Data Processing Agreement
Last Updated: Jan 25, 2021
This Data Processing Agreement ("DPA") is valid from the date Myphoner's Corporate Client starts using the service, hence having accepted and agreed with both the Terms of Service as also the terms of this "DPA", that acts as an addendum to those.
The scope of this "DPA" is therefore the Service described in those Terms of Service between:
Each Myphoner Corporate Client, hereinafter called "the Controller"
Myphoner AS, established at Stationsvej 1 DK-3390 Hundested, Denmark (hereinafter called "the Processor") while both also referred to as the "Parties".
The Processor enables a platform that allows users defined by the Controller (staff members) to communicate via VOIP; book meetings; record meeting conversations; exchange text messages with prospective customers, therefore reaching out to those natural persons who may become customers (prospects) or are already customers of the Controller.
This DPA, including its Annexes, bears the objective of defining and documenting a mutual commitment (by the "Parties") towards the assurance of secure and confidential Processing activities with regards to Personal Data pertaining to 3rd party natural persons (Data Subjects) who are either staff members; prospects or customers, in full compliance with the European Union Regulation 2016/679, General Data Protection Regulation (the "GDPR") plus other applicable Personal Data Protection Legislation, namely yet not limited), as per specific marketplace and country: CCPA (California U.S.); POPIA (South Africa); LGPD (Brazil); PDPA (Singapore).
Since the GDPR is, at present date, the most comprehensive piece of Personal Data Protection legislation enforceable on the globe and its ruling does not collide with the ruling of other existing Personal Data Protection legislation; by continuing to using the Myphoner platform the "Controller" (as also does so the "Processor"), understands and is acknowledging to have entered into this mutual commitment to the extent required under the "GDPR" by itself as well as in the name and on behalf of their "Authorized Affiliates"/ "Partner" companies towards which each party resorts as an enabler of/ contributor to the enablement of contracted "Personal Data Treatment" services between the "Parties" (inclusively as sub-Processors).
Both "Parties" agree therefore that "GDPR" is the "Personal Data" Protection Regulation which primarily determines the entire herein described contractual scope and inherent obligations since it bears, at present date, the most comprehensive and demanding set of rules and requirements towards the insurance of "Personal Data" Privacy, Security, and Confidentiality.
Both "Parties" agree that this DPA ruling overrules the content of existing agreement laid out by the "Terms of Service" that are published on Myphoner website, where applicable and in case of a dispute.
"Affiliate" means any entity that directly or indirectly controls, is controlled by or is under common control with each Party. Whereas "Control ," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
"Agreement" means the existing "Services" contract between the "Parties" that rules the scope and purpose of mutual as well as each "Party" "Personal Data Treatment".
"Authorized Affiliate" means any of "Party'" "Affiliate(s)" which (a) is subject to the "GDPR", and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the "Agreement" between the "Parties" regardless of having or not signed its own DPA with one of the "Parties".
"Controller" means the "Party" which determines the "Personal Data" that is forward to the other "Party" under the "Services" scope, as well as the inherent "Personal Data Treatment" purposes, processes and/ or workflows which must be observed by the other "Party" within the mutual relationship.
"Data Protection Officer"/ "DPO" means the natural person within a company/ organization (herein ahead referred to simply as "organization") who bear the responsibility of ensuring corporate compliance towards "GDPR" (as per defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with "GDPR" rules, guidelines and requirements.
"Data Subject" means the identified or identifiable natural person to whom "Personal Data" relates. Both Parties understand that the "Data Subject" is the sole owner of "Personal Data" which pertains to him/ her.
"Data Subjects' Rights" means the rights established towards the Data Subjects under the "GDPR" plus where applicable, the CCPA; POPIA and LGPD depending on the country of residence of the Data Subject.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the "Personal Data Treatment" and on the free movement of such data, while
Repealing and replacing the Directive 95/46/EC from May 25th, 2018 onwards.
"GDPR Training" means the mandatory necessary endeavor which the "Parties" must undertake to ensure in a documented manner and as per "GDPR" requirements that their staff who performs "Personal Data Treatment" activities is fully aware of "GDPR" rules and guidelines.
"IT Landscape" means the set of IT assets and services of and at the disposal of each "Party" that enables their "Personal Data Treatment" operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.
