Data Processing Agreement

Last updated on
January 4, 2021

This Data Processing Agreement for Sharework Services (the “DPA”) details the parties’ obligations regarding the Processing of Personal Information on your behalf (hereinafter “Customer”) as part of the provision of Sharework Services as described in further detail in the Sharework’s General Terms of Service (hereinafter “GTC”). In the event of a conflict between the terms of the GTC and that of this DPA, the terms of this DPA shall prevail.


The Customer, as controller, and Sharework, as processor, undertake to respect the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) or other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this DPA (such laws collectively with GDPR, “Applicable Data Protection Law”).


For the purpose of this DPA the following terms will have the same meaning as assigned under the Applicable Data Protection Law: “Data Subject”, “Process/Processing”, “Personal Information” or “Personal Data”, “Supervisory Authority”, “Controller”, “Processor” and “Binding Corporate Rules” (or any of the equivalent terms).

1. Definitions

 

Services” means the product(s) and service(s) that are provided by Sharework to the Customer.

Data Source” means a business database that is connected or uploaded by Customer to Sharework Services.

Service Data” means all data produced by Sharework Services. 

CRM Data” means all data within Customer Data Source available to Sharework.

Processed CRM Data” means CRM Data processed by Sharework Services.

Customer Data” means the combination of Service Data, CRM Data and Processed CRM Data. 

Trusted Business Partner” means a Customer’s business partner invited to connect via Sharework for data sharing purposes

Usage Data” means data & information about how the Customer uses the Services

 

2. Purpose of the Processing


Sharework provides Services allowing the Customer to connect a Data Source, process, store and share relevant CRM Data (“Processed CRM Data”) with Trusted Business Partners.

 

To deliver the Services, Sharework collects, processes and produces Customer Data which may include, without limitation, any information relating to an identified or identifiable natural person (‘data subject’) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person (such information, “Personal Data”) 


3. Customer’s obligations


The Customer is responsible for complying with its obligations as a controller under this DPA and Applicable Data Protection Law, including the lawfulness of disclosing personal information to Sharework.


The Customer, who collects the Personal Data, remains responsible for informing the persons concerned of the transfer and processing of said data by Sharework, whose responsibility, as subcontractor of the processing, can only be engaged within this limit.


The Customer must document in writing his instructions regarding the processing of personal data to Sharework. The Customer’s instructions are reflected in the Contract and this DPA. The User has the right to reasonably provide additional instructions to Sharework. If the exercise of the right to issue reasonable instructions results in disproportionate efforts on part of Sharework which exceed the Services set forth in the Contract or Sharework’s duties under Applicable Data Protection Law, Sharework may comply with the instruction for a separate fee in relation to the efforts arising thereof.


4. Sharework’s obligations


Sharework will do its best efforts to:

  • process the personal data only on documented instructions from the Customer;
  • ensure that employees and contractors authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • considering the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject's rights. Sharework acknowledges that it is solely the responsibility of the Customer to respond to the requests of the data subjects;
  • assist reasonably the Customer in ensuring compliance with the obligations pursuant to security, personal data breach, data protection impact assessment and prior consultation, considering the nature of processing and the information available to Sharework
  • make available to the Customer information known and necessary to demonstrate compliance with the obligations laid down in the Article 28 GDPR and allow audits under the conditions set by article 5 of the DPA;
  • at the choice of the Customer, communicated to Sharework in writing, delete or return all the personal data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
  • notify the Customer without undue delay after becoming aware of a personal data breach. Sharework acknowledges that it is solely the responsibility of the Customer to notify the personal data breach to the supervisory authority competent and communicate the personal data breach to the data subject.


5. Subprocessing


Sharework is authorized by the Customer to use sub processors for the performance of his contractual obligations, including the processing of personal data, provided that Sharework has concluded a written or electronic agreement with the subcontractor guaranteeing a level of protection equivalent to the level provided for in the DPA and, at the Customer’s request that main dispositions of this agreement be communicated to him. 

The list of sub processors is available here.


Sharework must inform the Customer of any intended changes concerning the addition or replacement of a sub-processor, it being understood that the Customer may object to such changes if this subcontractor does not comply with GDPR mandatory dispositions, within eight days of being informed. Sharework has implemented and enforces a Vendor Management Policy.


6. Audit rights


The Customer is entitled to conduct an audit up to once per year to confirm compliance with the relevant controls under this DPA. Such audits and inspections should be a document audit. If this document audit does not satisfy the Customer, the Customer may conduct an on-site audit, during regular business hours, and without interfering with Sharework’s operations, upon at least 30 days prior notice and pursuant to an agreed-upon scope. Each party will bear its own costs in relation to the audit.


If the Customer would like a third party to conduct the audit, the third party must be mutually agreed to by the parties and must execute a written confidentiality agreement acceptable to Sharework.


The audit report or findings shall be confidential information under the Contract and the Customer will provide Sharework with a copy thereof.  The Customer may use the audit reports and findings only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA.




Last updated on
January 4, 2021