Terms and Conditions of Use
GDPR365 LICENCE AGREEMENT (“AGREEMENT”)
Table of contents:
- General Terms
- Data Processing Addendum
1. DEFINITIONS AND INTERPRETATION1.1 In this Agreement, unless the context otherwise requires, the following terms have the following meanings: “Agreement” – means this GDPR365 Licence Agreement, the Data Processing Addendum and any other documents expressly referenced in these; “Authorised Users” – means those employees, agents and independent contractors of the Customer who are authorised by the Customer to access and use the Solution on behalf of and for the sole benefit of the Customer; “Business Day” – means Monday to Friday excluding any public holidays in the Netherlands; “Business Hours” – means 9 am – 5.00pm on a Business Day; “Confidential Information” – means any and all information in any form or medium obtained by or on behalf of either party from or on behalf of the other party in relation to this Agreement which is expressly marked as confidential or which a reasonable person would consider to be confidential, whether disclosed or obtained before, on or after the date of this Agreement, together with any reproductions of such information or any part of it; “Customer Data” – means any data inputted into the Solution by or on behalf of the Customer and/or otherwise created through use of the Solution by the Customer; “Data Protection Legislation” – means any applicable law, statute, regulation or sub-ordinate legislation and all policies, codes of conduct, direction, policy rule or order issued by any regulatory body having jurisdiction over a party within the Netherlands that is from time to time in force, relating to data protection, privacy and the processing of personal data, including
- the Privacy and Electronic Communications (EC Directive) Regulations 2003;
- the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or
- any corresponding or equivalent national laws or regulations from the date that they come into force;
- acts of God, flood, drought, earthquake or other natural disaster;
- epidemic or pandemic;
- terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations;
- nuclear, chemical or biological contamination or sonic boom;
- any law or any action taken by a government or public authority;
- collapse of buildings, fire, explosion or accident;
- any labour or trade dispute, strikes, industrial action or lockouts; and
- interruption or failure of a utility service;
2. TERM2.1 The Agreement shall commence on the Effective Date and shall continue for Subscription Terms unless and until terminated in accordance with the terms of this Agreement. 2.2 Either party may terminate this Agreement upon providing not less than 30 days’ written notice to the other party, such notice not to expire prior to the end of the then current Subscription Term. In the event the Customer terminates prior to the end of a Subscription Term, the Customer shall be liable to pay the Fees for the remainder of that Subscription Term.
3. SERVICE3.1 During the Term and subject to the terms and conditions of this Agreement, GDPR365 shall provide the Service. 3.2 As part of the Service, GDPR365 grants to the Customer a limited, non-exclusive, non-transferable and non-sub-licensable licence to access and use the Solution and the Templates for its own internal business purposes. 3.3 The Customer acknowledges and accepts that the Solution is hosted by GDPR365’s trusted third party hosting service provider(s) based within the European Union. 3.4 The Agreement only permits access to the Solution by persons who are Authorised Users. In relation to the Authorised Users, the Customer undertakes that: 3.4.1 the maximum number of Authorised Users that it authorises to access and use the Service shall not exceed the number of users permitted under the Subscription Plan subscribed to by the Customer; 3.4.2 each Authorised User shall keep a secure password for his/her use of the Service and shall keep the password secure and confidential; 3.4.3 it shall maintain a written, up to date list of current Authorised Users and provide such list to GDPR365 upon a written request at any time. The Customer shall notify GDPR365 immediately of any Authorised User that should no longer have access to the Solution and of any new Authorised User. 3.5 The Customer acknowledges and agrees that it is responsible for all acts and omissions of an Authorised User and for ensuring their compliance with the terms of this Agreement. 3.6 The Customer shall not access, store, distribute or transmit via the Solution any Viruses, or any material during the course of its use of the Service that: 3.6.1 is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; 3.6.2 facilitates illegal activity; 3.6.3 depicts sexually explicit images; 3.6.4 promotes unlawful violence; 3.6.5 is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or 3.6.6 is otherwise illegal or causes damage or injury to any person or property; and GDPR365 reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to the Solution in the event of any breach of the provisions of this clause. 