Data Protection


  1. Regarding the personal data to which ONYX may access during the execution of this Agreement (the “Personal Data”), Parties undertake the followings:
    1. The Customer contracts the services provided by ONYX (described and agreed in this Agreement) in the context of the activities that ONYX develops in favor of its Customer. As a consequence of these services ONYX may access to certain Personal Data.
    2. The Customer is the entity legally responsible of the Personal Data to which ONYX may access by virtue of this Agreement (the Customer will be referred as the “Controller” and ONYX as the “Processor”).

      It should be noted that the access of ONYX to the Personal Data will not be considered as a data communication since the access is necessary to provide a service to the Controller. However, it will be considered that data communication exists when the purpose of the access by ONYX is to establish a new link with the data subject.

    3. ONYX complies with the EU-US Privacy Shield Framework as set forth by the US Department of commerce regarding the collection, use and retention of personal information transferred from the European Union to the United States, being adhered to the EU-US Privacy Shield Framework.
  2. This Agreement will be governed by the Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data(General Data Protection Regulation) (“GDPR”). Notwithstanding the foregoing, since the Customer and/or its establishments could have a different nationality than ONYX, the Personal Data could be subject to different legislations. Parties undertake to comply with any applicable legislation (jointly with GDPR and any other rules in force regarding the Personal Data, the “DP Laws”).


    1. Customer undertakes having obtained all the consents and/or authorizations requested by DP Law in order to give access ONYX to the Personal Data.
    2. Where ONYX processes Personal Data on behalf of the Customer, ONYX shall:

      procure that any person acting under its authority who has access to Personal Data shall process the Personal Data only on and in accordance with the Customer documented instructions (“Processing Instructions”); and

      immediately inform the Customer of any legal requirement that would require ONYX to process the Personal Data otherwise than only on the Processing Instructions, or if any Customer instructions infringes DP Laws.

    3. ONYX shall implement and maintain, appropriate technical and organisational measures in relation to the processing of Personal Data:

      – such that the processing will meet the requirements of DP Laws and ensure the protection of the rights of data subjects;

      – so as to ensure a level of security in respect of Personal Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

    4. Without prejudice to point iii) above, ONYX shall, in respect of all Personal Data processed by it under this Agreement, comply with the requirements regarding security of processing set out in DP Laws, all relevant Customer’s policies and in this Agreement.
    5. ONYX shall not engage another subprocessor to perform specific processing activities in respect of the Personal Data on behalf of or the Customer without prior written consent of the Customer and, if the Customer gives its consent, ONYX shall appoint its subprocessor under a binding written contract which imposes the same data protection obligations as are contained in this Agreement on the Subprocessor. Notwithstanding the foregoing, the Customer expressly authorizes ONYX to subcontract the services of conservation or storage of the personal data by a third party(in a Datacenter, iCloud or similar). ONYX shall inform to the Customer, through the Legal Notice in the ONYX Network, about the details of the outsourcing service, giving the Customer the opportunity to object to any changes, and undertake to sign a contract with the third party in accordance with DP Laws and with this Agreement
    6. ONYX shall ensure that ONYX personnel processing Personal Data have signed agreements requiring them to keep Personal Data confidential, and take all reasonable steps to ensure the reliability of ONYX personnel processing Personal Data and that ONYX personnel processing Personal Data receive adequate training on compliance with this clause and the DP Laws applicable to the processing.
    7. ONYX shall implement and maintain, appropriate technical and organisational measures to assist the Customer in the fulfillment of the Customer’s obligations to respond to data subject requests relating to Personal Data (exercising any right of data subject under DP Laws), including to ensure that all data subject requests it receives are recorded and then referred to the Customer within three (3) business days of receipt of the request.
    8. ONYX shall provide reasonable assistance, information and cooperation to ONYX’s Customers to ensure compliance with their obligations under DP Laws.
    9. ONYX shall not transfer any Personal Data to any third party without prior written consent of the Customer, and under its instructions.
    10. ONYX shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer containing such information as required under DP Laws and any other information the Customer reasonably require (“Processing Records”),and shall make available to the Customer on request in a timely manner such information (including the Processing Records) as is reasonably required by the Customer to demonstrate compliance by ONYX with its obligations under DP Laws and this Agreement, which the Customer may disclose to the Supervisory Authority or any other relevant regulatory authority.
    11. ONYX shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer for the purpose of demonstrating Customer’s compliance with its obligations under DP Laws and this Agreement, subject to Customer giving ONYX reasonable prior notice of such audit and/or inspection, and ensuring that any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to ONYX’s business and other customers.
    12. In respect of any personal data breach (actual or suspected) related to this Agreement, ONYX shall notify the Customer of the breach without undue delay (but in no event later than 12 hours after becoming aware of the personal data breach) and provide the Customer without undue delay (wherever possible, within 24 hours of becoming aware of the breach) with such details relating to the breach as reasonably requires.
    13. ONYX shall without delay, at the Customer written request, either securely delete or return all the Personal Data to the Customer in hard copy or electronic form after the end of the provision of the relevant Services related to processing or, if earlier, as soon as processing by ONYX of any Personal Data is no longer required for the Customer’s performance of its obligations under this Agreement, and securely delete existing copies (unless storage of any data is required by law, and if so ONYX shall notify the Customer of this).
    14. Parties agree and undertake to hold the other party harmless from any claim that may be filed as a result of the breach of the guarantees contained in this clause, and agree to pay any amounts that the other party may be obliged to pay as a result of such breach in the form of penalties, fines, indemnification, damages, loss and interest.