Data Processing Agreement - Bilig Opex
English Ptesi - Cuma 09:00-18:00 +90 2167092987

Data Processing Agreement

Data Processing Agreement for BiLiG OPEX

“Data Processing Agreement”

 

1.  Scope and Applicability

 

  • This Data Processing Agreement applies to BİLİG OPEX’s Processing of Personal Information on Your behalf as a Processor for the provision of the Services specified in Your Services Agreement. Unless otherwise expressly stated in Your Services Agreement, this version of the Data Processing Agreement shall be effective and remain in force for the term of Your Services

2.  Responsibility for Processing of Personal Information and Your instructions

 

  • You are a Controller and BİLİG OPEX is a Processor for the Processing of Personal Information as part of the provision of the Each party is responsible for compliance with its respective obligations under Applicable Data Protection Law.
  • BİLİG OPEX will Process Personal Information solely for the purpose of providing the Services in accordance with the Services Agreement and this Data Processing
  • In addition to Your instructions incorporated into the Services Agreement, You may provide additional instructions in writing to BİLİG OPEX with regard to Processing of Personal Information in accordance with Applicable Data Protection Law. BİLİG OPEX will promptly comply with all such instructions to the extent necessary for BİLİG OPEX to (i) comply with its Processor obligations under Applicable Data Protection Law; or

(ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Services.

  • BİLİG OPEX will follow Your instructions at no additional cost to You and within the timeframes reasonably necessary for You to comply with your obligations under Applicable Data Protection Law. To the extent BİLİG OPEX expects to incur additional charges or fees not covered by the fees for Services payable under the Services Agreement, such as additional license or third party contractor fees, it will promptly inform You thereof upon receiving Your instructions. Without prejudice to BİLİG OPEX’s obligation to comply with Your instructions, the parties will then negotiate in good faith with respect to any such charges or
  • Unless otherwise specified in the Services Agreement, You may not provide BİLİG OPEX with any sensitive or special Personal Information that imposes specific data security or data protection obligations on BİLİG OPEX in addition to or different from those specified in the Data Processing Agreement or Services

3.  Privacy Inquiries and Requests from Individuals

 

  • If You receive a request or inquiry from an Individual related to Personal Information processed by

BİLİG OPEX for the provision of Services, You can either (i) securely access Your Services environment that holds Personal Information to address the request, or (ii) to the extent such access is not available to You, submit a “service request” via My BİLİG OPEX Support (or other applicable primary support tool or support contact provided for the Services, such as Your project manager) with detailed written instructions to BİLİG OPEX on how to assist You with such request.

  • If BİLİG OPEX directly receives any requests or inquiries from Individuals that have identified You as the Controller, it will promptly pass on such requests to You without responding to the Individual. Otherwise, BİLİG OPEX will advise the Individual to identify and contact the relevant controller(s).

4.  BİLİG OPEX Affiliates and Third Party Subprocessors

 

  • To the extent BİLİG OPEX engages Third Party Subprocessors and/or BİLİG OPEX Affiliates to Process Personal Information, such entities shall be subject to the same level of data protection and security as BİLİG OPEX under the terms of the Services Agreement. BİLİG OPEX is responsible for the performance of the BİLİG OPEX Affiliates’ and Third Party Subprocessors’ obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection

5.  Cross-border data transfers

 

  • Without prejudice to any applicable regional data center restrictions for hosted Services specified in Your Services Agreement, BİLİG OPEX may Process Personal Information globally as necessary to perform the Services.
  • To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Applicable Data Protection Law, such transfers shall be subject to (i) for transfers to BİLİG OPEX Affiliates, the terms of the BİLİG OPEX Intra-Company Data Transfer and Mandate Agreement, which requires all transfers of Personal Information to be made in compliance with Applicable Data Protection Law and all applicable BİLİG OPEX security and data privacy policies and standards globally; and (ii) for transfers to Third Party Subprocessors, security and data privacy requirements consistent with the relevant requirements of this Data Processing Agreement and Applicable Data Protection

