Data processing agreement

Data Controller and Data Processor are hereinafter collectively referred to as "Parties" and separately as a "Party".
  1. DATA PROCESSING AND OBLIGATIONS OF THE DATA PROCESSOR
    1. Data Processor shall process personal data on behalf of Data Controller in relation to Data Processor's provision of an online solution for easy indoor climate monitoring and control by processing indoor climate data from Data Controller.
    2. Personal data being processed by the Data Processor relates to employees and occupants of monitored buildings (such as pupils and teachers in a school) and includes in particular:
      • Ordinary non-sensitive personal data, including information on location and whether the data subjects are close to the sensors; and
      • Sensitive personal data, including data concerning health.
    3. In pursuance of Regulation (EU) 2016/679 of 27 April 2016 ("General Data Protection Regulation") the Data Controller has the following obligations and rights:
      • Data Controller is responsible for ensuring that the processing of personal data takes place in accordance with applicable data protection laws and this Data Processing Agreement.
      • Data Controller has the obligation to make decisions about the purposes and the means by which the processing of personal data takes place.
      • Data Controller shall ensure that the processing of personal data, which Data Processor is instructed to carry out, is legal, including that the processing is based on a legal basis pursuant to applicable data protection laws.
    4. In pursuance of the General Data Protection Regulation, Data Processor shall comply with all requirements incumbent on Data Processor as set out in the General Data Protection Regulation:
      • Data Processor shall process personal data on behalf of the Data Controller and may only process personal data on documented instructions from Data Controller unless required to do so by the European Union or member state law to which Data Processor is subject. In that case Data Processor must notify Data Controller of such legal requirement before the processing unless the relevant laws prohibit such notification on important grounds of public interest.
      • Data Processor must immediately notify Data Controller if, in Data Processor's opinion, an instruction from Data Controller is contrary to the applicable data protection legislation in force from time to time. In such cases the Parties shall in good faith aspire to find a solution in accordance with applicable data protection laws.
      • Data Processor must ensure that the persons it has authorised to process personal data on behalf of the Data Controller under this data processing agreement ("Data Processing Agreement") have either committed themselves to confidentiality or are subject to a proper statutory duty of confidentiality.
      • Data Processor shall take all measures required pursuant to Article 32 of the General Data Protection Regulation in relation to security of the processing.
      • Taking into account the nature of the processing, Data Processor shall assist Data Controller by appropriate technical and organisational measures with the fulfilment of Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in the General Data Protection Regulation.
      • Taking into account the nature of processing and the information available to Data Processor, Data Processor warrants that it will assist Data Controller in ensuring compliance with any of Data Controller's obligations pursuant to the General Data Protection Regulation, including Article 32 (Security of processing), Article 33-34 (Notification and communication of a personal data breach), and potential obligations under Article 35 and Article 36 (Data protection impact assessment and Prior consultation) of the General Data Protection Regulation.
      • The Parties agree that at the termination of the data processing, Data Processor shall, at the choice of Data Controller, either (i) return all data processed to Data Controller, or (ii) delete all data processed and any copies thereof, unless European Union and/or member state law requires storage of such personal data.
      • Data Processor shall, upon request from Data Controller, provide access to all necessary information in order for Data Controller to ensure compliance with the obligations laid down in the General Data Protection Regulation. Data Processor shall also allow for, and contribute to, supervisions and audits, including inspections, conducted by Data Controller or an auditor mandated by Data Controller.
  2. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY

    By signing this Data Processing Agreement, Data Controller accepts that Data Processor may transfer personal data to a country outside the EEA. Data Processor will be required to ensure that such transfer is at all times lawful, including that there is an adequate level of protection pursuant to the General Data Protection Regulation, prior to the transfer of personal data to a country outside the EEA. The same obligation applies in relation to Data Processor's use of sub-processors in third countries, cf. clause 3 in this Data Processing Agreement.

  3. SUB-PROCESSING
    1. By signing this Data Processing Agreement, Data Controller authorises the Data Processor to engage sub-processors to assist with the performances of the Data Processor. At the time of signing this Data Processing Agreement, Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521 is engaged as sub-processor(s).
    2. In case of replacements or engagements of new sub-processors, Data Processor shall, where possible, notify Data Controller no less than seven (7) calendar days prior to the change. If Data Controller wishes to object against the change, Data Controller shall state so within five (5) calendar days after receiving the notification of the Data Processor. The objection of the Data Controller must be well-founded. Absence of any objections from Data Controller shall be deemed a consent to the sub-processing.
    3. Data Processor warrants and ensures that the sub-processing is lawful and that any and all sub-processors undertake and are subject to the same terms and obligations as Data Processor as set out in this Data Processing Agreement. Should the sub-processors not comply with their obligations, Data Processor shall remain responsible towards Data Controller for all acts and omissions of its sub-processors.

Contact

Climify ApS
Lyngby Hovedgade 94 st. th.
2800 Kgs. Lyngby, Denmark

© Climify 2020 -