1.1 "Service Level Agreement" means the level of availability or operation of the Products and Additional Services for the CLIENT and the minimums which NTT DATA must comply with when delivering the Products or providing the Additional Services.
1.2 “CLIENT” means the entity entering into this Agreement and ordering Products and/or Additional Services from NTT DATA in accordance with an Order Form.
1.3 “Body of the Agreement” means the general clauses of this Framework Agreement for contracting NTT DATA Products and Additional Services, excluding the Order Form and its annexes, appendices and supplements.
1.4 “Framework Agreement” or “Agreement” means the Body of the Agreement together with the Order Form(s), the annexes, the appendices and the supplements. In the event of any discrepancy between the Body of the Agreement and the Order Form, the provisions of the Body of the Agreement will prevail, unless otherwise expressly authorised in the Body of the Agreement.
1.5 “Third Party Content” means the components, standards, rules and good practices of third parties, which have been obtained by NTT DATA from publicly available sources or from their legitimate owners and which are governed by their own terms and conditions.
1.6 “CLIENT Data” means any data, information or other material (which is owned exclusively, and which is subject of copyright or other rights) which is uploaded, introduced, created or provided in any other way by the CLIENT, or created by NTT DATA based on CLIENT data, while the Product is used, including, among others, any third-party data obtained by the CLIENT and any personal data. For the avoidance of doubt, CLIENT Data does not include comments and improvements.
1.7 “Personal Data” means any information about an identified or identifiable natural person, as defined in the relevant legislation, in particular REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”) and other Applicable Data Protection Laws (together interpreted as the “Applicable Data Protection Legislation” or “ADPL”).
1.8 “Intellectual Property Rights” means each and all of the following: (a) registered patents, designs, trademarks, utility models, copyrights, know-how and rights over databases; (b) any other intellectual property right and similar or equivalent rights in any part of the world, which exist now or in the future; (c) applications for registration, extensions and renewals relating to any of the aforementioned rights and (d) the expression of any original work or creation, in any format, whether tangible or intangible, including, among others, computer programmes, source codes, object codes, technical documentation, instructions manuals, training materials, technical specification documents, plans, moulds, technical codes or references and/or parts thereof, data formats, sketches, designs, logos, as well as the result of any transformation, amendment, update, adaptation, new versions or alterations of such works or creations.
1.9 “Technical Documentation” means the technical help and user documentation (in any form) for the Products which is provided and/or made available by NTT DATA. In particular, it does not include the source code.
1.10 “Order Form” means the document containing details of the Product and/or Additional Services acquired by the CLIENT, which is attached to the Body of the Agreement and forms an inseparable part of the Framework Agreement.
1.11 “Incidents” means any technical incidents which prevent the CLIENT from using the Products in a normal fashion.
1.12 “Confidential Information” means, among others, technical, commercial or financial documentation relating to the Products and services of NTT DATA or the commercial relationship between the Parties, which is confidential due to its nature, or which is designated confidential by the Disclosing Party, or any other information exchanged by the Parties in the framework of this Agreement and which, given its nature and the circumstances of its disclosure, should be treated as confidential. Confidential Information does not include information which is (a) which is in the public domain, but not as a result of disclosure by the Receiving Party or by any of its representatives in breach of this Agreement; (b) which is in the possession of the Receiving Party before its disclosure by the Disclosing Party; (c) which is acquired by the Receiving Party from a third party without any confidentiality obligation; (d) which is developed independently by the Receiving Party without reference to the Confidential Information received from the Disclosing Party; or (e) the disclosure of which is expressly authorised by the Disclosing Party to the Receiving Party. The Party concerned shall provide evidence of the aforementioned reasons.
1.13 “Disclosing Party” means the Party disclosing Confidential Information to the other Party.
1.14 “Receiving Party” means the Party receiving Confidential Information from the other Party.
1.15 “Licence” means the right granted by NTT DATA to the CLIENT to use the On-Premise Products while this Agreement is in force and in accordance with its relevant provisions.
1.16 “Maintenance” means the technical services provided by NTT DATA or an Affiliate for the purposes of allowing the CLIENT to maintain the Product in good working condition, avoiding its breakdown, expiry or deterioration.
1.17 "Pre-existing NTT DATA Intellectual Property" or “Pre-existing IP” means any technology and information, elements to be delivered, methodologies, data, designs, ideas, concepts, know-how, techniques, CLIENT interfaces, templates, documentation, software, hardware, modules, development tools and any other tangible or intangible technical material or information which NTT DATA possessed before this Agreement enters into force or which it develops independently of the activities subject of this Agreement, as well as any by-product, modification or improvement of any of the foregoing.
1.18 "Product" means the product owned by NTT DATA identified in the Order Form.
1.19 "On-Premise Product" means the Products or components of a Product which are provided on premise pursuant to a Licence, and the corresponding Technical Documentation, excluding the Third Party Content.
1.20"SaaS Product" means a model of distributing and granting user rights used for delivering the Product by Internet, that is, like a subscription mode service.
1.21"Development Services" or "Development" means professional services consisting of the inclusion of new functionalities or adapting existing ones at the request of the CLIENT.
1.22"Implementation Services" or "Implementation" means professional services consisting of taking the necessary measures for the Product to develop any or all its envisaged functionalities (as described in the technical documentation of the Product) in the CLIENT’s devices or infrastructure.
1.23"Support Services" or "Support" means the services to be provided by NTT DATA to the CLIENT for the purpose of maintaining the Product in accordance with the agreed service levels.
1.24"Additional Services" means the Maintenance, Development, Implementation or Support services.
1.25"Affiliate" means an entity which controls, is controlled by, or is jointly controlled with, a Party, where “control” means, at least, a 50% holding in that entity, or the ability to direct the management of that entity, whether through the ownership of securities carrying voting rights or by way of contract or in any other way.
1.26"Subscription" means the right to use the SaaS Product granted by NTT DATA to the Client during a certain period.
1.27"Fees" means the financial amount which NTT DATA will receive as consideration for the use by the CLIENT of the Product in any distribution modality, and/or for the provision of Additional Services by NTT DATA or its Affiliates to the CLIENT, in accordance with the provisions of the relevant Order Form.
1.28"Territory" means the Territory specified in each case in the Order Form.
1.29"Authorised User" means a specific person authorised by the CLIENT (for example, employees or collaborators of the CLIENT) to access and use the Product on behalf of and for the benefit of the CLIENT, whether or not these persons are actively using the Product. The Fees will be associated with the number of Authorised Users requested by the CLIENT.
2.1 Products. Subject to the terms and conditions of the Framework Agreement, NTT DATA will make the Products available to the CLIENT in accordance with the provisions of the Order Form, in the following modalities:
2.2 On-Premise Product. NTT DATA will make available to the CLIENT the On-Premise Products in accordance with this Framework Agreement and subject to payment of the Fees. NTT DATA grants the CLIENT, who unconditionally accepts, a Licence to install, access and use the On-Premise Products specified in each Order Form and all its components, in the Territory, during the term of the Licence. This Licence is non-exclusive, non-transferable, revocable and non-assignable (unless otherwise expressly provided in this Agreement), and is granted solely for the internal commercial transactions of the CLIENT in the Territory on the terms and conditions established herein and in the relevant Order Form. Moreover, the use of the On-Premise Product is restricted to the number of Authorised Users for which the CLIENT has acquired Licences, as provided in the Order Form.
2.3 SaaS Products. NTT DATA will make available to the CLIENT the Subscriptions in accordance with this Framework Agreement, subject to payment of the Fees, during the term of the same in the Territory and subject to the terms and conditions of the relevant Order Form. Unless otherwise provided in the Body of the Agreement or in the Order Form, NTT DATA shall not be responsible for the eventual unavailability of the SaaS Products located in the cloud caused by circumstances beyond the reasonable control of NTT DATA, including, by way of illustration, but without limitation, external forces affecting the reliability or availability of Internet, the IT systems or other devices or means through which the CLIENT accesses the SaaS Products, or the temporary unavailability or interruption of the functioning of the services of the SaaS Products, in which case, the CLIENT shall continue to be obliged to pay the Fees.
