Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the General Terms and Conditions of OpenSanctions Datenbanken GmbH – hereinafter referred to as the "Data Processor" – when the General Data Protection Regulation (EU) applies to certain customers – hereinafter referred to as the "Data Controller" and hereinafter collectively referred to as the "Parties".

1. Subject Matter

1.1 The subject matter of this Data Processing Agreement is to establish the data protection framework for the contractual relationship between the Parties.

1.2 The description of each specific task, including details of the task's scope, nature, purpose of data processing, types of personal data, and categories of data subjects, can be found in the annex under section 1.

2. Location of Data Processing

The contractually agreed data processing shall take place exclusively in a Member State of the European Union or another country party to the Agreement on the European Economic Area, unless otherwise specified in the annex. Any transfer of processing to a third country shall require the prior written consent of the Data Controller and shall only be carried out if the special conditions for transfers to third countries pursuant to Articles 44 ff. GDPR are met.

3. Duration

3.1 OpenSanctions processes data for the duration it provides its services to the Controller. When the Controller cancels its OpenSanctions subscription, the Processor will cease to process the data.

3.2 The Data Controller may terminate its subscription without notice if the Data Processor seriously breaches data protection regulations or the provisions of this Agreement. In particular, non-compliance with the obligations agreed in this Agreement and derived from Article 28 GDPR constitutes a serious breach.

4. Instructions

4.1 The Data Processor shall process personal data only within the scope of the contracts concluded between the Parties and the instructions given by the Data Controller. This shall not apply if the Data Processor is required to process the data by EU law or the laws of the Member State to which the Data Processor is subject. In such cases, the Data Processor shall inform the Data Controller of these legal requirements before processing, unless such notification is prohibited by the relevant law due to an important public interest.

4.2 If instructions alter, cancel, or supplement the specifications made in the annex to this Agreement, they shall only be valid if a corresponding new agreement is made in writing.

4.3 Regardless of the form in which an instruction is issued, both the Data Processor and the Data Controller shall document every instruction from the Data Controller in written form; email is sufficient for this purpose. These instructions shall be retained for the duration of the Agreement and for three years thereafter.

4.4 The Data Processor shall promptly notify the Data Controller if, in the Data Processor's opinion, an instruction from the Data Controller violates legal provisions. In such cases, the Data Processor shall have the right, upon timely prior notice to the Data Controller, to suspend the execution of the instruction until the Data Controller has amended or confirmed the instruction. If the Data Processor can demonstrate that processing according to the Data Controller's instructions may result in the Data Processor's liability under Article 82 GDPR, the Data Processor shall be entitled to suspend further processing until the liability between the Parties has been clarified.

5. Support Obligations of the Data Processor

5.1 Given the nature of the processing, the Data Processor shall implement appropriate technical and organizational measures to assist the Data Controller in responding to requests from data subjects under Articles 12 to 22 GDPR.

5.2 Taking into account the nature of the processing and the information available to it, the Data Processor shall support the Data Controller in fulfilling its obligations under Articles 32 to 36 GDPR. Specifically, this includes ensuring the security of processing, reporting data breaches to the supervisory authority, notifying data subjects of breaches, conducting data protection impact assessments, and consulting the relevant supervisory authority.

5.3 If a data subject or supervisory authority contacts the Data Processor directly regarding personal data processed under this Agreement, the Data Processor shall promptly inform the Data Controller and coordinate further steps with them.

6. Audit Rights of the Data Controller

6.1 Upon request, the Data Processor shall provide the Data Controller with all necessary information to demonstrate compliance with the obligations set out in this Agreement and Article 28 GDPR. In particular, the Data Processor shall provide the Data Controller with information about stored data and data processing programs.

6.2 The Data Controller or third parties appointed by it are entitled to verify compliance with the obligations arising from this Agreement and Article 28 GDPR, subject to prior agreement. The Data Processor shall facilitate this and cooperate accordingly.

6.3 Upon request, the Data Processor shall provide the Data Controller with suitable evidence of compliance with the obligations under Article 28(1) and (4) GDPR. Such evidence may be provided in the form of documents and certificates that reflect approved codes of conduct under Article 40 GDPR or approved certification mechanisms under Article 42 GDPR.

7. Data Protection Officer of the Data Processor

The Data Protection Officer of the Data Processor is listed in the annex to this Agreement, to the extent that a Data Protection Officer must be appointed or is voluntarily appointed for the Data Processor.

8. Confidentiality

8.1 The Data Processor confirms that it is familiar with the data protection regulations relevant to the data processing under the GDPR. When processing the Data Controller's personal data, the Data Processor shall maintain the confidentiality of that data. This obligation shall continue to exist after termination of this contractual relationship.

8.2 The Data Processor shall ensure that employees involved in the work are familiarized with the relevant data protection regulations. The Data Processor shall oblige these employees in writing to maintain confidentiality during and after their employment, unless they are subject to an appropriate statutory duty of confidentiality. The Data Processor shall monitor compliance with data protection regulations within its company.

8.3 The Data Processor shall only provide information to third parties or data subjects with the prior written consent, or consent in electronic format, of the Data Controller.

