CLIENT GENERAL TERMS AND CONDITIONS

Last updated 19.04.2024

We are Esgrid Technologies OÜ (“we”, “us”, or “our”), a company registered in Estonia at Marati 5, Tallinn 11712.

We provide an ESG data management platform for businesses (the “Platform”) available at https://esgrid.com (the “Site”), as well as other related products and services that refer or link to these Client General Terms and Conditions (the “Terms”) (collectively, the “Service(s)”). 

These Terms constitute a legally binding agreement made between you (“you”) and us (individually “Party”, together the “Parties”), concerning your access to and use of the Services. 

Supplemental terms and conditions, as well as other documents, that are made available to you on or outside of the Platform about or in relation to the Services from time to time (the “Supplemental Documents") are hereby expressly incorporated herein and supplement these Terms. These Supplemental Documents include, but are not limited to:

1. any amendments or supplements to these Terms;

2. our offer (if any) accepted by you on or outside the Platform or any other agreement made between us on or outside the Platform that reflects any changes to our standard products to be made at your request, any additional Services to be provided to you and/or the more specific terms and conditions of the Services (that include but are not limited to prices, Service content and volumes, etc.) (the “Special Terms”);

3. documents made available by us from time to time on the Platform concerning the methodology used to carry out our assessments;

4. other documents made available by us to you on or outside the Platform that specify the content, terms and provision of the Services.

In the case of any discrepancy between these Terms and the Supplemental Documents, the provisions of the Supplemental Documents shall prevail. 

You agree and confirm that by acceptance of these Terms or the Special Terms (whether on or outside of the Platform) or by accessing the Services (in case both are done, then whichever is earlier), you have read, understood, and agreed to be bound by these Terms as well as any Supplemental Documents. If you do not agree to this, then you are expressly prohibited from using the Services and you must discontinue use immediately. The discontinuance of the use of the Services shall not release you from the obligations arising from the Terms, Special Terms and other Supplemental Documents.

Any reference in these Terms to Terms also includes the Supplemental Documents unless the context requires otherwise. 

It is your responsibility to periodically review these Terms, the Supplemental Documents, as well as any information made available on the Platform about or in relation to the Services to stay informed of updates.

TABLE OF CONTENTS

1 OUR SERVICES

2 USER ACCOUNT AND REGISTRATION

3 USER REPRESENTATIONS

4 INTELLECTUAL PROPERTY RIGHTS

5 CONFIDENTIALITY

6 SERVICE FEE

7 PROHIBITED ACTIVITIES

8 SERVICES MANAGEMENT

9 CHANGES AND INTERRUPTIONS TO SERVICES

10 PERSONAL DATA PROCESSING

11 TERM AND TERMINATION

12 AMENDMENTS

13 DISCLAIMER

14 LIMITATIONS OF LIABILITY AND INDEMNIFICATION

15 USER DATA

16 NOTICES

17 GOVERNING LAW AND DISPUTES

18 MISCELLANEOUS

19 CONTACT US

ANNEX I – data processing agreement

1 Processing of the personal data

2 Rights and obligations of the controller

3 Rights and obligations of the processor

4 Auditing rights

5 Use of sub-processors

6 Data transfers outside the eu/eea

7 Deletion or return of personal data

8 Miscellaneous

DPA Annex 1 – Details of Data Processing

1 subject-matter of the processing

2 Nature of the processing

3 Categories of data subjects

4 Types of personal data

5 Duration of processing

1. OUR SERVICES

   1. As part of the Services via our Platform, we offer Value Chain ESG assessments. This Service enables you to collect and assess ESG data on your value chain by inviting your customers, suppliers and other value chain entities to complete the surveys and participate in the assessments on the Platform. 

   2. The Services are provided to you in accordance with the Terms, the Special Terms or other Supplemental Documents. More details on the Services and available packages can also be found on our Site. 

   3. The above-referenced Services are provided (and the ESG assessments are carried out) pursuant to the methodology published on our Platform. The relevant methodology is subject to change (among others in line with any developments and changes in the applicable ESG legislation and standards). 

   4. We may offer additional Services that are available on our Site and/or on which we have agreed on with you in Special Terms. These Terms also apply to any such Services unless expressly provided otherwise.

   5. The Services are intended for use by legal persons only.

2. USER ACCOUNT AND REGISTRATION

   1. To use the Services, you are required to register a user account. You agree to keep your password confidential and will be responsible for all use of your account and password, including any misuse of your user account.

