This Data Processing Agreement (“DPA“) forms part of the Terms of Service between you (“Customer”) and MOCA System Inc. (“MOCA”). This Agreement applies only to the extent to which Personal data are processed during your access to the Services, which depends solely on how you as a Controller set up the Service.
For the purpose of this DPA, the following terms shall have the meanings set out below. Any capitalized term used but not defined in this DPA has the meaning provided to it in the Agreement.
1.1 “Applicable Laws” means any applicable laws and regulations to a given situation, regardless of the jurisdiction or subject of the law or regulation;
1.2 “Customer Data” means any data uploaded or provided by the Customer. MOCA may process Customer Data in order to provide the Services.
1.3 “Data Protection Laws" means all laws and regulations, including the GDPR, applicable to the Processing of Personal Data under the Agreement;
1.4 “Deletion” shall mean to remove or obliterate Personal Data such that it cannot be recovered orreconstructed, and therefore, excludes encryption and similar techniques.
1.5 “EU Applicable Laws" means any applicable laws and regulations to a given situation, to the extent that these are recognized in the European Union;
1.6 “GDPR” means Regulation (EU)2016/679 ("EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018;
1.7 “Personal Data” means any information relating to an identified or identifiable natural person and includes similarly defined terms in Applicable Data Protection Laws;
1.8 “Process” or “Processing” means any operation or set of operations that are performed upon Personal Dataor on sets of Personal Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation oralteration, retrieval, consultation, use, disclose by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.9 “Data Subject”, “MemberState”, “Controller”, “Processor”, “Supervisory Authority”, “Recipients” and “Personal Data Breach” shall have the meaning set forth in the GDPR;
1.10 “Restricted Transfer" means (i) a transfer of Personal Data from MOCA to a Subprocessor, or another establishment of MOCA; (ii) an onward transfer of Personal Data from a Subprocessor to another Subprocessor oranother establishment, in each case, where such transfers would be prohibited by Data Protection Laws, such as in the absence of a proper mechanism pursuant to Art. 44 and seq. GDPR. For avoidance of doubt and without limitation to thegenerality of the foregoing, the Parties to this DPA intend that transfers of Personal Data to or from the United Kingdom, following any exit by the United Kingdom from the European Union, shall be considered Restricted Transfers, unless and until an Adequacy Decision or another agreement of the sort has beenestablished.
1.11 "Subprocessor” means any legal or natural person appointed pursuant to Section 7 to Process Personal Data.
2.1 Purpose and scope.
MOCA shall provide Services to the Company in accordance with the Terms of Services. In providing the Services, MOCA shall process the Customer Data on behalf of the Customer. CustomerData may include personal data. Therefore, the Customer shall be:
i. Data Controller with respect to the Customer Data; or
ii. Data Processor, where the Customer processes personal data on behalf of a third party. For the purposes of this DPA and Terms of Services, MOCA is a Data Processor. The Data Processor will process and protect such Personal Data inaccordance with the terms of this DPA and Terms of Service.
iii. This Addendum applies with respect to any Personal Data of which Company is the Controller or Processor within the scope of the Data Protection Law and MOCA is Processor or sub-Processor for Company as the case may be (the"Data").
2.2 Types of Personal Data.
MOCA shall process Personal Data of such categories of data subjects that the Customer uploads or submits when using the Services. This may include, but is not limited to, name, surname, organization, position, personal code, phone number etc. Depending on the nature and contents of the Customer Dataprovided by the Customer, it may vary in every case.
2.3 Duration of the Processing.
MOCA shall process the Customer Data fromthe moment the Customer uploads or submits it when using the Services until theearlier of
i. removal thereof by the Customer,
ii. expiry/terminationof the Agreement, or
iii. the date upon which processing is no longer necessary for the purposes of either Party performing its obligations under the Agreement (to the extent applicable).
3.1 MOCA shall process Personal Data only according to the documented instructions ofthe Customer, unless processing is required by applicable Data Protection Laws,in which case, to the extent permitted by applicable Data Protection Laws, MOCAshall inform the Customer of such legal requirements before processing. MOCA shall comply with all applicable Data Protection Laws in processing of PersonalData.
