The Terms of Use were revised to ensure compliance with the European Union’s + Digital Services Act (DSA) and to improve transparency about how Wikibase Cloud operates.
+In addition to terms defined elsewhere in this + Agreement, the following terms have the following meanings:
+1.1 “Manager Account” or “Account”: The personal Account provided by Wikibase.cloud + to the User on the Platform after the User’s registration.
+1.2 “Content”: Any type of media (for example text, video files) uploaded to the + Platform by a User.
+1.3 “User”: A natural person that registers for and + uses the Platform.
+1.4 “Wikimedia”: Wikimedia Deutschland – Gesellschaft + zur Förderung Freien Wissens e. V.
+1.5 “Wikibase Instance” or “Site”: an open knowledge base that can be + created and run by anyone on Wikibase.cloud. +
+2.1 Wikimedia, Tempelhofer Ufer 23/24, 10963 Berlin, provides
+ Wikibase.cloud (the „Platform“), a free cloud-based Platform that hosts
+ instances of Wikibase. It offers collaborative space to pool, edit and
+ curate information and is accessible under
2.2 These Terms of Use govern the legal relationship between Wikimedia + and the User and apply to all actions of the User and Wikimedia on or in + connection with the Platform (the „Agreement“).
+3.1 To use the Platform, the
+ User must open a Manager Account. Opening a Manager Account is free of
+ charge for the User. The User can sign up directly by visiting the
+ website
3.2 When registering, the User is required to provide certain basic + information, including an email address and a password.
+3.3 By clicking + on “Create Account”, the User requests Wikimedia to create an Account on + the Platform. Wikimedia will send an email with a legally binding offer + to open the Account and to confirm the user’s email address. By clicking + on “verify email”, the User accepts the offer, concludes the Agreement + with Wikimedia and opens the Account.
+3.4 The User shall keep the Account + information, in particular the chosen password, confidential and shall + not disclose it to third parties. Any misuse or suspected misuse must be + reported to Wikimedia Deutschland immediately.
+3.5 The User can access + the latest version of these Terms at any time on the Platform. The + Agreement is concluded in English and the Terms are only available in + English.
+4.1 After creating a Manager Account and logging into it, the User can + create a Wikibase Instance on their dashboard page.
+4.2 To create a + Wikibase Instance, the User is required to provide certain basic + information, including Site Name, Site Domain and Username.
+4.3 By + clicking on “Create Wiki”, the User submits the form. Once the form has + been successfully submitted, the Wikibase Instance will be created and + become available on the dashboard.
+4.4 Wikimedia will send the User an + email with Account details, including the username and a temporary + password. After logging in with the provided password, the User is + prompted to create a new password.
+4.5 The User shall keep the Account + information, in particular the chosen password, confidential and shall + not disclose it to third parties. Any misuse or suspected misuse must be + reported to Wikimedia immediately.
+4.6 Once the Wikibase Instance has + been created, the basic functions are available to the User, which may + change from time to time. For example, the User can create a main page, + add a logo and create their own legal terms for their Wiki. The User can + also manually enter, import or delete data or any other information or + media (the “Content”) using the tools provided. Wikibase is a + collaborative Platform. The User can enable other persons to register + for an Account on their Wikibase Instance or upload Content.
+5.1 The User may only use the Platform in accordance with + the Terms of Use and the additional rules laid down in the Hosting + Policy, which is hereby explicitly incorporated into the Agreement. In + particular, the User may not create, post, share, link to or otherwise + interact with Content that violates our rules or any laws.
+5.2 The User + is responsible for any Content that they or other persons publish on + their registered Wikibase Instance. The User shall take all reasonable + steps to inform other persons using their Wikibase Instance of all + restrictions laid down in these Terms of Use and to ensure that these + restrictions are obeyed. The User must have all the necessary rights to + create, publish or share Content. The User agrees not to upload or share + any Content on their Wikibase Instance that infringes the intellectual + property rights of third persons or that is otherwise unlawful.
+5.4 The User should be aware that the sites + may be edited by the public and, as such, may contain inappropriate + Content at any time.
