1. Subject matter and scope of these General Terms of Service
(1) These General Terms of Service (hereinafter: “Terms”) govern the rights and obligations of the Customer (hereinafter: “Customer” or “You”) and the company entity MorenOE (hereinafter: “MorenOE”, “We” or “Us”) and jointly referred to as a “Party” in connection with the use of the service of MorenOE for carrying out online surveys (hereinafter: “the Agreement”).
(2) The Terms of MorenOE shall apply exclusively. Any terms and conditions of the Customer which deviate from or are in conflict with these Terms shall not apply unless MorenOE has expressly agreed to them in writing or in text form. These Terms shall also apply if MorenOE provides its services without reservation even if the Customer’s conditions deviate from or are in conflict with those of MorenOE.
2. Conclusion of Agreement
(1) The use of MorenOE services requires registration with MorenOE. MorenOE reserves the right to deny the set up for an Agreement in individual cases.
(2) The Agreement shall only become valid after the Customer receives a confirmation in text format (e.g. email) from MorenOE.
(3) MorenOE provides its service on the basis of different tariffs either with or without usage fees. The Customer may use the service according to the conditions of the chosen tariff after receiving the confirmation of MorenOE. If requested, the Agreement shall be documented in written form.
3. Description of Services
(1) The Customer can use the service for online surveys in accordance with its chosen tariff in connection with the Description of Services/Price List within the respective possible technical and operational capabilities.
(2) Content and scope of the services shall be governed by the respective contractual agreements, and apart from that by the current functionalities which are available on the website of MorenOE.
(3) The hardware and/or software requirements for the use of services are described in the user manuals of MorenOE.
(4) Services of the Provider include in particular:
- conducting of online surveys with a plurality of participants
- evaluation of conducted online surveys
4. Intellectual Property Rights
(1) The site and the services of MorenOE and all information and screens appearing on the sites, including documents, services, site design, text, graphics, logos, images and icons, as well as the arrangement thereof, are the sole property of MorenOE or an affiliated company of the MorenOE Group. Except as otherwise required or limited by applicable law, any reproduction, distribution, modification, retransmission, or publication of any copyrighted material is strictly prohibited without the express written consent of the copyright owner or license. MorenOE reserves all rights in the site and the services that are not expressly granted. [MorenOE] is a Swedish and European trademark of MorenOE AB. Nothing in the Agreement between the Parties shall be deemed to assign or transfer to the Customer any rights to any such intellectual property. The Customer furthermore acknowledges and agrees that content made available to the Customer through the services may be subject to the intellectual property rights of third parties.
(2) MorenOE however allows the Customer to, during the entire agreement period, use protected material through the proper usage of MorenOE.
(3) Unless specifically stated otherwise, MorenOE may refer to the Customer as a user of MorenOE or use services executed or products delivered as reference cases without specific permission thereof.
5. Responsibility for Access Data
(1) Customer’s access data (user name, password etc.) specified during the course of registration must be kept secret by the Customer and must not be made accessible to unauthorised Third Parties.
(2) The Customer is also required to ensure that the access to and use of the service of MorenOE with the personal data of the user is done only by the user and/or authorised users. If there are facts justifying the assumption that unauthorised Third Parties have or will gain knowledge of the User’s data, MorenOE shall be informed immediately.
(3) In case of reasonable suspicion of unauthorised use of the account, MorenOE has the right to lock the access to the account. In such case, the Customer will receive new access data from MorenOE.
(4) For Customers who are legal persons or public institutions, the employees of the Customer are not Third Parties within the meaning of paragraphs (1) – (3). However, the Customer must ensure that employees obtain knowledge of the access data only as far as they need it for the performance of the Customer’s tasks. Partners of MorenOE which have concluded a corresponding partnership agreement in writing may, provided that the service is used by the Partner on behalf or to the benefit of a Third Party, make this service available to this Third Party. The Partner has to ensure that the Third Party only uses the service according to the agreed conditions, especially these conditions and the Description of Service.
(5) In accordance with statutory regulations, the Customer shall be liable for any use and/or other activity that is carried out with his access data.
(6) Access Data for any MorenOE account is strictly personal and may not be used by several individuals. MorenOE reserves the right to control and lock access to the account if this is breached.
6. General Obligations of the Customer
(1) The Customer is obliged to provide accurate and truthful information regarding his/her person or its business in the course of using the online survey systems by MorenOE.
