Data Processing Agreement
Data Processing Agreement (Licensees)
(October 2023)
- General aspects
This Data Processing Agreement (“DPA”) is concluded in accordance with the provisions of Regulation 2016/679 EU (hereinafter referred to as the “General Data Protection Regulation”, in short: “GDPR”). Capitalized terms used but not defined in this DPA have the meanings given to them in the GDPR.
This DPA is incorporated into the License Agreement (which can be accessed here: https://www.maltego.com/license-agreement/) between Licensor and Licensee. Licensee is hereinafter referred to as “Controller” and Licensor is hereinafter referred to as “Processor” (Processor and Controller hereinafter also referred to individually as a “Party” and collectively as the “Parties”).
- Subject and duration of the DPA
2.1. Processor processes personal data on behalf of the Controller.
2.2. The duration of this DPA corresponds to the duration of the License Agreement concluded between the Licensor and the Licensee.
2.3. The provision of the contractually agreed data processing shall take place in Germany or in any other country on the basis of sufficient Data Processing Agreements.
2.4. The following data types might be subject to the processing of personal data:
- name (including first, last, middle initial and any combination thereof);
- electronic identification information;
- communication data (e.g. telephone, e-mail);
- contract data (contractual relationship, product interest);
- customer history;
- contract billing and payment data;
- internal database;
- data provided in the context of search queries with Maltego software (date and time of request, IP address, query parameters, the Transform which was requested, API Key, user agent (e.g. Maltego Pro 4.2.19 on Windows 10), HTTP header information related to HTTP size, including body size).
2.5. The groups of persons affected by the processing include Licensee, Users, legal representatives, contact persons, Licensee’s employees, Licensee’s suppliers.
- Obligations of the Controller
3.1. The Controller is solely responsible for assessing the legal admissibility of the processing to be performed by the Processor with regard to GDPR provisions and other data protection regulations.
3.2. The Controller has the right to carry out inspections in consultation with the Processor or to have them carried out by an examiner appointed on a case-by-case basis. Moreover, the Controller has the right to verify whether the Processor complies with this DPA within its company. Such spot checks shall be announced with reasonable notice. The Processor shall ensure that the Controller can satisfy itself of the Processor’s compliance with all of the Processor’s obligations under Art. 28 GDPR. Upon request, the Processor undertakes to provide the Controller with all necessary information, particularly proof of the proper implementation of appropriate technical and organizational measures and obligations. The implementation of sufficient measures may be proven as follows:
- Compliance with a code of conduct in accordance with Art. 40 GDPR;
- Certification according to a recognised certification procedure in accordance with Art. 42 GDPR;
- Current certificates, reports or declarations by independent bodies (e.g. auditors, accountants, data protection officers, IT security department);
- Appropriate certification through IT-security or data protection audits such as e.g. ISO 27001.
The Processor shall be entitled to claim compensation for providing the Controller with the opportunity to perform such controls. The processing of data in private households/home offices is agreed to be admissible. In such cases, the Processor must ensure that the applicable data protection regulations are complied with.
3.3. The Processor is obliged to inform the Controller without delay if, in the course of the contractual relationship, the Processor finds errors or irregularities with respect to the data protection provisions.
- Obligations of the Processor
The Processor shall comply with all applicable Data Protection Laws in the Processing of Personal Data, particularly the obligations under Art. 28 to 33 GDPR. In particular, the Processor must ensure that it complies with the following requirements:
4.1. Written appointment of a data protection officer (DPO), if required by law. Changes to the appointment of a DPO and the contact details of the DPO shall be notified to the Controller without delay.
4.2. Confidentiality in accordance with Art. 28 para. 2 lit. b, Art. 29 and Art. 32 para. 4 GDPR is guaranteed. The Processor will only employ and use employees who are informed about all relevant data protection regulations; moreover, the Processor confirms that all employees have been bound in writing to maintain confidentiality. This obligation continues to apply after the termination of the License Agreement.
4.3. The Processor undertakes to implement and comply with all technical and organizational measures required in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR.
4.4. The Controller and Processor will cooperate in fulfilling their duties in accordance with the applicable data protection regulations at the request of the supervisory authority.
4.5. The Processor undertakes to regularly monitor its internal processes and technical and organisational measures in order to ensure that any processing within its responsibility is carried out in accordance with the requirements of the applicable rules on data protection regulations and that the rights of the data subjects are protected at all times.
4.6. Unless the Processor is obliged to process data under the laws of the European Union or local laws to which the Processor is subject (e.g. investigations by law enforcement agencies or government agencies), the Processor will process the personal data of the Controller only in accordance with the terms of the present DPA and the specific individual instructions of the Controller. In such a case, the Processor shall inform the Controller of these legal requirements prior to processing, unless the law prohibits such communication for an important public interest or other legal reason that the Processor is obliged to comply with. The Processor does not process data for other purposes and is not authorized to pass them on to third parties.
4.7. The Processor shall immediately inform the Controller if it considers an instruction to be illegal. The Processor may suspend the execution of the instruction only until it has been confirmed or modified by the Controller’s authorized personnel/representatives, and the Controller shall bear all risks and costs associated with the execution of any such instruction that proves to be illegal.
4.8. The Processor is obliged to provide the Controller, at any time, with information concerning the Controller’s data and documents.
4.9. The Processor keeps records of processing activities in accordance with Art. 30 para. 2 GDPR and makes them available on request of the Controller. The Controller provides the Processor with necessary information.