2.4 Third Party Content. To the extent that Third Party Content is made available to the CLIENT as part of the Products, the CLIENT acknowledges and accepts that it shall not copy, publish or distribute any Third-Party Content independently from its use of the Products, nor transfer it to any third party, unless otherwise provided in the terms and conditions governing the Third Party Content. The CLIENT shall not grant licences or sell the Third-Party Content and shall not eliminate or alter any notice relating to copyright, trademarks or other notice of property appearing in the Third-Party Content or within the same. The CLIENT acknowledges and accepts that (a) the Third-Party Content may be added to, modified or eliminated at any time by NTT DATA; and (b) NTT DATA is not responsible for nor has any control over Third Party Content, other than making it available in relation to the Products.
2.5 Technical Documentation. To the extent that the Technical Documentation is necessary for the proper use of the Products, NTT DATA grants the CLIENT a non-exclusive, non-transferable, non-assignable and royalty-free licence in the Territory to use and show hard or electronic copies of the Technical Documentation solely for the purposes of reading and using it exclusively to the extent that the Technical Documentation is necessary for the use of the Products. The reproduction, re-labelling, distribution, offer, importation, sale, translation, modification and making derived works from the Technical Documentation are strictly prohibited. The relevant Technical Documentation shall be delivered to the CLIENT upon signature of this Agreement.
3.1 This Framework Agreement allows the use of the Products exclusively for the use for which they were designed, as provided in the Technical Documentation supplied by NTT DATA. The Licence or Subscription granted to the CLIENT only allows the use of the Products for the purposes described in this Agreement. The terms of this Agreement shall also apply to any update or modification of the Products, unless otherwise provided in the relevant Order Form.
3.2 Notwithstanding that the Products may be subject to different licensing and operating terms and conditions which will be described in the Order Form or in its Annexes, the Parties agree that the following common conditions shall apply to all of them:
3.2.1 If applicable, the CLIENT shall be entitled to access and use the Products up the maximum number of Licences/Subscriptions which it has acquired.
3.2.2 The CLIENT shall be responsible for determining the number of Licences or Subscriptions and for notifying the Authorised Users of the conditions for the use of the Products and ensuring the compliance thereof.
3.2.3 The CLIENT shall provide accurate, up-to-date and complete information when activating its Licence or Subscription account for a Product. NTT DATA shall not be responsible for any problems which the CLIENT may have in using the Products as a result of not fulfilling this obligation. The CLIENT shall keep confidential all the identifiers of the Authorised Users, the passwords and other account information. The CLIENT will keep the registration of Authorised Users up to date, shall follow the principle of the least privilege when assigning access permits for the Products, and shall require its Authorised Users to change their passwords periodically. The CLIENT shall be responsible for all activity in its Authorised User accounts, and for any complaint, problem or dispute arising as a result of the actions or omissions of its Authorised Users. The CLIENT shall inform NTT DATA immediately upon becoming aware of any unauthorised use of any Product or account information and if such unauthorised use is by an Authorised User, the CLIENT shall take the necessary measures to prevent such use and minimise its consequences.
3.2.4 Third Party use: NTT DATA acknowledges and accepts that the Authorised Users of the CLIENT may, subject to the terms and conditions of this Agreement, include third party providers of services, independent contractors and consultants of the CLIENT, provided that (a) the CLIENT has informed NTT DATA of the name of that third party, the need for access and the security mechanism that the CLIENT will implement to protect the Confidential Information and the Intellectual Property Rights of NTT DATA; (b) the third party is not a direct competitor of NTT DATA and NTT DATA does not oppose such access in the five (5) business days following the date on which the CLIENT has communicated the identity of such third party; (c) the third party agrees to comply with the terms and conditions of this Agreement and notifies its Authorised Users thereof (ensuring its compliance); and (d) such third party uses the Products exclusively for the benefit of the internal commercial transactions of the CLIENT. The CLIENT shall provide a list of any third parties which are using a Product in accordance with this clause for the purposes of managing the Licences/Subscriptions granted and the Products. The CLIENT shall be directly responsible before NTT DATA for the appropriate use of the Products by such third parties in accordance with this Agreement.
3.2.5 Handling security breaches: Both Parties will have a procedure for handling security breaches. If the CLIENT has indications or knowledge that there has been a security breach relating to a Product or which could potentially affect a Product, it will notify this to NTT DATA without undue delay. In the case of a security breach, NTT DATA shall completely or partially block communication between the resources of the CLIENT and the resources of NTT DATA as an immediate preventative response action in the face of the breach. Both Parties agree to cooperate to investigate and resolve security breaches; and, if appropriate, they shall share relevant information which allows suitable measures to be adopted to contain, eradicate, recover or prevent the breach.
3.3 Restrictions on the Use of the Products. The CLIENT shall only use the Products in accordance with the provisions of this Framework Agreement and shall not (a) use the Products in a manner that infringes any applicable laws or regulations; (b) consciously send or store material that is in breach of any regulations, threatening, defamatory or in any other way unlawful or criminal, including material in breach of the privacy rights of any person; (c) interfere with or interrupt the integrity or performance of the Products or of the data contained in them; (d) attempt to obtain unauthorised access to the Products or to related systems or networks; (e) use any other type of robot, scraper, deep link or other automated tools for collecting or extracting data, programme, algorithm or methodology for accessing, acquiring, copying or supervising any part of the Products; (f) attempt to publish or transmit any file containing viruses, computer worms, Trojans or any other characteristic which is contaminating or destructive or interferes in any way with the proper functioning of the Products; (g) carry out any test or analysis on the security or performance of the Products without the prior consent in writing of NTT DATA, or publicly disclose the results of such tests or analyses; (h) publicly announce or disclose the source code, object code, Technical Documentation, performance information or analysis of the Products, including any result of the referred tests performed on the Products, decompile, apply reverse engineering, or disassemble or create works derived from any Product; (i) attempt in any other way to reduce the Products from the object code or source code or reconstruct or discover any source code, underlying ideas, algorithms, file formats or programming interfaces of any Product by any means (unless and solely to the extent that the applicable legislation prohibits or limits reverse engineering restrictions); (j) use any Product to develop works or jobs which are functionally comparable or competitive with any Product, or create works or jobs derived from the Product (the use of the Product to produce reports or other tasks permitted by such Product shall not be considered works or jobs derived from the Product); (k) lease, rent, lend, sell, sub-license or distribute the Products (independently or as part of a package with other software) outside the CLIENT’s organisation to a third party (including the use of the Product on a time share regime, for service office purposes, or for the provision of a service generating fees directly or indirectly to third parties); (l) use any computer, device, software or other means designed to avoid or eliminate any security mechanism, or any form of protection against copy or use, used by NTT DATA or its third party licensors in relation to the Products; (m) combine the Products with any other kind of software (including open code software), if the combined programme is subject to any FOSS licence which requires that the combined programme or the Product and its source code are available free of charge. NTT DATA reserves the right to suspend the use of the Products by the CLIENT or to take other appropriate corrective measures to deal with any breach or suspected breach of the obligations contained in this clause.
4.1 The CLIENT shall be responsible for studying the opportunity to purchasing Additional Services of Support, Maintenance, Development or Implementation offered by NTT DATA in relation to the Products in view of its needs and requirements. If any of these services are contracted, the legal terms and conditions, as well as the technical and financial terms and conditions, shall be governed specifically for each service in the relevant Order Form.
5.1 NTT DATA warrants that the Products will work or be available (as appropriate) while the Licence or Subscription is in force in accordance with the essential functionalities included in the Order Form and in the Technical Documentation applicable to the Product. NTT DATA does not guarantee that the use of the Products will be uninterrupted or free from errors. If the essential functionalities of a Product do not match with the Order Form or its Technical Documentation, the CLIENT shall notify this in writing so that NTT DATA can, as it deems fit and unilaterally, take such steps as are reasonably possible from a commercial point of view to quickly repair or replace the Product or part of it or any other remedy envisaged in this Agreement.
5.2 This warranty shall not apply and, therefore, NTT DATA shall have no obligation to carry out corrections or repairs, or to replace the Products or part of it, in the event of (i) fault or negligence of the CLIENT; (ii) the use of the Product in a manner not specified in the Technical Documentation; (iii) causes not relating to the Product; or (iv) its inability to function with other systems or applications of the CLIENT.
5.3 EXCEPT FOR THE EXPRESS WARRANTIES CONTAINED IN THIS AGREEMENT, THE PRODUCTS, TECHNICAL DOCUMENTATION, THIRD-PARTY CONTENT AND ANY OTHER SERVICES PROVIDED PURSUANT TO THIS AGREEMENT ARE PROVIDED “AS IS” AND ARE NOT GUARANTEED TO BE FREE FROM ERRORS, AND THE CLIENT ACCEPTS ALL RISK IN RELATION TO QUALITY, PERFORMANCE, RELIABILITY, ACCURACY AND RESULTS OF THEIR USE.
