COMET PLAY DATA PROCESSING ADDENDUM
Last updated: January 04, 2021
This Data Processing Addendum (“DPA”) forms a part of the Customer Terms of Service, unless the Customer has entered into a superseding written Separate Agreement, in which case, it forms a part of such written agreement (in either case referred to here as the “Contract”).
By entering into this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates (defined below). For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include the Customer and Customer Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Contract.
In the course of providing the Services under the Contract, the Company may Process certain Personal Data (such terms defined below) on behalf of Customer and where the Company Processes such Personal Data on behalf of Customer the Parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Contract.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“the Company” means the Analyticom entity which is a party to this DPA, being Analyticom d.o.o., a company incorporated in the Republic of Croatia.
“Analyticom Group” means the Company and its Affiliates engaged in the Processing of Personal Data.
“Sub-processor” means any entity engaged by the Company or a member of the Analyticom Group to Process Personal Data in connection with the Services.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the Controller, the Company is the Processor and that the Company or members of the Analyticom Group will engage Sub-processors pursuant to the requirements set forth in Section 4 Sub-Processors below.
2.2. Customer’s Processing of Personal Data
Customer shall, in its use of the Services and provision of instructions, process Personal Data in accordance with the requirements of applicable Data Protection Law. The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
2.3. The Company’s Processing of Personal Data
As the Customer’s Processor, the Company shall only process Personal Data for the following purposes:
- Processing in accordance with the Contract and other applicable agreements between the Parties
- Processing initiated by Workspace Members in their use of the Services; and
- Processing to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Contract
All aforementioned purposes shall, individually and collectively, be referred to as the “Purpose”. The Company acts on behalf of and on the instructions of Customer in carrying out the Purpose.
2.4. Details of the Processing.
The subject-matter of Processing of Personal Data by the Company is as described in the Purpose in Section 2.3., while the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Exhibit A (Description of Processing Activities) to this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1. Data Subject Requests
The Company shall, to the extent legally permitted, promptly notify the Customer if the Company receives any requests from a Data Subject to exercise Data Subject rights afforded to the Data Subject under applicable Data Protection Law in relation to Personal Data, including, as applicable, the following: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”).
3.2. Processor Assistance
Taking into account the nature of the Processing, the Company shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to a Data Subject Request as required by applicable Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, the Company shall, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request, to the extent the Company is legally permitted to do so and the response to such Data Subject Request is required under applicable Data Protection Laws. To the extent legally permitted, the Customer shall be responsible for any costs arising from the Company’s provision of such assistance, including any fees associated with provision of additional functionality.
4. SUB-PROCESSORS
4.1. Appointment of Sub-processors
Customer acknowledges and agrees that:
- the Company’s Affiliates may be retained as Sub-processors through written agreement with the Company and
- the Company may engage third-party Sub-processors in connection with the provision of Services.
As a condition to permitting a third-party Sub-processor to Process Personal Data, the Company or a Company Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor.
4.2. List of Current Sub-processors and Notification of New Sub-processors
A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible in the Exhibit B (List of Sub-processors) to this DPA. Notification of new Sub-processors will be done by email to the e-mail address provided by the Customer, although we may instead choose to provide notice to the Customer through the Service. Notices to the Company shall be sent to dpo@analyticom.com.
4.3. Objection Right for New Sub-processors.
The Customer may reasonably object to the Company’s use of a new Sub-processor (e.g., if making Personal Data available to the Sub-processor may violate applicable Data Protection Law or weaken the protections for such Personal Data) by notifying the Company promptly in writing within ten (10) business days after receipt of the Company’s notice. Such notice shall explain the reasonable grounds for the objection. In the event the Customer objects to a new Sub-processor, as permitted in the preceding sentence, the Company will use commercially reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If the Company is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the applicable Contract with respect only to those Services which cannot be provided by the Company without the use of the objected-to new Sub-processor by providing written notice to the Company.
4.4. Liability
The Company shall be liable for the acts and omissions of its Sub-processors to the same extent the Company would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.
5. SECURITY
5.1. Controls for the Protection of Personal Data
The Company shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.
5.2. Information and Audit Rights
Subject to this Article, the Company shall make available to the Customer, on request, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of Personal Data. The information and audit rights only arise under this Section to the extent that this DPA does not otherwise provide the Consumer with information meeting the relevant requirements of Data Protection Law. Before the commencement of any such audit, the Customer and the Company shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the Company. The Customer shall promptly notify the Company with information regarding any non-compliance discovered during the course of an audit, and the Company shall use commercially reasonable efforts to address any confirmed non-compliance.
6. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
6.1. The Company shall notify the Customer without undue delay of any breach relating to Personal Data (within the meaning of applicable Data Protection Law) of which the Company becomes aware and which may require a notification to be made to a Supervisory Authority or Data Subject under applicable Data Protection Law or which the Company is required to notify to Customer under applicable Data Protection Law (a “Personal Data Incident”).
6.2. The Company shall provide commercially reasonable cooperation and assistance in identifying the cause of such a Personal Data Incident and take commercially reasonable steps to remediate the cause to the extent the remediation is within the Company’s control. Except as required by applicable Data Protection Law, the obligations herein shall not apply to incidents that are caused by the Customer, Customer’s Workspace Members, Customer’s affiliates, representatives or contractors or other persons (legal or otherwise) under the control of the Customer.
7. DATA TRANSFER
7.1. The Data Processor may not transfer or authorize the transfer of Customer Personal Data to countries outside the EU and/or the European Economic Area (EEA) without prior notification of intent of such a data transfer to the Customer. The Customer may oppose such a transfer, in writing, within 15 days of notification of the intent of transfer, in which case the transfer shall not be executed, and the Parties shall seek to find another mutually satisfactory solution to implement the proposed data transfer.
7.2. If the Customer’s Personal Data Processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.
7.3. In cases where a Personal Data transfer is being executed to a country outside of the EEA but deemed by the EU as a country offering an adequate level of data protection per Art. 45. of the GDPR, prior notification of the Customer by the Data Processor as described herein shall not be required.
8. RETURN AND DELETION OF PERSONAL DATA
8.1. Upon termination of the Services for which the Company is Processing Personal Data, the Company shall, upon Customer’s request, and subject to the limitations described in the Contract and the COMET PLAY Privacy Policy, return all Personal Data in the Company’s possession to Customer or securely destroy such Personal Data and demonstrate to the satisfaction of Customer that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data. For clarification, depending on the Service plan purchased by Customer, access to export functionality may incur additional charge(s) and/or require purchase of a Service upgrade.
9. LIMITATION OF LIABILITY
9.1. As this DPA is an integral part of the Contract, the limitation of liability as defined in the Contract shall apply in aggregate to any and all claims that may arise out of the Contract. To avoid doubt, this means that should a claim be filed due to perceived Company liability arising out of other provisions of the Contract and a separate claim be filed due to perceived Company liability arising out of this DPA, both claims in aggregate cannot exceed the limitation of liability set forth in the Contract.
10. DATA PROTECTION IMPACT ASSESSMENT
10.1. Upon the Customer’s request, the Company shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to the Company. The Company shall provide reasonable assistance to the Customer in the cooperation or prior consultation with the Supervisory Authority, to the extent required under the GDPR. In cases where excessive expenses (monetary or temporal) may be incurred for the Company, the Company shall request a reasonable fee and coverage of such expenses.
11. LEGAL EFFECT
11.1. By accepting and entering into the Contract, of which this DPA is an integral part, the Customer has accepted and entered into this DPA. If the Customer has previously executed a “data processing addendum” with the Company, this DPA supersedes and replaces such prior Data Processing Addendum.
12. GOVERNING LAW
12.1. This DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the Republic of Croatia.
List of Exhibits
- Exhibit A: Description of Processing Activities
- Exhibit B: List of Sub-processors
EXHIBIT A – DESCRIPTION OF PROCESSING ACTIVITIES
1. DATA SUBJECTS
The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer and which may include, but is not limited to, personal data relating to the following categories of data subject:
- Workspace Members;
- employees of the Customer;
- representatives of the Customer;
- contractors of the Customer;
- agents of the Customer; and/or
- third parties with which the Customer conducts business.
2. CATEGORIES OF DATA
The Personal Data transferred concern the following categories of data:
- Any Personal Data comprised in Customer Data, as defined in the Contract.
3. SPECIAL CATEGORIES OF DATA
The Customer may submit personal data to the Company through the Services, the extent of which is determined and controlled by the Customer in compliance with applicable Data Protection Laws and which may concern the following special categories of data, if any:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade-union membership;
- genetic or biometric data;
- health; and
- sex life.
4. PROCESSING OPERATIONS
The personal data transferred will be processed in accordance with the Contract and may be subject to the following processing activities:
- storage and other processing necessary to provide, maintain, and update the Services provided to the Customer;
- to provide customer and technical support to the Customer; and
- disclosures in accordance with the Contract, as compelled by law.
EXHIBIT B – LIST OF SUB-PROCESSORS
Analyticom GmbH, Waldhofer Str. 102, 69123 Heidelberg, Germany