This data processing agreement (the "Data Processing Agreement") is entered into by and between hOSTINGchs in Goregaon, Mumbai (the "Data Processor") and the reseller customer agreeing to the "Terms of Use" (the "Data Controller") and incorporates the terms and conditions set forth in the Schedule attached hereto (the "Schedule"). The Data Processing Agreement and the Schedule shall be collectively referred to as the "Agreement". Terms used in the Data Processing Agreement but not defined herein shall have the meaning given to them in the Schedule.
Pursuant to the Terms of Use, the Data Controller has appointed the Data Processor to provide certain services (“Services”) to the Data Controller. As a result of providing the Services to the Data Controller, the Data Processor will store and process certain of the Data Controller’s personal information as described below:
The Customer's Personal Data processed by the Data Processor will be subject to the following basic processing activities: Operations necessary for the provision of the Services under the Terms of Use by the Data Processor, including storage, retrieval, use, disclosure, deletion, destruction, and access to the Customer's Personal Data.
Customer Personal Data processed by the Data Processor shall relate solely to the following categories of Data Subjects: Customers of the Data Controller based in the European Union whose information is provided to the Data Processor for the purposes of providing the Services under the Terms of Use.
The Customer Personal Data Processed by the Data Processor includes, and is limited to, the following categories of data: (i) identification and contact information (such as name, email address); (ii) purchase information (such as payment method, products purchased, billing information); and (iii) information collected in the provision of services to the Data Controller (such as analytics, device and browser information).
The Customer Personal Data processed by the Data Processor does not contain special categories of Personal Data.
The Agreement is implemented to ensure that the Data Processor processes the Data Controller's personal data on the Data Controller's instructions and in compliance with applicable data privacy laws.
The Parties to this Agreement hereby agree to be bound by the terms and conditions of the attached Schedule as applicable as of May 25, 2018 (the “Effective Date”).
CREATE STANDARD TERMS FOR CONTRACT PROCESSING
Definitions
1.1 For the purposes of this Agreement, the following expressions have the following meanings unless the context otherwise requires:
"Applicable Data Protection Laws" means the General Data Protection Regulation 2016/679 ("GDPR") as it enters into force and any applicable law, statute, declaration, decree, directive, statutory provision, order, ordinance, regulation, rule or other binding instrument of the Member State of the Controller implementing the GDPR, the Data Protection Directive 95/46/EC and the ePrivacy Directive 2002/58/EC (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Customer Personal Data” means Personal Data provided by the Data Controller to the Data Processor for processing on behalf of the Data Controller in accordance with the Terms of Use;
“Data Subject” means living individuals who are the subject of the Customer’s Personal Data;
“Model Clauses” means the standard contractual clauses for the transfer of personal data to data processors established in third countries set out in Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;
“Personal Data” and “Process”, “Processed” or “Processing” have the meaning given to them in the GDPR;
“Regulator” means the data protection supervisory authority that has jurisdiction over the processing of personal data by the data controller; and
“Third Countries” means all countries outside the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved by the European Commission as providing adequate protection for personal data from time to time.
Processing conditions
2.1 This Agreement governs the terms under which the Data Processor processes the Customer's personal data on behalf of the Data Controller. In the event of any conflict or inconsistency between the terms of the Terms of Use and this Agreement, the terms of this Agreement shall prevail to the extent of the conflict.
Obligations of the data controller
3.1 The Data Processor will only process the Customer's Personal Data on behalf of the Data Controller and in accordance with and for the purpose of providing the Services. If the Data Processor is unable to comply with such instructions for any reason (including if the instruction violates applicable data protection laws), it agrees to inform the Data Controller of its inability to comply as soon as reasonably possible.
3.2 The Data Processor shall ensure that its personnel authorized to process the Customer's Personal Data have committed to maintaining confidentiality or are under an appropriate legal obligation of confidentiality.
3.3 The Data Processor shall implement and maintain in force during the term of this Agreement specific technical and organizational security measures as required by the GDPR.