3.7 The Customer shall not and shall not attempt to: 3.7.1 except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement: (a) copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Solution (as applicable) in any form or media or by any means; or (b) de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Solution; 3.7.2 access all or any part of the Solution in order to build a product or service which competes with the Solution and/or any of the Templates; 3.7.3 use the Solution to provide services to third parties; 3.7.4 license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Solution and/or any Templates available to any third party except the Authorised Users; 3.7.5 attempt to obtain, or assist third parties in obtaining, access to the Solution, other than as provided under this clause 3; 3.7.6 use or knowingly permit the use of any security testing tools in order to prove, scan or attempt to penetrate the security of the Solution; and/or 3.7.7 use or launch, or knowingly permit the use or launch of, any automated system, including “robots”, “spiders” or “offline readers” that access the Solution in a manner that sends more messages to the Solution in a given period of time than a human can reasonably produce in the same period by using a conventional online web browser. 3.8 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Solution and, in the event of any such unauthorised access or use, shall promptly notify GDPR365 in writing. 3.9 Access to the Solution is licensed and not sold. The Customer shall not, by virtue of this Agreement or otherwise, acquire any rights whatsoever in the Solution aside from the limited licenses granted under this Agreement. GDPR365 and its licensors shall retain all right, title and interest in and to the Solution and all Intellectual Property Rights in the Solution as well as any modifications or enhancements made to the Solution.
4. GDPR365’S OBLIGATIONS4.1 GDPR365 undertakes that the Service will be provided with reasonable skill and care. 4.2 GDPR365: 4.2.1 does not warrant that the Customer’s use of the Service will be uninterrupted or error-free or that the Service, Solution, Templates and/or the information obtained by the Customer through the Service, including Documents, will meet the Customer’s requirements; 4.2.2 provides the Solution, the Templates and/or any Documents for facilitating administration, mapping documentation and other work related to complying with with Data Protection Legislation, but GDPR is not a legal advisor and does not warrant that the Solution, the Templates and/or any Documents will meet the customer’s legal or other obligations. The Customer is solely responsible for obtaining its own legal advice as to whether the Solution, the Templates and any Documents comply with the Customer’s obligations under the Data Protection Legislation and other applicable laws; 4.2.3 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Service and the Solution may be subject to limitations, delays and other problems inherent in the use of such communications facilities; and 4.2.4 shall use commercially reasonable endeavours to make the Service available 24 hours a day, seven days a week, except for planned maintenance and unscheduled maintenance. 4.3 will, as part of the Service, provide the Customer with GDPR365’s standard customer support during Business Hours as further detailed by GDPR365 on the Website and as may be amended from time to time. 4.4 warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement.
5. CUSTOMER’S OBLIGATIONS5.1 The Customer shall provide GDPR365 with: (a) all necessary co-operation in relation to this Agreement; and (b) all information as may be reasonably required by GDPR365; in order for GDPR365 to provide the Service. 5.2 The Customer warrants that: 5.2.1 all user information including information regarding Authorised Users is accurate and that such information will be updated as necessary to maintain its completeness and accuracy; 5.2.2 it will comply with all applicable laws and regulations with respect to its activities under this Agreement; 5.2.3 it will ensure Authorised Users use the Service in accordance with the terms and conditions of this Agreement and the Customer shall be responsible for any Authorised User’s breach of this Agreement; 5.2.4 it will establish adequate operational back-up systems and procedures to ensure recovery and continuity of its systems and operations in the event of a failure of the Solution; 5.2.5 it will ensure that its network and systems comply with the relevant specifications provided by GDPR365 from time to time; 5.2.6 it will use current industry standard anti-malware protection solutions to reduce the risk of passing Viruses into the Solution; and 5.2.7 it will be solely responsible for procuring and maintaining its network connections and telecommunications links.
