Data Protection Agreement


This Data Protection Agreement ("Agreement") is incorporated by reference into the Elements Terms and Conditions ("Main Agreement") entered into by and between the entity which is identified in the purchase order which this Agreement is annexed to ("Controller") and Elements Global Inc., on behalf of itself and its affiliates ("Processor"). All defined terms contained herein shall have the same meaning as the definitions set forth in the Main Agreement.

Processor shall comply with the following in respect of personal data (as defined under Regulation (EU) 2016/679 (General Data Protection Regulation) ("PII" and "GDPR" respectively)):

  1. Controller's Compliance. Controller's instructions for processing of PII shall comply with all applicable privacy and data protection laws, including the GDPR. Controller shall have sole responsibility for the accuracy, quality and legality of PII and the means by which Controller acquired PII. 

  2. Details of Processing. The details of the processing activities to be carried out by Processor in respect of the Services are specified in Appendix 1.

  3. Data Subjects Rights. Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller's obligations to respond to requests by data subjects in exercising their rights under applicable laws. 

  4. Confidentiality. Processor shall ensure that its personnel engaged in the processing of PII are bound by a confidentiality undertaking.   

  5. Data Breach. Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PII ("Data Breach").

  6. Records. Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor's and Controller's contact details, details of data protection officers (where applicable), the categories of processing, transfers of PII across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.

  7. Sub-Processors. Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors listed in Appendix 2, which Processor may update from time to time. Such sub-processors shall be bound by data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the Services provided by such sub-processor. If required for processing by any of Processor’s entities, the EU Standard Contractual Clauses attached hereto as Appendix 4 shall also apply hereto.  

  8. Assistance. Processor will assist Controller in ensuring compliance with Controller's obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other request by a supervisory authority.

  9. Possible Violation. Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.

  10. Information. Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations set forth in this Agreement.

  11. Audits. Upon Controller's request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller. 

  12. Technical and Organizational Measures

    12.1 Processor shall implement and maintain all technical and organizational measures that are required for protection of the PII and ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to PII and/or as otherwise required pursuant to the GDPR, including, inter alia, the measures set forth in Appendix 3. When complying with Section 12 hereof, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.

    12.2 Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. Processor shall promptly implement all changes to Appendix 3, as requested by Controller. Processor shall ensure that all persons acting under its authority or on its behalf and having access to the PII, do not process the PII except as instructed by Controller and permitted herein.

  13. Transfer of PII to Third Countries. Processor will not transfer PII to a recipient located in a country that is not a Member State of the European Union or European Economic Area, unless that country is considered by the European Commission to have an adequate level of protection or pursuant to EU standard contractual clauses for the transfer of personal data to processors established in third countries (Commission Decision 2010/87/EC), before such transfer.

  14. Return and Deletion of PII. On the Controller's request, Processor shall return or destroy PII to the extent allowed by applicable law.



Appendix 1 - Processing Details

  1. Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of the Services set forth in the Main Agreement.

  2. Categories of Data Subjects. Employees of the Controller and relevant contact persons.

  3. Types of PII. Basic personal information, location data relevant information for the purpose of providing the services.


Appendix 2 - Sub-Processors


Appendix 3 - Technical and Security Measures

  1. The pseudonymisation of PII.

  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

  3. The ability to restore the availability and access to PII in a timely manner in the event of a physical or technical incident.

  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

© 2024 Elements Global, Inc. All rights reserved.
