Schedule 1 to TOS
Data Protection Terms and Conditions
1.1 Capitalized terms used but not defined in this Schedule will have the meanings set forth in the TOS. The following capitalized words and expressions shall have the following meanings unless the context otherwise requires:
1.1.1 “Data” means all Personal Data processed by Company as a Processor on behalf of Customer under or in connection with the MSA, including in providing the Services, further details of which are in Schedule 2;
1.1.2 “Data Subject Requests” means a request from a data subject made in accordance with the GDPR to exercise one or more of its Data Subjects’ Rights;
1.1.3 “Data Subjects’ Rights” means those rights of data subjects as set out in the GDPR including, without limitation, rights of access, rectification, erasure, restriction of processing, data portability, objection, and not to be subject to automated decision making (including profiling);
1.1.4 “EEA” means European Economic Area;
1.1.5 “EU” means the European Union;
1.1.6 “Personal Data Breach” means a breach of Company’s or permitted Subprocessor’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Data;
1.1.7 “data subject,” “international organization,” “personal data,” “process/processing,” “pseudonymisation,” “representative,” “special categories of personal data,” “supervisory authority,” and “third country” shall each have the meaning ascribed to them in the GDPR;
1.1.8 “Subprocessor” means any third party: (i) who is engaged by Company to carry out any of Company’s processing activities it conducts as a Processor of the Data; or (ii) to whom Company subcontracts any of its obligations under this Schedule.
2. SCOPE OF PROCESSING
2.1 The duration of processing will be the same as the Term, except as otherwise agreed to in the MSA or in writing by the Parties. The scope and further details of the processing activities to be performed by Company under or in connection with the MSA are set out in Schedule 2.
3. GENERAL PROCESSOR OBLIGATIONS
3.1 Company shall:
3.1.1 only process the Data to the extent and in such a manner as is necessary for the provision of the Services and for no other purpose(s);
3.1.2 only process the Data in accordance with the terms of this Schedule 1;
3.1.3 only process the Data in accordance with the written instructions of Customer from time to time (including in respect of transfers of Data to a third country or international organization outside the EEA), unless otherwise required to do so by applicable EU or EU Member State law (in any such case, Company shall promptly inform Customer of the relevant legal requirement before processing, unless prohibited from doing so on important public interest grounds); and
3.1.4 keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of Company has agreed to keep the Data confidential, or is otherwise under an appropriate statutory obligation of confidentiality in respect of the Data.
4.1 Company agrees that it shall implement the technical and organizational security measures set out in Schedule 2.
5.1 Company shall notify and obtain Customer’s prior written consent before engaging any Subprocessors.
5.2 Company may engage a Subprocessor prior to obtaining Customer’s consent if the need is urgent and necessary to provide the Services and the need is beyond Company’s reasonable control. In such instance, Company shall notify Customer of the engagement as soon as reasonably practicable, and Customer shall retain the right to object to the engagement of a Subprocessor pursuant to Section 5.3 of this Schedule 1.
5.3 Customer may object to Company’s intended use of Subprocessors within five (5) calendar days after receipt of the notification set out in Section 5.1 or 5.2 of this Schedule 1. If Customer objects on reasonable grounds, Company and Customer will discuss reasonable alternative solutions in good faith. If no resolution is reached, Company will not appoint the Subprocessor in dispute and will seek alternative Subprocessors, or if an alternative Subprocessor is not found, is unavailable, or is inappropriate, Customer has the right to terminate the element of the Services that cannot be provided without Company’s use of the objected-to Subprocessor.
5.4 Company shall ensure that the same data protection obligations as set out in this MSA as between Customer and Company are imposed on all permitted Subprocessors by way of a written agreement. If any permitted Subprocessor fails to fulfill its data protection obligations under such written agreement, Company shall remain fully liable to Customer for the performance of these obligations to the same extent Company would have been liable if performing the obligations of the Subprocessor directly under the terms of this MSA.
6.1 Upon Customer’s request and at its cost, Company shall provide reasonable assistance to Customer in ensuring Customer’s compliance with the obligations referred to below as and to the extent required by the GDPR, taking into account the nature of processing and the information available to Company, including in respect of:
6.1.1 implementing appropriate technical and organizational security measures to ensure the security of processing in respect of the Data;
6.1.2 the notification of any personal data breaches in respect of the Data to any relevant supervisory authority and communication of personal data breaches to any relevant data subjects;
6.1.3 carrying out data protection impact assessments; and
6.1.4 consulting with any relevant supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk if measures are not taken by Customer to mitigate the risk.
7. DATA SUBJECTS’ RIGHTS
7.1 Customer shall ensure that it provides data subjects with the information required under the GDPR at the point of collection of their Data.
7.2 Taking into account the nature of the processing performed by the Company, Company shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations to respond to Data Subject Requests.
7.3 Company shall promptly notify Customer in writing (email being sufficient) of each Data Subject Request that it receives.
7.4 Unless otherwise required by applicable EU or EU Member State law, Company shall not respond to any Data Subject Requests or other communications which Company receives from data subjects of the Data, without the prior written consent of and at the direction of Customer.
8. PERSONAL DATA BREACHES
8.1 In the case of any actual Personal Data Breach, Company shall promptly notify Customer in writing (email being sufficient) after becoming aware of such breach.
9. INTERNATIONAL TRANSFERS OF DATA
9.1 Customer hereby acknowledges that Company’s provision of the Services may require the transfer of Data outside of the EEA to Company and permitted Subprocessors. Customer further acknowledges that the Company is registered under the EU-US Privacy Shield and the Parties shall rely on such registration as the transfer mechanism under the GDPR for any such transfers, for as long as such registration remains current. Company shall notify Customer if for any reason its EU-US Privacy Shield registration expires, terminates or is withdrawn.
9.2 Other than as set out in Section 9.1 of Schedule 1, Company shall not further process in or transfer any Data to, any country or international organization outside the EEA except on the instructions or with the prior written approval of Customer.
10.1 Upon written request from Customer, Company shall make available to Customer all information necessary to demonstrate compliance with its obligations in this Schedule 1 and at reasonable intervals, will provide a copy of Company’s then most recent audit results to demonstrate compliance with its obligations under this Schedule 1.
10.2 Company shall immediately inform Customer if, in Company’s opinion, any instruction from Customer with respect to the processing of Data under or in connection with this MSA infringes the GDPR, or other applicable EU or EU Member State data protection law or regulation.
11. RETURN OR DISPOSAL
11.1 Following completion of the Services or upon the expiration or termination of the MSA for any reason (whichever is the latest) (“End Date”), unless the Customer requests otherwise within five (5) days of the End Date, Company shall delete and destroy all such Data (including any and all copies thereof) no later than sixty (60) days after the End Date. Within such time Customer will have access to the Data and shall be responsible for obtaining copies of all such Data prior to the deletion date. After this time the Data is no longer recoverable.
11.2 If EU or EU Member State law requires the storage of such Data beyond the sixty (60) days referred to in Section 11.1 of Schedule 1, Company shall promptly inform Customer of such requirement.
12.1 In the event of a conflict between the terms of this Schedule 1 and the TOS, the terms of this Schedule 1 shall prevail.
12.2 To the extent required by applicable law, the terms of this Schedule 1 shall be governed by the laws of England and Wales. In all other cases, this Schedule 1 shall be governed by the laws of Southfield, Michigan.