Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Agreement for Services between News Studio ("Processor") and the Customer ("Controller"). It reflects the parties' agreement with regard to the processing of personal data.

The Processor and Controller are individually referred to as "Party" and collectively as the "Parties".

2. Definitions

For the purposes of this DPA, terms like "Personal Data", "Processing", "Data Subject", "Data Controller", and "Data Processor" shall have the meanings given to them in the General Data Protection Regulation (GDPR).

3. Subject Matter & Duration

The subject matter of the processing under this DPA is the Personal Data of the Controller which is processed in connection with the provision of services by the Processor to the Controller.

The duration of the processing under this DPA shall be for the term of the Agreement plus the period until the return or deletion of the data as set out in this DPA.

4. Roles & Instructions

The Controller acts as the Data Controller and the Processor acts as the Data Processor. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.

5. Processor Obligations

The Processor shall:

• Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
• Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights.
• Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.

6. Sub-processors

The Controller provides a general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.

7. Security of Processing

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures are described in our Security Overview.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach. The notification shall include relevant information to help the Controller fulfill their reporting obligations.

9. International Data Transfers

The Processor shall ensure that any transfer of Personal Data to a third country or an international organization is carried out in accordance with applicable data protection laws.

10. Deletion or Return of Data

At the choice of the Controller, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.

11. Audits & Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

12. Limitation of Liability

Each Party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement.

13. Contact DPO

For any inquiries related to data processing, please contact our Data Protection Officer: