- Data protection
11.Interpretation
11.1.References in clauses 11 – 16 to a Regulation are to regulation 2016/679/EC, also known as the “GDPR”, for as long as the GDPR applies to our Processing of Personal Data. If the GDPR ceases to apply to our Processing of Personal data, references to a Regulation are to the Applied GDPR. References to the “Applied GDPR” are to the GDPR as amended by the UK’s Data Protection Act 2018.
11.2.References to an Article are to an Article of the Regulation and capitalised terms in clauses 11 -16 have the meaning defined by the Regulation unless otherwise defined in the Agreement.
12.Scope
12.1.If, in respect of any Personal Data Processed by us as part of the Services, you are a Data Controller, and we Process the Personal Data as your Data Processor, clauses 13 – 16 shall apply in respect of such Processing.
13.Subject matter of processing
13.1.You must provide us with a document setting out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects. You must notify us promptly if this information changes, and you must provide us with the necessary updated information.
14.Your obligations
14.1.You must, for the duration of the Processing, comply with your obligations under Data Protection Laws and Regulations. Without limiting the generality of this, you must, in particular:
14.1.1.have a lawful basis for the Processing, and ensure you are entitled to provide the Personal Data to us for Processing, and
must notify us promptly if either of these ceases to be true;
14.1.2.notify your Data Subjects of the Processing, to the standard required by Data Protection Laws and Regulations;
14.1.3.ensure that all Personal Data you provide to us is accurate and up to date, and you must make promptly any amendments necessary to ensure that the Personal Data remain accurate and up to date.
15.Our obligations
15.1.We must:
15.1.1.Process Personal Data in accordance with all applicable Data Protection Laws and Regulations;
15.1.2.Process the Personal Data within either or both the UK and the European Economic Area and only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organisation;
15.1.3.unless prohibited by law, notify you before Processing the Personal Data, if we are required to act other than in accordance with your by:
15.1.3.1.if the GDPR applies to the Processing, any law of the European Union or the law of one of the Member States of the European Union; and
15.1.3.2.if the Applied GDPR applies to the Processing, any law in the United Kingdom.
15.1.4.treat the Personal Data as confidential information;
15.1.5.take all measures required pursuant to Article 32;
15.1.6.taking into account the nature of the Processing, assist you by appropriate technical and organisational measures, insofar as this is reasonably possible, for
the fulfilment of your obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the Regulation;
15.1.7.provide reasonable assistance to you, at your cost, on your written request in ensuring compliance with your obligations pursuant to Articles 32 to 36, taking into account the nature of Processing and the information available to us;
15.1.8.at your choice, delete or return all the Personal Data to your after the end of the provision of the Services relating to the Processing, and delete existing copies. If we make available to you tools which enable you to download your Personal Data, you must only ask us to assist where those tools are unable to meet your reasonable needs. We are not required to delete Personal Data if we are required to continue store those Personal Data:
15.1.8.1. if the GDPR applies to the Processing, any law of the European Union or the law of one of the Member States of the European Union; and
15.1.8.2.if the Applied GDPR applies to the Processing, any law in the United Kingdom.
15.1.9.at your cost allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. Any audit or inspection shall be carried out on reasonable notice and avoid causing damage, injury or disruption to our premises, equipment, personnel or business;
15.1.10.at your cost provide reasonable assistance to you with any data impact assessments; and
15.1.11.in the event of a Personal Data Breach notify you without undue delay.
15.2.From time to time, we may need to engage other processors (each a “Sub-Processor”). In
respect of all Sub-Processors, we will respect the conditions referred to in paragraphs 2 and 4 of Article 28 for any such engagement. We will be liable for the acts and omissions of our Sub-Processors, and we will ensure that the Sub-Processor contract (as it relates to the Processing of Personal Data) is on terms which are substantially the same as, and in any case no less onerous than, the terms set out in this clause 15.
15.3.You hereby specifically authorise us to engage the following Sub-Processors:
- Amazon Web Services
- Microsoft
- Datto Inc. (Kaseya)
- OVH
- Backblaze
- Cloudflare Inc.
- Metronet (UK) Limited and Venus Business Communications Ltd
- KCOM Group Limited
- Pactora inc. (Zomentum)
- PipeDrive
- NinjaOne
15.4.You hereby give us a general authorisation to engage other Sub-Processors. We will inform you if we intend to appoint a Sub-Processor by email. If you object to the intended Sub-Processor, you must notify us within five day of us announcing our intention to appoint that Sub-Processor, and we and you shall discuss changes needed to the Services (which may entail an increase in charges) that might arise from this. If, acting reasonably, we and you cannot agree suitable changes to the Services (including, if relevant, increased charges), we may suspend Services or (at our discretion) terminate this agreement on immediate notice to you, in each case without liability.
16.International Transfers of Personal Data
16.1. If:
16.1.1. we act as your Processor;
16.1.2.the Processing falls within Articles 2 and 3 of Regulation 2016/679; and
16.1.3. the United Kingdom is or becomes a “third country” for the purpose of Chapter V of Regulation 2016/679;
unless and until such time as the European Commission has decided that the United Kingdom (or one or more specified sectors within the United Kingdom, where we, or the Processing, falls within one or more of those specified sectors) ensures an adequate level of protection for the purposes of Chapter V of Regulation 2016/679, you and we shall, in respect of any transfer of personal data subject to Chapter V of Regulation 2016/679 which is not subject to any of the permitted derogations set out in that Chapter V, enter automatically into the Standard Contractual Clauses and, for the purposes of these clauses, you shall be the “data exporter”, and we shall be the “data importer”
Recent Comments