+ +6.1 Wikimedia does not + monitor Content on the Platform, but reserves the right to conduct + random checks, particularly if there are indications of violations. + Wikimedia does not use any automatic moderation technology or similar + tools that automatically scan, edit, block or remove Content.
+6.2 Wikimedia may remove or restrict access to Content and/or delete or + restrict access to the User’s Account and/or delete or restrict access + to the Wikibase Instance if Wikimedia has reasonable grounds to believe + that Content violates the Agreement or applicable law.
+6.3 If Wikimedia + removes or restricts access to Content, Wikimedia will notify the User + immediately and explain the reasons for the decision, unless to do so + would harm Wikimedia, or other third parties, or Wikimedia is legally + prevented from notifying the User.
+6.4 Wikimedia will always proceed + carefully, objectively and proportionately when examining Content and + implementing measures, and will take into account the rights and + legitimate interests of all parties involved.
+7.1 The User grants + Wikimedia the rights of use to the uploaded Content for the purpose of + Wikimedia’s provision of the Platform.
+7.2 Wikimedia reserves the right to close, move, merge, or rename a site + for any reason. Wikimedia shall not be held liable for any modification, + suspension or discontinuance of any site, or of the Platform as a whole.
+ +8.1 The terms of this Agreement commence upon the + User’s registration.
+8.2 The User can delete their Account by contacting
+ Wikimedia, for example, via
8.3 Wikimedia can (i) terminate the contract, (ii) suspend single instances, + (iii) permanently delete single instances, and/ or (iv) transfer + ownership of single instances to another User at any time and without + cause, provided that two weeks’ notice is given.
+8.4 The User can delete + their Wikibase Instance at any time through the settings. All data and + Content associated with this Wikibase Instance will be permanently + deleted after 30 days. The domain may not be available for reuse.
+8.5 Wikimedia may terminate or suspend any use of the Platform and the + User’s Account immediately, without notice or liability, if the User + breaches any of the terms and conditions of the Terms of Use. Upon + termination of the User’s Account, the User’s right to use the Platform + will immediately cease.
+ +9.1 Wikimedia shall implement appropriate measures to ensure the availability and + error free functionality of the Platform. However, the User acknowledges + that for technical reasons and due to the dependence on external + influences, Wikimedia cannot guarantee the uninterrupted availability of + the Platform.
+9.2 Wikimedia will occasionally carry out maintenance work + to ensure the functionality or expansion of the Platform. These tasks + may result in a temporary impairment of the usability of the Platform. + Insofar Wikimedia shall carry out the maintenance work during periods of + low use.
+ +10.1 Wikimedia provides a free service that allows + the User to create their own Wikibase Instance. Wikimedia assumes no + responsibility for any material posted by the User. However, in + accordance with Art. 16 DSA Wikimedia provides a mechanism for the User + and third parties to report illegal Content hosted on the Platform.
+10.2 Users are solely responsible for their Content and must ensure + compliance with applicable German laws.
+10.3 The User agrees to indemnify + and hold harmless Wikimedia from any claims by third parties arising + from Content they publish or actions they take while using our Platform.
+ +11.1 For comprehensive information on how Wikimedia
+ collects, processes or uses personal data of the User, please refer to
+ our
11.2 To the extent that the Content provided by the + User or by contributors and users of the User’s Wikimedia Instance + contains personal data of third parties, the User remains the controller + of such data and Wikimedia acts as the processor of the User’s personal + data under the GDPR. To this end, the Parties enter into the Standard + Contractual Clauses (Commission Implementing Decision (EU) 2021/915 of 4 + June 2021) attached hereto in the Appendix 1.
+11.3 If and to the extent that the User + resides and/or processes personal data in a state outside of the EU and + the data transfers between Wikimedia and the User constitute an + international data transfer according to Chapter 5 of the GDPR, the User + and Wikimedia enter into the Standard Contractual Clauses for transfers + of personal data to third countries as laid down in the Commission + Implementing Decision (EU) 2021/914 4 June 2021, attached hereto as + Appendix 2 (the “International Standard Contractual Clauses”) in form of + Module 4 (Processor to Controller). The Annexes I, II, III and IV of + Appendix 1 apply accordingly.