(2) The Customer is obliged to comply with applicable laws when using the online survey systems by MorenOE.
(3) The Customer is obliged to treat as confidential any e-mail or other electronic messages received in connection with the use of MorenOE’s online survey system or from other users and not to transmit them to Third Parties without the consent of the communication partner.
(4) If the Customer, in a permissible way, enables employees or vicarious agents to use the online survey systems, he shall oblige them in a suitable manner to comply with the obligations for Customers stated in these Terms.
(5) Further obligations arising from other regulations of these Terms shall remain unaffected.
7. Change of Services
(1) MorenOE shall be entitled at any time to change its free of charge services which are provided on the Internet, to make new services available free of charge or against payment and to end the provision of free of charge services. When doing so, MorenOE will have regard to the legitimate interests of the users.
(2) The Customer is entitled to the services listed under section 3 of these Terms. MorenOE may change or limit services beyond those mentioned at any time, as far as the legitimate interests of the Customer are taken into account in an appropriate manner.
8. Data Retention and Deletion
(1) The Customer may at any time via its access provided by MorenOE, delete its questionnaires, addresses and survey results or let them be deleted by an employee of MorenOE.
(2) MorenOE has the right, without prior notice, to irrevocably delete all of the customer data set, including questionnaires, survey participants and survey results thirty (30) days after expiration of the Agreement.
(3) MorenOE will delete Customer’s data ninety (90) days after termination of the Agreement.
(1) MorenOE is committed to provide an almost uninterrupted usability of its services. However, due to technical disturbances (e.g. interruption of power supply, hardware and software failure, connection loss) temporary restrictions or interruptions may occur.
(2) For all services that are subject to charge, MorenOE warrants, in its area of responsibility, an availability of 98% on yearly average. The regular maintenance windows of up to four (4) hours each week, which are normally carried out between midnight and 6am CET, are not part of the calculation of availability. MorenOE will notify the Customer immediately – wherever possible – about deviating planned maintenance in advance.
(3) MorenOE points out that data loss may occur even with a duly performed data backup. The Customer is therefore recommended to store data like survey results and addresses regularly on its own, external storage devices.
(1) MorenOE warrants for the duration of the Agreement that the service provided by MorenOE will fulfil the agreed functions. The prerequisite for warranty is the use of the service in accordance with the Agreement.
(2) MorenOE will remedy any deviations from what is agreed in terms of functionality and scope through free rectification at our discretion.
(3) The Customer is only entitled to extraordinary termination of the agreement due to the failure to be granted use in accordance with the Agreement, if MorenOE has been given sufficient opportunity to rectify the defect and such attempt has failed. The rectification may be deemed a failure only if rectification is impossible; if MorenOE refuses the rectification or it is delayed to an unreasonable extent; if there are justified doubts as regards to success or if it is unreasonable for the Customer on other grounds.
(4) The rights of the Customer relating to defects shall not apply if Customer made changes or commissioned such changes to the online survey system of MorenOE without consent of MorenOE, unless the Customer proves that these changes have no undue effect for Provider in regard of analysis and remedy of defects.
(5) Warranty claims of the Customer shall expire after twelve (12) months.
11. Acceptable Use
(1) When using online survey system of MorenOE, the Customer is prohibited from any activities that violate applicable law, infringe the rights of Third Parties or violate the principles for the protection of children and young persons. In particular, the following actions are prohibited:
- providing, distribution, public display and advertising of content, services or products that are of pornographic nature, violate protection of children and young persons, data protection laws and/or any other applicable laws and/or is of fraudulent nature;
- utilisation of content that is offensive or slanderous to other participants or Third Parties;
- utilisation, provision and distribution of content, services and/or products that are protected by law or by the right of Third Parties (e.g. copyright) without having the explicit permission to do so.
(2) Furthermore, the following activities are also prohibited regardless of a possible violation of laws when using the online survey systems of MorenOE:
- distribution of viruses, trojans and other files with similar purposes;
- transmitting junk emails or spam emails and chain mails;
- distribution of offensive, objectionable, sexually explicit, obscene or defamatory content or communication as well as of content or communication that is likely to promote or support racism, fanaticism, hatred, physical violence or illegal activities (either implicit or explicit);
- harassment of other participants, for example through repeatedly contacting them in person without or in contrast to the reaction of the participant as well as promoting or supporting such harassment;
- requesting other participants to disclose their passwords or other personal data for commercial or unlawful or illegal purposes;
- the distribution and/or public display of content available on the portal without having the explicit permission by copyright holder or without using a functionality which has been explicitly made available on the portal.
