Universal DPA with GDPR Addendum
This Data Processing Addendum together with the GDPR Addendum in Annex 1 (“DPA”) specify the data protection obligations of the parties, which arise from contract data processing on behalf of the Client, as stipulated in the ABBYY Terms of Service for “ABBYY FlexiCapture Cloud” and “ABBYY FlexiCapture Cloud API” Web-services https://www.abbyy.com/flexicapture/terms-of-service/ (“Terms”). It applies to all activities performed in connection with the Terms in which the staff of ABBYY or a third party acting on behalf of ABBYY may come into contact with Personal Data of the Client. All capitalized terms used herein and not otherwise defined herein shall have the meanings ascribed to such terms in the Terms.
The following definitions are used in this DPA:
“ABBYY” means the same ABBYY legal entity that is a party to the Terms.
“Data Protection Laws” means any applicable law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, relating to data security, data protection and/or privacy.
“Client” refers to and includes any person and/or any entity that is accepting the Terms.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of such data.
“GDPR Addendum” means the addendum that meets the requirements of Article 28 of the GDPR.
“Processing” means any operation or set of operations performed on the Personal Data including, but not limited to, the storage, amendment, transfer, blocking or erasure of Personal Data.
“Personal Data” means any information that is included in Uploaded Data and that relates to an identified or identifiable individual.
“Sub-processor” or “Subcontractor” means any third party engaged by ABBYY or ABBYY Affiliate, or any ABBYY Affiliate who is not a party to this DPA, to perform Processing of the Personal Data.
1. Personal Data
a. Privacy practices. ABBYY shall comply with applicable Data Protection Laws generally applicable to ABBYY’s provision of the Service. However, ABBYY is not responsible for compliance with Data Protection Laws applicable to Client or its industry and not generally applicable to information technology service providers or providers using critical infrastructure (e.g. financial or credit institutions, health and safety institutions, professional unions or associations, religious organizations). Client shall comply with its own obligations under applicable Data Protection Laws including, but not limited to, its use of the Service and the transfer of Personal Data to ABBYY and any ABBYY Affiliate and Subcontractor. Personal Data is protected under the European Data Protection Laws (GDPR / any other UK, Swiss or EEA data protection laws) and processed in accordance with this DPA (including GDPR Addendum in Annex 1).
b. Personal Data. ABBYY will process Personal Data in accordance with the provisions of this DPA and, except as stated in the Terms and this DPA, ABBYY (1) will acquire no rights in Personal Data and (2) will not use or disclose Personal Data for any purpose other than stated in this DPA.
Client instructs ABBYY to Process Personal Data as follows:
(i) Personal Data will be used to provide the Service to Client. This may include any Processing initiated by Client in its use of the Service. This may also include troubleshooting or technical support and maintenance aimed at preventing, detecting and repairing problems affecting the operation of the Service and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam) as well as upgrading and updating the Service.
(ii) To comply with Client’s other reasonable instructions to the extent they are consistent with the Terms.
(iii) ABBYY will not disclose Personal Data to a third party (including law enforcement, other government entity, or civil litigant; excluding Subcontractors) except as Client directs or unless required or permitted by the Terms, this DPA or by law or to ABBYY’s Subcontractors and other ABBYY Affiliates. Should a third party contact ABBYY with a request for Personal Data, ABBYY will attempt to redirect the third party to request it directly from Client. As part of that, ABBYY may provide Client’s basic contact information to the third party. If compelled to disclose Personal Data to a third party, ABBYY will use commercially reasonable efforts to notify Client in advance of a disclosure unless legally prohibited.
c. Personal Data deletion or return. Upon expiration or termination of Client’s use of the Service, Client may receive Personal Data stored and ABBYY will, if technically possible, de-identify or, if required and to the extent technically feasible, delete Personal Data in accordance with the relevant retention periods or otherwise as required or permitted by this DPA or the Terms or under applicable laws.
