This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Service Agreement between Squaretalk and the Customer. By using Squaretalk’s services, you agree to the terms of this DPA.
Introduction and Incorporation into the Agreement
This Data Processing Agreement, including its annexes and attachments (hereafter referred to as the “DPA”), is made and entered into by and between Squaretalk, as the Data Processor, and Customer, as the Data Controller. This DPA forms part of the existing Master Services Agreement or similar service agreement (referred to as the “Main Agreement”), under which Squaretalk agrees to provide certain contact center solutions to the Customer.
The purpose of this DPA is to reflect the parties’ agreement with respect to the processing of personal data in compliance with the requirements of the General Data Protection Regulation (GDPR) and any other applicable data protection laws. By entering into this DPA, Squaretalk and the Customer intend to ensure the lawful and secure processing of personal data, as required under such laws.
Any capitalized terms not defined herein shall have the meaning ascribed to them in the Main Agreement. In the event of a conflict between the terms of this DPA and the Main Agreement, the terms of this DPA shall prevail with respect to the parties’ data protection obligations.
Processing and Transfer of Personal Data
1. Scope and Purpose of Processing: Squaretalk, as the Data Processor, shall process personal data only as necessary to provide the contact center services as outlined in the Main Agreement and this DPA. The processing shall be carried out in accordance with the documented instructions of the Customer (Data Controller), unless required by European Union or Member State law to which Squaretalk is subject.
2. Compliance with Laws: Both parties acknowledge their respective duties to comply with all applicable data protection laws, including the GDPR. Squaretalk shall inform the Customer if, in its opinion, an instruction from the Customer infringes upon data protection laws.
3. Data Transfer: Personal data may be transferred to, and stored at, a destination outside the European Economic Area (EEA) only where at least one of the following conditions is met:
- The transfer is to a country that has been deemed to provide an adequate level of data protection by the European Commission.
- Appropriate safeguards, such as Standard Contractual Clauses, are in place in accordance with GDPR Article 46.
- The transfer is necessary for the performance of a contract between the Data Controller and Data Subject, or for pre-contractual measures taken at the Data Subject’s request.
4. Data Transfer to Third Countries: In the event of a transfer of personal data to a third country or an international organization, Squaretalk shall ensure that such transfers are subject to appropriate safeguards as mentioned above and that data subjects have enforceable rights and effective legal remedies.
5. Record-Keeping: Squaretalk shall maintain a record of all categories of processing activities carried out on behalf of the Customer, including transfers of personal data to a third country or an international organization, and provide this record to the Customer upon request.
6. Subsequent Changes: Squaretalk will notify the Customer of any changes in the legal or regulatory framework that may affect its processing of personal data, including changes affecting the transfer of personal data outside the EEA.
Roles and Responsibilities
1. Squaretalk as Data Processor:
- Squaretalk shall process personal data only on documented instructions from the Customer (Data Controller), including with regard to transfers of personal data to a third country or an international organization, unless required to do so by European Union or Member State law.
- Squaretalk shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Squaretalk shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.
2. Customer as Data Controller:
- The Customer shall ensure that its instructions for the processing of personal data shall comply with applicable laws, including the GDPR.
- The Customer is responsible for ensuring that the processing of personal data, as instructed to Squaretalk, is lawful and that the rights of the data subjects are protected.
- The Customer shall maintain a record of processing activities under its responsibility.
3. Joint Responsibilities:
- Both parties shall cooperate to respond to any requests from data subjects exercising their rights under the GDPR, such as the rights of access, rectification, erasure, and data portability.
- In the event of a personal data breach, both parties shall cooperate to ensure a prompt and adequate response, including any required notifications to supervisory authorities and data subjects.
- Both parties agree to provide each other with assistance in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR relating to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
4. Audit and Inspection:
- Squaretalk shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
- Any such audits shall be conducted with reasonable notice, subject to confidentiality obligations, and without disrupting Squaretalk’s business operations.
Sub-Processors
1. Use of Sub-Processors: Squaretalk may engage third-party sub-processors to process personal data under this DPA. The engagement of any sub-processor shall not relieve Squaretalk of any of its obligations under this DPA.
2. List of Current Sub-Processors and Notification of New Sub-Processors:
- Squaretalk shall maintain a list of sub-processors authorized to process personal data and provide this list to the Customer upon request.
- Squaretalk will inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes.
3. Sub-Processor Agreements:
- Squaretalk shall enter into a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA with respect to the protection of personal data.
- Squaretalk shall remain fully liable to the Customer for the performance of the sub-processor’s obligations.
4. Objection Right for New Sub-Processors:
- The Customer may object to Squaretalk’s use of a new sub-processor on reasonable grounds relating to data protection by notifying Squaretalk promptly in writing within a specified period after receiving notice of the engagement.
- Upon receipt of such objection, Squaretalk will use reasonable efforts to make available a commercially reasonable change in the provision of the services or recommend a commercially reasonable change to the Customer’s configuration or use of the services to avoid processing of personal data by the objected-to new sub-processor without unreasonably burdening the Customer.
