GDPR Data Processing Addendum

This Data Processing Addendum (“Addendum”) forms part of the agreement between you, as customer of Orckestra C1 CMS and Orckestra A/S, a Danish corporation (NO. 21744409) (“Orckestra”) and applies to the extent that Orckestra Processes Personal  Data on your behalf in the course of providing Services to you.

By accessing or using our Services, you acknowledge and agree that you have read, understood, and agree to be bound by this Addendum. We may update this Addendum from time to time; by continuing to use the Services after we publishes notice of a modification on https://c1.orckestra.com, you thereby accept the modification. If you do not agree with the terms outlined in this Addendum, you should immediately discontinue using the Services.

  1. Definitions

(a) “Agreement” means the agreement by which Orckestra provides you the Services, including, without limitations, the Commercial C1 CMS License Agreement, the Composite 3.X Standard Terms & Conditions, the Mozilla Public License (MPL 1.1), the Hosting Terms and any other agreement which amends or replaces the foregoing.

(b) “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679), as well as any other similar data protection laws and regulations applicable to Orckestra;

(c) “Data Subject”, “Controller”, “Processor”, “Processing”, and “Supervisory Authority” shall be interpreted in accordance with applicable Data Protection Legislation;

(d) “Subprocessor” means a Processor engaged by another Processor for carrying out specific processing activities on behalf of the Controller.

(e) “Personal Data” as used in this Addendum means information provided by you to Orckestra or which is otherwise Processed by Orckestra in the course of providing you with the Service and which relates to an identifiable or identified Data Subject.

(f) "Sensitive Data" means (a) social security number, passport number, driver's license number, or similar identifier (or any portion thereof), (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords; (f) date of birth; (g) criminal history; (h) mother's maiden name; and (i) any other information that falls within the definition of "special categories of data" under Data Protection Legislation or any other applicable law relating to privacy and data protection.

(g) "Services” means any cloud service offering or customer support services provided by Orckestra to you under the Agreement.

  1. Data Protection

2.1. When Orckestra Processes Personal Data in the course of providing the Services, Orckestra will:

  • 2.2.1. Process the Personal Data as a Processor, only for the purpose of providing the Services in accordance with instructions from you (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by you. If Orckestra is required by law to Process the Personal Data for any other purpose, Orckestra will provide you with prior notice of this requirement, unless Orckestra is prohibited by law from providing such notice;
  • 2.2.2. notify you if, in Orckestra’s opinion, your instruction for the processing of Personal Data infringes applicable Data Protection Legislation;
  • 2.2.3. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Orckestra’s Processing of the Personal Data;
  • 2.2.4. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
  • 2.2.5. provide you, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Orckestra’s data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable you to assess compliance with the terms of this Addendum;
  • 2.2.6. notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
  • 2.2.7. ensure that our personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Personal Data; and
  • 2.2.8. retain Personal Data only for as long as necessary to perform the Services, or as required by applicable laws.

2.2 In the course of providing the Services, you acknowledge and agree that Orckestra may use Subprocessors to Process the Personal Data. Orckestra’s use of any specific Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Orckestra and Subprocessor.

2.3 Orckestra shall not Process Personal Data outside the European Economic Area (EEA) or outside any jurisdiction considered by the European Commission to afford an adequate level of protection to Personal Data, including, without limitations, Canada and the United States (under the Privacy Shield Program) or otherwise in accordance with Data Protection Legislation.

2.4 You acknowledge that Personal Data transferred to Orckestra for Processing is determined and controlled by you. As such, Orckestra has no control over the volume and sensitivity of Personal Data processed through its Services. You shall be responsible for ensuring that (i) you comply with Data Protection Legislation, as Data Controller, in your use of the Services; and (ii) you have the right to transfer, or provide access to the Personal Data to Orckestra for Processing in accordance with the terms of the Agreement and this Addendum. You also agree not to provide (or cause to be provided) any Sensitive Data to Orckestra for Processing under the Agreement, and Orckestra will have no liability whatsoever for Sensitive Data, whether in connection with a data security breach or otherwise. For the avoidance of doubt, this Addendum will not apply to Sensitive Data.

2.5 Orckestra will have the right to collect, extract, compile, synthesize and analyze aggregated, non-personally identifiable data or information (data or information that does not identify Company or any other entity or natural person as the source thereof) resulting from Company's use or operation of the Services («Service Data”). To the extent any Service Data is collected or generated by Orckestra, such data will be solely owned by Orckestra and may be used by Orckestra for any lawful business purpose without a duty of accounting to you. For the avoidance of doubt, this Addendum will not apply to Service Data.

  1. Miscellaneous

3.1 In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement.

3.2 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.

3.3 The terms of this Addendum shall be governed by and interpreted in accordance with the laws of Denmark applicable therein, without regard to principles of conflicts of laws.