Skip to content

Steward Data Processing Agreement V1

This Data Processing Agreement (“DPA”) supplements the KOBPIU Steward Agreement (“KSA”) between the KOB Consortia and Steward, as may be amended from time to time, and is hereby incorporated by reference into the KSA. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the KSA or in the KOBPIU Governance Framework. In the event of any inconsistency or conflict between this DPA and the KSA, this DPA will govern. This DPA will survive termination of the KSA as long as Steward Processes Personal Data. The KOB Consortia and Steward agree as follows:

1. Definitions.

  1. “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.

  2. “Impermissible Personal Data” means the Personal Data that a Transaction Author writes to the KOBPIU Ledger and that a Steward Processes that is not Permissible Personal Data in accordance with the Transaction Author Agreement.

  3. “Permissible Personal Data” means the Personal Data expressly listed in Schedule 1 that a Transaction Author writes to the KOBPIU Ledger in accordance with the Transaction Author Agreement and that a Steward Processes through the Steward Node.

  4. “Personal Data” means information that relates, directly or indirectly, to a data subject, including without limitation, names, email addresses, postal addresses, identification numbers, location data, online identifiers, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject.

  5. “Process” or “Processing” means any operation or set of operations which is performed on Node Data, whether or not by automated means, such as the access, collection, use, storage, disclosure, dissemination, combination, recording, organization, structuring, adaption, alteration, copying, transfer, retrieval, consultation, disposal, restriction, erasure and/or destruction of Node Data.

  6. “Node Data” means any information which includes any Personal Data that Steward Processes through the Steward Node.

  7. “Security Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Node Data or otherwise affecting Steward’s operation of the Steward Node in compliance with this DPA.

  8. “KOBPIU Governance Framework” means the KOB Foundation’s governance policies and rules available here. (check again)

  9. “Standard Contractual Clauses” means the standard contractual clauses, as agreed by the European Commission, for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, as updated, amended replaced or superseded from time to time by the European Commission. (Check again)

  10. “Subprocessor” means any processor engaged by Steward who will access or receive Personal Data from Steward for Processing.

The terms “controller”, “data subject”, “personal data”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR.

2. Purpose of Processing Personal Data. In connection with performing its services obligations under the KSA (the “Services”) Steward may Process Node Data in accordance with this DPA. Specific details of the Processing activities including categories and type of Node Data that Steward will Process in connection with the KSA are set forth in Schedule 1 (Scope of Processing).

3. Processor and Controller Responsibilities.

  1. The KOB Consortia and Steward agree that the KOB Consortia is the legal entity that serves as the designated data controller for Personal Data written to the KOBPIU Ledger for the purpose of making decisions relating to the architecture, operation and governance of the KOBPIU Network and being the point of contact as explained in Section 3(c) below. Therefore, the parties acknowledge and agree that: (a) Steward is a processor of Node Data under the GDPR and (b) the KOB Consortia is the designated controller of Node Data under the GDPR and will be responsible for the lawfulness of the Processing of such data in compliance with the GDPR and other data privacy laws applicable to it as data controller.

  2. Transaction Authors are independent controllers of any Personal Data they write to the KOBPIU Ledger. Transaction Authors and the KOB Consortia independently determine the purposes and means of Processing Personal Data. In no event will Transaction Authors be deemed joint controllers with the KOB Consortia under Article 26 of the GDPR or deemed to jointly determine and control the purposes and means of Processing Personal Data. The KOB Consortia will provide the list of all other controllers (i.e., Transaction Authors) on behalf of which the Steward Processes Personal Data through the KOBPIU Ledger by referring Stewards to information available on the KOBPIU Ledger.

  3. As an accommodation to Steward, the KOB Consortia shall serve as the administrative coordinator for a Transaction Author’s exercise of its rights and performance of its obligations under the GDPR by serving as a single point of contact for Steward and by obtaining all necessary permissions from the other controllers (i.e., Transaction Authors) for the Processing of the Node Data. Steward shall be discharged of its obligation to inform or notify another Controller when it has provided such information or notice required under the GDPR to the KOB Consortia. Similarly, Steward will serve as a single point of contact for KOB Consortia with respect to its obligations as a processor under this DPA.However, in no event will the KOB Consortia be held liable for the actions or omissions of any Transaction Author arising out of any Personal Data that such Transaction Author writes to the KOBPIU Ledger in breach of the Transaction Author Agreement and the KOBPIU Governance Framework, including but not limited to any Impermissible Personal Data. Notwithstanding the foregoing, if a Transaction Author writes Permissible Personal Data to the KOBPIU Ledger in express compliance with the Transaction Author Agreement and the KOBPIU Governance Framework, the KOB Consortia is responsible for the lawfulness of such Processing once such Permissible Personal Data is written to the KOBPIU Ledger.