3.2 The Customer shall ensure that appropriate legal basis for processing of Customer Data by MOCA exists.
3.3 The Customer instructs MOCA to process Personal Data as required to perform its obligations under the Service Terms, and follow all information security, confidential and privacy requirements as required under this DPA. Additional Customer instructions outside the scope of the Documented Instructions require prior written agreement between the Parties.
3.4 MOCA shall immediately inform the Customer if the Customer’s instructions are in conflict with the GDPR or other applicable Data Protection Laws. This clause does not in any way impose MOCA with the duty to monitor Customer Data and/or to take any additional steps and/or to acquire additional information toevaluate the lawfulness of the Customer’s instructions.
4.1 Customer acknowledges and agrees that, in connection with the performance of the services under the Agreement, Personal Data will be transferred to a sub-processor located in the Republic of Korea, the European Commission-approved country providing ‘adequate’ data protection.
4.2 To the extent Data Transfer result in transfers of UK Personal Data, either directly or via onward transfer, Standard Contractual Clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs") at Exhibit1 will also apply.
5.1 MOCA shall take reasonable steps to ensure the reliability of any employee, agent, Subprocessor or any third party who may have access to the Personal Data, ensuring in each case that access is limited to those individuals who need to know / access the relevant the Personal Data, as necessary for the purposes of the Agreement. All such individuals must be subject to confidentiality undertakings or professional or statutory obligations of confidentiality which must survive to the term of their employment, mandate or engagement with MOCA.
5.2 According to this Agreement, each Party shall retain any information received regarding this Agreement and the other Party ("Confidential Information"), and shall not disclose the Confidential Information without the prior written consent of the other Party, except for in the following circumstances:
(a) When it is required by law
(b) When any relevant information is already disclosed
6.1 MOCA shallimplement appropriate technical and organizational measures to protect theCustomer Data. MOCA shall select technical and organizational measures takinginto account the state of the art, the costs of implementation and the nature,scope, context and purposes of Processing as well as the risk of varyinglikelihood and severity for the rights and freedoms of natural persons.
6.2 MOCA hasimplemented and certified by accredited auditor information security managementsystem according to international security standard. The information securitymanagement system provides for a number of security measures, including, butnot limited to:
(i) pseudonymisation and encryption of personal data;
(ii) measures to ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and services;
(iii) measures to ensure the timely restoration of availability andaccess to personal data in the event of a physical or technical event;
(iv) measures to protect access (including remote access) to personal data;
(v) measures for the physical security of the facilities where personal data is processed and retained; The effectiveness of these security measures is evaluated at least annually.
6.3 MOCA may update the technical and organizational measures from time to time provided that any such updates and modifications do not reduce the overall level of protection afforded to Customer Data by MOCA under this DPA.
7.1 Customer grants MOCA general authorization to engage Subprocessor specified below. Forthe avoidance of doubt, the foregoing authorization constitutes Customer’s prior written consent to the subprocessing for purposes of Clause 11 of the Standard Contractual Clauses, Exhibit 1.
7.2 MOCA will inform Customer in advance of any proposed additions or replacements to the Subprocessors it uses to Process Customer Personal Data, including any information reasonably necessary to enable Customer to assess the Subprocessor (“Subprocessor Notice”) and exercise its right to object, stating reasonable grounds in writing within fourteen (14) days of receipt of the "Subprocessor Notice".
7.3 Prior to allowing a subprocessor to process the Personal Data, MOCA will conclude a data processing agreement with the Subprocessor which corresponds to the requirementsof Art. 28 GDPR and contains terms and conditions similar to those set forth in this DPA.
7.4 Unless required or approved by the Client, MOCA shall not appoint any sub-processor (or disclose any personal data of the Company).
8.1 Data Subject Rights. Upon Customer’s request, MOCA will provide reasonable additional and timely assistance to assist Customer in complying with its data protection obligations with respect to Data Subject rights under Applicable DataProtection Law. If MOCA receives a request from a Data Subject in relation to the Processing of Customer Personal Data here under, MOCA will promptly notify Customer and will not respond to such request itself but instead ask the Data Subject to redirect its request to Customer.
