Skip to Content Skip to footer


  • No Suggestions



Annex to End-User License Agreement – Data Processing Agreement


This Data Processing Agreement (“DPA”) between you as the Controller and ACCO as the Processor supplements the Agreement. This DPA is entered into between you (or the company you represent) and ACCO.

  • ACCO provides services to you as the Controller that may require ACCO to Process Personal Data on Controller’s behalf (the “Services”).
  • The respective Services are outlined in the Agreement.
  • The parties now desire to enter into this DPA to provide protections for Personal Data (as defined below), which ACCO may Process (as defined below) in the performance of the Services.

NOW, THEREFORE, in consideration of the mutual promises contained in this DPA, the parties agree as follows:

    1. As used in this Agreement:
      1. Cross-Border Transfer” means any transfer of Personal Data between countries.
      2. Damages” means any and all claims, losses, liabilities, damages and expenses (including reasonable attorneys' fees) arising from or in connection with an indemnifiable event under Section 8, including expenses associated with (i) investigating a Data Breach, (ii) providing notice to data protection authorities regarding a Data Breach, and (iii) providing notice to individuals regarding a Data Breach.
      3. Data Protection Laws” means all applicable laws regarding privacy and data protection;
      4. Privacy Requests” means a request from an individual to exercise that individual’s rights under Data Protection Laws regarding Personal Data, including the rights of access, rectification, erasure, objection, and portability;
      5. Processing” or “Process” means any operation or set of operations related to the collection, organization, structuring, storage, usage, alteration, disclosure, or erasure of Personal Data;
      6. Subprocessor” means any entity engaged by ACCO to Process Personal Data on behalf; and
      7. Written Instructions” mean this DPA and the Agreement that constitute User’s documented instructions regarding ACCO’s processing of Persona Data on behalf of the Controller.
    2. Unless otherwise defined in in this DPA, all capitalised terms used shall have the meanings given to them in the EU General Data Protection Regulation (“GDPR”).


    1. The Processing under this DPA is that which is necessary for the provision of the Services described in the Agreement.
    2. The Processing by this DPA shall last for the effective term of the Agreement and a reasonable time thereafter for ACCO to delete or return Personal Data to the Controller.
    3. ACCO shall engage in Processing necessary to provide the Services described in the Agreement.
    4. The Processing by this DPA concerns the categories of data subjects provided in the Agreement.
    5. The Processing by this DPA concerns the categories of Personal Data provided in the Agreement.


    1. ACCO shall comply with Data Protection Laws when Processing Personal Data, as described Section 2. ACCO shall make available to Controller all information reasonably necessary to demonstrate its compliance with Data Protection Laws.
    2. ACCO shall only Process Personal Data to the extent required to provide the Services or to fulfil Controller’s Written Instructions.
    3. ACCO shall not sell, share, rent, use, or Process Personal Data for any other purpose, except as required for the provision of the Services or as required by law. 
    4. If ACCO is required by law to Process Personal Data for any other purpose, ACCO shall notify Controller before engaging in the Processing, unless prohibited by law. 
    5. If ACCO believes Controller’s instructions violate Data Protection Laws, it shall notify Controller in writing (by email), unless prohibited by law, and shall not engage in the Processing.
    6. In accordance with Data Protection Laws, ACCO shall implement adequate technical and organizational measures to ensure an appropriate level of security appropriate to the risk, including inter alia as appropriate:
      1. the pseudonymisation and encryption of personal data;
      2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
      3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
      4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
    7. ACCO shall ensure personnel authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    8. ACCO shall provide written notice (email is sufficient) to Controller without undue delay:
      1. if ACCO receives any Privacy Requests.  ACCO shall not respond and shall not be responsible to respond to Privacy Requests unless directed to do so by Controller;
      2. of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless prohibited by law;
      3. of any violations of Data Protection Laws or this DPA by ACCO or its employees or Subprocessors in connection with this DPA; or
      4. if it determines it can no longer comply with Data Protection Laws or this DPA. 
    9. ACCO shall reasonably assist Controller with its obligations under Data Protection Laws, including assisting Controller with:
      1. conducting data protection impact assessments,
      2. fulfilling Privacy Requests, and
        responding to and conducting prior consultations with data protection authorities.