3.4 The Data Processor shall notify the Data Controller immediately after the Data Processor receives a request from an individual seeking to exercise any of their rights under Applicable Data Protection Laws. Taking into account the nature of the processing, the Data Processor, at the Data Controller's expense, shall assist the Data Controller through appropriate technical and organizational measures, to fulfill the Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject's right of access, the right to rectification and erasure, the right to restriction of processing, the right to data portability, and the right to object to processing). The Data Processor shall carry out a request from the Data Controller to amend, correct, block, transfer, or delete any of the Customer's Personal Data to the extent necessary to allow the Data Controller to fulfill its responsibilities as a data controller.
3.5 Taking into account the nature of the Processing under the Terms of Use and the information available to the Data Processor, the Data Processor, to the extent possible and at the expense of the Data Controller, shall assist the Data Controller in complying with its obligations under Articles 32 to 36 of the GDPR and any other Applicable Data Protection Laws with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators. The Data Processor shall comply with the breach notification requirements of the GDPR.
3.6 Upon termination of the Processing of Personal Data by the Data Processor (subject to the Data Processor's Customer Data Retention Policy) and at the Data Controller's request, the Data Processor shall (i) delete all Customer Personal Data; or (ii) return all Customer Personal Data to the Data Controller and delete existing copies, unless applicable law requires the retention of Customer Personal Data.
3.7 The Data Processor shall, upon written request from the Data Controller, periodically provide the Data Controller with all information necessary to demonstrate compliance with the obligations set forth in this Agreement.
3.8 The Data Controller acknowledges and agrees that the Data Processor may, or may designate an affiliate or third-party subcontractor to, process the Data Controller's Personal Data in a third country, provided that it ensures that such processing is carried out in accordance with the requirements of applicable Data Protection Laws. The Data Controller hereby consents to the Data Processor's access to the Customer's Personal Data from the United States to the extent necessary for the Data Processor to provide the Services.
3.9 Where the Data Processor processes, accesses and/or stores Customer Personal Data in any third country, the Data Processor shall comply with the data importer obligations set out in the Model Clauses, which are hereby incorporated into and made part of this Agreement. The processing details set out in paragraphs a) to d) on the first page of this Agreement shall apply for the purposes of Appendix 1 to the Model Clauses, and the terms of the Security Policy shall apply for the purposes of Appendix 2 to the Model Clauses. The Data Controller hereby grants the Data Processor a mandate to execute the Model Clauses, in the name and on behalf of the Data Controller, with any relevant subcontractors (including affiliates) that it appoints.
3.10 The Data Controller acknowledges and agrees that the Data Processor relies solely on the Data Controller for instructions regarding the extent to which the Data Processor is entitled to access, use, and process the Customer's Personal Data. Accordingly, the Data Processor is not liable for any claim brought by the Data Controller or a data subject arising from any action or omission by the Data Processor to the extent that such action or omission resulted from the Data Controller's instructions.
Obligations of the data controller
4.1 The Data Controller warrants that it has complied and continues to comply with applicable Data Protection Laws, in particular that it has obtained the necessary consents or given the necessary notices, and that it otherwise has a legitimate reason to disclose the data to the Data Processor and to allow the Processing of the Customer's Personal Data by the Data Processor as set out in this Agreement and as provided for in the Terms of Use.
4.2 The Data Controller agrees that it will indemnify and hold harmless the Data Processor upon request from and against all claims, liabilities, costs, expenses, losses or damages (including consequential losses, loss of profits and loss of reputation and all interest, penalties and statutory rights and other professional costs and expenses) incurred by the Data Processor arising directly or indirectly from a breach of this Clause 4 or any Applicable Data Protection Law.
Subcontracting
5.1 The Data Controller hereby consents to the Data Processor's use of the Subcontractors set forth in the list of external Subprocessors available upon request. If the Data Processor appoints a new Subcontractor to process the Customer's Personal Data, it shall update said list. If the Data Controller objects to the appointment, the Controller's sole remedy shall be to terminate the services provided by the Processor. If the Data Controller does not object, the Data Processor may proceed with the appointment. The Data Processor warrants that it has a written agreement in place with all Subcontractors containing obligations for the Subcontractor that are no less onerous for the relevant Subcontractor than the Data Processor's obligations under this Agreement.
Termination
6.1 Termination of this Agreement shall be governed by the Terms of Use, mutatis mutandis.
Law and jurisdiction
7.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction specified in the Terms of Use.