+ +12.1 This Agreement is + governed by, and shall be interpreted in accordance with, the laws of, + and directly applicable in, the Federal Republic of Germany, excluding, + however, the provisions of the United Nations Convention on Contracts + for the International Sale of Goods and any conflict of law provisions + that would require the application of the material law of another + country.
+12.2 The Parties hereby irrevocably submit to the exclusive + jurisdiction of the courts of Berlin, Germany, for all disputes or + claims arising out of or in connection with this Agreement made + hereunder.
+12.3. If any provision of this Agreement is invalid or + unenforceable in whole or in part, this shall not affect the validity + and enforceability of any other provision of this Agreement. The invalid + or unenforceable provision shall be deemed replaced by a valid and + enforceable provision that comes as close as possible to the economic + purpose that both parties had in mind with the invalid or unenforceable + provision.
+ +(a) The purpose of these Standard + Contractual Clauses (the Clauses) is to ensure compliance with Article + 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and + of the Council of 27 April 2016 on the protection of natural persons + with regard to the processing of personal data and on the free movement + of such data, and repealing Directive 95/46/EC (General Data Protection + Regulation).
+(b) The controllers and processors listed in Annex I have + agreed to these Clauses in order to ensure compliance with Article 28(3) + and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of + Regulation (EU) 2018/1725.
+(c) These Clauses apply to the processing of + personal data as specified in Annex II.
+(d) Annexes I to IV are an + integral part of the Clauses.
+(e) These Clauses are without prejudice to + obligations to which the controller is subject by virtue of Regulation + (EU) 2016/679 and/or Regulation (EU) 2018/1725.
+(f) These Clauses do not + by themselves ensure compliance with obligations related to + international transfers in accordance with Chapter V of Regulation (EU) + 2016/679 and/or Regulation (EU) 2018/1725.
+ +(a) The Parties undertake not to modify the Clauses, except for + adding information to the Annexes or updating information in them.
+(b) This does not prevent the Parties from including the standard + contractual clauses laid down in these Clauses in a broader contract, or + from adding other clauses or additional safeguards provided that they do + not directly or indirectly contradict the Clauses or detract from the + fundamental rights or freedoms of data subjects.
+ +(a) Where these Clauses use the terms defined in Regulation (EU) + 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall + have the same meaning as in that Regulation.
+(b) These Clauses shall be + read and interpreted in the light of the provisions of Regulation (EU) + 2016/679 or Regulation (EU) 2018/1725 respectively.
+(c) These Clauses + shall not be interpreted in a way that runs counter to the rights and + obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) + 2018/1725 or in a way that prejudices the fundamental rights or freedoms + of the data subjects.
+ +In the event of a contradiction + between these Clauses and the provisions of related agreements between + the Parties existing at the time when these Clauses are agreed or + entered into thereafter, these Clauses shall prevail.
+ +The details of the processing operations, in particular the categories of + personal data and the purposes of processing for which the personal data + is processed on behalf of the controller, are specified in Annex II.
+ +(a) The processor + shall process personal data only on documented instructions from the + controller, unless required to do so by Union or Member State law to + which the processor is subject. In this case, the processor shall inform + the controller of that legal requirement before processing, unless the + law prohibits this on important grounds of public interest. Subsequent + instructions may also be given by the controller throughout the duration + of the processing of personal data. These instructions shall always be + documented.
+(b) The processor shall immediately inform the controller + if, in the processor’s opinion, instructions given by the controller + infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the + applicable Union or Member State data protection provisions.
+The processor shall process the personal data only + for the specific purpose(s) of the processing, as set out in Annex II, + unless it receives further instructions from the controller.
+Processing by the processor + shall only take place for the duration specified in Annex II.
+(a) The processor shall at least implement the + technical and organisational measures specified in Annex III to ensure + the security of the personal data. This includes protecting the data + against a breach of security leading to accidental or unlawful + destruction, loss, alteration, unauthorised disclosure or access to the + data (personal data breach). In assessing the appropriate level of + security, the Parties shall take due account of the state of the art, + the costs of implementation, the nature, scope, context and purposes of + processing and the risks involved for the data subjects.
