Data Processing Agreement
Supporting Terms
The Supporting Terms below set out detailed provisions necessary to cover contingencies; they have been separated out purely so as not to distract from the readability of the main points of the Data Processing Agreement (the Agreement) of which they form an integral part.
Data Storage and Processing Locations
- Cape Town, South Africa
- Sao Paulo, Brazil
- New Delhi, India
Data Return and Destruction
- At the Customer's request, the Processor will give the Customer a copy of or access to all or part of the Personal Data in its possession or control in an industry standard format reasonably specified by the Customer.
- On completion of the services or termination of the Agreement, the Processor will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
- If any law, regulation, or government or regulatory body requires the Processor to retain any documents or materials or Personal Data that the Processor would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
- The Processor will certify in writing to the Customer that it has destroyed the Personal Data within fourteen days after it completes the deletion or destruction.
Records
- The Processor will keep detailed, accurate and up-to-date records regarding any processing of the Personal Data, including the access, control and security of the Personal Data, approved subcontractors and service providers, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in the Agreement (Records).
- The Processor will ensure that the Records are sufficient to enable the Customer to verify the Processor's compliance with its obligations under this Agreement and the Processor will provide the Customer with copies of the Records upon request.
Audit Policies and Procedures
The Processor will give the Customer and its third-party representatives all necessary assistance to conduct audits. The assistance may include:
- supervised electronic access to, and copies of the Records and any other information held on the Processor’s systems storing the Personal Data; and
- access to and meetings with any of the Processor's personnel reasonably necessary to provide all explanations and perform the audit effectively; and
- details of the infrastructure, electronic data or systems, facilities, equipment or application software used to store or process the Personal Data.
If a Personal Data Breach occurs or is occurring, or the Processor becomes aware of a breach of any of its obligations under this Agreement or any Data Protection Legislation, the Processor will:
- conduct its own audit to determine the cause;
- produce a written report that includes detailed plans to remedy any deficiencies identified by the audit;
- provide the Customer with a summary of the written audit report; and
- remedy any deficiencies identified by the audit within a reasonable time.
- At least once a year, the Processor will conduct an audit of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement.
- The Customer will treat audit reports and summaries of them as the Processor's confidential information.
- The Processor will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan.
Third-party Systems and Service Providers
- The Processor is currently using infrastructure and security services provided by Amazon Web Services Inc. and Certified Amazon Partners (details provided upon request by the Customer).
Complaints, Data Subject Requests and Third-party Rights
The Processor will take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- information or assessment notices served on the Customer by a relevant regulator under the Data Protection Legislation.
- The Processor must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
- The Processor must notify the Customer within seven days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
- The Processor will give the Customer all reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
- The Processor must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer's written instructions, or as required by domestic law.
Personal Data Breach Procedures
- In this section Personal Data Breach means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
The Processor will, within 48 hours and in any event without undue delay, notify the Customer if it becomes aware of:
- (a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Processor will use reasonable endeavours to restore such Personal Data as soon as reasonably possible and, if the event has been caused by the Processor's breach of the Agreement, it will do so at its own expense;
- (b) any accidental, unauthorised or unlawful processing of the Personal Data; or
- (c) any Personal Data Breach.
Where the Processor becomes aware of (a), (b) and/or (c) above, it shall, without undue delay, also provide the Customer with the following information:
- description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
- the likely consequences; and
- a description of the measures taken or proposed to be taken to address (a), (b) and/or (c) above, including measures to mitigate its possible adverse effects.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Processor will reasonably co-operate with the Customer (at no additional cost to the Customer if the Customer is not at fault) in the Customer's handling of the matter, including:
- assisting with any investigation;
- facilitating interviews with the Processor’s employees, former employees and others involved in the matter including its officers and directors;
- making available all relevant records, logs, files, data reporting and other materials required to comply with applicable Data Protection Legislation; and
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
- The Processor will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
- The Processor agrees that, after due consideration of the Processor’s views on the matter, the Customer has the right to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, in-scope regulators, law enforcement agencies or others, as required by law or regulation, including the contents and delivery method of the notice.
- The Processor will cover all reasonable expenses associated with the performance of the obligations under this section if the matter arose from the Processor’s failure to follow the Customer’s specific written instructions or from the Processor’s negligence, wilful default or breach of the Agreement.
Notices
- Any notice given to a party under or in connection with the Agreement must be in writing and delivered to the data privacy contacts provided. A reference to writing or written includes email.
- Email may not be used for termination notices, for the service of any proceedings, or other documents in any legal action or other method of dispute resolution.
Miscellaneous
- Phrases containing the word ‘includes’ or ‘including’ (or similar) followed by examples are to be construed without limiting the related general words.
- Any provision of the Agreement or these Supporting Terms that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the Personal Data will remain in full force and effect.
- If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under this Agreement, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 60 days, either party may terminate this Agreement with immediate effect on written notice to the other party.
Additional Definitions
Affiliate: in relation to a party to the Agreement, means any entity which from time to time directly or indirectly through one or more intermediaries, Controls, or is Controlled by, or is under common Control with the relevant party.
Control: in respect of an entity (i) possession (directly or indirectly) of the power to direct the management of that entity whether through ownership of voting securities, by contract relating to voting rights, or otherwise; or (ii) ownership (direct or indirect) of more than 50% of the outstanding voting securities or other ownership interest of that entity (and Controls and Controlled shall be construed accordingly).
International Data Transfer Agreement: an agreement related to the Agreement that regulates the transfer of Personal Data to another country and containing appropriate safeguards and providing for enforceable data subject rights and effective legal remedies for data subjects.
Processing, processes, processed, process: any activity that involves the use of the Personal Data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Terms defined in the Agreement shall have the same meanings in these Supporting Terms.