Effective Date: 03/24/2021
DATA PROCESSING AGREEMENT
Attached to the Subscription Agreement
for the following offered Minitab Services, when applicable:
This Data Processing Agreement is intended to satisfy legal requirements under data protection and data privacy laws under Directive 95/46/EC, Article 28 of Regulation (EU) 2016/679 (“GDPR”). The terms “personal data,” “processing,” and “data subject” have the meaning given in the GDPR.
1. You (the “Controller”) hereby instruct Minitab, LLC (the “Processor”) to process personal data for providing the services described in the Subscription Agreement. Processor is not entitled to use personal data for its own purposes. Processor may only process personal data on behalf of the Controller and solely for the purposes identified in Section 1 of this Data Processing Agreement.
2. Processor will meet or exceed the technical and organizational data security measures described in Appendix 2 of the Standard Contractual Clauses appended hereto in Annex 1.
3. Controller generally authorizes and consents to Processor engaging subprocessors, as needed, to fulfill Processor’s contractual obligations under this DPA, provided that Processor:
4. Processor will comply with all requirements of this Data Processing Agreement, the GDPR and applicable national laws with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
Processor will immediately inform the Controller if, in its opinion, an instruction from Controller infringes the GDPR or applicable national data protection laws, or if Processor believes that it cannot comply with any instruction or any requirements under this Data Processing Agreement.
5. Processor will without undue delay, and within the period specified by applicable law, inform the Controller of any loss or breach of security of the personal data. Processor will, at a minimum, provide the following details:
Processor will promptly investigate such loss or breach and will provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such loss or breach.
6. This Data Processing Agreement will remain effective as long as Processor provides services for Controller or processes personal data received from Controller or in the context of providing services for Controller. Upon termination of the Subscription Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
7. Processor will monitor and self-audit its own compliance with its obligations under applicable national data protection law, the GDPR and this Data Processing Agreement and will provide Controller with periodic reports, at least annually.
8. At Controller’s written request, Processor will allow an audit (on-site or remotely) to verify Processor’s and any of its subprocessors’ compliance with obligations under applicable national data protection law, the GDPR and this Data Processing Agreement, to be carried out either (a) by an independent Certified Public Accountant bound by a duty of confidentiality selected by Controller and approved by Processor (which approval will not unreasonably be withheld or delayed) and where applicable, in agreement with the competent data protection authority, or (b) by a competent data protection authority. The audit will be carried out in close cooperation with Processor’s Data Protection Office at 1829 Pine Hall Road, State College, PA 16801; dpo@minitab.com. The parties will agree on the scope of the audit in advance. Controller will notify Processor in writing a minimum of ten (10) business days prior to any audit being carried out. Controller will bear the costs of the audit unless the audit uncovers compliance deficits that are not immaterial, in which case Processor will reimburse Controller for the costs of the audit. If Controller requests Processor to incur out-of-pocket costs to assist Controller in the audit, then Processor is entitled to a reasonable, pre-approved reimbursement for its costs of the audit incurred by Processor, to be paid by Controller only if the audit does not uncover compliance deficits that are not immaterial.
9. Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller with any data protection impact assessment and consultation procedures, if any, that relate to the services provided by Processor to Controller and the personal data that Processor handles for Controller.
10. Processor will assist Controller with any data subject access, portability, correction, erasure or blocking requests and objections. If Processor receives any request from data subjects, data protection authorities, or others relating to its data processing, Processor will immediately inform Controller and assist Controller with developing a response (but Processor will not itself respond, except per instructions from Controller). Processor will also assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor and, if and to the extent requested by Controller, cooperate with any authorities’ requests.
11. Processor will notify Controller without undue delay:
12. In case Processor is established in, or transfers or makes accessible any personal data to any subprocessors outside of, any country other than the Member States of the European Economic Area or Switzerland, by agreeing to this Data Processing Agreement, Processor agrees that it: (a) is certified under EU-US Privacy Shield and where applicable Swiss-US Privacy Shield (collectively “Privacy Shield”) for any processing that is performed in the United States or, as may be required, a similar framework that provides approved safeguards for data transfers (as recognized under the Data Protection Laws) or a European Commission finding of adequacy (the Privacy Shield and similar frameworks are collectively referred to as a “Privacy Framework”); or (b) if Processor is not certified under a Privacy Framework, or if the Privacy Framework under which the Processor is certified is deemed invalid by an applicable regulatory body, then the parties agree that the Standard Contractual Clauses approved by the EU authorities under Data Protection Laws and set out in Annex 1 will apply in respect of that processing, and Processor will comply with the obligations of the “data importer” in the Standard Contractual Clauses and Controller will comply with the obligations of the “data exporter”.
13. All obligations under this Data Processing Agreement apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
14. The parties agree that Controller’s affiliates are intended third-party beneficiaries of this Data Processing Agreement and such provisions are intended to inure to the benefit of the affiliates. Without limiting the foregoing, Controller affiliates will be entitled to enforce this Data Processing Agreement as if each was a signatory to this Data Processing Agreement.
15. In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this Data Processing Agreement, this Data Processing Agreement, and then the Subscription Agreement.
16. This Data Processing Agreement shall not restrict the GDPR or any other applicable data protection laws. If any provision in this Data Processing Agreement is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
17. Processor guarantees the prompt and satisfactory performance of its obligations and responsibilities under this Data Processing Agreement by Processor, and Processor agrees that it shall be responsible for all costs associated with its compliance with such obligations.
Annex 1 - Standard Contractual Clauses
EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE
Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
You (as defined in the Data Processing Agreement)
(the data exporter)
And
MINITAB, LLC
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
Clause 6
Liability
Clause 7
Mediation and jurisdiction
Clause 8
Cooperation with supervisory authorities
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11
Subprocessing
Clause 12
Obligation after the termination of personal data processing services
Appendix 1
to the Standard Contractual Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
The individual or entity (defined as “You”) that has entered into the Agreement with Minitab, LLC for the provision of Services as described in the Agreement.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Minitab, LLC, which processes personal data upon the instruction of the data exporter in accordance with the Agreement.
Data Subjects
The data subjects may include Your customers, employees, suppliers, and end-users.
Categories of Data
The personal data transferred concern the following categories of data (please specify):
Your Content uploaded to the Services under Your accounts
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
The purpose, nature and subject matter of the Processing of Personal Data by Processor, under this Data Processing Agreement, are those Processing operations which are necessary to provide the Services referred to herein.
The Processing of Personal Data referred to under this Data Processing Agreement shall occur throughout the term of this Data Processing Agreement and the provision of Services.
Appendix 2
to the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Information Security Program Minimum Security Elements
"Security Obligations" is defined as:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Minitab implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
In furtherance of the above definition, Minitab takes the following specific measures to ensure that it meets the Security Obligations prescribed in Section 4 of the Agreement.
1. Physical Access Control
Measures to prevent unauthorized persons from gaining access to data processing systems for processing or using the Personal Data:
2. Logical Access and Security Controls
Measures to prevent unauthorized persons from using data processing equipment and procedures:
3. Data Access Control
Measures that ensure that persons entitled to use a data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights:
4. Data Transfer Control
Measures to ensure that the Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of the Personal Data by means of data transmission facilities can be established and verified:
5. Entry Control
Measures to ensure that it is possible to check and ascertain whether Personal Data have been entered into, altered or removed from data processing systems and if so, by whom:
6. Availability Control
Measures to ensure that the Personal Data is protected against accidental destruction or loss:
7. Control of Data Set Separation