Last updated: 20 July 2020
1.1 Scope of DPA. This Data Protection Agreement (DPA) governs the processing of Personal Data by us and you in relation to the Itarmi Platform and our services. This DPA is incorporated by reference into the Terms and Conditions.
1.2 Priority of terms. In the event of any conflict of terms in relation to data protection, the following provisions, in order of priority, shall prevail: (a) the Standard Contractual Clauses (see SCCs below); (b) Customer Order Form (if applicable); (c) this DPA; (d) other Terms and Conditions.
2.1 Defined terms in this DPA.
Appstore means a third party online portal or digital distribution platform through which software programs are made available for procurement and download.
Controller Personal Data means any Personal Data that is Processed by a party in connection with its provision or use of the Itarmi Platform.
Data Protection Laws means the GDPR and any applicable laws, regulations, and other legal requirements relating to the privacy, security or Processing of Personal Data.
Data Subject Request means a request to exercise a Data Subject’s rights under applicable Data Protection Laws.
EEA means the European Economic Area.
General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and the Council, and any legislation implementing it (in the case of the United Kingdom, as amended or incorporated into United Kingdom law under the European Union (Withdrawal) Act 2018 or otherwise and including the Data Protection Act 2018).
Restricted Transfer means the transfer of Personal Data to a Third Country.
SCCs means the Standard Contractual Clauses.
Subprocessor means any Processor appointed by a Processor.
Third Country means a jurisdiction other than a jurisdiction in the EEA.
2.2 GDPR defined terms. Each of the terms Controller, Data Subject, Personal Data, Personal Data Breach, Processing, Processor, Restricted Transfer and Supervisory Authority has the meaning given in the GDPR.
2.3 Other defined terms. Definitions used in the Master Terms shall apply to this DPA.
2.4 Interpretation. Any reference to a legal framework, statute, regulation or legislative enactment is a reference to it as amended or to its replacement from time to time.
3.1 Independent Controllers. Each party agrees that it:
3.1.1 is an independent controller of Controller Personal Data under the GDPR, which individually determines the purposes and means of its Processing of such data;
3.1.2 will comply with the GDPR regarding its Processing of Controller Personal Data;
3.1.3 will implement technical and organisational measures sufficient to ensure the security of Controller Personal Data.
4.1 Use of Processors. Each party agrees that it shall only appoint a Processor in relation to Controller Personal Data if it considers, after making reasonable enquiries, that the Processor shall provide the level of protection of Controller Personal Data required by the GDPR and this DPA.
4.2 Processor requirements. Each party agrees that it shall only appoint a Processor in relation to Controller Personal Data if that Processor has agreed in writing to:
4.2.1 implement adequate technical and organisational measures to ensure a level of Personal Data security consistent with the requirements of Article 32(1) of the GDPR, taking into account risks of Processing and inherent in a Personal Data Breach;
4.2.2 reasonably limit access to Controller Personal Data to individuals who need access to enable the Processor to provide its services to that party;
4.2.3 only carry out Restricted Transfers on terms equivalent to section 5 (Data Transfers);
4.2.4 reasonably assist that party in meeting its obligations under this DPA and the GDPR, including section 6 (Data Subjects), 7 (Personal Data Breach) and 8 (Audit);
4.2.5 protect confidentiality on terms equivalent to those set out in our Master Terms;
4.2.6 only appoint Subprocessors that
5.1 Restricted Transfers. A party may only carry out a Restricted Transfer if either:
5.1.1 the Third Country is recognised by the European Commission as providing adequate data protection;
5.1.2 it has implemented adequate safeguards and supplementary measures for the purposes of the GDPR; or
5.1.3 a valid exception to, or exemption or derogation from the GDPR conditions for Restricted Transfers applies to the transfer.
5.2 SCCs. The SCCs are incorporated by reference into this DPA. Without restricting a party’s obligations under section 5.1 (Restricted Transfers), each party agrees that:
5.2.1 it will be treated as executing the applicable SCCs;
5.2.2 the SCCs shall apply to a Restricted Transfer; and
5.2.3 a Data Subject shall be a third party beneficiary under the SCCs.
6.1 Required measures. Each party shall implement technical and organisational measures that are sufficient to enable it to respond to a Data Subject Request with respect to Controller Personal Data as required by the GDPR.
6.2 Co-operation. Each party shall promptly notify another party if it receives a relevant Data Subject Request with respect to Controller Personal Data and co-operate in reasonably responding to that Data Subject Request as required by the GDPR.
7.1 Notification of breach. Each party shall promptly notify any relevant party if it becomes aware, or is notified by a Processor, of any Personal Data Breach affecting Controller Personal Data. The notice shall provide information reasonably required by the other party to meet its reporting obligations, including:
7.1.1 the circumstances of the Personal Data Breach;
7.1.2 categories and numbers of Data Subjects and Personal Data records concerned; and
7.1.3 the measures taken or proposed to be taken to address the Personal Data Breach.
7.2 Co-operation. The parties shall reasonably co-operate in mitigating and remedying any Personal Data Breach.
8.1 Supervisory Authority. If a Supervisory Authority carries out an audit or investigation of a party’s Processing facilities in relation to Controller Personal Data, the parties shall, at their own cost, reasonably co-operate and assist in relation to relevant enquiries.
9.1 Contacting us. You may contact us by e-mail about this DPA at compliance@itarmi.com.
9.2 How we contact you. We may contact you by e-mail (using the e-mail address you provided to us for the purposes of this DPA, if applicable).
END OF DATA PROTECTION AGREEMENT