Controller Processor Addendum
1. Introduction
1.1 This Addendum applies to any Personal Data that our Subscribers and Customers store using the Services. It sets out the parties’ respective rights and obligations regarding the treatment of any such Personal Data that IT Glue processes in the course of providing the Services.
1.2 In this Addendum:
“Data Protection Legislation”
means (i) the GDPR, unless and until the GDPR is no longer directly applicable in the UK, and then (ii) any successor legislation to the GDPR or the DPA.
“DPA”
means the UK Data Protection Act 1998, as amended or updated from time to time.
“GDPR”
means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK.
“Other Applicable Laws”
means the laws of any member of the European Union or the laws of the European Union applicable to IT Glue concerning the Processing of Personal Data, other than the Data Protection Legislation.
“Special Category Data”
has the meaning set out in the Data Protection Legislation, and includes, for example, information about a data subject’s ethnic origin; politics; religion; trade union membership; genetics; biometrics; health; sex life; or sexual orientation.
1.3 In this Addendum, the terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller” and “Data Processor” have the meanings set out in the Data Protection Legislation.
1.4 Annex 1 to this Addendum sets out the categories of Data Subject whose Personal Data will be processed, the types of Personal Data, the scope, nature and purpose of the intended Processing, and the duration of the Processing.
2. General obligations of the parties
2.1 The parties acknowledge that for the purposes of the Data Protection Legislation, the Subscriber is the Data Controller and IT Glue is the Data Processor.
2.2 The parties will comply with all applicable requirements of the Data Protection Legislation. The provisions of this Addendum are in addition to, and do not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
3. Obligations of the Subscriber
3.1 Without limiting paragraph 2.2, the Subscriber is responsible for ensuring that it has all necessary consents and notices in place to enable lawful transfer of the Personal Data to IT Glue for the duration and purposes of the Services.
3.2 The Subscriber must not submit, collect or use any Special Category Data with or to the Services, and must ensure that none of its Customers submits, collects or uses any Special Category Data with or to the Services. The Subscriber agrees that IT Glue shall have no liability for Special Category Data received from the Subscriber or any Customer, notwithstanding anything to the contrary herein, and all such liabilities are hereby excluded to the fullest extent permitted by law.
3.3 The Subscriber shall indemnify IT Glue in respect of any claim by a Data Subject that the processing by IT Glue of Personal Data submitted by the Subscriber or by any Customer is unlawful on the grounds that IT Glue was not entitled to process the Personal Data.
4. Obligations of IT Glue
4.1 Without limiting paragraph 2.2, IT Glue shall comply with the following provisions of this Section 4, in relation to any Personal Data processed in connection with its performance of the Services.
4.2 IT Glue shall process the Personal Data only on the written instructions of the Subscriber or Customer, unless IT Glue is required otherwise by Other Applicable Laws. Where IT Glue is relying on Other Applicable Laws as the basis for Processing, IT Glue shall promptly notify the Subscriber of this before performing the processing required by the Other Applicable Laws (unless those Other Applicable Laws themselves prohibit IT Glue from doing so).
IT Glue shall ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
4.3 IT Glue shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. In this paragraph 4.4:
4.3.1 “appropriate” means that the measures are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures; and
4.3.2 the measures in question may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of IT Glue’s systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
4.4 IT Glue shall assist the Subscriber in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
4.5 IT Glue shall delete or return Personal Data and copies thereof to Subscriber on termination of the Services, in accordance with Section 6 of the Terms of Service, unless required by the Data Protection Legislation or Other Applicable Law to retain the Personal Data.
4.6 IT Glue shall maintain complete and accurate records and information to demonstrate its compliance with this Addendum, and make them available for inspection from time to time as reasonably required by the Subscriber or its designated auditor.
4.7 IT Glue shall immediately inform the Subscriber if, in its opinion, an instruction infringes Data Protection Legislation or Other Applicable Laws.
4.8 IT Glue shall not transfer any Personal Data outside the European Economic Area unless (a) the prior written consent of the Subscriber has been obtained (and the Subscriber hereby consents to the transfer of Personal Data to IT Glue’s data centres in the US and Canada), and (b) the following conditions are fulfilled:
4.8.1 the Subscriber or IT Glue has provided appropriate safeguards in relation to the transfer;
4.8.2 the data subject has enforceable rights and effective legal remedies;
4.8.3 IT Glue complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and
4.8.4 IT Glue complies with reasonable instructions notified to it in advance by the Subscriber with respect to the processing of the Personal Data.
4.9 IT Glue shall notify the Subscriber without undue delay on becoming aware of a Personal Data breach.
5. Engagement of Sub-Processors
The Subscriber consents to IT Glue appointing one or more subcontractors as third-party processors of Personal Data under this Agreement. IT Glue confirms that it has entered or (as the case may be) will enter into a written agreement with each third-party processor incorporating terms which are substantially similar to those set out in this Addendum. If so requested by the Subscriber, IT Glue shall notify the Subscriber in writing with details of the relevant subcontractors (including company name, scope of processing and location of services) whenever a new subcontractor is engaged, and with details of all subcontractors at least once in every 12-month period. As between IT Glue and the Subscriber, IT Glue shall remain fully liable for all acts or omissions of any third-party processor appointed by it under this provision.
Annex 1 to the Addendum
Particulars of Processing
[Details to be completed by the parties, having regard to the nature of the particular personal data that will be processed under this Agreement. GDPR requires this information to be included in any Controller-Processor arrangement.]
1 Categories of Data Subject
2 Types of Personal Data to be processed
3 Scope, nature and purpose of Processing
4 Duration of Processing