"Lawful Basis" means the enlisted lawful grounds that an organization has to entice "Personal Data Treatment" activities under "GDPR", namely (but not limited to) having documented: the "Data Subject'" Explicit Consent towards "Personal Data Treatment" activities; the organization Legitimate Interest in proceeding with "Personal Data Treatment" activities; accessory legal obligations that the organization must observe and which entitled it to proceed with "Personal Data Treatment" activities within the limits of such ruling and inherent obligations; other as per defined under "GDPR".
"Operational Landscape" means the set of Corporate Operational Policies, Processes, Procedures, Workflows, permissions given to staff over the access to "Personal Data", 3rd party contracts under the scope of Corporate Core Business and related to "Personal Data Treatment".
"Partner" means any 3rd party entity towards which each "Party" may resort in order to ensure "Personal Data Treatment" under a "Lawful Basis" (as established by "GDPR") and within the scope of agreed "Services".
"Party" means the companies that sign this DPA.
"Personal Data" means any data which by itself or when cross-referenced with other data enables one to univocally identify one given natural person, the "Data Subject".
"Personal Data Treatment" means any operation or set of operations which is performed on "Personal Data", whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).
"Personal Data Breach" means any "event" or "incident" (as per ITIL definition) which enables theaccidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to "Personal Data".
"Processor" means the entity which proceeds with authorized "Personal Data Treatment" (under this DPA and the "Agreement") on behalf of the "Controller".
"Services" means the scope of "Personal Data Treatment" activities ruled under the "Agreement" between the "Parties".
"Standard Contractual Clauses" means the clauses defined under the existing "Agreement" ratified by the "Parties".
"Sub-processor" means any "Processor" engaged by any of the "Parties" which performs complimentary "Personal Data Treatment" within the scope of the "Services".
"Supervisory Authority" means an independent public authority that is established by an EU Member State pursuant to the "GDPR" which acts as the responsible public entity for auditing and enforcing local "GDPR" compliance.
2. PERSONAL DATA TREATMENT
a. "Personal Data Treatment"
The "Parties" commit to proceed with "Personal Data Treatment" activities in full compliance with the requirements of the "GDPR" including (but not limited to) having a defined and documented "Lawful Basis"; bearing each the sole responsibility for maintaining "Personal Data" in their possession Accurate, Secure and Confidential during "Personal Data Treatment" operations and observing defined retention periods.
The lawful basis for "Personal Data Treatment" under the scope of contracted services from the side of the Processor is a Contractual Obligation that derives from Controller's hired services via the existing Services Contract (the "Agreement"), and the Controller commits to having a documented Lawfull Basis for processing such Personal Data that allows it to share the Personal Data with the Processor.
The Processor commits not to undergo any Personal Data Processing activities which exceed or are not within the scope of contracted services under the components of Personal Data, namely:
Hosting and retention period that exceed the lifecycle of contracted services;
Access to Personal Data under the scope of contracted services by individuals or entities that do not play an active and relevant role in the fulfillment/ delivery of such services;
Processing activities that exceed what is mandatory to enable the contracted services;
Sharing Personal Data under the scope of contracted services with unauthorized 3rd parties, meaning entities or individuals who are not relevant or required to enable the contract services fulfillment and delivery;
b. "Personal Data Treatment" Details
Each "Party" bears the exclusive responsibility of ensuring "Personal Data Treatment" full compliance with the subject matter towards their "Partners" (Processors/ Sub-Processors) either by establishing similar DPAs with those or any other similar contractual terms.
Please refer to this document' Annex 1 for a detailed description of "Personal Data Treatment" activities under the scope of this Agreement and the Service Contract in place.
3. "DATA SUBJECTS'" RIGHTS
Both "Parties" commit to promptly inform each other (within 3 calendar days) upon the event of having "Data Subjects" exercising their rights towards them as per defined under the "GDPR" that may affect the other party in the sense that action from it is required.
If and when feedback from or towards the other "Party" is required to address/ answer such "Data Subjects'" Rights request, both "Parties" hereby commit to ensuring full cooperation and making available required internal or "Partner" resources while bearing no cost towards the other "Party".