6.1 NTT DATA shall be authorised to carry out audits (at least once a year and in accordance with NTT DATA’s standard procedures, which may include audits in the CLIENT’s facilities and/or remote audits) of the use of the Products and of the Technical Documentation. The CLIENT must provide reasonable cooperation in the performance of such audits. If an audit discloses that (i) the CLIENT has paid less Fees than those due and/or that (ii) the CLIENT has made a use of the Software that exceeds the amount of Licences or Subscriptions or the levels specified in the offer, the CLIENT shall pay the shortfall in Fees and/or the excess use based on the offered Fees, and shall sign an additional Order Form to include the necessary Licences or Subscription for any additional amount or level. The CLIENT shall pay the reasonable costs of the NTT DATA audit if the results of the audit show that the use or levels permitted by the Licence or Subscription have been exceeded. NTT DATA reserves all rights to claim the payment of shortfalls in Fees and the excess of quantities or levels of use permitted by the Licence or Subscription by the CLIENT.
6.2 NTT DATA reserves the right to incorporate software security mechanisms in the Products to supervise its use with the aim of ensuring compliance of the Agreement and its ownership of the Products. The CLIENT shall not take any measure to avoid or invalidate the purpose of any of such measures.
7.1 All Intellectual Property Rights over or in relation to the Products, the Technical Documentation and the Pre-existing IP of NTT DATA shall continue to be Intellectual Property Rights or trade secrets exclusively owned by NTT DATA. NTT DATA may incorporate such measures it deems appropriate in a Product or resource to avoid its unauthorised use. The CLIENT shall be responsible for any breach of Intellectual Property Rights arising as a result of a breach of this Agreement. In particular, the CLIENT is not authorised to access the source code of the Product.
7.2 NTT DATA reserves all the Intellectual Property Rights and the other rights not expressly granted to the CLIENT in this Agreement. Consequently, no provision of this Agreement shall limit in any way the right of NTT DATA to develop, use, license, improve, modify, create derivative works or use the Products in any other way, or to allow third parties authorised by NTT DATA to do so.
7.3 NTT DATA shall not be prevented in any way from using its general knowledge, skills and experience, as well as any ideas, concepts, know-how and techniques acquired or used during the course of this Agreement, or from re-using any general knowledge which is public and common to different companies in the same sector.
7.4 The CLIENT shall not attempt to apply, register or claim by any mean as its own, in any jurisdiction, the Intellectual Property Rights owned by NTT DATA or third parties, whether not protected in the Territory or in any other country at any time.
7.5 The CLIENT shall not suppress or alter in any way copyright or trademark notices or other notices of ownership of NTT DATA in the Products and Technical Documentation.
7.6 The Parties shall not use any registered trademark, logo, trade name, Internet domain name or other distinctive sign of the other Party, without its prior express consent in writing. This consent will not be necessary for NTT DATA to use the aforementioned of the CLIENT in any proposal and/or presentation to third parties, as a mere commercial reference, or on NTT DATA’s internal Intranet, which only employees access, provided there is no breach of the confidentiality obligations contained in this Agreement.
7.7 If Third-Party Content is licensed under a Free Open Source (FOSS) Licence, the applicable terms and conditions of the FOSS licence will prevail over any other terms and conditions covering the Product and, therefore, such components may only be used in accordance with the applicable licence and not in accordance with the terms and conditions of this Agreement. All Third-Party Content subject to a FOSS licence will be provided with the Product (together with their respective licence) are listed in the applicable Order Form.
7.8 The CLIENT may at any time provide suggestions, requests for improvements or characteristics or other comments to NTT DATA with respect to the Products, services or related documentation (notwithstanding such products, services or documentation are being disclosed or delivered by NTT DATA to the CLIENT under this Agreement or not) (together, the “Comments”). The CLIENT accepts that all Comments are voluntary and delivered to NTT DATA in a entirely voluntary manner. NTT DATA may use, disclose, reproduce, license or distribute and exploit the Comments at its discretion, with no restrictions or obligations of any type or nature. The Comments shall, even if they are designated confidential by the CLIENT, not create any confidentiality obligation for NTT DATA unless NTT DATA expressly agrees in writing. To the extent that the CLIENT, or any Authorised User, makes any suggestion in relation to any characteristic, functionality or performance which NTT DATA adopts for any of its Products (expressly excluding the Confidential Information of the CLIENT), the CLIENT and such Authorised User hereby grant to NTT DATA a non-exclusive, royalty-free, worldwide, perpetual and irrevocable right and licence to freely copy, use, make use, publish, adapt, distribute, sell, licence, create derivative works and exploit in any other manner such suggestions, including incorporating them in future versions of the Products or services.
7.9 The CLIENT is authorised to print and make a reasonable number of copies of the Technical Documentation for its internal use in accordance with the Agreement, provided that the CLIENT reproduces in such copies all the copyright and other ownership notices found in the original copy of such Technical Documentation.
7.10 If the Product consists, in whole or in part, of a database, the CLIENT shall not be entitled to extract and/or re-use the whole or a substantial part (evaluated qualitatively and/or quantitatively) of such database. This exclusion shall only affect the original data provided by NTT DATA and shall not prevent the CLIENT from using the results of using the Product.
8.1 Confidentiality. Each Party may have access to Confidential Information relating to the Product, the needs of the CLIENT or the Agreement. Each Party recognises that Confidential Information is private and valuable to the Disclosing Party and that any unauthorised disclosure or use of the same will cause irreparable loss and damage to the Disclosing Party. The Receiving Party undertakes to keep the Confidential Information belonging to the Disclosing Party confidential while this Agreement is in force until the Receiving Party returns or destroys all Confidential Information in its possession or under its control. Without prejudice to the foregoing, the Parties undertake that all Confidential Information exchanged for the purposes of the Agreement before entering into it shall be subject to the confidentiality provisions contained in this clause.
In addition, the confidentiality obligation assumed by the Parities pursuant to this Agreement shall remain in force for a period of five (5) years following termination of the Agreement.
No Party shall disclose Confidential Information belonging to the other Party to any third party or use such Confidential Information for any purpose other than the performance of this Agreement, except to the extent required by law, governmental order or valid court order in accordance with Clause 8.2 below. The Receiving Party shall be liable, together with its employees, agents and third parties for whom it is responsible, for any loss or damage arising as a result of the breach of the confidentiality obligation, without prejudice to any action that the Disclosing Party may take against the Receiving Party or against third parties under any applicable legislation. The Receiving Party undertakes to use the Confidential Information solely for the purpose of complying with the Agreement, unless otherwise agreed by the Parties in writing.
8.2Compulsory disclosure. Each Party undertakes, moreover, to adopt reasonable security measures when sending Confidential Information. If the applicable law or any legal proceedings demand or require the Receiving Party to disclose any Confidential Information belonging to the Disclosing Party, the Receiving Party, shall, before such compulsory disclosure, inform the Disclosing Party (to the extent legally permitted to do so) and shall reasonably assist the Disclosing Party, at the expense of the latter, if the Disclosing Party wishes to oppose the disclosure. Any disclosure of this kind shall be limited to the required extent and shall be subject to confidentiality protections to the extent reasonably feasible. Disclosure of Confidential Information required by applicable legislation or by legal proceedings shall not constitute a breach of this Agreement.
8.3Details of signatories
8.3.1 Purposes of processing. The personal data of the representatives, collaborators or employees of the User, to which NTT DATA has access by virtue of the contractual relationship, will be used exclusively for the purpose of executing, fulfilling and requesting the fulfillment of the obligations and responsibilities arising from the Contract, and managing the relationship between the Parties, as well as, where appropriate, for the defense of NTT DATA's interests, legal advice and compliance systems.
The above personal data will be processed, respectively, by NTT DATA, which will act, independently, as data controller. Said data will be processed for the purpose of complying with the rights and obligations of the Contract, without automated decisions being taken that may affect the data subjects. Consequently, the legal basis for the processing is the fulfillment of the contractual relationship. The data will be kept for the duration of the contractual relationship and will only be processed by NTT DATA and by those third parties to whom it is legally or contractually obliged to communicate them.
