Data Processing Addendum
Effective Date: 30 June, 2022
1.1. This Data Processing Addendum (hereinafter "DPA") applies to ABBYY TERMS AND CONDITIONS FOR PROFESSIONAL SERVICES ("Agreement").
1.2. This DPA sets out the additional terms, requirements and conditions on which ABBYY will process Personal Data for the purpose of its obligations under the Agreement.
1.3. ABBYY means ABBYY legal entity that a party to the Agreement, meaning that it is ABBYY Europe GmbH, a company duly incorporated under the laws of Germany with principal offices located at Landsberger Str. 300, 80687 Munich, Germany, or ABBYY UK Limited, a company duly incorporated under the laws of England and Wales with principal offices located at Centrum House, 36 Station Road, Egham, Surrey, TW20 9LF, UK (hereinafter "ABBYY"). Client means a customer of ABBYY's professional services (hereinafter "Customer").
1.4. General terms of business of the Client shall only apply if and insofar as ABBYY has explicitly accepted them in writing. Any references of ABBYY to correspondence from the Client containing or referring to the Client's general terms of business shall not constitute ABBYY's acceptance of the applicability to the contract of such general terms of business.
2.1. "Controller" has the same meaning under the Data Protection Laws.
2.2. "Data Subject" means the individual to whom Personal Data relates.
2.3. "Data Protection Laws" means all applicable laws governing the protection of Personal Data including, but not limited to, the General Data Protection Regulation 2016/679 ("GDPR") and all other laws implementing or supplementing the GDPR (e.g., the German Federal Data Protection Act 2017 ("BDSG"), the Data Protection Act 2018, UK GDPR). Where applicable references to "GDPR" shall mean "UK GDPR".
2.4. "Processing" means processing of Personal Data as defined under the Data Protection Laws, including the storage, amendment, transfer, blocking or erasure of personal data by the Processor acting on behalf of the Client.
2.5. "Processor" has the same meaning under the Data Protection Laws.
2.6. "Instruction" means the written instruction, issued by Client to ABBYY, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available). Instructions shall initially be specified in the Agreement and may, from time to time, thereafter, be amended, amplified or replaced by Client in separate written instructions (individual instructions).
2.7. "Personal Data Breach" a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
2.8. "Standard Contractual Clauses", "EU SCCs" – means the standard contractual clauses pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or (if applicable) any future clauses issued by the EU for the transfer of personal data to non-EU (sub)processors, and replacing or modifying the clause in the wording as issued by the EU.
2.9. UK Addendum means the International Data Transfer Addendum to the EU SCC issued by the UK Information Commissioner under section 119A (1) Data Protection Act 2018.
2.10. A reference to writing or written includes faxes and email.
2.11. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail, unless other is not explicitly specified in writing in the Agreement.
3. Scope and Responsibility
3.1. The Client and ABBYY acknowledge that for the purpose of the Data Protection Laws, the Client is the controller and ABBYY is the Processor. In some circumstances, Client may be a Processor, in which case Client appoints ABBYY as Client's Sub-processor, which shall not change the obligations of either Client or ABBYY under this DPA, as ABBYY will always remain a Processor with respect to the Client in such event.
3.2. Client retains control of the Personal Data and remains responsible for its compliance with its obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents for the lawful processing of Personal Data made available to
or otherwise transferred to ABBYY, and for the processing instructions it gives to ABBYY.
3.3. ABBYY shall process Personal Data on behalf of Client. Processing shall include such actions as
may be specified in the Agreement and in the Statement of Work. Within the scope of the Agreement, Client shall be solely responsible for complying with the statutory requirements relating to the lawfulness of the data Processing. Purpose of processing: performance of the Agreement (implementation and quality checks purposes in Client's projects).
3.4. Based on this responsibility, Client shall be entitled to request that ABBYY, subject to the Data Protection Laws, rectifies, deletes, blocks and makes available Personal Data during and after the term of the Agreement at Client's cost. ABBYY shall promptly comply with any of Client's request or instruction requiring ABBYY to amend, transfer, delete or otherwise process the Personal Data,
or to stop, mitigate or remedy any unauthorized Processing.