4. Steward Responsibilities. Steward will:

  1. Process Node Data only in accordance with the KOBPIU Governance Framework and other lawful documented instructions (“Additional Instruction”) from the KOB Consortia. If Steward notifies KOB Consortia that such other instruction is not feasible, the parties shall work together to find an alternative. If neither the Additional Instruction nor an alternative is feasible, the KOB Consortia may terminate the affected Services pursuant to the KSA. Steward will inform the KOB Consortia if it is aware or reasonably suspects that the KOB Foundation’s instructions regarding the Processing of Node Data may breach the GDPR and may suspend the performance of such instruction until the KOB Consortia has modified the instruction or confirmed its lawfulness in documented form;

  2. ensure that persons authorized to Process the Node Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality even if such Node Data is public or already in the possession of Steward;

  3. promptly notify and reasonably assist the KOB Consortia, if it receives a request from a data subject for access to, correction, amendment, deletion of or objection to the Processing of Node Data relating to such individual;

  4. assist the KOB Consortia, at the KOB Foundation’s request, in complying with the KOB Foundation’s obligations to respond to data subject requests and its compliance regarding Node Data Processed by Steward, to the extent technically feasible given the architecture of the KOBPIU Network taking into account the nature of the Processing and the information available to Steward;

  5. at the direction of the KOB Consortia, cooperate and assist the KOB Consortia in conducting a data protection impact assessment and related consultations with any supervisory authority; and

  6. comply with the GDPR and other data privacy laws applicable to Steward as a processor in Processing the Node Data and in the performance of the Services.

5. Subprocessors. The KOB Consortia generally authorizes the use of Subprocessors to Process Node Data in connection with fulfilling Steward’s obligations under the KSA and/or this DPA; provided that such Subprocessors meet the requirements set forth in the KOBPIU Governance Framework. Steward will remain fully responsible for fulfilment of its obligations under this DPA and will remain the primary point of contact regarding any Processing of Node Data. Steward will be responsible for the acts and omissions of its Subprocessors and anyone else to which the Processing of Node Data or operation of the Node has been delegated by it. Steward will impose contractual obligations on its Subprocessors that are at least equivalent to those obligations imposed on Steward under this DPA. Upon KOB Foundation’s request, KOB Consortia has the right to review and recommend changes to the relevant subprocessing contract between Steward and its 4 Subprocessors, and Steward will reasonably comply with such request. Steward will notify the KOB Consortia in writing (email acceptable) of any proposed changes to its Subprocessors and give the KOB Consortia the opportunity to object to such changes. Within thirty (30) days after Steward notifies the KOB Consortia of the intended change, the KOB Consortia can object to the addition of a Subprocessor on the basis that such addition would cause the KOB Consortia to violate the GDPR or other applicable privacy laws. Such objection shall be in writing and include specific reasons for its objection and reasonable options to mitigate, if any. If the KOB Consortia does not object within such period, the respective Subprocessor will be permitted to Process Node Data. If the KOB Consortia objects to the addition of a Subprocessor in accordance with this Section 5 and Steward cannot reasonably accommodate such objection, Steward will promptly notify it in writing stating in reasonable detail the reason for such inability to accommodate such objection. In such event, the parties shall cooperate in good faith to find a feasible workaround; provided that, if the parties are unable to find a feasible workaround within thirty (30) days of Steward’s notice, then the KOB Consortia may terminate the affected Services as set out in the KSA without any liability to Steward.

6. Data Transfers. For all Stewards not based in the European Economic Area (EEA) (check again), by signing this DPA, each party is deemed to have signed the Standard Contractual Clauses, attached hereto as Schedule 2, with the KOB Consortia, on its own and on behalf of the respective Transaction Authors, as the “Data Exporter” and Steward as the “Data Importer” (as each of these terms is defined in the Standard Contractual Clauses). If a Subprocessor of Steward is a Data Importer, Steward agrees that it will enter into the EU controller to non-EU or EEA processor Standard Contractual Clauses on behalf of such Subprocessor if it is an affiliate of Steward, otherwise Steward will enter into a written agreement imposing obligations on such Subprocessor at least as stringent as those imposed on Steward in accordance with Clause 11 of the Standard Contractual Clauses.