3. USER REPRESENTATIONS

   1. By using the Services, you represent and warrant that: 

      1. all registration information you submit will be true, accurate, current, and complete; 

      2. you will maintain the accuracy of such information and promptly update such registration information as necessary; 

      3. the person accepting the Terms, the Special Terms or other Supplemental Documents has the authority to enter into legally binding agreements on behalf of you for using the Platform and all Terms, the Special Terms or other Supplemental Documents accepted by such person are legally binding on you;

      4. you and the persons having access to the Platform shall use the Services and access the Platform in accordance with the Terms, the Special Terms or other Supplemental Documents and in compliance with all laws and regulations and only for the purposes for which the Services are provided to you.

4. INTELLECTUAL PROPERTY RIGHTS

   1. Your use of our Services

      1. Subject to your compliance with these Terms, the Special Terms or other Supplemental Documents and against payment of the service fee we grant you for the duration of your use of the Services a worldwide, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Services for the purposes stated in these Terms, the Special Terms or other Supplemental Documents and our Site.

      2. Except as set out in our Terms, the Special Terms or other Supplemental Documents no part of the Services or any content on the Platform or generated by the Platform may be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our prior permission provided in a form reproducible in writing.

      3. We reserve all rights not expressly granted to you in and to the Services or any content on the Services.

   2. Value Chain Entity’s Submissions

      1. The Platform enables you to invite your customers, suppliers and other value chain entities (each “Value Chain Entity”) to complete the surveys and questionnaires made available to them via the Platform in line with the Services package chosen by you and to participate in the relevant ESG assessments.  You shall submit the list of the selected Value Chain Entities to us prior to inviting the relevant Value Chain Entities to participate in the ESG assessment. To be able to participate in the assessment, the Value Chain Entity must create an account on the Platform and accept the relevant terms of service (the “Value Chain Entity Terms”). 

      2. Subject to authorisation by the Value Chain Entity granted in accordance with the Value Chain Entity Terms and subject to the confidentiality undertakings included in these Terms, during the validity of the Terms you can access all your Value Chain Entities’ ESG assessments started, in progress and completed on the Platform (“Value Chain Entity’s Submission(s)”), including the Value Chain Entity’s Submissions for ESG assessments initiated by a third party.

      3. The Value Chain Entity is solely liable for any documents and information made available on the Platform as part of the Value Chain Entity’s Submissions. We do not check or verify the accuracy or correctness of documents and/or information unless it is explicitly part of the Service, we have agreed on with you.

   3. Deliverables

      1. Copyright and other intellectual property rights in any documents generated by the Platform as a result of and/or in the course of your use of our Services (the “Deliverables”) belong to us. However, you may use such Deliverables (including the Value Chain Entity’s Submissions contained therein) indefinitely and only for your value chain ESG assessments, as well as for complying with the ESG reporting obligations applicable to you pursuant to laws and regulations.

   4. Any breach by you of Section 3 or 4 will constitute a material breach of our Terms.

5. CONFIDENTIALITY

   1. During the validity of these Terms in respect to you and perpetually after the expiration of these Terms, you are obliged to keep the information received as part of or in relation to the Services from us, any Value Chain Entities or third persons on or outside of the Platform and otherwise through use of the Services confidential. "Confidential Information" is any information regarding the Service’s technical information (including information about intellectual property objects, IT systems, source code and software and information related to the above), any other information shared by us with you in connection with provision of the Services, as well as any information and documents included in the Value Chain Entity’s Submissions (except for the information that is publicly available).

   2. You will ensure that you:

      1. use the Confidential Information only to fulfil your rights and obligations arising from the Terms and for your value chain ESG assessments, as well as for complying with the ESG reporting obligations applicable to you pursuant to laws and regulations. The use of Confidential Information for purposes other than those described above is carried out only on the basis of permission provided in a form reproducible in writing by us or the Value Chain Entity, as appropriate;

      2. keep Confidential Information confidential and do not disclose it to third parties or the public without our or the Value Chain Entity’s (as appropriate) permission provided in a form reproducible in writing;

      3. take all reasonable measures to prevent disclosure of Confidential Information to third parties or the public as a result of your actions or inaction.

   3. For the purposes of these Terms, the following are not third parties or persons to whom the disclosure of Confidential Information is restricted: a) your employees and other persons participating in the receipt of the Services and value chain ESG assessments, provided that the Confidential Information is disclosed to these persons only to the extent that the persons need the information, and you ensure that these persons keep Confidential Information confidential; and b) your auditors, legal advisers and banks who are subject to similar confidentiality obligations under law.

