The Customer has appointed Omnilinx to
provide services related to the right to use the Software that is developed and
maintained by Omnilinx (the "Services"), pursuant to the
General Terms and Conditions and Services Agreement included in Omnilinx’s
subscription plan. All capitalized terms not defined herein shall have the
meanings set forth in the General Terms and Conditions.
This Schedule forms an integral part of
the General Terms and Conditions and reflects the agreements between the Parties
regarding the processing of Personal Data, including Customer Personal Data, in
accordance with the requirements of the Data Protection Legislation.
In the course of providing the Services
to the Customer pursuant to the General Terms and Conditions, Omnilinx shall
process Personal Data on behalf of the Customer.
The types of Personal Data and
categories of Data Subjects processed by Omnilinx when acting as a Processor
under this Schedule are further specified in Annex 1 hereto.
The following definitions and rules of
interpretation apply in this Schedule.
Controller", "Processor", "Data
Subject", "Processing", "Processing"
and "Processed" have the meanings set out in the Data
Protection Legislation" means Regulation (EU)
2016/679 ("GDPR") and any national legislation; as amended or
replaced from time to time or, in the absence of such laws, all legislation,
regulation and mandatory guidance or binding codes of practice applicable to
the Processing of Personal Data under the Agreement.
Commission Standard Contractual Clauses"
means an agreement setting out the clauses contained in the standard agreement
approved by the European Commission for the transfer of Personal Data outside
the EEA pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June
2021 on standard contractual clauses for the transfer of personal data to third
countries pursuant to Regulation (EU) 2016/679 of the European Parliament and
of the Council (as amended from time to time).
Data" has the meaning set out in the Data
Protection Legislation and refers only to Personal Data, or any part of such
Personal Data, that is:
to Omnilinx by or on behalf of the Customer; and/or
by or created by Omnilinx on behalf of the Customer in the course of providing
for which in each case the Customer is the Data Controller and Omnilinx is the
means a supervisory authority in the relevant jurisdiction with powers under
the Data Protection Legislation in respect of all or any part of the Processing
of Personal Data under the Annex.
Breach" means a breach of security
resulting in the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of or access to Personal Data transmitted, stored or
means any Processor engaged by Omnilinx that Processes Personal Data on behalf
of the Data Controller.
and Organisational Measures" means the
technical and organisational measures considered by the Parties in accordance
with Article 32 of the GDPR.
The Clauses, the Schedule and the
paragraph headings are without prejudice to the interpretation of this
includes a natural person, legal entity or unincorporated body (whether or not
having separate legal personality).
The Annexes are a part of this Schedule
and shall have effect as if fully incorporated herein. Any reference to this
Schedule includes the Annexes.
The term company shall include
any company, corporation or other corporate body, wherever and however formed
Unless the context otherwise requires,
words in the singular shall include the plural and the plural shall include the
singular, and reference to one grammatical gender shall include reference to
the other grammatical genders.
A reference to writing or written
shall include email.
In the event of any conflict or
ambiguity between any of the provisions of this Annex and the provisions of the
General Terms and Conditions, the provisions of this Annex shall prevail.
PROCESSING OF PERSONAL DATA
Roles of the Parties
Parties represent and agree that with respect to the Processing of Personal
Data, Customer is the Data Controller, Omnilinx is the Data Processor and that
Omnilinx has the right to engage Sub-Processors in accordance with the requirements
set forth in Section 4 below.
as a result of Omnilinx’s provision of the Services, either Party considers
that the relationship between the Parties is no longer consistent with the
qualities of the Parties set out in clause 2.1(a) above, it shall notify the
other Party and the Parties shall discuss and take such action as may be
necessary to determine the qualities, roles and relationship between the
Processing of Personal Data by the
instructions to Process Personal Data shall comply with the Data Protection
Legislation and shall not require Omnilinx to take unlawful Processing Actions
in order to comply with such instructions.
shall be solely responsible for the accuracy, quality and legality of the
Customer, as the Data Controller, shall ensure and secure during the Processing
of Personal Data by the Processor the existence of a valid and documented legal
basis for the Processing of the Personal Data entered into by the Customer, its
employees and/or agents, and any person to whom the Customer has granted access
to the Services. The legal basis for processing may be any of the grounds set
out in Art. 6(1) of the GDPR.
Customer represents and warrants that all Personal Data of individuals provided
to Omnilinx has been obtained from such individuals and has been provided by
the Data Controller to the Processor for Processing in a manner consistent with
the requirements of the Data Protection Legislation, including the GDPR, and is
truthful in content.
the extent that Customer, as the Data Controller, determines all aspects of the
Processing of Personal Data, the Parties agree that Omnilinx, as the Data
Processor, has no control over the Personal Data other than to perform storage
activities and obtain access in connection with maintenance of the Software,
and therefore the Data Processor shall not be responsible for compliance with
the legal requirements of the Data Protection Legislation for any other
activities relating to the Personal Data, including no responsibility for the
manner in which the Personal Data is collected. The Processor has no role in
the decision making process of the Controller to Process Personal Data, what
the processing is for and whether it is protected. Accordingly, the Processor’s
responsibility in this case is limited to compliance with the General Terms and
Conditions, but the Processor has no control over and no responsibility for the
Personal Data that the Controller processes.
Processor shall have the right to refuse to comply with an order of the
Controller if, in its opinion, such order breaches the Data Protection
Legislation and the Processor shall notify the Controller in a timely manner.
Customer represents and warrants that:
disclosure of Personal Data is limited to what is necessary for Omnilinx to
provide the Services to Customer;
Personal Data is accurate and current at the time it is provided to Omnilinx,
and Customer will promptly notify Omnilinx of any necessary corrections,
modifications, deletions or restrictions; and
and maintains the lawful grounds for Processing, including that it has obtained
all necessary consents and made all necessary notifications to enable Omnilinx
to lawfully Process the Personal Data for the duration and purposes of
providing the Services.
Processing of Personal Data by Omnilinx
shall Process Personal Data in strict compliance with the requirements of the
Data Protection Legislation only for the purposes of performing the General
Terms and Conditions and providing the Services to the Customer and in
accordance with the Customer’s instructions and to protect the legitimate
interests of the Parties in the event of a default.
will process Personal Data on behalf of and in accordance with Customer’s
written instructions, in each case to the extent permitted by law, and if Omnilinx
is unable to do so, Omnilinx shall promptly notify Customer.
Customer shall instruct Omnilinx to Process Personal Data for the purposes set
out in Annex 1, which may be amended or supplemented from time to time,
provided that the Customer’s instructions do not increase or modify the scope
of the Services.
Customer agrees that it will reimburse Omnilinx for any costs incurred or
payments made as a result of any claim by a Data Subject arising in connection
with Omnilinx’s compliance with Customer’s instructions.
Omnilinx reasonably believes that the instructions provided by Customer in
connection with the Processing are contrary to applicable Data Protection Law,
then Omnilinx will notify Customer and may suspend the Processing of Personal
Data until such time as Customer provides new written instructions to Omnilinx
that do not require it to violate applicable law and Omnilinx will be entitled
the Services so that they can be performed without requiring the relevant
Processing and without materially affecting the overall performance of the
providing the relevant portion of the Services that is dependent on the
Processing, and Omnilinx shall not be liable for any delay or failure to
perform Services that are dependent on such Processing.
warrants to the Customer that the persons within its entity authorized to
Process Personal Data have committed to confidentiality by signing a
confidentiality document or are required by law to maintain confidentiality.
has the right to disclose Personal Data to Sub-Processors engaged as described
in Section 4.
RIGHTS OF DATA SUBJECTS
Correction, Blocking and Erasure
will, to the extent permitted by law, notify Customer upon receipt of a
complaint or request (other than Data Subject Requests described in Section 3.2
or Regulator Inquiries described in Section 6) relating to (a) Customer’s
obligations under Data Protection Legislation; or (b) the Personal Data being
will, for the account of the Customer, comply with any commercially reasonable
written instructions from the Customer to secure any actions required under
section 3.1(a) within agreed timescales and to the extent Omnilinx is legally
entitled to do so.
