Download this page here.
THIS DATA PROCESSING AGREEMENT (“DPA”) IS ENTERED BETWEEN CUSTOMER AS STATED IN THE MONDA TERMS OF SERVICE (“MONDA TOS”) AS A CONTROLLER AND MONDA AS A PROCESSOR CONCERNING THE PROCESSING OF PERSONAL DATA UNDER THE MONDA TOS. THE TERMS AND CONDITIONS OF THIS DPA WILL BE LEGALLY BINDING ON THE PARTIES UPON THE EFFECTIVE DATE. UNLESS STATED TO THE CONTRARY HEREINAFTER, THE DEFINITIONS OF THE MONDA TOS SHALL APPLY. FOR THE AVOIDANCE OF DOUBT, IN CASE OF A CONFLICT BETWEEN THE PROVISIONS OF THIS DPAAND THE MONDA TOS, THE DPA SHALL PREVAIL.
(1) Controller-Processor Relationship. Providing Customer with functionality of the Platform requires the processing of Customer’s Data Offerings. If and inasmuch as such Data Offerings consist of or contain Personal Data within the meaning of Data Protection Laws, MONDA will act as a Processor regarding such data, whereas Customer remains the Controller regarding such data.
(2) Customer’s Responsibilities as a Controller. By means of the Platform, Customer submits and processes its own Data Offerings, largely controls the upload, and directly handles the use of any such Data Offerings that have been submitted to MONDA. Customer agrees and understands that, unless stated to the contrary in the MONDA ToS, MONDA will not monitor Data Offerings or Customer’s use of any such Data Offerings, unless Customer submits an explicit written request to MONDA to access Data Offerings. In any other case, only Customer knows which data comprise the Data Offerings. It is, therefore, the sole responsibility and liability of Customer to ensure that Data Offerings are collected and transmitted to MONDA in compliance with applicable Data Protection Laws and, in particular, (a) to always observe the principles relating to processing of Personal Data including, without limitation, the principles of purpose limitation and data minimization; (b) to have a legal basis for its Processing; and (c) to properly inform Data Subjects of the collection and Processing of their Personal Data. For the avoidance of doubt, these responsibilities shall come in addition to Customer’s responsibilities concerning Data Offerings as set forth in the MONDA ToS.
(3) MONDA’s Responsibilities as a Processor. Acting as a Processor, MONDA will Process Personal Data on Customer’s behalf only in accordance with the provisions of this DPA and the documented instructions received from Customer. MONDA shall not sell the Personal Data to or share with a third party. If MONDA is required to Process Personal Data otherwise than as instructed by Customer under the Applicable Laws to which it is subject, it shall inform Customer before such Processing occurs, unless the law requiring such Processing prohibits MONDA from informing Customer on an important ground of public interest, in which case MONDA shall notify Customer as soon as that law permits it to do so. MONDA shall ensure and regularly check that, in its area of responsibility, which includes any sub-processors employed in accordance with this DPA, the Processing of Personal Data is carried out in accordance with the provisions of this DPA and with applicable Data Protection Laws.
(1) Specification of Details. The details of the Processing are laid out in the following sections. However, if so required for a particular service under the MONDA ToS or due to the Processing activities concerning which Customer is making use of the Platform, the Parties may provide further details in a supplemental agreement to the MONDA ToS or this DPA to further specify the details of the Processing. In consideration of Customer’s responsibilities as a Controller, also the responsibility to request such further specification remains with Customer.
(2) Nature, Purpose and Subject Matter of the Processing. MONDA will Process Personal Data continuously during the Term to provide the Platform as further specified in the MONDA ToS.
(3) Duration of the Processing. MONDA will generally Process Personal Data for the Term, unless otherwise agreed upon in writing. However, notwithstanding expiry of the Term, the provisions of this DPA will remain in effect until, and will automatically expire upon, deletion of all Personal Data being Processed on behalf of Customer by MONDA and/or any applicable sub- processors.
(4) Categories of Data Subjects. Customer may submit Personal Data to the Platform, the extent of which is determined and controlled by Customer, and such data may include Personal Data relating to the following categories of Data Subjects: Customer’s employees, Representatives, external consultants, contractors, advisors, partners, agents or the like, or any other individuals whose Personal Data is submitted to MONDA by means of the Platform.
(5) Types of Customer’s Personal Data. Customer may submit Personal Data by means of the Platform, the extent of which is determined and controlled by Customer, and such data may only include the following categories of Personal Data: e-mail, name, country, job position, phone number, IP address.