7. FEES AND PAYMENT7.1 The Customer shall pay the Fees to GDPR365 in accordance with this clause 7 and without any deduction, discount, counterclaim, set-off or withholding. 7.2 The Customer shall provide to GDPR365 valid, up-to-date and complete contact and billing details. 7.3 The Fees shall be paid monthly by direct debit unless agreed otherwise by GDPR365. 7.4 In the event that the Customer wishes to upgrade to a different Subscription Plan it shall notify GDPR365 and pay any necessary further Fees (where applicable). The Customer shall only be permitted to downgrade its Subscription Plan at the end of a Subscription Term for the subsequent Subscription Term. In the event of any downgrade, GDPR365 shall not be obliged to refund any Fees already paid by the Customer. 7.5 If GDPR365 has not received payment of any sums due under this Agreement by the due date, and without prejudice to any other rights and remedies of GDPR365: 7.5.1 GDPR365 may, without liability to the Customer, suspend the Service and disable the Customer’s and all Authorised User’s access to all or part of the Solution and GDPR365 shall be under no obligation to provide any or all of the Service to the Customer while the invoice(s) concerned remain unpaid; and 7.5.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of GDPR365’s bankers in the Netherlands from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment. 7.6.1 shall be payable in pounds sterling or Euros as stipulated by GDPR365; 7.6.2 are non-cancellable and non-refundable; 7.6.3 are exclusive of value added tax, which shall be added to GDPR365’s invoice(s) at the appropriate rate. 7.7 GDPR365 shall be entitled to review and increase the Fees annually at the end of a Subscription Term in line with any increase in the Consumer Price Index (CPI) in the preceding 12 months. 7.8 GDPR365 shall otherwise be permitted to increase the Fees upon not less than 90 days’ prior written notice to the Customer to be given prior to the start of the next Subscription Term.
8. INTELLECTUAL PROPERTY RIGHTS8.1 The Customer acknowledges and agrees that GDPR365 and/or its licensors own all Intellectual Property Rights in the Solution and the Templates. 8.2 In relation to the Templates, the Customer is permitted to use the Templates to create customised documents for its own internal business purposes only and shall not distribute the Templates to a third party. 8.3 GDPR365 warrants that it has all the rights in relation to the Solution and the Templates that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this Agreement.
9. CONFIDENTIALITY9.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party’s Confidential Information shall not be deemed to include information that: 9.1.1 is or becomes publicly known other than through any act or omission of the receiving party; 9.1.2 was in the other party’s lawful possession before the disclosure; 9.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or 9.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence. 9.2 Subject to clause 9.4, each party shall hold the other’s Confidential Information in confidence and not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this Agreement. 9.3 Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement. 9.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 9.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure. 9.5 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party. 9.6 GDPR365 acknowledges that the Customer Data is the Confidential Information of the Customer. 9.7 The above provisions of this clause 9 shall survive termination of this Agreement, however arising.
10. INDEMNITY10.1 GDPR365 shall defend the Customer, its officers, directors and employees against any claim that the Solution infringes any Intellectual Property Rights (“Claim”) and shall indemnify the Customer for any amounts finally awarded against the Customer in judgment or settlement of such Claims, provided that: 10.1.1 GDPR365 is given prompt written notice of any such Claim; 10.1.2 the Customer provides reasonable co-operation to GDPR365 in the defence and settlement of such Claim; and 10.1.3 GDPR365 is given sole authority to defend or settle the Claim. 10.2 In the defence or settlement of any claim, GDPR365 may at its sole discretion, procure the right for the Customer to continue using the Solution, replace or modify the Solution so that it becomes non-infringing or, if such remedies are not reasonably available, terminate this Agreement without any additional liability or obligation to pay damages or other additional costs to the Customer. 10.3 In no event shall GDPR365, its employees, agents and sub-contractors be liable to the Customer including under clause 10.1, to the extent that the Claim is based on: 10.3.1 a modification of the Solution by anyone other than GDPR365; 10.3.2 the Customer’s use of the Solution in breach of this Agreement; and/or 10.3.3 the Customer’s use of the Solution after notice of the alleged or actual infringement from GDPR365 or any appropriate authority. 10.4 This clause 10 sets out the Customer’s sole and exclusive rights and remedies, and GDPR365’s (including GDPR365’s employees’, agents’ and sub-contractors’) entire obligations and liability for any Claim.