    1. Controller gives ACCO a general authorization to engage Subprocessors, provided that ACCO complies with all the following requirements:
      1. ACCO shall notify Controller of any intended changes concerning the addition or replacement of Subprocessors by updating the subprocessor list in Section 4.2;
      2. ACCO shall give Controller 10 business days to object to the addition or replacement of a Subprocessors.  If Controller objects, the parties shall negotiate in good faith to resolve the objection;
      3. ACCO shall remain fully liable to Controller for the performance of Subprocessors’ obligations; and
      4. ACCO shall execute with Subprocessors a written agreement with data protection obligations at least as restrictive as those set out in this Agreement.
    2. Subprocessors that are currently engaged by ACCO are:
    Name Service(s) Provided Location(s)
    Microsoft Corporation Cloud Hosting United States
    Cognizant Worldwide Limited Technical Support United Kingdom
    United States


    1. ACCO shall prove to the Controller compliance with the obligations set forth in this DPA by appropriate means, e.g., by conducting a self-audit, documented internal binding corporate rules including external evidence of compliance, certificate on data protection and/or information security, approved codes of conduct according to Art. 40 GDPR or certificates according to Art. 42 GDPR.
    2. Should inspections by an independent auditor be necessary in individual cases, these shall be carried out during normal business hours without disrupting business operations, after notification, taking into account a reasonable lead time. In this context, the Controller agrees to the appointment of an independent external auditor by ACCO. Controller shall bear the costs incurred in relation to audits under this Section.
    3. ACCO shall, upon request and provided that the parties have an applicable NDA in place, provide Controller with a copy of the audit report pursuant to Section 5.2 of this DPA, so that Controller can reasonably verify ACCO’s compliance with its obligations under this DPA. 


    1. ACCO shall provide written notice to Controller without undue delay upon becoming aware of a potential or suspected Data Breach.
    2. The written notice of a Data Breach shall include all information relevant to assist Controller with its own notification obligations under Data Protection Laws, including the nature of the Data Breach, the number of impacted individuals, the number of impacted records, contact details for ACCO’s data protection officer or privacy contact, the potential consequences to individuals, and the steps taken in response to the Data Breach.


    1. ACCO shall comply with all requirements under Data Protection Laws regarding Cross-Border Transfers, including where required, implementing standard contractual clauses or binding corporate rules.
    2. To the extent required by Data Protection Laws, the parties hereby enter to the following standard contractual clauses, which shall be populated with the corresponding information from this Agreement:
      1. The standard contractual clauses set out in Commission Implementing Decision (EU) 2021/194, MODULE TWO: Transfer Controller to Processor;
      2. The standard contractual clauses set out in the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses; and
      3. The standard contractual clauses set out in the Annex to the Chinese “Measures for Standard Contracts on the Export of Personal Information” (个人信息出境标准合同办法).
    3. In the event of any conflict between this DPA and the standard contractual clauses in Section 7.2, the standard contractual clauses shall control.


    1. This DPA shall terminate automatically upon the later of (1) termination of the Agreement, and (2) the date that ACCO no longer possesses Personal Data.
    2. Upon termination of this DPA, ACCO shall promptly deliver to Controller or destroy, at Controller’s sole option, all Personal Data in its possession or under its control. Upon request, ACCO shall provide to Controller a written certification of destruction.


    1. The liability of the parties shall be governed by the provisions of clause 11 of the Agreement.


    1. In the event of any conflict between this DPA and any other agreement between the parties, this DPA shall control.
    2. In the event there is a change to Data Protection Laws, the parties shall reasonably cooperate to comply with such Data Protection Laws. 
    3. ACCO may amend this DPA at any time, and the then-current DPA terms will apply to any subsequent use of the ACCO Service and Application.
    4. Should any provision of this DPA be or become invalid, that shall not affect the validity of the remaining terms. The parties shall cooperate in good faith to agree to new terms that achieve a legally valid result that comes closest to that of the invalid provision.
    5. This DPA shall be governed by the same law that governs the Agreement.