DATA PROCESSING ADDENDUM
Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU – Standard Contractual Clauses (Processors)
This Data Processing Addendum ("DPA") is made as of the Effective Date by and between PARiM Limited (“PARiM”), and Customer (“Company”), pursuant to the Subscription Terms of Service ("Agreement").
This DPA is in addition to the PARiM standard Agreement and sets out the terms that apply when Personal Data is processed by PARiM under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed. Other capitalised terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1. Definitions
1.1. For the purposes of this DPA:
a) “Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
b) "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
c) "Data Subject" shall be given the meaning provided under EU Data Protection Legislation;
d) “EEA” means the European Economic Area, which constitutes the member states of the European Union, the United Kingdom, Norway, Iceland and Liechtenstein;
e) “EU Data Protection Legislation” means applicable privacy and data protection legislation, including but not limited to: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, including any applicable national implementations of it, the Electronic Communications Data Protection Directive 2002/58/EC and the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended, replaced or superseded) ("GDPR") and any national implementations of the GDPR, the Electronic Communications Data Protection Directive 2002/58/EC and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended, replaced or superseded);
f) “Processor” shall mean an entity which processes Personal Data on behalf of the Controller; and
g) “Personal Data” means any information relating to an identified or identifiable natural person.
2. Applicability of DPA.
2.1. Applicability. This DPA will apply only to the extent that PARiM processes Personal Data in the context of its activities in the European Union ("EU") and/or its processing of Personal Data of Data Subjects in the EU on behalf of the Customer.
3. Roles and responsibilities.
3.1. Parties' Roles. To the extent that PARiM processes Personal Data in the course of providing the Services, it will do so only as a Processor acting on behalf of Customer (as Controller) and in accordance with the requirements of the Agreement.
3.2. Purpose Limitation. PARiM will process the Personal Data only for the purposes of providing the Services and in accordance with Customer's lawful documented instructions.
3.3. Compliance. Both Parties shall (and PARiM shall procure that any Sub-Processor involved in the provision of the Services pursuant to the Agreement shall) comply at all times with the requirements of the EU Data Protection Legislation and neither party shall perform their obligations under the Agreement in such a way as to cause the other party to breach any of its obligations under the EU Data Protection Legislation.
4. Security.
4.1. Security. PARiM will have in place and maintain throughout the term of this agreement appropriate technical and organisational measures which are appropriate against the level of risk to the security of Personal Data, in particular from Data Breach, including, but not limited to the encryption of Personal Data, to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing (a “Security Incident”). For further information in respect of the minimum security measures maintained by PARiM see Secure and Reliable Workforce Management Software.
4.2. Security Incident. In the event of a Security Incident, PARiM will notify Customer as soon as reasonably practicable, and in any event within 72 hours of discovering the Security Incident when it constitutes a Data Breach, and will provide reasonable assistance to the Customer in order to remedy or mitigate the effects of the Security Incident.
4.3. The notification in clause 4.2 shall describe the nature of the incident and, in respect of a Data Breach, shall include, where possible, the categories and approximate number of Data Subjects concerned, the likely consequences of the Data Breach and the measures proposed to be taken by PARiM to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5. Data Protection Officer
5.1. PARiM has appointed a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations. The appointed person may be reached at DPA@parim.co.
6. Sub-processing
Sub-processing. Customer authorizes PARiM to subcontract processing of Personal Data under the Agreement to a third party (a "Sub-Processor") provided that:
(i) PARiM provides Customer with at least sixty (60) calendar days' prior notice of any such subcontracting, giving the Customer an opportunity to object to such change;
(ii) PARiM enters into written arrangements with any Sub-Processors imposing data protection obligations which include the same or substantially similar provisions as set out in this DPA, including as a minimum Sections 3.2 and 4; and
(iii) PARiM complies with any obligations imposed upon it under Exhibit A in respect of Sub-processing.
7. International transfers
7.1. With the exception of the "Agreed Transfers" detailed in Exhibit B to this DPA, PARiM shall not transfer any Personal Data in respect of the Services outside the EEA without the Customer's documented instructions unless required to do so under applicable law, in which case PARiM shall inform the Customer of that legal requirement before processing unless the law prohibits such information on important grounds of public interest.
7.2. Adequacy. In respect of the Agreed Transfers and any specific transfers for which the Customer has provided documented instructions under clause 6.1, PARiM will provide an adequate level of protection and appropriate safeguards for Personal Data that it processes on behalf of Customer in accordance with the requirements of EU Data Protection Legislation.
8. Service Data
8.1 Notwithstanding anything in this DPA, PARiM will have the right to collect, extract, compile, synthesize and analyze non-personally identifiable data or information resulting from the Customer's use or operation of the Services (“Service Data”) including, by way of example and without limitation, information relating to volumes, frequencies, recipients, or any other information regarding the system usage and communications Customer, its end users or recipients generate and send/process using the Services. To the extent any System Usage/ Service Data is collected or generated by PARiM such data will be solely owned by PARiM and may be used by PARiM for any lawful business purpose without a duty of accounting to Customer or its recipients, provided that such data is used only in an aggregated form, without identifying any person. For the avoidance of doubt, this DPA will not apply to System Usage/ Service Data as such data does not constitute Personal Data.
9. Miscellaneous
9.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
9.2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will prevail.
