Last Updated June 30th 2019
If you require a signed copy of this addendum, please email email@example.com.
This Addendum is incorporated into the Terms of Service ("Agreement") between the Company and the Customer and applies in respect of the provision of the Services to the Customer if the Processing of Customer Personal Data (as defined below) is subject to the GDPR, only to the extent the Customer is a Controller of Customer Personal Data and Company is a Processor. The Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
1.1. For the purposes of the Addendum:
1.1.1. "Customer Personal Data" means the Personal Data described under Section 2 of this Addendum, in respect of which the Customer is the Controller;
1.1.2. "Data Protection Legislation" means all applicable legislation relating to data protection and privacy including without limitation the GDPR together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
1.1.3. "GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
1.1.4. "Personal Data", "Data Subject", "Personal Data Breach", "Processing" (or "Process"), "Processor" and "Controller" will each have the meaning given to them in the GDPR; and
1.1.5. "Privacy Shield" means the EU-U.S. or Swiss-U.S., as applicable, Privacy Shield frameworks operated and administered by the U.S. Department of Commerce.
1.2. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to Customer's employees (where Customer is a business) and the individuals with whom Customer corresponds through the Service (where Customer is an individual).
2.2. Types of Personal Data. Customer Personal Data includes Personal Data, the extent of which is determined and controlled by the Customer in its sole discretion, such as the contents, senders, and recipients of emails sent and received through the Service.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Company is the provision of the Services to the Customer that involves the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities which Company needs to perform in order to provide the Services pursuant to the Agreement and any applicable statement of work.
2.4. Purpose of the Processing. Customer Personal Data will be Processed by Company for purposes of providing the Services set out in the Agreement and any applicable statement of work.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 10 of this Addendum.
3. Processing of Customer Personal Data
3.1. The parties acknowledge and agree that Customer is the Controller of Customer Personal Data and the Company is the Processor of that data. Company will only Process Customer Personal Data as a Processor on behalf of and in accordance with the Customer's prior written instructions, including with respect to transfers of personal data. Company is hereby instructed to Process Customer Personal Data to the extent necessary to enable Company to provide the Services in accordance with the Agreement.
3.2. If Company cannot Process Customer Personal Data in accordance with Customer's instructions due to a legal requirement under any applicable European Union or Member State law, Company will (i) promptly notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as the Customer issues new instructions with which Company is able to comply. If this provision is invoked, Company will not be liable to the Customer under the Agreement for failure to perform the Services until such time as the Customer issues new instructions.
3.3. Each of the Customer and the Company will comply with their respective obligations under the Data Protection Legislation. Customer shall ensure that Customer has obtained (or will obtain) all rights and consents (if required) which are necessary for Company to Process Customer Personal Data in accordance with this Addendum.
3.4. In connection with the performance of the Agreement, Customer authorizes Company to transfer Customer Personal Data from the European Economic Area ("EEA") to the United States. Company has certified to the [EU-U.S. and Swiss-U.S.] Privacy Shield frameworks as administered by the U.S. Department of Commerce and commits to comply with its obligations for the Customer Personal Data transferred under the Privacy Shield throughout the term of this Addendum.
4.1. Company will ensure that any person whom Company authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
5. Security Measures
5.1. Company will implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
5.2. Company will, at the Customer's request and subject to the Customer paying all of Company's fees at prevailing rates, and all expenses, provide the Customer with reasonable assistance as necessary for the fulfilment of the Customer's obligation to keep Customer Personal Data secure.
6.1. Customer authorizes Company to appoint sub-Processors to perform specific services on Company's behalf which may require such sub-Processors to Process Customer Personal Data. Company will inform Customer of any intended changes concerning the addition or replacement of any sub-Processors and Customer will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
6.2. Company will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Company under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, Company will be liable to the Customer for the performance of its sub-Processors' obligations.
7. Data Subject Rights
7.1. Company will, at the Customer's request and subject to the Customer paying all of Company's fees at prevailing rates, and all expenses, provide the Customer with assistance necessary for the fulfilment of the Customer's obligation to respond to requests for the exercise of Data Subjects' rights. Company shall not respond to such requests without Customer's prior written consent and written instructions. Customer shall be solely responsible for responding to such requests.
8. Personal Data Breaches
8.1. Company will notify the Customer as soon as practicable after it becomes aware of any Personal Data Breach affecting any Customer Personal Data. At the Customer's request and subject to the Customer paying all of Company's fees at prevailing rates, and all expenses, Company will promptly provide the Customer with all reasonable assistance necessary to enable the Customer to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the GDPR. Customer is solely responsible for complying with data incident notification requirements applicable to Customer and fulfilling any third-party notification obligations related to any data incidents.
9. Data Protection Impact Assessment; Prior Consultation
9.1. Company will, at the Customer's request and subject to the Customer paying all of Company's fees at prevailing rates, and all expenses, provide the Customer with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if the Customer is required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by the Company of the Customer Personal Data, taking into account the nature of the Processing and the information available to the Company.
10. Return or Deletion of Customer Personal Data
10.1. Company will return or delete, at Customer's choice, Customer Personal Data to the Customer after the end of the provision of Services relating to the Processing, and delete existing copies unless the applicable European Union or member state law requires storage of the data.
11.1. The Company will, at Customer's request and subject to the Customer paying all of Company's fees at prevailing rates, and all expenses, provide the Customer with information sufficient to demonstrate compliance with its obligations under the GDPR, and, where such information does not demonstrate Company's compliance with the GDPR, allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, to the extent that such information is within Company's control and Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. Company will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Legislation.
12.1. Each party's liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
12.2. Notwithstanding the foregoing, the Customer acknowledges that the Company is reliant on the Customer for direction as to the extent to which Company is entitled to Process Customer Personal Data on behalf of Customer in performance of the Services. Consequently the Company will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by the Company, to the extent that such action or omission resulted from the Customer's instructions or from Customer's failure to comply with its obligations under applicable Data Protection Legislation.
13. General Provisions
13.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.