Ibby Data Processing Agreement
GDPR TERMS AMENDMENT AGREEMENT
This Amendment (Amendment) is entered into between the parties identified above and amends any existing agreement to our service Terms (Agreement) in accordance with the requirements of the European Union General Data Protection Regulation (Regulation (EU) 2016/679).
- “DPA Effective Date” means either (i) May 25, 2018, if the date on which you electronically accept or otherwise agree or opt-in to this DPA is prior to that date; or (ii) the date on which you electronically accept or otherwise agree or opt-in to this DPA, if that date is after May 25, 2018.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- “Data Subject” means the individual to whom Personal Data relates.
- “Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
- “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
- “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
IT IS AGREED as follows:
- Capitalised terms used but not defined in this Amendment shall have the meaning given to them in the Agreement.
- In consideration of the performance of each party’s obligations set out in this Amendment and the Agreement, the parties agree that the Agreement be supplemented by adding the following clause 2 (the GDPR Terms).
- GDPR TERMS
- General terms
- To the extent that Ibby processes Personal Data in the course of providing the Services, each party acknowledges that, for the purpose of Data Protection Laws, Customer is the controller of the Personal Data and Ibby is the processor.
- Ibby shall implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
- Processing by Ibby shall be governed by this Agreement under any law of the European Union or any member state of the European Union, which is binding on Ibby with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of Customer are set forth in this Agreement and Appendix 1 (as amended by the parties from time to time).
- Ibby shall: (i) only process that Personal Data in accordance with the documented instructions of Customer (including to the extent necessary to provide the Services and to comply with its obligations under this Agreement); (ii) inform Customer if, in Ibby’s opinion, any of Customer’s instructions would breach Data Protection Laws; and (iii) assist Customer with undertaking an assessment of the impact of processing that Personal Data, and with any consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Protection Laws.
- Data Subject Rights
- Implement appropriate technical and organisational measures for the fulfilment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights of access, rectification or erasure, to restrict or object to processing of Personal Data, or to data portability; and
- If a Data Subject makes a written request to Ibby to exercise any of the rights referred to in clause 2.2(a), forward the request to Customer promptly and shall, upon Customer’s reasonable written request, provide Customer with all co-operation and assistance reasonably requested by Customer in relation to that request to enable Customer to respond to that request in compliance with applicable deadlines and information requirements.
- Security measures
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the risk of unauthorised or unlawful processing of Personal Data, and of accidental or unlawful loss, alteration, unauthorised disclosure or destruction of, or damage to, Personal Data; and
- Notify Customer without undue delay after becoming aware of a Personal Data Breach, and upon Customer’s reasonable written request, provide Customer with all cooperation and assistance reasonably requested by Customer to enable Customer to notify the Personal Data Breach to the relevant supervisory authority and relevant Data Subject(s) (as applicable).
- Sharing of personal data
- Customer authorises Ibby to engage appropriate processors to carry out the processing of the Personal Data as envisaged under these GDPR Terms and Appendix 1.
- Save for those processors detailed in Appendix 1, not engage another processor without prior specific or general written authorisation of Customer and in the case of general written authorisation, inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes;
- Before disclosing Personal Data to any processor, enter into a contract with that processor under which the processor agrees to comply with obligations equivalent to those set out in these GDPR Terms; and
- Before disclosing Personal Data to any of its employees and representatives, and the employees and representatives of each of its processors, in each case who have access to the Personal Data, ensure that those persons: (i) have undergone appropriate training in data protection and the care and handling of Personal Data; (ii) are bound to hold the information in confidence to at least the same standard as required under this Agreement (whether under a written agreement or otherwise).
- Transfers of personal data
- Not transfer Personal Data to, or process Personal Data in, any third country or territory without the prior written consent of Customer (which consent may be conditional upon Ibby or the relevant third parties entering into an agreement containing similar terms to these GDPR Terms with Customer) unless (and for so long as): (i) there has been a European Community finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC or, after 24 May 2018, Article 45 of the GDPR in respect of that country or territory; (ii) the transfer is to the United States to an importing entity that is a certified member of the EU-US Privacy Shield; or (iii) Customer and the relevant importing entity are party to a contract in relation to the export of Personal Data incorporating standard contractual clauses in the form adopted by the European Commission under Decision 2010/87/EU or an equivalent data transfer agreement meeting the requirements of Data Protection Laws.
- Where any mechanism for cross-border transfers of Personal Data is found by a supervisory authority, court of competent jurisdiction or other governmental authority to be an invalid means of complying with the restrictions on transferring Personal Data to a third country or territory as set out in Data Protection Laws, the parties shall act in good faith to agree the implementation of an alternative solution to enable Customer to comply with the provisions of Data Protection Laws in respect of any such transfer.
- Notify Customer if it receives any complaint, notice or communication which relates directly or indirectly to the processing of Personal Data, or to either party’s compliance with Data Protection Laws, and shall fully co-operate and assist Customer in relation to any such complaint, notice, communication or non-compliance; and
- Upon Customer’s reasonable written request, provide all information necessary to demonstrate compliance with these GDPR Terms, and allow Customer or an auditor appointed by Customer to carry out audits, including inspections of facilities, equipment, documents and electronic data, relating to the processing of Personal Data by Ibby or any processor, to verify compliance with these GDPR Terms.
- Unless expressly stated otherwise in this Agreement, upon termination of this Agreement, Ibby shall, and shall procure that each processor shall, immediately cease to use the Personal Data and shall, at Customer’s option, return the Personal Data to Customer or to a processor nominated by Customer or delete the Personal Data and all copies and extracts of the Personal Data unless required to retain a copy in accordance with any law of the European Union or any member state of the European Union; and
- On expiry or termination of this Agreement (however arising) these GDPR Terms shall survive and continue in full force and effect.
- MISCELLANEOUS PROVISIONS
- This Amendment may be executed in any number of counterparts, all of which, taken together, shall constitute one and the same agreement, and any party (including any duly authorised representative of a party) may enter into this Amendment by executing a counterpart.
- If there is any conflict or inconsistency between the GDPR Terms and the other terms of the Agreement, these GDPR Terms will govern. Except for changes made by this Amendment, the Agreement remains unchanged and in full force and effect and the original effective date (or equivalent) as defined in the Agreement shall remain the same.
- This Amendment and any non-contractual obligations arising out of or in connection with it are governed by Scottish law. The courts of Scotland have exclusive jurisdiction to settle any dispute arising out of or in connection with this Amendment and the parties submit to the exclusive jurisdiction of the Scottish courts.
Description of processing
The Personal Data transferred by Customer is processed by Ibby to provide the Services pursuant to the Agreement. Ibby is authorised to process Customer Personal Data for the duration of the Agreement.
Customer Personal Data
The personal data transferred by Customer is determined and controlled by Customer, in its sole discretion, and includes the personal data of the end-users of Customer’s mobile and web applications.
The personal data that may be transferred by Customer is determined and controlled by Customer, in its sole discretion, and may include the following categories of personal data:
- Information about website and application browsing, and device information
- Basic personal details including name, email address, telephone number and other contact details
- Content of live chat and email communications