Data Processing Annex
Data Processing Annex
Last Updated August 2018
DATA PROCESSING ANNEX
1. General. This Data Processing Annex (“DPA”) is hereby incorporated as an attachment to the Agreement and is subject to all the terms and conditions of the Agreement. Capitalized terms not expressly defined here have the same meanings as in the Agreement.
a. “Personal Data” as used in this DPA, means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b. “Data Protection Laws” as used in this DPA, means the General Data Protection Regulation - Regulation (EU) 2016/679.
3. Obligations. The following obligations apply to the extent the processing of Personal Data contemplated in the Agreement is subject or otherwise covered by the Data Protection Laws:
a. Customer will provide Personal Data to Altisource, or instruct Altisource to collect or generate Personal Data, only to the extent permitted by, and in compliance with, the Agreement. To the extent the services provided by Altisource under the Agreement (the “Services”) involve processing of Personal Data under relevant Data Protection Laws, then the parties agree that: (i) Customer is the data controller; and (ii) Altisource is the data processor and will comply in all material respects with its obligations as a data processor under the Data Protection Laws. Customer notes that, in certain instances, Altisource will act as an independent controller, in particular for Services with specific local licensing requirements (the “Recipients”), the DPA will not apply to these situations.
b. Customer hereby instructs Altisource to collect and process the Personal Data in accordance with the Agreement or the instructions provided by Customer. Altisource will process the Personal Data only: (i) in accordance with the terms of the Agreement or such instructions; (ii) as needed to provide the Services; or (iii)
as needed to comply with applicable law. Customer represents and warrants that it is authorized to enter into the Agreement and give its instructions to Altisource under the Data Protection Laws.
c. Altisource has implemented and will maintain appropriate technical and organizational security measures to protect Personal Data against: (i) unauthorized or unlawful processing; (ii) accidental or unlawful destruction; (iii) accidental loss or alteration; and (iv) unauthorized disclosure or access. Customer was offered information on the security measures used by Altisource.
d. Altisource employees or representatives with access to the Personal Data will be subject to statutory or contractual obligations to protect, and keep confidential, such Personal Data.
e. Customer authorizes Altisource to: (i) commission the delivery of the Services, including the processing of Personal Data to its affiliates and/or third-party contractors (“Subprocessors”), (ii) revoke or appoint new Subprocessors; and (iii) transfer Personal Data to the United States and to other countries where
Subprocessors or Recipients are established, including the United States. Customer also authorizes Altisource to transfer Personal Data based on Customer’s instructions or as necessary to deliver the Services. Altisource will secure such transfers through contractual data transfer instruments aligned on model clauses validated by the European Commission or by other lawful means, Customer (i) may be a beneficiary to such instruments; and (ii) authorizes Altisource to enter into such data transfer instruments with Subprocessors. Altisource has made available a list of Subprocessors to Customer, Customer understands that this list is subject to change.
f. Upon termination or expiration of the Agreement, at the Customer’s written request, Altisource will delete or return the Personal Data to the Customer. Notwithstanding the foregoing, Customer hereby authorizes Altisource to retain back-up copies of Personal Data for Altisource’s archival, back-up and compliance purposes.
g. Altisource will provide Customer with reasonable access to its documentation in the event of an audit required by a government regulator, to the extent the audit is required for compliance with the Data Protection Laws. Additionally, Customer may exercise its audit rights under applicable Data Protection Laws. The parties will mutually agree on the timing and scope of these audits, which will be: (i) carried out in such a way as to mitigate any disruption to Altisource’s business and (ii) performed at Customer's sole expense.