This agreement is between APJ Ltd of 25 Worthfield Close, Epsom KT19 9RF UK ("you" or "your") and Customer Name and Address ("we", "us" or "our"). It will take effect from 25 May 2018 and supplements or amends any current or future agreement in connection with the services we provide you (the “Main Terms of Service Agreement"). In the event of any conflict between a term in this Data Processing Agreement and the Terms of Service Agreement, the term in this Data Processing Agreement will prevail. The Main Terms of Service Agreement will remain in full force and effect in all other respects.
1. GDPR Compliance. The services we provide you under any Main Agreement may involve us processing the personal data of EU subjects on your behalf (your "Controlled Data”). Accordingly, in order to assist your compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), we confirm that we will (a) comply with applicable requirements of GDPR and (b) provide you with reasonable assistance to help you remain in compliance with GDPR. Please note that the terms of this Data Processing Agreement will only apply in relation to your Controlled Data.
2. Data processing. Your Controlled Data and the categories of data subject to which your Controlled Data relates are particularised in or are apparent from the Main Agreement. We confirm that we will process your Controlled Data only for the purposes contemplated in the Main Agreement or as we are required under GDPR. If we have actual knowledge that any such processing contravenes GDPR, we are entitled to refrain from this and will let you know. You agree not to ask us to do anything that would put you or us in breach of GDPR. If/when we stop working together, we will stop processing your Controlled Data and will immediately return or delete it, unless applicable law requires the contrary. At that point or if at any point GDPR ceases to apply to us, this Data Processing Agreement will come to an end.
3. Confidentiality. We will take steps to limit access to your Controlled Data to those personnel whom we believe reasonably need it to perform services under the Main Agreement or to ensure your or our compliance with GDPR. We will also ensure that those people have agreed to keep your Controlled Data confidential.
4. Sub-processors. You consent to us engaging third parties to act as processors of your Controlled Data on our behalf (“Sub-processors”), if we deem it beneficial to do so. We will require any Sub-processor(s) to enter into a contract with us on similar terms as this Data Processing Agreement and agree that we will remain fully liable to you for all acts or omissions of any Sub-processors.
5. Information security. We agree to implement and maintain appropriate technical and organizational measures to protect your Controlled Data. These measures will, at a minimum, meet the requirements set forth in Article 32(1) of GDPR.
6. Data breaches. We agree to notify you in writing as soon as we reasonably can in the unlikely event of any (a) breach or suspected breach of security that results in your Controlled Data being compromised; or (b) unauthorised (or suspected unauthorised) processing of your Controlled Data.
7. Data subject requests. In the event that a person makes any reasonable request concerning their personal data that is included in your Controlled Data, including (without limitation) a request to be informed what personal data is held about them, a request to access such data, a request for errors in such data to be rectified; a request for such data to be deleted or a request to restrict how such data may be processed, we will cooperate with you in actioning and responding to such request. You agree to reimburse any expenses we may incur in relation to this.
8. Data transfers outside the European Economic Area. You agree that we may transfer your Controlled Data outside the European Economic Area if we believe it necessary in the ordinary course of our business. We acknowledge that such transfers must comply with GDPR. Regarding FileMaker files hosted for you on our servers; by default these are backup up overnight to Cloud storage (currently DropBox) and may be stored outside the European Economic Area. We can arrange for your database files not to be included in these backups on request.
9. Audit and compliance. We will maintain records and information to demonstrate our compliance with GDPR and consent to you auditing these upon reasonable request and following reasonable written notice. If you have any concerns about our compliance with either GDPR or this Data Processing Agreement, you agree to notify us of these promptly and, in any event, before carrying out any audit.
10. Governing law and jurisdiction. The governing law and jurisdiction of this Data Processing Agreement shall be the same as the Main Terms of Service Agreement.