Requests from Data Subjects
shall, to the extent permitted by law, promptly notify Customer if it receives
a request from a Data Subject to access, correct, amend, restrict or erase that
person’s Personal Data.
will provide Customer with reasonable assistance and support in connection with
the processing of requests from Data Subjects, within the agreed timeframes, to
the extent permitted by law, and to the extent Customer does not have access to
or the ability to correct, amend, restrict or delete such Personal Data.
Customer shall be responsible for all costs arising from Omnilinx’s provision
of such assistance.
Appointment of Sub-processor
represents and agrees that Omnilinx has general permission to engage third
party Sub-Processors in connection with the provision of the Services. Omnilinx
shall provide Customer with a current list of Sub-Processors engaged for the
relevant Services, constituting Annex 2 to the Schedule (the "Sub-Processor
List"). Omnilinx will notify Customer in advance of any planned change
to the Sub-Processor List.
Omnilinx engages a Sub-Processor with whom the same terms cannot reasonably be
imposed or negotiated (for example, but not limited to, where the Sub-Processor
is operating on fixed terms that are not subject to renegotiation), but such
terms are consistent with the obligations for the Sub-Processor under Article
28 of the GDPR, such Sub-Processor’s terms:
apply to the Processing carried out by the Sub-processor;
be deemed to represent the entire set of obligations and responsibilities of
Omnilinx with respect to the relevant Processing as if Omnilinx were performing
that Processing under those Sub-Processor Terms instead of the Sub-Processor;
be deemed by the Customer to have provided adequate safeguards and adequate
protection in relation to the Processing.
Liability of Sub-Processor
The Customer may
(provided that it has reasonable grounds to do so) object to the engagement of
a new Sub-Processor after it has received notice in accordance with section 4.1
above. The Customer will notify Omnilinx in writing, setting out the reasons
for the objection, within 5 Business Days of receipt of the notice. The
Customer’s failure to object in writing within the specified time period will
be deemed approval to use the new Sub-Processor.
In the event that
Customer objects to Omnilinx’s notification in accordance with Section 4.2(a)
above, Customer acknowledges and agrees that failure to use a particular
Sub-Processor may result in delay in performance of the Services, inability to
perform the Services and/or an increase in costs and Omnilinx shall not be
liable for any delay or failure to provide the affected Services. Omnilinx will
notify Customer in writing of any change in Services or costs resulting from
Omnilinx not using a particular Sub-Processor to which Customer has objected.
SECURITY AND BREACH NOTIFICATIONS
Omnilinx takes Technical and
Organizational Measures against accidental or unlawful damage, loss,
alteration, unauthorized disclosure or access. The measures shall include:
measures to ensure the ongoing protection of the confidentiality, integrity,
availability and resilience of Omnilinx’s systems and services; assist in the
timely restoration of access to Personal Data following an incident; perform
regular performance audits/testing. Omnilinx may update or modify the
Technical and Organizational Measures at specified intervals provided that such
operations and modifications will not result in a decrease in the overall
security and safety of the Services.
Omnilinx shall take appropriate steps to
ensure compliance with the Technical and Organizational Measures by its
employees, contractors and Sub-Processors to the extent necessary to perform
their jobs, including ensuring that all persons authorized to process Personal
Data are bound by confidentiality obligations or have a legal obligation to
The Customer has assessed the level of
security appropriate to the Processing in the context of its obligations under
the Data Protection Legislation and agrees that the Technical and
Organisational Measures are consistent with the assessment.
Omnilinx shall, without undue delay,
notify Customer upon becoming aware of a Security Breach and provide Customer
with information regarding such breach.
The Parties agree to coordinate in good faith the development of the
content of any public statements and any required notices relating to affected
Data Subjects and/or the relevant Regulator(s) in connection with a Security
Breach. Customer will make all notifications to Regulator(s) in accordance with
its obligations under the GDPR.
Omnilinx will, at Customer’s expense and
without unreasonable delay, take all reasonable steps to mitigate the effects
of the Security Breach.
