Data processing agreement
Data Controller and Data Processor are hereinafter collectively referred to as "Parties"
and separately as a "Party".
DATA PROCESSING AND OBLIGATIONS OF THE DATA PROCESSOR
- Data Processor shall process personal data on behalf of Data Controller in
relation to Data Processor's provision of an online solution for easy indoor
climate monitoring and control by processing indoor climate data from Data
Controller.
- Personal data being processed by the Data Processor relates to employees and
occupants of monitored buildings (such as pupils and teachers in a school)
and includes in particular:
- Ordinary non-sensitive personal data, including information on
location and whether the data subjects are close to the sensors; and
- Sensitive personal data, including data concerning health.
- In pursuance of Regulation (EU) 2016/679 of 27 April 2016 ("General Data
Protection Regulation") the Data Controller has the following obligations
and rights:
- Data Controller is responsible for ensuring that the processing of
personal data takes place in accordance with applicable data
protection laws and this Data Processing Agreement.
- Data Controller has the obligation to make decisions about the
purposes and the means by which the processing of personal data
takes place.
- Data Controller shall ensure that the processing of personal data,
which Data Processor is instructed to carry out, is legal, including
that the processing is based on a legal basis pursuant to applicable
data protection laws.
- In pursuance of the General Data Protection Regulation, Data Processor
shall comply with all requirements incumbent on Data Processor as set out in
the General Data Protection Regulation:
- Data Processor shall process personal data on behalf of the Data
Controller and may only process personal data on documented
instructions from Data Controller unless required to do so by the
European Union or member state law to which Data Processor is
subject. In that case Data Processor must notify Data Controller of
such legal requirement before the processing unless the relevant
laws prohibit such notification on important grounds of public
interest.
- Data Processor must immediately notify Data Controller if, in Data
Processor's opinion, an instruction from Data Controller is contrary
to the applicable data protection legislation in force from time to
time. In such cases the Parties shall in good faith aspire to find a
solution in accordance with applicable data protection laws.
- Data Processor must ensure that the persons it has authorised to
process personal data on behalf of the Data Controller under this
data processing agreement ("Data Processing Agreement") have either
committed themselves to confidentiality or are subject to a proper
statutory duty of confidentiality.
- Data Processor shall take all measures required pursuant to Article
32 of the General Data Protection Regulation in relation to security
of the processing.
- Taking into account the nature of the processing, Data Processor
shall assist Data Controller by appropriate technical and
organisational measures with the fulfilment of Data Controller's
obligation to respond to requests for exercising the data subject's
rights laid down in the General Data Protection Regulation.
- Taking into account the nature of processing and the information
available to Data Processor, Data Processor warrants that it will
assist Data Controller in ensuring compliance with any of Data
Controller's obligations pursuant to the General Data Protection
Regulation, including Article 32 (Security of processing), Articles
33-34 (Notification and communication of a personal data breach),
and potential obligations under Article 35 and Article 36 (Data
protection impact assessment and Prior consultation) of the General
Data Protection Regulation.
- The Parties agree that at the termination of the data processing,
Data Processor shall, at the choice of Data Controller, either (i)
return all data processed to Data Controller, or (ii) delete all
data processed and any copies thereof, unless European Union and/or
member state law requires storage of such personal data.
- Data Processor shall, upon request from Data Controller, provide
access to all necessary information in order for Data Controller to
ensure compliance with the obligations laid down in the General Data
Protection Regulation. Data Processor shall also allow for, and
contribute to, supervisions and audits, including inspections,
conducted by Data Controller or an auditor mandated by Data
Controller.
TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY
By signing this Data Processing Agreement, Data Controller accepts that Data
Processor may transfer personal data to a country outside the EEA. Data
Processor will be required to ensure that such transfer is at all times lawful,
including that there is an adequate level of protection pursuant to the General
Data Protection Regulation, prior to the transfer of personal data to a country
outside the EEA. The same obligation applies in relation to Data Processor's use
of sub-processors in third countries, cf. clause 3 in this Data Processing
Agreement.
SUB-PROCESSING
- By signing this Data Processing Agreement, Data Controller authorises the Data Processor to
engage sub-processors to assist with the performances of the Data Processor. At the time of
signing this Data Processing Agreement, Microsoft Ireland Operations Limited, One Microsoft
Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 is engaged as
sub-processor(s).
- In case of replacements or engagements of new sub-processors, Data Processor shall, where
possible, notify Data Controller no less than seven (7) calendar days prior to the change. If
Data Controller wishes to object against the change, Data Controller shall state so within five
(5) calendar days after receiving the notification of the Data Processor. The objection of the
Data Controller must be well-founded. Absence of any objections from Data Controller shall be
deemed a consent to the sub-processing.
- Data Processor warrants and ensures that the sub-processing is lawful and that any and all
sub-processors undertake and are subject to the same terms and obligations as Data Processor as
set out in this Data Processing Agreement. Should the sub-processors not comply with their
obligations, Data Processor shall remain responsible towards Data Controller for all acts and
omissions of its sub-processors.