   4. You shall immediately inform us in the event that Confidential Information is or may be disclosed to a person who does not have the right to receive such information.

   5. Any breach by you of this Section 5 will constitute a material breach of our Terms

6. SERVICE FEE

   1. Use of the Services shall be subject to the payment of the service fee (“Service Fee”) agreed in the Special Terms. Unless provided otherwise by the Special Terms, the Service Fee is paid as an advance payment. We offer various payment methods on our Site or as agreed in Special Terms. 

   2. The actual Service Fee and payment methods available at the specific time may vary and you will be informed of the applicable Service Fee and specific payment methods available at our Site or in the Special Terms before purchasing the subscription for the Services.

   3. We may change our Service Fee and subscription plans from time to time; however, any Service Fee changes or changes to your subscription plans will apply no earlier than your next Service subscription term. If you do not wish to accept the Service Fee change or change to your subscription plan, you can terminate your subscription (terminate the Terms in respect of you) before the change takes effect.

7. PROHIBITED ACTIVITIES

   1. You may not access or use the Services for any purpose other than that for which we make the Services available.

   2. As a user of the Services, you agree not to:

      1. trick, defraud, or mislead us and other users, especially in any attempt to learn Confidential Information;

      2. circumvent, disable, or otherwise interfere with security-related features of the Services, including features that prevent or restrict the use or copying of any content on the Platform or enforce limitations on the use of the Services and/or the content contained therein;

      3. disparage, tarnish, or otherwise harm, us and/or the Services;

      4. use the Services in a manner inconsistent with any applicable laws or regulations;

      5. upload or transmit (or attempt to upload or to transmit) viruses, Trojan horses, or other material, that interferes with any party’s uninterrupted use of the Services or modifies, impairs, disrupts, alters, or interferes with the use, features, functions, operation, or maintenance of the Services;

      6. attempt to impersonate another user or person;

      7. interfere with, disrupt, or create an undue burden on the Services or the networks or services connected to the Services;

      8. attempt to bypass any measures of the Services designed to prevent or restrict access to the Services, or any portion of the Services;

      9. copy or adapt the Platform’s software, including but not limited to Flash, PHP, HTML, JavaScript, or other code;

      10. delete the copyright or other proprietary rights notice from any Deliverables;

      11. except as permitted by applicable law, decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Services and Platform;

      12. except as may be the result of standard search engine or Internet browser usage, use, launch, develop, or distribute any automated system, including without limitation, any spider, robot, cheat utility, scraper, or offline reader that accesses the Services and/or retrieves/gathers data or content from the Services, or use or launch any unauthorised script or other software;

      13. use the Services as part of any effort to compete with us or otherwise use the Services and/or any content of the Platform for any revenue-generating endeavour or commercial enterprise;

      14. sell or otherwise transfer your profile without notifying us first and without our express consent to such transfer;

      15. use the Services to advertise or offer to sell goods and services.

   3. Any breach by you of this Section 7 will constitute a material breach of our Terms

8. SERVICES MANAGEMENT

   1. We reserve the right, but not the obligation, to: 

      1. monitor the Services for violations of these Terms, the Special Terms and/or the Supplemental Documents; 

      2. take appropriate legal action against anyone who, in our sole discretion, violates the law or these Terms the Special Terms and/or the Supplemental Documents, including without limitation, reporting such user to law enforcement authorities;  

      3. in our sole discretion and without limitation, refuse, restrict access to, limit the availability of, or disable (to the extent technologically feasible) part of or all of the Services if you breach any of the terms herein;

      4. remove or edit any Contributions at any time without notice if in our reasonable opinion we consider such Contributions harmful or in breach of these Terms. If we remove or edit any such Contributions, we may also suspend or disable your account and report you to the authorities; 

      5. in our sole discretion and without limitation, notice, or liability, to remove from the Services or otherwise disable all files and content that are excessive in size or are in any way burdensome to our systems; and 

      6. otherwise manage the Services in a manner designed to protect our rights and property and to facilitate the proper functioning of the Services.

9. CHANGES AND INTERRUPTIONS TO SERVICES

   1. We cannot guarantee the Services are available at all times. We may experience hardware, software, or other problems or need to perform maintenance related to the Services, resulting in interruptions, delays, or errors. We endeavour to notify you of the interruptions and delays as far in advance as reasonably possible or, if advance notification is not possible due to the urgency of the reasons requiring interruption or delay, without undue delay. You agree that we have no liability whatsoever for any loss, damage, or inconvenience caused by your inability to access or use the Services during any such downtime.

