Effective Date: 03/24/2021
DATA PROCESSING AGREEMENT
Attached to the Subscription Agreement
for the following offered Minitab Services, when applicable:
- Minitab® Statistical Software – Web App
- Minitab Engage™
- Quality Trainer by Minitab®
- Minitab Connect™
- Companion by Minitab®
This Data Processing Agreement is intended to satisfy legal requirements under data protection and data privacy laws, including Directive 95/46/EC and Article 28 of Regulation (EU) 2016/679 (“GDPR”). The terms “personal data,” “processing,” and “data subject” have the meaning given in the GDPR.
1. You (the “Controller”) hereby instruct Minitab, LLC (the “Processor”) to process personal data for providing the services described in the Subscription Agreement. Processor is not entitled to use personal data for its own purposes. Processor may only process personal data on behalf of the Controller and solely for the purposes identified in Section 1 of this Data Processing Agreement.
2. Processor will meet or exceed the technical and organizational data security measures described in Appendix 2 of the Standard Contractual Clauses appended hereto in Annex 1.
3. Controller generally authorizes and consents to Processor engaging subprocessors, as needed, to fulfill Processor’s contractual obligations under this Data Processing Agreement, provided that Processor:
- provides prior notice to Controller and gives Controller an opportunity to object to the addition or replacement of subprocessors (provided that Controller will not object except with reasonable cause). The Processor website (currently posted at https://minitab.com/legal/data-processing-agreement/subprocessors) is updated as needed from time to time and lists sub-processors that are currently engaged by Processor to carry out processing activities on Controller’s personal data.
- executes a written contract with each subprocessor containing the same or more protective obligations and data protection measures as this Data Processing Agreement and Appendix 2 of the Standard Contractual Clauses appended hereto in Annex 1, and provides a copy of such contracts to Controller upon request; and
- remains fully responsible and liable for any actions and omissions of subprocessors.
4. Processor will comply with all requirements of this Data Processing Agreement, the GDPR and applicable national laws with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
- process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required pursuant to Article 32 of the GDPR;
- respect the conditions referred to in Article 28 paragraphs 2 and 4 of the GDPR for engaging another Processor;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR or applicable national data protection laws;
- assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor;
- make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Processor will immediately inform the Controller if, in its opinion, an instruction from Controller infringes the GDPR or applicable national data protection laws, or if Processor believes that it cannot comply with any instruction or any requirements under this Data Processing Agreement.
5. Processor will without undue delay, and within the period specified by applicable law, inform the Controller of any loss or breach of security of the personal data. Processor will, at a minimum, provide the following details:
- the nature of the loss or breach; and
- an estimation of the number of data subjects involved, and, where possible, their names.
Processor will promptly investigate such loss or breach and will provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such loss or breach.
6. This Data Processing Agreement will remain effective as long as Processor provides services for Controller or processes personal data received from Controller or in the context of providing services for Controller. Upon termination of the Subscription Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
- destroy all personal data processed and any copies thereof and certify to Controller on request that Processor has done so; or
- in accordance with Controller’s instructions, return all personal data processed and the copies thereof to Controller or other recipient identified by Controller.
7. Processor will monitor and self-audit its own compliance with its obligations under applicable national data protection law, the GDPR and this Data Processing Agreement and will provide Controller with periodic reports, at least annually.
8. At Controller’s written request, Processor will allow an audit (on-site or remotely) to verify Processor’s and any of its subprocessors’ compliance with obligations under applicable national data protection law, the GDPR and this Data Processing Agreement, to be carried out either (a) by an independent Certified Public Accountant bound by a duty of confidentiality selected by Controller and approved by Processor (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (b) by a competent data protection authority. The audit will be carried out in close cooperation with Processor’s Data Protection Office at 1829 Pine Hall Road, State College, PA 16801; firstname.lastname@example.org. The parties will agree on the scope of the audit in advance. Controller will notify Processor in writing a minimum of ten (10) business days prior to any audit being carried out. Controller will bear the costs of the audit unless the audit uncovers compliance deficits that are not immaterial, in which case Processor will reimburse Controller for the costs of the audit. If Controller requests Processor to incur out-of-pocket costs to assist Controller in the audit, then Processor is entitled to a reasonable, pre-approved reimbursement for its costs of the audit incurred by Processor, to be paid by Controller only if the audit does not uncover compliance deficits that are not immaterial.
9. Processor will assist Controller, to the extent reasonably possible, to comply with applicable law within a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller with any data protection impact assessment and consultation procedures, if any, that relate to the services provided by Processor to Controller and the personal data that Processor handles for Controller.
10. Processor will assist Controller with any data subject access, portability, correction, erasure or blocking requests and objections. If Processor receives any request from data subjects, data protection authorities, or others relating to its data processing, Processor will immediately inform Controller and assist Controller with developing a response (but Processor will not itself respond, except per instructions from Controller). Processor will also assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor and, if and to the extent requested by Controller, cooperate with any authorities’ requests.
11. Processor will notify Controller without undue delay:
- about any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- about any complaints and requests received directly from data subjects (e.g., regarding access, rectification, erasure, data portability, objection to processing of data, automated decision-making), and assist Controller with a response and resolution of the request, but not respond until Controller provides instructions;
- if Processor becomes aware of a data protection breach at Processor or its subprocessors; without limiting any other obligations under applicable law, the GDPR or contracts, Processor will assist Controller with investigating the breach and satisfying Controller’s obligations to inform data subjects, authorities and others, and handle documentation and other requirements.
12. In case Processor is established in, or transfers or makes accessible any personal data to any subprocessor established in, any country other than the Member States of the European Economic Area or Switzerland, by agreeing to this Data Processing Agreement, Processor agrees that it: (a) is certified under the EU-US Privacy Shield and, where applicable, the Swiss-US Privacy Shield (collectively “Privacy Shield”) for any processing that is performed in the United States or, as may be required, a similar framework that provides approved safeguards for data transfers (as recognized under the Data Protection Laws) or a European Commission finding of adequacy (the Privacy Shield and similar frameworks are collectively referred to as a “Privacy Framework”); or (b) if Processor is not certified under a Privacy Framework, or if the Privacy Framework under which the Processor is certified is deemed invalid by an applicable regulatory body, then the parties agree that the Standard Contractual Clauses approved by the EU authorities under Data Protection Laws and set out in Annex 1 will apply in respect of that processing, and Processor will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and Controller will comply with the obligations of the ‘data exporter’.
13. All obligations under this Data Processing Agreement apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
14. The parties agree that Controller’s affiliates are intended third-party beneficiaries of this Data Processing Agreement and that its provisions are intended to inure to the benefit of those affiliates. Without limiting the foregoing, Controller’s affiliates will be entitled to enforce this Data Processing Agreement as if each were a signatory to this Data Processing Agreement.
15. In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this Data Processing Agreement, this Data Processing Agreement, and then the Subscription Agreement.
16. This Data Processing Agreement shall not restrict the GDPR or any other applicable data protection laws. If any provision in this Data Processing Agreement is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
17. Processor guarantees the prompt and satisfactory performance of its obligations and responsibilities under this Data Processing Agreement, and Processor agrees that it shall be responsible for all costs associated with its compliance with such obligations.