This Data Processing Agreement (“DPA”) reflects the agreement concerning protection of personal data on behalf of you (the “Data Controller” or “DC”, “Company” or “you”) in connection with the GoodVision Services under the Terms of Services between you and us, GoodVision (the “Data Processor” or “DP”, “GoodVision” or “us”). For the purpose of this DPA, you and us together shall hereinafter be referred to as the “Parties”.
This DPA is supplemental to, and forms an integral part of the Terms of Services. This DPA is effective as of its acceptance. In case of any conflict between this DPA and Terms of Service, the provisions of this DPA shall take precedence over the provisions of the Terms of Services to the extent of such conflict.
1 GENERAL PROVISIONS
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services in accordance with Terms of Service, which imply the processing of personal data, to the Data Processor.
(C) The Company accepted and is bound by the Terms of Services, which are a contract that governs the Company’s use of GoodVision’s services. Insofar as the services to be provided by GoodVision as Data Processor (“DP”) include or require the processing of personal data, such data shall be processed exclusively on the basis of this DPA pursuant to Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”). It applies to all activities and services in which employees of the DP or third parties commissioned by the DP may come into contact with personal data of the Company as Data Controller (“DC”).
2 DEFINITIONS
2.1 Personal data means any information concerning the personal or material circumstances of an identified or identifiable individual, pursuant to Art. 4 No. 1 GDPR.
2.2 Processing means any (set of) operations pursuant to Art. 4 No. 2 GDPR.
2.3 Instruction is any directive made by the DC to the DP concerning the processing of personal data. The DC may issue changes or amendments to existing instructions (e.g. from this DPA) or even completely replace individual instructions on a case by case basis.
2.4 Terms of Services means GoodVision’s Terms of Service at https://goodvisionlive.com/terms-of-service/ by acceptance of which the contractual relationship between you and us is established.
3 SUBJECT-MATTER OF THE PROCESSING ACTIVITIES
3.1 This DPA governs the rights and obligations of the Parties regarding the processing of personal data by the DP on behalf of the DC within the meaning of Art. 28 GDPR.
3.2 The subject-matter of the processing activities is described in the Terms of Services this DPA is part of.
3.3 The DP will use the personal data provided for no other purposes than instructed by the DC, especially not for DP’s own purposes.
3.4 The DC is the responsible party within the meaning of Art. 4 No. 7 GDPR. The DC decides on the means and goals of the processing activities.
3.5 The DP will process all personal data in accordance with the DC’s instructions and with due regard to the general data protection provisions. The DP will especially commit himself to:
- the technical and organizational measures (Section 5)
- protection of all data subject rights (Section 6)
- additional data protection obligations (Section 7)
- provisions for sub-processing (subcontracting) (Section 8)
- the DC’s right to conduct compliance audits (Section 9)
- duty to report (Section 10)
- the DC’s right to issue instructions (Section 11)
- restitution and deletion of personal data (Section 12)
3.6 This DPA stays effective for the contractual period of the validity of Terms of Services between the Parties, provided that no further obligations arise from the provisions of this Agreement.
3.7 Even upon termination of all contractual obligations between the Parties, this DPA stays effective until completely fulfilled by both Parties as far as personal data is concerned.
3.8 Either Party may terminate this DPA for a justified reason without notice. Such a justified reason may be present in particular but not exclusively,
- if the DP grossly violates general data protection provisions or his obligations as set forth in this DPA, or
- if the DP disobeys instructions issued by the DC, or
- if the DP denies the DC, his representative or his data protection officer access to the relevant processing facilities or otherwise denies or unduly hinders the DC’s rights to audit the data protection compliance of the DP.
3.9 This DPA takes precedence if it conflicts with data protection related provisions of any other agreement unless the Parties mutually agree to explicitly deviate from this principle.
4 DATA SUBJECT, SCOPE, DATA CATEGORIES AND PURPOSE OF THE PROCESSING ACTIVITIES
4.1 Manner or type of processing (Art. 4 No. 2 GDPR):
- Collection and storage of video and Company identification data
- Collection of usage data, if necessary
- Analysis of video data
- Collection and use of Google user data. Use of Google user data is limited to the practices disclosed in this data processing agreement (Privacy Policy)
4.2 Data categories (Art. 4 No. 1, 13, 14 and 15 GDPR):
- Video data. When you upload your video files or camera streams into GoodVision Services, we automatically process the video content and perform anonymous video analytics. We store your video files if you select so. You can use GoodVision services without storing any video content.
- User and Company data (e.g. phone, address or email). When you interact with us via our websites, we may collect Personal Data and other information from you. We collect Personal Data from you when you submit web forms or interact with our websites, for example subscribing to a GoodVision blog or newsletter, signing up for a webinar, or requesting customer support. We may ask for your email address, first and last name, job title, and other similar business information. You are free to explore some of our websites without providing any Personal Data about yourself. When you register as inbound, we collect information such as name, address, phone number, and email address. We use this information to communicate with you and in some cases facilitate your registration.
- Traffic object trajectories data. From your video our algorithms extract traffic object trajectory data, namely space coordinates and timestamps, traffic object colors. We use this data for your analyses in the GoodVision Services.
