Privacy Policy

Data Processing Agreement

Sharefox Platform | Appendix 1 | Data Processing Agreement

Version 2.0 – April 2026

This Data Processing Agreement (hereinafter: “DPA”) forms an integral and inseparable part of the Agreement concluded between Sharefox (hereinafter: “Processor”) and the Customer (hereinafter: “Controller”) regarding the use of the Services;

hereinafter jointly referred to as “Parties” and separately “Party”;

taking into account that:

  • Controller has access to the personal data of various individuals (hereinafter: “Data Subjects”);
  • Controller wants Processor to execute processing activities in accordance with the Agreement, as further described in Section 11.1 of the Terms and Conditions;
  • Parties in this DPA assume the meaning of the definitions as described in the General Data Protection Regulation (hereinafter: “GDPR”);
  • During the execution of the Agreement, Processor may process personal data within the meaning of article 4.1 of the GDPR at the Controller’s behest;
  • Controller is considered to be a controller within the meaning of article 4.7 of the GDPR;
  • Processor is considered to be a processor within the meaning of article 4.8 of the GDPR;
  • Sharefox acts exclusively as a Processor under Article 28 GDPR and does not jointly determine the purposes of processing;
  • the GDPR imposes an obligation on the Controller to ensure that the Processor provides sufficient guarantees with regard to the technical and organizational security measures with regard to the processing to be carried out;
  • in addition, the GDPR imposes an obligation on Controller to ensure compliance with these measures;

Parties wish to set out their rights and obligations in writing by means of this DPA with due observance of the requirements of article 28.3 of the GDPR.

Contents

1. Purpose of processing

1.1. Processor agrees, under the terms of this Data Processing Agreement, to process personal data on behalf of Controller. Processing shall be done solely for the purpose of the Agreement and all purposes compatible therewith, or as amended in writing by the Parties. Moreover, processing may be done on the basis of a legal obligation. 

1.2. The processing concerns the purposes as determined by the Controller, with regard to the categories of personal data and Data Subjects as set out in Appendix A to this Data Processing Agreement.

2. Processor obligations

2.1. Processor shall only process the personal data for the purposes as mentioned in article 1 of this Data Processing Agreement.

2.2. Regarding the processing operations as referred to in article 1, Processor shall comply with the GDPR.

2.3. Processor shall inform Controller if in its opinion an instruction of Controller would violate the applicable legislation regarding the processing of personal data or is otherwise unreasonable.

2.4. Processor shall provide reasonable assistance to the Controller in fulfilling the Controller’s obligations under the GDPR, including where relevant under Articles 32–36, taking into account the nature of the processing and the information available to Processor.

2.5. All obligations of Processor under this Data Processing Agreement shall apply equally to any persons processing personal data under the supervision of Processor, including but not limited to employees.

3. Confidentiality obligations

3.1. Processor shall maintain the confidentiality of personal data provided by Controller. Processor ensures that the persons who are authorized to process the personal data are contractually obliged to maintain the confidentiality of the personal data they handle.

3.2. The confidentiality obligation shall not apply to the extent Controller has granted explicit permission to provide the information to third parties, the provision to third parties is reasonably necessary considering the nature of the assignment to Processor or the provision is legally required.

4. Notification and communication

4.1. Controller is responsible at all times for notification of any personal data breaches, as referred to in Article 4 paragraph 12 of the GDPR (hereinafter: “Personal Data Breach”), to the competent supervisory authority, and for possible communication about the Personal Data Breach to Data Subjects.

4.2. In order to enable Controller to comply with this legal requirement, Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Processor will take reasonable measures to limit the consequences of the Personal Data Breach and to prevent further and future Personal Data Breaches.

4.3. A notification under the previous clause shall be made at all times, but only for actual Personal Data Breaches.

4.4. If necessary and reasonable, Processor will provide assistance to Controller, taking into account the reasonableness of the request, nature of the processing, and the information available to it, in regard to (new developments about) the Personal Data Breach.

4.5. The notification to Controller shall include, as far as known at that moment, at least:

  1. the nature of the Personal Data Breach;
  2. the (likely) consequences of the Personal Data Breach;
  3. the categories of personal data concerned;
  4. if and which security measures have been taken to protect the personal data;
  5. the measures taken or proposed to be taken to address the Personal Data Breach and prevent future Personal Data Breaches;
  6. the categories of Data Subjects concerned;
  7. the number of Data Subjects concerned, or an approximation where the exact number cannot be determined at the time of notification;
  8. where necessary, the alternative contact details for addressing the notification.

5. Rights of Data Subjects

5.1. In the event a Data Subject makes a request to exercise his or her legal rights under the GDPR (Articles 15-22) to Processor, Processor shall pass on such request to Controller within a maximum period of three working days after the request was received. Processor may inform the Data Subject of such request being forwarded. Controller will then further process the request independently.

5.2. In the event that a Data Subject makes a request to exercise his or her legal rights to Controller, Processor will, if Controller requires this, cooperate as far as possible and reasonable.

6. Security measures

6.1. Processor shall use reasonable efforts to implement appropriate technical and organizational measures to secure the processing operations involved, against loss or any form of unlawful processing (in particular against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed).

6.2. Processor shall use best efforts to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6.3. Controller shall only provide personal data to Processor for processing if it has ensured that the required security measures have been taken.

7. Audit

7.1. Upon written request, Processor shall make available to Controller documentation of its technical and organisational measures to demonstrate compliance with this Agreement. 

