This Data Processing Addendum specifies the data protection obligations of the parties, which arise from contract data processing on behalf of the Client, as stipulated in the ABBYY Cloud Service Agreement available through https://www.abbyy.com/legal/cloud-terms-of-service/ or other agreement between the Client and ABBYY governing the Client’s use of the ABBYY Services (the “Agreement”). It applies to all activities performed in connection with the Agreement in which the ABBYY staff or a third party acting on behalf of ABBYY may come into contact with Personal Data of the Client. All capitalized terms used herein and not otherwise defined herein shall have the meanings ascribed to such terms in the Agreement.
The following definitions are used in this DPA:
“ABBYY” in this DPA means the same ABBYY legal entity that is a party to the Agreement.
“Data Protection Laws” means any applicable law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, relating to data security, data protection and/or privacy.
“Client” refers to and includes any person and/or any entity that is entering into the Agreement.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of such data.
“GDPR Addendum” means the addendum that meets the requirements of Article 28 of the GDPR.
“Processing” means any operation or a set of operations performed on the Personal Data including, but not limited to the storage, amendment, transfer, blocking or erasure of Personal Data.
“Sub-processor” or “Subcontractor” means any third party engaged by ABBYY or ABBYY Affiliate, or any ABBYY Affiliate who is not a party to this DPA, to perform Processing of the Personal Data.
2. Personal Data
2.1. Privacy practices. ABBYY shall comply with applicable Data Protection Laws generally applicable to ABBYY’s provision of the Service. However, ABBYY is not responsible for compliance with Data Protection Laws applicable to Client or its industry and not generally applicable to information technology service providers or providers using critical infrastructure (e.g. financial or credit institutions, health and safety institutions, professional unions or associations, religious organizations). Client shall comply with its own obligations under applicable Data Protection Laws including, but not limited to, its use of the Service and the transfer of Personal Data to ABBYY and any ABBYY Affiliate and Subcontractor. Personal Data is protected under the European Data Protection Laws (GDPR / any other UK, Swiss or EEA data protection laws) and processed in accordance with this DPA (including GDPR Addendum to Universal DPA available at https://www.abbyy.com/legal/cloud-terms-of-service/dpa-universal-gdpr/ in accordance with the Agreement, if applicable).
2.2. Personal Data. ABBYY will process Personal Data in accordance with the provisions of this DPA and, except as stated in the Agreement, ABBYY will not use or disclose Personal Data for any purpose other than stated in this DPA. Client instructs ABBYY to Process Personal Data as follows:
i. Personal Data will be used to provide the Service to the Client. This may include any Processing initiated by the Client in its use of the Service. This may also include troubleshooting or technical support and maintenance aimed at preventing, detecting and repairing problems affecting the operation of the Service and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam) as well as upgrading, updating, training and improvement of the Service.
ii. To comply with the Client’s other reasonable instructions to the extent they are consistent with the Agreement.
iii. ABBYY will not disclose Personal Data to a third party (including law enforcement, other government entity, or civil litigant; excluding Subcontractors) except as Client directs or unless required or permitted by the Agreement, this DPA or by law or to ABBYY Subcontractors and ABBYY Affiliates. Should a third party contact ABBYY with a request for Personal Data, ABBYY will attempt to redirect the third party to request it directly from Client. As a part of that, ABBYY may provide Client’s basic contact information to the third party. If compelled to disclose Personal Data to a third party, ABBYY will use commercially reasonable efforts to notify Client in advance of a disclosure unless such notification is legally prohibited.
2.3. Personal Data deletion or return. Upon expiration or termination of Client’s use of the Service, Client may receive Personal Data stored and ABBYY will, if technically possible, de-identify or, if required and to the extent technically feasible, delete Personal Data in accordance with the relevant retention periods or otherwise as required or permitted by this DPA or the Agreement or under applicable laws.