+(b) The + processor shall grant access to the personal data undergoing processing + to members of its personnel only to the extent strictly necessary for + implementing, managing and monitoring of the contract. The processor + shall ensure that persons authorised to process the personal data + received have committed themselves to confidentiality or are under an + appropriate statutory obligation of confidentiality.
+If the processing involves personal data revealing racial or ethnic + origin, political opinions, religious or philosophical beliefs, or trade + union membership, genetic data or biometric data for the purpose of + uniquely identifying a natural person, data concerning health or a + person’s sex life or sexual orientation, or data relating to criminal + convictions and offences (“sensitive data”), the processor shall apply + specific restrictions and/or additional safeguards.
+(a) The Parties shall be able to demonstrate compliance + with these Clauses.
+(b) The processor shall deal promptly and adequately + with inquiries from the controller about the processing of data in + accordance with these Clauses.
+(c) The processor shall make available to + the controller all information necessary to demonstrate compliance with + the obligations that are set out in these Clauses and stem directly from + Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the + controller’s request, the processor shall also permit and contribute to + audits of the processing activities covered by these Clauses, at + reasonable intervals or if there are indications of non-compliance. In + deciding on a review or an audit, the controller may take into account + relevant certifications held by the processor.
+(d) The controller may + choose to conduct the audit by itself or mandate an independent auditor. + Audits may also include inspections at the premises or physical + facilities of the processor and shall, where appropriate, be carried out + with reasonable notice.
+(e) The Parties shall make the information + referred to in this Clause, including the results of any audits, + available to the competent supervisory authority/ies on request.
+(a) GENERAL WRITTEN AUTHORISATION: The processor + has the controller’s general authorisation for the engagement of + sub-processors from an agreed list. The processor shall specifically + inform in writing the controller of any intended changes of that list + through the addition or replacement of sub-processors at least two + months in advance, thereby giving the controller sufficient time to be + able to object to such changes prior to the engagement of the concerned + sub-processor(s). The processor shall provide the controller with the + information necessary to enable the controller to exercise the right to + object.
+(b) Where the processor engages a sub-processor for carrying out + specific processing activities (on behalf of the controller), it shall + do so by way of a contract which imposes on the sub-processor, in + substance, the same data protection obligations as the ones imposed on + the data processor in accordance with these Clauses. The processor shall + ensure that the sub-processor complies with the obligations to which the + processor is subject pursuant to these Clauses and to Regulation (EU) + 2016/679 and/or Regulation (EU) 2018/1725.
+(c) At the controller’s + request, the processor shall provide a copy of such a sub-processor + agreement and any subsequent amendments to the controller. To the extent + necessary to protect business secret or other confidential information, + including personal data, the processor may redact the text of the + agreement prior to sharing the copy.
+(d) The processor shall remain + fully responsible to the controller for the performance of the + sub-processor’s obligations in accordance with its contract with the + processor. The processor shall notify the controller of any failure by + the sub-processor to fulfil its contractual obligations.
+(e) The processor shall agree a third party beneficiary clause with the + sub-processor whereby - in the event the processor has factually + disappeared, ceased to exist in law or has become insolvent - the + controller shall have the right to terminate the sub-processor contract + and to instruct the sub-processor to erase or return the personal data.
+(a) Any transfer of data to a third country + or an international organisation by the processor shall be done only on + the basis of documented instructions from the controller or in order to + fulfil a specific requirement under Union or Member State law to which + the processor is subject and shall take place in compliance with Chapter + V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
+(b) The controller agrees that where the processor engages a sub-processor in + accordance with Clause 7.7. for carrying out specific processing + activities (on behalf of the controller) and those processing activities + involve a transfer of personal data within the meaning of Chapter V of + Regulation (EU) 2016/679, the processor and the sub-processor can ensure + compliance with Chapter V of Regulation (EU) 2016/679 by using standard + contractual clauses adopted by the Commission in accordance with of + Article 46(2) of Regulation (EU) 2016/679, provided the conditions for + the use of those standard contractual clauses are met.