8.2 Impact Assessments and Consultations. Upon Customer’s request, MOCA will provide reasonable cooperation to Customer in connection with any data protection impact assessment or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
8.3 Third Party Requests. If MOCA receives a request to retain, disclose or otherwise Process Customer Personal Data from a third party, including law enforcement or a government entity (“Third Party Request”), then MOCA, where possible, will refer the Third Party Request to Customer. If MOCA cannot redirect the ThirdParty Request to Customer, MOCA will, to the extent legally permitted, use reasonable efforts to notify Customer prior toresponding to the Third Party Request so that Customer may seek appropriatelegal remedies.
8.4 Without limiting the generality of the Sections 8.1 through 8.3, each Party shall make commercially reasonable efforts to support the other Party’s efforts to comply with Data Protection Laws, including answering promptly and diligently anyrequests for information.
9.1 After becoming aware of any Data Breach, MOCA will take reasonable measures to mitigate the harmful effects of the Data Breach and prevent further unauthorized access or disclosure.
9.2 MOCA will notify Customer without undue delay and provide reasonable information inits possession to assist Customer to meet Customer’s obligations to report a Data Breach as required under Applicable Data Protection Law. The notificationswill include the following:
(i) a description of the nature of the Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
(ii) a description of the likely consequences of the Personal Data Breach;
(iii) a description of the measures taken or proposed to be taken by MOCA to address the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects.
9.3 MOCA may provide such information in phases as it becomes available. MOCA’s notification of or response to a Data Breach under this Section 9 will not beconstrued as an acknowledgement by MOCA of any fault or liability with respect to the Data Breach.
10.1 This DPA shall come into force upon the entry into force of the Terms of Service and shall be valid for as long as the latter remains in force.
10.2 Upon termination or expiry of the DPA or completion of the Service, other than tothe extent required to comply with applicable law, MOCA will delete all Personal Data (including copies thereof) processed pursuant to this DPA.
10.3 MOCA shall delete the Client's data and provide the Client with the deletion records within 10 business days after the date MOCA stops data-processing services for the Client.
11.1 MOCA shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits conducted by the Customer or another auditor mandated bythe Customer as set forth in this Section 11.
11.2 The Customer shall give a reasonable notice of at least thirty (30) days prior to proceed with an audit. The Customer will ensure that such audit is only carried out to the extent necessary so as not to inappropriately disturb MOCA’s operations.
11.3 MOCA shall be obliged to provide information to the Customer to the extent necessary for auditing pursuant to Section 11.1.
11.4 The audit pursuant to Section 11.1 shall be conducted no more than once every calendar year, except for any additional audits which:
(i) Customer reasonably considers necessary due to genuine concerns as to MOCA’s compliancewith this DPA and any documented instructions regarding the Processing of Personal Data;
(ii) Customeris required to carry out by Supervisory Authority or Applicable Laws;
(iii) Customer decides to conduct after an audit performed pursuant to paragraph 11.1 revealedsome concerns.
11.5 Audits pursuant to this section shall be conducted at the Client’s expense.
11.6 Notwithstanding, this Section 11 does not entitle Customer to perform a physical audit of any MOCA facilities or and/or sub-processor.
12.1 The Customer, at its own discretion and responsibility, shall determine the categories of the data subjects (including, but not limited to, employees,contractors, business partners, service providers) whose personal data and thecategories of personal data to be provided to MOCA and shall provide to MOCA only personal data necessary for proper provision of the Services by MOCA.
12.2 The Customer represents and warrants that it has obtained and shall retain during the entire validity period of the Terms of Service all necessary permissionsand authorizations required for the provision of the Customer Data to MOCA and engage MOCA for the processing of personal data under the Terms of Service and this Data Processing Agreement.
12.3 The Customer shall maintain technical and organizational security measures sufficient to comply at least with the obligations imposed on a Controller by Data Protection Law.
12.4 If the Client uses the service to register and manage their personal information, the policies of the Client or the Client's company may be applied, and the Client has complete authority over the processing of their personal information. MOCA shall not use any personal information registered by the Client and shall not be responsible for protecting any personal information that MOCA is unable to control.
13.1 Governing Law. To the extent required by Applicable Data Protection Law, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Terms of Service.
13.2 Liability and Indemnity. Nothing in this DPA shall be interpreted as relieving the Customer ofits own direct responsibilities and liabilities under Data Protection Laws.