Data Addendum: Tuesday, March 29, 2022
Last updated: March 2022
This Data Addendum, together with any documents to which it refers, supplements and forms part of the Cloud Services Terms.
1 Definitions and Interpretation
Any capitalised expressions that are not defined in this Data Addendum will have the meaning given to them in the Cloud Services Terms or the General Terms and Conditions or the meaning given to them (and equivalent expressions) in Data Protection Laws (as defined in clause 2 of this Data Addendum below).
2 General Obligations
2.1 You shall comply with all applicable data protection, security and privacy laws (and all related codes of practice and guidance issued by applicable regulators) in any jurisdiction including but not limited to the Data Protection Act 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Network and Information Systems Regulations 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), the Data Protection (Charges and Information) Regulations 2018 (SI 2018/480) and all associated legislation, as amended or replaced from time to time (collectively "Data Protection Laws"). You shall not, by any act or omission, cause us to breach any Data Protection Laws and shall ensure our receipt of your Data in accordance with these Cloud Services Terms is lawful and does not infringe any individuals’ rights under those laws.
2.2 You shall ensure that, prior to any use of the Cloud Services, you make available a privacy notice (“Website Privacy Notice”) online to all visitors or other end users of every Website (“End Users”) in accordance with your obligations under Data Protection Laws and shall ensure that you maintain at all times a hyperlink to that notice on any Website of yours that uses the Cloud Services. You shall ensure that all Website Privacy Notices are consistent with our privacy policy for End Users (currently located at https://51degrees.com/terms/client-services-privacy-policy) (“51D Client Services Privacy Policy”). In particular, you must state that we and you are Joint Controllers in relation to our Processing of your Data relating to End Users and provide a summary of the information set out in the Annexes to this Data Addendum. Each Website Privacy Notice shall describe your uses of your Data (including all Device Data) and all Personal Data you Process in connection with the Website, including use in relation to the Cloud Services. Where we have agreed that we are a Joint Controller with you and not a Processor, each relevant Website Privacy Notice shall include a prominent link to the 51D Client Services Privacy Policy in the relevant section of the Website Privacy Notice. If we agree that we will be a Processor in connection with our provision of the Cloud Services, you will expressly specify this in each relevant Website Privacy Notice.
2.3 You shall implement and maintain at all times in accordance with Data Protection Laws a technical feature on each Website that expressly requests consent from every End User of the Website in respect of our use of your Data (as your Processor or a Joint Controller, as applicable) and a technical feature that allows the withdrawal of that consent (which must allow withdrawal as easily as consent was obtained). The consent that you shall obtain shall meet the standard of consent required under Data Protection Laws and you shall not access, read, collect, transfer or otherwise Process any of your Data in connection with the Cloud Services in respect of an End User (and shall not allow any of your Data to be received by us in respect of that user) until that user has provided such consent and provided always that consent has not subsequently been withdrawn. You shall not combine the request for such consent with consent in respect of any other Processing of or access to any data. You shall, promptly after receiving written notice from us, request and manage consent for any Processing of your Data that we perform as an independent Controller.
2.4 You shall maintain at all times a full record of any consent you request or obtain, together with a record of all withdrawals and requested withdrawals of consent in accordance with Data Protection Laws and shall, on receipt of written notice from us, promptly share with us part or all of such records, as required by us.
2.5 If a user withdraws their consent, you will notify us and provide to us in respect of such withdrawal any information we reasonably require to comply with our obligations under Data Protection Laws.
2.6 You shall co-operate and provide us with reasonable assistance in relation to any enquiry, request or notice we receive from an End User or Supervisory Authority, including the Information Commissioner’s Office.
2.7 At our written request, you will enter into applicable standard contractual clauses issued by the European Commission, any supervisory authority or other competent body from time to time (or take any other action, as we require) for the purposes of ensuring that any transfers of Personal Data between us comply with Data Protection Laws.
2.8 You shall not provide to us any Data including any Personal Data beyond the data provided to us as part of the Cloud Services except where the provision of that data is required by us to comply with Data Protection Laws or a specific request made pursuant to those laws. In particular, you shall never provide us with the name, email address or other direct contact information relating to any End Users except where this is required by law or by any court, Supervisory Authority or other competent authority. Nothing in this clause 2.8 shall reduce or otherwise affect our rights under clause 2.1 of this Data Addendum.
2.9 If we receive any requests from any End Users exercising their rights under Data Protection Laws in connection with the Cloud Services, we will notify you and provide you with the relevant details of the request. As between you and us, you shall be responsible for responding to and fulfilling all such rights.
2.10 You shall promptly notify us in writing with full details if you fail to fulfil any of your responsibilities set out in Annex 2 to this Data Addendum.
2.11 Each party shall bear the costs of performance of its obligations under this Data Addendum except where expressly stated otherwise.
3 Terms applicable where we are a Processor
If we agree with you in writing (including in any applicable Order) that we will not make any use of your Data that is Personal Data for our own business purposes, we will Process that data as a Processor only and you shall be the Controller of that Processing. If we act as a Processor, we will enter into a separate data processing addendum with you and the provisions below in clause 4 of this Data Addendum shall not apply.