   2. We reserve the right to change, revise, update, suspend, discontinue, or otherwise modify the Services at any time or for any reason. Nothing in these Terms will be construed to obligate us to maintain and support the Services or to supply any corrections, updates, or releases in connection therewith. 

   3. If the change, modification or termination of the Services negatively impacts you, we will strive to reasonably notify you before its implementation. If you do not wish to continue using the Services after such change, modification or termination of the Services, you can terminate your subscription (terminate the Terms in respect of you) before the change takes effect.

10. PERSONAL DATA PROCESSING

    1. We process your representatives’ personal data as a controller if we determine the purposes and means of processing this data, including but not limited to if we conclude the Terms with you. For more information on how we process your personal data as a controller, please see the privacy notice available at our Site. 

    2. We process personal data as a processor on your behalf when providing the Services, including but not limited to, when we distribute the surveys on behalf of you. The processing of such personal data is governed by the data processing agreement, which is incorporated as an annex to these Terms (Annex 1 – data processing agreement). 

11. TERM AND TERMINATION

    1. You have the right to use the Services during the validity of your subscription as provided in the Special Terms. Unless notified by either Party at least thirty (30) days prior the end of your subscription period, these Terms and applicable Special Terms or Supplemental Documents shall automatically extend for another subscription period and so on for each following period. 

    2. We have the right to terminate your subscription to the Services without prior notice and to limit your access to the Services and Platform if you violate these Terms, Special Terms or Supplemental Documents or any applicable law. In this case you have no right to request any refund of the Service Fee. In case you have agreed to pay in monthly instalments, you must pay the Service Fee until the end of your Service subscription period.  

    3. You may terminate your subscription to the Services without cause at any time, after which you will continue to have access to the Platform and the Services through the end of your Service subscription period indicated in the Special Terms (for which you have paid for). In this case you have no right to request any refund of the Service Fee. In case you have agreed to pay in monthly instalments, you must pay the Service Fee until the end of your Service subscription period.  

    4. You may also terminate your subscription if we have breached the Term, Special Terms or Supplemental Documents and despite the notification received from you, we have not remedied such breach within 30 days as of receipt of the notification. In this case you have right to request refund of the paid Service Fee for the period you are unable to use the Services. 

    5. The expiration or termination of these Terms will not discharge either Party of any rights and obligations that are intended to survive including, but not limited to, Subsections 4.2, 4.3 and Section 5.

12. AMENDMENTS

    1. We have the right to unilaterally amend these Terms including, but not limited to, in the following situations:

       1. if required by applicable law;

       2. if it is required by amendments in applicable law or court practices, a decision by a state institution, an injunction or a court judgment entered into force;

       3. if it is caused by technical or substantial developments in certain Services, including, but not limited to, abandoning the use of certain technical solutions or Services or changing or upgrading them or technical innovation; creating additional or better opportunities for you to use Services; or the need to specify circumstances related to the provision and use of Services; or changing of circumstances related to the business environment or input costs concerning the provision of the Services, or

       4. other conditions occur.

    2. We will notify you at least 30 days before amendments of these Terms come into force. 

    3. If you do not wish to continue using the Services after any amendment(s) to the Terms and/or the Services are implemented, you may terminate your use of the Services in accordance with Subsection 11.3 of these Terms.

    4. If the amendments of these Terms negatively impact you and you do not wish to continue using the Services under the amended Terms, you can terminate your use of the Services and the Terms applicable to you before the amended Terms take effect. In this case, you have a right to request refund of the Service Fee for the unused Services.

    5. You will be subject to and will be deemed to have been made aware of and to have accepted, the changes in any revised Terms by your continued use of the Services after the date such revised Terms are made available at the Site.

    6. There may be information on the Services that contains typographical errors, inaccuracies, or omissions, including descriptions, pricing, availability, and various other information. We reserve the right to correct any errors, inaccuracies, or omissions and to change or update the information on the Services at any time, without prior notice.

13. DISCLAIMER

    1. You acknowledge that we are not a law, accounting, auditing or similar firm and do not provide legal, financial, tax, commercial or other advice as part of the Services. Accordingly, no Services or Deliverables should be construed to be legal, financial, tax, commercial or other advice nor compatible with other requirements that may be applicable to you, and you should always consult with the appropriate professional regarding any legal, tax, financial, commercial or other requirements you may be subject to.