6.  Security and Confidentiality

 

  • BİLİG OPEX has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures. Additional details regarding the specific security measures that apply to the Services You have ordered are set out in the relevant security practices for these Services:
  • For Cloud      Services:      BİLİG OPEX’s             Hosting             &                Delivery      Policies, available            at …………
  • All BİLİG OPEX and BİLİG OPEX Affiliates employees, as well as any Third Party Subprocessors that Process Personal Information, are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on information protection, and compliance with BİLİG OPEX policies concerning protection of confidential

7.       Audit Rights

 

  • You may audit BİLİG OPEX’s compliance with its obligations under this Data Processing Agreement up to once per In addition, to the extent required by Applicable Data Protection Law, You or Your Regulator may perform more frequent audits.
  • If a third party is to conduct the audit, the third party must be mutually agreed to by You and BİLİG OPEX (except if such third party is a Regulator). BİLİG OPEX will not unreasonably withhold its consent to a third party auditor requested by You. The third party must execute a written confidentiality agreement acceptable to BİLİG OPEX or otherwise be bound by a statutory or legal confidentiality
  • To request an audit, You must submit a detailed proposed audit plan to BİLİG OPEX at least two weeks in advance of the proposed audit The proposed audit plan must describe the proposed scope, duration, and start date of the audit. BİLİG OPEX will review the proposed audit plan and provide You with any concerns or questions. BİLİG OPEX will work cooperatively with You to agree on a final audit plan.
  • The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and BİLİG OPEX’s health and safety or other relevant policies, and may not unreasonably interfere with BİLİG OPEX business
  • Upon completion of the audit, You will provide BİLİG OPEX with a copy of the audit report, which is subject to the confidentiality terms of Your Services Agreement. You may use the audit reports only for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement.
  • Each party will bear its own costs in relation to the audit, unless BİLİG OPEX promptly informs you upon reviewing Your audit plan that it expects to incur additional charges or fees in the performance of the audit that are not covered by the fees payable under Your Services Agreement, such as additional license or third party contractor The parties will negotiate in good faith with respect to any such charges or fees.
  • Without prejudice to the rights granted in Section 1 above, if the requested audit scope is addressed in audit report issued by a qualified third party auditor within the prior twelve months and BİLİG OPEX provides such report to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.

8.  Incident Management and Breach Notification

 

  • BİLİG OPEX has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to

Personal Information transmitted, stored or otherwise Processed. BİLİG OPEX will promptly define escalation paths to investigate such incidents in order to confirm if a Personal Information Breach has occurred, and to take reasonable measures designed to identify the root cause(s) of the Personal Information Breach, mitigate any possible adverse effects and prevent a recurrence.

  • BİLİG OPEX will notify you of a confirmed Personal Information Breach without undue delay but at the latest within 24 hours. As information regarding the Personal Information Breach is collected or otherwise reasonably becomes available to BİLİG OPEX, BİLİG OPEX will also provide You with (i) a description of the nature and reasonably anticipated consequences of the Personal Information Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Information that were the subject of the Personal Information Breach. You agree to coordinate with BİLİG OPEX on the content of Your intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Personal Information

9.  Return and Deletion of Personal Information

 

  • Upon termination of the Services, BİLİG OPEX will promptly return, including by providing available data retrieval functionality, or delete any remaining copies of Personal Information on BİLİG OPEX systems or Services environments, except as otherwise stated in the Services
  • For Personal Information held on Your systems or environments, or for Services for which no data retrieval functionality is provided by BİLİG OPEX as part of the Services, You are advised to take appropriate action to back up or otherwise store separately any Personal Information while the production Services environment is still active prior to

10.  Legal Requirements

 

  • BİLİG OPEX may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement
  • BİLİG OPEX will promptly inform You of requests to provide access to Personal Information, unless otherwise required by

11.  Definitions

 

Applicable Data Protection Law” means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Information under this Data Processing Agreement, which may include Applicable European Data Protection Law.