5. Audits and Inspections of Sub-Processors:
- Squaretalk shall ensure that its agreements with sub-processors include the right for Squaretalk and, where applicable, the Customer, to conduct audits and inspections to ensure compliance with GDPR and other data protection laws.
- Such audits shall be conducted in accordance with the terms specified in the “Audit and Inspection” section of this DPA.
Data Subject Rights
1. Assistance with Data Subject Requests: Squaretalk shall assist the Customer in ensuring compliance with the obligations concerning the rights of data subjects under the GDPR and other data protection laws. This includes assistance in responding to requests for exercising the data subject’s rights such as the right to access, rectify, erase, restrict, transfer, or object to the processing of their personal data.
2. Notification and Cooperation:
- Squaretalk shall promptly notify the Customer if it receives a direct request from a data subject to exercise their data subject rights under the GDPR or any other applicable data protection law.
- Squaretalk shall not respond to any such data subject request without the Customer’s prior written consent, except as required by law.
3. Procedure for Handling Requests:
- Upon receiving a request from a data subject, Squaretalk shall relay the request to the Customer without undue delay.
- Squaretalk shall provide the Customer with cooperation and assistance for the Customer to fulfill such data subject requests. This may include technical and organizational measures to enable the Customer to respond effectively.
4. Documentation and Record Keeping:
- Squaretalk shall maintain records of all data subject requests and the actions taken in response to such requests. These records will be provided to the Customer upon request to demonstrate compliance with data protection laws.
- Squaretalk will ensure that such records are kept in a manner that respects the confidentiality and security of the data subject’s information.
5. Training and Awareness:
- Squaretalk shall ensure that its staff involved in the processing of personal data are informed and trained to handle data subject requests in a manner that complies with GDPR and other relevant data protection laws.
Data Transfers and International Considerations
1. General Requirements for Data Transfer: Squaretalk shall not transfer personal data processed under this DPA to any country outside of the European Economic Area (EEA) without ensuring that such transfers are compliant with the GDPR and other applicable data protection laws.
2. Transfers to Adequate Jurisdictions: If Squaretalk transfers personal data to a country that the European Commission has determined provides an adequate level of protection for personal data, Squaretalk will ensure that such transfers comply with GDPR requirements.
3. Transfers Under Standard Contractual Clauses (SCCs):
- In the absence of an adequacy decision, Squaretalk may transfer personal data to a third country or an international organization, provided it has implemented the Standard Contractual Clauses adopted by the European Commission.
- Squaretalk shall ensure that the SCCs are fully executed and any additional measures necessary to ensure that the data transfer complies with the GDPR are implemented.
4. Data Transfer Impact Assessments:
- Prior to transferring personal data to a third country or international organization, Squaretalk shall conduct and document a transfer impact assessment, considering the circumstances of the transfer and the legal framework in the recipient country.
- Squaretalk shall provide the Customer with the results of such assessments upon request.
5. Notification of Changes in Law:
- Squaretalk shall promptly inform the Customer if it becomes aware of changes in the legislation of a third country that might affect its compliance with the SCCs or GDPR.
- In such an event, Squaretalk and the Customer shall work together to find a practical solution to address the impact of the change in legislation.
6. Subsequent Processing in Third Countries:
- Any processing of personal data by Squaretalk in a third country shall only occur if the conditions of this section are met and shall be subject to the same data protection obligations as set out in this DPA.
7. Liability for Data Transfers:
- Squaretalk shall remain fully liable to the Customer for any breaches of this DPA that occur during the transfer of personal data to a third country or an international organization, including breaches by any sub-processors.
Confidentiality and Security Measures
1. Commitment to Confidentiality:
- Squaretalk shall ensure that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
2. Implementation of Security Measures:
- Squaretalk agrees to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the data processing activities, in accordance with Article 32 of the GDPR. These measures shall be designed to prevent unauthorized or unlawful processing, accidental loss, destruction, or damage to personal data.
- The security measures shall include, as appropriate, the encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, regular testing and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing, and measures for user identification and authorization.
3. Security Incident Management:
- In the case of a personal data breach, Squaretalk shall notify the Customer without undue delay after becoming aware of the breach, in compliance with GDPR requirements.
- Squaretalk shall provide timely information relating to the personal data breach as it becomes known or as is reasonably requested by the Customer.
4. Documentation and Compliance:
- Squaretalk shall maintain records and information necessary to demonstrate compliance with the obligations set out in this section and allow for audits by the Customer or the Customer’s designated auditor.
- Squaretalk shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
5. Regular Reviews and Updates to Security Measures:
- Squaretalk commits to regularly reviewing and updating its security measures in line with technological developments and evolving threats to ensure continued compliance with GDPR.
6. Sub-Processor Obligations:
- Squaretalk shall ensure that any sub-processors engaged for the processing of personal data are bound by similar confidentiality and security measures as set forth in this DPA.
Data Breach Notification
1. Notification of Data Breach:
- In the event of a personal data breach (as defined under the GDPR) affecting any data processed under this DPA, Squaretalk shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the Customer of the data breach.
2. Contents of Notification:
- The notification shall, to the extent possible, include:
  - The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
  - The name and contact details of Squaretalk’s data protection officer or other contact point where more information can be obtained.