4. PARTIES' STAFF
The "Parties" will ensure to have established towards their staff, who are involved in "Personal Data Treatment", proper written confidentiality agreements (e.g. a work contract addendum under "GDPR").
b. Limitation of Access
The "Parties" shall ensure that their staff' access to "Personal Data" is limited to those personnel performing relevant/ required internal operational tasks which contribute towards the execution of agreed "Services" and/ or which are done so under a "Lawful Basis" towards the "Data Subject", further having set in place the appropriate access permissions that exclusively allow each staff member to access "Personal Data" which is relevant under the scope of their individual contribution towards those "Services".
c. "Data Protection Officer"
Both "Parties" commit to having appointed a capable "Data Protection Officer", meaning having both provided proper training as well as corporate status awareness to that natural person as per defined under "GDPR".
d. "GDPR Training"
Both "Parties" commit to ensuring that their staff, who are involved in "Personal Data Treatment", are trained on GDPR and properly informed about the requirements posed by "GDPR", having documented the degree of acquired knowledge and awareness by their staff towards "GDPR" via an individual test.
a. Appointment of "Sub-processors"
The Parties agree that both may resort to "Partners" that enable the provision of agreed "Services" towards the "Data Subject", hence entities that will proceed with "Personal Data Treatment" activities on behalf of that "Party" and are, therefore "Sub-processors" within this scope.
Both "Parties" commit to either have by themselves or having their "Affiliates" entered into a written agreement with each "Partner" that acts as "Sub-processor" containing data protection obligations not less protective than those in this DPA with respect to the protection of "Personal Data" to the extent applicable to the nature of the "Services" provided by such "Sub-processor".
b. List of Current "Sub-processors" and Notification of New "Sub-processors"
The "Parties" will make mutually available their current list of "Sub-processors" for the "Services" jointly provided towards "Data Subjects" which involve their "Personal Data Treatment".
Such "Sub-processor" lists shall include the identities of those "Sub-processors" and their country of location (Infrastructure and "Sub-processor" compliance Documentation) as well as appointed "DPO" contacts (if applicable by law) or one responsible person before "Personal Data Treatment".
c. Objection Right for New "Sub-processors"
The "Parties" may object to the use by the other "Party" of a new "Sub-processor" by promptly notifying the other "Party" in writing within ten (10) business days after receipt of notice in accordance with the mechanism set out in the previous point.
The objecting "Party" shall inform the other "Party'" "DPO" or defined elected authorized representative (in the case under "GDPR" the DPO is not required), in writing towards the herein defined contact email address of the reasons for such objection to the nomination of a given "Sub-processor".
Such objection must clearly convey a valid motive for the objection which shall be limited to either having the complaining "Party" assessed that such "Sub-processor" does not operate in conformity with "GDPR" or the existence of relevant professional incompatible grounds between the complaining "Party" and that "Sub-processor", by means of unresolved corporate affairs or if the "Sub-processor" is a direct competitor of the complaining "Party", which would render its Corporate Core Business at risk by having one part (services, Corporate Data, Personal Data is treated by the complaining "Party", other) exposed to a competitor.
In the event one "Party" objects to a new "Sub-processor" nomination by the other "Party", as permitted and found legitimate under the preceding sentence, the "Party" which had nominated that "Sub-processor" will use reasonable efforts to make available to the complaining "Party" either a change in the "Services" or recommend a new "Sub-processor" or yet use of the "Services" in a manner that prevents "Personal Data Treatment" by the objected-to new "Sub-processor" without burdening the complaining "Party".
If the "Party" which has been informed of the objection by the other "Party" to such "Sub-processor" is unable to make the required change available within a reasonable period, which shall not exceed thirty (30) days, the complaining "Party" may terminate the "Agreement" with justifiable cause.
As determined under "GDPR" both "Parties" shall be mutually liable as well as towards the acts and omissions of their "Sub-processors".
a. Controls for the Protection of Customer Data
Both "Parties" commit to implement and maintain (by regularly monitoring those) appropriate technical and organizational measures that ensure the Security, Integrity and Confidentiality of "Personal Data Treatment" while fully aligned with "GDPR" requirements as set forth in both companies Privacy Policies and/ or Code of Conduct under and as per defined by "GDPR".
The "Parties" declare having undergone a proper and suitable internal assessment towards their "Personal Data Treatment" operations as per defined and ruled under "GDPR" Article 35.
Such assessment mandatorily covered four main operational areas, being those: corporate IT Landscape; Operational Landscape; Existing Service Contracts with partners that act as "Controllers" or "Processors" under "GDPR" within the scope of shared "Personal Data" and "GDPR Training" to those staff members who perform "Personal Data Treatment" activities.
Besides this, both "Parties" also commit to having in place an elected "DPO" with roles and attributions as per defined under "GDPR".
Each "Party" commits to making available to the other "Party" and upon request the existing "GDPR" compliance documentation as long as it does not reveal Corporate sensitive and Core Business related confidential information.
