Sims.tel

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Sims.tel ("Processor") and the customer ("Controller") and applies to the extent that Sims.tel processes Personal Data on behalf of the customer in the course of providing services.

Definitions

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Appropriate Technical and Organizational Measures", and "Supervisory Authority" shall have the meanings given to them in applicable Data Protection Laws, including the General Data Protection Regulation (GDPR).

Processing of Personal Data

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
2. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. Take all measures required pursuant to Article 32 of the GDPR (Security of Processing);
4. Respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
5. Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights;
6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor;
7. At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Sub-processors

The Controller hereby provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

Data Subject Rights

The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws. Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to a Data Subject request.

Data Protection Impact Assessment

Upon the Controller's request, the Processor shall provide the Controller with reasonable cooperation and assistance needed to fulfill the Controller's obligation under the GDPR to carry out a data protection impact assessment related to the Controller's use of the Services, to the extent the Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Processor.

Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. Such notification shall include, to the extent possible, the details of the Personal Data Breach, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.

Deletion or Return of Personal Data

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return to the Controller all Personal Data processed on behalf of the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.

Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

International Transfers

The Processor shall not transfer Personal Data outside of the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Laws, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

Contact Information

For questions about this Data Processing Agreement, please contact our Data Protection Officer:

Data Protection Officer
Sims.tel
Email: dpo@sims.tel
Phone: +1 (555) 123-4567