Schedule 6. Data Processing Agreement
Agreement on Processing of Personal Data
Section 1. Subject Matter of the Agreement
(1) The Processor processes personal data within the meaning of the Data Protection Legislation on behalf of the Controller.
☒ in order to perform the following contract: Allfinanz Spark Subscription Agreement between the Parties.
The processing comprises the following: —
Subject matter of the processing: Use of Processor’s cloud-based proprietary software and digital Hosted Services for the following: —
(a) Hosted Services delivery: Facilitating the submission of applications for life and health insurance to the Controller and the assessment thereof by the Controller;
(b) Maintenance and Support for the Hosted Services and the underlying Software for the provision of the said service;
(c) Quality Assurance. Monitoring performance of Software and Services efficiency; identifying areas for cost reduction and process improvement; analysing third party data usage and value.
Duration of processing
☒ Pursuant to above-mentioned contract.
including any amendments or extensions to contract (if still covered by section 1)
☐ any other duration, i.e.
including any amendments or extensions (if still covered by section 1)
Type (Article 4(1),(13),(15) of GDPR) and purpose of processing:
☐ Pursuant to above-mentioned contract or other agreement
Type of personal data¹:
☒ Key personal data (e.g. name and date of birth of natural persons)
☒ Communication and contact data (e.g. telephone number, address)
☒ Contract data (e.g. insured ratings, insurance start date, premium)
☒ Usage or protocol data (e.g. log files)
☒ Survey data
☒ Membership data
☒ Data subject to professional secrecy (especially information obtained from private health, life or personal accident insurances)
☒ Data relating to criminal or administrative offences (e.g. data from criminal investigation files or proceedings for administrative offences)
☒ Data on racial or ethnic origin
☒ Genetic or biometric data
☒ Data about an individual’s sex life or sexual orientation
☒ Health data (e.g. information on illnesses, visits to physicians, curative treatment)
All data submitted by or on behalf of data subjects to the Controller for life and/or health insurance.
¹ Please tick the appropriate boxes.
Categories of data subject²:
☒ Users of IT applications
☒ Insured persons
☒ Interested parties
☒ Doctors and other professionals subject to professional secrecy requirements
Applicants to the Controller for life and/or health insurance.
Should there be any conflict or ambiguity, this Agreement will take precedence over any civil law provisions³ between the Controller and the Processor where necessary for validity.
² Please tick the appropriate boxes.
³ e.g. the other schedules of the Allfinanz Subscription Agreement.
Section 2. Persons involved
The following persons are authorised by the Controller to give instructions/may be contacted:
As set out in the Key Terms
Data protection officer of the Processor:
Diarmuid O’Brien, Legal Department, Head of Legal,
Mountainview, Central Park,
Leopardstown, Dublin 18, Ireland
Tel: +353 1 293 3315 (direct) and +353 1 293 2888 (main).
Data protection officer of the Controller:
As set out in the Key Terms of the Allfinanz Spark Subscription Agreement
(First name, surname, unit, function, telephone, e-mail)
If the contact person changes or will not be available for a long period of time, the other party must be notified in writing without undue delay of the contact person’s deputy or replacement; this must also be done if the communication channel is changed. This will only apply for the data protection officer if the information is not available on the internet.
For the purposes of this Agreement, the terms “in writing” or “written” also include documented electronic formats (e.g. e-mail).
Section 3. Rights and obligations of the Controller
(1) The Controller of the personal data set out in section 1 of this Agreement must ensure that the processing of the personal data meets the requirements of the applicable Data Protection Legislation to which it is subject; the Controller must ensure that the rights and freedoms of the data subject are protected.
(2) The Controller will place all orders or partial orders in writing. Changes to processing or processes must be agreed in writing with the Processor, and determined and documented in accordance with section 1 and section 2 of this Agreement. The Controller has the right to issue instructions concerning the nature, scope and methods of data processing. Verbal instructions must be confirmed in writing without delay.
(3) The Controller must advise the Processor without delay if it discovers errors or irregularities when inspecting the work results.
Section 4. Obligations of the Processor
(1) The Processor may only process personal data within the framework of agreements in place and where documented instructions are received from the Controller, unless required to perform any other processing by applicable law to which the Processor is subject. In such a case, the Processor must inform the Controller of that legal requirement before processing, unless that law prohibits the provision of such information on important grounds of public interest. This applies also to any persons acting under the authority of the Processor who have access to the Controller’s personal data. The Processor undertakes to ensure compliance with this.