d. Exclusive Trial Service provisions. Based on provision 2.5. (f) of the Terms, ABBYY may use personal data for its own R&D purposes which go beyond client instructions under this DPA. In such a case ABBYY becomes an independent data controller. Retention periods set out for Uploaded Data are only applicable for the data processing under the client’s instructions.
e. Authorized User/ End User requests. ABBYY will not independently respond to requests from Client’s Authorized Users/ End Users without Client’s prior written consent, except where required by applicable laws and except for responses to Client’s Authorized Users requests with relation to providing the Service (e.g. Authorized User support or helpdesk).
f. Transfer of Personal Data; appointment. Personal Data that ABBYY Processes on Client’s behalf may be transferred to, and stored and Processed in, the European Union/European Economic Area/Switzerland, the United Kingdom, the United States, Australia. Client consents to appoint ABBYY to perform any such transfer of Personal Data to any such country and to store and Process Personal Data.
g. ABBYY personnel. ABBYY personnel are obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.
h. Subcontractor; transfer. For the purpose of processing of Personal Data specified in this DPA, ABBYY may engage its Affiliates and other companies to provide limited services on its behalf. Any such Subcontractors will be permitted to obtain Personal Data only to deliver the limited services ABBYY has retained them to provide, and they are prohibited from using Personal Data for any other purpose. ABBYY remains responsible for its Subcontractors’ compliance with the obligations of this DPA. Any Subcontractors engaged by ABBYY to carry out specific Processing activities will have obligations requiring the proper level of data protection with respect to Personal Data. Client consents to Processing of Personal Data by ABBYY’s Subcontractors as described in this DPA.
2. Responsibilities of the Client
Client must comply with all Data Protection Laws related to its use of the Service and Personal Data. Client is wholly responsible for implementing and maintaining privacy protections and security measures within the Client’s infrastructure. Client must have sufficient legal basis under the Data Protection Laws for Processing Personal Data and any other information of Authorized Users or any other party to provide such Personal Data and information to ABBYY in the course of using the Service in order to permit the processing of such data by ABBYY and ABBYY Affiliates, subcontractors and service providers as contemplated by this DPA. Client agrees that, other than ABBYY’s legal obligations as a processor of Personal Data, Client is solely responsible for complying with any laws, treaties, or regulations in connection with its collection, uploading, use, transfer and other control of any Personal Data, including personal or confidential data, and shall defend, indemnify, and hold harmless ABBYY, its Affiliates, subcontractors and service providers from and against any and all liabilities, obligations, claims, damages, fines, penalties, assessments, costs and expenses (including court costs, reasonable costs of investigation and reasonable attorneys’ fees and expenses) incurred by ABBYY, its Affiliates, subcontractors and service providers arising out of or in connection with Personal Data and/or Client’s use of Service alone or in combination with anything else violates the applicable legislation, this DPA or damages a third party.
ABBYY has implemented and will maintain for the Personal Data appropriate technical, administrative and physical security measures as provided by Data Protection Laws to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Client is responsible for implementing and maintaining security within the Client’s infrastructure.
4. Order of precedence
If there is a conflict between any provision in this DPA and any provision in Annex 1 to the DPA, Annex 1 shall control. If there is a conflict between any provision in this DPA and any provision in the Terms, this DPA shall control. Notwithstanding the foregoing, the Terms and the terms of this DPA apply only between the parties and do not confer any rights to any third-party data subjects.
5. Entire Agreement
Except for changes made by this DPA, the Terms remain unchanged and in full force and effect.
6. Term and Termination
This DPA will terminate simultaneously and automatically with the termination of the Terms unless otherwise required under Data Protection Laws.
This DPA shall be governed by the laws of the same jurisdiction stated in the Terms for governing the Terms, unless otherwise required by Data Protection Laws. To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction.
GDPR ADDENDUM to DPA (hereinafter GDPR ADDENDUM)
The Parties are entering into this GDPR Addendum in order to comply with their respective obligations under Article 28 of GDPR.