(3) Also prohibited is any activity that may impair the smooth operation of the online survey system of MorenOE, in particular to stress the provider’s servers unduly.
(4) Unless expressly agreed in writing, the use of MorenOE’s online survey systems for Third Party purposes is prohibited. This particularly includes the resale of the use of MorenOE and/or the performance of surveys with MorenOE survey systems for other companies or external persons. When conducting surveys with MorenOE survey systems, the Customer’s logo, brand name or any other company symbol must be displayed. The contact address in connection with surveys shall be an e-mail address attributable to the Customer’s domain or an e-mail address with a MorenOE domain. In the event of a breach of these obligations, MorenOE is entitled to terminate the Agreement without notice and to claim damages for loss of profit.
12. Prices and Terms of Payment
MorenOE offers services in different price variants and tariffs. Please refer to the Agreement or the contractual regulations for the agreed prices.
(1) MorenOE shall charge its customers according to the remuneration agreed on by both Parties. Payment of the fee for the corresponding invoicing period shall be made in advance. The Customer receives an appropriate invoice from MorenOE. The right to remuneration is due on receipt of the invoice. Remuneration shall be paid within twenty (20) days to the account of MorenOE.
(2) Timeliness of payment will be acknowledged as soon as the amount is at our unreserved disposal.
(3) In the event of default, MorenOE shall be entitled to claim damage caused by delay at the statutory rate from the Customer.
14. Price Adjustment
(1) Customer and MorenOE will redefine the level of remuneration as soon as the costs for the underlying services by MorenOE rise in such amount through the introduction or modification of taxes or other levies or other legal provisions and regulations, by official measures, due to an increase in labour, material and other costs, that the contractual parties would have to make more than only minor changes to the existing levels of remuneration in the event of the theoretical conclusion of a renewal of the relevant schedule of services.
(2) In the event that the Customer and MorenOE shall not be able to agree on the new level of remuneration within a period of thirty (30) days, the remuneration is determined (by a conciliator, to be appointed by both Parties) with consideration of the respective market price level.
(3) A price adjustment can be demanded for the first time in the thirteenth (13th) month after Conclusion of Agreement. The preceding shall apply accordingly for an adjustment of the general price/tariff list.
15. Indemnity Against Liability
(1) The Customer shall hold harmless MorenOE, on first demand, from any liability vis-a-vis Third parties deriving from the Customer’s violation (in connection with the use of online survey systems from MorenOE) of legal regulations, against the right of Third Parties (in particular against privacy rights, copyrights or trademark rights) or against contractual obligations, warranties or promises, including the costs incurred for necessary legal defence in statutory amount.
(2) The Customer is obliged, in case of assertion of claims in the meaning of paragraph 1 to immediately and fully participate in establishing the facts of the matter and to provide MorenOE with the necessary information in appropriate manner.
16. Blocking of Access
(1) MorenOE shall have the right to block the access of the Customer to the online survey system temporarily or permanently if there are concrete indications that the Customer violates or has violated these Terms and/or applicable law or if MorenOE has a legitimate interest in a blocking of access. A legitimate interest of MorenOE exists in particular if the Customer is in arrears with payment for more than thirty (30) days.
(2) MorenOE will take into account the legitimate interest of the Customer in this decision.
17. Personal Data Processing Appointment of MorenOE as a Data Processor and Processing of contact information
(1) By entering the Agreement, the Customer acting as the controller of Personal Data, appoints MorenOE as data processor with regard to any Personal Data disclosed to MorenOE under the Agreement. MorenOE has entered into a Data Processing Agreement with the Customer as set out in Appendix 1 MorenOE DPA (Data Processor Agreement).
(2) In the event of conflict between the provisions of the Agreement and the Data Processor Agreement, the provisions of the Data Processor Agreement shall take precedence in relation to all processing of Personal Data.
