In this Data Protection section, the following words and expressions shall have the following meanings:
|“Customer”||means any Client, Agent or Reseller as defined in any supporting agreements.|
|“Customer Personal Data”|
- The Processor agrees, in relation to the Customer Personal Data, that the Customer is the Data Controller (and therefore controls what happens to the Customer Personal Data) and the Processor is the Data Processor.
- The Processor acknowledges and agrees that nothing in this agreement relieves the Processor from its responsibilities and liabilities under the Privacy Laws.
- The purpose of the Processing is the performance of the Services and the Processing will be carried out until the date that the Processor ceases to provide the Services to the Customer. Details as to the nature and purpose of the Processing, the types of Personal Data and the categories of Data Subjects are set out below:
- “Subject matter of the Processing:” The subject matter for Processing results from the Service Agreement between the Data Controller and the Data Processor.
- “Nature and purpose of the Processing:” The Processing of the Personal Data in the course of the Processor delivering cloud-based hosting services as more particularly described in the FileHound Cloud Customer Service Level Agreement (SLA).
- “Type of Personal Data:” Personal data may include, among other information, personal contact information such as name, address, telephone or mobile number, fax number, email address, and passwords; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualifications, identification numbers and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, behaviour and interest data, and any other data the Data Controller may elect to include as part of Processing.
- “Categories of Data Subject:” Data Subjects may include the Customer’s representatives and end users, such as employees, job applicants, contractors, collaborators, partners, customers and users of the Customer and any other Data Subjects the Data Controller may elect to include as part of Processing. Data Subjects may also include individuals attempting to communicate or transfer Personal Data to users of the Service.
- When the Processor Processes Customer Personal Data in the course of providing the Services, the Processor will:
- Process the Customer Personal Data only in accordance with written instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or international organisation except where required to do so by law. If the Processor is required by law to Process the Customer Personal Data for any other purpose, the Processor will inform the Customer of this requirement before the Processing, unless that law prohibits this on important grounds of public interest. If the Customer issues a direction to the Processor which requires the Processor to do something that is inconsistent with the terms of the Service Agreement, the Processor may wish to make a reasonable charge, in which case that charge will be as agreed in writing between the parties.
- take reasonable steps to ensure the reliability and competence of the Processor personnel who have access to the Customer Personal Data;
- ensure that the personnel required to Process the Customer Personal Data:
- are informed of the confidential nature of the Customer Personal Data;
- are subject to appropriate obligations of confidentiality; and
- do not publish, disclose or divulge any of the Customer Personal Data to any third party unless directed in writing to do so by the Customer;
- implement and maintain Appropriate Technical and Organisational Measures to protect the Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure;
- by taking Appropriate Technical and Organisational Measures and in so far as it is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights; and
- in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR or equivalent provisions in the Privacy Laws, and the Customer shall notify the Management Team by email (firstname.lastname@example.org) of any requests from Data Subjects;
- make available to the Customer all information necessary to demonstrate its compliance with its obligations in this agreement and allow the Customer and its auditors or authorised agents to conduct audits and inspections during the term of the Service Agreement (and provide reasonable assistance in connection therewith) for the purpose of verifying that the Processor is Processing Customer Personal Data in accordance with the Processor’s obligations under this agreement, the Service Agreement and applicable Privacy Laws; and
- not give access to or transfer any Customer Personal Data to any third party (including any group companies or sub-contractors) without the prior written consent of the Customer. Where the Customer does consent to the Processor engaging a sub-contractor to carry out any part of the Services, the Processor must ensure the reliability and competence of the third party, its employees and agents who may have access to the Customer Personal Data and must include in any contract with the third party, provisions in favour of the Customer which are equivalent to those in this clause and as are required by applicable Privacy Laws. For the avoidance of doubt, where a third party fails to fulfil its obligations under any sub-processing agreement or any applicable Privacy Laws, the Processor will remain fully liable to the Customer for the fulfilment of the Processor’s obligations under this agreement and the Service Agreement.
- The Processor shall notify the Customer immediately if, in the Processor’s opinion, an instruction for the Processing of Customer Personal Data given by the Customer infringes applicable Privacy Laws.
- The Processor shall communicate any claims or requests in respect of the Customer Personal Data without delay to the Customer to enable the Customer to provide details to its customers.
- If the Processor becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to any Customer Personal Data that the Processor Processes when providing the Services (a "Personal Data Breach"), the Processor will:
- notify the Customer by email and without undue delay (and in any event within 48 hours). The email shall be sent to the Customer’s primary contact (as shown in the Processor’s customer relationship management (CRM) system) and the Customer is responsible for ensuring this information is kept up to date;
- provide the Customer (as soon as possible) with a detailed description of the Data Breach, the type of Customer Personal Data that was the subject of the Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information the Customer may reasonably request relating to the Data Breach); and
- not release or publish any filing, communication, notice, press release, or report concerning the Data Breach without the Customer's prior written approval (except where required to do so by law).
- If, pursuant to Article 28(7) or Article 28(8) of the GDPR, the Information Commissioner adopts standard contractual clauses for the matters referred to in Article 28(3) and Article 28(4) of the GDPR and the Customer notifies the Processor that it wishes to incorporate any element of any such standard contractual clauses into the Agreement, the Processor will agree to the changes as reasonably required by the Customer to achieve this.
- The Processor will not Process Customer Personal Data outside the European Economic Area, or a country in respect of which a valid adequacy decision has been issued by the European Commission, except with the prior written consent of the Customer. Where the Customer gives its consent, such transfers will be made subject to the terms of the model clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission or any replacement or additional form approved by the European Commission or as applicable in the UK.