    2. The output produced by us as part of the Service is not intended for public disclosure or for distribution by subscription or other means within the purposes of Proposal for a Regulation of the European Parliament and of the Council on the transparency and integrity of environmental, social and governance (ESG) rating activities. We do not issue or present, and have not applied for, any license or permit to issue or present ESG ratings, scores and/or opinions for public use or for distribution. We provide our outputs pursuant to an individual order and provided exclusively to the person who placed the order.

    3. We may use third parties to offer you the Services, third-party content or services may be made available to you on or with the Services. Any third-party opinions, advice, statements, services, offers, or other information made available on or incorporated into our Services are those of the respective author(s) or publisher(s), and not ours. We are not responsible or liable for and make no representations as to any aspect of such third-party content or services. You irrevocably waive any claim against us with respect to such third-party content or services.

    4. The Services are provided on an “as-is” and “as-available” basis. We make no warranties or representations about the accuracy or completeness of the Services' content and we will assume no liability or responsibility for any (1) errors, mistakes, or inaccuracies in Services' content, (2), any unauthorised access to or use of our secure servers and/or any and all personal information and/or financial information stored therein, (3) any interruption or cessation of the Services, (4) any bugs, viruses, trojan horses, or the like which may be transmitted to or through the Services by any third party, and/or (5) any errors, omissions or compliance with legal acts applicable to you in any content, materials or documents that you may receive as a result of using our Services (6) third-party input, advice, statements, services, offers, or other information made available to you in relation to or incorporated into our Services (7) any information, documents, input submitted by the Value Chain Entity as part of the Value Chain Entity’s Submissions (8) Value Chain Entity’s or any other third party’s breach of the Value Chain Entity’s Terms or any other applicable terms related to the use of the Platform.

14. LIMITATIONS OF LIABILITY AND INDEMNIFICATION

    1. Without prejudice to the disclaimers contained in clause 13, we shall not be liable for breach of our obligations under the Terms, Special Terms or Supplemental Documents or any damages caused to you due to your use of the Platform or Services, unless such breach is intentional or caused by gross negligence. To the extent permitted by laws, our liability is limited to only direct material damages in the maximum amount of the Service fee paid by you for the Services for the twelve (12) months’ period preceding the event giving rise to the claim. You agree that we accept no liability for any non-patrimonial damage, loss of profits, loss of revenue, loss of data or any indirect or incidental damages arising from your use of the services, even if we have been advised of the possibility of such damages. 

    2. You agree to defend, indemnify, and hold us harmless, including our subsidiaries, affiliates, and all of our respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys’ fees and expenses, made by any third party due to or arising out of: (1) your Contributions; (2) use of the Services; (3) breach of these Terms; (4) any breach of your representations and warranties set forth in these Terms; (5) your violation of the rights of a third party, including but not limited to intellectual property rights; or (6) any overt harmful act toward any other user of the Services with whom you connected via the Services. Notwithstanding the foregoing, we reserve the right, at your expense, to assume the exclusive defence and control of any matter for which you are required to indemnify us, and you agree to cooperate, at your expense, with our defence of such claims. We will use reasonable efforts to notify you of any such claim, action, or proceeding which is subject to this indemnification upon becoming aware of it.

15. USER DATA

    1. We will maintain certain data that you transmit to the Platform for the purpose of providing the Services to you, managing the performance of the Services, as well as data relating to your use of the Services. Although we perform regular routine backups of data, you are solely responsible for all data that you transmit or that relates to any activity you have undertaken using the Services. You agree that we shall have no liability to you for any loss or corruption of any such data, and you hereby waive any right of action against us arising from any such loss or corruption of such data.

16. NOTICES

    1. We may provide any notice to you under these Terms by: (i) sending a message to the email address you provide to us and consent to us using; or (ii) posting on the Platform. Notices sent by email will be effective when we send the email and notices we provide by posting will be effective upon posting. It is your responsibility to keep your email address current and check for incoming messages regularly.

    2. To give us notice under these Terms, you must contact us by email at info@esgrid.com.

17. GOVERNING LAW AND DISPUTES

    1. These Terms are governed by the laws of the Republic of Estonia.

    2. Any dispute, controversy or claim arising out of or in connection with these Terms, or the breach, termination, or invalidity thereof, which the Parties fail to solve through amicable negotiations, will be settled in Harju County Court (Harju Maakohus) located in Tallinn, Estonia, as the court of first instance.

18. MISCELLANEOUS

    1. These Terms, Special Terms and other Supplemental Documents constitute the entire agreement and understanding between you and us. 