(3) MorenOE shall be entitled to process Personal Data regarding the Customer’s contact persons, personnel and other individuals in order to fulfil the obligations set forth in the Agreement. Such Personal Data may include, for example, contact information, information about work tasks and other information that MorenOE receives in relation to this Agreement. The purpose of MorenOE’s processing shall be to enable implementation of the Parties’ respective obligations and cooperation under this Agreement and the administration of the contractual relationship and security. The processing can also be carried out in accordance with instructions and purposes otherwise given by the Customer.
(5) At the request of MorenOE, the Customer shall be able to prove that necessary information has been provided to the affected persons. Insofar as the affected persons submit comments on MorenOE’s processing, the Customer shall immediately inform MorenOE of such comments. The Customer shall also inform MorenOE if any of the affected persons is no longer employed by the Customer.
(6) Customer’s use of MorenOE is automatically registered and monitored by MorenOE for the sole purpose of general statistical analysis in order to maintain good service. Any monitoring and analysis of registered and gathered Customer data is only for the internal purposes as indicated above. If the Customer has used any of MorenOE’s premade standardised surveys, such data may only be used by MorenOE for external use if in aggregated form and if the Customer and any included data is kept completely anonymous.
18. Limitation of Liability
(1) MorenOE is liable without limitation for damages caused intentionally or by gross negligence by MorenOE in connection with the performance of contractual services.
(2) In case of slight negligence, MorenOE is liable in the case of injury to life, body or health.
(3) Otherwise MorenOE is only liable in case of violation of an essential contractual obligation. Essential contractual obligations refer in an abstract way to such obligations that are essential for fulfilling the proper performance of the Agreement as such and the observance of which the contractual partner may regularly rely on. In these cases, liability is limited to the replacement of foreseeable, typically occurring damage, and to the maximum of a one-year license fee.
(4) In the event of loss of data, for which MorenOE is responsible, the claim for damages is limited to the costs of data recovery from the last backup which has been made by the Customer and stored by the Customer. In that regard, we point out the Customer’s duty of data backup in accordance with section 9 (3) of these Terms.
(5) Where the liability of MorenOE is excluded or limited by said provisions, this also applies to its agents.
19. Agreement Period / Termination
(1) The Agreement period arises from the statement of services or price list in conjunction with the tariff chosen by the Customer.
(2) Agreements are renewed automatically except if a notice of termination has reached MorenOE thirty (30) days before end of the Agreement period. For Agreements with a fixed term an early termination is excluded. An extraordinary right of termination shall be unaffected.
(3) MorenOE shall have the right of extraordinary termination in any case if the Customer violates these Terms or other applicable contractual obligations with MorenOE.
(4) Either party has the right to terminate the Agreement with a period of notice of thirty (30) days before the end of the Agreement period.
(5) The notice of termination has to be in written form.
20. Communication and Notices
(1) MorenOE may provide the Customers with electronic notices, including e-mail, and information within the MorenOE Service that is of importance regarding the service or the contractual relationship. Notices are received by the Customer as of the date they are made available by MorenOE to the Customer and it is the responsibility of the Customer to be available to receive such notices.
(2) MorenOE may alter the Terms with six (6) weeks’ notice. Changes shall not concern already charged fees or services already paid for by the Customer.
21. Transfer of Legal Rights
(1) The Customer may not transfer this Agreement to another party or legal entity without the previous written approval from MorenOE. MorenOE may transfer this Agreement, partially or in full, if MorenOE is subject to an organisational change where MorenOE is transferred to a new majority ownership.
22. Force Majeure
(1) Where a party is prevented from fulfilling its obligations pursuant to an entered Agreement due to circumstances which are beyond the party’s control such as lightning, labour disputes, fire, amendments to regulations issued by governmental authorities, intervention by the authorities and errors or delays in services from subcontractors due to circumstances as stated herein, such circumstances shall constitute an excuse which occasions a postponement of operating performance and a release from liability in damages and any other penalties.
23. Final Provisions
(1) Disputes, controversies or claims arising out of or in connection with the Agreement, or the breach, termination or invalidity thereof, shall, where the amount in dispute does not exceed EUR 50,000, be settled by a national court of law. The court of jurisdiction shall be that of the business location of MorenOE and governed by the laws of that country.
(2) Where the dispute exceeds EUR 50 000 the dispute shall instead, and finally, be settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the “SCC”). The Rules for Expedited Arbitrations, where the Arbitral Tribunal is composed of a sole arbitrator, shall apply. The language to be used in the arbitral proceedings shall be English and governed according to Swedish Law. The amount in dispute includes the claims made in the Request for Arbitration and any counterclaims made in the Answer to the Request for Arbitration.
