Where Customer is subject to EU data protection laws, this Data Processor Addendum shall apply to the extent that Supplier processes personal data on Customer’s behalf.
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processor Addendum;
1.3 “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Customer in accordance with section 5.1;
1.4 “Customer” means the Customer or Licensee under the Main Agreement;
1.5 “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Main Agreement i) until 25 May 2018, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State; ii) on and from 25 May 2018 the General Data Protection Regulation (EU) 2016/679 (“GDPR”); iii) EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State; and iv) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities; in each case together with all laws implementing, replacing, amending or supplementing the same and any other applicable data protection or privacy laws;
1.6 “EEA” means the European Economic Area;
1.7 “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Supplier on behalf of the Customer pursuant to or in connection with the Main Agreement;
1.8 “Main Agreement” means the license or services agreement into which this Addendum is incorporated;
1.9 “Services” means the services described in the Main Agreement;
1.10 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
1.11 “Sub-processor” means any data processor (including any affiliate of the Supplier) appointed by the Supplier to process personal data on behalf of the Customer;
1.12 “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
1.13 “Supplier” means the Supplier or Licensor under the Main Agreement.
2. PROCESSING OF THE PERSONAL DATA
2.1 The parties agree that the Customer is a data controller and that the Supplier is a data processor for the purposes of processing Personal Data.
2.2 Each party shall at all times in relation to processing connected with the Main Agreement comply with Data Protection Laws.
2.3 The Supplier shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Main Agreement and for the specific purposes in each case as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Customer’s documented instructions (whether in the Main Agreement or otherwise) unless processing is required by applicable law to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform the Customer of that legal requirement before processing that Personal Data.
2.4 The Supplier shall immediately inform the Customer if, in its opinion, an instruction pursuant to the Main Agreement or this Addendum infringes Data Protection Laws.
2.5 The Customer warrants to and undertakes with the Supplier that all data subjects of the Personal Data have been or will be provided with appropriate notices and information to establish and maintain for the relevant term the necessary legal grounds under Data Protection Laws for transferring the Personal Data to the Supplier to enable the Supplier to process the Personal Data in accordance with this Addendum and the Main Agreement.
3. PROCESSOR PERSONNEL
3.1 The Supplier shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
3.2 The Supplier shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 2.1 above in the context of that person’s or party’s duties to the Supplier.
3.3 The Supplier shall ensure that all such persons or parties involved in the processing of Personal Data are subject to:
3.3.1 confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
3.3.2 user authentication processes when accessing the Personal Data.
4.1 The Supplier shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
5.1 Subject to section 5.4, the Supplier shall not engage any Sub-processor to process Personal Data other than with the prior specific or general written authorisation of the Customer.
5.2 In the case of general written authorisation, the Supplier shall inform the Customer of any intended changes concerning the addition or replacement of other processors, thereby giving the Customer the opportunity to object to such changes.
5.3 With respect to each Sub-processor, the Supplier shall:
5.3.1 carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
5.3.2 include terms in the contract between the Supplier and each Sub-processor which are the same as those set out in this Addendum, and shall supervise compliance thereof;
5.3.3 insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Customer into the contract between the Supplier and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Customer may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies); and
5.3.4 remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
5.4 As at the date of the Main Agreement or (if later) implementation of this Addendum, the Customer hereby authorises the Supplier to engage those Sub-processors set out in Annex 2 (Authorised Sub-processors).
6. DATA SUBJECT RIGHTS
6.1 The Supplier shall without undue delay, and in any case within three (3) working days, notify the Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in chapter III of GDPR, and shall provide full details of that request.
6.2 The Supplier shall co operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Main Agreement, which shall include:
6.2.1 the provision of all information reasonably requested by the Customer within any reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
6.2.2 where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
6.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Customer to allow the Customer to respond effectively to relevant complaints, communications or requests.
7. INCIDENT MANAGEMENT
7.1 In the case of a personal data breach, the Supplier shall without undue delay notify the personal data breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a personal data breach under Data Protection Laws. Such notification shall as a minimum:
7.1.1 describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2 communicate the name and contact details of the Supplier’s data protection officer or other relevant contact from whom more information may be obtained;
7.1.3 describe the likely consequences of the personal data breach; and
7.1.4 describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 The Supplier shall fully co-operate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Customer to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under Data Protection Laws.
7.3 The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Supplier shall not inform any third party without first obtaining the Customer’s prior written consent, unless notification is required by law to which the Supplier is subject, in which case the Supplier shall to the extent permitted by such law inform the Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Customer before notifying the personal data breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 The Supplier shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments and any consultations with any Supervisory Authority of the Customer as may be required in relation to the processing of Personal Data by the Supplier on behalf of the Customer.
9. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
9.1 Upon request made by the Customer within thirty (30) days of the earlier of: (i) cessation of processing of Personal Data by the Supplier; or (ii) termination of the Main Agreement, the Supplier shall return all Personal Data to the Customer. After such thirty (30) day period, the Supplier shall securely dispose of Personal Data and delete all copies of it (except to the extent that any applicable law requires the Supplier to retain a copy of such Personal Data) and Customer acknowledges that the Supplier will have no obligation to maintain or provide such Personal Data.
10. AUDIT RIGHTS
10.1 The Supplier shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws and allow for and contribute to audits, including inspections by the Customer or another auditor mandated by the Customer of any premises where the processing of Personal Data takes place.
10.2 The Supplier shall permit the Customer or another auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Addendum are being complied with.
10.3 The Supplier shall provide full co operation to the Customer in respect of any such audit and shall at the request of the Customer, provide the Customer with evidence of compliance with its obligations under this Addendum and Data Protection Laws.
11. INTERNATIONAL TRANSFERS OF CONTROLLER PERSONAL DATA
11.1 The Supplier shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data), unless authorised in writing by the Customer in advance.
11.2 When requested by the Customer, the Supplier shall promptly enter into (or procure that any relevant Sub-processor of the Supplier enters into) an agreement with the Customer on Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the EEA without an adequate level of protection.
12.1 The disclaimers and limitations of liability set out under the Main Agreement shall apply also to this Addendum.
13.1 The Customer shall pay any reasonable costs and expenses incurred by the Supplier in meeting the Customer’s requests made under this Addendum.
14.1 Any obligation imposed on the Supplier under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of the Main Agreement.
14.2 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between the Main Agreement or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
The subject matter of the data processing under this DPA is personal information relating to clients and staff of the Customer and users of the Application.
The duration of the data processing under this DPA is until the earlier of: (a) deletion of data in accordance with Supplier’s archiving processes; or (b) request for data deletion by the Customer or data subject.
The nature and purpose of the processing of Personal Data
The nature of the processing Supplier provides to the Customer is a Salon and Spa management system. It provides appointment book, point of sale, client management, stock management, marketing and report functionality.
The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of the Supplier’s obligations under the Main Agreement (including this DPA) or as otherwise agreed by the parties
The categories of data subject to whom the Personal Data relates
The Data Subject categories processed are Clients of the Customer, Staff of the Customer and Users of the application.
The types of Personal Data to be processed
Identification and contact data
– first name
– last name
– phone numbers
– date of birth
Personal data associated with a client including:
– client and appointment attributes
– documents and photos
– first name
– last name
c) Application Users:
– first name
– last name
Personal data associated with users:
– usage/log data
ANNEX 2: AUTHORISED SUB-PROCESSORS
Baxus uses these third party sub processors to assist it in providing the Services to the Customer:
- Amazon Web Services for cloud hosting
- MailChimp for email marketing
- Intercom for user tracking and user messaging
- Kapow (Cygnet Internet Services Ltd) for SMS messaging
- Zendesk for in app chat and helpdesk
- Rollbar for error logging.
- Mailgun for transactional email
- CLX Communications Ltd for SMS messaging
- Twilio Inc for SMS messaging
ANNEX 3: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
Categories of Processing
Country (International Transfer)
Safeguards in Place
|1||Hosting for Application Storage||Republic of Ireland||Amazon Web Services Inc||EU Country|
|2||SMS messaging||UK||Kapow (Cygnet Internet Services Ltd)||EU Country|
|3||Hosting of Messaging Storage (txt and email)||New Zealand||NetValue||Adequate Country|
|4||Hosting for Photos and Document Storage||US||Amazon Web Services Inc||Sub Processor is Privacy Shield compliant|
|5||In application messaging||US||Intercom||Sub Processor is Privacy Shield compliant|
|6||Application Error logging||US||Rollbar Inc||Sub Processor is Privacy Shield compliant|
|7||In application chat and helpdesk||US||Zendesk Inc||Sub Processor is Privacy Shield compliant|
|8||Email Marketing||US||MailChimp (The Rocket Science Group)||Sub Processor is Privacy Shield compliant|
|9||SMS messaging||Sweden||CLX Communications Ltd||EU Country|
|10||SMS messaging||US||Twilio Inc||Sub Processor is Privacy Shield compliant|
For the purposes of clause 5.3.3 of this Data Processor Addendum, the Customer acknowledges that the Safeguards specified as being in place in respect of each Sub Processor named in the table above provide an adequate protection in respect of processing of Personal Data in the relevant third country(ies).
Date issued: 24 May 2018.