Appendix 1
Data Processing Appendix

This Data Processing Appendix (DPA) is concluded between:

The user of Artec Cloud Services (hereafter the Client),

and

Artec Europe S.àr.l, a private limited liability company (société à responsabilité limitée) having its registered office at 20 rue des Peupliers L-2328 Luxembourg and registered with the Trade and Companies Register of Luxembourg under number B154428 (hereafter Artec).

(hereafter the Parties and each a Party).

1. Whereas

   • This DPA forms an integral part of the Terms of Use of Artec Cloud Services (the Agreement).
   • Whilst providing the services set forth in the Agreement, Artec, in capacity of as data processor, will carry out acts of processing on personal data on behalf of the Client, acting in capacity as data controller.
   • The Parties hereby agree to enter into the DPA to define their obligations regarding the processing of personal data in accordance with Article 28 of the General Data Protection Regulation.

2. Definitions

   Data Protection Legislation means (i) the EU General Data Protection Regulation 2016/679 of the European Parliament and the Council (GDPR), (ii) any data protection laws implementing or complementing the GDPR as well as (iii) as any other laws and regulations applicable to the Parties and containing rules for the protection of individuals with regard to the processing of personal data, as such legislation may be amended, replaced or repealed from time to time.

   Sub-processor(s) means any processor appointed by or on behalf of Artec to process personal data.

   The terms “personal data”, “data subject”, “data controller”, “processing” (including the verb “to process”) and “data processor” shall have the meaning given to them in the applicable Data Protection Laws.

3. Common Undertakings

   • Each Party shall at all times comply with its obligations under applicable Data Protection Legislation in relation to the personal data it processes in the course of performing its obligations under the DPA.

4. Undertakings of the Client

   • The Client provides Artec the instruction to process personal data on behalf of the Client for the purposes of performing its obligations under the Agreement. These instructions are detailed in Schedule 1 attached to the DPA.
   • The Client warrants that, in accordance with the Data Protection Legislation and other data protection laws that may apply to the Client, the Client acts as an independent controller with regard to processing of personal data delegated to Artec, and that the Client has notably the right to delegate the processing activities as described herein to Artec.
   • If the Client does not act as sole data controller, but as a joint data controller in the meaning of the GDPR, it shall inform Artec thereof and shall impose the same obligations on its joint controller as are imposed on the Client under this DPA.
   • The Client shall exercise all rights of itself and the joint controller towards Artec. Only where the joint controller can demonstrate that the Client did not exercise the rights in a way ensuring the compliance of the joint controller with GDPR, the joint controller may exceptionally exercise his rights directly towards Artec. The Client undertakes to document this restriction in the joint controllership agreement between the Client and his joint controller.
   • The Client shall indemnify and hold harmless Artec against all claims and damages that may arise due to a violation by the Client of this Section 4.

5. Undertakings of Artec

   • Within the limits of the processing description set out in the DPA and Schedule 1, Artec undertakes to take the necessary steps to comply with the following requirements:
     • Artec will only process personal data on Client’s documented instructions and notably those detailed in Schedule 1. Artec will inform the Client if an EU or EU Member State law, to which it is subject, requires it to process personal data other than on the Client’s instructions, unless that law prohibits such information on important grounds of public interest.
     • Artec will implement appropriate technical and organizational measures in compliance with Data Protection Laws and Artec’s internal policies to ensure the protection of the personal data;
     • Artec will impose a duty of confidentiality on staff and third parties with access to personal data that are not already subject to an appropriate statutory obligation of confidentiality;
     • Artec will not transfer personal data to a recipient located outside of the European Economic Area (the EEA), unless such transfer takes place in compliance with the Data Protection Legislation, notably if:
       • the transfer is subject to the terms of a contract incorporating the standard contractual clauses in the form adopted by the European Commission or an equivalent or replacement decision (the Model Clauses) signed between the Client or Artec acting on behalf of the Client and the non-EEA recipient of the personal data. For this purpose, the Client expressly authorizes Artec to enter into the Model Clauses on the Client’s behalf; or
       • the recipient is in a jurisdiction in relation to which there is a European Commission finding of adequacy.
     • A general authorization to engage Sub-processors and to continue to use Sub-processors already appointed by Artec as listed in Schedule 1 as at the date of the DPA are hereby granted by the Client. Artec will give the Client notice of any intended appointment of Sub-processors, thereby giving the Client the opportunity to object to such appointment, based on reasonable grounds. If the Client has not objected to the appointment of a Sub-processor based on reasonable grounds within thirty (30) days as of the receipt of the notice from Artec, the use of the Sub-processor will be deemed to have been accepted by the Client.
     • Artec will require that any Sub-processors that process personal data adhere to the same obligations as Artec has under this DPA, as applicable. Artec will remain fully liable for any breach by the sub-processor of its obligations in relation to the processing of personal data.
     • Artec will, at the Client’s expense, to the extent possible and taking into account the nature of the processing undertaken by Artec, assist the Client upon request in responding to data subjects’ requests to exercise their rights to information, access, rectification, erasure, restriction of processing, objection and portability provided for under the GDPR;
     • Artec will, at the Client’s request, assist the Client with respect to the application of the security measures appropriate to the risks of processing personal data, including inter alia as appropriate pseudonymisation, encryption, user access control, database segregation, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as a process for regularly testing, assessing and evaluating the effectiveness of security measures;
     • Artec will, at the Client’s request, make available to the Client all relevant information regarding its data processing activities necessary to demonstrate compliance with this DPA and the GDPR and allow for to audits, including inspections, conducted by the Client or another auditor mandated by the Client. The Client shall give Artec reasonable notice of any audit or inspection to be conducted and shall make reasonable endeavours to avoid causing any damage, injury or disruption to Artec’s premises, equipment, personnel and business. Client’s right to audit is limited to the conduct of one (1) audit or inspection per calendar year, except for additional audits which the Client would consider necessary because of genuine concerns as to Artec’s compliance with this DPA. Such genuine concern shall be reasoned and notified beforehand to Artec in writing; when responding to audit or other information request, Artec will inform the Client if, in its opinion, an instruction from the Client to Artec would violate the GDPR or other EU or EU Member State laws;
     • Artec will notify the Client of any personal data breach without undue delay and, to the extent legally permissible, at the Client’s request, assist with breach investigation, mitigation (including assistance with notification of the supervisory authority and data subjects) and remediation; Artec will, at the Client’s request and expense, assist the Client with carrying out data protection impact assessments and related consultations with data protection authorities.
     • Upon the Client’s request and at the Client’s expense, Artec will, in Artec’s discretion, either return to the Client or delete, after the termination or expiry of the Agreement, all personal data that were processed by Artec on behalf of the Client without prejudice to any EU or EU Member State law requiring continued storage of such personal data.

6. Termination

   • The Parties agree that this DPA shall terminate between the Client and Artec upon termination of the Agreement.

7. Miscellaneous

   • The parties shall not be entitled to (i) unilaterally amend and/or (ii) terminate this DPA.
   • This DPA is without prejudice to any previously agreed terms on the subject matter of data protection, confidentiality, use of sub-contractors or delegates, entered into between the Client and Artec, except where such previous terms and the terms of this DPA conflict, in which case this DPA shall prevail.
   • This DPA does not preclude Artec from processing personal data as a data controller for other processing activities than those covered by this DPA.

8. Governing law and choice of jurisdiction

   • This Agreement shall be governed by law of the Grand Duchy of Luxembourg.
   • The competent jurisdiction shall be the one of the Grand Duchy of Luxembourg.

Personal Data Collected