Terms Of Service – Data Processing Agreement
1. Background
1.1 This Data Processing Appendix (“DPA”) is an appendix to the Terms Of Service.
1.2 The purpose of this DPA is to fulfil the requirements of a written agreement pursuant to Article 28 of the GDPR.
2. Definitions
In this DPA the following terms shall have the following meanings: “Data Protection Laws” refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), including supplementing legislation, acts and decisions. “DPA” refers to this Data Processing Appendix and all annexes thereto. “Personal Data” refers to the personal data that Gaille Reports processes on behalf of Customer pursuant to the Agreement. “security incident”, “audit”, “controller”, “data subject”, “personal data”, “processor” and “processing” all have the meaning given under the GDPR.
3. Processing instructions
3.1 In consideration of Customer making available the Personal Data to Gaille Reports, Gaille Reports agrees to process the Personal Data in accordance with the terms and conditions of this DPA.
3.2 Subject to clause 3.3 in this DPA, the Parties acknowledge and agree that: i. for the purposes of this DPA and as between them, Customer is, or shall be regarded as, a controller of the Personal Data and Gaille Reports is, or shall be regarded as, a processor of the Personal Data; and ii. Customer will comply with its obligations as a controller under the Data Protection Laws and Gaille Reports will comply with its obligations as a processor under this DPA, the Data Protection Laws, and Customer’s written instructions.
3.3 Customer instructs Gaille Reports, and Gaille Reports agrees to, process the Personal Data in accordance with the instructions put forward in ANNEX 1.
4. Confidentiality of processing
4.1 Gaille Reports shall ensure that all persons it authorizes to process the Personal Data are subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and only process the Personal Data as set out in this DPA.
4.2 Gaille Reports shall ensure that only persons who need to process the Personal Data, in order for Gaille Reports to supply the Service, have access to such Personal Data.
5. Data subject rights
5.1 Gaille Reports shall provide reasonable assistance to Customer to enable Customer to respond to: i. any request relating to the Personal Data from a data subject to exercise any of its rights under Data Protection Laws; ii. any other correspondence, enquiry or complaint received from a data subject or regulator in connection with the processing of the Personal Data by Gaille Reports.
5.2 If any such request, correspondence, enquiry or complaint is made directly to Gaille Reports, Gaille Reports shall without undue delay inform Customer of such request, correspondence, enquiry or complaint.
5.3 Gaille Reports shall not disclose any Personal Data in response to a request for access or disclosure from any third party without Customer’s prior written consent, except where Gaille Reports is compelled to do so in accordance with applicable law or as otherwise allowed under this DPA or the Agreement.
6. Data protection impact assessments
If requested by Customer, Gaille Reports shall provide Customer with reasonable assistance in order for Customer to conduct a data protection impact assessment; and if necessary, consult with its relevant supervisory authority.
7. Security
7.1 Gaille Reports shall implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
7.2 Gaille Reports shall notify Customer of any security incident that it becomes aware of without undue delay, and in any case no later than 48 hours after Gaille Reports becomes aware of the security incident. All such notifications shall be made, at Gaille Reports’s discretion, by a phone call or email to the Customer representative that Gaille Reports regularly liaises with.
7.3 If the security incident may be attributed to Gaille Reports’s processing of the Personal Data, Gaille Reports shall cooperate with Customer and provide Customer with reasonable assistance and information in the investigation of a security incident.
7.4 All costs associated with managing a security incident and fulfilling its obligations shall be borne by Customer where the security incident occurs as a result of Customer failing to perform its obligations under this DPA or the Data Protection Laws. If the security incident did not occur as a result of Customer failing to perform its obligations under this DPA or the Data Protection Laws, or if it is not possible to determine which Party is responsible for the security incident, each Party shall bear its respective costs associated with managing such security incident and fulfilling such obligations.
8. Sub-Processors
8.1 Customer gives Gaille Reports a general written authorisation to subcontract any processing of the Personal Data to a third-party subcontractor.
8.2 Gaille Reports shall, upon request from Customer, provide a list to Customer of the third-party subcontractors Gaille Reports engages with in its processing of the Personal Data.
8.3 Gaille Reports shall impose data protection terms of an equivalent standard to those provided for under this DPA on all its subcontractors.
8.4 Gaille Reports shall remain fully liable for the processing of the Personal Data that its subcontractors process under this DPA.
9. Audit
9.1 Gaille Reports shall permit Customer (or its appointed third-party auditors) to audit Gaille Reports’s compliance with this DPA, and shall make available to Customer information, systems and staff necessary for Customer (or its third-party auditors) to conduct such audit. Gaille Reports acknowledges that Customer (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Gaille Reports’s operations. Customer will not exercise its audit rights more than once in any twenty-four (24) calendar month period, except if, and when, required by instruction of a competent supervisory authority.
10. International data transfers
Customer gives Gaille Reports permission to transfer and process the Personal Data outside the European Economic Area, as long as Gaille Reports transfers such Personal Data in accordance with one of the allowed mechanisms prescribed by the Data Protection Laws.
11. Terms and termination
11.1 This DPA shall be in effect for as long as Gaille Reports processes Personal Data for Customer. Upon termination of the Agreement, Gaille Reports shall destroy or return the Personal Data to Customer, depending on what Customer chooses. If Customer has not informed Gaille Reports of its choice within two (2) months from the termination of the Agreement, Gaille Reports shall destroy all Personal Data.
11.2 At the request of Customer, Gaille Reports shall confirm the actions taken regarding the Personal Data after the completion of the process mentioned in clause 11.1 in this DPA.
11.3 If Customer chooses that Gaille Reports should destroy the Personal Data, in accordance with clause 11.1 in this DPA, it shall not apply to the extent that Gaille Reports is required by any European Union, or Member State, law or other applicable law to retain such data.
11.4 All clauses of this DPA which by their nature should survive termination will survive termination.
ANNEX 1
Instruction for processing of the Personal Data
- Purposes
- Categories of Personal Data
- Categories of data subjects
- Processing activities
- Location for the processing of the Personal Data
- Retention periods
- Subcontractors per the Effective Date