7. Security Safeguards. Steward will implement, maintain and monitor a comprehensive written information security policy that contains appropriate technical and organizational measures (the “Steward TOMs”) to protect the security and confidentiality of Node Data. The Steward TOMs will be appropriate to the Node Data that Steward Processes and will meet the requirements set forth in Article 32 of the GDPR, the KSA and the KOBPIU Governance Framework. The Steward TOMs will meet the standards in Appendix 2 of the Standard Contractual Clauses attached hereto and the Steward Technical and Organizational Policies as set forth in the KOBPIU Governance Framework (the “Steward TOPs”). The parties agree the Steward TOPS satisfy the requirements of this Section 7. The KOB Consortia may update the Steward TOPs pursuant to the KOBPIU Governance Framework in light of the development and progression of technology. Such updates will be communicated to Steward via electronic communication and/or notification on the KOB Consortia website. Accordingly, Steward reserves the right to implement Steward TOMs that exceed the requirements of the Steward TOPs; provided that the functionality and security of the Services are not degraded.

8. Audits. Upon reasonable notice to Steward, the KOB Consortia may conduct or may engage an independent third party which shall not be a direct competitor of Steward and shall be bound to obligations of confidentiality (“Auditor”) to conduct an information security audit of Steward to meet its audit requirements under Article 28 of the GDPR and its obligations under Articles 32 to 36 of the GDPR. Prior to commencement of the audit, the parties will agree in writing to the terms and conditions governing the conduct of the audit. Steward will reasonably cooperate with the KOB Consortia and/or its Auditor in conducting such audit; provided that, nothing in this DPA will require Steward to provide information to the KOB Consortia that is publicly available on the KOBPIU Ledger. KOB Consortia agrees to reimburse reasonable and documented expenses incurred by Steward related to any information security audit initiated by KOB Consortia.

9. Security Breach. Without undue delay after becoming aware, Steward will notify the KOB Consortia in writing of any actual Security Breach. Steward will promptly investigate any Security Breach and is obligated to expend no more than an amount mutually agreed between KOB Consortia and Steward. Any additional amount of required expenditure will be the obligation of KOB Consortia consistent with Section 13 below. Steward will provide the KOB Consortia with reasonable assistance to satisfy any legal obligations of the KOB Consortia in relation to such Security Breach (including any obligation to notify data protection authorities or data subjects). In the event of a Security Breach, the KOB Consortia has the right to control the breach notification process, unless the GDPR dictates otherwise.

10. Return or Destruction of Node Data. Upon termination or expiration of the KSA and to the extent technically feasible given the architecture of the KOBPIU Network, Steward will return to the KOB Consortia or destroy all Node Data and all copies thereof in its possession or under its control as specified in the Steward TOPs, except to the extent that Steward is required under the GDPR to keep a copy of the Node Data.

11. Records. In addition to the record provided by the KOBPIU Ledger, Steward will keep at its normal place of business all information relating to Steward’s Processing of Node Data as described in the Steward TOPs and in this DPA pursuant to Article 28(h) of the GDPR. Steward will make such documents and all other information necessary to demonstrate compliance with its obligations in Article 28(h) of the GDPR available to the KOB Consortia upon request.

12. Limitation of Liability. Notwithstanding anything to the contrary in the KSA, a party’s liability for breach of its obligations including any claims arising from this DPA or the Standard Contractual Clauses, will be limited as set forth below.

  1. EXCEPT IN THE EVENT OF EITHER PARTY’S GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD, IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, EXEMPLARY, PUNITIVE, SPECIAL, OR OTHER CONSEQUENTIAL DAMAGES UNDER THIS DPA,INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR DATA, OR OTHERWISE, EVEN IF THE OTHER PARTY IS EXPRESSLY ADVISED OF THE POSSIBILITY OR LIKELIHOOD OF SUCH DAMAGES. EXCEPT IN THE EVENT OF EITHER PARTY’S GROSS NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD, IN NO EVENT SHALL EITHER PARTY’S LIABILITY UNDER THIS DPA EXCEED $250,000 USD IN THE AGGREGATE. IN THE EVENT OF EITHER PARTY’S GROSS NEGLIGENCE, SUCH PARTY’S LIABILITY UNDER THIS DPA SHALL NOT EXCEED $500,000 USD IN THE AGGREGATE. IN THE EVENT OF EITHER PARTY’S WILFUL MISCONDUCT OR FRAUD, THERE SHALL BE NO DOLLAR CAP ON SUCH PARTY’S LIABILITY UNDER THIS DPA. (Check the figures again)

  2. However, in the event of any conflict between the Standard Contractual Clauses and this Section 12, the Standard Contractual Clauses will prevail but only with respect to claims arising from the Standard Contractual Clauses.