+ +(a) The processor shall promptly notify the + controller of any request it has received from the data subject. It + shall not respond to the request itself, unless authorised to do so by + the controller.
+(b) The processor shall assist the controller in + fulfilling its obligations to respond to data subjects’ requests to + exercise their rights, taking into account the nature of the processing. + In fulfilling its obligations in accordance with (a) and (b), the + processor shall comply with the controller’s instructions
+(c) In addition to the processor’s obligation to assist the controller pursuant + to Clause 8(b), the processor shall furthermore assist the controller in + ensuring compliance with the following obligations, taking into account + the nature of the data processing and the information available to the + processor:
+(1) the obligation to carry out an assessment of the impact + of the envisaged processing operations on the protection of personal + data (a ‘data protection impact assessment’) where a type of processing + is likely to result in a high risk to the rights and freedoms of natural + persons;
+(2) the obligation to consult the competent supervisory + authority/ies prior to processing where a data protection impact + assessment indicates that the processing would result in a high risk in + the absence of measures taken by the controller to mitigate the risk;
+(3) the obligation to ensure that personal data is accurate and up to + date, by informing the controller without delay if the processor becomes + aware that the personal data it is processing is inaccurate or has + become outdated;
+(4) the obligations in Article 32 of Regulation (EU) + 2016/679.
+(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which + the processor is required to assist the controller in the application of this Clause as well as the scope + and the extent of the assistance required.
+In the event of a personal data + breach, the processor shall cooperate with and assist the controller for + the controller to comply with its obligations under Articles 33 and 34 + of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation + (EU) 2018/1725, where applicable, taking into account the nature of + processing and the information available to the processor.
+In the event of a + personal data breach concerning data processed by the controller, the + processor shall assist the controller:
+(a) in notifying the personal + data breach to the competent supervisory authority/ies, without undue + delay after the controller has become aware of it, where + relevant/(unless the personal data breach is unlikely to result in a + risk to the rights and freedoms of natural persons);
+(b) in obtaining + the following information which, pursuant to Article 33(3) of Regulation + (EU) 2016/679, shall be stated in the controller’s notification, and + must at least include:
+(1) the nature of the personal data including + where possible, the categories and approximate number of data subjects + concerned and the categories and approximate number of personal data + records concerned;
+(2) the likely consequences of the personal data + breach;
+(3) the measures taken or proposed to be taken by the controller + to address the personal data breach, including, where appropriate, + measures to mitigate its possible adverse effects.
+Where, and insofar as, it is not possible to provide all this information at the same time, the initial + notification shall contain the information then available and further information shall, as it becomes + available, subsequently be provided without undue delay.
+(c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, + with the obligation to communicate without undue delay the personal data + breach to the data subject, when the personal data breach is likely to + result in a high risk to the rights and freedoms of natural persons.
+ +In the event of a + personal data breach concerning data processed by the processor, the + processor shall notify the controller without undue delay after the + processor having become aware of the breach. Such notification shall + contain, at least:
+(a) a description of the nature of the breach (including, where + possible, the categories and approximate number of data subjects and + data records concerned);
+(b)the details of a contact point where more information concerning the + personal data breach can be obtained;
+(c) its likely consequences and the measures taken or proposed to be + taken to address the breach, including to mitigate its possible adverse + effects.
+Where, and insofar as, it is not possible to provide all this + information at the same time, the initial notification shall contain the + information then available and further information shall, as it becomes + available, subsequently be provided without undue delay.
+The Parties + shall set out in Annex III all other elements to be provided by the + processor when assisting the controller in the compliance with the + controller’s obligations under Articles 33 and 34 of Regulation (EU) + 2016/679.
+ +(a) Without prejudice to any provisions of Regulation + (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that the + processor is in breach of its obligations under these Clauses, the + controller may instruct the processor to suspend the processing of + personal data until the latter complies with these Clauses or the + contract is terminated. The processor shall promptly inform the + controller in case it is unable to comply with these Clauses, for + whatever reason.
