harmon.ie Data Processing Agreement (DPA)

Instructions on how to execute this Data Processing Agreement (DPA):

  1. This DPA consists of two parts: the main body of the DPA, and Schedule 1
  2. This DPA has been pre-signed on behalf of harmon.ie
  3. To complete this DPA, you must:
    1. Complete the missing information in the first paragraph of the DPA; and
    2. Send the completed and signed DPA to privacy@harmon.ie by email, including the Client’s Customer identification details, such as: account legal name, the Client’s most recent harmon.ie Purchase order number, and the Client Corporate URL

Upon receipt of the validly completed DPA by harmon.ie at privacy@harmon.ie, this DPA will become legally binding.

Data Processing Agreement

DATA PROCESSING AGREEMENT/ADDENDUM

This Data Processing Agreement (“DPA”) is made and entered into as of this ____ day of ____, 20__ , and forms part of the Harmon.ie Agreement dated _______, (the“Agreement”). You acknowledge that you,on behalf of ___________, incorporated under ______________________________ law ,with its principal offices located at ______________________ (“Organization”) (collectively, “You”,”Your”, “Client”,or “Data Controller”) have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with Harmon.ie as defined below (“Harmon.ie”, “Us”, “We”, “Our”,“ServiceProvider”or“DataProcessor”) to reflect the parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of GDPR-protected individuals. Both parties shall be referred to as the “Parties” and each, a “Party”.

WHEREAS, Harmon.ie shall provide the services set forth in the Agreement (collectively, the “Services”) for Client, as described in the Agreement; and

WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “DataProcessor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:

1. INTERPRETATION AND DEFINITIONS

1.1 The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.

1.2 References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.

1.3 Words used in the singular include the plural and vice versa, as the context may require.

1.4 Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

1.5 Definitions:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and Harmon.ie, but has not signed its own agreement with Harmon.ie and is not a “Client” as defined under the Agreement.
(c) “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include yourself, the Organization and/or the Organization’s Authorized Affiliates.
(d) “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
(e) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(f) “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
(g) “Harmon.ie” means the relevant Harmon.ie entity of the following Harmon.ie legal entities: harmon.ie
Corporation and harmon.ie R&D Ltd.
(h) “Harmon.ie Group” means Harmon.ie and its Affiliates engaged in the Processing of Personal Data.
(i) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(j) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the avoidance of doubt, Client’s business contact information is not by itself deemed to be Personal Data subject to this DPA.
(k) “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(l) “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
(m) “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Client, as updated from time to time, and accessible via https://harmon.ie/legal/security-policy or as otherwise made reasonably available by Harmon.ie.
(n) “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out in Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4, 2021, as available here, as updated, amended, replaced or superseded from time to time by the European Commission; or (ii) where required from time to time by a supervisory authority for use with respect to any specific restricted transfer, any other set of contractual clauses or other similar mechanism approved by such Supervisory Authority or by Applicable Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Regulatory Authority or Data Protection Laws and Regulations;
(o) “Sub-processor” means any Processor engaged by Harmon.ie.
(p) “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
(q) “UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time by the ICO.
(r) “UK Standard Contractual Clauses” or “UK SCCs” means the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out by the ICO, as available here, as updated, amended, replaced or superseded from time to time by the ICO.

2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) Client is the Data Controller, (ii) Harmon.ie is the Data Processor and that (iii) Harmon.ie or members of the Harmon.ie Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
2.2 Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the means by which Client acquired Personal Data. Without limitation, Client shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies), and shall have any and all required legal bases in order to collect, Process and transfer to Data Processor the Personal Data and to authorize
the Processing by Data Processor of the Personal Data which is authorized in this DPA. Client shall defend, hold harmless and indemnify Harmon.ie, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
2.3 Data Processor’s Processing of Personal Data.
2.3.1. Subject to the Agreement, Data Processor shall Process Personal Data in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Client to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which Data Processor is subject; in such a case, Data Processor shall inform the Client of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3.2. To the extent that Data Processor cannot comply with a request from Client and/or its authorized users (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind), Data Processor (i) shall inform Client, providing relevant details of the problem, (ii) Data Processor may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Data Processor all the amounts owed to Data Processor or due before the date of termination. Client will have no further claims against Data Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
2.3.3. Harmon.ie will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Harmon.ie, to the extent that such is a result of Client’s instructions.
2.3.4. If Client provides Harmon.ie or any of the entities of the Harmon.ie Group with instructions, requests, suggestions, comments or feedback (whether orally or in writing) with respect to the Services, Client acknowledges that any and all rights, including intellectual property rights, therein shall belong exclusively to Harmon.ie and that such shall be considered Harmon.ie’s intellectual property without restrictions or limitations of any kind, and Client hereby irrevocably and fully transfers and assigns to Harmon.ie any and all intellectual property rights therein and waives any and all moral rights that Client may have in respect thereto.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.

