(1) Natural or legal person concluding this data processing agreement (“Data Controller”), and
(2) Oxylabs (”Data Processor”)
Data Controller and Data Processor are hereinafter collectively referred to as the “Parties” and the “Party” if referred to separately,
Taking into account that:
(A) The Parties have entered into an agreement under which Data Processor has agreed to provide Services (as described at https://oxylabs.io/legal/oxylabs-general-conditions) and related technical support to the Data Controller (“Agreement”);
(B) In the course of providing Services to the Data Controller, the Data Processor has to process personal data on behalf of and for the interest of the Data Controller;
(C) Article 28(3) of the European Union Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”) requires that processing by a processor shall be governed by a contract or other legal act under the EU or the EU Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller;
Have concluded this data processing agreement (“Data Processing Agreement”) and agreed as follows:
1.1. Unless the context requires otherwise, the capitalised terms used in this Data Processing Agreement, including its Preamble and annexes, shall have the meanings indicated below:
|Applicable Data Protection Laws
|means any national or internationally binding data protection laws or regulations applicable at any time during the term of this Data Processing Agreement to, as the case may be, the Data Controller or the Data Processor, including GDPR;
|means an entity or a person that has accepted the General Conditions and that determines the purposes and means of the processing of Personal Data;
|means Oxylabs which processes Personal Data on behalf of the Data Controller under this Data Processing Agreement;
|means any information relating to an identified or identifiable natural person;
|means one (or a few of) automatic data gathering tools (as described in the General Conditions) provided by Oxylabs under the Agreement;
|means a third-party subcontractor engaged by the Data Processor which, as part of the subcontractor’s role of delivering the services, will process Personal Data on behalf of the Data Controller.
2. DATA CONTROLLER’S OBLIGATIONS
2.1. Data Controller shall comply with its obligations as a data controller under the Applicable Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Data Processor.
2.2. Data Controller has provided all the necessary privacy notices and/or obtained all consents and rights necessary under the Applicable Data Protection Laws for Data Processor to process Personal Data and provide Services pursuant to the Agreement and this Data Processing Agreement.
3. DATA PROCESSING INSTRUCTIONS
3.1. Data Processor undertakes to process the Personal Data on documented Data Controller’s instructions, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by EU or EU Member State law to which the Data Processor is subject.
3.2. The Data Controller’s instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are as follows:
|Provision of SAPI Services to the Data Controller
|Nature and Purpose of the Processing
|Data Processor will process Personal Data for the purposes of providing SAPI Services and related services (if any) in accordance with the Agreement
|Categories of Data Subjects
|Natural persons whose Personal Data Data Controller chooses to process while using the SAPI Services and related services (if any).
|Types of Personal Data
|Data relating to natural persons that Data Controller chooses to process while using the SAPI Services and related services (if any).
|Duration of Processing
|As long as the Data Controller uses SAPI Services and related services (if any).
3.3. Data Processor shall, when processing Personal Data under this Data Processing Agreement, comply with any Applicable Data Protection Laws and applicable recommendations by the data protection authorities or other competent authorities.
3.4. Data Controller entitles Data Processor to enter into agreements with Sub-processors on the Data Controller’s behalf for the performance of its obligations under this Data Protection Agreement. Data Processor shall maintain a list of Sub-processors used to fulfil its obligations as set forth in this Data Processing Agreement. The Data Controller may familiarize itself with the Sub-processors currently engaged by the Data Processor by requesting a list of such Sub-processors from the Data Processor in writing.
4.1. To the extent reasonable, taking into account the nature of processing, Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable Data Protection Laws, including but not limited to the Data Controller’s obligation to respond to requests for exercising the data subject's rights to request information and for Personal Data to be corrected, blocked or erased at their request.
4.2. In case of any requests made by data subjects, competent authorities or any other third parties to Data Processor regarding the processing of Personal Data covered by this Data Processing Agreement, the Data Processor shall refer such requests to the Data Controller.
4.3. In the terms agreed between the Parties and to the reasonable extent, the Data Controller shall be entitled, in its capacity as the data controller, to take measures necessary to verify that the Data Processor is able to comply with its obligations under this Data Processing Agreement, and that Data Processor has in fact undertaken the measures to ensure such compliance.
4.4. In the terms agreed between the Parties and to the reasonable extent, the Data Processor shall assist the Data Controller in data protection impact assessments, prior consultations and other communications with data protection authorities.
5. DATA SECURITY MEASURES
5.1. Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. The Personal Data shall also be protected against all other forms of unlawful processing. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the Data Processor shall implement adequate technical and organizational measures.
5.2. Data Processor shall ensure that access to Personal Data is granted only to necessary employees by virtue of performing direct work functions under this Data Processing Agreement. Data Processor shall ensure that such employees respect confidentiality obligations to the same extent as the Data Processor under this Data Processing Agreement.
5.3. Data Processor undertakes not to, without the Data Controller’s prior written consent disclose or otherwise make Personal Data processed under this Data Processing Agreement available to any third party, except for Sub-processors engaged in accordance with this Data Processing Agreement.
5.4. The Data Processor shall take all necessary actions to assist and shall promptly notify the Data Controller in relation to any accidental or unauthorized access to Personal Data or any other security incidents (Personal Data breach) immediately if possible.
6. FINAL PROVISIONS
6.1. All definitions used in this Data Processing Agreement shall have the same meaning, as prescribed in the Agreement unless expressly provided otherwise in this Data Processing Agreement.
6.2. The provisions in this Data Processing Agreement shall apply during such time that Data Processor processes Personal Data in respect of which the Data Controller is the data controller.
6.3. Upon expiry of this Data Processing Agreement, the Data Processor shall, at the choice of the Data Controller as communicated to the Data Processor, delete or return all Personal Data to the Data Controller and shall ensure that any Sub-processor does the same.
6.4. This Data Processing Agreement shall be an integral part of the Agreement. Any matter not expressly governed by this Data Processing Agreement shall be governed by the Agreement.
Last updated on December 1, 2022
GET IN TOUCH
Certified data centers and upstream providers
Connect with us
Advanced proxy solutions