IPRoyal

IPRoyal Data Processing Agreement

(1) Natural or legal person concluding this data processing agreement (“Data Controller”), and (2) IPRoyal (“Data Processor”)

Data Controller and Data Processor are hereinafter collectively referred to as the “Parties” and the “Party” if referred to separately,

Taking into account that:

  • Data Processor provides multiple IP address proxy infrastructure solutions, including IP addresses for the Clients to connect to the internet, and access to the Company’s data gathering and proxy management solutions (the “Services”).
  • Data Controller desires to purchase Data Processor’s Services.
  • The Parties have entered into an agreement under which Data Processor has agreed to provide Services (as described at Terms of Service) (“Agreement”/“Master Agreement”).
  • In the course of providing Services to the Data Controller, the Data Processor has to process personal data on behalf of and for the interest of the Data Controller;

Have concluded this data processing agreement (“Data Processing Agreement”) and agreed as follows:

1. DEFINITIONS

1.1. Unless the context requires otherwise, the capitalised terms used in this Data Processing Agreement, including its Preamble and annexes, shall have the meanings indicated below:

Applicable Data Protection Laws means any national or internationally binding data protection laws or regulations applicable at any time during the term of this Data Processing Agreement.
Data Controller means an entity or a person that has accepted the Terms of Service and that determines the purposes and means of the processing of Personal Data.
Data Processor means IPRoyal which processes Personal Data on behalf of the Data Controller under this Data Processing Agreement.
Personal Data means any information relating to an identified or identifiable natural person.
Sub-processor means a third-party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.
Services means the provision of multiple IP address proxy infrastructure solutions by the Company, including IP addresses for Clients to connect to the internet, and access to the Company’s data gathering and proxy management solutions. The Services are accessible and utilized via the website www.iproyal.com.

Other terms used in this Data Processing Agreement shall be interpreted as described in the Master Agreement.

2. OBLIGATIONS OF THE PARTIES

2.1. The Data Controller agrees to fulfill its duties as a data controller according to the relevant Data Protection Laws concerning the handling of Personal Data and any processing directives issued to the Data Processor.

2.2. Data Controller has provided all the necessary privacy notices and/or obtained all consents and rights necessary under the Applicable Data Protection Laws for Data Processor to process Personal Data and provide Services pursuant to the Agreement and this Data Processing Agreement.

2.3. Data Processor shall not knowingly take any action that would cause the Data Controller to violate the Applicable Data Protection Laws.

2.4. The Data Processor will not assess the legality or compliance of the Data Controller’s instructions. The Data Controller shall be solely responsible and liable for ensuring that their instructions are fully lawful and comply with applicable data protection laws. If the Data Processor reasonably believes that an instruction clearly violates applicable data protection laws, it will inform the Data Controller. The Data Processor is not responsible for complying with any data protection laws specific to the Data Controller or its industry that do not generally apply to the Data Processor.

2.5. In particular but without prejudice to the generality of the foregoing, the Data Controller acknowledges and agrees that it will be solely responsible for: (i) the accuracy, quality, and legality of the Data Controller’s Personal Data and the means by which it acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under Applicable Data Protection Laws for the collection and use of the Personal Data, including any necessary notifications, consents, and authorizations that are needed for the Data Controller’s use of Data Processor’s Services; (iii) ensuring it has the right to transfer, or provide access to, the Personal Data to the Data Processor for processing in accordance with the provisions of the Terms of Service (including this DPA); and (iv) ensuring that its instructions to Data Processor regarding the processing of Personal Data comply with applicable laws, including Applicable Data Protection Laws. Data Controller shall also inform Data Processor without undue delay if the Data Controller is not able to comply with its responsibilities under this Section.

3. DATA PROCESSING INSTRUCTIONS

3.1. Data Processor undertakes to process the Personal Data on the Data Controller’s documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by EU or EU Member State law to which the Data Processor is subject.