4 Terms applicable where we are a Controller
4.1 You acknowledge and agree that, subject to clause 3 of this Data Addendum, we and you are:
4.1.1 Joint Controllers in respect of any Processing of your Data in connection with the Cloud Services; and
4.1.2 independent Controllers in respect of our respective Processing of your Data where this is unrelated to the provision of the Cloud Services to you.
4.2 You acknowledge that:
4.2.1 you have primary responsibility for fulfilling our and your obligations as a Controller under Data Protection Laws, in accordance with best industry practice and the sharing particulars and allocation of Joint Controller Responsibilities set out in the Annexes to this Data Addendum; and
4.2.2 we may from time to time amend the Annexes to this Data Addendum by providing you with written notice of the changes, where such changes are required for you and/or us to comply with Data Protection Laws.
4.3 You will not use or attempt to use the Cloud Services in connection with any Website that targets children under the age of 16, that is aimed at audiences in that age range and/or that you know collects data from such children, or allow us to receive any data relating to such children from the Website.
ANNEX 1 SHARING PARTICULARS
LAST UPDATED: March 2022
Subject | Additional Information |
---|---|
The necessity and aims of the sharing of the Personal Data | For the purposes of our provision of the Cloud Services and, where relevant, to provide further Client Services, as an independent Controller. You may use the Cloud Services for the purposes you determine including to obtain information to target users of Client Sites, tailor content on those sites or for website optimisation, insight and/or analytics purposes. |
Benefits of the data sharing to the Data Subjects | Clients receiving the Cloud Services and Client Services will be better able to provide more effective, efficient and/or relevant services and user experience to End Users. |
Third parties involved in the data sharing and reasons for sharing | Our subcontractors may receive the Device Data to perform certain Processing activities required to provide the Cloud Services and Client Services. |
Details of data protection officers (or equivalent) | For us: Data Protection Officer whose email address is dpo@51degrees.com. For you: as notified by you to us from time to time. |
Types of Personal Data and Data Subjects to whom they relate | Device Data and End Users. See further Part 3 ‘What Data Do We Use?’ in the 51Degrees Client Services Privacy Policy. |
The lawful bases on which we/you rely | We and you rely on consent obtained from End Users to receive the Device Data and to Process that data to provide the Cloud Services to you. We rely on legitimate interests or another lawful basis set out in our respective privacy notices in respect of any Processing of Personal Data for which we are independent Controllers. |
Procedures for complying with Data Subject rights | You will handle all Data Subject rights requests relating to the Cloud Services in accordance with clause 2.9 of the Data Addendum. We will handle all Data Subject rights requests relating to the Client Services in accordance with our Client Services Privacy Policy. |
Governance arrangements | We operate an Integrated Management System (“IMS”) which is compliant with ISO 9001:2015 and ISO/IEC 27001:2013, the international standards for quality and information security. We are committed to ensuring the fulfilment of customer needs and continuity of our business in the event of any personal data security breaches. The IMS ensures appropriate levels of protection in respect of data accuracy, data sharing, data storage and data security. |
ANNEX 2 ALLOCATION OF RESPONSIBILITIES BETWEEN JOINT CONTROLLERS IN RELATION TO PROCESSING AND ACCESS TO DATA FOR CLOUD SERVICES
LAST UPDATED: March 2022
Controller obligations under Data Protection Laws relating to the Cloud Services | Responsible Joint Controller |
---|---|
Determining lawful basis of Processing | We and you |
Maintaining a record of processing activities | We and you |
Maintaining appropriate policies, registers and governance measures | We and you |
Ensuring adequacy of protection for End Users of transfers of Personal Data outside the European Economic Area in accordance with Data Protection Laws | We and you |
If relevant, designating a data protection officer and EU representative | We and you |
Implementing technical and organisational security measures whilst your Data is in our possession | We |
Appointing and managing sub-contractors to provide the Cloud Services and putting in place appropriate contractual terms with the same | We |
Conducting assessments in relation to the requirement to notify (and notifying) Personal Data Breaches to End Users that affect all or a substantial number of Client Sites | We |
Conducting assessments in relation to the requirement to notify (and notifying) Personal Data Breaches to End Users and/or Supervisory Authorities that affect your End Users only | You |
Conducting data protection impact assessments and consultations with End Users and/or Supervisory Authorities | You |
Obtaining consent from End Users including for the purposes of the GDPR and the PECRs, and development and integration of software and other technical means in relation to the same | You |
Implementing technical and organisational security measures whilst your Data is in your possession or whilst it is transmitted to or from your Website | You |
Providing our and your privacy notices to End Users, updating your privacy notices | You |
Managing the acquisition of consent from End Users (including the provision of technical means to withdraw consent) | You |
Recording evidence of consent and communicating to us indications of consent/withdrawal | You |
Administering, fulfilling and managing any data subject rights relating to End Users under Data Protection Laws | You |