Data Processing Agreement

Last Updated : 10 Jan, 2024

Welcome to GeeksforGeeks.

This Agreement is between Sanchhaya Education Pvt. Ltd., registered and headquartered at A-143, Sovereign Corporate Towers, 9th Floor, Sector-136, NOIDA, Gautam Buddha Nagar, Uttar Pradesh,201305, hereinafter referred to as ‘Company’ or GeeksforGeeks (“us”, “we”, or “our”) operates https://www.geeksforgeeks.org/ (hereinafter referred to as “Service”) and you, hereinafter referred to as  “ Data Processor”

Each a “Party” and together the “Parties”.

1. Definitions

a. In this agreement, unless otherwise defined or the context otherwise requires, the following expressions shall have the following meanings:

“Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data.

“Processing”, “Controller” and “Processor” shall have the meaning given to the terms “Processing”, “Controller” and “Processor” respectively in Article 4 of regulation (EU) 2016/679 (the General Data Protection Regulation).

“Personal Data” shall have the meaning given to the term “Personal Data” in Article 4 of regulation (EU) 2016/679 (the General Data Protection Regulation) and means all such Personal Data that is provided to the Processor by the Controller as described in section 3 of this agreement.

“Services” means those services or facilities described in clause 3.2.

b. Words imparting the singular number shall include the plural and vice versa

2. Application

a. This agreement applies to the Processing of Personal Data pursuant to Article 3 of regulation (EU) 2016/679 (the General Data Protection Regulation).

b. This agreement shall continue in force indefinitely, subject to termination in accordance with section 8 or any other provision of this agreement.

c. This agreement is supplemental to any other separate agreement entered into between the parties and introduces further contractual provisions to ensure the protection and security of data passed from the Controller to the Processor for processing.

d. If there is a conflict between this agreement and any other agreement entered into between the parties, then this agreement shall take precedence.

e. Any breach of this agreement shall be deemed a breach of any other agreement entered into between the parties.

3. Subject-Matter of the Processing Agreement

a. By virtue of these, the Processor is authorised to process Personal Data on behalf of the Controller, and for the purpose of this Agreement, the Processor is a Processor of such Personal Data.

b. The Processor shall provide any or all of the following services to the Controller:
Processing user information for advertising purposes. 

c. The Controller may provide the Processor with Personal Data concerning the following categories of data subjects:
Client customer, prospective customers and employee

d. The Controller may provide the Processor with the following types of Personal Data:
First name, last name, email address

4. Obligations of the Processor

a. The Processor shall:

i. Process Personal Data only for the purpose of fulfilling the terms of any contracts between the Controller and the Processor. In no event shall the Processor use any of this Personal Data for its own purposes or for any other purpose other than the specific purpose which the use of such Personal Data has been authorised for by the Controller.

ii. Process Personal Data on the documented instructions of the Controller, including with regards to any transfer of data to third countries or international organisations unless required to do so by Data Protection Law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

iii. Ensure that any person acting under the authority of the Processor, who has access to Personal Data is subject to a duty of confidentiality and that such individual’s process such data in accordance with the Processors instructions only.

iv. At all times, considering the nature of the processing, implement technical and organisational measures appropriate to the level of risk that shall provide:

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
  • Security against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data,
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident,
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

v. Ensure that the security of Personal Data is backed up by robust policies and procedures and reliable, well-trained staff.

vi. Ensure that each of its employees, agents, subcontractors, or any other persons acting under the authority of the Processor are made aware of the Processors obligations and duties under this agreement with regard to the confidentiality, integrity and availability of the Personal Data and shall require that they enter into binding obligations with the Processor in order to maintain the levels of confidentiality, security and protection provided for in this agreement.

vii. Not divulge the Personal Data whether directly or indirectly to any third party without the express documented consent of the Controller.

viii. Not engage another sub-processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the Controller the opportunity to object to such changes.

ix. Ensure where the Processor engages another sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in clause 4 “Obligations of the Processor” shall be imposed on that sub-processor by way of a contract or other legal act under Data Protection Law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Articles 32 and 28 of the General Data Protection Regulation. Where that other sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that other sub-processor’s obligations.

x. Assist the Controller by technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation.

xi. Assist the Controller in ensuring compliance with the Controllers obligations pursuant to Articles 32 through 36 of the General Data Protection Regulation in respect of security of processing, notification of Personal Data breaches to the appropriate supervisory authority, communication of Personal Data breaches to the data subject, Data Protection impact assessments and prior consultation with the appropriate supervisory authority where appropriate.

