Exinda Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Agreement(s) and is entered by and between the Customer and the Service Provider on the Effective Date. For the avoidance of doubt, this DPA is not valid or legally binding if there is no Agreement(s) in place between the Customer and the Service Provider.

This DPA becomes effective on the 25th May 2018 or on the acceptance of the Agreement(s), whichever is later (the “Effective Date”).

  1. DEFINITIONS

    1. “Agreement(s)” means the agreement entered into between Customer and Service Provider for the provision of Service Provider’s Services to the Customer with respect to the Exinda products and services. Our Agreement(s) are located here: https://www.gfi.com/legal.
    2. “Customer” means the legal entity who is receiving Services pursuant to the Agreement(s), including all affiliates of that entity, if any.
    3. “EEA” means the European Economic Area.
    4. “EU Rules” means the laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data under the Agreement(s), including (where applicable) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation (“GDPR”).
    5. “Privacy Shield” means the EU-US framework of privacy principles agreed on February 2, 2016 and formally adopted by the European Commission implementing decision C(2016) 4176 final of July 12, 2016, or any other framework for transferring Personal Data from the EEA or Switzerland to the United States that is approved by the European Commission as providing an adequate level of protection pursuant to the EU Rules.
    6. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Service Provider for the Customer pursuant to the Agreement(s).
    7. “Service Provider” means the legal entity which is a party to the Agreement(s) and Processes Personal Data on behalf of the Customer.
    8. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from a Data Controller in the EEA to Processors established in third countries under the EU Data Protection Directive 95/46/EC (the "Directive"), or any legislation replacing the Directive, in the form set out in the Annex of European Commission Decision 2010/87/EU (or any alternative or successor Decision that approves new standard contractual clauses for transfers to data processors in third countries), as amended by incorporating the description of the Personal Data to be transferred set out in Appendix 1 to this DPA and the technical and organisational measures to be implemented as set out in Appendix 2 to this DPA. The Standard Contractual Clauses are available on the European Commission's website at the following link: http://ec.europa.eu/justice/data-protection/international-transfers/files/clauses_for_personal_data_transfer_processors_c2010-593.doc.
  2. APPLICABILITY; ROLES OF THE PARTIES

    1. This DPA amends and supplements the Agreement(s) between the parties. The terms of this DPA will apply to all processing of Personal Data in relation to the Services provided under the terms of the Agreement(s). This DPA will not apply to the processing of Personal Data, where such processing is not regulated by the EU Rules.
    2. Capitalized terms used but not defined in this DPA have the meanings assigned to them in the Agreement(s) or the EU Rules. “Personal Data” as used in this DPA includes all data relating to Data Subjects located in the EEA and Switzerland that is processed by Service Provider on behalf of the Customer within the scope of the Agreement(s).
    3. In the context of this DPA, the Customer acts as a Data Controller and the Service Provider acts as a Data Processor with regard to the Processing of Personal Data.
    4. Service Provider shall carry out the Services and Process the Personal Data received from the Customer as set out in the Agreement(s) or as otherwise notified in writing by the Customer to Service Provider during the term of the Agreement(s). In the event that in Service Provider’s opinion a Processing instruction given by the Customer may infringe EU Rules, Service Provider shall immediately inform the Customer upon becoming aware of such a Processing instruction.
    5. Service Provider shall undertake at all times to comply with the EU Rules and not to perform its obligations under the Agreement(s) in such way as to cause the Customer to breach any of its applicable obligations under the EU Rules and any existing regulations issued by the relevant data protection authorities.
  3. DATA PROTECTION

    1. All Personal Data provided to Service Provider by the Customer or obtained by Service Provider in the course of its work with the Customer should be protected and may not be copied, disclosed or processed in any way without the written authority of the Customer. To the extent that the provisions of the Agreement(s) or the instructions of the Customer necessitate the copying, disclosure or processing of data, this will be deemed to constitute the required authority to do so.
    2. Service Provider agrees to comply from time to time with any reasonable measures required by the Customer to ensure its obligations under this DPA are satisfactorily performed in accordance with all applicable legislation. This includes any best practice guidance the Customer notifies Service Provider of.
  4. PROCESSING PERSONAL DATA
    1. Where Service Provider processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Customer it shall:

      1. Process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations under the Agreement(s) or as is required by law including the EU Rules and any existing laws, rules or regulations issued by the relevant data protection authorities;
      2. Implement appropriate technical and organisational measures and take the steps necessary to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested by the Customer; such security measures are set out in Section 6 of this DPA; and
      3. At the Customer’s request, promptly supply the Customer with details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access.
    2. Customer acknowledges and agrees that (a) Service Provider’s affiliates may be retained as Sub-processors; and (b) Service Provider and Service Provider’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Service Provider will ensure that any third party to which it sub-contracts any processing has entered into a written contract with Service Provider containing similar provisions to those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. Upon Customer’s request, Service Provider shall make available to Customer the current list of sub-processors with their country of location. If Service Provider provides hosting services under the Agreement(s), the Customer agrees and acknowledges that Service Provider is allowed to host the Personal Data at a third-party data center provider.
    3. Unless applicable laws require retention of such Personal Data, Service Provider agrees that in the event that it is notified by the Customer that it is not required to provide any further services to the Customer under this DPA, Service Provider shall transfer a copy of all information (including Personal Data) held by it in relation to this DPA to the Customer in a format chosen by the Customer (provided that the Customer pays for the associated costs) and/or, at the Customer’s request, destroy all such information using a secure method which ensures that it cannot be accessed by any third party and shall issue the Customer with a written confirmation of secure disposal.
    4. All copyright, database right and other intellectual property rights in any Personal Data processed under this DPA (including but not limited to any updates, amendments or adaptations to the Personal Data by either the Customer or Service Provider) will belong to the Customer. Service Provider is licensed to use such data only for the term of and in accordance with this DPA.
  5. RIGHTS OF DATA SUBJECTS
    1. Service Provider shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (each a “Data Subject Request”). Taking into account the nature of the Processing, Service Provider shall assist Customer by appropriate technical and organizational measures, to the extent possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Chapter III of the GDPR. Except to the extent required by applicable law, Service Provider shall not respond to any such Data Subject Request without Customer’s prior written consent except to confirm that the request relates to Customer.
    2. Further, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Service Provider shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Service Provider is legally permitted to do so and provided that such Data Subject Request is required under applicable EU Rules. Any costs arising from such provision of assistance shall be the responsibility of Customer, to the extent legally permitted.
  6. SECURITY
    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall ensure that in respect of all Personal Data it receives from or processes on behalf of the Customer it shall maintain security measures to a standard appropriate to the: (a) harm that might result from unlawful or unauthorised processing or accidental loss, damage or destruction of the Personal Data; and (b) nature of the Personal Data.
    2. Service Provider shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, and particularly those related to possible Personal Data Breaches. Specifically, Service Provider shall:
      1. have in place and comply with a security policy which: (a) defines security needs based on a regular Privacy Impact Assessment (“PIA”); (b) allocates responsibility for implementing the policy to a specific individual or members of a team, including having a Data Protection Officer (“DPO”) in place; (c) 5.3.1.3 is disseminated to all relevant members, volunteers and staff; and (d) provides a mechanism for feedback and review;
      2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
      3. prevent unauthorised access to the Personal Data;
      4. ensure its storage of Personal Data conforms with the industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
      5. have secure methods in place for the transit of Personal Data within the customer support portal (for instance, by using encryption);
      6. use password protection on computer systems on which Personal Data is stored and ensure that only authorised personnel are given details of the password;
      7. take reasonable steps to ensure the reliability of any employee, agent, contractor or other individuals who have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement(s), and to comply with EU Rules in the context of that individual's duties to the Service Provider;
      8. ensure that any employees, agents, contractors or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this DPA;
      9. ensure that none of the employees, agents, contractors or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Customer;
      10. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including: (a) the ability to identify which individuals have worked with specific Personal Data; and (b) having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the EU Rules, including written records.
      11. have a secure procedure for backing up and storing back-ups separately from originals; and
      12. have a secure method of disposal for unwanted Personal Data including back-ups, disks, print outs and redundant equipment.
    3. Service Provider shall provide the Customer with relevant documentation, such as an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, when the Customer reasonably considers that such data pr