(1) Place of the Processing. Customer’s Personal Data will be Processed by MONDA at its own or its authorized sub-contractor’s premises. Usually, any Processing activities will, therefore, be carried out (a) in the member states of the European Union or in another state that is party to the Agreement on the European Economic Area (“EEA”); or (b), if Customer is located in the United States or Canada, in the United States.
(2) Cross-Border Transfers. In the event that Processing involves a cross-border transfer of Personal Data, MONDA shall ensure that such transfer is permitted under Data Protection Laws, including, if necessary, by imposing valid and enforceable obligations on each recipient to adequately protect such Personal Data as required by Data Protection Laws. In particular, MONDA shall observe the following paragraphs:
(a) Where the Processing is subject to the Regulation (EU) 2016/679 (EU General Data Protection Regulation; the “GDPR”), any transfer of Personal Data to a third country outside the EU/EEA shall
(i) be permissible only upon Customer’s instruction; and (ii) be carried out in accordance with an adequacy decision of the European Commission or, in the absence of such an adequacy decision,in accordance with another transfer mechanism pursuant to Art. 46 et seqq. of the GDPR. Where MONDA relies on the EU standard contractual clauses pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“SCC”) for the transfer of Personal Data to third countries, Module Four (Processor to Controller) terms shall apply, and the SCC will be deemed completed as follows:
i) Clause 7 shall not apply;
ii) In Clause 11(a), the optional part shall not apply;
iii) In Clause 17, the SCC shall be governed by German law;
iv) In Clause 18, any disputes shall be resolved before the courts of Germany; and
v) the Annexes of the SCC shall be populated with the information set out in this DPA and the MONDA ToS.
(b) Where the Processing is subject to the UK Data Protection Act 2018 and the GDPR as implemented by such Act (“UK GDPR”), any transfer of Personal Data to a third country other than the UK shall (i) be permissible only upon Customer’s instruction; and (ii) be carried out in accordance with an adequacy decision of the competent authorities under the UK GDPR or, in the absence of such an adequacy decision, in accordance with another transfer mechanism pursuant to Art. 46 et seqq. of the GDPR (as implemented by the UK GDPR). Where MONDA relies on the SCC for the transfer of Personal Data to third countries, Module Four (Processor to Controller) terms shall apply as amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”), and the SCC and the UK Addendum will be deemed completed as follows:
i) Clause 7 shall not apply;
ii) In Clause 11(a), the optional part shall not apply;
iii) In Part 1, Table 4, only the Exporter may end the Addendum as set out in Section 19;
iv) the Annexes of the SCC shall be populated with the information set out in this DPA and the MONDA ToS.
(c) Where the Processing is subject to the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz; “FDPA”), any transfer of Personal Data to a third country other than Switzerland shall (i) be permissible only upon Customer’s instruction; and (ii) be carried out in. accordance with an adequacy decision of the competent authorities under the FDPA or, in the absence of such an adequacy decision, in accordance with another transfer mechanism pursuant to Art. 16 et seqq. of the FDPA. Where MONDA relies on the SCC for the transfer of Personal Data to third countries, Module Four (Processor to Controller) terms shall apply as amended by the Recognition dated 27 August 2021 (”Swiss Addendum”), and the SCC and the Swiss Addendum will be deemed completed as follows:
i) Case 2, Option 2 shall apply;
ii) Clause 7 shall not apply;
iii) In Clause 11(a), the optional part shall not apply;
iv) In Clause 17, the SCC shall be governed by German law;
v) In Clause 18, any disputes shall be resolved before the courts of Germany.
(1) General Instructions. The Parties agree and Customer understands that the provisions of this DPA comprise Customer’s general instructions concerning the Processing of Personal Data under the MONDA ToS.
(2) Specific Instructions. Individual instructions which deviate from the provisions of this DPA, and which impose additional requirements on MONDA, require MONDA’s prior consent, such consent not to be unreasonably withheld, unless the individual instructions are mandatory in order for Customer or the Parties to comply with Data Protection Laws.
(3) Compliance with Data Protection Laws. Customer shall ensure that its specific instructions as per section 4(2) with relation to Data Offering comply with Data Protection Laws, and that the Processing of Data Offering in accordance with Customer’s instructions will not cause MONDA to be in breach of Data Protection Laws. If MONDA is of the opinion that a permissible specific instruction infringes Data Protection Laws, it shall inform Customer thereof as soon as possible. Furthermore, MONDA is entitled to suspend the execution of the instruction until Customer confirms the instruction.