11. LIMITATION OF LIABILITY11.1 Nothing in this Agreement excludes or limits the Liability of GDPR365: 11.1.1 for fraud or fraudulent misrepresentation; 11.1.2 for death or personal injury caused by GDPR365’s negligence; 11.1.3 which it cannot exclude or limit as a matter of applicable law. 11.2 Except as expressly and specifically provided in this Agreement: 11.2.1 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law including any warranties of satisfactory quality or fitness for purpose are, to the fullest extent permitted by applicable law, excluded from this Agreement; and 11.2.2 the Service is provided to the Customer on an “As Is” basis. 11.3 Subject to clause 11.1: 11.3.1 GDPR365 shall have no Liability for any loss of profits, loss of business, depletion of goodwill and/or similar losses; loss or corruption of data or information; pure economic loss; and/or any special, indirect or consequential loss, costs, damages, charges or expenses; in all cases however arising under this Agreement and whether direct or indirect, foreseeable or otherwise; and 11.3.2 the total aggregate Liability of GDPR365 arising out of or in connection with this Agreement (unless otherwise excluded or limited) shall be limited to 125% of the total Fees paid by the Customer to GDPR365 during the 12 months immediately preceding the date of the event giving rise to the Liability. 11.4 The exclusions and limitations of Liability under clause 11.3 have effect in relation to both any Liability expressly provided for under this Agreement and to any Liability arising by reason of the invalidity or unenforceability of any term of this Agreement.
12. TERMINATION12.1 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if: 12.1.1 the other party is in material breach of any of its obligations under this Agreement, and, where such material breach is capable of remedy, the other party fails to remedy such breach within a period of 30 days of being notified of such breach by the party; and/or 12.1.2 the other party is subject to any insolvency proceedings such as suspention of payment or insolvency. 12.2 Termination of this Agreement shall be without prejudice to any accrued rights or remedies of either party. 12.3 Termination of this Agreement shall not affect the coming into force, or continuance in force, of any provision which is expressly or by implication intended to come into or continue in force on or after such termination. 12.4 On termination of this Agreement for any reason: 12.4.1 the licence granted under this Agreement shall immediately terminate and GDPR365 shall be entitled to disable Customer’s use of the Solution; 12.4.2 GDPR365 may, upon expiry of 3 months from the date of termination, destroy or otherwise dispose of any of the Customer Data in its possession ; and 12.4.3 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination shall not be affected or prejudiced.
13. FORCE MAJEURE13.1 If GDPR365 is subject to a Force Majeure Event, it shall not be in breach of this Agreement and shall be excused from performance under this Agreement while and to the extent it is unable to perform due to any Force Majeure Event. 13.2 If the circumstance of a Force Majeure Event continues for a period of 30 days or longer, either party shall have the right to terminate this Agreement upon written notice to the other.
14. WAIVER14.1 A waiver of any right or remedy under this Agreement is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.
15. SEVERANCE15.1 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. 15.2 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
16. ENTIRE AGREEMENT16.1 This Agreement and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter of this Agreement. 16.2 Each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement. 16.3 Neither party excludes or limits its liability for fraud or fraudulent misrepresentation.
17. ASSIGNMENT17.1 The Customer may not assign, sub-licence, novate or transfer any right, benefit or interest and/or any of its obligations under this Agreement, without GDPR365’s prior written consent. 17.2 GDPR365 shall be entitled to assign, sub-licence, novate or transfer any right, benefit or interest and/or any of its obligations under this Agreement.
18. NO PARTNERSHIP18.1 Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
19. THIRD PARTY RIGHTS19.1 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns).
20. NOTICES20.1 Any notice required to be given under this Agreement shall be in writing and shall be delivered by hand or sent by recorded delivery post or email to the other party at such address as may have been notified by that party for such purposes. 20.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in Business Hours, at 9 am on the first Business Day following delivery). A correctly addressed notice sent by recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by email to the email address set out above shall be deemed to have been received on the day it is sent if that is a Business Day or otherwise on the next Business Day.
21. VARIATION21.1 No changes may be made to this Agreement without the agreement in writing of each of the parties. 21.2 Notwithstanding the foregoing, GDPR365 has the right to amend the terms of this Agreement unilaterly. If it does so, it will inform the Customer accordingly. If GDPR365 amends the terms, the Customer has the right to terminate this Agreement during a term ending 30 days after the Customer was informed of the amendment.