    2. No delay or failure on our part in performing an obligation or in exercising a right under these Terms will mean exemption of such obligation or waiver of such right, nor will separate or partial exercise of any right exclude further exercise of such right or any other right, unless the provisions or the context of these Terms requires otherwise. 

    3. Invalidity or nullity of a single provision of these Terms will not cause invalidity or nullity of the entire Terms or of other provisions of these Terms, unless as a result of the invalidity or nullity of any provision of these Terms the Parties lose their interest in the Terms or unless the deletion of such provision would result in such a material change so as to cause the transactions contemplated herein to be manifestly unreasonable. Should the Parties detect an invalid provision, they will make their best efforts to amend such provision in order that it complies with the applicable law to the extent that it remains closest to the original intention of the Parties.

19. CONTACT US

In order to resolve a complaint regarding the Services or to receive further information regarding use of the Services, please contact us at:

Esgrid Technologies OÜ
Marati 5
Tallinn 11712
Estonia
info@esgrid.com

These Terms were initially created using Termly's Terms and Conditions Generator.

All Rights reserved

ANNEX I – data processing agreement

This data processing agreement (“DPA”) governs the personal data processing conducted by us (“Processor”) on behalf of you (“Controller”) within providing the Services under the Terms, Special Terms, annexes and any policies referred to in the Terms. 

This DPA forms an integral part of the Terms. For matters not stipulated in this DPA, the Terms apply, including but not limited to termination, governing law etc. In the event of a conflict or ambiguity between the DPA and Terms, this DPA will prevail. All and every term, unless specifically defined herein, is being used in the meaning given in the Terms or the GDPR.

The Parties acknowledge that this DPA and personal data processing activities conducted under the Terms are governed by the Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), and other relevant legislative acts, or supervisory authorities’ guidelines, governing the processing of personal data in the Republic of Estonia (altogether with the GDPR “Legislation”).

1. Processing of the personal data 

   1. The Processor shall process personal data only in accordance with the documented instructions of the Controller, including the instructions provided by the Controller in the Terms, Special Terms, DPA and annexes thereto, unless required to do so by the Legislation to which the Processor is subject. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless the Legislation prohibits this on important grounds of public interest.

   2. The Processor’s personal data processing’s subject-matter, nature, types of personal data, categories of data subjects and duration are specified in Annex 1 (Annex 1 – details of data processing). 

2. Rights and obligations of the controller 

   1. The Parties hereby agree that the Controller shall: 

      1. ensure that all instructions for the processing of the personal data shall comply with the Legislation, and such instructions will not in any way cause the Processor to be in breach of the Legislation;

      2. comply with the Legislation, including ensure the accuracy, quality and lawfulness of the personal data processed by the Processor and inform the data subjects of the processing operations carried out by the Processor;

      3. notify the Processor prior to concluding the Terms if the Controller requires the Processor to adopt specific procedures, regulations, security measures or similar. Notwithstanding the foregoing, the Processor is entitled to invoice the Controller separately for complying with any such requests of the Controller.

3. Rights and obligations of the processor 

   1. The Parties hereby agree that the Processor shall:

      1. process the personal data on behalf of the Controller based on documented (e.g., received via e-mail or any other documented form) instructions given, received and updated (including the ones regulated herein), from time to time, from the Controller and in accordance with the Legislation; 

      2. notify the Controller without undue delay if in the Processor’s opinion instructions given by the Controller pursuant to Subsection 1.1 of this DPA infringe the Legislation;

      3. ensure that all of its employees, subcontractors, members of the management board, or other persons to whom the Processor has provided access to the personal data are subject to confidentiality obligation or to an appropriate statutory confidentiality obligation and are aware of their duties and obligations in relation to the personal data processing;

      4. make available to the Controller all information necessary to prove the fulfilment of the obligations arising from the DPA and the Legislation, and contribute to audits performed in accordance with Section 4; 

      5. engage sub-processors only in accordance with Section 5 of the DPA;

      6. not transfer personal data outside the European Union or European Economic Area (“EU/EEA”), except in case such transfer is in accordance with Section 6 of the DPA;

      7. take measures required pursuant to Article 32 of the GDPR and the Legislation, including implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk related to processing of the personal data and avoid alteration, loss or non-authorized processing thereof or access thereto. The Processor has the right to change and update from time to time and as seen necessary by the Processor any and all technical and organizational measures applied at the moment of concluding this DPA;

