Introduction

This Data Processing Agreement including its Exhibits (the “DPA”) details the parties’ obligations on the protection of Personal Data associated with Our Processing of Your Personal Data within the scope of the applicable Order or any agreement between You And Acssel IPL for providing Services (hereinafter, the “Agreement”).

1.Processing of Personal Data

1. With regard to the Processing of Personal Data, You are the controller and determine the purposes and means of Processing of Personal Data You provide to Us (“Controller”) and You appoint Us as a processor (“Processor”) to process such Personal Data (hereinafter, “Data”) on Your behalf (hereinafter, “Processing”).
2. The details of the type and purpose of Processing are defined in the Exhibits attached hereto. Except where the DPA stipulates obligations beyond the Term of the Agreement, the duration of this DPA shall be the same as the Agreement Term or subscription period.
3. You shall be solely responsible for compliance with Your obligations under the applicable Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Us by upload of source data into the Cloud Service or otherwise.
4. Processing shall include all activities detailed in this Agreement and the instructions issued by You. You may, in writing, modify, amend, or replace such instructions by issuing such further instructions to the point of contact designated by Us. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes. You shall, without undue delay, confirm in writing any instruction issued orally. Where We believe that an instruction would be in breach of applicable law, We shall notify You of such belief without undue delay. We shall be entitled to suspend performance on such instruction until You confirm or modify such instruction.
5. We shall ensure that all personnel involved in Processing of Customer Data and other such persons as may be involved in Processing shall only do so within the scope of the instructions. We shall ensure that any person Processing Customer Data is subject to confidentiality obligations similar to the confidentiality terms of the Agreement. All such confidentiality obligations shall survive the termination or expiration of such Processing.

2. Data Security

1. We shall implement technical and organizational measures and safeguards that ensure the adequate protection of Customer Data, confidentiality, integrity, availability and resilience of processing systems and services and shall implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing. It shall be Your responsibility to familiarize Yourself with these measures and to assess whether they ensure a level of security appropriate to the risk.
2. We reserve the right to modify the measures and safeguards implemented, provided, however, that the level of security shall not materially decrease during a Subscription Term.

3. Our Obligations

1. We shall notify You without undue delay after We become aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, stored or otherwise processed by Us or Our sub-processors (“Security Incident”).
2. We shall use best efforts to identify the cause of such Security Incident and take the measures We deem necessary and within Our control for remediating and securing Customer Data; We shall coordinate such efforts with You without undue delay. We shall correct or erase Customer Data if instructed by You and where covered by the scope of the instructions permissible. Where an erasure, consistent with data protection requirements, or a corresponding restriction of Processing is impossible, We shall, based on Your instructions, and unless agreed upon differently in the Agreement, destroy, in compliance with data protection requirements, all data or return the same to You.
3. In specific cases designated by You, such Customer Data shall be stored or handed over. The associated cost for doing so and protective measures to put in place shall be agreed upon separately, unless already agreed upon in the Agreement. We shall, upon termination of Processing and upon Your instruction, return all Customer Data, carrier media and other materials to You or delete the same.
4. Where a data subject asserts any claims against You in accordance with mistake you do, We shall, where possible, support You in defending against such claims, at Your cost.

4. Your Obligations

1. You shall notify Us without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by You in the results of Our work.
2. Where a data subject asserts any claims against Us in accordance with problems from our part, You shall, where possible, support Us in defending against such claims, at Our cost.
3. You shall notify Our point of contact listed in here for any issues related to data protection arising out of or in connection with the Agreement.

5. Data Subjects Rights

1. Where a data subject asserts claims for rectification, erasure or access to Us, and where We are able to correlate the data subject to You, based on the information provided by the data subject, We shall refer such data subject to You without undue delay. We shall support You, where possible, and based upon Your instruction insofar as agreed upon. We shall not be liable in cases where You fail to respond to the data subject’s request completely, correctly, or in a timely manner. Notwithstanding the foregoing, if Your employee submits a data subject request in relation to Online Training Cloud, You agree that we can fulfil such request without Your further approval.
2. We shall support You, in so far as is agreed upon by the parties, and where possible for Us, in fulfilling data subjects’ requests and claims.
   i. We shall document and, upon request, provide such documentation of Our compliance with the obligations agreed upon in this DPA by appropriate measures.
   ii. If You require an audit of our compliance under this DPA, such audits and inspections will be conducted upon 30 days prior written notice, at most once per calendar year, during regular business hours, without interfering with Our operations, and subject to the execution of a confidentiality agreement. We shall be entitled to reject auditors that are competitors of Ours. You hereby consent to the appointment of an independent external auditor by Us, provided that We provide a copy of the audit report to You.
   iii. Where a data protection or other applicable supervisory authority conducts an audit, para. 2 above shall apply mutatis mutandis. The execution of a confidentiality agreement shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.

7. Sub-processing

1. We shall not sub-process any of Our obligations under this Agreement except as set forth in this DPA.
2. You here by consent to Our use of the sub-processors listed in this DPA in connection with the performance of the Agreement. We shall, prior to the use of further sub-processors, obtain Your prior approval, such approval not to be withheld except for important reasons related to compliance with Data Protection Laws. In such case, We or the respective sub- processor will enter into a written agreement with each sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such sub-processor.
3. We shall conclude, with such sub-processors, contractual terms necessary to ensure an appropriate level of data protection and information security and in compliance with all Data Protection Laws.
4. We will be liable for the acts and omissions of Our sub-processors to the same extent We would be liable if we were performing the Services for each sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.

7. Sub-processing

1. Where Customer Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Our control, We shall notify You of such action without undue delay. We shall, without undue delay, notify all pertinent parties in such action, that any Customer Data affected thereby is Your sole property and area of responsibility, that Customer Data is at Your sole disposition, and that You are the responsible body under the GDPR.
2. No modification of this DPA, including but not limited to, Our representations and obligations, if any, shall be valid and binding unless made in writing, and only if such modification expressly states that such modification applies to the terms of this DPA. The foregoing shall also apply to any waiver or change of this mandatory written form.
3. In case of any conflict, the terms of this DPA shall take precedence over the terms of the Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected.

9. Software Subscription Agreement

This DPA is subject to the laws of the Member State in which the Controller is established, and for all other cases subject to the laws applicable pursuant to the Agreement and the parties submit to the exclusive jurisdiction of those courts for any disputes arising out of or in connection with this DPA. The Limitation of Liability Section of the Terms shall apply except as explicitly agreed otherwise in this DPA.