(4) Text Form. Specific instructions from Customer shall in principle be issued in text form by the dedicated contact persons of Customer communicated to MONDA under the MONDA ToS. Oral instructions must be confirmed immediately in writing or in text form by Customer to be effective.
(1) Employees. MONDA employees: (a) who have access to Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) shall Process Personal Data only as instructed to by Customer, unless otherwise required to do so by Applicable Laws; and (c) shall be provided training as necessary from time to time with respect to MONDA’s obligations under this DPA and under Data Protection Laws.
(2) Copies; Data Backups. MONDA shall not make any copies or duplicates of Data Offering without Customer’s prior consent. However, copies are excluded from this, insofar as they are required to ensure proper data processing and to properly provide the Platform and/or any services agreed under the MONDA ToS (including data backups), as well as insofar as copies are required to comply with statutory retention obligations.
(3) Data Protection Officer. MONDA shall appoint a competent and reliable data protection officer if and as long as the legal requirements for an appointment obligation are met. The contact details of such data protection officer will be made publicly available and provided to Customer upon request.
(1) Implementation and Maintenance. Prior to the commencement of the Processing, MONDA shall implement the technical and organizational measures listed in Enclosure 1 and maintain them during the term of the present DPA. These are data security measures to ensure a level of protection appropriate to the risk regarding the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of Processing as well as the varying likelihood and severity for the rights and freedoms of natural persons must be taken into account.
(2) Alternative Measures. Since the technical and organizational measures are subject to technical progress and technological development, MONDA is permitted to implement alternative and adequate measures, provided that the safety level of the measures specified in Enclosure 1 is not compromised. MONDA shall document such changes. Material changes to the measures require the prior written consent of Customer and must be documented by MONDA and made available to Customer for examination.
(1) Pre-approved Sub-processors. MONDA may not subcontract Processing operations under this DPA without Customer’s prior written consent. Customer hereby grants authorization to MONDA to subcontract Processing operations to the following sub-processors:
(2) MONDA’s Liability. MONDA shall impose privacy, confidentiality and data security obligations on any sub-processor that are equivalent to those set forth in this DPA. Where a sub- processor fails to fulfil its data protection obligations with respect to the Processing of Personal Data, MONDA shall remain fully liable to Customer for the performance of that sub-processor’s obligations.
(3) Appointment of New Sub-processors. MONDA shall give Customer written notice of the appointment of any new sub-processor. If, within fourteen (14) days of receipt of that notice, Customer notifies MONDA in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within four (4) weeks of the objection, Customer will have the right to terminate the Agreement to the extent it relates to services which require use of the proposed sub-processor.
(4) No Sub-processing. The Parties agree that ancillary service providers of MONDA are no sub-processors within the meaning of Data Protection Laws; this includes in particular transport services of postal or courier companies, cash transport services, telecommunication services, security services and cleaning services. However, MONDA shall enter into customary confidentiality agreements with such service providers.
(5) Sub-processors in Third Countries. The provisions of this section 7 shall also apply if MONDA appoints a sub-processor in a third country outside the EU/EEA. Conditional upon Customer’s consent with the appointment of such sub-processor, MONDA will ensure that a transfer mechanism in accordance with Data Protection Laws is in place and that the transfer of Personal Data be carried out accordingly.
(1) Investigations of a Supervisory Authority. Upon Customer’s written request, MONDA will assist Customer in the event of an investigation by or request from any regulator, including a competent supervisory authority, or similar authority, if and to the extent that such investigation or request relates to the Processing of Personal Data under this DPA. MONDA will take steps reasonably requested by Customer to assist Customer in complying with any obligations in connection with such an investigation or request. If an investigation by or a request from any regulator, including a competent supervisory authority, or similar authority, affects MONDA itself, it shall inform Customer hereof without undue delay if so permitted and shall co-operate within the course of such investigation or request.
(2) Data Breaches. MONDA shall inform Customer without delay, if it discovers a data breach, in particular where such data breach has led to or is likely to cause the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that MONDA is Processing on behalf of Customer under this DPA. If Customer, as a result of such data breach, is obliged by law to provide information due to a risk to the rights and freedoms of natural persons, MONDA shall assist Customer in fulfilling its duties to provide information to the extent reasonable and necessary at the latter's request.