(4) Regardless of what is mentioned above MorenOE shall always be entitled to forward claims for payment through public administration. Claims following the Agreement must be put forth in writing to the other party without delay, no later than ninety (90) days, from when the cause to the claim arose.
MorenOE Data Processing Agreement
This Data Processing Agreement (“DPA”) is an appendix and an integral part of the MorenOE General Terms of Service (“General Terms”) entered into with the Customer that has accepted the General Terms:
1.1 Upon performance of the Agreement regarding the cloud-based software solution, MorenOE will be Processing Personal Data on behalf of the Customer in capacity of the Customer’s Data Processor. The Customer is the Data Controller of the Processing of Personal Data (the “Controller”). For the purpose of ensuring compliance with the Data Protection Rules, the Parties enter this Data Processing Agreement (“DPA”) which forms an integral part of the entire agreement between the Parties (the “Agreement”). In the parts that terms may overlap, the terms in this DPA shall be given precedence over the conflicting terms when concerning the Processing of Personal Data.
1.2 The purpose of this Agreement is to ensure that Processing is carried out in accordance with the applicable requirements for data processing and obligations under Data Protection Rules and to ensure adequate protection of personal integrity and fundamental rights of individuals during the transfer of Personal Data from the Customer to MorenOE and its Processing within the framework of the Services that MorenOE performs under the Agreement.
- “Process/Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
- “Customer” means the party defined as the Customer above and to the extent that the Customer enters into this Data Processing Agreement on behalf of other service recipients pursuant to the Agreement also such service recipients, when appropriate.
- “Data subject” means the natural person to whom Personal Data relates.
- “Data Protection Rules” means the from time to time applicable laws and regulations in respect of Processing of Personal Data, including but not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), any local applicable laws implementing the GDPR, as well as the competent Supervisory Authority’s binding decisions, regulations and recommendations and other supplementary local adaptions and regulations in respect of data protection.
2.1 Unless otherwise stated, any other term or concept used in capitalized letters in this DPA (except in some cases as part of a heading) shall have the meaning and conception that is established in the Data Protection Rules and otherwise in the Agreement, unless the circumstances obviously require another interpretation.
2.2 This Agreement governs the Controller’s rights and obligations as Controller and the Processor’s rights and obligations as Processor when the Processor Processes Personal Data on behalf of the Controller.
3 Appendices to this DPA
- Appendix 1: Data Processing instructions
- Appendix 2: Sub-Processors
4 Responsibility and Instruction
4.1 The Personal Data Processed by MorenOE on behalf of the Customer is primarily Personal Data relating as further set out in Appendix 1 (Instructions for Processing Personal Data).
4.2 The Customer is Controller for all the Personal Data that MorenOE Processes on behalf of the Customer under the Agreement. The Customer is therefore responsible for complying with Data Protection Rules. In addition to the requirements that apply directly to a Processor in accordance with Data Protection Rules, MorenOE shall be obliged to comply with any such other applicable requirements, which MorenOE has been informed of by the Customer.
4.3 The Processor and any person acting under the authority of the Processor, who has access to Personal Data, shall not Process those data except on instructions from the Controller and according to Data Protection Rules. Processing may also be performed when required by EU law or applicable member state law, which MorenOE or Sub-Processor is subject to. MorenOE shall only Process Personal Data on documented instructions from the Customer. The Customer’s instructions to MorenOE regarding the nature, purpose, Processing and storage of the Personal Data are set out in the Agreement and in Appendix 1. Any additional instructions must be given by the Customer in writing or in a documented electronic format. Verbal instructions must be confirmed immediately in writing or in a documented electronic format. Instructions that go beyond the contractually agreed services shall be treated as a request for a change in performance and shall entitle MorenOE to a reasonable remuneration.
4.4 The Customer shall immediately inform MorenOE of changes that affect MorenOE’s obligations according to this DPA. The Customer shall inform MorenOE in case anyone else, either alone or jointly with the Customer, is Data Controller(s) of the Personal Data.
4.5 MorenOE may not Process Personal Data for other purposes than those for which MorenOE was commissioned.
4.6 MorenOE’s right to store, process and exploit data derived from the Customer in an aggregated and anonymized format, containing no Personal Data, remains unaffected.
