A. Purpose, Background and Acknowledgements
The purpose of this Addendum is to:
- Comply with the requirements of the GDPR, and in particular Article 28 of the GDPR, with respect to the Processing of Personal Data by the Company on behalf of the Customer.
- Provide sufficient guarantees that the Company’s Processing of Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of Data Subjects.
- The Customer engages the Company pursuant to the Terms of Service which may involve the Processing of Personal Data on its behalf.
- This Addendum is to govern the scope and requirements upon which the Company must carry out the Processing of Personal Data on behalf of the Customer.
The parties acknowledge and agree that:
- With respect to the Processing of Personal Data:
  - The Customer is a Controller; and
  - The Company is a Processor;
- The relationship of the parties to this Addendum does not form a joint venture or partnership in any respect;
- Except as varied by the terms in this Addendum, the Terms of Service shall remain in full force and effect;
- The terms set out in this Addendum shall be considered and added as an addendum to the Terms of Service, and do not reduce the Company’s obligations under the Terms of Service;
- Nothing within the Addendum relieves the Company of its own direct responsibilities and liabilities under the GDPR; and
- With respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity, the parties submit to the jurisdiction of the competent courts of the governing law as per item F.
B. Key Definitions
1. Addendum Date
The date the last party signs this Addendum.
2. Controller
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and for the purposes of this Addendum, includes the Customer.
3. Data Subject
The natural person to whom Personal Data pertains.
4. GDPR
EU General Data Protection Regulation 2016/679
5. Personal Data
Any information relating to an identified or identifiable natural person that the parties may Process.
6. Processing
Any activity or combination of activities which is performed on Personal Data, including collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or otherwise making available (where “Process” shall have the same meaning).
7. Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, and for the purposes of this Addendum, includes the Company.
8. Sub-processor
Any entity that is appointed by the Company for the purposes of Processing the Personal Data on behalf of the Customer in accordance with item D.
9. Term
The period commencing on the Addendum Date until validly terminated in accordance with this Addendum, subject to the parties agreeing to a specific term in the Terms of Service.
10. Terms of Service
The agreement entered into between the Customer and the Company to govern the relationship of the parties.
C. Obligations of the Parties
1. Customer Obligations
Without limiting any obligations and conditions imposed on the Customer under the GDPR or other instrument or contract, the Customer shall:
- Ensure that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law, in particular the applicable provisions of the GDPR;
- Instruct, and throughout the duration of the Term will instruct, the Company to Process the Personal Data transferred only on the Customer’s behalf and in accordance with the applicable data protection law;
- Ensure that the Processor will provide sufficient guarantees in respect of the technical and organisational security measures;
- Ensure compliance with the security measures; and
- In the event of sub-processing, ensure that the Processing is carried out in accordance with this Addendum by a sub-processor providing at least the same level of protection for the Personal Data and the rights of Data Subjects as the Company.
2. Company Obligations
The Company shall:
- Process Personal Data in accordance with the GDPR, including the transfer of Personal Data to third countries or international organisations, unless otherwise required by law;
- Promptly notify the Customer about:
  - Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited,
  - Any accidental or unauthorised access to Personal Data, or other security breach, and
  - Any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;
- Inform the Customer immediately if it believes that a data processing breach has occurred, or will probably occur, providing the Customer with sufficient information to allow the Customer to meet its obligations under the GDPR and any other applicable data protection law;
- In the event of a data processing breach, co-operate with the Customer and take such reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such breach;
- Ensure that personnel authorised to Process the Personal Data on behalf of the Processor are bound by a contractual or statutory duty of confidentiality, and as much as possible limit the number of personnel who may access the Personal Data;
- Take all appropriate technical and organisational measures to ensure the security of Processing;
- Obtain the Customer’s prior written consent to engage sub-processors (except as authorised in this Addendum);
- Impose on its sub-processors the data protection obligations set out in the Addendum between the Customer and the Company by written contract;
- Taking into account the nature of the Processing, assist the Customer by taking appropriate technical and organisational measures, insofar as possible, to ensure fulfilment of the Customer’s obligation to reply to requests by Data Subjects exercising their rights;
- Assist the Customer in ensuring compliance with its security and certain other obligations such as the notification of personal data breaches, taking into account the nature of the Processing and the information available to the Company;
- At the Customer’s choosing, delete or return all Personal Data to the Customer upon completion of the Processing and return any existing copies of the data, unless otherwise required by law to store such data;
- Make available to the Customer all information necessary to demonstrate compliance with its obligations and allow and cooperate fully with audits, including inspections, conducted by the Customer or another person authorised to this end by the Customer;
- Employ a data protection officer if required by Article 37 of the GDPR; and
- Cooperate with any relevant supervisory authorities under the GDPR in the performance of their tasks.
