How we will Process Data as the Processor
We will process Data Within Your Control in accordance with this Addendum as well as the actions required of us as instructed by you in your Account. You agree that this Addendum, and the actions taken and thus instructions given by you within your Account are your complete and final instructions to us in relation to the Data Within Your Control.
We will immediately inform you if we feel that your instructions infringe on the applicable Data Protection Laws or if, for any reason, we are unable to carry out your instructions. If your instructions prevent us from complying with the applicable laws, we will notify you. However, we will not notify you when such disclosure is forbidden by applicable law on the important grounds of public interest.
How we will assist you in Complying
When complying with any requests relating to Data Within Your Control received from Your End user as a Data Controller (as detailed in Chapter 3 of the GDPR), we have provided reasonable tools within your Account that enable you to comply and fulfil your obligations as a Data Controller when you have received any request from your End users regarding their Personal Data. In the instances where you are not able to comply using the tools available within your Account and complicated action is required to remove the Personal Data in question, we will provide, where possible, a reasonable quotation (upon request) based on the action that is required to complete this on your behalf.
Any Requests Regarding the Data In Your Control
With respect to any Data Within Your Control that is not accessible and thus removable within your Account, a request can be made to us in order for you to take relevant action that is otherwise not possible. The request must be made in writing and must include details of Your End user and the Personal Data that the request is referring to, along with any relevant action required to be taken.
Once the request has been received and validated, we will, where applicable:
- Remove any Personal Data of Your End user in question or provide copies of the Personal Data of Your End user in an easily accessible format
- Contact the applicable Sub-Processor or Sub-Processors to request the removal of any Personal Data relating to Your End user in question.
The request will be acted upon in accordance with the above except if the request is subject to the limitations as set out in this Data Processing Addendum or restricted by law and/or a Governing Body, where applicable.
What we do when we Receive an Inquiry or Complaint
If we are permitted to do so by the relevant applicable law, we will provide you notice upon receiving an inquiry or complaint from any of your End users, or if required to do so by the law or any lawfully binding order from a Governing Body that relates to the Data Within Your Control that we have processed on your instructions and thus, on your behalf.
Security Incidents and Security
We will at all times ensure that Data Within Your Control is adequately protected in accordance with the requirements of the GDPR. To do so, we agree that we will implement an appropriate level of technical, organisational and procedural measures to protect the Data Within Your Control from security incidents. If we become aware of and confirm any security incident, for which notification to you is required under applicable Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.
We will always cooperate reasonably with you and provide you with the information you need in order to fulfil your Data Breach obligations under the GDPR. We will also take further measures and actions that are necessary to fix or mitigate the effects of the security incident and we will keep you informed of any material development related to the security incident. Unless required by law, we will not take action to notify your End users of any security breach. We may also use external or internal auditors to verify that the security measures that we have in place are adequate in protecting the Data Within Your Control that we store.
Notifying you of a Data Breach
When we are made aware of and confirm the occurrence of a Data Breach, we will immediately notify you in line with the requirements set out in the applicable Data Protection Laws. In order for us to assist you in complying with your notification obligations as set out in articles 33 and 34 of the GDPR, we will provide you with information of the Data Breach that we are reasonably able to disclose with you. The information disclosed will be based upon the type of data involved with the Data Breach, the sensitivity of the data, and if it is subject to any restrictions that prevent us from disclosing information. Our duty to report and respond to a Data Breach as detailed in ‘Notifying you of a Data Breach’ is not and must not be misinterpreted as us acknowledging any fault or liability in regards to the Data Breach. However, our obligations as detailed above do not apply to incidents that are caused by you, any actions taken through your Account and/or any Third Party Services.
In the course of providing our Services, we may be required to contract with a Sub-Processor to perform a portion of the Services. You agree that we can share Data Within Your Control with Sub-Processors in order to provide the Services to you. A list of our current Sub-Processors is available upon request by sending an email through our contact form.
You acknowledge and agree that we will use Sub-Processors to process Personal Data and any Data Within Your Control in order for us to provide the Services. Our use of any specific Sub-Processor used must be in compliance with the Data Protection Laws and must be governed by a contract between us and the Sub-Processor.
You may object to any of the Sub-Processors used on the grounds that the request is related to data protection concerns. To do so, email [email protected]. If your objection is validated, we will work with you to find a viable alternative for providing the Services without using the Sub-Processor or Sub-Processors in question. If there is no reasonable action found that we can take and you still object to the Sub-Processor being used after notification, you will have the option to terminate your Account with us or, where possible, relinquish use of the part of the Services that require the Sub-Processor in question. If you object to the Sub-Processors that we use and there is no workaround for you to use the Services in any sense without using Sub-Processors in question, then please do not use the Services.
Regardless of any Sub-Processors that we use, we will remain responsible for maintaining its compliance with the Data Protection Laws, including any Data Breaches that involve our Sub-Processors and their Sub-contractors in relation to the Data Within Your Control.
Questions in Regards to our Compliance
We will, to a reasonable extent, provide information to you upon request regarding our compliance with this Data Processing Addendum, where such information is not otherwise accessible by you. Only the required information will be made available to you in order for you to fulfil your duties under the GDPR. (Please note that a non-disclosure agreement may be necessary before any information is shared with you as a result of your request).