BetterWebSpace

Terms & Conditions

16. Data Processing

These Terms and Conditions form part of the full Terms and Conditions of services.

More details about how we process your data as a data controller can be found in our privacy notice.

All definitions used in this clause shall have the definition set out in the Data Protection Legislation.

  1. The Controller and the Processor acknowledge that the Controller is the client and the Processor is InnovaTech Media Ltd t/a BetterWebSpace and that the Controller retains control of the Personal Data and remains responsible for its compliance obligations under Data Protection Legislation. The Processor may process the Personal Data categories and Data Subject types set out in Schedule 1 of this Agreement. Each party agrees to comply with all applicable requirements of the Data Protection Legislation.
  2. The Processor shall:
    1. implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject;
    2. Where the controller has provided prior general written authorisation for the appointment of sub-processors, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes. If the controller so objects, the processor shall immediately terminate the appointment of such sub-processors. If the processor fails to terminate the appointment of such sub-processors, the controller may terminate the services agreement with immediate effect without any liability.
    3. process the Personal Data only on documented instructions from the Controller, unless required to do so by Data Protection Legislation to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    4. ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    5. ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Controller, to ensure a level of security appropriate to the risk (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Natural Persons) including, where appropriate, the pseudonymisation and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing. Account shall also be taken of the risks that are presented by the processing in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
    6. taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights set out in Chapter III of the GDPR;
    7. assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (data breach) taking into account the nature of processing and the information available to the Processor;
    8. at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of this Agreement and delete existing copies (unless Union or Member State law requires storage of the Personal Data);
    9. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
    10. assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor;
    11. immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation;
    12. promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;
    13. keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller;
    14. use subcontractors based outside of the EEA as long as the subcontractor is established within a country for which there is an adequacy decision or the subcontractor is part of the EU-US Privacy Shield; where the subcontractor does not meet these requirements, the Processor shall, prior to any Personal Data relating to data subjects within the Union being transferred to it, execute the European Commission’s Standard Contractual Clauses (controller-to-processor transfers), as set out in the Schedule to Commission Decision 2010/87/EU (“SCCs”).