Data Processing Agreement - GVZH Advocates
- The subject matter of the processing, type of personal data and category of data subject shall be in accordance with the services GVZH has been engaged to provide in terms of this Engagement.
- The obligations and rights of the Client and GVZH are set out in the Letter of Engagement.
- The duration of the processing shall be for the duration of the Engagement.
- When acting as a data processor for the Client, GVZH shall:
  - Subject to the provisions of clause 5 hereof, act only upon the strict instructions of the Client (the data controller) and not process any personal data that may be transferred to it by the Client except as may be necessary for the performance of any service or task provided by GVZH to/for the Client and, in particular, process the said personal data only on documented instructions from the Client, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Maltese law;
  - Ensure that persons authorised to process the personal data (including but not limited to GVZH employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  - Implement appropriate technical and organisational measures to protect any personal data that may be processed on behalf of the Client to ensure a level of security appropriate to the risk relating to its processing of the personal data;
  - Not engage another data processor without prior specific or general written authorisation of the Client. In the case of general written authorisation, GVZH shall inform the Client of any intended changes concerning the addition or replacement of other processors, thereby giving the Client the opportunity to object to such changes. Where GVZH engages another processor for carrying out specific processing activities on behalf of the Client, the same data protection obligations as set out in this clause shall be imposed on that other processor or sub-processor by way of a contract or other legal act under EU or Maltese law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor or sub-processor fails to fulfil its data protection obligations, GVZH shall remain fully liable to the Client for the performance of that other processor or sub-processor’s obligations;
  - To the extent that this is reasonable, provide the Client with assistance and cooperation in attending to Data requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;
  - To the extent required by the Data Protection Laws, assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security obligations, notification of personal data breach to the supervisory authority obligation, communication of a personal data breach to the data subject obligation, data protection impact assessment obligation and prior consultation with the supervisory authority obligation) taking into account the nature of processing and the information available to GVZH;
  - Inform the Client without undue delay, and provide reasonable assistance, as soon as it becomes aware of a personal data breach relating to personal data in GVZH’s possession or control;
  - At the reasonable request of the Client, delete or return all the personal data to the Client at the termination of the Engagement, save to the extent GVZH is legally required to retain any personal data in accordance with applicable law;
  - At all times be permitted to store personal data included in routine backups in accordance with standard GVZH company policy;
  - Make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this clause and in the Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client. In this regard, GVZH shall immediately inform the Client if, in its opinion, an instruction infringes the GDPR or other EU or Maltese data protection provisions; and
  - Take all such measures necessary to ensure that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.
- In addition to any processing carried out in accordance with the Engagement, GVZH may also process personal data as a controller for the purpose of, or in connection with, applicable legal or professional or regulatory requirements, requests from competent authorities and administrative, accounting and client relationship purposes. The provisions of the foregoing clause 4 shall not apply to any personal data processed in accordance with this clause 5, provided that GVZH shall, insofar as this is possible, advise the Client of any request for personal data made by the competent authorities.