3.5. The provisions of this DPA shall also apply if testing or maintenance of automatic processes or of Processing equipment is performed on behalf of Client.
3.6. ABBYY may use Personal Data for developing and improving ABBYY's products (“R&D Purposes”). These R&D Purposes may also include troubleshooting and maintenance aimed at preventing, detecting and repairing problems affecting the operation of ABBYY products and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam) as well as upgrading and updating ABBYY products. ABBYY may engage its affiliates and other companies to perform such processing. Upon expiration or termination of the Agreement, Client grants ABBYY rights to continue to keep and process Personal Data for R&D Purposes.
4. ABBYY's obligations
4.1. ABBYY shall process Personal Data only within the scope of Client's Instructions as set-out in this Agreement, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the ABBYY is subject. In this case, the ABBYY shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2. ABBYY will, insofar this is possible, by appropriate technical and organizational measures, reasonably assist Client with meeting Client's compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Laws (particularly the Data Subject's Rights stated in Chapter 3 of the UK GDPR and related to Data Subject's requests), taking into account the nature of data Processing. Taking into account the nature of Processing and any information available to ABBYY, ABBYY will further assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 the UK GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Data Protection Laws. In a situation where, requested level of assistance will be excessive or unreasonably burdensome for ABBYY, any such assistance will be exercised at Client's cost.
4.3. ABBYY shall implement appropriate technical and organizational measures required pursuant to Article 32 the UK GDPR with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to taking reasonable steps to achieve the following:
A) the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
B) the prevention of Personal Data Processing systems from being used without authorization (logical access control),
C) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
D) Persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
E) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
F) the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems, (entry control),
G) Personal Data Processed are Processed in accordance with the Instructions (control of instructions),
H) Personal Data collected for different purposes can be processed separately (separation control).
A measure as referred to in lit. (a) to (h) above shall be in particular, but shall not be limited to, the use of appropriate encryption technology.
4.4. Contact information:
ABBYY UK Limited
70 Gracechurch Street, 3rd Floor, London, EC3V 0HR, UK
Phone: +44 870 6000 231 Email: firstname.lastname@example.org
Attn. Legal Department, or
ABBYY Europe GmbH
Landsberger Str. 300, 80687 Munich, Germany
Phone: +49-89-69 33 330 Email: email@example.com
Attn. Legal Department
Client's Notification Email Address is the e-mail address specified specified in the applicable Quote or SoW. “Notification Email Address” means the email address (if any) designated by Client to receive certain notifications from ABBYY relating to this DPA.
4.5. If applicable, Client shall retain title as to any carrier media provided to ABBYY as well as any copies or reproductions thereof. ABBYY shall store such media safely and protect them against unauthorized access by third parties. ABBYY shall, upon Client's request, provide to Client all information on Client's Personal Data and information. ABBYY shall be obliged to securely delete any test and scrap material based on an Instruction issued by Client on a case-by-case basis. Where Client so decides, ABBYY shall hand over such material to Client or store it on Client's behalf.
4.6. ABBYY shall provide reasonable assistance to the Client with any data protection impact assessment which the Client is required to undertake in order to Comply with Articles 35 and 36 of the UK GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the Processing and information available to ABBYY and shall make available to Client on request such information as is reasonably necessary to demonstrate its compliance with this DPA and its obligations under Article 28 of the UK GDPR and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client for the purpose of demonstrating compliance by ABBYY with its obligations under Data Protection Laws in respect of the Personal Data. ABBYY may object to the deployment of a specific auditor if such auditor (i) is not subject to confidentiality regarding the results of such audit (except vis-a-vis ABBYY and Client), (ii) is a competitor of ABBYY, (iii) is affiliated with a competitor of ABBYY.
5. Client's obligations
5.1. Client shall be separately responsible for conforming with such statutory data protection regulations including the Data Protection Laws as are applicable to it and shall ensure that the Personal Data may lawfully be processed by ABBYY under this Agreement.