+(b) The controller shall be entitled to terminate the + contract insofar as it concerns processing of personal data in + accordance with these Clauses if:
+(1) the processing of personal data by + the processor has been suspended by the controller pursuant to point (a) + and if compliance with these Clauses is not restored within a reasonable + time and in any event within one month following suspension;
+(2) the + processor is in substantial or persistent breach of these Clauses or its + obligations under Regulation (EU) 2016/679 and/or Regulation (EU) + 2018/1725;
+(3) the processor fails to comply with a binding decision of + a competent court or the competent supervisory authority/ies regarding + its obligations pursuant to these Clauses or to Regulation (EU) 2016/679 + and/or Regulation (EU) 2018/1725.
+(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal + data under these Clauses where, after having informed the controller that its instructions infringe + applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with + the instructions.
+(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all + personal data processed on behalf of the controller and certify to the controller that it has done so, or, + return all the personal data to the controller and delete existing copies unless Union or Member State law + requires storage of the personal data. Until the data is deleted or returned, the processor shall continue + to ensure compliance with these Clauses.
+ ++ Controller(s): [Identity and contact details + of the controller(s), and, where applicable, of the controller’s data + protection officer] +
+The User as specified in the Terms of Use.
+ +Processor(s): + [Identity and contact details of the processor(s) and, + where applicable, of the processor’s data protection officer]
+Wikimedia + Deutschland e. V., Tempelhofer Ufer 23-24, 10369 Berlin
+ ++ For processing by (sub-) processors, also specify subject matter, nature + and duration of the processing +
+ +Technical and organisational measures including technical + and organisational measures to ensure the security of the data
+ ++ You may obtain a copy of our technical and organisational measures on request, + to do so please send an email to: datenschutz@wikimedia.de. +
+ +List of sub-processors
+EXPLANATORY NOTE:
+ +This Annex needs to + be completed in case of specific authorisation of sub-processors (Clause + 7.7(a), Option 1).
+The controller has authorised the use of the + following sub-processors:
+ +1. Name: Google Ireland Ltd.
+Address: Gordon House, Barrow Street, Dublin 4
+ +Contact person’s name, position and contact details: Please contact Wikimedia for the contact + information
+ +Description of the processing (including a clear delimitation of + responsibilities in case several sub-processors are authorised): Hosting + of the Wikibase.cloud service
+2. Name: Mailgun Technologies, Inc
+ +Address: 112 E Pecan St #1135, San Antonio, TX 78205
+Contact person’s name, position and contact details: Please contact Wikimedia for the + contact information
+ +Description of the processing: Email service + provisioning
+(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of
+ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
+ natural persons with regard to the processing of personal data and on the free movement of such data
+ (General Data Protection Regulation)
(b) The Parties:
+(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter + “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), +
+and
+(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or + indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data + importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
+(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
+(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of + these Clauses.
+ ++ (a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective + legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with + respect to data transfers from controllers to processors and/or processors to processors, standard + contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, + except to select the appropriate Module(s) or to add or update information in the Appendix. This does not + prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider + contract and/or to add other clauses or additional safeguards, provided that they do not contradict, + directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. +
++ (b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of + Regulation (EU) 2016/679. +
+ ++ (a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data + exporter and/or data importer, with the following exceptions: +
++ (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; +
++ (ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), + (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); + Module Four: Clause 8.1 (b) and Clause 8.3(b); +
++ (iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e); +
++ (iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f); +
++ (v) Clause 13; +
++ (vi) Clause 15.1(c), (d) and (e); +
++ (vii) Clause 16(e); +
++ (viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. +
++ (b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. +
+ ++ (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the + same meaning as in that Regulation. +
++ (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) + 2016/679. +
++ (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided + for in Regulation (EU) 2016/679. +
+In the event of a contradiction between these Clauses and the + provisions of related agreements between the Parties, existing at the + time these Clauses are agreed or entered into thereafter, these Clauses + shall prevail.
+ +The details of the transfer(s), and in particular the categories of + personal data that are transferred and the purpose(s) for which they are + transferred, are specified in Annex I.B.
