This Data Processing Agreement for Sharework Services (the “DPA”) details the parties’ obligations regarding the Processing of Personal Information on your behalf (hereinafter “Customer”) as part of the provision of Sharework Services as described in further detail in the Sharework’s General Terms of Service (hereinafter “GTC”). In the event of a conflict between the terms of the GTC and that of this DPA, the terms of this DPA shall prevail.
The Customer, as controller, and Sharework, as processor, undertake to respect the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) or other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this DPA (such laws collectively with GDPR, “Applicable Data Protection Law”).
For the purpose of this DPA the following terms will have the same meaning as assigned under the Applicable Data Protection Law: “Data Subject”, “Process/Processing”, “Personal Information” or “Personal Data”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules” (or any of the equivalent terms).
1. Definitions
“Services” means the product(s) and service(s) that are provided by Sharework to the Customer.
“Data Source” means a business database that is connected or uploaded by Customer to Sharework Services.
“Service Data” means all data produced by Sharework Services.
“CRM Data” means all data within Customer Data Source available to Sharework.
“Processed CRM Data” means CRM Data processed by Sharework Services.
“Customer Data” means the combination of Service Data, CRM Data and Processed CRM Data.
“Trusted Business Partner” means a Customer’s business partner invited to connect via Sharework for data sharing purposes
“Usage Data” means data & information about how the Customer uses the Services
2. Purpose of the Processing
Sharework provides Services allowing the Customer to connect a Data Source, process, store and share relevant CRM Data (“Processed CRM Data”) with Trusted Business Partners.
To deliver the Services, Sharework collects, processes and produces Customer Data which may include, without limitation, any information relating to an identified or identifiable natural person (‘data subject’) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person (such information, “Personal Data”)
3. Customer’s obligations
The Customer is responsible for complying with its obligations as a controller under this DPA and Applicable Data Protection Law, including the lawfulness of disclosing personal information to Sharework.
The Customer, who collects the Personal Data, remains responsible for informing the persons concerned of the transfer and processing of said data by Sharework, whose responsibility, as subcontractor of the processing, can only be engaged within this limit.
The Customer must document in writing his instructions regarding the processing of personal data to Sharework. The Customer’s instructions are reflected in the Contract and this DPA. The User has the right to reasonably provide additional instructions to Sharework. If the exercise of the right to issue reasonable instructions results in disproportionate efforts on part of Sharework which exceed the Services set forth in the Contract or Sharework’s duties under Applicable Data Protection Law, Sharework may comply with the instruction for a separate fee in relation to the efforts arising thereof.
4. Sharework’s obligations
Sharework will do its best efforts to:
5. Subprocessing
Sharework is authorized by the Customer to use sub processors for the performance of his contractual obligations, including the processing of personal data, provided that Sharework has concluded a written or electronic agreement with the subcontractor guaranteeing a level of protection equivalent to the level provided for in the DPA and, at the Customer’s request that main dispositions of this agreement be communicated to him.
The list of sub processors is available here.
Sharework must inform the Customer of any intended changes concerning the addition or replacement of a sub-processor, it being understood that the Customer may object to such changes if this subcontractor does not comply with GDPR mandatory dispositions, within eight days of being informed. Sharework has implemented and enforces a Vendor Management Policy.
6. Audit rights
The Customer is entitled to conduct an audit up to once per year to confirm compliance with the relevant controls under this DPA. Such audits and inspections should be a document audit. If this document audit does not satisfy the Customer, the Customer may conduct an on-site audit, during regular business hours, and without interfering with Sharework’s operations, upon at least 30 days prior notice and pursuant to an agreed-upon scope. Each party will bear its own costs in relation to the audit.
If the Customer would like a third party to conduct the audit, the third party must be mutually agreed to by the parties and must execute a written confidentiality agreement acceptable to Sharework.
The audit report or findings shall be confidential information under the Contract and the Customer will provide Sharework with a copy thereof. The Customer may use the audit reports and findings only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA.