Data Processing Addendum
This Data Processing Addendum (this “Addendum”) is executed by and between Pickaweb Limited, a company incorporated and registered in England and Wales with company number 07462192 whose registered office is at Monomark House, 27 Old Gloucester Street, London WC2N 3AX (“Pickaweb”) and you (the “Customer”) and is annexed to and supplements our Terms & Conditions – Web Hosting and our Privacy and Data Protection Policy and any and all agreements governing the provision of services to the Customer (collectively, these “Terms of Service”). Unless otherwise defined this Addendum, all capitalised terms not defined in this Addendum will have the meanings given to them in the Terms & Conditions – Web Hosting and the Privacy and Data Protection Policy. Pickaweb and the Customer are each a “Party” and are together the “Parties”.
Data Controller means the Customer, as the entity which determines the purposes and means of the Processing of Personal Data.
Data Processor: means Pickaweb, as the entity which Processes Personal Data on behalf of the Data Controller.
Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Data Subject: an individual who is the subject of Personal Data.
Personal Data: means any information relating to an identified or identifiable natural person that is Processed by the Data Processor as a result of, or in connection with, the provision of the Services.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Processing:means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and “Process”, “Processes” and “Processed” will be interpreted accordingly.
Services: means any hosted services offered by Pickaweb to the Customer that involve the Processing of Personal Data.
Standard Agreements Clauses:the European Commission's Standard Agreements Clauses for the transfer of Personal Data from the European Union to processors established in third countries as set out in Commission Decision 2010/87/EU.
Sub-processor: means any data processor engaged by the Data Processor to Process data on behalf of the Data Controller.
2.1 The Parties agree that for the purposes of the Data Protection Legislation, the Data Controller is the ‘data controller’ and the Data Processor is the ‘data processor’ with respect to the Personal Data.
2.2 The Data Controller acknowledges that for the purposes of fulfilling its obligations under these Terms of Service, the Data Processor may have access to and may be required to Process Personal Data on behalf of the Data Controller and in accepting these Terms of Service, the Data Controller authorises the Data Processor to Process the Personal Data in accordance with these Terms of Service.
3.1 The Data Processor will Process Personal Data as necessary to perform the Services pursuant to these Terms of Service and as further instructed by the Data Controller throughout its use of the Services.
The nature of the Processing will be storage of the Personal Data and as further instructed by the Data Controller throughout its use of the Services.
3.2 The business purpose of the Processing will be for the Data Processor to perform its obligations to the Data Controller under these Terms of Service.
3.3 The Data Processor will Process Personal Data during the effective date of these Terms of Service but will abide by the terms of this Addendum for the duration of the Processing if in excess of that term, and unless otherwise agreed upon in writing between the Data Processor and the Data Controller.
3.4 The Data Processor will Process Personal Data during the effective date of these Terms of Service but will abide by the terms of this Addendum for the duration of the Processing if in excess of that term, and unless otherwise agreed upon in writing between the Data Processor and the Data Controller.
3.5 The Data Controller may upload Personal Data during its use of the Services as determined by the Data Controller in its sole discretion and which may include Identity Data, Contact Data, Financial Data, Transaction Data, Technical Data, Profile Data, Usage Data and Marketing & Communications Data.
3.6 Data Subjects will include any user of the Data Controller’s websites, products or services.
3.7 The Parties will comply with all applicable requirements of the Data Protection Legislation and these Terms of Service are in addition to, and do not relieve, remove or replace, a Party's obligations under the Data Protection Legislation.
3.8 Without prejudice to the generality of clause 3.7, the Data Controller will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Data Processor for the duration and purposes of these Terms of Service. The Data Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation.
3.9 Without prejudice to the generality of clause 3.7, the Data Processor shall, in relation to any Personal Data Processed in connection with the performance by the Data Processor of its obligations under these Terms of Service:
3.9.1 Process that Personal Data only on the written instructions of the Data Controller (unless required by the Data Protection Legislation to act without such instruction);
3.9.2 ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;
3.9.3 ensure that any personnel who have access to the Personal Data shall be under a duty to keep such Personal Data confidential;
3.9.4 assist the Data Controller, at the Data Controller’s cost, in responding to any request from a Data Subject to exercise their rights under the Data Protection Legislation and to assist the Data Controller in ensuring its compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.9.5 not transfer any Personal Data outside of the European Economic Area without applying the Standard Agreements Clauses;
3.9.6 not appoint any Sub-processor without the written consent of the Data Controller and only if the Data Processor enters into a written agreement with the Sub-processor incorporating terms which are substantially similar to those set out in this clause 3.9 prior to any Sub-processor being appointed.
3.9.7 notify the Data Controller without undue delay on becoming aware of a Personal Data breach;
3.9.8 at the written direction of the Data Controller, delete or return Personal Data and copies thereof to the Data Controller on termination of these Terms of Service unless required by any applicable law to store or retain the Personal Data;
3.9.9 submit to any audits and inspections as required, including providing any required information, to ensure that the Data Controller and the Data Processor are each meeting their respective obligations under the Data Protection Legislation; and
3.9.10 maintain complete and accurate records and information to demonstrate its compliance with this clause 3.9.
3.10 Neither Party shall be required to comply with or observe the other Party’s instructions if such instructions would violate the Data Protection Legislation.
These Terms of Service will remain in full force and effect so long as the Data Processor provides relevant services to the Data Controller or the Data Processor retains any Personal Data related to the Services.
5.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to the Data Controller to the address provided in the Terms & Conditions – Web Hosting and delivered to the Data Processor to Monomark House, 27 Old Gloucester Street, London WC2N. This clause 5.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution. A notice given under these Terms of Service is not valid if sent by email.
5.2 If any provision or part-provision of these Terms of Service is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause 5.2 shall not affect the validity and enforceability of the rest of these Terms of Service.
5.3 No variation of these Terms of Service shall be effective unless it is in writing and signed by the Parties (or their authorised representatives). No failure or delay by a Party to exercise any right or remedy provided under these Terms of Service or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy. A waiver of any right or remedy under this agreement or by law is only effective if it is in writing. Except as expressly provided in these Terms of Service, the rights and remedies provided under these Terms of Service are in addition to, and not exclusive of, any rights or remedies provided by law.
5.4 Nothing in these Terms of Service is intended to, or shall be deemed to, establish any partnership or joint venture between the Parties, nor constitute either Party the agent of the other for any purpose. Neither Party shall have authority to act as agent for, or to bind, the other Party in any way.
5.5 A person who is not a party to these Terms of Service shall not have any rights to enforce its terms.
5.6 No variation of these Terms of Service, including the introduction of any additional terms and conditions, shall be effective unless agreed in writing and signed by the Parties.
5.7 These Terms of Service and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).