5.2. Client shall inform ABBYY without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data detected during a verification of the results of such Processing or otherwise arising following the date of this DPA.
5.3. Client shall be obliged to maintain the register as defined in Article 30 of the UK GDPR.
5.4. Client shall be responsible for fulfilling the duties to inform resulting from Articles 33 and 34 of the UK GDPR.
5.5. Client shall promptly notify ABBYY of the exercise of any rights by Data Subjects affecting the Processing of Personal Data by ABBYY.
5.6. Client shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period set by ABBYY, the measures to return data carrier media or to delete stored data.
5.7. Any additional cost arising out of ABBYY's performance under Instructions outside the Agreement's scope of work or otherwise not contemplated by this DPA shall be borne by Client.
6. Audit Obligations
6.1. ABBYY shall provide a copy of its most current security report upon Client's written request and subject to the confidentiality provisions of the Agreement. If Client requires additional firstname.lastname@example.org to request an on-site audit of the architecture, systems and procedures relevant to the protection of Client Personal Data that are controlled by ABBYY. Notwithstanding of the above, if an audit is excessive or unreasonably burdensome for ABBYY, then Client shall reimburse ABBYY for such excessive or unreasonably burdensome audit at ABBYY's then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, Client and ABBYY will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. Client shall promptly notify ABBYY with information regarding any non-compliance discovered during the course of an audit.
7.1. Client agrees that ABBYY may engage ABBYY's Affiliates and third-party Sub-processors (collectively, "Sub-processors") to Process the Personal Data on ABBYY's behalf. Client acknowledges that ABBYY's contractual obligations hereunder, or the parts of the services, will be performed by a subcontractor and consents to use of Sub-processors to fulfil its contractual obligations under the Agreement. ABBYY Sub-processors approved by Client under Agreement are listed at this link: List of approved Sub-processors
7.2. ABBYY undertakes to enter into a written agreement with its Sub-processors and will contain data protection obligations that are no less protective than those contained in this DPA ABBYY will remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the Sub-processors.
7.3. ABBYY may, by giving no less than thirty (30) days' notice to Client via publishing list of Sub-processors at the dedicated webpage, add the Sub-processors. Client may object to the appointment of an additional Sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case ABBYY shall have the right to cure the objection through one of the following options (to be selected at ABBYY's sole discretion):
A) ABBYY will cancel its plans to use the Sub-processor with regard to Personal Data or will offer an alternative to fulfil its obligations under the Agreement without such Sub-processor; or
B) ABBYY will take the corrective steps requested by Client in its objection (which remove Client's objection) and proceed to use the Sub-processor with regard to Personal Data; or
C) ABBYY may cease to provide services under the Agreement or Client may agree not to use (temporarily or permanently) ABBYY's services obligations under the Agreement that would involve the use of such Sub-processor with regard to Personal Data, subject to a mutual agreement of the parties to adjust the remuneration for the Agreement considering the reduced scope of the Agreement.
7.4. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after ABBYY's receipt of Client's objection, either party may terminate the Agreement.
7.5. ABBYY may replace a Sub-processor if the need for the change is urgent and necessary to fulfil its obligations under the Agreement and the reason for the change is beyond ABBYY's reasonable control. In such instance, ABBYY shall notify Client of the replacement as soon as reasonably practicable, and Client shall retain the right to object to the replacement Sub-processor pursuant to the abovementioned.
8. Data Breach
8.1. ABBYY will without undue delay notify Client if it becomes aware of any Personal Data Breach in accordance with applicable Data Protection Laws.
8.2. Immediately following any Personal Data Breach, the parties will coordinate with each other to investigate the matter. ABBYY will reasonably co-operate with Client in Client's handling of the matter.
8.3. ABBYY will not inform any third party of any Personal Data Breach without first obtaining Client's prior written consent, except when required to do so by Data Protection Laws or any other applicable Union or Member State laws.