3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request. Data Processor shall, to the extent legally permitted, promptly notify Client if Data Processor receives a request from a Data Subject to exercise its right as laid down in Chapter III of the GDPR (“Data Subject Request”). Taking into account the nature of the Processing, Data Processor shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Data Processor’s provision of such assistance.

4. HARMON.IE PERSONNEL
4.1 Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Personal Data have
committed themselves to confidentiality and non-disclosure.
4.2 Data Processor may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Data Processor shall inform the Client of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).

5. AUTHORIZATION REGARDING SUB-PROCESSORS
5.1 Appointment of Sub-processors. Client acknowledges and gives general written authorization that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Processors in connection with the provision of the Services (“Sub-processor”).
5.2 List of Current Sub-processors and Notification of New Sub-processors.
5.2.1 Data Processor shall make available to Client the current list of Sub-processors used by Data Processor via https://harmon.ie/legal/sub-processor-list. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub- processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Client.
5.2.2 Client may find on Data Processor’s webpage accessible via https://harmon.ie/legal/sub-processor-list a mechanism to subscribe to notifications of new Sub-processors, to which Client shall subscribe, and if Client subscribes, Data Processor shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
5.3 Objection Right for New Sub-processors. Client may reasonably object to Data Processor’s use of a new Sub-processor for reasons related to the GDPR by notifying Data Processor promptly in writing within three (3) business days after receipt of Data Processor’s notice in accordance with the mechanism set out in Section 5.2.2 and such written objection shall include the reasons related to the GDPR for objecting to Data Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Data Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Client reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Data Processor will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Client. If Data Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may, as a sole remedy, terminate the applicable Agreement and this D P A with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to new Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Until a decision is made regarding the new Sub-processor, Data Processor may temporarily suspend the Processing of the affected Personal Data. Client will have no further claims against Data Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.4 Agreements with Sub-processors. Data Processor shall respect the conditions referred to in Articles 28.2 and 28.4 of the GDPR when engaging another processor for Processing Personal Data provided by Client. In accordance with Articles 28.7 and 28.8 of the GDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses.

6. SECURITY
6.1 Controls for the Protection of Personal Data. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or
alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Client. Data Processor regularly monitors compliance with these measures. Upon the Client’s request, Data Processor will assist Client, at Client’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Data Processor.
6.2 Third-Party Certifications and Audits. Upon Client’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Data Processor shall make available to Client (or Client’s independent, third-party auditor that is not a competitor of Data Processor) a copy of Data Processor’s then most recent third-party audits or certifications (if any), as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Client to assess compliance with this DPA and/or with applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor’s first request, Client shall return all records or documentation in Client’s possession or control provided by Data Processor in the context of the audit and/or the certification). At Client’s cost and expense, Data Processor shall allow for and contribute to audits, including inspections of Data Processor’s, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Data Processor) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. In the event of an audit or inspections as set forth above, Client shall ensure that it (and each of its mandated auditors) will not cause any damage, injury or disruption to Data Processor’s premises, equipment, personnel, and will not interrupt Data Processor’s business while conducting such audit or inspection. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Client.

7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
Data Processor maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Data Processor or its Sub-processors of which Data Processor becomes aware (a “Personal Data Incident”). Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).

8. RETURN AND DELETION OF PERSONAL DATA
Subject to the Agreement, Data Processor shall, at the choice of Client, delete or return the Personal Data to Client after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s Clients.

9. AUTHORIZED AFFILIATES
9.1 Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
9.2 Communication. The Client shall remain responsible for coordinating all communication with Data Processor
under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.

10. TRANSFERS OF PERSONAL DATA
10.1 Transfers to countries that offer adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
10.2 Transfers to other countries. If the Processing of Personal Data includes transfers from the EEA or the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with the below terms:
a) When applicable, with respect to the EU transfers of Personal Data, Client as a Data Exporter (as defined in the SCCs) and Data Processor on behalf of itself and each Data Processor Affiliate (as applicable) as a Data Importer (as defined in the SCCs) hereby enter into the Standard Contractual Clauses set out in Schedule 2. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence.
b) When applicable, with respect to the UK transfers of Personal Data (from the UK to other countries which have not been subject to a relevant Adequacy Decision), Client as a Data Exporter (as defined in the SCCs) and Data Processor on behalf of itself and each Data Processor Affiliate (as applicable) as a Data Importer (as defined in the SCCs), hereby enter into the UK Standard Contractual Clauses set out in Schedule 2.

11. COLLABORATION WITH CLIENT’S DATA PROTECTION IMPACT ASSESMENT
At Client’s cost, with reasonable cooperation and assistance needed to fulfil Client’s obligation under the GDPR to carry out a data protection impact assessment related to Client’s use of the Services, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Data Processor. Data Processor shall provide, at Client’s cost, reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR.

12. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided.

13. RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the Agreement, this DPA and/or the agreements between the parties: (A) Our and Our Affiliates’ entire, total and aggregate liability (including any indemnification obligation (if any) regarding data protection or privacy), for or related to any breach of this DPA and/or Data Protection Laws and Regulations shall be limited to the amounts paid to us by you under the Agreement during the twelve (12) months preceding the day on which the claim arouse. This limitation of liability is cumulative and not per incident; (B) In no event will we and/or our affiliates or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if we, our Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).

14. AMENDMENTS
This DPA may be amended at any time by a written instrument duly signed by each of the Parties.

15. LEGAL EFFECT
This DPA shall only become legally binding between Client and Data Processor when the formalities steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed.

16. SIGNATURE
The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA.
You, as the signing person on behalf of Client, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Harmon.ie.
By signing this DPA, Client enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Harmon.ie processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.

INSTRUCTIONS ON HOW TO EXECUTE THIS DPA:

  1. This DPA consists of two parts: the main body of the DPA, Schedule 1 and Schedule 2.
  2. This DPA has been pre-signed on behalf of Harmon.ie.
  3. To complete this DPA, you must complete the missing information in the first paragraph of the DPA; and
  4. Send the completed and signed DPA to privacy@harmon.ie by email, including the Client’s Customer identification details, such as: account legal name, the Client’s most recent harmon.ie Purchase order number, and the Client Corporate URL.

Upon receipt of the validly completed DPA by harmon.ie at this email address, this DPA will become legally binding.

The parties’ authorized signatories have duly executed this Agreement:

CLIENT:
Signature:
Client Legal Name: Print
Name:
Title:
Date:

Harmon.ie Corporation
Signature:


 

Print Name: Yael Yemini
Title: CFO
Date: 2/4/2024

Harmon.ie R&D Ltd.
Signature:


 

Print Name: Yael Yemini
Title: CFO
Date: 2/4/2024

SCHEDULE 1 – DETAILS OF THE PROCESSING

Subject matter

Data Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Client in its use of the Services.

Nature and Purpose of Processing

  1. Providing the Service(s) to Client.
  2. Setting up an account/account(s) for Client.
  3. Setting up profile(s) for users authorized by Clients.
  4. For Client to be able to use the Services.
  5. For Data Processor to comply with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement.
  6. Performing the Agreement, this DPA and/or other contracts executed by the Parties.
  7. Providing support and technical maintenance, if agreed in the Agreement.
  8. Resolving disputes.
  9. Enforcing the Agreement, this DPA and/or defending Data Processor’s rights.
  10. Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and
  11. Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
  12. All tasks related with any of the above.

Duration of Processing

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Data Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

Type of Personal Data

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First name
  • Last name
  • Address
  • Phone number
  • Email address
  • Company
  • Title
  • Business information
  • Any other Personal Data or information that the Client decides to provide to the Data Processor.

The Client and the Data Subjects shall provide the Personal data to Data Processor by supplying the Personal data to Data Processor’s Service or through communications with Data Processor.

Categories of Data Subjects

Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Client’s customers and/or clients
  • Client’s users authorized by Client to use the Services
  • Employees, agents, advisors, freelancers of Client (who are natural persons)
  • Prospects, Clients, business partners and vendors of Client (who are natural persons)
  • Employees or contact persons of Client’s prospects, Clients, business partners and vendors

The frequency of the transfer

Continuous basis or one-off.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As described in this DPA and/or the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As detailed in the following link https://harmon.ie/legal/sub-processor-list.

SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSES

EU SCCs. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and/or Processor to Processor) if applicable, will apply, with respect to restricted transfers between Client and Data Processor that are subject to the EU GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Client (as Data Exporter) and Data Processor (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 13: the relevant option applicable to the Client, as informed by Client to Data Processor; (v) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland; and (vi) In Clause 18(b) the Parties choose the courts of Ireland, as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Client as a data controller and (ii) the Data Importer is Data Processor as a data processor. With respect to Module Three: (i) Data Exporter is Client as a data processor and (ii) the Data Importer is Data Processor as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Irish supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors available here: https://harmon.ie/legal/sub-processor-list.

UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses (Controller-to-Processor and/or Processor to Processor) if applicable, will apply with respect to restricted transfers between Client and Data Processor that are subject to the UK GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Client (as Data Exporter) and Data Processor (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) In Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be not applicable; (iv) In Clause 17, option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) In Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. Which Parties may end this Addendum as set out in Section 19: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is Client as a data controller and the Data Importer is Data Processor as a data processor. With respect to Module Three: Data Exporter is Client as a data processor and the Data Importer is Data Processor as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the ICO supervisory authority.
f) Annex II of the UK Standard Contractual Clauses shall be completed as described and agreed between the parties in the Agreement and/or this DPA.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors available here: https://harmon.ie/legal/sub-processor-list.