      8. not communicate to the data subjects nor perform the data subject’s request directly and independently. The Processor shall forward any requests received from the relevant data subjects for exercising any of their rights to the Controller as soon as reasonably possible after the receipt of such a request;

      9. provide assistance to the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to the data subject’s requests for exercising their rights laid down in Chapter III of the GDPR;

      10. support the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, to the extent that it is reasonable, appropriate and not unduly burdensome while taking into consideration the nature of personal data processing and the information available to the Processor;  

      11. notify the Controller in a form reproducible in writing without undue delay, but no later than within 48 hours after becoming aware of a personal data breach concerning personal data processed by the Processor on the basis of the DPA. Such notification shall contain at least the description of the nature of the breach, categories and approximate number of data subjects and data records concerned (as required in Article 33 (3) of the GDPR). For clarity, a personal data breach as such shall not automatically mean the Processor’s infringement of this DPA and the Legislation, provided that the necessary procedures as defined in this DPA and the Legislation have been duly applied by the Processor;

      12. delete or return personal data to the Controller according to Section 7 of the DPA. 

   2. The Processor is entitled to invoice the Controller for additional costs and remuneration, in addition to the fees provided for the Services, for fulfilling its obligations under Subsections 3.1.4, 3.1.9 and 3.1.10 of the DPA in case the Processor assesses the costs for fulfilling its obligations to be excessive and unreasonable (e.g. due to the repetitive nature of the requests, volume of data to be processed, necessity to compile systematically structured data sets according to the instructions of the Controller which requires additional work). The Processor shall notify the Controller of such costs in advance and prior to issuing such invoices. 

   3. The Processor acknowledges that according to Article 28 (10) of the GDPR the Processor shall be considered a separate controller if it goes beyond the instructions of the DPA and thus itself determines the purposes and means of processing. 

4. Auditing rights 

   1. Upon the Controller’s reasonable request in a form reproducible in writing, the Processor shall provide the Controller with all information necessary (which may be redacted to remove confidential commercial information not relevant to the requirements of this DPA) to demonstrate compliance with the obligations laid down in the DPA, within thirty (30) calendar days of receipt of such request. 

   2. Where, in the reasonable opinion of the Controller, such information is not sufficient to meet the obligations of Article 28 of the GDPR, the Controller may, upon sixty (60) calendar days prior notice in a form reproducible in writing to the Processor and upon reasonable grounds, conduct an audit by an independent third-party auditor mandated by the Controller. Any costs for conducting the audit shall be borne by each Party themselves.

   3. Any audit shall be solely limited to confirming the Processor’s compliance with its data protection obligations under this DPA, and shall exclude all information, data and content which relates to: (i) any other clients, agents, or partners of the Processor; (ii) any of the Processor’s internal accounting or financial information; (iii) any trade secrets; (iv) any data that is being accessed for any reason other than the good faith fulfilment of the Controller’s rights under this DPA.

   4. The notification provided according to Subsection 4.2 shall contain a proposal for an auditing plan. If parts of the requested scope of the audit are covered by an audit report carried out by a qualified third-party auditor within the last twelve (12) months, the Processor is entitled to provide to the Controller such report instead of the proposed audit.

   5. Any audit shall be performed during the Processor’s regular business hours and the performance of the audit must not interrupt the Processor’s business. Furthermore, in order to minimize the operational disturbances, the Processor can combine the audit with audits conducted on behalf of other clients or resellers. 

   6. Any audit must be carried out in a manner that does not disrupt, delay or interfere with the Processor’s performance of its business and in accordance with the Processor’s internal policies. The Controller shall ensure that all participants of the audit are subject to written confidentiality obligation. Unless prohibited by the Legislation, the Controller must provide a copy of the audit report to the Processor.

5. Use of sub-processors

   1. The Processor is permitted to engage sub-processors for the provision of the Services under the Controller’s authorization (general written authorization pursuant to Article 28 (2) of the GDPR) provided hereby. 

   2. Should the Processor wish to engage a new sub-processor or replace a current sub-processor with a new sub-processor, then the Processor is obliged to inform the Controller in a form reproducible in writing. Upon having reasonable grounds, the Controller may object, in a form reproducible in writing, to any such additions, changes or replacement within thirty (30) days as of the Processor informing the Controller. If the Controller does not object during such time period, the addition, change or replacement shall be deemed accepted.  

   3. In case the Controller exercises, pursuant to Subsection 5.2 above, its opportunity to object to the addition or replacement of sub-processor and the Processor does not, under reasonable grounds, agree with such objections, both Parties have the right to terminate the DPA by notifying the other Party thirty (30) calendar days in advance. Until the termination of the DPA, the Processor has the right to use the sub-processor to which the Controller has issued its objections, for providing the Services and performing the DPA.  

