This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under the BlackFog Terms of Service (the “Principal Agreement”). This Agreement is an amendment to the Principal Agreement and is effective upon its incorporation into the Principal Agreement, which incorporation may be specified in the Principal Agreement or an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this Agreement will form a part of the Principal Agreement.
We periodically update this Agreement. If you have an active BlackFog account, you will be informed of any modification by email.
The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.
For the data processing activities described in the respective Annex 1 of this agreement, where BlackFog acts as the Customer’s Processor, the parties agree to the following provisions on the commissioned processing of personal data (Data Processing Agreement, “DPA”) until further notice.
The DPA does not apply if the Customer is a natural person using the Software or the Services in the course of a purely personal or family activity (cf. Art. 2(2)(c) EU General Data Protection Regulation, “GDPR”).
2. Rights and obligations of BlackFog
2.1. Compliance with applicable laws
The obligations of BlackFog shall arise from this DPA and the applicable laws. The applicable laws shall in particular include the Federal Data Protection Act (“FDPA”) and the GDPR.
2.2. Processing on instructions only
To the extent this DPA is applicable, BlackFog shall only process personal data within the scope of this DPA and on documented instructions of the Customer, which are mutually agreed upon by the parties and especially defined by the Product functionality, unless BlackFog is required to do so by Union or the member state law to which BlackFog is subject; in such a case BlackFog shall inform the Customer of that legal requirement before processing, unless the respective law prohibits such information on important grounds of public interest. The Customer can give additional written instructions as far as this is necessary to comply with the applicable data protection law. The documentation on issued instructions shall be kept by the Customer for the term of the DPA.
2.3. Obligation of confidentiality
BlackFog shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality unless they are subject to an appropriate legal obligation of secrecy.
2.4. Security measures according to Art. 32 GDPR
- 2.4.1. Principle
BlackFog will take the necessary measures for the security of the processing according to Article 32 GDPR (hereinafter referred to as “Security Measures”).
- 2.4.2. Scope
For the specific commissioned processing of personal data, a level of security appropriate to the risk to the rights and freedoms of the natural persons affected by the processing shall be guaranteed. To this end, the protection objectives of Art. 32 (1) GDPR, such as confidentiality, integrity and availability of systems and services and their resilience in terms of the nature, scope, as well as context of the processing shall be taken into account in such a way that the risks are mitigated permanently by appropriate Security Measures.
- 2.4.3. Security Measures
The adopted Security Measures are described in detail in the documentation of the Security Measures, which is attached to this DPA as Annex 2.
- 2.4.4. Procedure for reviewing
The documentation of the security measures also describes the procedures for the regular review, assessment, and evaluation of the effectiveness of the then-current Security Measures.
- 2.4.5. Changes
The Security Measures are subject to technical progress and further development. BlackFog shall be generally permitted to implement alternative appropriate measures. In doing so, the level of security may not fall below the level existing prior to this DPA on the basis of the Security Measures already implemented or to be implemented.
2.5. Assistance with safeguarding the rights of data subjects
BlackFog shall, taking into account the nature of the processing, assist the Customer as far as this is possible by appropriate technical and organizational measures in the fulfillment of requests to exercise the rights of affected data subjects as referred to in Chapter III of the GDPR. Should a data subject contact BlackFog directly to exercise the data subject’s rights regarding the data processed on behalf of the Customer (as far as identifiable), BlackFog shall immediately forward such request to the Customer. The Customer shall remunerate BlackFog an hourly rate of 100 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
2.6. Assistance with ensuring compliance with Art. 32 – 36 GDPR
Taking into account the type of processing and the information available to BlackFog, BlackFog shall support the Customer with appropriate technical and organizational measures to comply with the obligations mentioned in Article 32-36 GDPR, especially with regard to the security of the processing, the notification of personal data breach, the data protection impact assessment as well as the consultation with supervisory authorities. The Customer shall remunerate BlackFog an hourly rate of 100 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
2.7. Records of processing activities
BlackFog will provide the Customer with the information necessary to maintain the records of processing activities.