9.3. Any claims brought under this DPA shall not be subject to any exclusions and limitations set forth in the Agreement.
9.4. PARiM shall indemnify, defend and hold harmless the Customer and its employees, principals, agents and affiliates from and against any losses, damages, costs, expenses (including court costs and legal fees), judgments, assessments, fines and other liabilities arising out of or resulting from any third-party claims or actions resulting from any breach of this DPA or EU Data Protection Legislation by PARiM.
Exhibit A – GDPR Addendum
The parties agree that the following terms in this Exhibit A shall apply to the Agreement and the DPA only on and after 25 May 2018.
1. Scope. The subject-matter of the data processing is the provision of the Services and the processing will be carried out for the duration of the Agreement. Exhibit B sets out the nature and purpose of the processing, the types of Personal Data PARiM processes and the categories of Data Subjects whose Personal Data is processed.
2. Instructions. The Agreement and this DPA set out Customer's complete documented instructions to PARiM in relation to the processing of the Personal Data (including in respect of transfers of Personal Data as set out at clause 6 of the DPA) and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
3. Purpose Limitation. If PARiM is required to process the Personal Data for any other purpose by EU or national law to which PARiM is subject, PARiM shall inform Customer of this requirement before the processing, except where otherwise required by such law.
3.1. Data Protection Impact Assessments. PARiM shall, to the extent required by EU Data Protection Legislation, provide the Customer with assistance in relation to data protection impact assessments including any related prior consultations with supervisory authorities that Customer is required to carry out under EU Data Protection Legislation.
4. Subprocessing.
4.1. Customer agrees that PARiM may engage PARiM Sub-Processors to process the Personal Data on PARiM's behalf in accordance with clause 5 of the DPA.
4.2. PARiM shall remain liable for any breach of the DPA caused by a Sub-Processor.
4.3. PARiM may, by giving reasonable notice to the Customer, add or make changes to the Sub-Processors. If the Customer objects to the proposed appointment of a Sub-Processor or any changes in respect of a Sub-Processor within thirty (30) calendar days of such notice, then PARiM will not appoint the Sub-Processor or make the proposed changes and will work in good faith with the Customer to find an alternative solution.
5. Security
5.1. PARiM shall take all measures required pursuant to Article 32 of the GDPR and shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and information available to PARiM, including in respect of data security, notification of Security Incidents (both to regulatory bodies and affected customers), completing data protection impact assessments and engaging in any prior consultations with supervisory authorities (as detailed at clause 3.1 above) required by GDPR. In particular, PARiM shall comply with clause 4 of the DPA in respect of security measures and Security Incident reporting.
5.2. PARiM will also ensure that any person that it authorises to process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
6. Audit. Whilst it is the parties' intention ordinarily to rely on the provision of the documentation to verify PARiM's compliance with this DPA, PARiM shall supply the Customer with such information as it may reasonably require or request to satisfy itself that PARiM is complying with its obligations under the EU Data Protection Legislation and shall allow for and contribute to, and permit the Customer (or its appointed third party auditors) to, carry out an audit (including inspections) of PARiM's processing of Personal Data. Customer must give PARiM reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to PARiM's operations. Any such audit shall be subject to PARiM's security and confidentiality terms and guidelines. If PARiM declines to follow any instruction requested by Customer regarding audits, Customer is entitled to terminate this DPA and the Agreement.
7. Data Subjects' rights. PARiM shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests from Data Subjects seeking to exercise their rights laid down in Chapter III of the GDPR. In the event that such request is made directly to PARiM, PARiM shall promptly (and in any event within 24 hours) inform Customer of the same, forward the request to the Customer and provide Customer with all information that it reasonably requires to respond to the request.
8. Deletion / return of Personal Data. Upon termination or expiry of the Agreement, PARiM shall, at Customer's election, delete or return to Customer all relevant Personal Data (including copies) in PARiM's possession, save to the extent that PARiM is required by any applicable law to retain some or all of the Personal Data in which case it shall hold such information confidentially and shall not use it for any other purpose.
9. If there is a conflict between the DPA and this Exhibit, the terms of this Exhibit will prevail.
Exhibit B – Data Processing Appendix
Data Subject categories
The Personal Data transferred concern the following categories of Data Subjects:
End users – individuals (typically employees) who interact with the Customer by way of the PARiM communication platform.
Type of personal data
The Personal Data transferred concern the following types of personal data:
Name, email address, IP address, data analytics, device data, usage data, location data, and interactions with end users via the communication platform.
Special categories of data (if appropriate)
The Personal Data transferred does not concern special categories of personal data.
Processing operations
The Personal Data transferred will be subject to the following basic processing activities:
Personal Data will be transferred from the Customer to PARiM for PARiM to provide a communication platform to facilitate interaction and engagement between the Customer and the end user.
This service will consist of providing a communication platform for the Customer to use in order to on-board and retain end users as well as analyze their use of the Customer's product and / or services.
Full details about PARiM's products and services can be found at https://www.parim.co/
Agreed Transfers
The Client agrees that Personal Data may be transferred outside of the EEA to the following third party processors who are engaged by PARiM, provided that any transfer is made in accordance with the terms of this DPA:
Third party: Amazon Web Services, Inc
Adequate safeguards in place by PARiM: EU-US Privacy Shield (adequacy decision)