(3) Data Protection Impact Assessment. MONDA will cooperate and assist Customer in complying with the Customer’s obligations as a Controller under Data Protection Laws, in particular but not limited to data protection impact assessments or with any regulatory consultations that Customer is legally required to make in respect of such data protection impact assessments, taking into account the nature of the processing and the information made available to MONDA.
(4) Data Subjects’ Requests. MONDA shall notify Customer without undue delay about any complaint, communication or request received directly by MONDA from a Data Subject and pertaining to his or her Personal Data, without responding to that request, unless MONDA has been otherwise authorized to do so by Customer. MONDA shall provide Customer with reasonable assistance in relation to any complaint, communication or request received from a Data Subject.
(1) Return or Deletion. Upon Customer’s written request during the Term of the MONDA ToS, or upon termination or expiration of the MONDA ToS, and when MONDA is no longer required to retain all or part of Personal Data included in the Data Offerings, MONDA shall return or destroy such Personal Data. If Data Protection Laws to which MONDA is subject prevent MONDA from returning or destroying all or part of Personal Data, MONDA warrants that it will guarantee the confidentiality of Personal Data and will not actively Process Personal Data anymore, and it will guarantee the return or destruction of Personal Data as requested by Customer when the legal obligation to not return or destroy the Personal Data is no longer in effect.
(2) Reporting. MONDA shall draw up a report on any erasure or destruction of Personal Data, which shall be submitted to Customer upon request.
(1) On-premise Audits. During normal business hours (Monday to Friday from 9 a.m. to 5 p.m. at MONDA’s location), Customer is entitled to enter MONDA’s business premises in which Personal Data are processed on behalf of Customer, at Customer’s own expense, without disrupting operations and with strict confidentiality of MONDA’s trade secrets, in order to audit compliance with this DPA. Customer shall inform MONDA in good time (generally at least two weeks in advance) of all circumstances relating to the execution of an audit.
(2) Number of Audits. As a rule, Customer may carry out one inspection per calendar year. This does not affect Customer’s right to carry out further audits in the event of special incidents.
(3) Third-Party Auditors. If Customer commissions a third party to carry out the audit, Customer must oblige the third party in writing in the same way as Customer is obligated towards MONDA on the basis of this DPA. In addition, Customer must oblige the third party to secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of MONDA, Customer shall provide the latter without delay with the confidentiality agreements concluded with the third party. Customer must not appoint a direct competitor of MONDA to carry out the inspection.
(4) Audit Reports. MONDA shall assist the Customer by providing all information necessary to demonstrate compliance with Customer’s obligations under Data Protection Laws. The demonstration of compliance with this DPA and Customer’s obligations under Data Protection Laws may also be verified by adherence to an approved code of conduct, a certification in accordance with an approved certification mechanism and the presentation of appropriate, up-to-date certificates, reports or report extracts from independent bodies (e.g. auditor, revision, data protection officer, IT security department, data protection auditors or quality auditors), or by a suitable certification after an IT security or data protection audit – e.g. according to ISO 27001 – (“Audit Report"), if and inasmuch as the Audit Report allows Customer to convince itself in an appropriate way of MONDA’s compliance with this DPA.
(5) Remuneration. If and inasmuch as MONDA did not force an audit by fault, support during such audit shall be provided only against a remuneration to be calculated in accordance with the Agreement.
(1) Governing Law; Jurisdiction. This DPA will be governed by the same law as the MONDA ToS, and the competent courts agreed between the Parties under the MONDA ToS shall have the sole jurisdiction concerning all conflicts arising out of or in connection with this DPA as well.
(1) Severability. If any provision of this DPA is held by a court of competent jurisdiction to be invalid or unenforceable, all other provisions shall remain in full force and effect.
(2) Written Form Requirement. No modification or amendment of this DPA shall be effective unless in writing. If “written form” is required in this DPA, or if it is stipulated in this DPA that declarations of the Parties are to be made “in writing”, the Parties acknowledge and agree that this written form requirement shall also be satisfied (a) in case of signing by means of electronic signature (for example via DocuSign); (b) by electronic exchange of scanned handwritten signed documents; or (c) electronic messages sent via the Platform. However, the sending of a simple e-mail or other electronic message, other than electronic messages sent via the Platform, does not comply with the agreed form.
Sign up to our newsletter for unique thought leadership and to be the first to know about every product update and event.
