4.1 Processing by the Processor in Adherence to the GDPR. The Processor and its Sub-processors adhere to the requirements of the GDPR. The Processor complies with the following conditions:
4.1.1 Processing in Adherence to the Agreement and the DPA. The Processor processes Personal data only in the extent and in such a manner which is required to provide services set out in the DPA and the Agreement and in adherence to instructions from time to time provided by the Controller.
4.1.2 Assistance to the Controller. The Processor provides reasonable assistance to the Controller in connection with the processing of Personal data, i.e., the following:
(a) The Processor helps the Controller fulfil the obligation to respond to requests for the exercise of the Data Subject’s rights provided for in Chapter III of the GDPR. For this purpose, the Processor informs the Controller about the Data Subject’s requests and forwards them to the Controller. The Processor helps to respond to the Data Subject’s requests upon receiving such instructions from the Controller if the request is connected to the processing done by the Processor.
(b) The Processor helps to fulfil the obligations set forth in Articles 32-36 of the GDPR.
The Processor has the right to request a fee for the assistance provided in accordance with the separate agreement between the Parties, except in cases where the need of such assistance is caused by the actions or omissions of the Processor and/or Sub-processor(s) in violation of the requirements of the Agreement or the DPA.
4.1.3 Return and/or Deletion of Personal data. Upon a respective request by the Controller, the Processor returns to the Controller or deletes all Personal data in the Processor’s power, possession, or control, unless retention of a copy is required by law. Returns and/or deletions are undertaken within a reasonable period of time.
4.2 Data Processing Agreement with Sub-processor. The Processor undertakes to conclude a data processing agreement with its Sub-processor if the Sub-processor has access to the Personal data processed based on the Agreement. The respective data processing agreement protects the rights of the Data Subject and Personal data at least as much as this DPA.
4.3 Responding to the Controller’s Personal Data Related Inquiries. The Processor responds to the Controller’s inquiries related to the processing of Personal data within seven (7) working days at the latest (except for situations listed in Section 8.1.3). If it is a voluminous request, the Processor may extend the deadline for submitting a response to a reasonable extent, but not more than additional twenty (20) days.
4.4 Non-adherence to the GDPR. Where the Processor identifies the following situations:
(a) that it is for some reason unable to perform the obligations arising from this DPA and it cannot remedy such non-performance; or
(b) the Processor learns of any circumstance or change in applicable data protection legislation that is likely to materially impair the ability of the Processor to perform its obligations under this DPA;
(c) the Processor notifies the Controller thereof, after which both Parties have the right to temporarily suspend processing until the processing is reorganized in a manner that allows the non-compliance to be remedied. If such reorganization is not possible, the Processor will have the right to terminate the processing, including right to extraordinarily terminate the Agreement.
4.5 Change of Role of the Processor to Controller. If the Processor processes Personal data, which processing conditions are not regulated by the DPA and Annex 1, then the Processor is considered a separate Controller within the scope of the specific processing activity. Also, in the case of processing for different purpose(s) than indicated in the DPA and the Agreement, the Parties may be separate Controllers, if the requirements of the GDPR are met.