(2) The Processor must immediately inform the Controller if, in its opinion, an instruction infringes the Data Protection Legislation provisions or provisions of agreements in place. The Processor is entitled to delay carrying out the instructions concerned until they are confirmed or amended by the Controller.
(3) The Processor must only amend, erase or restrict the personal data covered by this Agreement if the Controller so requires in the Agreement in place or instructs it to do so.
(4) The Processor will keep the data processed for the Controller strictly separate from other datasets.
(5) The Processor undertakes to maintain strict confidentiality when processing the Controller’s personal data in line with this Agreement. The obligation to maintain the confidentiality of data will continue even after this Agreement has been terminated.
(6) The Processor will ensure that persons authorised to process the personal data have signed a confidentiality undertaking, or are subject to an appropriate statutory obligation of confidentiality, both during their period of involvement in the processing and after termination of their employment. Upon request, the Processor will demonstrate compliance with this to the Controller by providing signed confidentiality agreements or another suitable format. The Processor confirms that before it deploys persons to process the Controller’s personal data it will ensure that those persons are aware of the applicable data protection rules and that regular training is carried out and awareness-raising measures taken.
(7) The Processor will ensure that the necessary security measures pursuant to Data Protection Legislation are in place for data processing. The details of binding security measures for data processing are set out in the attached Annex. Technical and organisational measures may be adjusted in the course of processing to take account of technical and organisational developments. The level of security may not fall below the measures specified in the Annex. Any material changes must be documented in writing.
(8) The Processor is to make available - even before processing begins, where applicable - to the Controller all information necessary to demonstrate compliance with the Processor’s obligations of applicable law or in this Agreement, including any instructions issued, and – with prior notice – is to allow checks (including reasonable inspections on site) to be carried out by the Controller and/or its authorised third-party auditor (who must be bound to confidentiality), and is to provide assistance as required.
Where personal data is processed in a private residence:⁴
Where personal data is processed in private residences, the Processor is to ensure that the aforementioned controls can also be carried out in those residences.
The measures pursuant to Article 32 of the GDPR (security for processing) must also be taken in the cases mentioned above. If security measures put in place by the Processor do not meet the specifications, the Processor will inform the Controller immediately.
(9) Taking into account the nature of the processing, the Processor will assist the Controller with appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in the Data Protection Legislation (particularly information, access, rectification, erasure, restriction on processing, data portability and objections where relevant in each case). If the data subject contacts the Processor directly, the Processor will inform the Controller of such contact immediately. The Processor may only itself provide information to the data subject or any third party with the Controller’s prior written consent. This shall also apply to any other enquiry that is recognisably addressed to the Controller.
(10) Upon request, the Processor will give the Controller a Record of Processing Activities of the Controller.
(11) The Processor undertakes to assist the Controller in ensuring compliance with its obligations in respect of security of processing, data protection impact assessment, taking into account the nature of processing and the information available to the Processor.
(12) The Processor must notify the Controller without delay on becoming aware of any personal data breach using the e-mail address of the Customer Data Protection Officer or (if none) the Customer Contact Manager as set out in the Key Terms. This notification must contain at least the following information:
(a) A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) The name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) A description of the likely consequences of the personal data breach;
(d) A description of the measures taken or proposed by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Processor undertakes to assist the Controller in ensuring compliance with its obligations under Article 33–34 of the GDPR, taking into account the nature of processing and the information available to the Processor. The Processor may make notifications for the Controller only after having been instructed to do so in accordance with section 2 of this Agreement.
(13) The processing of personal data by the Processor will take place in a member state of the European Union (“EU”) or European Economic Area (“EEA”). By agreement of the Parties, processing may take place in a third country outside the EU/EEA. Any performance of the service provided or parts of it in a third country requires the prior written consent of the Controller and may only take place if the specific requirements for the Transfers of Personal Data to Third Countries set out in the Data Protection Legislation are met.
The Controller is to be notified without undue delay if the processing is transferred from the EU/EEA to a third country, or vice versa, or if there is a change to the concrete measure to ensure an adequate level of data protection in the third country. The Processor is to continually monitor whether the prerequisites to an adequate level of data protection are met, and adjust, where necessary, the measure to ensure the appropriate level of data protection.
(14) At the discretion of the Controller, the Processor undertakes to delete or return all personal data to the Controller after the end of the provision of services relating to processing, and to delete existing copies unless applicable law requires storage of the personal data. This applies also to test materials and waste materials. The deletion must be recorded, and the documentation must be provided to the Controller upon request.
