Data Processing Agreement Template
ABC-based … VAT …, hereinafter referred to as “ABC”.
Perfetti Van Melle …, with registered office in…, hereinafter referred to as “PVM”.
Hereinafter jointly referred to as the “Parties” and individually as “Party”
- ABC carries out work duties and renders services for PVM (hereinafter referred to as “the
Services”) according to one or more separate agreements (hereinafter referred to as
- The performance of the Services by ABC implies access to and processing of personal data
of PVM (hereinafter referred to as “PVM Personal Data”);
- Pursuant to the General Data Protection Regulation (or any other applicable Data Protection
Laws) Parties are obliged to enter into a Data Processing Agreement in case the processing
of PVM Personal Data is outsourced;
- PVM pursuant to the aforementioned legislation is deemed “Controller” and ABC is deemed
- Parties therefore have agreed to sign this Data Processing Agreement subject to the following
IT IS AGREED AS FOLLOWS:
In this Agreement the following terms will have the following meanings:
- “Personal Data”: means any information relating to an identified or identifiable natural person
- “PVM Personal Data”: means the Personal Data Processed by ABC on behalf of PVM
pursuant to or in connection with the Principal Agreement.
- “Data Protection Laws”: means European Union or Member States Data Protection laws
and, to the extent applicable, the data protection or privacy laws of any other country.
- “GDPR”: means the Regulation (EU) 2016/679.
- “Controller”: the entity which determines the purposes and means of the Processing of PVM
- “Processing” means any operation or set of operations which is performed with regard to
PVM Personal Data, whether or not by automatic means, such as collection, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or
otherwise making available, alignment or combination, blocking, erasure or destruction.
- “Processor”: the entity which processes PVM Personal Data on behalf of the Controller.
- “Sub-processor”: means a third party contracted by Processor that processes the PVM
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
transmitted, stored or otherwise processed.
2. PROCESSING OF PERSONAL DATA
ABC agrees to Process PVM Personal Data as a consequence of the performance of the Principal
Agreement in ac
- Process PVM Personal Data only following PVM’s documented instructions as they are
defined in Schedule 1 and not to apply or use PVM Personal Data for other purposes. In
case the Principal Agreement is changed or amended in such a way that Schedule 1 needs
amendments or changes, Parties agree to amend Schedule 1 accordingly.
- Not to give PVM Personal Data to natural or legal persons other than those that may have
been expressly authorized by PVM.
- Once the Principal Agreement has been terminated, PVM Personal Data will be returned to
PVM, as well as any supporting material or document which contain it, deleting existing
- ABC undertakes to take all reasonable steps to ensure the reliability of any employee, agent
or contractor who may have access to the PVM Personal Data, ensuring in each case that
access is strictly limited to those individuals who need to know / access the relevant PVM
Personal Data, as strictly necessary for the purposes of the Principal Agreement, and that all
such individuals are subject to confidentiality undertakings or professional or statutory
obligations of confidentiality.
- The personal data provided by PVM to ABC will not be disclosed to third parties without prior
approval of PVM, unless there is a written consent by the PVM, or unless it is necessary for
the execution of the Services, the performance of a legal obligation, a request from an
authority, or judicial ruling.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
- ABC shall in relation to the PVM Personal Data implement appropriate technical and
organizational measures to ensure a level of security appropriate to that risk, including, as
appropriate and when applicable, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, ABC shall take into account the particular risks
that are presented by Processing.
- The Security Measures implemented are further described in Schedule 2.
- ABC shall also assist PVM in ensuring compliance with the obligations pursuant to article 32
to 36 of the GDPR where applicable.
- ABC may engage a Sub-Processor provided that an agreement with the same content of this
Data Processing Agreement is signed between ABC and the Sub-processor.
- The list of Sub-processors is attached to this Agreement as Schedule 3. This schedule
should be updated any time there is a new Sub-processor appointed by ABC after having
received the written approval of PVM.
- Where that Sub-processor fails to fulfil its data protection obligations, ABC shall remain fully
liable to PVM for the performance of that Sub-processor’s obligations.
- Failure to comply with the above obligation by ABC will give a right to PVM to terminate
immediately the Agreement.
6. DATA SUBJECTS RIGHTS
- ABC shall assist PVM by implementing appropriate technical and organisational measures,
insofar as this is possible, for the fulfilment of PVM’ obligations to respond to requests to
exercise Data Subject’s rights (“the Data Subject’s Rights”) under the Data Protection
- ABC shall:
- promptly notify PVM if ABC receives a request from a Data Subject to exercise the Data
- ABC undertakes not to answer to Data Subject request without prior approval of PVM except
for the cases in which ABC is obliged to answer by Law. In this last case ABC will promptly
7. PERSONAL DATA BREACH
- ABC shall notify only PVM without undue delay upon ABC becoming aware of a Personal
Data Breach affecting PVM Personal Data, providing PVM with sufficient information to allow
PVM to meet any obligation to report or inform Data Subjects of the Personal Data Breach
under the Data Protection Laws.
- ABC shall co-operate with PVM and take such reasonable steps as are directed by PVM to
assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. AUDIT RIGHTS
- PVM may, by itself or through third parties, audit and inspect ABC’s premises during normal
office hours, to verify compliance by ABC with the provisions of this Data Processing
- At PVM request, ABC shall make available to PVM the supporting documentation for
compliance with this Data Processing Agreement.
9. GOVERNING LAW AND VENUE
This Agreement will be governed by the law of India and the venue is the Court
of the place where PVM resides.
The Parties have executed this Data Processing Agreement in two copies.
Perfetti Van Melle … ABC
The Processor can process and use the PVM Personal Data only according to the purposes set forth
in the Principal Agreement.
Only the category of the Data Subjects indicated in the Principal Agreement can be subject of the
Only the categories of Personal Data expressly provided by the Principal Agreement can be
processed according to this Agreement.
In order to protect PVM Personal Data ABC declares to have implemented the following technical
and organizational security measures:
- Personal Data Protection security policy.
- a Personal Data Protection security policy has been adopted and is available for
- this policy has been made known to all employees and relevant parties.
- Security awareness.
- all processor’s employees and, where applicable, other relevant parties have been
trained and are informed about security procedures adopted by the processor.
- Security of equipment.
- the equipment is physically protected against unauthorized access, damage and
- Access security.
- ABC has in place procedures to control all the authorized users accessing the
information, the equipment and the whole ABC’s systems and services.
- the procedures map all the access and activities of the authorizes users until their
- special attention will be given to managing user access rights with extra rights, such
as system administrators.
- Logging and control.
- activities which users perform with PVM Personal Data are recorded in log files as
well as unauthorized access or defaults that can cause damage or loss of personal
- the log files are periodically checked.
- Correct processing in application systems.
- In all application systems are security measures built-in.
- The part of the system processing special categories of data are subject to
dedicated security measures.
- Incidents management.
- ABC has implemented an incident management system to check, collect incidences
and report without delay any incidents and security vulnerabilities.
- Services continuity management.
- All the above described measures concur to monitor and warrant the continuity of
the Services in case of natural disasters, accidents, loss of equipment or willful
misconduct or any other event.