Omnilinx will notify Customer in a
timely manner of any lawful request it receives for disclosure of Personal Data
from a Regulator, law enforcement agency or other governmental authority
relating to the Processing of Personal Data, the provision or receipt of the
Services, or either party’s obligations under this Schedule, unless prohibited
by law or by a Regulator.
Unless the Regulator requests in writing
to engage Omnilinx directly, or the Parties (acting reasonably and taking into
account the subject matter of the request) agree that Omnilinx, at the
Customer’s expense, will process the Regulator’s request itself, then the
Customer: (I) will be liable for all communications or correspondence relating
to the Processing of Personal Data and the provision or receipt of the
Services; (ii) will inform Omnilinx of such communications or correspondence to
the extent permitted by law; and (iii) will fairly represent Omnilinx in all
communications or correspondence.
RETURN AND ERASURE OF CUSTOMER DATA
termination or expiration of the Services, or upon written request by Customer,
Omnilinx (at Customer’s option) shall erase or return all Personal Data, unless
necessary to retain it to comply with legal or regulatory obligations. If
Customer elects erasure, Personal Data will be deleted within 30 days of
termination or expiration of the Services. In other cases, Omnilinx will stop
retaining any documents containing Personal Data when it determines that (a)
the purpose for which such Personal Data was collected is no longer served by
retaining the Personal Data; and (b) retention is no longer necessary for any
business purpose or is not required by law. The parties agree that evidence of
erasure of Personal Data shall be provided by Omnilinx to Customer only upon
Customer’s request. The Customer acknowledges and agrees that Omnilinx shall
not be liable for any loss resulting from Omnilinx’s inability to provide the
Services as a result of a erasure request made by the Customer pursuant to this
clause during the term of the General Terms and Conditions.
AUDIT AND COOPERATION
Omnilinx shall permit the Customer (or a
third party appointed by the Customer as auditor) to audit Omnilinx’s
compliance with this Schedule and to provide the Customer with any information
required by the Customer for such audit, provided that, that the Customer gives
Omnilinx reasonable notice of its intention to audit, and that the audit itself
will be conducted during business hours and all reasonable steps will be taken
to prevent interruption and/or disruption to the operations performed by
Omnilinx. Customer will not exercise its audit rights more than once every
twelve (12) calendar months unless and when required by a Regulatory
PERSONAL DATA PROTECTION IMPACT
In the event that Omnilinx considers and
determines that the Processing of Personal Data is likely to result in a high
risk to the rights and freedoms of Data Subjects, it shall inform the Customer
and provide reasonable cooperation to the Customer in connection with any data
protection impact assessment that may be required under the Data Protection
Notwithstanding the foregoing, Omnilinx
shall, at the Customer’s expense, provide the Customer with such assistance and
information as may be reasonably necessary to enable the Customer to comply
with any obligation to carry out a Data Protection Impact Assessment or to
consult a Regulator under the Data Protection Legislation.
TRANSFER OF DATA OUTSIDE THE EEA
Omnilinx will not process, store or
disclose Personal Data outside the European Economic Area ("EEA")
without prior written permission from the Customer. Omnilinx will be deemed to
have permission to transfer Data to a Sub-Processor outside the EEA, provided
that there is a European Commission decision on the adequate level of data
protection or other valid legal mechanism for the transfer (including European
Commission Standard Contractual Clauses), should it be necessary for the
provision of the Services.
Where a transfer takes place outside the
EEA, if the applicable delivery mechanism ceases to be valid, Omnilinx may, at
or procure that the Sub-Processor implements an appropriate alternative data
the Services so that they may be performed without requiring the relevant
transmission, without materially detracting from the overall performance of the
providing the relevant portion of the Services that is dependent on the
Omnilinx will not be liable for any delay or failure to provide Services
dependent on such Processing, except to the extent that it is responsible for
the failure to implement the Non-EEA Transmission Mechanism.
