1. When you, in your quality as Account Owner, use our Service, you will act as a controller (or other processor, as the case may be) of personal data, and we will in turn act as a processor (or sub-processor, as the case may be) of such personal data, under and in accordance with applicable data protection legislation, namely, the EU General Data Protection Regulation (the ‘GDPR’), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
Any queries regarding this Addendum should be sent to firstname.lastname@example.org.
In this Addendum, the following terms shall have the following meanings:
Relationship between the parties to this Addendum.
Instructions from the Data Controller
You shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to us for processing.
We shall not transfer Data outside of the European Economic Area (‘EEA’) unless we have taken such measures as are necessary to ensure that the transfer is compliant with applicable data protection legislation. Such measures may include, without limitation, transferring the Data to a recipient in a country that is deemed to afford adequate protection of personal data, equivalent to EU standards, or to a recipient in the U.S. that is EU-US Privacy Shield certified, or to a recipient that has otherwise executed standard contractual clauses or binding corporate rules, where applicable, adopted or approved by the European Commission.
Confidentiality of Processing
You hereby agree that we may appoint and engage third parties as sub-processors to process Data for the Permitted Purpose or pursuant to your Instructions, provided that:
Data Subject Rights
Taking into account the nature of the processing, we endeavour to co-operate and assist you, to the fullest extent of our ability and in a timely manner, in so far as this is possible and reasonable for us to do so, and at your expense, to respond to requests you receive, in your quality as controller or processor, as the case may be, by data subjects seeking to exercise their rights under applicable data protection legislation, or to address any other queries or complaints received from data subjects, competent supervisory authorities or other third parties in relation to the processing of Data. We also undertake to promptly inform you and provide full details, without undue delay, should we receive any such request, query or complaint directly.
Our Service enables you to activate a number of controls including specific security features and functionalities that you may use to retrieve, correct, delete or restrict Data, which controls may be used to assist you in connection with your respective obligations under the GDPR, including responding to requests from data subjects.
You remain responsible for properly configuring the Service and implementing any such control measures to ensure compliance with GDPR requirements including to respond to queries from data subjects.
Security Measures and Security Breaches
We commit to implementing technical and organisational measures – please refer to Annex I hereof –to protect the Data from any security breach including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, the Data (‘Security Breach’).
As soon as we become aware of any Security Breach, we undertake to promptly inform you, without undue delay, and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to comply with any data breach reporting or notification obligations you may have toward the competent supervisory authority which is concerned by/with the protection of personal data and to data subjects, where applicable, in accordance with applicable data protection legislation. We further undertake to take any and all such reasonable measures and actions to remedy or mitigate the effects of any such Security Breach and to keep you informed of all material developments in connection with the same.
Our undertakings or commitments in the manner here-afore described do not constitute an admission on our part of any fault or liability with respect to any such Security Breach. Furthermore, unsuccessful Security Breaches fall outside the scope of this provision.
Data Protection Impact Assessment
If we believe or become aware that our processing of Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, we shall duly inform you and shall endeavour to co-operate and assist you, to the fullest extent of our ability, in so far as this is possible and reasonable for us to do so, to enable you to carry out any data protection impact assessment that may be required under applicable data protection legislation.
Deletion or return of Data
Obligation to demonstrate Compliance
We shall make available to you all information necessary, in so far as this is possible and reasonable for us to do so, to demonstrate our compliance with our obligations under applicable data protection legislation and undertake to carry out audits, including inspections by you or an independent auditor mandated by you.