   4. In the event the Processor engages or replaces a current sub-processor, the Processor shall engage such sub-processor under an agreement at least in a form reproducible in writing containing equivalent obligations as those set out in this DPA and remain fully liable to the Controller for the performance of each sub-processor’s obligations.

6. Data transfers outside the eu/eea

   1. The Controller allows the Processor to transfer personal data outside of the EU/EEA, including engage any sub-processors, if the Processor transfers personal data to countries in relation to which the European Commission has issued an adequacy decision or if the Processor uses other appropriate safeguards set out in Chapter V of the GDPR (e.g., standard contractual clauses adopted by the European Commission).

   2. The Controller is entitled to request information from the Processor regarding the countries to which the personal data is transferred to and of the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate safeguards.

   3. In the event that any of the measures referred to in Subsection 6.1 are no longer sufficient to satisfy the requirements of the Legislation applicable to the processing of personal data under the DPA to legalize the transfer of personal data outside the EU/EEA, the Processor shall use any reasonable efforts to implement either an alternative transfer mechanism which satisfies the requirements of the Legislation applicable to the processing of personal data under this DPA in order to legalize the transfer of personal data outside the EU/EEA or cease with such transfer.

7. Deletion or return of personal data 

   1. After the receipt of the Controller’s request in a form reproducible in writing the Processor shall delete or return all of the personal data processed by the Processor as a data processor for the provision of the Services (and any existing copies thereof), unless storage of any personal data is required by the Legislation. 

   2. In the event that the Controller does not render a request as specified in Subsection 7.1 to either delete or return the personal data, the Processor shall delete permanently all of the relevant personal data within six (6) months as of the end of the provision of the Services to the Controller, unless otherwise agreed upon in a form reproducible in writing. The foregoing cannot be considered an obligation of the Processor to retain the said personal data for a period of six (6) months and the Processor has the right to delete the said data earlier. The Controller takes note that after the period stipulated herein, the said personal data is permanently deleted. The prior obligation does not apply to anonymised data, usage statistics, technical parameters and analyses.

   3. The Controller acknowledges that the deletion of personal data after the termination of this DPA does not exclude the Processor’s right to retain the said data in its backup systems. The Processor shall ensure that applicable safeguards are in place, the personal data is put beyond use in the backup systems and the personal data is subsequently deleted as soon as possible, i.e., on the Processor’s next deletion/destruction cycle.

   4. The Controller acknowledges that the Processor has the right to retain all instructions and other material which relates to the processing of personal data.

8. Miscellaneous

   1. The Controller shall indemnify the Processor and hold the Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with breach of Legislation or the provisions of this DPA by the Controller.

   2. This DPA becomes effective upon entering into the Terms and is valid until the termination of the Terms. 

   3. The termination of the DPA takes place according to the Terms. Termination of the DPA causes automatic termination of the Terms and vice versa. Termination of this DPA does not exempt the Parties from fulfilling their obligations as specified in the Legislation.

   4. The confidentiality obligation set out in Subsection 3.1.3 applies indefinitely even after the termination of the DPA.

   5. The Processor is entitled to unilaterally amend this DPA by giving the Controller a prior notification of fourteen (14) calendar days in case it is necessary to comply with the Legislation or any changes thereto. If the Controller declines to accept such amendments, the Processor is entitled to immediately extraordinarily terminate the Terms and this DPA in order to comply with the Legislation. If necessary to comply with the Legislation, in the period between the issuing of the termination notice and until the end of the termination of the Terms, the amendments giving rise to the termination shall be applied fully.

DPA Annex 1 – Details of Data Processing

1. subject-matter of the processing

The Processor will process the personal data as necessary to provide the Services (e.g. create an account for the Controller’s employee, distribute the questionnaire to the Value Chain Entities, including receive the contact details of the Value Chain Entities’ representatives). 

2. Nature of the processing

The Processor may conduct the following processing activities: receiving data, using data for the provision of the Services, retaining data, erasing data. 

3. Categories of data subjects

The Processor may process personal data of the following categories of data subjects: Controller’s employees and Value Chain Entities’ representatives. 

4. Types of personal data

The Processor may process the following types of personal data: name, name of employer, occupation, phone number and e-mail address. The Processor does not process sensitive personal data.

5. Duration of processing

The Processor will process the personal data as long it is necessary for the provision of the Services.