+ ++ (a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these + Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and + signing Annex I.A. +
++ (b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to + these Clauses and have the rights and obligations of a data exporter or data importer in accordance with + its designation in Annex I.A. +
++ (c) The acceding entity shall have no rights or obligations arising under these Clauses from the period + prior to becoming a Party. +
+The data exporter warrants that it has used reasonable efforts to + determine that the data importer is able, through the implementation of + appropriate technical and organisational measures, to satisfy its + obligations under these Clauses.
+ ++ (a) The data exporter shall process the personal data only on documented instructions from the data + importer acting as its controller. +
++ (b) The data exporter shall immediately inform the data importer if it is unable to follow those + instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member + State data protection law. +
++ (c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling + its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards + cooperation with competent supervisory authorities. +
++ (d) After the end of the provision of the processing services, the data exporter shall, at the choice of + the data importer, delete all personal data processed on behalf of the data importer and certify to the + data importer that it has done so, or return to the data importer all personal data processed on its + behalf and delete existing copies. +
+
+ (a) The Parties shall implement appropriate technical and organisational measures to ensure the security
+ of the data, including during transmission, and protection against a breach of security leading to
+ accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter
+ “personal data breach”). In assessing the appropriate level of security, they shall take due account of
+ the state of the art, the costs of implementation, the nature of the personal data
+ (b) The data exporter shall assist the data importer in ensuring appropriate security of the data in + accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by + the data exporter under these Clauses, the data exporter shall notify the data importer without undue + delay after becoming aware of it and assist the data importer in addressing the breach. +
++ (c) The data exporter shall ensure that persons authorised to process the personal data have committed + themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. +
++ (a) The Parties shall be able to demonstrate compliance with these Clauses. +
++ (b) The data exporter shall make available to the data importer all information necessary to demonstrate + compliance with its obligations under these Clauses and allow for and contribute to audits. +
+The Parties shall assist each other in responding to enquiries and + requests made by data subjects under the local law applicable to the + data importer or, for data processing by the data exporter in the EU, + under Regulation (EU) 2016/679.
+ ++ (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any + breach of these Clauses. +
++ (b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive + compensation, for any material or non-material damages that the Party causes the data subject by breaching + the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the + data exporter under Regulation (EU) 2016/679. +
++ (c) Where more than one Party is responsible for any damage caused to the data subject as a result of a + breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data + subject is entitled to bring an action in court against any of these Parties. +
++ (d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim + back from the other Party/ies that part of the compensation corresponding to its / their responsibility + for the damage. +
++ (e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own + liability. +
++ (a) The data importer shall promptly inform the data exporter if it is unable to comply with these + Clauses, for whatever reason. +
++ (b) In the event that the data importer is in breach of these Clauses or unable to comply with these + Clauses, the data exporter shall suspend the transfer of personal data to the data importer until + compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). +
++ (c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing + of personal data under these Clauses, where: +
+ ++ (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to + paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any + event within one month of suspension; +
++ (ii) the data importer is in substantial or persistent breach of these Clauses; or +
++ (iii) the data importer fails to comply with a binding decision of a competent court or supervisory + authority regarding its obligations under these Clauses. + In these cases, it shall inform the competent supervisory authority of + such non-compliance. Where the contract involves more than two Parties, + the data exporter may exercise this right to termination only with + respect to the relevant Party, unless the Parties have agreed + otherwise. +
++ (d) Personal data collected by the data exporter in the EU that has been transferred prior to the + termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, + including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. + Until the data is deleted or returned, the data importer shall continue to ensure compliance with these + Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the + transferred personal data, the data importer warrants that it will continue to ensure compliance with + these Clauses and will only process the data to the extent and for as long as required under that local + law. +
++ (e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission + adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of + personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal + framework of the country to which the personal data is transferred. This is without prejudice to other + obligations applying to the processing in question under Regulation (EU) 2016/679. +
+These Clauses shall be governed by the law of a country allowing for + third-party beneficiary rights. The Parties agree that this shall be the + law of Germany (specify country).
+ +Any dispute arising from these Clauses shall be resolved by the + courts of Germany (specify country).
+ +
+
+