4.10. The Processor moreover supports the Controller in preparing the data processing record required under Art. 30 para. 1 GDPR.
4.11. The Processor shall assist the Controller in fulfilling all obligations from Art. 32 to 36 GDPR.
4.12. The Processor may seek compensation for any support action it takes for the benefit of the Controller, if such action is not part of the contractual duties of the Processor and is not required as a consequence of any misconduct of the Processor with respect to this Contract.
4.13. The Processor must inform the Controller immediately of all actions and measures taken by supervisory authorities, insofar as such relate to this DPA. This also applies in the event that a competent authority initiates administrative or criminal proceedings against the Processor for the data processing activities performed by the Processor.
4.14. In the event that the Controller is subject to an inspection by the supervisory authority or to administrative or criminal proceedings, the Processor shall support the Controller to the best of its ability with regard to claims by affected persons or third parties or other claims in connection with data processing under the present DPA.
4.15. All additional costs incurred by the Processor as a result of the aforementioned measures shall be borne by the Controller.
- Return and deletion
Copies or duplicates of data may not be made without the knowledge of the Controller. Excluded from this are copies to the extent necessary for proper data processing, and copies necessary for compliance with legal retention periods. After termination of the contractually agreed services, or earlier if so requested by the Controller, and at the latest upon termination of the License Agreement, the Processor shall either hand over to the Controller all documents and processing (usage) results as well as data records in connection with this DPA in its own possession or in the possession of third parties or, if the Controller has given its prior consent, delete such data in accordance with the requirements of data protection law. The same applies to test and scrap material. The Processor shall keep documents which provide evidence of orderly and proper data processing in accordance with the respective retention periods even after expiry of this DPA. In order to discharge this obligation, the Processor may hand over such documents to the Controller after termination of this DPA.
- Sub-contractual relations
6.2. For important data protection reasons, the Controller may object to such changes within a reasonable period (not longer than two weeks) and contact the Processor. If there is no objection within the deadline, the acceptance of the change is deemed to have been given. It shall be understood and agreed that a limitation of the service owed under this contract resulting from an unfounded objection shall not be the responsibility of the Processor. In exceptional cases, agreement may be reached in the subsequent period.
6.3. If the subcontractor provides agreed service(s) outside the EU, the Controller and Processor shall take appropriate measures to ensure that data protection is permissible and complied with.
6.4. Subcontracting in the sense of this Agreement always refers to services that directly relate to the provision of the principal service. This does not include other (ancillary) services provided by the Processor, such as the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor shall be obliged to enter into appropriate and legally compliant contractual agreements and control measures for outsourced ancillary services in order to ensure the data protection and data security of the Controller’s data.
Data processing is carried out exclusively within the framework of the agreements made and according to the instructions of the Controller. The Controller does not issue a specific instruction in case of data processing relating to onboarding purposes, to inquire about customer satisfaction, to undertake measures for improving customer loyalty and to offer additional services such as training sessions. The Controller shall generally issue all instructions and orders in writing or in a documented electronic format. Within the framework limits of this DPA, the Controller reserves a wide-ranging right to instructions regarding type, scope and procedure of data processing, which may be based on individual/detailed instructions. Changes to the subject matter of this DPA as well as procedural changes must be jointly agreed and documented in written or electronic form. Oral instructions must be confirmed immediately by the Controller in writing or in a documented electronic format.
- Rights of data subjects
8.1. The Processor may not correct, delete or restrict the processing of the data processed on behalf of the Controller unless the Controller has issued a corresponding and documented instruction. In case that a data subject directly contacts the Processor in this regard, the Processor must immediately forward such request to the Controller.
8.2. The Processor shall be entitled to reimbursement of the additional costs arising from its contribution to the measures pursuant to para. 8.1.
- Technical and organizational measures
9.1. The Processor must ensure security in accordance with Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in connection with Art. 5 para. 1 and 2 GDPR. In general, the measures to be taken consist of data security measures and measures that guarantee a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In this regard, the state of the art, the costs of implementation and the nature, scope and purpose of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of individuals within the meaning of Art. 32 para. 1 GDPR, shall be taken into account.
9.2. Technical and organizational measures are subject to technical progress and further development. In that regard, the Processor is permitted to implement appropriate alternative measures, provided that the level of security does not fall below that of the measures laid down. Significant changes shall be documented.
9.3. If security measures taken by the Processor do not meet the requirements of the Controller, the Processor shall inform the Controller immediately. The same applies to malfunctions and to violations committed by the Processor or its staff where such violation constitutes a breach of applicable data protection rules or contractual obligations. Such information shall also be provided in the event of a suspected data breach or irregularity.
Liability for breaches of the data protection provisions or this Agreement shall be governed by the applicable provisions of data protection law, unless the contractual agreements applicable to the underlying services contain a special liability provision.
11.1. Changes and amendments to this DPA and all of its components, including any assurances provided by the Processor, shall be made either in writing or in electronic form (text form).
11.2. The statutory seat of the Processor shall be the place of jurisdiction for both Parties.
11.3. Should parts of this DPA be or become invalid or unenforceable, this shall not affect the validity of the Agreement as such. In place of the invalid or unenforceable provision, such legally valid and enforceable provision shall apply which reflects as closely as commercially possible the spirit and purpose of the invalid or unenforceable provision.