If Personal Data transferred between Customer
and Omnilinx requires the application of the European Commission Standard
Contractual Clauses to ensure compliance with the Data Protection Legislation,
the Parties undertake to complete all necessary details in the European
Commission Standard Contractual Clauses and to perform any other actions
necessary for the validity of the transfer. The Customer shall authorize
Omnilinx to enter into European Commission Standard Contractual Clauses with
Sub-Processors on Customer’s behalf and for Customer’s account where necessary
to justify an authorized transfer of or access to Personal Data outside the
LIABILITY AND INDEMNIFICATION
The parties agree that the provisions of
this Schedule shall not be subject to any limitations and/or exclusions of
liability and other terms and conditions set forth in the General Terms and
Conditions and applicable to the Services.
Nothing in this Schedule shall exclude
or in any way limit the liability of any Party for fraud or for death or
personal injury caused by its negligence or other liability to the extent that
such liability cannot be excluded or limited by law.
Subject to section 11.2, neither Party
shall be liable under this Schedule for any loss of actual or anticipated
income or profit, loss of contracts or for any indirect, consequential or
indirect loss or damage of any kind arising out of and caused by tort
(including negligence), breach of contract or otherwise, whether such loss or
damage is foreseeable, foreseen or known. Omnilinx’s liability with respect to
any breach of this Application shall be the direct losses incurred by the
Customer, but in no event more than the total fees for the Services used
actually paid by the Customer.
Subject to section 11.3. Omnilinx shall
indemnify the Customer against all damages, liabilities, claims, demands,
actions, penalties, fines, costs and expenses (including reasonable legal and
other professional expenses) and sanctions that Customer may incur as a result
of any claim, action, proceeding or proceeding by a Regulator against Customer
directly arising out of Omnilinx’s breach of this Application, except:
Omnilinx has acted in accordance with the Customer’s instructions, this
Schedule, the Data Protection Legislation or other applicable laws; and
the Customer or any third party acting on the Customer’s behalf has breached
this Schedule or applicable Data Protection Legislation.
In the event that a Data Subject suffers
damages from Personal Data unlawfully provided by the Customer, collected by
the Customer without a legal basis or for other reasons at the Customer’s sole
discretion for which Omnilinx’s Processing of Personal Data may be considered a
violation of the Data Subject’s rights, and Omnilinx compensates the Data
Subject for the damages suffered, then the Customer shall owe Omnilinx a
penalty equal to the full amount paid by Omnilinx to the Data Subject.
In the event that Omnilinx is subject to
a fine or other sanction by a competent governmental authority relating to
unlawful Processing of Personal Data done by Omnilinx as a result of unlawful
provision of Personal Data by the Customer, collected by the Customer without lawful
basis or for other reasons at the Customer, then the Customer shall owe
Omnilinx a penalty in the amount of the value of the entire penalty imposed and
paid by Omnilinx and/or in the amount of the value of the damage suffered by
Omnilinx as a result of the other penalty.
In order to claim the damages set forth
in this Schedule, the party making the claim shal:
the other party in writing of its claim, the proceeding, the proceedings or the
Regulator’s action as soon as reasonably practicable;
no liability in connection with the Regulator’s claim, suit, proceeding or
action without the prior written consent of the other party;
the other party to conduct the defense of the Regulator’s claim, suit,
proceeding or action; and
the other party’s expense, reasonably assist and assist in the defense of the
Regulator’s claim, action, proceeding or action.
This Schedule, together with the General
Terms and Conditions to which it is an integral part, constitutes the entire
agreement regarding the Processing of Personal Data between the Parties.
This Schedule and any dispute or claim
arising out of or in connection with it or its subject matter or conclusion
(including non-contractual disputes or claims) shall be governed by and
construed in accordance with the laws of the Republic of Bulgaria.
Each Party irrevocably agrees that the
courts of the Republic of Bulgaria shall have jurisdiction to settle any
dispute or claim arising out of or in connection with this Annex or its subject
matter or conclusion (including non-contractual disputes or claims).
In the event of any inconsistency or
conflict between the provisions of the General Terms and Conditions and the
provisions of this Annex, the latter shall prevail.