2.4. Exclusive Trial Skills and Royalty-free Skills provisions in ABBYY Vantage and Trial Service provisions. Based on section 2.5. (f) of the Agreement, ABBYY may use Personal Data for its own R&D purposes. Retention periods set out for Uploaded Data are only applicable for the data processing under the Client’s instructions.
2.5. Authorized User/ End User requests. ABBYY will not independently respond to requests from Client’s Authorized Users/ End Users without Client’s prior written consent, except where required by applicable laws and except for responses to Client’s Authorized Users requests with relation to providing the Service (e.g., Authorized User support or helpdesk).
2.6. Transfer of Personal Data; appointment. Personal Data that ABBYY Processes on Client’s behalf may be transferred to, and stored and processed in the European Union/European Economic Area/Switzerland, the United Kingdom, the United States, Australia, Japan. Client consents to appoint ABBYY performing any such transfer of Personal Data to any such country and to store and Process Personal Data.
2.7. ABBYY personnel. ABBYY personnel are obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.
2.8. Subcontractor; transfer. For the purpose of processing of Personal Data specified in this DPA, ABBYY may engage its Affiliates and other companies to provide limited services on its behalf. Any such Subcontractors will be permitted to obtain Personal Data only to deliver the limited services ABBYY has retained them to provide, and they are prohibited from using Personal Data for any other purpose. ABBYY remains responsible for its Subcontractors’ compliance with the obligations of this DPA. Any Subcontractors engaged by ABBYY to carry out specific Processing activities will have obligations requiring the proper level of data protection with respect to Personal Data. Client consents to Processing of Personal Data by ABBYY’s Subcontractors as described in this DPA.
3. Responsibilities of the Client
Client must comply with all Data Protection Laws related to its use of the Service and Personal Data. Client is wholly responsible for implementing and maintaining privacy protections and security measures within the Client’s infrastructure. Client must have sufficient legal basis under the Data Protection Laws for Processing Personal Data and any other information of Authorized Users or any other party to provide such Personal Data and information to ABBYY in the course of using the Service in order to permit the processing of such data by ABBYY and ABBYY Affiliates, subcontractors and service providers as contemplated by this DPA. Client agrees to comply with additional terms set out in the Agreement in relation to End User consent for data processing in ABBYY Proof of Identity. Client agrees that, other than ABBYY’s legal obligations as a processor of Personal Data, Client is solely responsible for complying with any laws, treaties, or regulations in connection with its collection, uploading, use, transfer and other control of any Personal Data, including personal or confidential data, and shall defend, indemnify, and hold harmless ABBYY, its Affiliates, subcontractors and service providers from and against any and all liabilities, obligations, claims, damages, fines, penalties, assessments, costs and expenses (including court costs, reasonable costs of investigation and reasonable attorneys’ fees and expenses) incurred by ABBYY, its Affiliates, subcontractors and service providers arising out of or in connection with Personal Data and/or Client’s use of Service alone or in combination with anything else violates the applicable legislation, this DPA or damages a third party.
ABBYY has implemented and will maintain for the Personal Data appropriate technical, administrative and physical security measures as provided by Data Protection Laws to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Client is responsible for implementing and maintaining security within the Client’s infrastructure.
5. Order of precedence
If there is a conflict between any provision in this DPA and any provision in the GDPR Addendum to the DPA (if applicable in accordance with the Agreement), the GDPR Addendum shall control. If there is a conflict between any provision in this DPA and any provision in the Agreement, this DPA shall control. Notwithstanding the foregoing, the Agreement and the Agreement of this DPA apply only between the parties and do not confer any rights to any third-party data subjects.
6. Entire Agreement
Except for changes made by this DPA, the Agreement remains unchanged and in full force and effect.
7. Term and Termination
This DPA will terminate simultaneously and automatically with the termination of the Agreement unless otherwise required under Data Protection Laws.
This DPA shall be governed by the laws of the same jurisdiction stated in the Agreement for governing the Agreement, unless otherwise required by Data Protection Laws. To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction.