Processor Obligations

This section details the obligations Incision has as a processor of data. The processor shall:

  1. process the personal data only as instructed by the controller and on the controller’s behalf;
  2. inform the controller promptly if the processor cannot comply with any instructions from the controller for whatever reasons;
  3. ensure that persons authorized by the processor to process the personal data on behalf of the controller have committed themselves to confidentiality or are under an appropriate obligation of confidentiality and that such persons that have access to the personal data Process such personal data in compliance with the controller’s instructions.
  4. implement the technical and organizational security measures which will meet the requirements of the applicable data protection law before processing of the personal data and ensure to provide sufficient guarantees to the controller on such technical and organizational security measures.
  5. assist the controller by appropriate technical and organizational measures, insofar as this is feasible, for the fulfilment of the controller’s obligation to respond to requests for exercising the Data Subjects rights concerning information, access, rectification and erasure, restriction of processing, notification, data portability, objection and automated decision making; to the extent such feasible technical and organizational measures require changes or amendments to the technical and organizational measures, the processor will advise the controller on the costs to implement such additional or amended technical and organizational measures. Once the controller has confirmed to bear such costs, the processor will implement such additional or amended technical and organizational measures to assist the controller to respond to data subject’s requests.
  6. make available to the controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections conducted by the controller or another auditor mandated by controller. The controller is aware that any in-person on-site audits may significantly disturb the processor’s business operations and may entail high expenditure in terms of cost and time. Hence, the controller may only carry out an in-person on-site audit if the controller reimburses the processor for any costs and expenditures incurred by the controller due to the business operation disturbance.
  7. notify the controller without undue delay:
    1. about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    2. about any complaints and requests received directly from the Data Subjects (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless it has been otherwise authorized to do so;
    3. if, in the processor’s opinion, an instruction infringes the Applicable Data Protection Law; upon providing such notification, the processor shall not be obliged to follow the instruction, unless and until the controller has confirmed or changed it; and
    4. after the processor becomes aware of a personal data breach at the processor. In case of such a personal data breach, the processor upon the controller’s written request will assist the controller with the controller’s obligation under Applicable Data Protection Law to inform the data subjects and the supervisory authorities, as applicable, and to document the personal data Breach.
  8. assist the controller with any Data Protection Impact Assessment as required by Art. 35 of the GDPR that relates to the Services provided by the processor to the controller and the personal data processed by the processor on behalf of the controller.
  9. that, to the extent that the processor is required and requested to correct, erase and/or block personal data processed under this Agreement, the processor will do so without undue delay. If and to the extent that personal data cannot be erased due to statutory retention requirements, the processor shall, in lieu of erasing the relevant personal data, be obliged to restrict the further processing and/or use of personal data, or remove the associated identity from the personal data (hereinafter referred to as “blocking”). If the processor is subject to such a blocking obligation, the processor shall erase the relevant personal data before or on the last day of the calendar year during which the retention term ends.