Data Processing Agreement
Last Updated: May 24th, 2018
| Term | Definition |
|---|---|
| “Customer Data” | means data provided by or on behalf of the Customer or Customer End Users via the Services under the account. |
| “Data Controller” | means the entity that determines the purposes and means of processing of Personal Data. |
| “Data Processor” | means the entity that processes Personal Data on behalf of the Data Controller. |
| “Data Protection Laws” | means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR. |
| “Data Subject” | means the individual to whom the Personal Data relates. |
| “EEA” | means the European Economic Area. |
| “GDPR” | means EU General Data Protection Regulation 2016/679. |
| “Personal Data” | means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under GDPR. |
| “Processing” | has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly. |
| “Sub-Processor” | means any third party authorised under this DPA to have logical access to and process Customer Data to provide parts of the Services. |
| “Services” | means any product or service provided to the Customer and as described in Rosier Internet’s Terms & Conditions. |
| “Standard Contractual Clauses” | means the EU model clauses for Personal Data transfer from controllers to processors c2010-593 – Decision 2010/87EU. |
| “Subsidiary” | means any entity that directly or indirectly controls, is controlled by, or is under common control of a party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party. |
Rosier Internet shall only process Customer Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Terms & Conditions; (ii) Processing initiated by end users in their use of the Services; (iii) Processing to comply with other documented, reasonable instructions provided by Customers where such instructions are consistent with the terms of this DPA.
The Customer is responsible for ensuring that all individuals who provide instructions are authorised to do so.
Rosier Internet shall not be required to comply with or observe Customer’s instructions if such instructions would violate the GDPR or any other applicable data protection or privacy laws. Rosier Internet will notify the Customer of any instruction that it deems to be in violation of such laws.
When Customer Data is processed by Rosier Internet, both parties agree that Rosier Internet is a Data Processor and the Customer is a Data Controller of the Customer Data.
The duration of the Processing, the nature and purpose of the Processing, the types of personal data and categories of Data Subjects Processed under this DPA are further specified in the Details of the Processing.
Rosier Internet shall treat all Customer Data as strictly confidential information. Customer Data may not be copied, transferred or otherwise processed in conflict with the instructions from the Customer, unless required by law.
Rosier Internet employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all Customer Data under this DPA with strict confidentiality and only process Customer Data in accordance with the instructions.
Sub-Processors and Data Transfers
The Customer acknowledges and agrees that: (i) Subsidiaries of Rosier Internet may be used as Sub-Processors; and (ii) Rosier Internet and its subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services.
All Sub-Processors who process Customer Data in the provision of the Services to the Customer shall comply with the obligations of Rosier Internet similar to those set out in this DPA.
Rosier Internet will make available to the Customer the current list of Sub-Processors.
Rosier Internet will update the list with the details of any change in Sub-Processors and notify the Customer at least 14 days before the new Sub-Processor processes any Customer Data.
The Customer may object in writing to the appointment of an additional Sub-Processor, provided such objection is based on reasonable grounds related to data protection.
At Rosier Internet’s sole discretion it may: (i) discuss commercially reasonable alternative solutions; or (ii) not appoint or replace the Sub-Processor; or (iii) permit the Customer to terminate the Contract in accordance with the cancellation provisions of the Terms & Conditions.
Where Sub-Processors are located outside of the EEA, Rosier Internet confirms that such Sub-Processors: (i) are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with Rosier Internet; or (iii) have other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
Rosier Internet will implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access as set out in our Security Documentation.
The security measures are subject to technical progress and development and Customer acknowledges that Rosier Internet may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security. In addition, Rosier Internet will make controls available to the Customer to further secure Customer Data.
Data Breach Notification
Rosier Internet will notify the Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Customer Data.
Rosier Internet will take all commercially reasonable measures to mitigate the effects and to minimise any damage resulting from the Data Breach.
To assist the Customer in relation to any personal data breach notifications the Customer is required to make under any applicable privacy laws, Rosier Internet will include in the notification such information about the Data Breach as Rosier Internet is reasonably able to disclose to the Customer, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information, such as confidentiality.
The Customer agrees that a failed Data Breach will not be subject to the terms of this Agreement. A failed Data Breach is one that results in no unauthorised access to Customer Data or to Rosier Internet’s Network, equipment, or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
Rosier Internet’s obligation to report or respond to a Data Breach is not and will not be construed as an acknowledgement by Rosier Internet of any fault or liability of Rosier Internet with respect to the Data Breach.
Notification(s) of Data Breaches, if any, will be delivered to the e-mail address registered against your account with us. It is the Customer’s sole responsibility to ensure they maintain accurate contact information within their account with us.
Data Subject Rights
If Rosier Internet directly receives a request from a Data Subject to exercise such rights in relation to Customer Data, Rosier Internet will forward the request to the Customer. The Customer must respond to any such request within the timeframes specified in the GDPR.
Where the Customer’s use of the Services limits its ability to address a Data Subject Request, Rosier Internet may, where legally permitted and appropriate and upon Customer’s specific request, provide commercially reasonable assistance in addressing the request, at Customer’s cost (if any).
The Customer has the right to confirm Rosier Internet’s compliance with its processing obligations and allow for and contribute to audits and inspections.
The Customer may at its own expense conduct an audit which will be: (i) limited in scope to matters specific to the Customer and agreed in advance with Rosier Internet; (ii) carried out during UK business hours and upon reasonable notice which shall be not less than 4 weeks; and (iii) conducted in a way which does not interfere with Rosier Internet’s day-to-day business. Rosier Internet may charge a fee (based on its reasonable time and costs) for assisting with any audit, with further details of any applicable fee, and the basis of its calculation, provided in advance of any such audit.
Any audit will be subject to confidentiality terms.
If Rosier Internet declines the request, the Customer is entitled to terminate this Agreement and the Terms & Conditions.
This clause shall not modify or limit the rights of audit of the Controller, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.
Return or Deletion of Customer Data
The Services provide the Customer with controls that the Customer may use to retrieve or delete Customer Data as described in the Services.
Termination of this Agreement or Services in line with Rosier Internet’s Terms & Conditions will result in all Customer Data being deleted, unless otherwise required by law.
The limitations on liability set out in the Terms & Conditions apply to all claims made pursuant to any breach of the terms of this DPA.
The parties agree that Rosier Internet shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Sub-Processors to the same extent Rosier Internet would be liable if performing the services of each Sub-Processor directly under the terms of this DPA, subject to any limitations of liability set out in the terms of the Terms and Conditions.
The parties agree that the Customer shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Subsidiaries as if such acts, omissions and negligence had been committed by the Customer itself.
The Customer shall not be entitled to recover more than once in respect of the same claim.
Term and Termination
This DPA will be effective and replace any previously applicable data processing agreement as from 25th May 2018 and will continue until the termination of Services under the Terms & Conditions.