3.2. The Data Controller’s instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are as follows:

Subject Matter: Provision of Services to the Data Controller.
Nature and Purpose of the Processing: Data Processor will process Personal Data for the purposes of providing Services on behalf of a Controller and related services (if any) in accordance with and as described in the Agreement.
Categories of Data Subjects: Natural persons whose Personal Data the Data Controller chooses to process while using the Services and related services (if any).
Types of Personal Data: Data relating to natural persons that the Data Controller chooses to process while using the Services and related services (if any).
Duration of Processing: As long as the Data Controller uses Services and related services (if any).

3.3. Data Processor shall, when processing Personal Data under this Data Processing Agreement, comply with any Applicable Data Protection Laws and applicable recommendations by the data protection authorities or other competent authorities.

3.4. Data Controller entitles Data Processor to enter into agreements with Sub-processors on the Data Controller’s behalf for the performance of its obligations under this Data Protection Agreement. Data Processor shall maintain a list of Sub-processors used to fulfill its obligations as set forth in this Data Processing Agreement. The Data Controller may familiarize itself with the Sub-processors currently engaged by the Data Processor by requesting a list of such Sub-processors from the Data Processor in writing.

4. COOPERATION

4.1. To the extent reasonable, taking into account the nature of processing, Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject’s rights to request information and for Personal Data to be corrected, blocked or erased at their request.

4.2. In case of any requests made by data subjects, competent authorities, or any other third parties to Data Processor regarding the processing of Personal Data covered by this Data Processing Agreement, the Data Processor shall refer such requests to the Data Controller.

4.3. In the terms agreed between the Parties and to the reasonable extent, the Data Controller shall be entitled, in its capacity as the data controller, to take measures necessary to verify that the Data Processor is able to comply with its obligations under this Data Processing Agreement, and that Data Processor has in fact undertaken the measures to ensure such compliance.

4.4. In the terms agreed between the Parties and to the reasonable extent, the Data Processor shall assist the Data Controller in data protection impact assessments, prior consultations, and other communications with data protection authorities.

5. LIABILITY

5.1. Each Party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions set out in the Agreement.

5.2. Data Processor shall have the right to any reimbursement of reasonable expenses, costs, and fees which were incurred as a result of Data Controller’s (i) inaccurate, incomplete, or unlawful instructions; and/or (ii) requests for cooperation which are unfounded, excessive, and/or impose unreasonably disproportionate costs to Data Processor.

6. DATA SECURITY MEASURES

6.1. Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement adequate technical and organizational measures.

6.2. Data Processor shall ensure that access to Personal Data is granted only to necessary employees by virtue of performing direct work functions under this Data Processing Agreement. Data Processor shall ensure that such employees respect confidentiality obligations to the same extent as the Data Processor under this Data Processing Agreement.

6.3. Data Processor undertakes not to, without the Data Controller’s prior written consent, disclose or otherwise make Personal Data processed under this Data Processing Agreement available to any third party, except for Sub-processors engaged in accordance with this Data Processing Agreement.

6.4. The Data Processor shall take all necessary actions to assist and shall promptly notify the Data Controller in relation to any accidental or unauthorized access to Personal Data or any other security incidents (Personal Data breach) immediately if possible.

7. FINAL PROVISIONS

7.1. All definitions used in this Data Processing Agreement shall have the same meaning as prescribed in the Agreement, unless expressly provided otherwise in this Data Processing Agreement.

7.2. The provisions in this Data Processing Agreement shall apply during such time that Data Processor processes Personal Data in respect of which the Data Controller is the data controller.

7.3. This Data Processing Agreement shall apply as long as the Services are provided to the Data Controller as set out in the Agreement unless the Parties terminate the Agreement and/or this DPA earlier on the grounds provided therein.

7.4. Upon expiry of this Data Processing Agreement, the Data Processor shall, at the choice of the Data Controller as communicated to the Data Processor, delete or return all Personal Data to the Data Controller and shall ensure that any Sub-processor does the same.

7.5. This Data Processing Agreement shall be an integral part of the Agreement. Any matter not expressly governed by this Data Processing Agreement shall be governed by the Agreement.