- Usage data. We collect usage data when you or your users in your GoodVision account interact with GoodVision Services. We engage third-party providers to collect usage data, and we only share data with these providers in an unidentified manner. Usage data includes metrics and information regarding your use and interaction with the GoodVision Services such as what product features you use the most, and how often certain features are triggered in your account.
- Customer testimonials. We post customer testimonials and comments on our websites, which may contain Personal Data. We obtain each customer’s consent via email or through other agreements between customers and GoodVision prior to posting the customer’s name and testimonial.
- Billing data (billing address). We collect payment and billing information when you register for paid products or services. For example, we may ask you to provide a billing address, or a billing contact for your GoodVision account. If you give us payment information, we use it solely as authorized by you in accordance with this Privacy Policy. You may also provide payment information, such as a credit card number, when purchasing products or services. We use secure third-party payment service providers to manage payment processing, which is collected through a secure payment process as listed in 4.3. of the Terms of Service.
- Third party integration: Google. If you choose to integrate Google Drive with GoodVision, you will be asked to give us read-only access to information from your Google account. As part of connecting your Google Drive, GoodVision Services will be able to: see your files, download your files, and store file contents and titles. GoodVision uses these permissions to power the features of our automatic video processing tools, allowing you to upload and store your video files in Drive and then upload them directly to GoodVision for video processing.
5 TECHNICAL AND ORGANISATIONAL MEASURES
5.1 In accordance with Art. 28 Sec. 1 & 5 GDPR the DP will provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
5.2 The DP will take appropriate technical and organizational measures that satisfy the statutory provisions set forth in Art. 32 GDPR to ensure an appropriate level of protection in regard to the underlying risks. The DP will support the DC with his obligations set forth in Art. 32 GDPR. The DP will contribute to the creation of data protection impact assessments (Art. 35 GDPR) in accordance with Art. 28 Sec. 3 f) GDPR as well as to the prior consultation of the supervisory authority as set forth in Art. 36 GDPR. Upon request the DP shall hand all data, information and documentation required to the DC. In pursuance of Art. 30 Sec. 2 GDPR the DP will compile records of all processing activities and hand those records to the DC unprompted.
5.3 If the DP is providing his services on the DC’s premises or via remote access the obligations of this Section 5 only apply to him as far as they are within his scope of responsibility.
5.4 All technical and organizational measures are subject to ongoing development and advancements. If statutory or contractual provisions require the amendment to the measures described in Attachment 1 the DP will conduct such changes without undue delay at his own expenses.
5.5 Should the Parties fail to agree on the technical and organizational measures to be taken or the suitability of such, the DC may terminate all agreements and contracts between both Parties which concern the processing of personal data at a term of 14 days to the end of the month. In further consequence either Party may terminate any remaining agreements between the Parties if adherence would place undue hardship on one of them.
6 RIGHTS OF THE DATA SUBJECT AND CAUSE OF ACTION
6.1 The DP has been instructed to notify the DC without undue delay if a data subject exercises their rights in pursuance of Art. 15 – 21 GDPR. Likewise, the DP will notify the DC without undue delay if legal action is taken against him within the meaning of Art. 82 GDPR.
6.2 The DP shall only react to such inquiries of data subjects as instructed by the DC.
6.3 The provisions of 6.1 and 6.2 apply accordingly for inquiries from or audits by the supervisory authorities, as far as personal data of the DC is at least remotely affected by such action.
6.4 The DP ensures that blocking of personal data as well as restrictions on processing activities will be upheld in conformity with the law.
7 ADDITIONAL DATA PROTECTION OBLIGATIONS OF THE DP
7.1 Data Secrecy (Confidentiality): Persons employed in data processing shall not collect, process or use personal data without authorization. The DP will place every person employed for processing personal data under the obligation of data secrecy within the meaning of Art. 28 Sec. 3 S. 2 lit. b GDPR. This committal must be conducted in a suitable and verifiable way. The obligation to data secrecy must persist indefinitely even after termination of the employment. If additional secrecy obligations must be upheld in connection with the processing activities (e.g. secrecy of telecommunications), the DP will place the persons employed under such obligations in the same way.
The DP will carefully choose the people employed for processing data and ensure that all processing activities are conducted compliantly with the statutory provisions. The DP will especially ensure that personal data handed to him won’t be forwarded to unauthorized third parties and won’t be used for different purposes than instructed by the DC (Art. 29 GDPR).
Upon notice by the DC the DP will provide a current and complete list of all employees under the obligation of data secrecy within five days (First and Last names as well as a verifiable record of the actual responsibility).
7.2 The DP will assist the DC in compiling and updating records of processing activities that fall in his area of responsibility. This only includes processing activities that are conducted by the DP for the DC.
7.3 By taking appropriate technical and organizational measures the DP will assist the DC in protecting the data subjects’ rights (Chapter 3 GDPR) in pursuance of Art. 28 Sec. 3 lit. e GDPR.
8 SUBCONTRACTORS AND SUBPROCESSING
DP shall not appoint (or disclose any Company Personal Data to) any Subprocessor other than the Subprocessors listed in 4.3. of the Terms of Service, unless required or authorized by the Company.