2.8. Deletion and return at the end of processing
At the choice of the Customer, BlackFog shall delete or return the personal data that is processed on behalf of the Customer, if and to the extent that the law of the European Union or a member state to which BlackFog is subject does not provide for an obligation to store the data.
2.9. Information to demonstrate compliance with data protection obligations and inspections
BlackFog shall provide the Customer with all information necessary to demonstrate compliance with the obligations resulting from Sections 2 and 3 of this DPA.
2.10. Obligation to notify in case of doubts about instructions
BlackFog shall inform the Customer immediately if BlackFog is of the opinion that the execution of an instruction could lead to a violation of the applicable data protection law. BlackFog is entitled to suspend the execution of the relevant instruction until it is confirmed in writing or changed by the Customer after the review.
2.11. Obligation to notify breaches
If BlackFog detects violations of the applicable data protection law, this DPA, or instructions of the Customer regarding the commissioned processing of personal data, BlackFog shall inform the Customer immediately.
2.12. Appointment of a data protection officer
BlackFog has appointed a data protection officer, who can be reached at firstname.lastname@example.org, or at BlackFog, Inc, for the attention of the Data Protection Officer, 1712 Pioneer Av. Cheyenne, WY 82001, USA.
2.13. Data transfers to a third country
BlackFog will generally only transfer personal data processed within the scope of this DPA to a country outside the EU or the European Economic Area (EEA) for which no adequacy decision of the EU Commission in the sense of Art. 45 para. 3 GDPR exists (“unsafe third country”), provided that:
- a. the Customer or the Customer’s user gives BlackFog instructions for such a transfer, e.g., by requesting BlackFog to establish a connection to an endpoint located in an unsafe third country (in such cases the Customer is responsible for ensuring that the data transfer is carried out in accordance with Art. 44 et seq. GDPR), or
- b. BlackFog is obliged to do so according to the law of the European Union or a member state to which BlackFog is subject; in such a case BlackFog will inform the Customer about these legal requirements prior to processing, unless the respective law prohibits such a communication on important grounds of public interest.
Furthermore, BlackFog shall be entitled to utilize Subprocessors in a third country to process personal data, insofar as the requirements of Art. 44 GDPR are met.
3.1. Subprocessors engaged upon conclusion of the DPA
BlackFog utilizes the services of a number of other processors (hereinafter, “Subprocessors”). The list of Subprocessors used by BlackFog for each of the BlackFog products can be found under the following link as Annex 3. By concluding the DPA, the Customer agrees to the engagement of the Subprocessors that are included in Annex 3 at the time of concluding the DPA for the relevant BlackFog Product.
3.2. Notification regarding further Subprocessors
If BlackFog wishes to commission further or other Subprocessors to provide the contractually agreed services (e.g., hosting), such Subprocessors have to be selected with the required care and due diligence. BlackFog shall update Annex 3 with the appointment of any new Subprocessors.
3.3. Subprocessors in third countries
Subprocessors in third countries may only be engaged if the special requirements of Art. 44 et seq. GDPR are fulfilled.
3.4. Obligations of Subprocessors
- 3.4.1. Structuring Contracts According to the Requirements of the DPA
BlackFog shall structure the contracts with Subprocessors in a way that they comply with the requirements of the applicable data protection laws and this DPA.
- 3.4.2. Engagement of additional or different Subprocessors
BlackFog shall oblige the Subprocessors not to commission additional or different Subprocessors with the processing of personal data without observing the provisions of section 3.2 towards BlackFog.
- 3.4.3. Subprocessor guarantees
BlackFog shall contractually impose obligations on the Subprocessors providing sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR and this DPA.
4. Changes to this DPA
BlackFog is generally entitled to amend the provisions of this DPA. BlackFog will inform the Customer about the planned change and the content of the new DPA at least twenty-eight (28) days before such changes become effective.
Reference is made to Art. 82 of the GDPR.
For the rest, it is agreed that the regulations on limitation of liability from the corresponding license agreement shall apply.