This Data Processing Addendum describes specific terms in respect of the processing of Personal Data (as defined hereafter) by Future Brain in connection with the provision of Services (as defined in the Terms of Service). 

 

 

1. DEFINITIONS

 

 

1.1  For the purposes of this Data Processing Addendum, the following terms, whether used in singular or plural, shall have the following meaning:

“Controller” shall have the meaning ascribed to it in Article 4(7) GDPR.

“Data Protection Regulations” means the EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”) as well as any implementing or supplementary legislation, including the Greek relevant legislation, and any other applicable data protection or privacy legislation, as amended or updated from time to time.

“Data Subject” shall have the meaning ascribed to it in Article 4(1) GDPR.

“Personal Data” shall have the meaning ascribed to it in Article 4(1) GDPR.

“Personal Data Breach” shall have the meaning ascribed to it in Article 4(12) GDPR.

“Processing” shall have the meaning ascribed to it in Article 4(2) GDPR.

“Processor” shall have the meaning ascribed to it in Article 4(8) GDPR.

“Restricted Country” means a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission.

“Restricted Transfer” means a transfer of Personal Data from the EEA to a Restricted Country.

“Supervisory Authority” shall have the meaning ascribed to this term in Article 4 GDPR.

 

1.2  Unless otherwise defined in this Data Processing Addendum, any terms used or referenced within this Data Processing Addendum shall have the meaning ascribed to them in the relevant Client Framework Agreement.

 

 

2. SPECIFICATION OF DATA PROCESSING

 

 

2.1  Any Processing of Personal Data in connection with and for the purpose of the Services shall be performed in accordance with applicable Data Protection Regulations.

 

2.2  For the performance and provision of the Services, Client shall be the Controller and Future Brain the Processor acting on behalf of Client.

 

2.3  As Processor, Future Brain will process Personal Data only upon Client’s written instructions. The following is deemed to be written instruction by Client to Process Personal Data: (a) Processing made in connection with and for the purposes of the Services; and (b) Processing initiated by an Authorized User (as defined in the Future Brain Platform Terms).

 

2.4  Client is entitled to issue instructions regarding the type, scope and methods of the Data Processing. At the request of Future Brain, verbal instructions must be confirmed immediately by the Controller in writing or in text form (e.g. by email).

 

2.5  Future Brain will immediately inform the Client if, in its opinion, an instruction infringes applicable Data Protection Regulations. Future Brain shall be entitled to suspend the relevant instruction until it is confirmed or amended by Client.

 

2.6  The duration of the Processing corresponds with the Term (as defined in the relevant Framework Agreement), unless otherwise instructed by Client, and can continue after termination of the Framework Agreement for a period of up to thirty (30) days as indicated in Section 6 below.

2.7  The subject-matter, nature, and purpose of the Processing as well as the type of Personal Data concerned, and the categories of Data Subjects affected are described in Schedule 1 to this Data Processing Addendum.

 

 

3. DATA SUBJECT RIGHTS

 

 

3.1  Client shall facilitate the exercise of Data Subject rights and shall ensure that adequate information is provided to Data Subjects about the Processing hereunder in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

3.2  Future Brain shall support Client, as far as reasonably possible, in fulfilling its obligations under applicable Data Protection Regulations in case of Data Subject requests, including requests made by a Data Subject to exercise their right of access, rectification, erasure, restriction of Processing or data portability or their right to object. In case of a Data Subject request for access or portability of data that is retained by Future Brain, Future Brain shall make the relevant data records available to Client promptly within ten (10) working days in a structured, commonly used, and machine-readable format.

3.3  If a Data Subject contacts Future Brain directly for the purpose of exercising any of their Data Subject right(s), Future Brain shall forward such request to Client promptly within ten (10) working days.

 

 

4. CONTROL OBLIGATIONS OF FUTURE BRAIN

 

 

4.1  Future Brain shall ensure by appropriate means that Personal Data is processed in accordance with the terms of this Data Processing Addendum and Client’s corresponding instructions.

4.2  Future Brain may designate in the future and throughout the term of this Data Protection Addendum a data protection officer in compliance with applicable Data Protection Regulation.

4.3  Future Brain shall support Client, as far as reasonably possible, in complying with its obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information available to Future Brain.

