Data Addendum: Wednesday, August 12, 2020
Last updated: August 2020
1 Definitions and Interpretation
Any capitalised expressions that are not defined in this Data Addendum will have the meaning given to them in the Cloud Services Terms or the General Terms and Conditions or the meaning given to them (and equivalent expressions) in Data Protection Laws (as defined in clause 2 of this Data Addendum below).
2 General Obligations
2.1 You shall comply with all applicable data protection, security and privacy laws (and all related codes of practice and guidance issued by applicable regulators) in any jurisdiction including but not limited to the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Network and Information Systems Regulations 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), the Data Protection (Charges and Information) Regulations 2018 (SI 2018/480) and all associated legislation, as amended or replaced from time to time (collectively "Data Protection Laws"). You shall not, by any act or omission, cause us to breach any Data Protection Laws and shall ensure our receipt of your Data in accordance with these Cloud Services Terms is lawful and does not infringe any individuals’ rights under those laws.
2.3 You shall implement and maintain at all times in accordance with Data Protection Laws a technical feature on each Website that expressly requests consent from every End User of the Website in respect of our use of your Data (as your Processor or a Joint Controller, as applicable) and a technical feature that allows the withdrawal of that consent (which must allow withdrawal as easily as consent was obtained). The consent that you shall obtain shall meet the standard of consent required under Data Protection Laws and you shall not access, read, collect, transfer or otherwise Process any of your Data in connection with the Cloud Services in respect of an End User (and shall not allow any of your Data to be received by us in respect of that user) until that user has provided such consent and provided always that consent has not subsequently been withdrawn. You shall not combine the request for such consent with consent in respect of any other Processing of or access to any data. You shall, promptly after receiving written notice from us, request and manage consent for any Processing of your Data that we perform as an independent Controller.
2.4 You shall maintain at all times a full record of any consent you request or obtain, together with a record of all withdrawals and requested withdrawals of consent in accordance with Data Protection Laws and shall, on receipt of written notice from us, promptly share with us part or all of such records, as required by us.
2.5 If a user withdraws their consent, you will notify us and provide to us in respect of such withdrawal any information we reasonably require to comply with our obligations under Data Protection Laws.
2.6 You shall co-operate and provide us with reasonable assistance in relation to any enquiry, request or notice we receive from an End User or Supervisory Authority, including the Information Commissioner’s Office.
2.7 At our written request, you will enter into applicable standard contractual clauses issued by the European Commission, any supervisory authority or other competent body from time to time (or take any other action, as we require) for the purposes of ensuring that any transfers of Personal Data between us comply with Data Protection Laws.
2.8 You shall not provide to us any Data including any Personal Data beyond the data provided to us as part of the Cloud Services except where the provision of that data is required by us to comply with Data Protection Laws or a specific request made pursuant to those laws. In particular, you shall never provide us with the name, email address or other direct contact information relating to any End Users except where this is required by law or by any court, Supervisory Authority or other competent authority. Nothing in this clause 2.8 shall reduce or otherwise affect our rights under clause 2.1 of this Data Addendum.
2.9 If we receive any requests from any End Users exercising their rights under Data Protection Laws in connection with the Cloud Services, we will notify you and provide you with the relevant details of the request. As between you and us, you shall be responsible for responding to and fulfilling all such rights.
2.10 You shall promptly notify us in writing with full details if you fail to fulfil any of your responsibilities set out in Annex 2 to this Data Addendum.
2.11 Each party shall bear the costs of performance of its obligations under this Data Addendum except where expressly stated otherwise.
3 Terms applicable where we are a Processor
If we agree with you in writing (including in any applicable Order) that we will not make any use of your Data that is Personal Data for our own business purposes, we will Process that data as a Processor only and you shall be the Controller of that Processing. If we act as a Processor, we will enter into a separate data processing addendum with you and the provisions below in clause 4 of this Data Addendum shall not apply.
4 Terms applicable where we are a Controller
4.1 You acknowledge and agree that, subject to clause 3 of this Data Addendum, we and you are:
4.1.1 Joint Controllers in respect of any Processing of your Data in connection with the Cloud Services; and
4.1.2 independent Controllers in respect of our respective Processing of your Data where this is unrelated to the provision of the Cloud Services to you.
4.2 You acknowledge that:
4.2.1 you have primary responsibility for fulfilling our and your obligations as a Controller under Data Protection Laws, in accordance with best industry practice and the sharing particulars and allocation of Joint Controller Responsibilities set out in the Annexes to this Data Addendum; and
4.2.2 we may from time to time amend the Annexes to this Data Addendum by providing you with written notice of the changes, where such changes are required for you and/or us to comply with Data Protection Laws.
4.3 You will not use or attempt to use the Cloud Services in connection with any Website that targets children under the age of 16, that is aimed at audiences in that age range and/or that you know collects data from such children, or allow us to receive any data relating to such children from the Website.
ANNEX 1 SHARING PARTICULARS
LAST UPDATED: August 2020
|The necessity and aims of the sharing of the Personal Data||For the purposes of our provision of the Cloud Services and, where relevant, to provide further Client Services, as an independent Controller. You may use the Cloud Services for the purposes you determine including to obtain information to target users of Client Sites, tailor content on those sites or for website optimisation, insight and/or analytics purposes.|
|Benefits of the data sharing to the Data Subjects||Clients receiving the Cloud Services and Client Services will be better able to provide more effective, efficient and/or relevant services and user experience to End Users.|
|Third parties involved in the data sharing and reasons for sharing||Our subcontractors may receive the Device Data to perform certain Processing activities required to provide the Cloud Services and Client Services.|
|Details of data protection officers (or equivalent)||For us: Data Protection Officer whose email address is firstname.lastname@example.org. For you: as notified by you to us from time to time.|
|The lawful bases on which we/you rely||We and you rely on consent obtained from End Users to receive the Device Data and to Process that data to provide the Cloud Services to you. We rely on legitimate interests or another lawful basis set out in our respective privacy notices in respect of any Processing of Personal Data for which we are independent Controllers.|
|Governance arrangements||We operate an Integrated Management System (“IMS”) which is compliant with ISO 9001:2015 and ISO/IEC 27001:2013, the international standards for quality and information security. We are committed to ensuring the fulfilment of customer needs and continuity of our business in the event of any personal data security breaches. The IMS ensures appropriate levels of protection in respect of data accuracy, data sharing, data storage and data security.|
ANNEX 2 ALLOCATION OF RESPONSIBILITIES BETWEEN JOINT CONTROLLERS IN RELATION TO PROCESSING AND ACCESS TO DATA FOR CLOUD SERVICES
LAST UPDATED: August 2020
|Controller obligations under Data Protection Laws relating to the Cloud Services||Responsible Joint Controller|
|Determining lawful basis of Processing||We and you|
|Maintaining a record of processing activities||We and you|
|Maintaining appropriate policies, registers and governance measures||We and you|
|Ensuring adequacy of protection for End Users of transfers of Personal Data outside the European Economic Area in accordance with Data Protection Laws||We and you|
|If relevant, designating a data protection officer and EU representative||We and you|
|Implementing technical and organisational security measures whilst your Data is in our possession||We|
|Appointing and managing sub-contractors to provide the Cloud Services and putting in place appropriate contractual terms with the same||We|
|Conducting assessments in relation to the requirement to notify (and notifying) Personal Data Breaches to End Users that affect all or a substantial number of Client Sites||We|
|Conducting assessments in relation to the requirement to notify (and notifying) Personal Data Breaches to End Users and/or Supervisory Authorities that affect your End Users only||You|
|Conducting data protection impact assessments and consultations with End Users and/or Supervisory Authorities||You|
|Obtaining consent from End Users including for the purposes of the GDPR and the PECRs, and development and integration of software and other technical means in relation to the same||You|
|Implementing technical and organisational security measures whilst your Data is in your possession or whilst it is transmitted to or from your Website||You|
|Providing our and your privacy notices to End Users, updating your privacy notices||You|
|Managing the acquisition of consent from End Users (including the provision of technical means to withdraw consent)||You|
|Recording evidence of consent and communicating to us indications of consent/withdrawal||You|
|Administering, fulfilling and managing any data subject rights relating to End Users under Data Protection Laws||You|