5 Security and Confidentiality
5.1 MorenOE shall implement technical and organizational measures, as required by the Data Protection Rules, in order to ensure a level of security that is appropriate with regards to the risk and to protect Personal Data being Processed from accidental or unlawful destruction, loss or alteration, or unauthorized disclosure of, or access to, the Personal Data being Processed.
5.2 To the extent necessary and reasonable MorenOE shall assist the Customer in ensuring that the obligations under Articles 32-36 of the GDPR are fulfilled, taking into consideration the type of Processing and the information available to MorenOE.
5.3 MorenOE undertakes not to disclose information about the Processing of Personal Data covered by the Agreement or any other information that MorenOE has received as a result of the Agreement to a third party. This commitment does not apply to information that MorenOE has been submitted to disclose to an Authority or under Data Protection Rules. The Processor undertakes to notify the Controller in writing of any injunction of such disclosure that has been issued.
5.4 MorenOE shall, where applicable, comply with national legislation applicable to classified or confidential information. MorenOE undertakes to ensure that personnel authorized to process Personal Data under this DPA have undertaken to observe confidentiality for the Processing or are subject to applicable statutory duty of confidentiality.
5.5 The confidentiality obligation also applies after the Agreement has ceased to apply.
6 Disclosure of Personal Data and Information etc.
6.1 MorenOE may not without written consent from the Controller disclose or otherwise make Personal Data that is being Processed under this Agreement available to third parties, unless otherwise provided by the applicable European and national law, court or government decision.
6.2 If a Data subject requests access to information from MorenOE regarding the Processing, MorenOE shall refer such requests to the Customer.
6.3 If a supervisory authority requests information from MorenOE regarding the Processing of Personal Data, MorenOE shall inform the Customer of the request. MorenOE may not act on behalf of or as a representative of the Customer.
6.4 MorenOE shall assist the Customer in complying with their obligation to respond to requests regarding a Data Subject’s right stated in Chapter III of the GDPR, by taking technical and organizational measures, which are appropriate taking into account the nature of the Processing.
7.1 Personal Data may be Processed by a Sub-Processor provided that the Sub-Processor meets the specified conditions set out in this Agreement. MorenOE shall ensure that all Sub-Processors are bound by written agreements which impose on them the corresponding obligations when Processing Personal Data as per the Agreement. Appendix 2 contains a list of currently approved Sub-Processors as of the signatory date of this Agreement. MorenOE shall remain responsible towards the Customer for the performance of the Sub-Processor’s Data Protection obligations.
7.2 MorenOE undertakes to inform the Customer of any plans to retain new Sub-Processors or to replace Sub-Processors. The Customer is entitled to object to such changes. Such objection may only relate to objective
7.3 MorenOE is specifically responsible for ensuring that Articles 28.2 and 28.4 of the GDPR are taken into account when using Sub-Processors and for ensuring that such Sub-Processors provide adequate guarantees to implement appropriate technical and organizational measures in such a way that the Agreement meets the requirements of Data Protection Rules.
7.4 MorenOE shall provide the Customer with a correct and up-to-date list of the Sub-Processors assigned to Process Personal Data on behalf of the Customer, Contact Information, and the geographic location of the Processing. MorenOE can fulfil the obligations under this paragraph by providing a new version of Appendix 2 (Sub-Processor List). If a Sub-Processor fails to fulfil the obligations under this Agreement and according to Data Protection Rules, MorenOE shall be responsible for performing the Sub-Processor’s obligations in relation to the Customer.
8 Audits etc.
8.1 MorenOE shall provide the Customer with all information required to comply with the obligations according to Article 28 of the GDPR within reasonable time after such request has been made by the Customer to MorenOE. This means, among other things, that the Customer, as a Controller, is entitled to take the necessary steps to verify that MorenOE can fulfil its obligations under this Agreement and has taken necessary measures to ensure this. The Customer must give thirty (30) days’ notice prior to an audit.
8.2 MorenOE shall provide the Customer with all information required to demonstrate that the obligations according to this Agreement are met, as well as enable and contribute to audits, including inspections carried out by the Customer or by an independent auditor authorized by the Customer.
