Privacy Addendum
1 IN FORCE
1.1 The terms of this Schedule shall replace the previous processor clauses dated 25th May 2018 and shall continue in full force and effect from 27/07/2021 until the termination or expiry of Your agreement with Us, whereupon it shall automatically terminate.
2 AGREED TERMS
2.1 In this Addendum the following words shall have the following meanings:
2.2 “Personal Data Breach” means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
2.3 “Data Protection Legislation” shall mean the Data Protection Act 2018, the Retained Regulation (EU) 2016/679 (UK GDPR) as incorporated under the European Union (Withdrawal) Act 2018 and as amended by The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019, and any other laws or regulations applicable in the United Kingdom, and, where applicable to Us in the performance of this Agreement to You, the General Data Protection Regulation (Regulation (EU) 2016/679 (EU GDPR)), in each case as amended or repealed.
2.4 “personal data”, “data subject”, “controller”, “processor” and “process” shall be interpreted in accordance with applicable Data Protection Legislation.
2.5 “Your personal data” shall mean the personal data in Your Customer Data that is processed by Us pursuant to this Agreement.
AMENDMENT TO AGREEMENT
All clauses in the Agreement which relate to data protection shall be replaced or amended, mutatis mutandis, in order that this Addendum governs data protection from the Effective Date.
2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, and You are the controller of such personal data. The Product Fact Sheet sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 2, We may amend the Product Fact Sheet from time to time.
2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful.
2.3. Subject to clauses 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data outside of the European Union or the UK (the “Approved Jurisdiction”) without Your documented instruction. For the avoidance of any doubt, any configuration of the service by You (or by Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 2, and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation.
2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing.
2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality.
2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general security measures are set out in clause 4 to this Schedule 2; the Access Product specific security measures are set out in the relevant Product Fact Sheet.
2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, provided that We shall notify You of the appointment of a new Sub Processor and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or such other timescale as may be specified in Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors, and, for the avoidance of doubt, We shall not share Your personal data with any Sub Processor You have objected to in accordance with this Agreement. We shall ensure that all Sub Processors are bound by a contract with Us which includes appropriate data processing terms, and We shall remain liable for Sub Processors’ acts and omissions in connection with this Agreement.
2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You, provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period that enables You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication directly from a third party or data subject which relates directly or indirectly to the processing of Your personal data.
2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with mitigation of the impact of the Personal Data Breach and any notification to the applicable supervisory authority and data subjects, considering the nature of processing and the information available to Us.
2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide You with a data protection impact assessment upon request, and with prior consultations with supervisory authorities which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of Your personal data by Us.
2.11. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement.
2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.2 to 2.11 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that Your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.
2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringe Data Protection Legislation, We shall inform You immediately and You shall reconsider Your instruction in light of the Data Protection Legislation and Our reasoning (where such reasoning is provided). We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing, or amend Your instructions to make them non-infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction.
2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and/or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement.
2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive).
2.16. Where You consider it necessary to amend this Schedule 2 as a result of any changes in law relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 2 to ensure compliance with such law.
2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.
3. DETAILS OF PROCESSING
3.1. For details of how personal data is processed under this Agreement, please register to see our "Security Portal" at https://access-support.force.com/Support/s/gdpr-hub. You may also request a copy of the Product Fact Sheet from Your Access Account Manager.
3.2. If You are not already registered on the Security Portal, You will need to do so. If You have any problems registering, please contact [email protected]
4. SECURITY STANDARDS
4.1. We are currently ISO27001 certified, and We undertake to maintain this certification for the Licence Term. ISO27001 certification demands best-in-class controls across:
4.1.1. Information security policies
4.1.2. Organisation of information security
4.1.3. Human resource security
4.1.4. Asset management
4.1.5. Access control
4.1.6. Cryptography
4.1.7. Physical and environmental security
4.1.8. Operations security
4.1.9. Communications security
4.1.10. System acquisition, development and maintenance
4.1.11. Supplier relationships
4.1.12. Information security incident management
4.1.13. Information security aspects of business continuity management
4.1.14. Compliance, with internal requirements such as policies and with external requirements such as laws
4.2. Nothing in clause 4 to this Schedule 2 (or otherwise) shall prevent Us from replacing the ISO27001 certification with a certification of equivalent or enhanced standing.