OnApp Data Processing Termsv3.3 March 2018
If and to the extent stated in OnApp’s General Terms and Conditions of Trading in force from time to time (“GTCs”), these OnApp Data Processing Terms form part of and are hereby incorporated into those GTCs by reference as if expressly set out in them.
1.1. “Data Protection Legislation” means all applicable laws and regulations relating to the processing of Personal Data and privacy including the Data Protection Act 1998, the General Data Protection Regulation 2016/679 upon its coming into force and any statutory instrument or regulation made thereunder, as from time to time amended, extended, re-enacted or consolidated and the terms “data controller”, “data processor”, “process” and “personal data” shall have the meanings given to those terms in such Data Protection Legislation;
1.2. “Personal Data Breach” means any breach of security leading to the accidental or unauthorised destruction, loss, alteration, disclosure of, or access to, personal data.
2. OnApp acknowledges that, in respect of any personal data that it provides or that is provided on its behalf to OnApp in the course of providing services to the Company, the Company is: (i) the data controller or (ii) a data processor, and that in the case of (i), OnApp is the data processor of such personal data; and in the case of (ii), OnApp is the sub-processor of such personal data.
3. The Parties shall at all times comply with applicable Data Protection Legislation. In the case of 2(i) above, OnApp as the data processor shall, and, in the case of 2(ii) above, OnApp as the sub-processor, shall:
3.1. act only in accordance with this Agreement and with the reasonable written instructions of the Company in relation to the processing of personal data as part of providing services to the Company (including instructions in relation to the return or destruction of personal data) and in the event that a legal requirement prevents OnApp from complying with such instructions or requires OnApp to disclose the personal data to a third party, it shall, unless such legal requirement prohibits it from doing so, inform the Company of the relevant legal requirement before carrying out the relevant processing activities;
3.2. take reasonable steps to ensure: (i) the reliability of staff having access to the personal data processed as part of providing its services; and (ii) that all staff to whom it discloses personal data are made aware that the personal data is confidential information and subject to the obligations set out in this Agreement; (iii) that persons authorised by the data processor to process the personal data are bound by enforceable confidentiality obligations not to disclose it; and (iv) that access is limited to those of its staff who require it in order to meet its obligations under this Agreement and to such part or parts of the personal data as is strictly necessary for performance of each person’s duties;
3.3. ensure that any natural person acting under the authority of OnApp who has access to the personal data does not process them except on instructions from the Company;
3.4. maintain a process for regular testing, assessment and evaluation of the security measures required by this Agreement;
3.5. ensure an appropriate level of security of its systems used for processing the personal data having regard to the nature, scope, context and purposes of the data processing and the likelihood and severity of associated risks and have appropriate technical and organisational measures in place intended to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data, and maintain such security measures for as long as it is processing the personal data;
3.6. refrain from disclosing personal data to any third parties other than to sub-contractors in the ordinary course of its business, to whom disclosure is reasonably necessary in order for it to carry out its services, provided that in all such cases:
3.6.1. such disclosure is made subject to written terms as protective of the personal data provided to it by the Company as the terms contained in this Agreement;
3.6.2. OnApp shall procure that the third party complies with the same obligations as OnApp assumes hereunder;
3.6.3. such disclosure has been approved in writing in advance by the Company; and
3.6.4. it obtains a statement from any permitted sub-contractor outside the European Economic Area that such sub-contractor has no reason to believe the legislation applicable to him prevents him from complying with the contractual obligations imposed upon him in relation to data protection and that he will promptly inform OnApp if that situation changes, in which case, OnApp shall, as soon as reasonably practical following the request of the Company, terminate the data processing activities of the relevant sub-contractor in respect of the Company’s personal data and procure the return or destruction of all personal data of the Company, at the Company’s discretion and written request;
3.7. keep a written record of the processing of personal data it carries out under this Agreement and the locations at which such processing takes or has taken place and disclose this to the Company upon its written request;
3.8. upon the written request of the Company, promptly provide a written description of the technical and organisational measures employed by it so that the Company can reasonably determine whether or not, in connection with the Company’s personal data, OnApp is able to comply with its obligations under this Agreement. If, the measures employed by OnApp are insufficient to ensure compliance with its obligations under this Agreement, the Parties shall consult and cooperate to enable OnApp to take such steps as may be reasonably necessary to achieve such compliance;
3.9. on reasonable notice, at reasonable times and with reasonable frequency (not more than once per year), give the Company access to OnApp’s premises used to process relevant personal data to enable it to determine whether OnApp is in material compliance with its obligations under this Agreement;
3.10. promptly refer to the Company any requests, notices or other communication from data subjects, the Information Commissioner or any other competent law enforcement agency having jurisdiction relating to personal data processing for the Company to resolve;
3.11. at no additional cost, provide such information and assistance to the Company as it may reasonably require, and within the timescales reasonably specified by it, to allow it to comply with: (i) rights of data subjects, including subject access, or (ii) notices or other communication from the Information Commissioner or any other competent law enforcement agency having jurisdiction relating to personal data processing; or (iii) the Company’s obligations under applicable Data Protection Legislation;
3.12. not retain any personal data longer than is necessary to perform its obligations under the Supply Agreement and promptly return all personal data of the Company to it on termination of this Agreement; and
3.13. as soon as reasonably practical, notify the Company of any Personal Data Breach and take measures to address the breach and mitigate its effect as the Company may reasonably require and provide the data controller with such cooperation and assistance as it may reasonably require in managing that data breach.