22. GOVERNING LAW AND JURISDICTION22.1 This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of the Netherlands. 22.2 The parties submit to the exclusive jurisdiction of the courts in Amsterdam, the Netherlands, except that GDPR365: 22.2.1 has the right to sue in any jurisdiction in which the Customer is operating or has assets; and 22.2.2 has the right to sue for breach of its Intellectual Property Rights in any country where it believes that infringement or a breach of this Agreement relating to its Intellectual Property Rights might be taking place.
DATA PROCESSING ADDENDUMThis Data Processing Addendum (“Addendum”) forms part of the Licence Agreement entered into between GDPR365 (the trading name of Compliance Technology Solutions BV) (“GDPR365”) and the customer to whom GDPR365 provides the services (“Customer”) (the “Agreement”), either previously or concurrently with this Addendum. Where there is any conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall prevail. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by and including this Addendum. THE PARTIES AGREE AS FOLLOWS:
1. SCOPEThe following clauses will only apply to the extent that Data Protection Legislation applies to Protected Data (both as defined below).
2. DEFINITIONS2.1. Appropriate Safeguards: means such legally enforceable mechanism(s) for transfers of Personal Data outside the European Economic Area as may be permitted under Data Protection Legislation from time to time. Controller: has the meaning given to that term in Data Protection Legislation. 2.2 Data Protection Legislation: means any applicable Dutch or EU law, statute, regulation or sub-ordinate legislation and all policies, codes of conduct, direction, policy rule or order issued by any regulatory body having jurisdiction over a party that is from time to time in force, relating to data protection, privacy and the processing of personal data, including: (a) the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or (a) the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or (b) any corresponding or equivalent national laws or regulations from the date that they come into force. 2.3. Data Subject: has the meaning given to it in Data Protection Legislation. 2.4 EU: The European Union. 2.5 GDPR: means the General Data Protection Regulation (EU) 2016/679; 2.6. Member State: A member state of the EU. 2.7. Personal Data: has the meaning given to that term in Data Protection Legislation. 2.8. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by GDPR365, excluding unsuccessful attempts or activities that do not compromise the security of the Protected Data. 2.9. Processing or processing: has the meaning given to that term in Data Protection Legislation and related terms such as ‘process’ have corresponding meanings. 2.10. Processor: has the meaning given to that term in Data Protection Legislation. 2.11. Protected Data: means Personal Data processed by GDPR365 on behalf of the Customer as a Processor in connection with the provision of the Services. 2.12. Services: means the services provided by GDPR365 to the Customer pursuant to the Agreement. 2.13. Sub-Processor: another processor engaged by GDPR365 for carrying out processing activities in respect of the Protected Data as part of the Services. 2.14. Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. The definitions in this clause should, as far as possible, be interpreted in accordance with the GDPR.
3. GENERAL3.1. The Annexes form part of this Addendum and shall have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Annexes. 3.2. The Customer has engaged GDPR365 to perform and deliver the Services which may require GDPR365 to process Personal Data on behalf of the Customer as a Processor. 3.3. Annex A (“Details of Processing”) contains details about the processing of Protected Data by GDPR365.
4. INSTRUCTIONS BY CONTROLLER4.1. GDPR365 agrees that it shall only carry out processing of Protected Data on the documented instructions of the Customer as set out in this Addendum and Annex A (“Details of the Processing”), as updated from time to time upon written agreement between the parties (including with regard to the transfer of Personal Data to a third country or an international organisation). 4.2. GDPR365 may process the Protected Data outside of the instructions of the Customer if GDPR365 is required to do so by EU or Member State law to which GDPR365is subject; in such a case, GDPR365 shall to the extent permitted by law inform the Customer of that legal requirement before processing. 5. SECURITY 5.1. GDPR365 shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 5.2. GDPR365 shall in assessing the appropriate level of security take into account in particular the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
6.1. GDPR365 shall ensure that persons authorised by them to process the Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. COOPERATION AND INFORMATION
7.1. GDPR365 shall provide such information and assistance to the Customer as the Customer may reasonably require to allow it to comply with requirements of the GDPR, including, information and assistance relating to the security of processing, notification of Personal Data Breaches to the Supervisory Authority, communication of a Personal Data Breach to the Data Subject (where required), data protection impact assessments and/or prior consultation with a Supervisory Authority regarding high risk processing.