To that extent, Future Brain shall:

   (a)  assist Client in carrying out data protection impact assessments or prior consultations with Supervisory Authority in accordance with Articles 35 and 36 GDPR, by providing necessary information;
   (b) notify Client of any suspected Personal Data Breach promptly within forty-eight (48) hours after having become aware of the breach;
   (c) reasonably assist Client in implementing actions to remediate a Personal Data Breach; and
   (d) where necessary, provide Client with information allowing Client to comply with its notification obligations under Article 33 and 34 GDPR.

 

 

5. LOCATION OF PROCESSING

 

 

5.1  Subject to Sections 5.2 and 9.1 below, Personal Data will be stored within the region of the Netherlands or in another state that is party to the Agreement on the European Economic Area.

5.2  The relocation of Personal Data to a third country outside the European Economic Area requires Client´s approval and shall conform with the data transfer requirements set forth under Article 44 et seq. GDPR.

 

 

6. DELETION AND RETURN OF PERSONAL DATA

 

 

At the latest within thirty (30) days upon termination of the Services, Future Brain shall either erase or return to Client Personal Data Processed on behalf of Client, provided that the erasure of the data does not conflict with Future Brain’s statutory retention obligations.

 

 

7. CONTROL RIGHTS OF CLIENT

 

 

Following timely prior notification, not less than three (3) weeks, during normal business hours and without interrupting the operations of Future Brain or endangering the safeguards for other clients of Future Brain, Client shall be entitled to audit, at its own expenses, Future Brain’s compliance with applicable Data Protection Regulations and the terms of this Data Processing Addendum, to the extent required to do so under applicable Data Protection Regulations. Such audit may also be carried out by accessing industry-standard certifications of Future Brain, current audit reports or reports from an independent party (such as a certified accountant, external data protection officer or auditor) or via self-reporting. Future Brain shall provide reasonable assistance to carry out the audit.

 

 

8. TECHNICAL AND ORGANIZATIONAL MEASURES

 

 

8.1  Future Brain has implemented and will maintain appropriate technical and organizational measures intended to protect Personal Data or the systems that Process Personal Data against accidental, unauthorized, or unlawful access, disclosure, alteration, loss, or destruction, and, as appropriate, the technical and organizational measures described in Article 32 GDPR. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of the Processing and the risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data.

 
8.2  The technical and organizational measures currently implemented by Future Brain are described in Schedule 2 to this Data Processing Addendum. Future Brain may update and amend these measures provided that such update and/or amendment does not significantly reduce the level of security and protection of the Personal Data.

 
8.3  Upon Client’s written request, Future Brain shall provide Client with an updated description of its implemented technical and organizational measures within fourteen (14) calendar days after receipt of Client’s request.

 

 

9. SUB-PROCESSORS

 

 

9.1  Client authorizes Future Brain to use sub-processors by way of a general written authorisation pursuant to Article 28(2) GDPR and agrees to Future Brain’s engagement of all sub- processors as indicated in Schedule 3 of the present document.

9.2  Future Brain has entered or will enter into written agreements with its sub-processors which contain obligations no less protective than those contained in this Data Processing Addendum.

9.3  Future Brain shall be entitled to engage additional sub-processors or to replace sub-processors already engaged by other sub-processors. In such a case, Future Brain will notify Client in advance of the intended addition or replacement of a sub-processor allowing Client to object to the new sub-processor in writing within fourteen (14) days after receipt of Future Brain’s notification.

 

9.4  In the event of an objection by Client under Section 9.3, Future Brain may, at its own discretion, continue providing the Services without the engagement of the new sub-processor or propose a different sub-processor in accordance with Section 9.3.

9.5  Should the provision of Services without the new sub-processor not be reasonable for Future Brain (for example, due to disproportionate expenses on side of Future Brain), Future Brain may terminate the Framework Agreement and/or its Annexes by giving the Client one (1) month written notice.

 

 

10. OTHER RESPONSIBILITIES OF CLIENT

 

 

10.1  Client shall comply with all applicable laws and regulations, including applicable Data Protection Regulations.

10.2  Client remains responsible for the lawfulness of the Processing of Personal Data including, where required, obtaining the consent of Data Subjects to the Processing of their Personal Data.

10.3  Client shall take reasonable steps to keep Personal Data up to date to ensure the data is not inaccurate or incomplete with regard to the purposes for which they are collected.

10.4  With regard to components that Client provides or controls, including but not limited to workstations connecting to the Services, data transfer mechanisms used, and credentials issued to the Client’s personnel, Client shall implement and maintain the required technical and organizational measures for the protection of Personal Data.