9. Technical and Organizational Measures

9.1 The Data Processor shall implement appropriate technical and organizational measures to ensure that processing is in accordance with the requirements of the GDPR and that the rights of data subjects are protected. The Data Processor shall organize its internal processes to meet the specific data protection requirements and achieve an appropriate level of protection. In particular, the Data Processor shall ensure the appropriate security of processing, including confidentiality (including encryption), availability, integrity, and resilience of the systems and services used for data processing, taking into account the state of the art in technology.

9.2 Technical and organizational measures may be adapted to technical developments during the term of the contractual relationship. The adapted measures must at least meet the security level of the measures agreed upon in the annex. Significant changes shall be agreed upon in writing or electronic format.

10. Information Obligations of the Data Processor and Breach of Personal Data Protection

10.1 The Data Processor shall immediately inform the Data Controller of any breaches or suspected breaches of this Agreement or regulations related to the protection of personal data.

10.2 The Data Processor shall assist the Data Controller in investigating, limiting the damage, and rectifying breaches.

10.3 If the personal data processed under this Agreement is endangered at the Data Processor's premises through seizure or confiscation, insolvency or composition proceedings, or other events or actions by third parties, the Data Processor shall immediately inform the Data Controller. The Data Processor shall also promptly inform all relevant parties that control over the data is with the Data Controller.

10.4 If supervisory authorities conduct audits, the Data Processor undertakes to inform the Data Controller of the results as far as they concern the processing of personal data under this Agreement. The Data Processor shall rectify any deficiencies identified in the audit report without delay and inform the Data Controller accordingly.

10.5 This section 10 applies mutatis mutandis to incidents in processes performed by subcontractors.

11. Subcontractors

11.1 The engagement of subcontractors by the Data Processor shall only take place with the written or electronic consent of the Data Controller.

11.2 The Data Processor shall contractually ensure that the provisions agreed in this Agreement also apply to subcontractors. The contract between the Data Processor and the subcontractor must be in writing or electronic format.

11.3 Engagement of subcontractors in third countries shall only occur if the special conditions of Articles 44 ff. GDPR are met.

11.4 The Data Controller hereby gives its consent to the engagement of subcontractors listed in the annex.

11.5 The Data Processor shall ensure that the Data Controller has the same rights of instruction and control over subcontractors as it has over the Data Processor under this Agreement. If a subcontractor fails to fulfill its data protection obligations, the Data Processor shall be liable to the Data Controller for the performance of those obligations.

12. Deletion and Return of Personal Data

12.1 After the completion of the processing activities specified in the main contract(s), the Data Processor is obligated to either return or delete all personal data received during the data processing, as chosen by the Data Controller. This includes, in particular, the results of data processing, provided documents, and data carriers, as well as copies of personal data. The obligation to delete or return does not apply if, under EU law or the laws of the Member States, the Data Processor is legally obligated to continue storing the data. If further storage is required, the Data Processor shall limit processing and use the data only for the purposes for which storage is required. The obligations for data security shall remain in effect for the duration of storage. The Data Processor shall delete the data without undue delay once the obligation to store it ceases.

12.2 Deletion shall be performed in such a way that the data cannot be reconstructed.

12.3 The processes shall be logged, including the date and the person conducting them. The logs and evidence of completion in written form shall be made available to the Data Controller within 48 hours of the completion of the processes.

13. Liability

The Data Processor shall be liable within the scope of statutory provisions for damages resulting from culpable violations of data protection regulations or this Data Processing Agreement. The Data Processor shall also be liable for the culpable conduct of its subcontractors and their subcontractors.

14. Final Provisions

14.1 The right to assert a right of retention in accordance with Section 273 of the German Civil Code (BGB) is excluded with regard to data processed for the Data Controller.

14.2 The annex or, in the case of multiple main contracts, the annexes to this Agreement form an integral part of it.

14.3 Changes or ancillary agreements require written or electronic format. This also applies to changes to this form requirement.

14.4 If a provision of this Agreement is found to be invalid, this shall not affect the validity of the remaining provisions of the Agreement.

14.5 This Agreement is subject to the laws of the Federal Republic of Germany. The place of jurisdiction is the registered office of the Data Processor.

ANNEX TO THE DATA PROCESSING AGREEMENT

1.1 Subject Matter and Nature of the Processing

The Processor offers a hosted API service that its customers can use to query the OpenSanctions dataset. OpenSanctions does not store the query data beyond the period of the processing required to generate a response.

1.2 Type of Data and Categories of Data Subjects

The data types and categories of data subjects depend on the queries the Controllers send to the OpenSanctions dataset using the hosted API.

2. Data Protection Officer

The Processor is not obliged to appoint a Data Protection Officer.

Point of contact for questions is Chief Business Officer Frederik Richter, E-Mail frederik@opensanctions.org.

3. Subcontractors

The approved subcontractors at the time of concluding this Agreement are documented here.

4. Technical and Organizational Measures according to Article 32 GDPR

The technical and organizational measures at the time of concluding this Agreement are documented here.