  3. As the KOB Consortia is entering into this DPA on behalf of itself and the Transaction Authors, the KOB Consortia will secure a Transaction Author’s consent to the limitation of liability set forth in this Section 12 through the Transaction Author Agreement. Therefore a Transaction Author will be considered a “party” as used in this Section 12 for the purpose of interpreting this limitation of liability.

  4. Without prejudice to Art. 82 of GDPR and for the avoidance of doubt, no controller will be jointly and severally liable with any other controller to Steward or vice versa.

13. Assistance: The KOB Consortia will make a written request to Steward for any assistance referred to in this DPA. Steward and the KOB Consortia will mutually agree in writing to a reasonable charge for Steward to perform such assistance or an Additional Instruction. If the parties do not mutually agree to such reasonable charge, the parties agree to reasonably cooperate to find a feasible solution.

14. Disputes. The parties will make good faith efforts to first resolve internally any dispute under this DPA. Neither party will seek any external remedies until thirty (30) days have elapsed from the initiation of such good faith efforts. At the conclusion of any such thirty (30) day period, each party shall be entitled as a matter of right to seek remedies for any dispute, controversy, or claim arising out of, relating to, involving, or having any connection with this DPA, including any question regarding the validity, interpretation, scope, performance, or enforceability of this dispute resolution provision, in any court of competent jurisdiction, in equity or otherwise. The rights conferred upon the parties by the preceding sentence shall not be exclusive of any other rights or remedies which each party may have at law, in equity or otherwise.










The Parties hereto have caused this DPA to be executed by their duly authorized representatives as of the Effective Date.


KOB Consortia

By: ____________

Name: ____________

Title: ____________

Date: ____________

Steward

By: ____________

Name: ____________

Title: ____________

Date: ____________









SCHEDULE 1 Scope of Processing

Subject Matter of Processing: The context for the Processing of Node Data is Steward’s operation, maintenance and hosting of a Node under the KSA.

Duration of Processing: The Processing will begin on the effective date of the KSA and will continue through the period from expiration of the KSA until deletion of all Node Data by Steward in accordance with this DPA.

Nature and Purpose of Processing: Steward will Process Node Data solely as necessary to operate, maintain and host a Node in accordance with the KSA and the KOBPIU Governance Framework.

Types of Personal Data:

Permissible Personal Data: Public DIDs, public keys, and any other Personal Data that a Transaction Author writes to the KOBPIU Ledger in accordance with the Transaction Author Agreement.

Impermissible Personal Data: The KOBPIU Governance Framework prohibits writing of Impermissible Personal Data to the KOBPIU Ledger. If Impermissible Personal Data is written to the KOBPIU Ledger, Steward has no obligation or liability with respect to such Impermissible Personal Data, except to promptly notify the KOB Consortia in writing.

Categories of Data Subjects: Node Data may belong to any of the following categories of data subjects:

  • Transaction Authors who are natural persons

Order of precedence

The KOB Consortia may update the content of this Schedule 1 (Scope of Processing), including the types of Permissible Personal Data and Impermissible Personal Data, from time to time by updating the KOBPIU Governance Framework. Solely with reference to the details of the Processing of the Node Data included in this Schedule 1, in case of conflict, the KOBPIU Governance Framework will prevail over the present Schedule 1.









TODO: Check the entire schedule 2 again
Schedule 2 - Standarad Contractual Clauses
Commission Decision C (2010)593

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation:

The KOB Consortia, on its own behalf and on behalf of applicable Transaction Authors who may act as independent controllers for purposes of these clauses.

(the data exporter)

And

The Steward named in the KSA

(the data importer)


each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.









TODO: Clause 1 Page:10









Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

  2. that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

  5. that it will ensure compliance with the security measures;

  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC (check again);

  7. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

  9. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

  10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

  3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

  4. that it will promptly notify the data exporter about:

  5. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

  6. any accidental or unauthorised access, and

  7. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  8. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

  9. at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

  10. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

  11. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

  12. that the processing services by the subprocessor will be carried out in accordance with Clause 11;

  13. to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the date exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

  2. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

  3. to refer the dispute to the courts in the Member State in which the data exporter is established.

  4. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses( ). Where the sub-processor fails to fulfil its data protection obligations 3 under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.



On behalf of the data exporter:

Name (written out in full): The KOB Consortia on its own behalf and on behalf of applicable

Transaction Authors

On behalf of the data importer:

Name (written out in full): ……………………………………….

Position: ……………………………………….

Address:











APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

See Schedule 1 to this DPA.











APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please see the Steward TOPs as set forth in the KOBPIU Governance Framework.