7. PERSONAL DATA BREACH INCIDENT MANAGEMENT AND NOTIFICATION
Both Parties commit to maintaining security incident management policies and procedures specified in Corporate Security, Privacy, Operational Processes and "IT Landscape" Documentation.
In the event of a "Personal Data Breach", the "Party" where it originated shall notify without undue delay the other "Party" after becoming aware of such "Personal Data Breach" if and when it affects or is related to mutual "Personal Data Treatment" operations.
The notification about a "Personal Data Breach" shall be done by e-mail to the email address of the other "Party'" "DPO" and include the type of incident (unauthorized access, unlawful destruction, other) plus inherent potential effects (as per above defined), the list of affected "Data Subjects" as well as the root cause and estimated potential impact towards the other "Party", plus enticed mitigation actions and if any mitigation action from the other "Party" is deemed necessary.
The herein described obligations shall not apply to incidents where the root cause is documented as having been caused by "Data Subject'" actions.
Please refer to Annex 2 for the detailed form of having the Corporate Client under its Controller role become informed of a Data Breach that had its root cause from the Processor's side.
8. PERSONAL DATA RETURN AND DELETION
Upon being informed by the other "Party" of the need to return or erase "Personal Data" under processing the informed "Party" shall, to the extent allowed by applicable law, erase Data Subject'" "Personal Data" in accordance with the procedures and timeframes specified in the Security, Privacy, Operational Processes and "IT Landscape" Documentation.
When one "Party" informs the other of the need to return or erase "Personal Data" from a given "Data Subject" it must also convey the "Lawful Basis" for such a request (e.g. Data Subject opt-out; existing services contract termination; other).
If the "Party" is requested to proceed with "Personal Data" return or deletion has a "Lawful Basis"/ motive that objects to fulfilling such request, it must inform the requesting "Party" of such lawful motive within a period of 5 working days (as per the Germany labor work schedule).
The informed "Party" shall reply to the requesting "Party" via both "DPOs" email addresses of having received the request within a maximum period of 72 hours.
"Personal Data" return and/ or deletion shall be assured by the informed "Party" within 15 working days of having acknowledged the request.
9. "AUTHORIZED AFFILIATES"
a. Contractual Relationship
The "Parties" acknowledge and agree that, by executing this DPA, both enter into the DPA on behalf of themselves and, as applicable, in the name and on behalf of their "Authorized Affiliates".
To avoid doubt, an "Authorized Affiliate" is not and does not become a party to the existing Contract/ Agreement and is only a party to this DPA.
Both "Parties" commit to inform each other in the event of "Personal Data Breaches" originated from themselves or one of its "Authorized Affiliates" that may impact the other "Party" as well as acting as communication bridges towards any relevant "Personal Data Treatment" actions by their "Authorized Affiliates" that may impact the other "Party".
10. LIMITATION OF LIABILITY
Under this DPA the "Parties" Liability is limited to what is ruled under "GDPR".
11. LEGAL EFFECT
Both "Parties" acknowledge that once signed this DPA becomes legally binding.
- Annex 1: Detailed description of Personal Data Treatment activities
- Annex 2: Personal Data Breach notification form
- Annex 3: Specific terms for those Corporate Clients that use the Refract Service
ANNEX 1 - Detailed description of Personal Data Treatment activities
Purpose and Scope
Myphoner allows Corporate Clients to reach out and maintain communication with both prospects as well as customers, acting as a CRM that enables the communication between the parties.
Categories of data
With regards to the Corporate Client staff members, the Processor will be processing Personal Data pertaining to the following categories:
- Identification Data: First and last name, email address, Company name, other…;
- Operational Data: phone number, tech setting preferences other...
The Personal Data hosted by Myphoner on its platform that pertains to the Corporate Client´s prospects and customers may have other identifiers that are defined by the Corporate Client in addition to the above mentioned; however, that must be mirrored by and be reflected on the Corporate Client compliance documentation and it is of the sole responsibility of each Corporate Client.
Categories of Data Subjects
Myphoner shall be processing Personal Data pertaining to:
- Corporate Client's staff members who are registered on Myphoner;
- Corporate Client´s prospect customers and customers
The Processor performs:
- Hosting of Personal Data
- Enabling the Controller to use the platform functionalities over a segregated instance
- Identifying, monitoring the usage of the platform by, and communicating with Corporate Client users (staff).
The Controller performs:
- Collection and Processing of Personal Data pertaining to those Data Subjects who are either its prospects or customers under a CRM context;
- Scheduling and management of interactions such as meetings or deliverables timelines.
