Where a processor is entrusted with processing activities, it should only use processors that offer sufficient guarantees, in particular in terms of expertise, reliability and resources, to implement technical and organisational measures in accordance with the requirements of this Regulation, including as regards the security of the processing.

Online replicas and backups: Whenever possible, production databases are designed to replicate data between at least one primary database and one secondary database. All databases are backed up and maintained using at least industry-standard methods.

g. Demonstrate compliance. We will provide you with all information reasonably necessary to demonstrate compliance with this DPA, and we will allow and assist in audits, including inspections by you, to assess compliance with this DPA. You acknowledge and agree that you will exercise your audit rights under this DPA by requiring us to comply with the audit measures described in this subsection (g). You acknowledge that the Subscription Service is hosted by our data center partners, who maintain independently validated security programs (including SOC 2 and ISO 27001), and that our systems are regularly penetration tested by independent contractors. Upon request, we will provide you (on a confidential basis) with a summary of the penetration test reports so that you can verify our compliance with this DPA. In addition, upon your written request, we will provide written responses (on a confidential basis) to any reasonable request for information from you that is necessary to confirm our compliance with this DPA, provided that you do not exercise this right more than once per calendar year.

Deletion or return in case of termination.
Upon termination or expiration of the Agreement, Mailchimp (at Customer's option) will delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement does not apply to the extent that Mailchimp is required by applicable law to provide all or part of the Customer Data, or to Customer Data that it has archived on backup systems, which Customer Data Mailchimp securely isolates, protects against further processing, and ultimately deletes in accordance with Mailchimp's deletion policy, unless otherwise required by applicable law.

2.1 Role of the Parties. Where the EU Data Protection Act or LGPD applies to the processing of Customer Data by either party, the parties acknowledge and agree that, with respect to the processing of Customer Data, the Customer is the Controller and Mailchimp is a Processor acting on behalf of the Customer, as further described in Appendix A (Data Processing Details) of this DPA. For the avoidance of doubt, this DPA does not apply to cases where Mailchimp is the controller (within the meaning of European data protection law), unless otherwise specified in Annex D.

There are also some credible online resources, such as the DPA template from GDPR.eu, to help make sure your agreements are GDPR compliant.

First steps to be taken to prepare the drafting of a DPA

Explanation of definitions

Most DPAs will inevitably contain a lot of legal jargon, but in the end the agreement should be clearly understandable to all parties. To ensure that even those without a legal degree or data protection practice have a solid understanding of the DPA, it may be useful to provide the EDPS glossary, which is easily accessible from here. Then have an open discussion with everyone involved.
(i) in the case of further sub-processing, the processing activity referred to in Clause 11 is carried out by a sub-processor who ensures at least the same level of protection of personal data and the rights of the data subject as the data importer in accordance with the Clauses; and

Contacts: identification and contact details (name, date of birth, gender, general, professional or other demographic information, address, title, contact details including e-mail address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); computer information (IP addresses, usage data, cookie data, online browsing data, location data, browser data); financial information (credit card details, account details, payment information).
It's likely that your customer, who is also a data controller, will only tell you what to do. In addition, as a data processor, you will need to implement all the organisational measures and meet the technical requirements set out in the DPA. In some cases, it may be necessary for a processor to obtain certification or to develop corporate rules approved by EU regulators.