Applicable European Data Protection Law” means (i) the EU General Data Protection Regulation ………….. as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; (ii) the ………………… on Data Protection, as amended; and (iii) the …………………….

Individual” shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.

Process/Processing”, “Controller”, “Processor” and “Binding Corporate Rules” (or the equivalent terms) have the meaning set forth under Applicable Data Protection Law.

BİLİG OPEX Affiliate(s)” means the subsidiar(y)(ies) of BİLİG OPEX Corporation that may Process Personal Information as set forth in Section 4.

BİLİG OPEX Intra-Company Data Transfer and Mandate Agreement” means the BİLİG OPEX Intra-Company Data Transfer and Mandate Agreement for Customer Services Personal Information entered into between BİLİG OPEX Corporation and the BİLİG OPEX Affiliates.

BİLİG OPEX Processor Code” means BİLİG OPEX’s Privacy Code for Processing Personal Information of Customer Individuals referenced in the European DPA Addendum.

BİLİG OPEX” means the BİLİG OPEX Affiliate that has executed the Services Agreement.

Personal Information” shall have the same meaning as the term “personal data”, “personally identifiable information (PII)” or the equivalent term under Applicable Data Protection Law.

Personal Information Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed on BİLİG OPEX systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Information.

Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.

Services” or the equivalent terms “Service Offerings” or “services” means the Cloud, Advanced Customer Support, Consulting, or Global Technical Support services specified in the Services Agreement.

Services Agreement” means (i) the applicable order for the Services you have purchased from  BİLİG OPEX;

(ii) the applicable master agreement referenced in the applicable order, and (iii) the Service Specifications.

Third Party Subprocessor” means a third party, other than an BİLİG OPEX Affiliate, which BİLİG OPEX subcontracts with and which may Process Personal Information as set forth in Section 4.

You” means the customer entity that has executed the Services Agreement.

Other capitalized terms have the definitions provided for them in the Services Agreement.

Exhibit 1: European Data Processing Addendum for BİLİG OPEX Services

(“European DPA Addendum”)

 

 

This European DPA Addendum supplements the Data Processing Agreement to include additional Processor terms applicable to the Processing of Personal Information subject to Applicable European Data Protection Law.

Except as expressly stated otherwise in the Data Processing Agreement, the Services Agreement, this European DPA Addendum or the BİLİG OPEX Processor Code, in the event of any conflict between these documents, the following order of precedence applies (in descending order): (i) the BİLİG OPEX Processor Code;

(ii) this European DPA Addendum; (iii) the body of the Data Processing Agreement; and (iv) the Services Agreement.

1.       Cross-Border Data Transfers – BİLİG OPEX Processor Code

 

  • The BİLİG OPEX Processor Code (Binding Corporate Rules for Processors) applies to the Processing of Personal Information by BİLİG OPEX on Your behalf in its role as a Processor as part of the provision of Services under the Services Agreement and this European DPA Addendum, where such Personal Information is:

(i) subject to any data transfer restrictions under Applicable European Data Protection Law; and (ii) processed by BİLİG OPEX or an BİLİG OPEX Affiliate in a country outside Europe.

  • The most current version of the BİLİG OPEX Processor Code is available on ………………………….. and is incorporated by reference into the Services Agreement and this European DPA Addendum. BİLİG OPEX has obtained EEA authorization for its Processor Code and will maintain such authorization for the duration of the Services Agreement.
  • Transfers to Third Party Subprocessors shall be subject to security and data privacy requirements consistent with the BİLİG OPEX Processor Code, the Data Processing Agreement and the Services

2.       Description of Processing

 

  • Duration of processing activities. BİLİG OPEX may Process Personal Information during the term of the Services Agreement and to perform its obligations under Section 9 of the Data Processing Agreement, unless otherwise required by applicable
  • Processing BİLİG OPEX may Process Personal Information as necessary to perform the Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing.
  • Categories of Personal Information. In order to perform the Services and depending on the Services You have ordered, BİLİG OPEX may Process some or all of the following categories of Personal Information: personal contact information such as name, home address, home telephone or mobile number, fax

number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; IP addresses and online behavior and interest data.

