Our DPA describes how we process data on behalf of our customers when they pass information to us.
Customers requiring a signed version of our DPA can request it right here.
Appendix 1 - Data processing agreement (“DPA”) - Version 1.0 August 2019
between the Customer and Legal Monster (together with the Customer, the "Parties" and separately a "Party")
1.1 This DPA forms part of the Agreement in place between the Customer and Legal Monster and reflects the Parties' agreement with regard to the processing of personal data.
1.2 Legal Monster acts as a data processor for the Customer, as Legal Monster processes personal data for the Customer as set out in Annex 1.
1.3 The personal data to be processed by Legal Monster concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
1.4 "Personal data" means any information relating to an identified or identifiable natural person, see article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation "GDPR"). If other confidential information than personal data is processed for the purpose of fulfilling the Agreement, e.g. information considered confidential according to the Financial Business Act, any reference to "personal data" shall include the other confidential information. Sensitive Data and Special Category Data will not be processed pursuant to this DPA and the Customer warrants and represents that the Customer will not be sharing, disclosing or otherwise transferring such data to Legal Monster.
2.1 Instructions: Legal Monster is instructed to process the personal data only for the purposes of providing the data processing services set out in Annex 1. Legal Monster may not process or use the Customer's personal data for any other purpose than provided in the instructions, including the transfer of personal data to any third country or an international organisation, unless Legal Monster is required to do so according to Union or member state law. In that case, Legal Monster shall inform the Customer in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2 If the Customer in the instructions in Annex 1 or otherwise has given permission to a transfer of personal data to a third country or to international organisations, Legal Monster must ensure that there is a legal basis for the transfer, e.g. the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries.
2.3 If Legal Monster considers an instruction from the Customer to be in violation of the GDPR, or other Union or member state data protection provisions, Legal Monster shall immediately inform the Customer in writing about this.
2.4 If Legal Monster is subject to legislation of a third country, Legal Monster declares not to be aware of the mentioned legislation preventing Legal Monster from fulfilling the Agreement. Legal Monster will notify the Customer in writing without undue delay, if Legal Monster becomes aware of such hindrance.
3.1 Legal Monster must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Legal Monster shall implement appropriate technical and organisational measures to prevent that the personal data processed is (i) accidentally or unlawfully destroyed, lost or altered, (ii) disclosed or made available without authorisation, or (iii) otherwise processed in violation of applicable laws, including the GDPR.
3.3 Legal Monster must also comply with the special data security requirements that apply to the Customer, see Annex 1, and with any other applicable data security requirements that are directly incumbent on Legal Monster; including the data security requirements in the country of establishment of Legal Monster or in the country where the data processing will be performed.
3.4 The appropriate technical and organisational security measures must be determined with due regard for (i) the current state of the art, (ii) the cost of their implementation, and (iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Legal Monster shall upon request provide the Customer with sufficient information to enable the Customer to ensure that Legal Monster complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented.
3.6 The Customer is entitled at its own cost to appoint an independent expert who shall have access to Legal Monster's office and receive the necessary information in order to be able to audit whether Legal Monster complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented. The Customer must give Legal Monster 30 days prior written notice of such request for access. The expert shall upon Legal Monster's request sign a customary non-disclosure agreement, and treat all information obtained or received from Legal Monster confidentially, and may only share the information with the Customer and Legal Monster.
3.7 Legal Monster must provide information related to the provision of the services to authorities or the Customer's external advisors, including auditors, if this is necessary for the performance of their duties in accordance with Union or member state law.
3.8 Legal Monster must give authorities who by Union or member state law have a right to enter the Customer's or the Customer's supplier's facilities, or representatives of the authorities, access to Legal Monster's physical facilities against proper proof of identity.
3.9 Legal Monster must without undue delay after becoming aware of the facts in writing notify the Customer about: (i) any request for disclosure of personal data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law, (ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Legal Monster under the Agreement, or (b) other material failure to comply with Legal Monster's obligations under Clause 3.2 and 3.3 in this Agreement.
