Data Processing Agreement
This Agreement is entered into between Synology Inc., a Taiwan corporation with its registration office at 9F, No. 1, Yuan Dong Rd., Banqiao, New Taipei 220632, Taiwan (the "Processor") and you as defined in the General Service Agreement of Synology C2 Services (the "Controller").
This Agreement is hereby incorporated into and form a part of the General Service Agreement of Synology C2 Services (hereinafter referred to as "Service Agreement").
Agreement means this Data Processing Agreement.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Cross-border processing means either:
- processing of Personal Data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of Personal Data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
Data Protection Officer means an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
Data Subject means a natural person whose Personal Data is processed by a controller or processor.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Personal Data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.
Pseudonymisation means the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.
Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
Representative means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the GDPR.
Reseller means a third-party service provider who subscribe Synology C2 service and pay the remuneration of such service directly to the Processor on behalf of the Controller.
Regulations mean the GDPR and other generally binding legal regulations relating to the area of Personal Data protection.
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process Personal Data.
Standard Contractual Clauses mean the standard contractual clauses set forth in Exhibit 1 for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries in the form set out in the Annex of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended by incorporating the description of the Personal Data to be transferred and the technical and organizational measures to be implemented as set out in the Appendix.
Supervisory authority means the government authority in charge of the relevant issues implicated under this Agreement.
II. Duration of the Agreement
The duration of this Agreement shall coincide with the Service Agreement.
III. Nature and Purpose of the Agreement
- Nature and Purpose of the intended Processing of Data
The nature and purpose of the processing of Personal Data by the Processor for the Controller are precisely defined in the Service Agreement.
- Type of Data
The Subject Matter of the processing of Personal Data comprises the following data types/categories:
- Personal Main Data: The controller may store data of any kind on the rented server at his own discretion. Synology has no influence and no access to such data.
- Contract Billing and Payments Data: Within the framework of the execution of the Service Agreement, Synology shall collect the personal contractual data including contact address, information on the payment method, and contact person of the relevant Service Agreement.
- Categories of Data Subjects
The Categories of Data Subjects comprise of Customers and Contact Persons of the Resellers.
IV. Obligations of the Processor
- The Processor processes Personal Data solely and in full compliance with the Regulations and instructions of the Controller or as otherwise required in this Agreement. This obligation also applies to transfers by the Processor of Personal Data to a third country or an international organisation, unless the Processor is required to do so by the Regulations or laws to which the Processor is subject. In such a case, the Processor shall inform the Controller of such legal requirements before processing, unless that law prohibits such information on important grounds of public interest.
- The Processor and Controller agree that this Agreement and the Service Agreement represents the Controller's complete and final instructions to the Processor. Processing outside the scope of this Agreement (if any) will require prior written agreement between both parties on additional instructions for processing. The Controller may terminate this Agreement if the Processor declines to follow instructions requested by the Controller that are outside the scope of this Agreement.
- In the performance of this Agreement, the Controller shall immediately confirm any oral instructions in writing.
- Copies or duplicates of the data processed on behalf of the Controller shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data under the Regulations.
- The Processor may not on its own authority rectify, erase, or restrict the processing of data that is being processed on behalf of the Controller or port/transfer any such data to any third party, but do so only on documented instructions from the Controller. When a Data Subject contacts the Processor directly concerning a rectification, erasure, or restriction of processing or to exercise the right of portability, the Processor will immediately forward the Data Subject's request to the Controller. Insofar as it is included in the scope of services, the erasure policy, 'right to be forgotten', rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Controller without undue delay.
- The Processor shall inform the Controller immediately if the Processor considers that an instruction of the Controller violates the Regulations. The Processor shall then be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them.
- In addition to complying with the rules set out in this Agreement, the Processor shall comply with the statutory requirements referred to in the Regulations. Accordingly, the Processor assures particularly compliance with the following requirements:
- The Processor entrusts only such employees with the data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Processor and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this Agreement, unless required to do so under the Regulations.
- The Processor must assist the Controller to comply with requests from individuals exercising their rights to access, rectify, port, erase or object to the processing of their Personal Data.
- The Processor must assist the Controller to comply with requests from the supervisory authority. The Controller and the Processor shall cooperate, on request, with the supervisory authority in performance of its tasks.
- Designation of Data Protection Officer, Contact Person, Representative
Synology's Data Protection Team can be contacted at https://www.synology.com/form/privacy_issue. The Controller shall be informed immediately of any change of Data Protection Officer.
- The Controller shall be informed immediately of any inspections and measures conducted by the relevant supervisory authority as described in Point IX of this Agreement, insofar as they relate to the processing of this Agreement.
- Insofar as the Controller is subject to an inspection by a supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Agreement data processing by the Processor, the Processor shall make every effort to support the Controller. Further assistance duties are described in Point X of this Agreement.
