This Data Processing Addendum (the “Addendum”) is made by and between Dafar DMCC (“Dafar”, “Company” “we”, “us”, “our”) and you. This Addendum is incorporated into the Terms of Service or other written agreement (“Agreement”) between Dafar and you that incorporates this Addendum. Your use of the Service constitutes your acceptance of the Agreement and this Addendum. This Addendum applies in respect of Dafar’s provision of the Services to you if the Processing of Customer Personal Data (as defined below) is subject to the GDPR, only to the extent you are a Controller and Dafar is a Processor of Customer Personal Data. This Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
1.1 For the purposes of the Addendum:
1.1.1. Customer Personal Data means the Personal Data described under Section 2 of this Addendum, in respect of which you are the Controller;
1.1.2. Data Protection Legislation means the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
1.1.3. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; and
1.1.4. Personal Data, Data Subject, Personal Data Breach, Process, Processor and Controller will each have the meaning given to them in the GDPR.
1.2 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2.1 Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to the clients that you interact with through the Services.
2.2 Types of Personal Data. Customer Personal Data includes Personal Data, the extent of which is determined and controlled by you in your sole discretion, such as names, contact information, and financial information.
2.3 Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Dafar is the provision of the Services to you that involves the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities which Dafar needs to perform in order to provide the Services pursuant to the Agreement.
2.4 Purpose of the Processing. Customer Personal Data will be Processed by Dafar for purposes of providing and improving the Services set out into the Agreement.
2.5 Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this Addendum.
3.1 The parties acknowledge and agree that you are the Controller of Customer Personal Data and Dafar is the Processor of that data. Dafar will only Process Customer Personal Data as a Processor on behalf of and in accordance with this Addendum and your prior written instructions, including with respect to transfers of personal data. You hereby instruct Dafar to Process Customer Personal Data to the extent necessary to enable Dafar to provide the Services in accordance with the Agreement.
3.2 If Dafar cannot process Customer Personal Data in accordance with your instructions due to a legal requirement under any applicable European Union or Member State law, Dafar will (i) promptly notify you of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as you issue new instructions with which Dafar is able to comply. If this provision is invoked, Dafar will not be liable to you under the Agreement for failure to perform the Services until such time as you issue new instructions.
3.3 The parties will comply with their respective obligations under the Data Protection Legislation. You shall ensure that you have obtained (or will obtain) all rights and consents (if required) which are necessary for Dafar to Process Customer Personal Data in accordance with this Addendum.
4.1 In connection with the performance of the Agreement, Customer authorizes Dafar to Process Customer Personal Data associated with Data Subjects from the European Economic Area and/or Switzerland (collectively “EEA”) in the United Arab Emirates, whether Dafar transfers Customer Personal Data from the EEA or whether it receives Customer Personal Data from the EEA that was already transferred by Customer.
4.2 Dafar will provide an adequate level of protection for Customer Personal Data, wherever processed, in accordance with the requirements of applicable data protection law.
Dafar will ensure that any person whom Dafar authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
6.1 Dafar will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
6.2 Dafar will, at your request and subject to you paying all of Dafar’s fees at prevailing rates, and all expenses, provide you with reasonable assistance as necessary for the fulfilment of your obligation to keep Customer Personal Data secure.
7.1 You authorize Dafar to appoint sub-Processors to perform specific services on Dafar’s behalf which may require such sub-Processors to Process Customer Personal Data. Dafar will inform you of any intended changes concerning the addition or replacement of any sub-Processors and You will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
7.2 Dafar will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Dafar under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, Dafar will be liable to you for the performance of its sub-Processors’ obligations.
Dafar will, at your request and subject to you paying all of Dafar’s fees at prevailing rates, and all expenses, provide you with assistance necessary for the fulfilment of your obligation to respond to requests for the exercise of Data Subjects’ rights. Dafar shall not respond to such requests without your prior written consent and written instructions. You shall be solely responsible for responding to such requests.
Dafar will notify you as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Customer Personal Data. At your request and subject to you paying all of Dafar’s fees at prevailing rates, and all expenses, Dafar will promptly provide you with all reasonable assistance necessary to enable you to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if you are required to do so under the GDPR. You are solely responsible for complying with data incident notification requirements applicable to you and fulfilling any third-party notification obligations related to any data incidents.
Dafar will, at your request and subject to you paying all of Dafar’s fees at prevailing rates, and all expenses, provide you with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if you are required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by Dafar of the Customer Personal Data, taking into account the nature of the Processing and the information available to Dafar.
Dafar will return or delete, at your choice, Customer Personal Data to you after the end of the provision of Services relating to the Processing, and delete existing copies unless the applicable European Union or member state law requires storage of the data.
Dafar will, at your request and subject to you paying all of Dafar’s fees at prevailing rates, and all expenses, provide you with all information necessary to enable you to demonstrate compliance with your obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, to the extent that such information is within Dafar’s control and Dafar is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. Dafar will immediately inform you if, in its opinion, an instruction from you infringes the Data Protection Legislation.
13.1 Each party’s liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.2 You acknowledge that Dafar is reliant on you for direction as to the extent to which Dafar is entitled to Process Customer Personal Data on behalf of you in performance of the Services. Consequently, Dafar will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Dafar, to the extent that such action or omission resulted directly from your instructions or from your failure to comply with your obligations under the Data Protection Legislation.
With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.
Is there anything we can help you with?