xii. Immediately and without undue delay notify the Controller if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable and restore such Personal Data at its own expense, or if there is any accidental, unauthorised, or unlawful processing of Personal Data, or of any Personal Data breach.

xiii. Make available to the Controller all information necessary to demonstrate compliance with the Article 28 of the GDPR and the obligations laid down in clause 4 of this agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

xiv. Immediately and without undue delay notify the Controller if in its opinion, it is asked to do something that infringes the General Data Protection Regulations or any other Union or Member State data protection provisions.

xv. Maintain a record of all categories of processing activities carried out on behalf of the Controller that is compliant with Article 30 of the General Data Protection Regulation.

xvi. Where applicable, cooperate with the appropriate supervising authority in the performance of its tasks.

xvii. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services in clause 3.2 relating to the processing and delete existing copies unless Data Protection Law requires storage of the Personal Data.

b. The Processor represents and warrants that it shall comply with the terms of this agreement and all applicable Data Protection Law.

5. Obligations of the Processor

a. The Controller represents and warrants that it shall comply with the terms of this agreement and all applicable Data Protection Law and that it has obtained any and all necessary authorisation to provide the Personal Data to the Processor.

b. The Controller shall implement appropriate technical and organisational measures that shall provide:

i. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,

ii. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,

iii. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

c. The Controller shall take steps to ensure any natural person acting under the authority of the Controller who has access to the Personal Data only processes the Personal Data on documented instructions of the Data Controller.

d. The Controller may provide the Processor with the Personal Data to which clause 3 of this agreement refers.

6. Personal Data Transfers

a. The Controller hereby authorises the Processor to make the following transfers of the personal data:

i. The Processor may transfer the Personal Data internally to its own members of staff, offices, and facilities

ii. The Processor may transfer the Personal Data to its sub-processors provided that such transfers are for the purposes of providing the services.

iii. The Processor may transfer the Personal Data to third countries or international organisations acting as sub-processors provided that such transfers comply with chapter 5 of the General Data Protection Regulation.

7. Liability

a. Both parties share joint and several liabilities for compensating individuals who suffer damages due to unauthorized or incorrect data processing within the scope of their contractual relationship.

b. Both parties agree that they will assume liability for any breaches of this DPA (data processing agreement) resulting from the actions, oversights, or negligence of its Sub-processors to the same degree, that you will be responsible for if it were directly providing the services of each Sub-processor as outlined in the DPA. This liability is subject to any restrictions set forth in the Terms of Service Agreement.

c. The parties also state that they shall be accountable for any breaches of this DPA (data processing agreement) that arise from the actions, omissions, or negligence of its Subsidiaries, as though these actions, omissions, or negligence were committed by us itself.

d. You are obligated to demonstrate that any damage is not the result of a circumstance for which it is accountable, as long as it has processed the relevant data in accordance with the terms of this agreement.

8. Termination

Contractual Penalty

a. In the event of a culpable breach of its obligations in terms of this Agreement, you incur a contractual penalty commensurate with the breach. In the case of ongoing infringements, each calendar month in which the infringement occurs in whole or in part shall be deemed an individual incident. The plea of continuation is excluded.

b. It is at our discretion to determine the amount of the contractual penalty.

c. The contractual penalty shall become due when we determine the amount, and if it is deemed reasonable

d. The contractual penalty has no influence on other claims.

9. Special Termination Right

a. We may terminate the Main Contract and this Agreement at any time without notice, if you have committed a serious breach of data protection regulations or the provisions of this Agreement, are unable or unwilling to carry out a lawful instruction from us or deny our rights of control in breach of the Agreement.

b. You shall reimburse us for all costs incurred by the latter as a result of the premature termination of this Agreement through extraordinary termination by us.

10. Miscellaneous

a. Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the respective other party, acquired within the bounds of the contractual relationship beyond the termination of the Agreement as well. If there are doubts as to whether information is subject to confidentiality, it shall be treated as confidential until it is released by the other party in writing.

b. Collateral contracts must be in writing and must make express reference to this Agreement.

c. The defence of the right of retention in the sense of § 273 of the BGB is excluded in regards to the data to be processed and the associated data carriers.

11. Assignment

a. This agreement shall not be transferred or assigned by either party except with the prior written consent of the other.

12. Assignment

a. This agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by and construed in accordance with the law of EU, UK and any dispute, proceedings or claim between the parties relating to this agreement shall submit to the exclusive jurisdiction of those courts. 


Share your thoughts in the comments

Similar Reads