(15) If the Controller is subject to an enquiry or investigation by the supervisory authority or any other authority, to administrative or criminal proceedings, to a liability claim from a data subject or third party, or any other claim in connection with this Agreement, the Processor is to do its best to provide support to the Controller, upon request.
(16) If property of the Controller or the personal data to be processed is endangered by third-party measures at the Processor (such as attachment or seizure), by insolvency or composition proceedings, or by other events, the Processor must inform the Controller immediately.
⁴ Please tick the appropriate box.
Section 5. Sub-contractual relationships
(1) Sub-contractual relationships within the meaning of this Agreement refers to services that are directly related to the performance of contractual provisions. It does not generally cover ancillary services that the Processor uses, such as telecommunications, post and transportation, maintenance, help desks and other measures designed to ensure the confidentiality, availability, integrity and resilience of hardware and software for data processing centres. However, for such outsourced services the Processor is required to conclude appropriate and legally binding contractual arrangements and carry out checks in order to guarantee data protection and the data security of the Controller’s personal data.
(2) The Controller grants the Processor a general authorisation to use subcontractors. The Processor must always give the Controller notice of any intended changes concerning the addition or replacement of other processors (stating company, country, type of subcontracted service and the legal basis for transferring data in accordance with section 4(13)), and the Controller has, in accordance with section 2, the right to object to any such changes within one month, in which case the Processor may not engage the services of the subcontractor concerned. The engagement of the subcontractor is deemed to be authorised upon expiry of the notice period where express written authorisation has not already been given. The notice period starts when the information is received by the Controller.
The Processor will inform the Controller of the change of subcontractors in the following manner: By providing advance notice to the Controller.
The subcontractors listed in the Annex are authorised (company, country, type of subcontracted service and information pursuant to section 4(13) to the extent relevant).
(3) If the Processor engages another processor in order to carry out certain processing services on behalf of the Controller, the Processor must bind the new processor by a written contract or other legal act under applicable law to the same data protection obligations as those set out in this Agreement, and in particular there must be adequate safeguards to ensure that technical and organisational measures can be implemented in such a way that processing meets the requirements of the Data Protection Legislation. The right of audit under section 4(8) must also be accordingly ensured, if necessary; the type and scope of the Processor’s right of audit are to be taken into account in this regard.
Section 6. Responsibility/liability
The Processor’s liability to the Controller for loss or damage culpably caused by the Processor, its staff and/or persons or subcontractors tasked with performance of this Agreement in processing the Controller’s personal data is governed by clause 15 of Schedule 1 of the ALLFINANZ SPARK Subscription Agreement.
The Processor is not liable to the Controller for loss or damage caused by the Processor if it merely carried out the Controller’s instructions and if it complied with the procedure in section 4(2) of this Agreement.
Section 7. Miscellaneous
(1) The Controller may terminate this Agreement at any time without notice if there is a significant breach of data protection provisions or the provisions of or duties under this Agreement by the Processor, if the Processor cannot or will not carry out the Controller’s instructions, or if the Processor in contravention of this Agreement denies the Controller its right to perform checks. The notice of termination must be in writing.
The Processor may terminate this Agreement with one month’s notice if it can no longer meet its contractual obligations, particularly if the Controller does not authorise subcontractors to be engaged as per section 5(2). The notice of termination must be in writing.
The parties’ termination rights are otherwise set out in schedule 1 of the Allfinanz SPARK Subscription Agreement.
(2) Any supplement to this Agreement must be made in writing.
(3) Should any provision of this Agreement be invalid, this shall not affect the validity of the remaining provisions of the Agreement.
(4) This Data Processing Agreement shall be governed and construed in accordance with the laws of Ireland. Any disputes or claims arising out of or in connection with this Data Processing Agreement shall be submitted to the exclusive jurisdiction of the courts of Ireland.
☒ Pursuant to section 4(7) (Security of processing): As per Information Security Program.
☐ Pursuant to section 4(8) (Conditions for Mobile Working)
☐ Pursuant to section 4(13) (Measures to ensure an adequate level of data protection)
☒ Pursuant to section 5(2) (List of authorised sub-contractors):
Amazon Web Services (AWS)
Purpose: Cloud-Hosting via Cloud-Services platform.
Location: Singapore/ USA/ Canada/ Ireland/ Germany and any other AWS hub selected by Supplier.
Term: Subscription Term.