8.3.2 Data Processing agreement. Where Client’s use of the Products includes the processing of Client’s Data by NTT DATA it will be subject to the General Data Protection Regulation (EU) 2016/679 (GDPR) or other ADPL. This data processing by NTT DATA, as data processor, complies with the requirements of the aforementioned legislation. NTT DATA shall process personal data on behalf of and in accordance with Client’s instructions consistent with this Agreement. Hence, Schedule A shall govern the aforementioned data processing and the parties shall specify the details of the processing of personal data within the relevant Order Form.
9.1 CLIENT Data. The CLIENT has and shall maintain the ownership and control of all CLIENT Data. The CLIENT shall not introduce, upload, process or store CLIENT Data in or with a Product, unless the CLIENT has obtained them legally and complied with all applicable laws regarding its use of such Data. NTT DATA shall have no obligation or responsibility in respect of the Data introduced, uploaded, processed or stored by the CLIENT in the Product(s).
9.2 Usage Data. NTT DATA may collect, use, process and store technical data relating to the use of computers, mobile telephones or other devices which the CLIENT uses to download, install and access the Products, for its improvement, for the purpose of providing assistance and in order to verify the Products. The foregoing may include, among others, IP addresses and other information such as Internet service, location, browser type and modules used and/or accessed (“Usage Data”). The CLIENT accepts that NTT DATA may process Usage Data to create and compile collections of anonymous and aggregated data and/or statistics about the Products, for the purposes of maintaining, supervising and improving the performance and integrity of NTT DATA’s Products.
9.3 Product improvement. NTT DATA may use the CLIENT Data and the Usage Data generated and obtained during the use of the Products by the CLIENT for the purpose of analysing and identifying possible areas for improvement of the Products. If the CLIENT Data or Usage Data include personal data within the meaning of the GDPR, NTT DATA shall previously anonymise the information irreversibly and prior to its use for the purposes of improving the Products.
10.1 Fees. The CLIENT shall pay the Fees set out in each Order Form. Unless otherwise provided in the relevant Order Form, the Fees shall be paid no later than thirty (30) days following the date of the invoice and may not be cancelled or reimbursed.
10.2 Taxes. All applicable taxes (excluding taxes on net income of NTT DATA), rights or other governmental levies are additional and payable by the CLIENT, and are based on the delivery address specified in the Order Form.
If the CLIENT is obliged to pay any mandatory withholding, charge or duty in relation to any payment owing to NTT DATA pursuant to this Agreement, the CLIENT shall calculate the payments to be made in such a way that NTT DATA receives the amounts due in accordance with this Agreement in full and free from any deduction by way of withholding, charge or duty. NTT DATA shall not charge any tax from which the CLIENT is exempt if the CLIENT is an institution or entity exempt from taxes and the CLIENT provides evidence thereof by way of the relevant tax exemption certificate. The CLIENT recognises that the Order Form contains its invoicing and delivery addresses.
10.3 Delay in payment of Fees. If any payment of Fees is delayed by more than (30) days, NTT DATA may, without limiting any other rights and actions available to it, suspend or finalise access to and use of the Products by the CLIENT, or of related services, in respect of which payment of the Fees is outstanding until such amounts have been paid in full. NTT DATA shall provide at least seven (7) days’ notice that payment of the Fees is outstanding before any suspension, and shall not exercise such right if the CLIENT, reasonably and in good faith, disagrees and has complained about the applicable Fees, and is cooperating diligently to find a solution to the disagreement. Furthermore, if payment has not been made within the thirty (30) days following the issue date of the invoice, NTT DATA may invoice delay charges which will be calculated by applying a monthly 3% on the delayed amount during the days of delay, unless otherwise provided by law. Such charges shall not limit any other claim which may be available to NTT DATA.
10.4 Modification of Fees. NTT DATA reserves the right to change, update or modify the Fees set out in each Order Form upon prior notice in writing of such price modification to the CLIENT (i) in the case of Order Forms with a duration of more than one (1) year, with at least two (2) months’ notice before applying such change and, (ii) in the case of Order Forms with a duration of one (1) year or less, when renewing such Order Form.
11.1 Duration and renewal of Framework Agreement. The Framework Agreement shall enter into force on the day on which it is signed by both Parties and shall have an initial duration of twelve (12) months counting from such date, and shall be tacitly and automatically renewed for successive periods of identical duration, unless either Party expresses its will not to renew by way of ninety (90) days’ written notice prior to the initial termination date or the termination date of any of its annual renewals. Termination or expiration of this Framework Agreement shall not affect any Licences or Subscriptions then in force which are being performed. The provisions of the Framework Agreement shall continue to be in force until the last Order Form is concluded.
11.2 Duration of Licence or Subscription. A Licence or Subscription of the CLIENT for a Product, whether a On Premise Product or a SaaS Product, shall have the duration set out in the relevant Order Form. If no duration is specified in the Order Form, the Licence or Subscription shall have a duration of one (1) year starting on the date of the Order Form.
11.3 Duration of Additional Services. The Additional Services shall have the duration set out in the relevant Order Form. If no duration is specified, the Additional Services will have the same duration as the associated Licence or Subscription.
11.4 Renewal of Licence, Subscription or Additional Services. Unless otherwise provided in the Order Form, the Licence, Subscription and/or Additional Services shall be renewed at the end of each term for a new term of one (1) year unless: (a) NTT DATA receives a notice of non-renewal from the CLIENT at least thirty (30) days before the end of the current term; or (b) NTT DATA delivers to the CLIENT a notice of non-renewal at least sixty (60) days before the end of the then current term.
12.1 Early termination. Either Party may terminate the Framework Agreement and/or Order Form immediately if the other Party materially fails to comply with its obligations under the Agreement and, within thirty (30) days following receipt of written notice from the other Party, the Party in breach does not remedy the breach, or does not make significant progress, reasonably satisfactory to the other Party. Unless otherwise provided in the relevant Order Form, either Party may voluntarily terminate the Agreement at any time way of written notice at least thirty (30) days prior to the intended termination date; nevertheless, any Fees paid in advance shall not be reimbursed and the CLIENT shall continue to be responsible for the outstanding Fees during the remaining term.
12.2 Termination due to breach. NTT DATA may, as well as suspending access to the Product and/or interrupting the provision of Additional Services, choose to terminate the Agreement and/or the Order Form immediately if the CLIENT fails to comply with any of its obligations in the following cases: (i) use of the Product by the CLIENT contrary to the content of the Order Form and its Technical Documentation, (ii) failure to pay the Fees, (iii) breach of any representation or warranty by the CLIENT in relation to its obligations or its Compliance Programme (Clause 17). If NTT DATA terminates the Agreement due to any such breach by the CLIENT, without prejudice to any compensation for loss or damage which may by due, the CLIENT shall continue to be liable for all outstanding Fees which must be paid during the term of the Licence, the Subscription, and the Additional Services. If the CLIENT terminates the Agreement due to a breach by NTT DATA, NTT DATA shall reimburse any Fee paid in advance calculated from the effective termination date until the end of the paid term.
12.3 Effects of termination. Upon termination of an Order Form, Licence, Subscription or this Agreement, access to and use of the Products by the CLIENT shall cease. The CLIENT shall destroy or delete the original and all copies of such Products and of the Technical Documentation that are in its possession or controlled by it. NTT DATA reserves the right to choose one of the following options:
(a) At the written request of NTT DATA, an authorised representative of the CLIENT shall certify in writing to NTT DATA, no later than thirty (30) days following such request, that the original and all copies of the Products and the Technical Documentation have been destroyed or returned to NTT DATA.
(b) NTT DATA or a third party designated by NTT DATA may, upon one day’s prior notice, access the CLIENT’s facilities to check that the original and all copies of the Product and of the Technical Documentation have been destroyed.
12.4 Return of Confidential Information. Each Party shall immediately return to the other Party all Confidential Information belonging to the other Party that is in its possession or controlled by it. If the CLIENT is responsible for erasing all Client Data from the SaaS Products following termination of the Subscription, NTT DATA shall allow the CLIENT to access the SaaS Products for a period of thirty (30) days following termination to allow the CLIENT to make such erasure. In the event that the CLIENT has not such obligation, NTT DATA shall erase all CLIENT Data provided under this Agreement.
12.5 Survival. Termination of this Agreement shall not constitute a waiver of any of the Fees, amounts or charges owed by the CLIENT, nor shall such termination limit or compromise in any way any other rights of either Party under this Agreement. Notwithstanding the termination of this Agreement for any reason, the Parties agree that certain provisions, given their nature, shall remain in force following termination of this Agreement including, among others, those relating to Confidential Information, personal data protection and Intellectual Property Rights.
13.1 Exclusion of liability. EXCEPT FOR THE EXPRESS WARRANTIES CONTAINED IN THIS AGREEMENT, NEITHER NTT DATA NOR ITS LICENSORS SHALL BE HELD LIABLE FOR ANY OTHER REPRESENTATION, WARRANTY OR CONDITION, EXPRESS OR IMPLIED, BY LAW OR IN ANY OTHER WAY, IN RELATION TO THE PRODUCTS, THE TECHNICAL DOCUMENTATION, THE THIRD PARTY CONTENT AND ANY SERVICE PROVIDED PURSUANT TO THIS DOCUMENT, INCLUDING, AMONG OTHERS, THEIR SUITABILITY FOR ANY PARTICULAR PURPOSE, MARKETABILITY, DURABILITY AND NON-BREACH. NO VERBAL OR WRITTEN INFORMATION PROVIDED BY NTT DATA, ITS LICENSORS, OR THEIR RESPECTIVE EMPLOYEES, OFFICERS, DIRECTORS, AFFILIATES, CONTRACTORS, DISTRIBUTORS OR AGENTS, SHALL EXTEND THE SCOPE OF THE EXPRESS WARRANTIES CONTAINED IN THIS AGREEMENT, NOR CREATE NEW REPRESENTATIONS, WARRANTIES OR CONDITIONS.
13.2 Limitation of liability for loss or damage. THE TOTAL AGGREGATE LIABILITY OF NTT DATA (AND OF ITS RESPECTIVE LICENSORS, AFFILIATES, EMPLOYEES, OFFICERS, DIRECTORS, CONTRACTORS, DISTRIBUTORS AND AGENTS) FOR ANY CLAIMS ARISING FROM OR IN RELATION TO THIS AGREEMENT, SHALL BE LIMITED SOLELY TO DIRECT LOSSES OR DAMAGES, PROVEN AND EXCLUSIVELY ATTRIBUTABLE TO NTT DATA AND SHALL NOT EXCEED THE LOWER OF THE FOLLOWING AMOUNTS: THE FEES PAID BY THE CLIENT IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR THE TOTAL AMOUNT SET OUT IN THE ORDER FORM, IN BOTH CASES FOR THE PRODUCT OR SERVICE GIVING RISE TO THE LOSS OR DAMAGE. NTT DATA, ITS LICENSORS AND AFFILIATES (INCLUDING THEIR RESPECTIVE EMPLOYEES, OFFICERS, DIRECTORS, CONTRACTORS, DISTRIBUTORS AND AGENTS) SHALL NOT BE LIABLE TO THE CLIENT FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGE OR LOSS, INCLUDING, AMONG OTHERS, LOSS OF PROFITS OR LOSS OF INCOME, THE INTERRUPTION OF BUSINESS, LOSS OF TECHNICAL DOCUMENTATION OR THE CORRUPTION OR LOSS OF DATA OR THE COST OF REPLACEMENT GOODS OR SERVICES, WHICH ARISE FROM OR ARE RELATED TO THE USE OR INABILITY OF THE CLIENT TO USE THE PRODUCTS, THE TECHNICAL DOCUMENTATION, THE THIRD PARTY CONTENT, ANY SERVICE PROVIDED PURSUANT TO THE AGREEMENT OR ANY TRANSACTION ENVISAGED BY IT, REGARDLESS OF THE TYPE OF LIABILITY (CONTRACTUAL, NON-CONTRACTUAL OR ANY OTHER) AND EVEN IF THE OTHER PARTY HAS BEEN INFORMED OF THE POSSIBILITY OF INCURRING SUCH LOSS OR DAMAGE. THE LIMIT OF DIRECT LOSSES OR DAMAGES ENVISAGED IN THIS CLAUSE SHALL NOT APPLY TO (I) OBLIGATIONS TO INDEMNIFY PURSUANT TO CLAUSE 13.4 (II) ANY BREACH AFFECTING THE INTELLECTUAL PROPERTY RIGHTS OF NTT DATA IN RELATION TO THE PRODUCTS (IV)THE AMOUNTS RELATING TO FEES OUTSTANDING ON THE TERMINATION DATE (V) ANY GROSS NEGLIGENCE OR WILFUL MISCONDUCT OF THE PARTIES (VI) LIABILITY FOR DEATH OR PERSONAL INJURY.
13.3 Liability for Third Party Content. THE USE OF THIRD-PARTY CONTENT IS SUBJECT TO ITS PARTICULAR TERMS AND CONDITIONS. WHEN USING IT, THE CLIENTS SHALL HOLD NTT DATA AND ITS LICENSORS FREE FROM ALL LIABILITY WHICH MAY ARISE IN RELATION TO SUCH USE. IN PARTICULAR, NTT DATA SHALL HAVE NO LIABILITY IN RELATION TO THIRD PARTIES CONTENT BASED ON FOSS LICENCES.
13.4 Liability of NTT DATA for third party claims. NTT DATA shall defend the CLIENT in respect of any legal claim brought against the CLIENT alleging that a Product or an Additional Service, when used in accordance with this Agreement, infringes any Intellectual Property Right of a third party in the Territory, and shall indemnify the CLIENT for any actual damages (including reasonable legal fees) which are eventually awarded against the CLIENT in respect of such claim, or for an amount agreed to settle such claim, provided that: (a) the CLIENT notifies NTT DATA without undue delay of the claim received; (b) NTT DATA has exclusive control of the defence of the claim and of all the negotiations for its resolution or settlement (provided this does not require an admission of fault or liability by the CLIENT); and (c) the CLIENT provides reasonable assistance to NTT DATA to defend the claim. NTT DATA shall have no obligation to the CLIENT if the claim for breach is based or related to: (a) the continuous use by the CLIENT of a version of the Product which NTT DATA no longer distributes commercially, if NTT DATA has a new version of the Product available which would avoid or reduce the claim for breach; (b) the use or the combination of any Product or Additional Services with other programmes, components, products or services not provided or authorised by NTT DATA, if such use or combination gives rise to a claim for breach; (c) the improper use, misappropriation or improper disclosure of the CLIENT Data by the CLIENT; or (d) the use of a Product or Additional Service in breach of the Agreement, or such that it does not comply with the terms and conditions of the Agreement or which is not in accordance with the applicable Technical Documentation.
13.5 Action against third party claims. Following the notification of a claim for breach or if, in the opinion of NTT DATA, it is likely that such a claim will be brought, NTT DATA shall be entitled, if it so decides and at its expense, to (a) ensure that the CLIENT has the right to continue using the Product or Additional Service concerned; or (b) substitute or modify that Product or Additional Service such that it materially provides a functionality and performance equal to or greater than that of the Product or Additional Service concerned. If, in the opinion of NTT DATA, neither of these options is commercially reasonable, NTT DATA may terminate the Agreement and/or the Order Form by giving thirty (30) days’ written notice to the CLIENT and shall reimburse the Fees paid in advance and not used for the rest of the current term in a pro rata manner. The prorated reimbursement shall be calculated from the date on which NTT DATA receives notification of the claim for breach until the rest of the term.
13.6 Liability of the CLIENT for third party claims. The CLIENT shall defend and indemnify NTT DATA (including, by way of illustration and without limitation, the members of its group of companies, Affiliates, and their employees, directors, agents and representatives) against any loss or damage arising from any claim brought against them which arises from or is related to: (a) the collection and use by the CLIENT of the CLIENT Data in connection with the Product or (b) the failure by the CLIENT to comply with its obligations in relation to Third Party Content or the restrictions of the Products. The indemnity contained in this clause includes damages (including legal defence costs) which are eventually awarded against NTT DATA with respect to any claim of this nature, or for the amount agreed to settle such claims, provided that (a) NTT DATA notifies the CLIENT without undue delay of the claim; (b) the CLIENT has exclusive control of the defence and of all the negotiations for its resolution or settlement (provided this does not require an admission of fault or liability by NTT DATA); and (c) NTT DATA provides reasonable assistance to the CLIENT to defend the claim. This indemnity shall not apply to the extent that such claim arises exclusively from the Product itself or is caused by a breach of this Agreement by NTT DATA.
13.7 Liability for Force Majeure: Neither of the Parties shall be liable for any delays in performance or failure to perform due to force majeure or unforeseeable circumstances, as defined by applicable legislation.
14.1 Access to Systems: For the CLIENT to access the Products or for NTT DATA to provide Additional Services, NTT DATA may require access to the CLIENT’s systems, therefore the CLIENT undertakes to provide NTT DATA access and connection to its systems subject to the following conditions:
(a) In all cases, NTT DATA shall follow and comply with the security policies agreed with the CLIENT and applicable at the time this Agreement enters into force, and which will be notified in writing by the latter.
(b) The CLIENT shall configure and provide NTT DATA with permissions for access and connection to its systems, limited to the members of the team which require it at any given time. In the case of rotation in the team, the accesses and passwords assigned to members of the team shall be deactivated in the forty-eight hours following their leave.
(c) NTT DATA shall only access the CLIENT’s systems to install the Products and/or provide the Additional Services.
(d) The remote provision of Products or Additional Services by NTT DATA shall require a VPN or similar connection to the CLIENT’s systems.
(e) If the CLIENT makes available to NTT DATA any facility, software, hardware, infrastructure or other resources for NTT DATA to carry out the installation of the Products and/or Additional Services, the CLIENT shall ensure that it obtains any licences or approvals relating to such resources which may be necessary for NTT DATA to use them and comply with its obligations under the Order Form and this Agreement. NTT DATA shall not be liable for any breach of any obligation as a result of the CLIENT’s failure to obtain such licences or approvals.
(f) If NTT DATA makes available to the CLIENT any software or tools for the latter to receive the Products or Additional Services, NTT DATA shall ensure that it obtains any licences or approvals relating to such resources which may be necessary for the CLIENT to receive the Products and/or Additional Services. The CLIENT shall not be liable for any breach of any obligation as a result of the NTT DATA’s failure to obtain such licences or approvals.
14.2 Security. The Parties shall cooperate at all times to ensure the security of the systems and data handled by the CLIENT. The CLIENT shall therefore implement the security measures suggested by NTT DATA for the proper use of the Products and Additional Services and, in accordance with any proposal contained in the Order Form, for reinforcing its systems and protecting the Products.
15.1 Any notice, request, requirement, instruction, notification or other type of communication given or sent in the context of this Agreement must be in writing and sent by ordinary mail (with acknowledgment of receipt), by email or delivered to the relevant Party at the address appearing in each Order Form at the time of subscription or renewal of the Licence or Subscription. Notices shall be deemed to have been validly received, if delivered personally, at the time of such delivery, if delivered by ordinary mail, at the time proof of such delivery to the addressee is obtained; and, if delivered by email, when express acknowledgment of receipt of the same is obtained or when non-repudiation is technically feasible.
15.2 Reasonable notice of any change in address for the purposes of notices must be given to the other Party in accordance with this clause.
16.1 This Agreement shall be governed and interpreted in accordance with the legislation specified in the Order Form. In the absence of explicit regulation, it shall be the governing law applicable to where the NTT DATA entity signing this Agreement is established.
16.2 Any conflict, dispute or claim arising from or in connection with this Agreement, or with the breach, termination or invalidity of this Agreement, shall be settled by the courts specified in the Order Form. In the absence of explicit regulation, competent courts will be those of where the NTT DATA entity signing this Agreement is established.
17.1 The Parties undertake to comply with all legislation in force (including international legislation) which may be applicable to this Agreement while it is in force, in particular anticorruption law, anti-money laundering law, labour law, environmental law and competition law.
17.2 Each Party represents that it has implemented a Compliance Programme which involves carrying on professional activity in accordance with certain ethical parameters, contained in its own Ethical Code, the essential purpose of which is to identify risks relating to legislative compliance in the organisation, as well as their prevention and control.
17.3 Each Party undertakes to comply in full with the provisions of its Compliance Programme, including, among other things, observing the values, principles and guidelines for conduct contained in its Code of Conduct, as well as its other internal policies and procedures. In particular, both Parties agree to prohibit any action or conduct which could directly or indirectly involve corruption or bribery of any kind, in both the public and the private sector.
17.4 In addition, in the framework of this contractual relationship, the Parties agree to avoid any conflicts of interest, whether personal or professional.
17.5 Any breach of this clause, provided there is due evidence thereof, shall entitle the Party not in breach to automatically terminate this Agreement, as well as to make any claims to which it is legally entitled if affected by such breach.
18.1 Entire agreement. This Agreement includes all the obligations, representations and warranties arising from the agreement between the Parties with respect to the use of the Products and the Additional Services, and replaces any previous conversation or agreement, verbal or written, between the Parties, with the express exclusion of any order terms and conditions of the CLIENT or any general terms and conditions of the CLIENT, which shall not bind the Parties and shall not be construed so as to modify this Agreement. Any amendment of this Agreement shall take place in writing and shall be signed by authorised representatives of both Parties.
18.2 Partial invalidity. If any of the clauses of this Agreement is declared invalid or unenforceable, such clause shall be deemed to be excluded from the Agreement, without implying the invalidity of the Agreement. In this case the Parties shall use their best efforts to find an equivalent solution which is valid, and which duly reflects their intentions.
18.3 Waiver. No failure by a Party to exercise any right under this Agreement shall be construed as a waiver of such right.
18.4 Assignment of contractual position. NTT DATA may assign its contractual position under this Agreement by giving one (1) month’s written notice to the CLIENT. The CLIENT shall not be entitled to assign this Agreement without the prior written consent of NTT DATA, except to a corporate successor due to a merger, purchase of assets and assumption of liabilities, acquisition, reorganisation, or other means, provided that the CLIENT gives prior notice thereof to NTT DATA and such corporate successor agrees to be bound by this Agreement. Furthermore, the CLIENT may only assign this Agreement if the assignee is not a competitor of NTT DATA, the CLIENT ceases to use the Products, and the use does not exceed the number of Licenses or Subscriptions purchased by the CLIENT. This Agreement shall be for the benefit of the Parties and shall be binding upon their respective successors, executors, heirs and authorised assignees.
18.5 Absence of third-party beneficiaries. Unless otherwise expressly provided in this Agreement, no person other than a Party to this Agreement shall be entitled to demand compliance with any provision of this Agreement.
18.6 Mutual respect. The Parties undertake to act in good faith and with utmost consideration for each other’s interests in the performance of this Agreement, and undertake to respect their respective Intellectual Property Rights, goodwill, directors, workforce and all assets and securities which make up market value.
NTT DATA will sign this Data Processing Agreement (hereinafter, the “DPA”) in its own name and on behalf of its affiliates. In addition, the other party acknowledges and agrees that NTT DATA will be the sole point of contact on behalf of the Affiliates of personal data. As other Affiliates may have certain direct rights against the other Party NTT DATA shall use its reasonable endeavours to bring all claims or actions against the other Party for itself and on-behalf of any other Affiliates to the extent possible. The other Party shall be discharged of its obligations to inform or notify another affiliates when the other party has provided such information or notice to NTT DATA.
“Affiliates”: This term refers to the NTT DATA companies listed in Annex A.
“Data Subject”: means an identified or identifiable person. An identifiable person is one who can be identified either directly, or indirectly.
“Personal Data”: means any information relating to a Data Subject.
“Data Breach” or “Personal Data Breach”: means any event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data, by any third Party.
“Processing” or “Process” or “Processed”: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Data Controller” or “Controller” means the natural or the legal person, which determines the purposes and means of the Processing of Personal Data.
“Data Processor” or “Processor”: means the natural or the legal person, which Processes Personal Data on behalf of the Data Controller.
“Sub-processor”: means any authorized natural or legal person Processing Personal Data on behalf of the Data Processor.
“Data Protection Impact Assessment”: means an assessment aiming to identify and minimize the Data protection risks arising from a Personal Data Processing activity, when such Processing activity is likely to result in a risk to Data Subjects’ rights and freedoms.
(a) The purpose of this DPA, together with the corresponding clauses of the Order Forms that may be signed by the parties, is to ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and any local derogation and/or requirement possibly in force in their jurisdiction, such as the 2018 UK Data Protection Act as amended and supplement by the exit Regulations (including but not limited to UK GDPR, the Federal Data Protection Act - FDPA- in Switzerland etc. - the “Applicable Data Protection Laws” or “ADPL”).
(b) The Parties have agreed to this DPA in order to ensure compliance with the ADPL in their respective role as may be identified, at any time, with the corresponding Order Form.
(c) The DPA applies to the Processing of Personal Data needed for the execution of the Agreement, as well as for the delivery of the Product and the execution of the Additional Services that could be determined on each Order Form, without prejudice of the amendments that could be included in the latter. The DPA, as well as the obligations regarding data protection included on each Order Form are subject to change and update as agreed by the Parties if new type of Data or Processing occurs.
(d) The Data Protection Annexes attached to each Order Form are an integral part of the DPA.
(e) This DPA is without prejudice to obligations to which the parties are subject by virtue ADPL.
(f) This DPA does not ensure compliance with obligations related to international transfers in accordance with ADPL for which the Parties shall agree and implement any appropriate transfer tools in, as required by the relevant ADPL.
(a) The Parties undertake not to modify this DPA, except any modifications that may be made to the specific Order Forms for adding and/or updating information in them.
(b) The obligation under letter a) above does not prevent the Parties from including this DPA as Annex to a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict this DPA or detract from the fundamental rights or freedoms of Data Subjects.
(c) The Parties may agree on special conditions to supplement or amend this DPA by adding them in each Order Form.
(a) Where this DPA uses the terms defined in the ADPL respectively, those terms shall have the same meaning as in that ADPL.
(b) This DPA shall be read and interpreted in the light of the provisions of ADPL.
(c) This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in ADPL or in a way that prejudices the fundamental rights or freedoms of the Data Subjects.
(d) Any capitalised term shall have the meaning set out in Clause 1, unless otherwise defined in the body of the DPA.
In the event of a contradiction between this DPA, the provisions of each Order Form and the provisions of related agreements between the Parties existing at the time when this DPA and the Order Forms are agreed or entered into thereafter, they shall prevail as follows.
(a) Data Protection Annexes of each Order Form.
(b) This DPA.
(c) Other Annexes.
(a) Any entity that is not a Party to this DPA may, with the agreement of all the Parties, accede to this DPA at any time in the specific role by completing and signing Data Protection Annex of the Order Form.
(b) Without prejudice to Clause 8.7, where a party is acting as Processor under this DPA, it may engage another Processor either by:
(i) asking the other processor to accede to this DPA and to any Order Form by completing and signing the Annex I according to this Clause 6.a); or
(ii) entering into a separate DPA with the party acting as other Processor in which case adding the name of the other Processor to Data Protection Annex of the corresponding Order Form.
(c) In case of letter b, number (i) above, the party acting as Controller shall have no right and claim against the Processor for any breach of the acceding party unless:
(i) the Controller has formally and unsuccessfully brought the claim before the acceding party; and
(ii) the Controller has notified the Processor of such breach, its intention to bring a claim against the acceding party as well as the fact that the claim was not successful.
In such case the Processor shall have step in right in the claim against the acceding party to recover any loss or expense or damages the Processor has paid to the Controller.
(d) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to this DPA and the corresponding Order Form and have the rights and obligations of a controller, processor or joint controller as applicable, in accordance with its designation in Data Protection Annex of the corresponding Order Form.
(e) The acceding entity shall have no rights or obligations resulting from this DPA from the period prior to becoming a Party likewise the orignal parties shall have no right and obligations before the acceding party under this DPA from the period prior to becoming a Party.
(f) This clause is optional, so if it is chosen, it shall be indicated in the Order Form.
The details of the Processing operations, in particular the categories of Personal Data and the purposes of Processing for which the Personal Data is Processed in the respective role of each Party, must be specified in Data Protection Annex of each Order Form.
Where a Party wishes to engage the other Party in different Processing activities (either as Controller or as Processor of a Party’s client acting as Controller) it may do so by completing and signing an appendix to Data Protection Annex of the affected Order Form containing details of: (i) Parties’ respective roles; (ii) type of Processing and Personal Data and Data Subject affected; (iii) any other special conditions to amend or supplement this DPA and/or the specific Order Form for that specific Processing.
Once executed, the Data Protection Annex of each Order Form, as well as its appendix if applicable, will become an integral part of this DPA to regulate the Processing of Data specified therein.
8.1 General obligations
(a) Where a Party acts as Processor, it shall Process Personal Data only on documented instructions from the Controller, unless required to do so by ADPL to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Subsequent instructions may also be given by the Controller throughout the duration of the Processing of Personal Data. These instructions shall always be documented.
(b) The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe any ADPL.
(c) The Processor will inform the Controller without undue delay, if it becomes aware of:
- any legally binding request for disclosure of Controller Personal Data by a law enforcement authority, unless the Processor is otherwise forbidden by law to inform Controller, for example to preserve the confidentiality of an investigaton by law enforcement authorities;
- any notice, inquiry or investigation by a supervisory authority with respect to Controller’s Personal Data.
(d) Where the Parties act as autonomous Controllers, they shall comply with any legal and technical requirements provided for in the ADPL, including, by way of mere example; (i) provide a comprehensive privacy notice to the relevant Data Subjects; (ii) manage any DSR request; (iii) maintain and update the Personal data register to the extent required by ADPL; (i) perform a Data Protection Impact Assessment (DPIA) or Data Protection by Design (DPbD) assessment if required by ADPL; (v) ensure that any authorised Processor complies with the ADPL and instructions; (vi) cooperate with the relevant Data Protection Authority, and (vii) promptly manage any Personal Data Breach and cooperating each other in ensuring compliance with the ADPL.
8.2. Purpose limitation
Each Party shall Process the Personal Data only for the specific purpose(s) of the Processing, as set out in Data Protection Annex of each Order Form, and in case a Party acts as processor, unless it receives further instructions from the Controller.
8.3. Duration of the Processing of Personal Data
Processing shall only take place for the duration specified in each Order Form regarding the Products or Additional Services required by Customer.
8.4. Security of Processing
(a) Where a Party acts as Processor:
(i) it shall as a minimum implement the technical and organisational measures specified in Data Protection Annex of each Order Form to ensure the security of the Personal Data. This includes protecting the Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the Data (Personal Data Breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the Data Subjects.
(ii) it shall grant access to the Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The Processor shall ensure that persons authorised toProcess the Personal Data received (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, including after the termination of their respective employment, contract, or assignments, and (ii) comply with the terms in this DPA.
(b) Where the parties acts as autonomous controllers (i) each Party is responsible for implementing any technical and organizational measure to protect confidentiality, integrity and availability of the personal data.
8.5. Special category of Data or Data relating to criminal offence and convictions
If the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, Data concerning health or a person’s sex life or sexual orientation, Data relating to criminal convictions and offences, or any other similar data considered to be a special category of data under the ADPL (“sensitive Data”), each Party shall apply specific restrictions and/or additional safeguards as further specified in the Data Protection Annex of each Order Form.
8.6 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with this DPA, as well as with the obligation assumed in each Order Form.
(b) Each Party shall deal promptly and adequately with inquiries from the other Party about the Processing of Data in accordance with this DPA and/or with each Order Form.
(c) Where a Party acts as Processor of the other Party (the Requesting Party), it shall make available to the Requesting Party all information necessary to demonstrate compliance with the obligations that are set out in this DPA, in the correspoding Order Form and in the ADPL. At the Requesting Party’s request, the Processor shall also permit and contribute to audits of the Processing activities covered by this DPA and by the corresponding Order Form, every year or sooner if there are indications of non-compliance. In deciding on a review or an audit, the Processor may ask for the Requesting Party to take into account relevant certifications held by the Processor.
(d) The Requesting Party may choose to conduct the audit by itself or mandate an independent auditor provided that it is not providing a service or product which is directly or indirectly competing with the Processor’s business. Audits may also include inspections at the premises or physical facilities of the Processor/Subprocessor and shall, where appropriate, be carried out no more than once per year and subject to at least 30 days’ prior notice, in agreement with the Processor/Subprocessor and trying to avoid any disruption in the business of the Processor/Subprocessor.
(e) The costs of the audit shall be borne by the Requesting Party.
(f) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
8.7. Use of sub-processors
(a) Where a party act as Processor, the Processor has a general authorisation for the engagement of Sub-processors from an agreed list attached as Data Protection Annex of each Order Form. The Processor shall specifically inform in writing the other Party of any intended changes of that list through the addition or replacement of Sub-processors at least 60 days in advance.
(b) Where the Processor engages another Sub-processor for carrying out specific Processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-processor, in substance, the same data protection obligations as the ones imposed on the data Processor in accordance with this DPA and the corresponding Order Form. The Processor shall ensure that the Sub-processor complies with the obligations to which the Processor is subject pursuant to this DPA, the corresponding Order Form and the ADPL.
(c) Upon request of the other Party to this DPA, the Processor shall provide a copy of such a Sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secret or other confidential information, including Personal Data, the Processor may redact the text of the agreement prior to sharing the copy.
(d) Subject to clause 6 letter b) (i) and letter (c), the processor shall remain fully responsible to the other party for the performance of the Sub-processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the other Party of any failure by the Sub-processor to fulfil its contractual obligations.
(e) The Processor shall agree a third party beneficiary clause with the Sub-processor whereby - (i) the other Party has a direct right of action against the Sub-processor in order to exercise its right under the Sub-processing agreement; and (ii) in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent - the other Party shall have the right to terminate the Sub-processor contract and to instruct the Sub-processor to erase or return the Personal Data.
8.8. International transfers
(a) Any transfer of Data to a third country or an international organisation by a Party acting as Processor shall be done only on the basis of documented instructions and authorisation from the other Party and in compliance with the approved transfer tools set out in the ADPL (e.g. Chapter V of Regulation (EU) 2016/679 or UK GDPR, FDPL etc.) as further described below.
(b) Where a Party acting as Processor engages a Sub-processor in accordance with Clause 8.7. for carrying out specific Processing activities (on behalf of the other party) and those Processing activities involve a transfer of Personal Data, the Processor and the Sub-processor can ensure compliance with the ADPL by using any permitted transfer tool (including for example the standard contractual clauses adopted by the European Commission in accordance with the Article 46(2) of Regulation (EU) 2016/679 (“SCCs”), or International Data Transfer Addendum to the European SCCs ('UK Addendum"), or the International Data Transfer Agreement (“IDTA”)), provided the conditions for the use of those transfer tools clauses are met.
- [THIS PARAGRAPH SHALL APPLY WHENEVER THERE IS A PERSONAL DATA TRANSFER FROM EEA:] In particular, in case of transfers of Personal Data outside the EEA authorized by the other Party, it will be done (i) towards a country recognised by European Commission as ensuring an adequate level of protection of Personal Data, or (ii) based on the terms of the SCCs, provided that these clauses cover the Personal Data concerned and are signed by the Processor with its Sub-processors in the name and on behalf of the other Party, or (iii) based on Data Processors’ Binding Corporate Rules approved by Data protection supervisory authorities, or (iv) based on any other legal means allowed by ADPL, provided this alternative means is expressly approved in writing by the other Party.
- [THIS PARAGRAPH SHALL APPLY WHENEVER THERE IS A PERSONAL DATA TRANSFER FROM UK:] In case of transfers of Personal Data outside the UK, it will be done (i) towards a country recognised by UK Information Commissioner as ensuring an adequate level of protection of Personal Data or (ii) based on the terms of the “UK Addendum” alongside SCCs, provided that it covers the Personal Data concerned and are signed by the Processor with its Sub-processors in the name and on behalf of the other Party, or (iii) based on the terms of the IDTA, or (iv) based on Data Processors’ Binding Corporate Rules approved by UK Data protection supervisory authorities, or (iv) based on any other legal means allowed by ADPL, provided this alternative means is expressly approved in writing by the other Party.
The Parties shall also implement any other supplementay measures in addition to these safeguards, if required by ADPL. In this respect, the Processor (i) shall inform the other Party if it transfers or intends to transfer the Personal Data towards countries in which local laws or practices allow access by public authorities to Personal Data which may go beyond what is necessary or proportionate in a democratic society and (ii) shall not engage into any such transfers of Personal Data outside the EEA or UK (or shall stop any such transfer), if supplementary measures as required by ADPL cannot be implemented in practice.
The other Party reserves the right to carry out any checks it deems useful in order to confirm that the obligations resulting from this Clause are being fulfilled.
(a) A Party acting as Controller shall promptly notify the other Party acting as Controller of any request it has received from the Data Subject and unless such Party acts as autonomous Controller, it shall not respond to the request itself, unless authorised to do so by the other Party.
(b) A Party acting as Processor or Sub-processor shall promptly notify the other Party acting as Controller of any request it has received from the Data Subject and shall assist the Controller in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights, taking into account the nature of the Processing. In fulfilling its obligations, the Processor shall comply with the Controller’s instructions.
(c) In addition to the Processor’s obligation to assist the Controller pursuant to Clause 10(b), the Processor shall furthermore assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the Data Processing and the information available to the Processor:
(1) the obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Personal Data (a ‘Data Protection Impact Assessment’), where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to Processing where a Data Protection Impact Assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
(3) the obligation to ensure that Personal Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Personal Data it is Processing is inaccurate or has become outdated;
(4) the obligations in the ADPL regarding the implementation of appropriate technical and organizational measures (including those set out in article 32 Regulation (EU) 2016/679 or article 32 of UK GDPR or similar provisions in the relevant DPL).
(d) The Parties shall set out in the Data Protection Annex of each Order Form the appropriate technical and organisational measures in the application of this Clause as well as the scope and the extent of the assistance required. Data Protection Annex of each Order Form will be kept accurate and updated with the security measures taking into account the Data Processing activity carried out under that Order Form.
In the event of a Personal Data Breach, each Party shall cooperate with and assist the other Party to comply with its obligations under the ADPL, taking into account the nature of Processing and the information available to such Party.
10.1 Data Breach concerning Data Processed by the Controller
In the event of a Personal Data Breach concerning Data Processed by a Party as Controller, and the other Party acting as Processor, to the extent possible, the latter shall assist the Controller:
(a) in notifying the Personal Data Breach to (i) the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons) and (ii) the Data Subjects without undue delay when the Personal Data Breach is likely to result in a high risk to the rights and freedoms of natural persons;
(b) in obtaining the following information which, pursuant to the ADPL, shall be stated in the Controller’s notification, and must at least include:
(1) the nature of the Personal Data including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(2) the likely consequences of the Personal Data Breach;
(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to the ADPL with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
10.2 Data breach concerning Data Processed by the Processor
In the event of a personal data breach concerning data processed by a party as processor, the latter shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the Breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
(b) the details of a contact point where more information concerning the Personal Data Breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the Breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Data Protection Annex of each Order Form all other elements to be provided to ensure compliance with the oligations under the relevant ADPL.
This DPA shall be subject to the liability regime included in the Agreement signed between the Parties, or in the applicable Order Forms which governs the specific project or service related to the personal data concerned.
(a) Without prejudice to any provisions of the ADPL, in the event that a Party is in breach of its obligations under this DPA or under any Order Form, the other Party may suspend the Processing of Personal Data of this DPA and/or of the affected Order Form until the latter complies with this DPA and/or with the affected Order Form. Each party shall promptly inform the other in case it is unable to comply with this DPA, for whatever reason.
(b) Unless otherwise terminated by either Party according to this Clause 11, this DPA shall be valid and enforceable form the effective date stated on top of the first page until the end of the main contract and/or during the Processing of Personal Data is required to fulfill the contractual obligation of the Processor under the Agreement and/or the Order Forms that may be signed between the parties.
(c) A Party shall be entitled to terminate this DPA and/or any Order Form insofar as it concerns Processing of Personal Data if:
(1) the Processing of Personal Data by the other Party has been suspended pursuant to point (a) and if compliance with this DPA and/or an Order Form is not restored within a reasonable time and in any event within the timing set out and communicated by the terminating party;
(2) the other Party is in substantial or persistent breach of this DPA and the ADPL;
(3) the other Party fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to theis DPA or the ADPL.
Failure to comply with any of the obligations established in a specific Order Form, and its non-rectification in the terms indicated in the preceding sections of this clause, will not grant the affected party, in any case, the right to terminate the CTD in its entirety, nor any other Order Form.
(d) A party acting as Processor shall be entitled to terminate this DPA and/or an Order Form insofar as it concerns processing of personal data where, after having informed the other party that its instructions infringe applicable legal requirements in accordance with Clause 8.1 (b), the other party insists on compliance with the instructions.
(e) Following termination of this DPA and the termination of the different Order Forms, each party shall delete all personal data received by the other party, or, return all the personal data to the other party and delete existing copies unless ADPL requires storage of the personal data. Such destruction must consist of irreversible deletion of all copies of the other party’s personal data found on any of its equipment or media in its possession.
The parties agree that these Terms shall be governed in accordance with the law specified in the Order Form. In the absence of express regulation in the Order Form, the applicable law shall be the law of the place where the NTT DATA entity entering into the Agreement is established.
(a) Any dispute arising from these Clauses and/or with the Order Forms shall be resolved by the courts of the location where NTT DATA is established, unless otherwise expressly stated in the Order Form.
(b) A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(c) The Parties agree to submit themselves to the jurisdiction of such courts.