7.2. Where Controller has a reasonable and well-founded suspicion of a breach of this Agreement, communicated in writing, Controller may additionally arrange a formal compliance audit via an independent third party bound by confidentiality obligations, once per calendar year. The scope, timing and duration of any audit shall be agreed in advance and shall not unreasonably interfere with Processor’s operations. Where available, Processor may satisfy such audit request by providing relevant third-party audit reports or security documentation demonstrating compliance. The costs of the audit shall be borne by Controller, unless the audit reveals material non-compliance directly attributable to Processor, in which case Processor shall bear the reasonable costs of the audit.

7.3. Processor shall give its full cooperation to the audit and shall make available all reasonably relevant information, including supporting data such as system logs.

7.4. The audit findings shall be assessed by the Parties in joint consultation. The audit and the results thereof will be treated confidentially by both Parties.

8. Involvement of sub-processors

8.1. Controller authorizes Processor to involve sub-processors in providing the services under this Data Processing Agreement.

8.2. A list of the sub-processors engaged by Processor at the time of entering into this Data Processing Agreement is set out in Appendix B of this Data Processing Agreement.

8.3. An up-to-date list of the sub-processors engaged by Processor is available in Appendix 1B. Changes to this list are governed by Article 8.4.

8.4. Processor will notify Controller of any changes to the list. Controller is entitled to object in writing on reasonable grounds to a specific new sub-processor, or a change of sub-processor(s), within thirty (30) days after Processor has sent the notification. Absence of objection within this period shall be deemed acceptance. If Controller makes an objection, the Parties will consult to reach a solution. If the Parties are unable to reach a solution within a reasonable period of time, Controller may terminate the affected services in accordance with the Agreement.

8.5. Processor imposes at least the same obligations on the engaged sub-processor(s) as agreed between Controller and Processor in this Data Processing Agreement.

8.6. Processor shall ensure that these third parties shall comply with the obligations under this Data Processing Agreement and is liable for any damages caused by violations by these third parties as if it committed the violation itself. Where the Processor engages subprocessors located outside the European Economic Area (EEA), the Processor shall ensure that such subprocessors provide appropriate safeguards in accordance with Chapter V of the GDPR. These safeguards may include certification under the EU-US Data Privacy Framework, the use of EU Standard Contractual Clauses (EU) 2021/914, or other legally recognized transfer mechanisms.

9. Transfer of personal data

9.1. Processor may process the personal data in any country within the European Economic Area (EEA).

9.2. In addition, Processor may transfer the personal data to a country outside the EEA, provided that country ensures an adequate level of protection of personal data and complies with other obligations imposed on it under this Data Processing Agreement and the GDPR, including the availability of appropriate safeguards and enforceable Data Subject rights and effective legal remedies for Data Subjects. Such safeguards may include the EU Standard Contractual Clauses (EU 2021/914), the EU-US Data Privacy Framework, or other lawful transfer mechanisms recognized under Chapter V of the GDPR.

9.3. An up-to-date list of the processing locations is available in Appendix 1B.

10. Liability

10.1. Parties explicitly agree that regarding liability, the provisions as laid down in the Terms and Conditions apply.

11. Term and termination

11.1. This Data Processing Agreement is entered into for the duration set out in the Agreement.

11.2. Derogations from this Data Processing Agreement shall be binding only if they have been expressly agreed in writing between the Parties.

11.3. If changes in applicable law require amendments to this DPA, Processor shall implement such changes within a reasonable timeframe. The Parties shall consult in good faith on any additional voluntary changes.

11.4. This Data Processing Agreement may be amended by Sharefox by providing at least 30 days’ prior written notice to Controller by email. Continued use of the Services after the effective date constitutes acceptance of the amended DPA.

11.5. Upon termination of the Data Processing Agreement Sharefox shall, at the request, and at the expense, of Controller:

  1. return to Controller in original format all personal data available to it; or
  2. destroy or anonymise all personal data available to it, subject to standard system backup retention cycles and applicable legal retention obligations.

 

Upon termination, Controller will be provided with a 30-day window to export their data before data is inactivated. Data held in backup systems is not actively used or accessed following termination, and is deleted in accordance with Sharefox’s standard backup rotation. Written confirmation of deletion/anonymisation is available upon request from Controller.

The following appendices have been added to the Data Processing Agreement:

Appendix 1A | Specification of personal data and Data Subjects

Personal data

Processor shall process the following types of personal data, under the supervision of Controller, for the performance of the Agreement:

  • Name
  • Email
  • Phone
  • Addresses
  • Signatures
  • Any kind of data stored in custom fields
  • Any kind of data stored in notes

Of the following categories of Data Subjects:

  • Customers
  • Orders
  • Invoices
  • Contracts
  • Quotes
  • Employees

Controller represents and warrants that the description of personal data and categories of Data Subjects in this Appendix 1A is complete and accurate and shall indemnify and hold harmless Processor for all faults and claims that may arise from a violation of this representation and warranty.

Appendix 1B | Sub-processors

The following Sub-processors are engaged by Sharefox at the time of entering into this Data Processing Agreement:
  • Mandrill by Mailchimp – USA; Transactional Email Services
  • GSuite by Google – Google Ireland Ltd; Email and Document Services
  • Helpscout – USA; Customer Support System
  • Google Cloud Platform – Google Ireland Ltd; Servers and data centre for storage of data for the Sharefox Platform, including Customer Data
  • NETS – Norway; Payment Gateway
  • Stripe – USA; Payment Gateway
  • Criipto AS – Denmark; Handling BankID solution
  • Hubspot – USA; CRM, Sales, Marketing and Support system
  • Google Analytics – USA; Web traffic