- The Processor shall assist the Controller in ensuring compliance with the obligations as described in Point IX of this Agreement.
- Implementation of and compliance with all Technical and Organisational Measures necessary for this Agreement, as detailed in the Appendix.
V. Notification duties
- The Processor shall immediately notify the Controller of any Personal Data breaches. Any justifiably suspected incidences are also to be reported. Any notification must, at the very least, contain the information provided for in the Regulations.
- The Controller must also be notified immediately of any significant disruptions when carrying out the task as well as violations against the legal data protection provisions or the stipulations in this Agreement carried out by the Processor or any individuals he/she employs.
- The Processor shall immediately inform the Controller of any inspections or measures carried out by supervisory authorities or other third parties if they relate to the commissioned data processing.
- The Processor shall ensure that the Controller is supported in these obligations, in accordance with the Regulations, to the extent required.
VI. International Data Transfer
- Data that Synology processes on behalf of the Customer as a Processor may be stored either within the European Union (EU) or outside it, based on the Customer's choice of data center.
- When Personal Data is transferred internationally to Processors in countries lacking adequate data protection, the following applies:
- The Parties undertake the Standard Contractual Clauses (Exhibit 1) to facilitate the transfer of Personal Data to countries not offering adequate data protection. These clauses are adopted to ensure appropriate safeguards for privacy, as well as the fundamental rights and freedoms of individuals. Within these clauses, 'Controller' will act as the 'Data Exporter', and 'Processor' as the 'Data Importer'. In instances of conflict between the Standard Contractual Clauses and this Data Processing Agreement, the Standard Contractual Clauses shall take precedence.
- Upon the Controller's request, the Parties shall replace the Standard Contractual Clauses and execute new ones for data transfers to processors in third countries, as adopted under GDPR Art. 46 (2) (c) or (d).
- If, and as long as, Personal Data is transferred to a country with an adequacy decision under Article 45(3) of the GDPR, Standard Contractual Clauses are not required. Should this adequacy decision be repealed or suspended, clauses (a) and (b) will automatically apply.
VII. Technical and Organisational Measures & Data Security
The technical and organizational measures are detailed in Appendix ─ Annex II.
- Subcontracting for the purpose of this Agreement is to be understood as services which relate directly to the provision of the principal service. This does not include subsidiary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced subsidiary services.
- The Processor may authorize subcontractors only after prior explicit written or documented consent from the Controller. Notwithstanding the aforementioned, the Controller shall not withhold its consent without objectively justified reasons. In event of objection by the Controller to the appointment or replacement of any subcontractor, Processor will either not appoint or replace the subcontractors or, if this is not possible, Controller may suspend or terminate the Service(s) without prejudice to any fees incurred by Controller prior to such suspension or termination.
- Outsourcing to subcontractors or changing the existing subcontractor are permissible when:
- the Processor submits such an outsourcing to a subcontractor to the Controller in writing or in text form with appropriate advance notice; and
- the Controller has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Processor; and
- the same data protection obligations as set out in this Agreement shall be imposed on that other processor (subcontractor) by way of a contract/agreement or the subcontracting is based on a contractual agreement in accordance with the Regulations.
- The Processor will impose appropriate contractual obligations in writing upon the subcontractor that are no less protective than this Agreement or the legal requirements set out by the Regulations, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights.
- The transfer of Personal Data from the Controller to the subcontractor and the subcontractors commencement of the data processing shall only be undertaken after all compliance requirements has been achieved.
- The Processor will restrict the subcontractor's access to the data only to what is necessary to maintain the service of the subcontractor and will prohibit the subcontractor from accessing data for any other purpose.
- The Processor will remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the subcontractor that cause the Processor to breach any of Processor's obligations under this Agreement.
- If the subcontractor provides the agreed service outside the EU/EEA, the Processor must ensure compliance with the Regulations by appropriate measures.
- Further outsourcing by the subcontractor requires the express consent of the Processor (at the minimum in text form); all contractual provisions in this Agreement shall be communicated to and agreed with each and every additional subcontractor.
IX. Obligations, Rights and Supervisory of the Controller
- The Controller shall be solely responsible for assessing the admissibility of the processing requested and for the rights of affected parties.
- The Controller has the right to carry out inspections on the Processor or to have them carried out by a mutually agreed upon auditor to be designated in each individual case at the Controller's cost. The Controller has the right to check the compliance with this Agreement by the Processor in its business operation times by means of random checks, which are ordinarily to be announced in reasonable time.
- Inspections at the Processor's premises must be carried out without any avoidable disturbances to the operation of Processor's business. Unless otherwise indicated for urgent reasons, which must be documented by the Controller, inspections shall be carried out after appropriate advance notice and during the Processor's business hours, and not more frequently than every 12 months. If the Processor provides evidence of the agreed data protection obligations being correctly implemented, as stipulated in chapter IX.-5 of this Agreement, any inspections shall be limited to samples.