1. ABBYY is a data Processor with respect to the “Personal Data” (as defined under the GDPR/ any other EEA data protection laws (together the “European Data Protection Laws”)) provided to or submitted to ABBYY in the context of using the Service and through the use of the Service by, or on behalf of, Client under the Terms. Client is a Controller (as defined in GDPR). In some circumstances, Client may be a Processor, in which case Client appoints ABBYY as Client’s Sub-processor, which shall not change the obligations of either Client or ABBYY under this DPA, as ABBYY will always remain a Processor with respect to the Client in such event.
2. The categories of Personal Data and data subjects are set out in paragraph 8 of this GDPR Addendum.
3. ABBYY shall be entitled, with the Client’s general authorization, to engage Sub-processors to process any Personal Data. ABBYY shall, at all times, remain liable for the acts and omissions of the sub-processors as regards the processing of the Personal Data.
4. ABBYY shall (and shall procure that its Sub-processors shall) comply with European Data Protection Laws as applicable to data Processors and shall also comply with the following provisions:
4.1. process the Personal Data only on instructions of the Client and in accordance with the Terms;
4.2. keep the Personal Data confidential;
4.3. taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of processing, implement appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risks of processing;
4.4. use the Personal Data obtained as a result of the Terms to provide the Service to Client. This may include any Processing initiated by Client in its use of the Product and the other purposes described in the DPA.
4.5. notify the Client without undue delay on becoming aware of a personal data breach as defined under applicable European Data Protection Laws;
4.6. taking into account the nature of the Processing, implement appropriate technical and organizational measures, so far as possible, to provide reasonable assistance with requests of Client to fulfil its obligations of providing to data subjects restriction, anonymisation, deletion and/or rectification of or access to their Personal Data under the European Data Protection Laws; and
4.7. allow the Client the right to audit its processing operations, systems and/or facilities where reasonably required by the Client to assess ABBYY’s compliance with this Addendum and upon the agreed appointment of an auditor (at the Client’s costs) or, at the Client’s option, co-operate with reasonable requests of the Client for information to demonstrate ABBYY’s compliance with this Addendum.
5. On the termination of the Terms, and subject to the DPA and per Client’s specific and written request, ABBYY shall return all copies of the Personal Data to the Client or delete all copies of the Personal Data subject to applicable legal obligations on ABBYY to retain any such documents containing Personal Data.
6. ABBYY shall not transfer Personal Data outside the European Economic Area without the prior written consent of the Client or where a permitted derogation or safeguard under the GDPR applies. The Client has authorised ABBYY’s transfers of Personal Data as follows: to its affiliates and current subcontractors engaged by ABBYY, and ABBYY shall be entitled to process Personal Data pursuant to an adequate safeguard under Art. 46 GDPR including, but not limited to, execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards. In the event of using the SCC, Client hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between ABBYY and Sub-processors. ABBYY will enforce the SCC against Sub-processors on behalf of the Client if a direct enforcement right is not available under Data Protection Laws.
7. This GDPR Addendum is governed by and construed in accordance with the laws of the Terms.
8. Categories of Personal Data, data subjects and purpose of Processing:
8.1. The purpose of the data Processing by ABBYY is the provision of the services to Client. ABBYY provides for Client’s use the FlexiCapture Cloud Web-service.
8.2. The following types/categories of data are processed:
• Documents, images, and other files that were uploaded to the Service (to the extent that these comprise Personal Data), e.g. name, contact information.
Neither Client nor Authorized Users shall use the Service to process Special Categories of Personal Data about (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor will Client/Authorized Users process or give instructions to process any information about criminal convictions and offences.
Client is liable for any Personal Data that is provided or otherwise made available to ABBYY in excess of the categories of data described above ("Excess Data"). ABBYY’s obligations under the Terms shall not apply to any such Excess Data.
8.3. The Categories of data subjects comprise:
• Client’s Employees
• Authorized Users
• End Users
• Other data subjects about whom Personal Data was provided by the Client/Authorized Users/ End Users as a part of Uploaded Data.
8.4. Types of the data processing operations: