Effective Date: 10/20/2020
DATA PROCESSING AGREEMENT
Attached to the Subscription Agreement
for the following offered Minitab Services, when applicable:
This Data Processing Agreement is intended to satisfy legal requirements under data protection and data privacy laws under Directive 95/46/EC, Article 28 of Regulation (EU) 2016/679 (“GDPR”). The terms “personal data,” “processing,” and “data subject” have the meaning given in the GDPR.
1. You (the “Controller”) hereby instruct Minitab, LLC (the “Processor”) to process personal data for providing the services described in the Subscription Agreement. Processor is not entitled to use personal data for its own purposes. Processor may only process personal data on behalf of the Controller and solely for the purposes identified in Section 1 of this Data Processing Agreement.
2. Processor will meet or exceed the technical and organizational data security measures described in Appendix 2 of the Standard Contractual Clauses appended hereto in Annex 1.
3. Controller generally authorizes and consents to Processor engaging subprocessors, as needed, to fulfill Processors contractual obligations under this DPA, provided that Processor:
Processor will comply with all requirements of this Data Processing Agreement, the GDPR and applicable national laws with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
Processor will immediately inform the Controller if, in its opinion, an instruction from Controller infringes the GDPR or applicable national data protection laws, or if Processor believes that it cannot comply with any instruction or any requirements under this Data Processing Agreement.
5. Processor will without undue delay, and within the period specified by applicable law, inform the Controller of any loss or breach of security of the personal data. Processor will, at a minimum, provide the following details:
Processor will promptly investigate such loss or breach and will provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such loss or breach.
6. This Data Processing Agreement will remain effective as long as Processor provides services for Controller or processes personal data received from Controller or in the context of providing services for Controller. Upon termination of the Subscription Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
7. Processor will monitor and self-audit its own compliance with its obligations under applicable national data protection law, the GDPR and this Data Processing Agreement and will provide Controller with periodic reports, at least annually.
8. At Controller’s written request, Processor will allow an audit (on-site or remotely) to verify Processor’s and any of its subprocessors’ compliance with obligations under applicable national data protection law, the GDPR and this Data Processing Agreement, to be carried out either (a) by an independent Certified Public Accountant bound by a duty of confidentiality selected by Controller and approved by Processor (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (b) by a competent data protection authority. The audit will be carried out in close cooperation with Processor’s Data Protection Office at 1829 Pine Hall Road, State College, PA 16801; email@example.com. The parties will agree on the scope of the audit in advance. Controller will notify Processor in writing a minimum of ten (10) business days prior to any audit being carried out. Controller will bear the costs of the audit unless the audit uncovers compliance deficits that are not immaterial, in which case Processor will reimburse Controller for the costs of the audit. If Controller requests Processor to incur out-of-pocket costs to assist Controller in the audit, then Processor is entitled to a reasonable, pre-approved reimbursement for its costs of the audit incurred by Processor, to be paid by Controller only if the audit does not uncover compliance deficits that are not immaterial.
9. Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller with any data protection impact assessment and consultation procedures, if any that relate to the services provided by Processor to Controller and the personal data that Processor handles for Controller.
10. Processor will assist Controller with any data subject access, portability, correction, erasure or blocking requests and objections. If Processor receives any request from data subjects, data protection authorities, or others relating to its data processing, Processor will immediately inform Controller and assist Controller with developing a response (but Processor will not itself respond, except per instructions from Controller). Processor will also assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor and, if and to the extent requested by Controller, cooperate with any authorities’ requests.
11. Processor will notify Controller without undue delay:
12. In case Processor is established in, or transfers or makes accessible any personal data to any subprocessors outside of, any country other than the Member States of the European Economic Area or Switzerland, by agreeing to this Data Processing Agreement, Processor agrees that it: (a) is certified under EU-US Privacy Shield and where applicable Swiss-US Privacy Shield (collectively “Privacy Shield”) for any processing that is performed in the United States or, as may be required, a similar framework that provides approved safeguard for data transfers (as recognized under the Data Protection Laws) or a European Commission finding of adequacy (the Privacy Shield and similar frameworks are collectively referred to as a “Privacy Framework”) ; or (b) if Processor is not certified under a Privacy Framework, or if the Privacy Framework under which the Processor is certified is deemed invalid by an applicable regulatory body, then the parties agree that the Standard Contractual Clauses approved by the EU authorities under Data Protection Laws and set out in Annex 1 will apply in respect of that processing, and Processor will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and Controller will comply with the obligations of the 'data exporter'.
13. All obligations under this Data Processing Agreement apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
14. The parties agree that Controller’s affiliates are intended third-party beneficiaries of this Data Processing Agreement and such provisions are intended to inure to the benefit of the affiliates. Without limiting the foregoing, Controller affiliates will be entitled to enforce this Data Processing Agreement as if each was a signatory to this Data Processing Agreement.
15. In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this Data Processing Agreement, this Data Processing Agreement, and then the Subscription Agreement.
16. This Data Processing Agreement shall not restrict the GDPR or any other applicable data protection laws. If any provision in this Data Processing Agreement is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
17. Processor guarantees the prompt and satisfactory performance of its obligations and responsibilities under this Data Processing Agreement by Processor, and Processor agrees that it shall be responsible for all costs associated with its compliance of such obligations.
Annex 1 - Standard Contractual Clauses
Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
You (as defined in the Data Processing Agreement)
(the data exporter)
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
Obligations of the data exporter
The data exporter agrees and warrants:
Obligations of the data importer
The data importer agrees and warrants:
to the Standard Contractual Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
The individual or entity (defined as “You”) that has entered into the Agreement with Minitab, LLC for the provision of Services as described in the Agreement.
The data importer is (please specify briefly activities relevant to the transfer):
Minitab, LLC, which processes personal data upon the instruction of the data exporter in accordance with the Agreement.
The data subjects may include Your customers, employees, suppliers, and end-users.
Categories of Data
The personal data transferred concern the following categories of data (please specify):
Your Content uploaded to the Services under Your accounts
The personal data transferred will be subject to the following basic processing activities (please specify):
The purpose, nature and subject matter of the Processing of Personal Data by Processor, under this Data Processing Agreement, are those Processing operations, which are necessary to provide the Services, which are referred herein.
The Processing of Personal Data referred to under this Data Processing Agreement shall occur throughout the term of this Data Processing Agreement and the provision of Services.