  • Categories of Data Subjects. Categories of Data Subjects whose Personal Information may be Processed in order to perform the Services may include, among others, Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and
  • Additional or more specific descriptions of Processing activities, categories of Personal Information and Data Subjects may be described in the Services

3.       Your Instructions

 

  • Your right to provide instructions to BİLİG OPEX as specified in Section 2 of the Data Processing Agreement encompasses instructions regarding (i) data transfers as set forth in Section 1 of this European DPA Addendum; and (ii) assistance with Data Subject requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Information or sets of Personal Information as described in Section 3 of the Data Processing
  • To the extent required by the Applicable EEA Data Protection Law, BİLİG OPEX will immediately inform You if, in its opinion, Your instruction infringes Applicable European Data Protection Law. You acknowledge and agree that BİLİG OPEX is not responsible for performing legal research and/or for providing legal advice to You.

4.       Notice and Objection Right to New BİLİG OPEX Affiliates and Third Party Subprocessors

 

  • Subject to the terms and restrictions specified in this Section 4 of the European DPA Addendum and Section 4 of the Data Processing Agreement, You provide BİLİG OPEX general written authorization to engage BİLİG OPEX Affiliates and Third Party Subprocessors to assist in the performance of the
  • Within fourteen (14) calendar days of BİLİG OPEX providing such notice to You under Section 4.2 above, You may object to the intended involvement of a Third Party Subprocessor or BİLİG OPEX Affiliate in the performance of the Services, providing objective justifiable grounds related to the ability of such Third Party Subprocessor or BİLİG OPEX Affiliate to adequately protect Personal Information in accordance with the Data Processing Agreement or Applicable European Data Protection Law in writing by submitting a “service

request” via (i) My BİLİG OPEX Support (or other applicable primary support tool) or (ii) for ACS and Consulting Services, the project manager for the Services. You and BİLİG OPEX will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Subprocessor’s or BİLİG OPEX Affiliate’s compliance with the Data Processing Agreement or Applicable European Data Protection Law, or delivering the Services without the involvement of such Third Party Subprocessor. To the extent You and BİLİG OPEX do not reach a mutually acceptable resolution within a reasonable timeframe, You shall have the right to terminate the relevant Services (i) upon serving thirty (30) days prior notice; (ii) without liability to You or BİLİG OPEX and (iii) without relieving You from Your payment obligations under the Services Agreement up to the date of termination. If the termination in accordance with this Section 4.3 only pertains to a portion of Services under an order, You will enter into an amendment or replacement order to reflect such partial termination.

5.       Information and Assistance

 

  • For hosted Services, Your audit rights under Section 7 of the Data Processing Agreement include the right to conduct inspections of the applicable Services data center facility that hosts Personal
  • In addition, You may request that BİLİG OPEX audit a Third Party Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist You in obtaining a third-party audit report concerning the Third Party Subprocessor’s operations) to verify compliance with the Third Party Subprocessor’s You will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of BİLİG OPEX’s agreement with any Third Party Subprocessors and BİLİG OPEX Affiliates that may Process Personal Information.
  • BİLİG OPEX provides You with information and assistance reasonable necessary for You to conduct Your data protection impact assessments or consult with Your Regulator(s), by granting You electronic access to a record of Processing activities and any available privacy & security functionality guides for the Services.

6.       Data Protection Officer

 

  • BİLİG OPEX has appointed a Global Data Protection Officer and, in some European countries, a local Data Protection Officer. Further details on how to contact BİLİG OPEX’s Global Data Protection Officer and, where applicable, the local Data Protection Officer, are available………………
  • If You have appointed a Data Protection Officer, You may request BİLİG OPEX to include the contact details of Your Data Protection Officer in the relevant Services
wpChatIcon