Location of Processing Operations
This is a process that is exclusively constituted by purely Digital proceedings over the Internet.Personal Data shall be:
- Hosted by the Processor and Processed by the Processor over its EU established Data Center infrastructure;
Identity of sub-contractors
- Amazon Web Services the Hosting Partner (Germany)
- Elastic Search (Ireland)
- Telegenta (Germany)
- Refract (Germany): A 'Google' style search of the contents of every call - what did your Clients or prospects say, actions taken, topics discussed, and insights such as talk/ listening or questions asked.
- FoundKit (Netherlands): A partner acting as a Processor which provides Outsourced 1st level support services to Myphoner users (incidents troubleshooting and user support)
Allow Corporate Clients to use a CRM enabling tool that operated by them allows the management of Business Opportunities/ customer care operations and enticing communication with those prospects/ customers.
The duration of the Processing activities under the scope of this contact as well as the agreement between the parties will endure for the duration of the service.
If one of the "Parties", their Affiliate or Partner companies that act as "Sub-processors" is established in a European Union/ EEA member state or the United Kingdom, "Personal Data Treatment" undergone by such entity must be fully compliant with both "GDPR" and local accessory legislation not merely towards European Union resident "Data Subjects" but all "Data Subjects" which "Personal Data" is being treated by those entities regardless of their nationality or geographic residence for such is "GDPR" ruling.
If such an organization is established in another country, then "Personal Data treatment" regarding EU resident "Data Subjects" must be fully compliant with "GDPR" and existing national legislation.
Proof of compliance
Both the "Parties" as well as their "Affiliates" or "Partner" companies that act as "Sub-processors" and treat "Personal Data" from EU resident "Data Subjects" under existing service agreements with the "Parties" must have a set of documentation which enables the proof of established compliance with Applicable Data Protection Laws (where GDPR is included) and Regulations as per herein defined (including the registry of ongoing interactions under Personal Data Treatment activities).
The Processor must make such proof of compliance (either pertaining to itself or its sub-Processors) available for the Controller to Audit upon request and with a delay that should not exceed 15 calendar days.
Both "Parties" are exclusively Liable for their own faults which may lead to a "Personal Data" incident or breach that exposes it to unauthorized 3rd parties as well as regarding any existing non-compliance points towards "GDPR".
ANNEX 2 - Personal Data Breach notification form
Personal Data Breaches (both potential as well as verified as effective) need to be reported by the Processor to the DPO of the Controller within 36 hours of having been detected, in writing to the contact email described in this document and containing details as per the bullet points below:
1. Nature of the personal data breach
- insert a description of the breach including, how and when this occurred.
- insert details of the categories and volume of personal data compromised.
- insert details of the categories and volume of data subjects impacted.
2. Contact details
- confirm contact details of the DPO or another individual responsible for compliance with the data protection who can be contacted in relation to the personal data breach.
3. Consequences of the personal data breach
- insert a description of the likely consequences (from Processor's perspective) of the personal data breach for example identity theft, fraudulent activity, unauthorized access to accounts, etc.
4. Mitigation and containment
- insert details of the measures taken or proposed to be taken to mitigate and contain the personal data breach and its effect, as well as to prevent it from happening again in the future.
This initial report will be followed by a final full and detailed version definite report from the Processor to the Controller 60 hours after the incident has been detected by the Processor.
ANNEX 3 - Specific Terms for those Corporate Clients that use the Refract Service
The Refract Service (https://www.refract.ai) is a service that allows the connection (via an API) to the segregated area of the Corporate Client in Myphoner and collects recordings for both transcription as well as analytics processing.
Refract will therefore collect information from Myphoner (that is likely to contain Personal Data pertaining to that Corporate Client customers and staff alike) and process it in an automated manner, returning a transcript and some analytics.
The Corporate Client will be sharing Myphoner's API with Refract so the connection can be established.
Since the Corporate Client is the Controller before Myphoner and Myphoner acts as a Processor, where the Corporate Client is onboarding a new Processor (Refract) this becomes a Processor before the Controller and not Myphoner; for Myphoner is NOT providing any processing instructions towards Refract, the Corporate Client is.
Given what is herein mentioned, it is up to the Corporate Client to ensure that those Data Subjects whose Personal Data will undergo processing by Refract are informed about that fact and that the Controller has a documented lawful basis for such processing activities, plus the Controller must establish a Data Processing Agreement with Refract that mirrors the commitment towards Personal Data Protection and the law.