Data Processing Agreement
This Data Processing Agreement (“Agreement”) is made effective as of [Insert Date] (“Effective Date”) by and between:
Nexwinds Solutions Lda, with its principal place of business at Rua Engenheiro João Tallone, n.º 80, 4470-516 Maia, Porto, Portugal (“Data Processor” or “Nexwinds”),
AND
[Insert Client Name], with its principal place of business at [Insert Client Address] (“Data Controller” or “Client”).
1. Definitions
For the purpose of this Agreement, the following definitions shall apply:
- “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”).
- “Processing”: Any operation or set of operations which is performed on Personal Data, such as collection, storage, use, or deletion.
- “Controller”: The entity that determines the purposes and means of processing Personal Data.
- “Processor”: The entity that processes Personal Data on behalf of the Controller.
- “Subprocessor”: Any third party appointed by the Processor who processes Personal Data on behalf of the Controller.
- “Data Subject”: An individual whose Personal Data is processed.
2. Subject Matter and Scope of Processing
2.1 Purpose of Processing: Nexwinds, as the Data Processor, will process Personal Data on behalf of the Data Controller in accordance with the terms of this Agreement. The scope of processing includes the provision of services related to [Specify Services such as Website Development, Marketing, Software Development, etc.] and is necessary for the fulfillment of the business relationship between Nexwinds and the Client.
2.2 Type of Personal Data Processed: The types of Personal Data processed under this Agreement may include, but are not limited to, names, email addresses, phone numbers, billing information, IP addresses, and any other data necessary for the performance of services.
2.3 Categories of Data Subjects: The Personal Data processed may relate to employees, customers, and/or end-users of the Data Controller.
2.4 Duration of Processing: The duration of the processing shall be determined by the duration of the relationship between the Data Processor and the Data Controller, as per the scope of the services provided. The Data Processor shall process Personal Data only for as long as necessary to fulfill the terms of this Agreement or as required by law.
3. Obligations of the Data Processor
3.1 Compliance with Data Protection Laws: Nexwinds will process Personal Data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and any applicable national data protection laws.
3.2 Data Security: Nexwinds will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data.
3.3 Use of Subprocessors: Nexwinds may engage Subprocessors to perform specific processing tasks on its behalf. Nexwinds will inform the Data Controller of any Subprocessors it intends to use and shall obtain the Data Controller’s prior written consent for any such Subprocessors. Any Subprocessor will be bound by the same data protection obligations as those imposed on Nexwinds under this Agreement.
3.4 Assisting the Data Controller: Nexwinds will assist the Data Controller in ensuring compliance with its obligations under the GDPR, including assisting with Data Subject rights (e.g., access, correction, erasure, and objection to processing), data impact assessments, and notifications of data breaches.
3.5 Data Breach Notification: Nexwinds shall promptly inform the Data Controller of any data breaches that may affect the Personal Data processed on behalf of the Controller. In such cases, Nexwinds will provide all necessary information to the Data Controller to meet any legal obligations regarding breach notifications under the GDPR.
3.6 Access Requests: Nexwinds will assist the Data Controller in responding to Data Subject access requests in accordance with applicable law.
3.7 Data Return or Deletion: Upon termination of this Agreement or upon the Data Controller’s request, Nexwinds will, at the choice of the Data Controller, either return or delete all Personal Data processed on behalf of the Data Controller, except where retention is required by law.
4. Obligations of the Data Controller
4.1 Lawful Basis for Processing: The Data Controller warrants that it has the necessary lawful basis to process Personal Data under the GDPR, including obtaining consent from Data Subjects where required.
4.2 Data Subject Rights: The Data Controller is responsible for responding to requests made by Data Subjects under their data protection rights, such as the right to access, correct, or erase their Personal Data.
4.3 Instructions to Processor: The Data Controller shall provide clear and documented instructions to Nexwinds regarding the processing of Personal Data. These instructions may be given in writing, by email, or by other agreed means.
4.4 Notification of Data Breaches: The Data Controller is responsible for notifying the relevant authorities and Data Subjects in the event of a Personal Data breach involving data under their control.
5. Subprocessors
5.1 Approval of Subprocessors: The Data Controller acknowledges and agrees that Nexwinds may use Subprocessors for the performance of certain services. Nexwinds shall inform the Data Controller of any new Subprocessor engaged and provide the opportunity for the Data Controller to object.
5.2 Liability of Subprocessors: Nexwinds shall remain fully responsible for ensuring that any Subprocessor complies with the obligations of this Agreement and the GDPR.
6. Audit and Inspection Rights
6.1 The Data Controller has the right to audit Nexwinds’ compliance with this Agreement and data protection obligations, provided that such audits are reasonable and conducted in a manner that does not unduly interfere with the operations of Nexwinds.
6.2 Nexwinds agrees to cooperate with the Data Controller during any audits or inspections carried out in connection with this Agreement.
7. International Transfers
7.1 Transfers Outside the EEA: If Personal Data is transferred outside the European Economic Area (EEA), Nexwinds shall ensure that adequate safeguards are in place, such as the use of Standard Contractual Clauses or reliance on an adequacy decision issued by the European Commission.
8. Term and Termination
8.1 Term: This Agreement will remain in effect as long as Nexwinds processes Personal Data on behalf of the Data Controller.
8.2 Termination: Either party may terminate this Agreement upon written notice if the other party breaches any material provision of this Agreement and fails to cure such breach within thirty (30) days of receiving written notice.
8.3 Effect of Termination: Upon termination of this Agreement, Nexwinds shall return or delete all Personal Data in accordance with Clause 3.7. If return or deletion is not possible, Nexwinds shall ensure the security of the data for as long as it is retained.
9. Liability
9.1 Liability: Each party will be liable for any damages arising from a breach of this Agreement or the GDPR. Nexwinds’ liability for any claim arising out of or in connection with the processing of Personal Data will be limited to the fees paid by the Data Controller for the relevant services provided under this Agreement.
10. Miscellaneous
10.1 Governing Law: This Agreement will be governed by the laws of Portugal.
10.2 Entire Agreement: This Agreement, together with any related agreements, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements or understandings.
IN WITNESS WHEREOF, the parties have caused this Data Processing Agreement to be executed by their respective authorized representatives as of the Effective Date.
Data Controller:
Signature: ___________________________
Name: _______________________________
Title: ________________________________
Date: ________________________________
Data Processor (Nexwinds Solutions Lda):
Signature: ___________________________
Name: _______________________________
Title: ________________________________
Date: ________________________________