3.10 Legal Monster must promptly assist the Customer with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, restriction or deletion. Legal Monster must also assist the Customer by implementing appropriate technical and organisational measures, for the fulfilment of the Customer's obligation to respond to such requests.
3.11 Legal Monster must assist the Customer with meeting the other obligations that may be incumbent on the Customer according to Union or member state data protection law where the assistance of Legal Monster is implied, and where the assistance of Legal Monster is necessary for the Customer to comply with its obligations. This includes, but is not limited to, providing the Customer on request with all necessary information about an incident under Clause 3.9 (ii), and all necessary information for an impact assessment in accordance with articles 35 and 36 of the GDPR.
3.12 Any services from Legal Monster as set out in clause 3.6 to 3.8 and 3.10 to 3.11 are billable and will be charged in accordance with the price list made available to the Customer upon concluding this agreement.
3.13 In Annex 1, Legal Monster has stated the physical location of the servers and offices used to provide the data processing services. Legal Monster undertakes to keep the information about the location updated by providing a prior written notice of 30 days to the Customer. This does not require a formal amendment of Annex 1; prior written notice by mail or email suffices.
4.1 Legal Monster may engage a sub-data processor. At the time of the Agreement, Legal Monster uses the sub-data processors set out here. Legal Monster undertakes to inform the Customer of any intended changes concerning the addition or replacement of a sub-data processor by providing 30 days' prior written notice to the Customer. The Customer may object to the use of a sub-data processor if such objection is relevant and reasoned with regard to data protection issues. If the objection is relevant and reasoned, Legal Monster may suggest a new sub-data processor in order for the Customer to accept that one or give the Customer the right to cancel the Agreement (in Legal Monster’s sole discretion).
4.2 Prior to the engagement of a sub-data processor, Legal Monster shall conclude a written agreement with the sub-data processor, in which at least the same data protection obligations as set out in the Agreement shall be imposed on the sub-data processor, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
4.3 The Customer has the right to receive a copy of Legal Monster's agreement with the sub-data processor as regards the provisions related to data protection obligations. Legal Monster shall remain fully liable to the Customer for the performance of the sub-data processor's obligations.
5.1 Legal Monster shall keep personal data confidential pursuant to the signed subscription service agreement in place between the parties.
6.1 The Parties may at any time agree to amend this Agreement. Amendments must be in writing and the Customer accepts that notifications about such amendments can be made via email.
6.2 Neither party may assign this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, both parties may assign their rights and obligations under this Agreement in connection with a consolidation, merger, acquisition or sale of substantially all of its assets, shares or activities without the prior written consent of the other party.
7.1 The term of this DPA shall correspond to the term of the Agreement.
7.2 Regardless of the term of the Agreement, the Agreement shall be in force as long as Legal Monster processes the personal data, for which the Customer is data controller.
7.3 On the Customer's request Legal Monster shall immediately delete or anonymise personal data, which Legal Monster is processing for the Customer, unless Union or member state data protection law requires storage of the personal data.
8.1 If any of the provisions of the Agreement conflicts with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of the Agreement shall prevail. However, the requirements in Clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Legal Monster. Furthermore, the Agreement shall not apply if and to the extent the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for Legal Monster and/or for sub-suppliers.
8.2 This Agreement does not determine the Customer's remuneration of Legal Monster for Legal Monster's services according to the Agreement.
This Annex constitutes the Customer's instruction to Legal Monster in connection with Legal Monster's data processing for the Customer, and is an integrated part of the Agreement.
The processing of personal data
a) Purpose and nature of the processing operations
b) Categories of data subjects: I. Users
c) Categories of personal data: Re b) I: Name, email address, IP address, what consent the user has given and when, if the user unsubscribes and when
d) Special categories of data: None
e) Location(s), including name of country/countries of processing: USA and EU - for more details see Sub-data processors.