8. REQUESTS8.1. GDPR365 shall promptly assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
9. DATA BREACH
9.1. GDPR365 shall notify the Customer of any Personal Data Breach, promptly upon becoming aware of such Personal Data Breach.
9.2. In the case of a Personal Data Breach GDPR365 will assist the Customer in meeting its obligations under Articles 33 and 34 of the GDPR to inform the competent Supervisory Authority and Data Subjects. As the Controller, the Customer is solely responsible for complying with its notification obligations for Personal Data Breaches under Data Protection Legislation.
10. SUB-PROCESSORS10.1. The Customer acknowledges and agrees that GDPR365 engages Sub-Processors to provide certain services The Customer provides general consent to the engagement of such Sub-Processors. The current Sub-Processors are set out in Annex B. 10.2. GDPR365 will notify the Customer of the appointment of any new Sub-Processor or changes to any existing Sub-Processor. The Customer may object to the appointment of or any change in the Sub-Processor where it has reasonable grounds for doing so and in such circumstances GDPR365 shall be entitled to address the objection through one of the following options at its sole discretion: (i) cease to use the relevant Sub-Processor; (ii) take steps suggested by the Customer to address the objection; (iii) terminate or allow the Customer to terminate the Services. 10.3 .GDPR365 may only subcontract the processing of Protected Data under this Addendum to a Sub-Processor if GDPR365 has imposed legally binding contractual terms substantially the same as those contained in this Addendum on the Sub-Processor. The Customer acknowledges and agrees that it has no right to audit and inspect a Sub-Processor’s facilities and premises and that GDPR365 shall not be obliged to include such rights in its agreements with Sub-Processors.
11. AUDITS AND COMPLIANCE11.1. Upon reasonable request of the Customer, GDPR365 agrees to make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Addendum and the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer subject to clause 11.2. 11.2. The Customer shall give GDPR365 reasonable prior notice of any information request, audit or inspection and ensure that such audit or inspection is undertaken during normal business hours for GDPR365 and with minimal disruption to GDPR365. The Customer shall ensure that all information obtained or generated by the Customer pursuant to clause 11.1 is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable law). The Customer shall pay GDPR365’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits. 11.3 GDPR365 may object to any third party auditor appointed by the Customer to conduct any audit or inspection under clause 11.1 if the auditor is not in GDPR365’s reasonable opinion, suitably qualified or independent. Nothing in clause 11.1 gives the Customer any right to access any data of any other customer of GDPR365 or any information that could cause GDPR365 to breach its obligations under Data Protection Legislation and/or its confidentiality or privacy obligations to any third party.
12. DATA RETENTION AND DISPOSAL
12.1. GDPR365 shall at the express choice of the Customer and upon the end of the provision of Services relating to processing, either return to the Customer or delete or destroy all copies of the Protected Data in GDPR365’s possession or control and if the Customer requests, certify to the Customer that it has done so, unless EU or Member State law requires the storage of the Protected Data.
13. DATA TRANSFERS13.1 GDPR365 shall not transfer Protected Data outside of the European Economic Area unless there are Appropriate Safeguards in place and any transfer shall be in accordance with Data Protection Legislation.
14. AMENDMENTS14.1 GDPR365 may amend this Addendum at any time where required to comply with any applicable laws or where such amendments do not result in a material reduction in the protection of the Protected Data and do not breach Data Protection Legislation.
15.1. GDPR365’s liability under this Addendum shall be subject to the exclusions and limitations set out in the Agreement.
16. ENTRY INTO FORCE AND DURATION16.1. This Addendum will enter into force upon signing by both parties of the Agreement. 16.2. This Addendum will remain in effect until the Agreement is terminated.
Annex A – Details of the ProcessingDetailed description of the Processing – The processing of Personal Data to the extent necessary in the provision of the Services (including the subject-matter, nature and purpose) Duration of the Processing – The term of the Agreement and until deletion of all Protected Data by GDPR365 Types of Personal Data processed – Personal Data relating to individuals that is provided to GDPR365 via the Services by or at the direction of the Customer including without limitation, names, addresses, contact details, online identifiers and login details. Categories of Data Subjects – Individuals about whom Personal Data is provided to GDPR365 via the Services by or at the direction of the Customer.
Annex B – Sub Processors
|Name||Description of services|
|Freshworks||Support and Helpdesk|