Personal data processing provisions

1. Definitions

Unless specified otherwise below, capitalised words and expressions contained within this document have the same meaning as set out in the Terms and Conditions:

1.1. “Controller” means the entity that alone or jointly with others determines the purposes and means of the processing of Personal Data.

1.2. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.3. “Personal Data” means any information provided to Supplier within the Client Data which relates to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Supplier.

1.5. “Process” and “Processing” mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.6. “Processor” means the entity that processes Personal Data on behalf of the Controller.

1.7. “Subprocessor” means the Processor engaged by Supplier or an Affiliate of Supplier to Process Personal Data on behalf of the Client.

1.8. “Supervisory Authority” means any regulatory, supervisory, governmental or other competent authority with jurisdiction or oversight over the application of applicable data protection laws.

2. Description of the Processing

2.1. Personal Data shall be processed under the Agreement as set out below:

a) Subject matter and duration of the Processing: The subject matter is the provision of the Services by Supplier to the Client under the Agreement. The duration will be for the Term and following the termination or the expiry of the Agreement until all Personal Data is deleted from the Supplier’s information technology by Supplier. The retention of aggregated Usage Data by Supplier will not prolong the term of these Personal Data Processing Provisions in the event that all other Personal Data has been deleted by Supplier.

b) Nature and purpose of the Processing: Personal Data will be Processed for purposes of providing the Services in accordance with the Agreement.

c) Type of Personal Data: Personal Data Processed in providing the Services may include the following categories of data: names, user IDs, email addresses, job titles, salary, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by Users via the Services.

d) Categories of Data Subject: Personal Data submitted, stored, sent or received via the Services may relate to Users and the Client’s employees and contractors as the Data Subjects.

3. General processing obligations of Supplier

3.1. The parties acknowledge and agree that Client is the Controller and Supplier is the Processor with regard to the Processing of Personal Data under the Agreement.

3.2. Supplier shall Process Personal Data only on documented instructions of the Client as set out in the Agreement unless specifically instructed by the Client in writing to do so, or as required to do otherwise pursuant to a legal requirement to which it is subject.

3.3. Supplier shall ensure that its staff, agents and/or Subprocessors authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality.

4. Information security

4.1. Supplier shall implement appropriate technical and organisational measures to safeguard the Personal Data and shall assist the Controller in ensuring its own compliance with any legal obligations to implement the same. Controller acknowledges and agrees that the technical and organisational measures contained in the Security Provisions ensure a level of security appropriate to protect against the risk of harm or damage to the rights and freedoms of Data Subjects.

5. Subprocessing

Supplier shall be permitted to appoint a Subprocessor to Process Personal Data provided that:

a) Supplier enters into a written contract with the Subprocessor on the same terms as those set out in these Personal Data Processing Provisions;

b) Supplier shall inform the Client of any intended changes concerning the addition or replacement of any Subprocessor and give the Client the opportunity to object to such changes; and

c) where a Subprocessor fails to fulfil its data protection obligations, Supplier shall remain fully liable to the Client for the performance of the Subprocessor’s obligations.

6. Data Subject requests

6.1. Taking into account the nature of the Processing, Supplier shall assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, right to object to the Processing or his/her right not to be subject to automated individual decision-making.

7. Personal Data Breach

7.1. Supplier shall notify the Client without undue delay after becoming aware of a Personal Data Breach and shall assist the Client in connection with its third party notification and communication obligations that are legally required, taking into account the nature of the Personal Data Processing and the information available to Supplier.

7.2. For the avoidance of doubt, the Client shall determine if serious harm to any affected individual is likely, and will be responsible for issuing any necessary notices that are legally required, unless Supplier reasonably forms the view that the Client’s determination would cause Supplier to breach applicable laws.

8. Data protection impact assessments

8.1. Supplier shall provide commercially reasonable assistance to the Client in connection with any legal obligations to carry out a data protection impact assessment (and, where required by the Data Protection Laws, consulting with the relevant Supervisory Authority in respect of any such data protection impact assessment).

9. Audit

9.1. Supplier shall make available to the Client all information necessary to demonstrate compliance with these Personal Data Processing Provisions and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client.

10. Return or deletion of Personal Data

10.1. At the choice of the Client, Supplier shall delete or return all Personal Data to the Client after the end of the provision of the Services that involve the Processing of Personal Data unless Supplier is legally obliged to store Personal Data for a longer period.

11. Costs

11.1. The Client shall be responsible for any costs arising from Supplier’s provision of such assistance, contribution or demonstration of compliance as referred to in these Personal Data Processing Provisions.