- The Processor shall ensure that the Controller is able to verify compliance with the obligations of the Processor in accordance with the Regulations. The Processor undertakes to give the Controller the necessary information on request, to demonstrate the execution of the Technical and Organizational Measures.
- Evidence of such measures, which concern not only this Agreement, may be provided by current auditor's certificates, reports or excerpts from reports provided by independent bodies (e.g., auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor).
- The Processor may claim remuneration for enabling Controller inspections.
X. Assistance and Information Duties of the Processor
- The Processor shall assist the Controller in complying with the obligations concerning the security of Personal Data, reporting requirements for data breaches, data protection impact assessments and prior consultations. These include:
- Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a Personal Data breach immediately to the Controller.
- The duty to assist the Controller with regard to the Controller's obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard.
- The duty to assist the Controller with regard to the Controller's obligation to provide information to the supervisory authority. The Controller shall cooperate, on request, with the supervisory authority in performance of its tasks.
- Supporting the Controller with its data protection impact assessment.
- Supporting the Controller with regard to prior consultation of the supervisory authority.
- The Controller shall be informed immediately of any inspections and measures conducted by a supervisory authority, insofar as they relate to the processing of data related to this Agreement. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any law or administrative rule or the Regulations regarding the processing of data in connection with the processing of this Agreement. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the data processing by the Processor under this Agreement, the Processor shall make every effort to support the Controller and provide all documentation, resources, and support as the Controller may require. Where data concerning this Agreement becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by the Processor, the Processor will inform the Controller without undue delay. The Processor will, without undue delay, notify and update the Controller without undue delay of all developments and updates in such actions, and shall take all measures in response to such actions as required by the Controller.
- The Processor may claim compensation for support services which are not included in the description of the services hereof and which are not attributable to failures of the Processor, provided that such compensation are approved in advance in writing by the Controller.
The Processor's remuneration for its services rendered under this Agreement is conclusively stipulated in the Service Agreement. There is no separate remuneration or reimbursement provided in this Agreement.
XII. Liability and Indemnification
- The Controller and the Processor shall be respectively liable for damages caused by any unauthorised party or for incorrect data processing within the scope of this Agreement in accordance with the applicable laws.
- In no event shall either party be liable to the other for any indirect, punitive, special, incidental, or consequential damages in connection with or related to this agreement (including loss of profits, use, data, or other economic advantage), however arising, whether for breach of this agreement, including breach of warranty or in tort, even if that party has been previously advised of the possibility of such damage.
XIII. Termination, Return and Deletion of data
- After termination of this Agreement or the termination of the underlying Service Agreement or upon request by the Controller, the Processor shall hand over to the Controller or – subject to prior consent of the Controller – destroy all data, processing and utilization results and data sets related to this Agreement or Service Agreement that have come into the Processor's possession, in a data protection compliant manner in compliance with the Regulations. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided to the Controller upon completion of the destruction or deletion or at any time as requested by the Controller.
- Documentation which is used to demonstrate orderly data processing in accordance with this Agreement shall be stored by the Processor beyond the duration of this Agreement in accordance with the respective retention periods under the Regulations. The Processor may hand such documentation over to the Controller at the end of the duration of this Agreement or at any time as requested by the Controller.
- The Processor is obligated to immediately ensure the return or deletion of data from subcontractors.
- The Processor must provide proof of the data being properly destroyed by the Processor or subcontractors and immediately submit this proof to the Controller.
- Both Parties are obligated to treat all knowledge of trade secrets and data security measures, which have been obtained from the other party within the scope of the contractual relationship, confidentially, even after this Agreement has expired. If there is any doubt as to whether information is subject to confidentiality, it shall be treated confidentially until written approval from the other party has been received. No ownership interest in intellectual property rights shall pass from the Controller to the Processor under this Agreement.
- Any amendments to this Agreement shall be in writing and be agreed by both Parties.
- Any exemption to the right of retention under applicable laws is hereby ruled out with regard to the data processed and the associated data carriers.
- Should any parts of this Agreement be invalid, this will not affect the validity of the remainder of this Agreement.
- This Agreement shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without giving effect to any principles of conflicts of law.
- All disputes arising out of or in connection with this Agreement shall be referred to and finally resolved by the court of competent jurisdiction in Dusseldorf, North Rhine-Westphalia, Germany, excluding the UN Convention on Contracts for the International Sale of Goods. If the client is a merchant according to § 1 paragraph 1 of the German Commercial Code (HGB), a legal entity of public law or a special fund of public law, the courts in Düsseldorf have jurisdiction over any disputes arising from or in connection with this contractual relationship.
Sign up for the C2 newsletter
Register now to get the latest updates about C2 services, technical insights, activities, and events.
To ensure you receive our newsletter, we will create a Synology Account for you using the email address provided.