  - The likely consequences of the personal data breach.
  - The measures taken or proposed to be taken by Squaretalk to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3. Obligation to Assist:
- Squaretalk shall cooperate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such personal data breach.
4. Customer’s Notification Obligation:
- The Customer is responsible for complying with any data breach notification laws applicable to them and for fulfilling any third-party notification obligations related to any data breach.
5. Record of Data Breaches:
- Squaretalk shall maintain records of all data breaches, including the facts relating to the personal data breach, its effects, and the remedial action taken, and shall make such records available to the Customer upon request.
6. No Admission of Liability:
- The reporting or notification of a data breach under this section shall not be construed as an admission by Squaretalk of any fault or liability with respect to the data breach.
Audit and Inspection
1. Right to Conduct Audits:
- The Customer shall have the right to conduct audits, including inspections, to verify Squaretalk’s compliance with its obligations under this DPA and applicable data protection laws. These audits may be conducted by the Customer or an auditor appointed by the Customer.
2. Audit Procedure:
- To exercise this right, the Customer shall provide reasonable notice to Squaretalk of its intention to conduct an audit.
- Audits shall be conducted during normal business hours, with minimal disruption to Squaretalk’s operations.
- The scope of the audit shall be agreed upon in advance and shall be limited to data processing operations relevant to the services provided under the Main Agreement.
3. Confidentiality and Security:
- The Customer and its appointed auditor shall maintain confidentiality of all information obtained through the audit process and shall comply with Squaretalk’s security policies while on its premises.
- All findings and reports generated from such audits shall be treated as confidential information.
4. Costs of Audit:
- The Customer shall bear the costs associated with the conduct of these audits, unless the audit reveals a material non-compliance by Squaretalk, in which case Squaretalk shall bear the reasonable costs of the audit.
5. Audit Frequency:
- Audits under this section shall be limited to once per year, unless there are reasonable grounds to believe Squaretalk is in breach of its obligations under this DPA or applicable data protection laws.
6. Cooperation and Remediation:
- Squaretalk shall cooperate fully with such audits and shall provide all reasonable assistance necessary to conduct the audit, including access to relevant premises, personnel, and data.
- If any audit reveals non-compliance with this DPA or applicable data protection laws, Squaretalk shall promptly remedy such non-compliance at its own expense.
Termination and Data Return or Deletion
1. Termination of Agreement:
- This DPA shall automatically terminate upon the expiration or termination of the Main Agreement between Squaretalk and the Customer.
2. Return or Deletion of Personal Data:
- Upon termination of the Main Agreement, Squaretalk shall, at the Customer’s choice, return all personal data to the Customer or delete all personal data processed under this DPA, unless European Union or Member State law requires storage of the personal data.
- The choice of return or deletion of the personal data shall be communicated by the Customer to Squaretalk in writing within a reasonable period following the termination of the Main Agreement.
3. Procedure for Data Return:
- In case the Customer opts for return of personal data, Squaretalk shall return all personal data in a commonly used and machine-readable format.
- Squaretalk shall ensure that the data is returned securely and in a manner that preserves the integrity of the data.
4. Procedure for Data Deletion:
- In case the Customer opts for deletion of personal data, Squaretalk shall delete all personal data in its possession or control. This deletion will be in accordance with secure deletion practices, ensuring that the data cannot be reconstructed or read.
- Squaretalk shall confirm in writing to the Customer that all personal data has been deleted as requested.
5. Retention for Legal Obligations:
- Notwithstanding the above, Squaretalk may retain certain personal data if required by European Union or Member State law. Such retention shall be for the period specified by law and Squaretalk shall ensure that the retained data is processed only as necessary for the purposes specified in the applicable law.
6. Certification of Compliance:
- Upon completion of the data return or deletion, Squaretalk shall provide a certificate to the Customer confirming that all actions required under this section have been completed in full compliance with the DPA.
Legal Compliance and Jurisdiction
1. Compliance with Laws:
- Both Squaretalk and the Customer shall comply with all applicable laws, statutes, regulations, and codes relating to data protection, privacy, and security in the performance of their respective obligations under this DPA.
2. Changes in Data Protection Laws:
- In the event of any changes in data protection laws that materially affect the processing of personal data under this DPA, both parties agree to negotiate in good faith to amend this DPA as necessary to comply with such laws.
3. Conflict of Laws:
- In the case of any conflict between the provisions of this DPA and any national laws, regulations, or other legal requirements, the parties agree to resolve the conflict in a manner that ensures compliance with all applicable data protection laws.
4. Jurisdiction and Governing Law:
- This DPA shall be governed by and construed in accordance with the laws of the EU, without regard to its conflict of law principles.
- Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the EU.
5. Authority to Enter DPA:
- Each party warrants that it has the legal authority to enter into this DPA and that this DPA has been duly authorized, executed, and delivered and constitutes a legal, valid, and binding obligation, enforceable against it in accordance with its terms.
6. Entire Agreement:
- This DPA constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior or contemporaneous agreements, understandings, and communications, whether written or oral.