8.3 The Customer is entitled to carry out inspections at MorenOE during the normal business hours without interrupting the operating procedure, after prior notification, taking into account a reasonable lead time, in order to check compliance with data protection regulations. MorenOE may make the inspection conditional upon the signing of a confidentiality agreement regarding the data of other customers and MorenOE’s technical and organizational measures, as well as MorenOE’s business and trade secrets. If the auditor commissioned by the Customer is a competitor of MorenOE, MorenOE has a right to object to the commissioning of this auditor.
8.4 The Customer may carry out one inspection per calendar year. Further inspections are only admissible against reimbursement of costs and subject to prior consultation with MorenOE.
8.5 At the option of MorenOE, proof of compliance with the obligations under this Agreement may be provided instead of a review by the Customer in accordance with the above provisions by providing appropriate evidence. Appropriate evidence may in particular be approved codes of conduct within the meaning of Art. 40 GDPR or an approved certification procedure within the meaning of Art. 42 GDPR. The presentation of test certificates or reports by independent bodies (e.g. auditors, legal departments, IT security officers, data protection officers), a coherent data security concept or appropriate certification by an IT security and privacy audit are also recognized as appropriate proofs, if they have been issued within the last twelve (12) months prior to the Customer’s request and MorenOE or MorenOE’s Sub-Processor confirms in writing that there have been no material changes in the controls and systems to be audited since the date of issue.
8.6 Regarding the obligations stated in section 8 of this Agreement, MorenOE shall immediately inform the Customer if MorenOE considers that an instruction is in violation of Data Protection Rules. MorenOE is entitled to refuse to execute such an instruction.
9 Transfers of Personal Data outside the EU/EEA
In the event that MorenOE and/or Sub-Processors transfer Personal Data to a location outside of the EU/EEA
10.1 MorenOE shall be entitled to reasonable compensation for all work and all costs that arise due to the Customer’s instructions for Processing if these exceed the features and level of security based on the services that MorenOE normally provides to its customers, e.g. in the case that MorenOE’s system / services require special adjustments or development following special requests from the Customer. MorenOE is not entitled to compensation for costs which arise based on compliance with requirements set out in the GDPR.
11.1 MorenOE and the Customer are liable to data subjects in accordance with the provisions of Art. 82 GDPR. If both the Customer and MorenOE are responsible for such damage pursuant to Art. 82 (2) GDPR, they are liable internally for this damage in proportion to their share of the responsibility. If, in such a case, a third party claims compensation from a party wholly or in excess of the party’s liability, that party may require indemnity or compensation from the other party, to the extent that the damages are greater than their own share of the responsibility.
11.2 Internal liability shall be governed by the terms and conditions set forth in the Agreement, including MorenOE’s General Terms of Service.
11.3 During the term of this DPA and thereafter, the Customer shall indemnify and hold MorenOE harmless from any damage, including claims from Data Subjects and third parties, which MorenOE has suffered due to unclear, inadequate or unlawful instructions from the Customer, or which was otherwise caused by the Customer, depending on the circumstances deriving from the Customer.
12 Term and Termination
12.1 This DPA enters into force and remains in force for as long as MorenOE Processes Personal Data on behalf of the Customer under the Agreement.
12.2 Upon termination of the Agreement or this DPA (depending on which occurs first), MorenOE shall in accordance with the Customer’s instructions delete or return the Personal Data that the Customer has transferred to MorenOE and delete any existing copies, where appropriate, and unless storage of the Personal Data is required by EU law or applicable member state law, and ensure that each Sub-Processor does the same.
13 Changes and additions
13.1 If the Data Protection Rules are changed during the term of this DPA, or if the Supervisory Authority issues guidelines, decisions or regulations concerning the application of the Data Protection Rules that result in this DPA no longer meeting the requirements for a DPA, the Parties shall make the necessary changes to this DPA, in order to meet such new or additional requirements. Such changes shall enter into force no later than thirty (30) days after a Party sends a notice of change to the other Party or otherwise no later than prescribed by the Data Protection Rules, guidelines, decisions or regulations of the Supervisory Authority.
13.2 Other changes and additions to this DPA, in order to be binding, must be made in writing and duly signed by both Parties.
14.1 This DPA supersedes and replaces all prior DPAs between the Parties and supersedes any deviating provisions of the Agreement concerning the subject matter of this DPA, regardless of whether otherwise stated in the Agreement.
* * * * This DPA is an integral part of the Agreement entered into between MorenOE and the Customer. * * * *