8.4. ABBYY will cover all reasonable expenses associated with the performance of the obligations under this section 8 unless the matter arose from Client's specific instructions, negligence, willful default or breach of this Agreement, in which case Client will cover all reasonable expenses.
8.5. ABBYY will also reimburse Client for actual reasonable expenses that Client incurs when responding to a Personal Data Breach to the extent that ABBYY caused such a Personal Data Breach, including all costs of notice and any remedy.
9.1. Where Client's Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed, ABBYY shall inform Client without undue delay. ABBYY shall, without undue delay, notify to all pertinent parties in such action, that any Personal Data affected thereby is in Client's sole property and area of responsibility that Personal Data is at Client's sole disposition.
9.2. To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the same jurisdiction stated in the Agreement for governing the Agreement.
9.3. The term of this DPA shall follow the term of the Agreement. Upon termination or expiration of the Agreement, if requested by Client in writing and to the extent technically feasible, ABBYY will delete or de-identify Personal Data within the reasonable amount of time save to the extent ABBYY is required by any applicable Data Protection Laws to retain some or all of the Personal Data.
9.4. ABBYY may act as a Data Controller in the following cases:
- When processing the professional contact details of the Client’s employees and contractors it deals with in the context of the Agreement for the purposes of client/contract management and negotiation;
- When the processing is necessary for compliance with a regulatory obligation to which the processing party is subject to; and
- When processing Personal Data for its legitimate business interests (such as billing; account management and administration; operational communication; product support; R&D Purposes; IT management (activities related to managing the operability, availability and security of a particular product, service or IT system)
The parties acknowledge that, in relation to the above-mentioned processing of personal data, each party will be free to determine the lawful purpose and the means of such processing and therefore will act as separate data controller. In no event will this Clause imply that the parties can be considered joint controllers.
10. International Data Transfers
10.1. ABBYY is authorized to process Personal Data itself as well as including its engagement of Sub-processors in accordance with this DPA outside the country in which the Client is located including countries where the data protection may not be as stringent in the country of Client's domicile or registered address or the EEA, Switzerland or UK.
10.2. ABBYY shall process Personal Data outside of the EEA, Switzerland or UK as permitted under the Data Protection Laws as follows:
(i) the Personal Data of an EEA, UK or Swiss based Client is processed in a country outside the EEA, Switzerland, UK (a “third country”) that is determined by the European Union to have adequate level of data protection under Art. 45 the UK GDPR; or
the Personal Data of Client is processed in a third country pursuant to adequate safeguards under Art. 46 the UK GDPR including, but not limited to execution of Standard Contractual Clauses or an approved code of conduct or an approved certification mechanism.
(ii) ABBYY has valid and actual Processor-to-Processor SCCs in place with all sub-processors located outside the European Economic Area where required. or another country accepted by the European Union as adequate in accordance with Art. 45 GDPR. Where personal data is transferred from the UK to a third country in the absence of other safeguards provided by art. 46 of the UK GDPR, ABBYY has UK Addendum that apply in addition to the EU SCCs, in respect of such transfers with its sub-processors.
11. List of Personal Data elements and Purpose
11.1. Purpose of the processing: for the purpose of performance of the Agreement.
11.2. Nature of the processing (includes, but not limited to):
11.3. Data types/categories that may be processed by ABBYY (not closed list, excluding special categories of data):
- Contact Data
- Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest)
- Customer History
- Contract Billing and Payments Data
- Disclosed Information from third parties, e.g. names, addresses, telephones, emails
- Financial Data, e.g. account numbers
Client should not instruct ABBYY to process any information about criminal convictions and offences or other special categories of data of personal data. Client shall be liable for any Personal Data that is provided or otherwise made available to ABBYY in excess of the categories of data described above ("Excess Data"). ABBYY obligations under the Agreement of this DPA shall not apply to any such Excess Data.
11.4. Data Subjects categories that may be processed by ABBYY (not closed list):
- Contact Persons
- Potential Customers
- Client’s Employees
- Suppliers and Contractors
- Other Data Subjects about whom information included in Sample Data provided by the Client