SCHEDULE 3
DATA PROCESSING AGREEMENT(“DPA”)
DEFINITIONS:
| Agreement: | means this document entered into between the Controller and Protect; |
| Contractual Clauses: | means those clauses set out in the annex to European Commission’s decision C(2010)593 for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection; |
| Data Controller: | means the Member or Facilitator as a Data Controller; |
| Controller’s Data: | means Personal Data disclosed, transferred, shared, sent, or otherwise made available or accessible to Protect by the Data Controller or to a third party for the purposes of this DPA including Card Holder Data; |
| Data Protection Laws: | means all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements that apply to either of the Parties or any consumer or potential consumer related in any way to the privacy, confidentiality or security of Personal Data; |
| Data Subject: | means the identified or identifiable natural person to whom Personal Data relates; |
| Facilitator: | means the company which has signed a Facilitator’s Agreement with Protect; |
| GDPR: | means the General Data Protection Regulation of the European Union; |
| Information Security Incident: | means any threat or hazard to the security, confidentiality, integrity, availability or audit ability of Personal Data, including any actual or potential unauthorised access to, or unauthorised acquisition of, Personal Data; |
| ISO: | means International Organisation for Standardisation; |
| Member: | means the company which has signed a Membership Agreement with Protect; |
| Parties: | means the Processor and the Controller; |
| Personal Data: | has the meaning set out in the relevant Privacy Laws and include any information which identifies or could be reasonably used to identify an identifiable natural person (Data Subject), including names, addresses, email addresses, telephone numbers, social insurance/security numbers, government identification numbers or any other personally identifiable information, including copies of such information, and materials derived from such information, and any other information associated with all linked to such information; |
| PCI DSS: | means the Payment Card Information Data Security Standard; |
| Privacy and Information Security Requirements: | means a) Data Protection Laws and B) all applicable provisions of the Parties written information security requirements, policies, or procedures applicable to this DPA; |
| Processing or to Process: | means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrievable, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| Data Processor: | means Protect; |
| Protect: | means Event Protect Ltd and its affiliates and subsidiaries; |
| Services: | means the services performed by Protect to the Controller under its Membership or Facilitator’s agreement; |
| Sub-processor: | means any person engaged by Protect to Process Personal Data on behalf of the Controller; |
| Supervision Authority: | means anybody under the Data Protection Laws that has the authority to impose legal sanctions. |
WHEREAS:
A. The Member or Facilitator acts as a Controller.
B. The Controller wishes to subcontract certain Services to Protect which includes the Processing of Personal Data.
C. The Parties seek to implement this DPA to comply with the Data Protection Laws.
D. The Parties wish to lay down their rights and obligations.
E. This DPA is incorporated into and forms part of our Terms of Business also referred to as our Terms of Service (“the Terms”).
- Privacy and Information Security Requirements
Protect agrees:
1.1. to comply with the Data Protection Laws.
1.2. to engage Sub-processors in accordance with clause 8.
1.3. to develop, implement and maintain such organisation and technical security measures as are sufficient to meet its obligations under this DPA, whilst taking into account the nature of the processing.
1.4. to act only on the Controller’s documented instructions.
- EU Standard Contractual Clauses & PCI DSS
2.1 Protect shall not transfer any Personal Data to Processors or Sub-processors established in third countries which do not ensure an adequate level of Data Protection Laws and in consequence this DPA does not need to incorporate the EU’s Contractual Clauses.
2.2 Neither Protect nor any Sub-processor handles card data and therefore PCI DSS compliance does not arise.
- Order of Precedence
3.1 This DPA is incorporated into and forms part of the Terms. For matters not addressed in the DPA, the Terms apply. In the event of conflict between the DPA and the Terms, the DPA applies.
- Employees, Agents or Contractors
4.1 Protect shall take reasonable steps to ensure the reliability of employees, agents or contractors who may have access to Personal Data, and to provide them if necessary with appropriate training on their responsibilities. Access to Personal Data shall be restricted to those requiring it to fulfill Protect’s obligations.
