers, or other unauthorized access to traffic data that does not result in access beyond headers, or similar incidents.
Audit rights
- The Controller may audit the Processor’s compliance with this DPA up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit a detailed audit plan at least four weeks in advance of the proposed audit date to the Processor, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must, as a main rule, be mutually agreed between the Parties. However, if the processing environment is a multitenant environment or similar, the Controller gives the Processor authority to decide, due to security reasons, that audits shall be performed by a neutral third-party auditor of the Processor’s choosing.
- If the requested audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior twelve months, and the Processor confirms that there are no known material changes in the measures audited, the Controller agrees to accept those findings instead of requesting a new audit of the measures covered by the report.
- In any case, audits must be conducted during regular business hours at the applicable facility, subject to the Processor's policies, and may not unreasonably interfere with the Processor's business activities.
- The Controller shall be responsible for any costs arising from the Controller’s requested audits. Requests for assistance from the Processor may be subject to fees.
Term and termination
- This DPA takes effect upon acceptance of the Terms & Conditions and remains in force for as long as the Processor Processes Personal Data on behalf of the Controller.
- Upon termination of this DPA, the Processor shall, at the choice of the Controller, either delete or return all Personal Data processed on behalf of the Controller and shall delete any existing copies unless EU or national law requires storage of the Personal Data. The Processor shall carry out such deletion or return within a reasonable period after termination.
- Standard deletion of Personal Data shall be provided at no additional cost. If the Controller requests a non-standard return of Personal Data (including specific formatting, extraction, or secure transfer methods beyond the Processor’s standard export functionality), the Processor may charge reasonable fees based on the time and resources required, provided such fees are agreed in advance in writing.
Liability
- Each Party will indemnify the other Party against any and all losses, damages, costs, expenses and other liabilities incurred by or awarded against the latter in connection with any claim or action brought by any Data Subject, any third party or any supervisory authority resulting from and attributable to the former and with regard to the Processor also to its sub-processors, it being understood that the indemnity obligations of the Parties will be capped to the amount agreed upon in the Terms & Conditions (the “Liability Cap”).
- For the avoidance of doubt, Parties agree that the Liability Cap shall only be applicable to the contractual relationship between the Parties under the Agreement and that such Liability Cap shall in no event limit a Party’s liability towards a Data Subject or the supervisory authority. In respect of the foregoing, the Data Subject or the supervisory authority shall at all times be entitled to receive full compensation for any material or non-material damages suffered by the latter resulting from a breach by the Controller or the Processor of this DPA or of any applicable data protection and privacy legislation.
Miscellaneous
- If there is new guidance or a change in the data protection and privacy legislation or case law that renders all or part of the Services illegal, the Processor may terminate the Agreement unless the Parties reach agreement to change the Services whereby the Services are no longer illegal.
- If a provision of this DPA is proven to be invalid or unenforceable in whole or in part, it will be regarded as severable (insofar as it is invalid or unenforceable) and the validity of the other provisions of this DPA and the remainder of the provisions in question will remain unaffected. If the invalid provision is of fundamental importance for achieving the goal of this DPA, the Parties shall negotiate in good faith to remedy the invalidity, illegality or unenforceability of the provision or otherwise change this DPA to achieve its purpose.
Governing law and legal venue
- This DPA is subject to the governing law and legal venue as set out in the Agreement.
Appendix A: Data subjects, Types of personal data, Purpose, Nature, Duration
A.1 Categories of Data Subjects
Customer-Affiliated Individuals: Individuals whose Personal Data is entered into the App by Users for the User’s tax management and compliance purposes.
- Examples: a self-employed person, an accountant
- Source: entered by Users into structured fields or unstructured documents.
A.2 Categories of Personal Data
- contact information such as name, phone, address, email, etc.
- details of invoices, receipts, bank transactions & other accounting documents, etc.
- contracts & letters from tax authorities, etc.
A.3 Special categories of Personal Data (Sensitive Personal Data)
In some specific cases, depending on the situation and data entry from the Controller, the Processor may be led to process Sensitive Personal Data:
| The Processor shall, on behalf of the Controller, process information regarding: | Yes | No |
|---|---|---|
| racial or ethnic origin, or political, philosophical or religious beliefs | | x |
| health information (e.g. possibly part of or complete name of patient) | x | |
| sexual orientation | | x |
| trade union membership (e.g. invoice from such organization) | x | |
| genetic or biometric data | | x |
A.4 Purpose of the processing
The purpose of the Processor’s processing of personal data on behalf of the Controller is delivering the Services in accordance with the terms of the Agreement.
A.5 Nature of the processing
The Processor’s processing of personal data on behalf of the Controller shall mainly pertain to (the nature of the processing): storing/hosting, registering, testing, changing/editing, reporting, sending, anonymizing, aggregating, deleting, archiving, etc.
A.6 Duration of the processing
Personal data will be processed for as long as the Agreement remains in effect.
Appendix B: Overview of sub-processors
The sub-processors of the Processor with access to the Controller’s Personal Data upon signing this Agreement can be found in the Privacy Policy.