D. Sub-processing of Personal Data
The Company shall have the authority to appoint sub-processors (which may include such entities already engaged by the Company), subject to the conditions set out in item D.3 being met.
- The Company shall give the Customer prior written notice of the appointment of any new Sub-processor, including full details of the Processing to be undertaken by the Sub-processor.
- If, within 5 days of receipt of the notice under (a) above, the Customer notifies the Company in writing of any objections (on reasonable grounds) to the proposed appointment, the Company must not appoint (or disclose any Personal Data to) that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Customer.
- The Customer agrees that the Company may publish a standard list of Sub-processors on its publicly available website, which shall be deemed compliance with this item D.
With respect to the appointment of a Sub-processor, the Company shall:
- Ensure that the express prior written consent of the Customer is obtained for the appointment of a new Sub-processor;
- Before the Sub-processor first Processes Personal Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by this Addendum;
- Ensure that the arrangement between the Company and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR;
- Provide to the Customer for review such copies of the agreements with Sub-processors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Customer may request from time-to-time; and
- Provide to the Customer an up-to-date list of all Sub-processors used for the Processing of Personal Data as the Customer may request from time-to-time.
E. Termination, Liability and Indemnity
1. Termination
This Addendum shall automatically expire on the date the Terms of Service is validly terminated between the parties.
2. Effect of Termination
- The Company shall promptly, and in default within 10 business days of the date of termination of this Addendum, delete or procure the deletion of all copies of Personal Data, unless storage of the data is otherwise required by law.
- Any rights and obligations of the parties accrued prior to termination shall continue to exist.
- Provisions which, by their nature, are intended to continue to apply after termination of this Addendum, will continue to apply after termination, including those provisions concerning confidentiality, indemnity and limitation of liability.
3. Liability
- The Customer will not be held liable for any breach with respect to the Processing of Personal Data unless it is in any way responsible for the event giving rise to the damage.
- Without limiting the indemnity under item E.4, where a party has been held liable for a claim for damages by a Data Subject, such party shall have the right to seek partial compensation from the other party (including any Sub-processor) for that party’s share of responsibility for the damage suffered by the Data Subject.
4. Indemnity
The Company hereby indemnifies and shall keep indemnified the Customer from and against all actions, claims, demands, losses, damages, costs and expenses which the Customer may sustain or incur in respect of, or arising from, any breach by the Company of this Addendum and/or the GDPR, including the Processing of Personal Data outside the scope of authorisation and/or inconsistent with the instructions of the Customer.
Annexure - Details of Processing of Personal Data
This Annexure includes certain details for the Processing of Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of Processing
The subject matter and duration of the Processing of the Personal Data are set out in the Terms of Service and this Addendum.
Nature and purpose of Processing
The Customer has engaged the Company to provide the Milanote SaaS application service.
Type of Personal Data being Processed
- Personal data (including name, location, date of birth)
- Personal photos (including profile picture)
- Contact information (including phone number and email address)
- Financial information (including credit card details)
- Statistical information (including online habits and preferences)
- Device information (including number and type of devices, and operating systems on those devices)
- Location information (including IP address and location of device)
Categories of Data Subjects being Processed
Customers and other users authorised and/or invited by the Customer, such as members of the Customer’s team.
Obligations and Rights of the Customer
The obligations and rights of the Customer are set out in the Terms of Service and this Addendum.