4.2 Protect shall ensure its employees, agents or contractors are subject to all Privacy and Information Security Requirements including informing them of the confidential nature of Personal Data.
- Security
5.1. Protect has implemented and shall continue to improve and implement appropriate technical and organisational measures to safeguard Personal Data, including protection against unauthorised or unlawful Processing and against unlawful or accidental destruction, alteration or damage or loss, unauthorised disclosure of, or access to, Personal Data, in accordance with the Data Protection Laws.
5.2 Protect shall delete Personal Data when requested to do so by the Data Controller save for that Personal Data which is required for any financial recordkeeping and/or insurance purposes and which shall be deleted as soon as it is no longer required.
- Duration
6.1. The duration (term) of this DPA is the same as the Terms and Member’s Agreement concluded with the exception of any DPA provisions intended to survive termination. Any right to terminate the DPA separately before the termination of these terms shall be excluded to the extent permitted by applicable law.
6.2. On termination of these terms, Protect shall delete all Personal Data except that Personal Data which is required for on-going insurance purposes and which shall be deleted as soon as it is no longer required.
- Processing of Controller’s Personal Data
7.1. Personal Data submitted by the Data Controller is in the consumer’s name. Where the consumer makes a refund request, they do so directly to Protect, and the Personal Data received might include the consumer’s identification number, contact information, bank or credit card data, and medical records including those of an immediate family member.
7.2. Protect, and any Sub-Processor, shall not use or disclose any Personal Data for any purpose other than the Admissible Purpose.
7.3. Protect shall provide assistance to the Data Controller in dealing with a Data Subject’s complaint or a Supervision Authority’s investigation, or a Data Protection Impact Assessment.
- Sub-Processors
8.1. Protect may use one or more of the following Sub-processors and their affiliates:
Microsoft Corporation: our platform is hosted by Azure.
HCC International Insurance Co PLC: insures our liability to make refunds.
Wise PLC: to make refund payments to customers’ bank accounts.
8.2. Protect shall not use any other Sub-processor without the Data Controller’s written consent, such consent not to be unreasonably withheld.
- Data Subject Rights
9.1. Taking into account the nature of Data Processing, Protect shall assist the Data Controller to fulfill its obligations to respond to a Data Subjects requests exercising their individual rights.
9.2. Protect shall promptly notify the Data Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data.
9.3. Protect shall not respond to such requests except on the documented instructions of the Data Controller or as required by any Data Protection Law, in which case Protect shall, to the extent permitted by law, inform the Data Controller of that legal requirement before responding to the request.
- Audit
10.1. The Data Controller has the right to audit Protect’s data security policies, practices and procedures and its compliance with this section on reasonable notice, which notice period shall in no circumstance be less than 10 (ten) days written notice.
- Information Security Incident
11.1. Protect shall inform the Data Controller promptly in writing of any Information Security Incident involving Personal Data of which it becomes aware, to include reasonable detail about the effect and/or anticipated effect on the Data Controller, and the corrective action being taken by Protect.
11.2. In the event of an Information Security Incident involving the Data Controller’s Personal Data Processed by Protect, Protect shall promptly take all necessary corrective actions, at its cost and expense, and cooperate with the Data Controller in all reasonable and lawful efforts to mitigate the effects of such Information Security Incident and Protect shall reimburse reasonable costs incurred by the Data Controller in relation to such Information Security Incident.
- Indemnities
12.1. Protect shall indemnify the Data Controller and/or its representatives and hold the Data Controller harmless from and against any reasonable costs resulting from Protect’s non-compliance with Privacy Laws which are a direct consequence of the actions or omissions of Protect.
12.2. The Data Controller shall likewise indemnify Protect and its representatives and hold Protect harmless from and against any reasonable costs resulting from the Data Controller’s non-compliance with Privacy Laws which are a direct consequence of the actions or omissions of the Data Controller.
- Change Requests
13.1 Any request made by the Controller to change Protect’s security of Personal Data or Processing due to changes in the Privacy Laws or industry standards, shall be made in writing and require written acceptance by Protect.
- Notices & Governing Law
Same as per the Terms and Member’s Agreement.