9 THE DC’S RIGHT TO CONDUCT COMPLIANCE AUDITS
9.1 The DC, his representative or the data protection officer of the DC shall have the right to audit the DP’s compliance with all obligations and instructions on his premises, provided that written notice is given at least fourteen (14) days before any such audit is conducted.
9.2 The DC’s audit rights especially include the right to review all technical and organizational measures in advance of any data processing activities of the DP, as well as additional audits thenceforward.
9.3 The DP shall tolerate such audits and cooperate, if necessary, by providing access to data processing facilities and documentation as well as providing relevant information.
9.4 The audit results shall be documented and signed by the Parties or their representatives.
10 NOTIFICATION DUTIES OF THE DP
10.1 The DP shall notify the DC without undue delay of any requests by data subjects or the supervisory authorities in relation to the subject-matter, especially in any case of section 6.1.
10.2 The DP shall notify the DC without undue delay in case of data loss, service interruptions, (possible) data protection violations or any other irregularities in connection with the processing of personal data.
The DP acknowledges that the DC is obliged to report such incidents within 72 hours to the data protection authority and in certain cases to the data subject (Art. 33 GDPR). The DP shall support the DC in complying with his obligation to notify should any such incident occur. The DP’s notice to the DC will at least include the following:
- A description of the incident and the affected data categories as well as an estimate on the data subjects and data records affected.
- Name and contact information of a contact person at the DP.
- A description of the likely consequences of the incident.
- A description of the already conducted measures to remedy or mitigate the incident.
10.3 Notifications in pursuance of sections 10.1 and 10.2 shall be delivered without undue delay but not later than 24 hours in text format (e.g. letter post, telefax or email).
11 DC’S RIGHT TO ISSUE INSTRUCTIONS & INDEMNIFICATION
11.1 The DP shall process personal data in accordance with this DPA and the instructions of the DC.
11.2 The DC may issue further instructions orally, by phone, post mail, telefax or email. Instructions received in a form other than writing shall be documented by the DP.
11.3 The DC’s management as well as the appointed contact persons are authorized to give instructions to the DP.
11.4 The DP shall notify the DC in writing without undue delay if he comes to the conclusion that the DC’s instructions violate one or more provisions of GDPR or any other law relevant to data protection. The DP has the right to postpone the execution of any such instruction until the DC has confirmed the compliance of his instruction with the relevant data protection provisions.
11.5 If the DP’s negligence of duty results in recoverable claims, the DP will indemnify the DC of any such claims. In addition, the DP will cover the costs of legal defense for the DC.
12 RESTITUTION AND DELETION OF PERSONAL DATA
12.1 As long as no different instructions are given the DP will hand back any documents and data storage devices to the DC after termination of this DPA or the underlying Terms of Services.
12.2 Furthermore, the DP will delete or otherwise destroy any personal data given to or gathered for the DC after termination of this DPA or the underlying Terms of Services. Alternatively, the DP may hand back or out the personal data to the DC.
12.3 Upon request by the DC the DP will confirm in writing the deletion or destruction or return of all personal data.
12.4 Documentation that is proof of the proper data processing activities of the DP shall be retained by the DP for at least three years after their respective validity period. The DP may hand out such documentation to the DC for his own relief.
12.5 The duty of deletion or destruction may apply with reservation to all statutory retention obligations.
13 LIABILITIES AND DAMAGES
13.1 DC shall indemnify and keep indemnified and defend at its expense DP against all costs, claims, damages or expenses incurred by the DP or for which the DP may become liable due to any failure by the DC or its employees or agents to comply with the obligations under this DPA.
13.2 DP shall indemnify and keep indemnified and defend at its expense DC against all costs, claims, damages or expenses incurred by the DC or for which the DC may become liable due to any failure by the DP or its employees or agents to comply with the obligations under this DPA.
13.3 Notwithstanding the liability set out in sections 13.1 and 13.2, neither Party shall be liable for any indirect or consequential damages of the other Party, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims.
13.4 No limitation of liability shall apply in case of gross negligence or willful intent.
13.5 In case a supervisory authority finds an infringement of GDPR, the Party liable for that infringement shall pay the fines, penalties and damages imposed by the supervisory authority.
14 GOVERNING LAW AND JURISDICTION
14.1 This DPA is subject to the provisions of United Kingdom law.
14.2 Disputes regarding the interpretation and application of this DPA shall be resolved by a United Kingdom common court in London, UK.
15 FINAL PROVISIONS
15.1 Should the DP’s property be subject to an attachment of claim by a third party the DP will immediately notify the DC of such imminent action. Personal data the DC is liable for is excluded from all rights of retention.
15.2 Accessory agreements must be mutually agreed on in written form. This also applies to requirements of the written form. Additional instructions on the commissioned processing may be issued in electronic form (Art. 28 Sec. 9 GDPR).
15.3 This DPA may be updated from time to time.
15.4 In case of any contradiction between the provisions of the Terms of Services and this DPA, this DPA shall take precedence for all data protection related issues.
Valid from Feb 8th 2022