DATA PROCESSING ADDENDUM
EU GENERAL DATA PROTECTION REGULATION – DATA PROCESSING AGREEMENT
21 May 2018
Addendum to the iBex Terms & Conditions agreed between Seekom and The Operator and referred to in these Terms & Conditions as section 10. In this agreement, the Processor refers to Seekom and the Controller refers to the Operator.
The European General Data Protection Regulation (“GDPR”) imposes specific obligations on Controllers and Processors of Personal Data. In particular, the GDPR requires Controllers and Processors to enter into contracts containing specific provisions relating to the protection of the Personal Data Processed.
The application and interpretation of this Agreement and it’s terms and clauses shall be governed by current and applicable law in England and Wales. In the event of any discrepancy which may arise from the interpretation or execution of these terms, the parties with express waiver of any other court of jurisdiction which might apply, if any, shall abide by the jurisdiction and competence of the English courts.
This Addendum sets forth the GDPR requirements applicable to Personal Data Processed by us or through our subprocessor’s systems in connection with providing the Services.
With effect from 25 May 2018, the date on which the GDPR will enter into force (the "Effective Date"), the Parties agree to the following:
Capitalised terms used in this Addendum have the meaning set forth in Article 4 of the GDPR and the Agreement, unless defined below or otherwise defined in this Addendum:
Notwithstanding anything to the contrary in the Agreement, the obligations pursuant to this Addendum shall survive termination of the Agreement for as long as the Processor hold or Process Personal Data on behalf of the Controller’s entity/ies.
Notwithstanding Clause 2.1 and in those instances where the Purpose consists of a number of Processing activities, the Parties may agree to terminate part of the Processing activities forming part of the Purpose, in which case such termination shall take effect on the date agreed by the Parties in writing and shall not affect the validity of the remaining Processing activities forming part of the same Purpose.
The Processor is appointed by the Controller to Process such Personal Data for and on behalf of the Controller as is necessary to provide the Processing services, and as may subsequently be agreed to by the Parties in writing. Any such subsequent agreement shall be subject to the provisions of this Agreement.
The Controller shall Process Personal Data in accordance with the requirements of the Applicable Laws. For the avoidance of doubt, the Controller’s instructions for the Processing of Personal Data shall comply with the Applicable Law and the Processor reserves the right to refuse such instructions if not in compliance with the Applicable Law. The Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires the Personal Data.
In accordance with GDPR Article 28(3)(a), the Processor shall not Transfer any Personal Data outside a Member State (and shall not permit the Processor’s approved Subprocessors to Transfer any Personal Data outside a Member State) without the prior consent of the Controller. the Processor understands that in accordance with GDPR Chapter V, adequate protection for the Personal Data must exist after the Transfer and will, if so, requested by Controller, enter into an appropriate agreement with Controller governing such Transfer, including, but not limited to the EU Standard Contractual Clauses (Controller to Processor), unless another adequacy mechanism for the Transfer exists, including without limitation Privacy Shield for transfers to the United States of America.
The Processor warrants that any transfers of personal data to a third country or international organisation will only be made in accordance with requirements of Chapter V of the GDPR.
The Processor shall process Personal Data for the Purpose as described in the Terms of Service, as entered into between the parties, on behalf of and under the direction of the Controller and as summarised in Annex B hereunder.
The data will be processed exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Any transfer of data to a country which is not a Member State of either the EU or the EEA requires the prior consent of the Controller and is subject to compliance with the special requirements on transfers of personal data to countries outside the EU/EEA and in compliance with the technical and organisational measures set out in clause 5.
Depending on how the Controller chooses to use the Service, the subject matter of Processing of personal data may cover the types/categories of data defined in Annex B.
The Processor shall establish data security in accordance with the Applicable Laws. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must be taken into account.
The Processor has laid down the technical and organisational measures, in Annex C of this Agreement.
The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures from time to time. In so doing, the security level of the defined measures must not be reduced.
The Processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law or the Processor’s Terms of Service), but shall only do so on documented instructions from the Controller and in accordance to data retention rules associated to the Controller subscription plan.
If a Data Subject should apply directly to the Processor to request the rectification, erasure, or restriction of his Personal Data, the Processor must forward this request to the Controller without delay.
The Processor shall comply with all statutory requirements applicable when carrying out this Agreement. In particular, the Processor ensures compliance with the following requirements:
The Controller has the right, after consultation with the Processor, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The Controller has the right to convince itself of the compliance with this Agreement by the Processor in its business operations by means of random checks, which are to be announced in advance with good time. These rights of the Controller shall not extend to facilities which are operated by subprocessors, sub-contractors or any third parties which the Processor may use to attain its Purpose and provide its Services. The Processor shall ensure that the Processing activities carried out by any subprocessors, sub-contractors or any third parties which the Processor may use to attain its Purpose and provide its Services meet the requirements laid down in this Agreement and in Applicable Law.
The Processor shall ensure that the Controller is able to verify compliance with the the obligations of the Processor in accordance Applicable Laws. The Processor undertakes to provide to the Controller all necessary information on request and, in particular, to demonstrate the execution of the technical and organisational measures as mentioned in Schedule 2 within a reasonable timeframe.
Evidence of the implementation of any measures in this regard may also be presented in the form of up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit or by other measures provided by law.
The Processor shall assist the Controller in complying with the statutory obligations regarding the security and protection of personal data and shall make appropriate documentation in this regard. This includes, in particular, the obligation:
The Personal Data may only be handled under the terms of this Agreement, in alignment with the Processor’s Terms of Service, and under the instructions issued by the Controller. Under the terms of this Agreement, the Controller retains a general right of instruction as to the nature, scope and method of data Processing, which may be supplemented with individual instructions. Any changes to the subject-matter of the Processing and any changes to procedures must be agreed and documented together. The Processor may only pass on information to third parties or to the Data Subject with the prior written consent of the Controller.
The Processor will only accept instructions via electronically communicated text in writing or in text form. The Processor must not use the data for any other purpose and is particularly forbidden to disclose the data to third parties. No copies or duplicates may be produced without the knowledge of the Controller. This does not apply to backup copies where these are required to assure proper data Processing, or to any data required to comply with statutory retention rules.
The Processor shall inform the Controller immediately, if it believes that there has been infringement of legal data protection provisions. The Processor may then postpone the execution of the relevant instruction until it is confirmed or changed by the Controller’s representative.
Upon completion of the contractual work as laid down in the Principal Agreement or when requested by the Controller, and within a reasonable time which shall not exceed 30 calendar days, the Processor must return to the Controller all documents in its possession and all work products and data produced, or delete them in compliance with the Applicable Law with the prior consent of the Controller. The same applies to any test data. The deletion log must be presented upon request.
Electronic documentation intended as proof of proper data Processing must be kept by the Processor beyond the termination of the relationship between the Parties and this Agreement, in accordance with relevant retention periods relevant to the Controller’s subscription plan and timeframes corresponding to each subscription plan. The Processor may hand such documentation over to the Controller after expiry of the Agreement, upon request by the Controller.
The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making.
Taking into account the nature of the Processing, the Processor shall assist Controller by appropriate technical and organisational measures, insofar as the right to be forgotten is possible, for the fulfilment of the Controller’s obligation to respond to a Data Subject’s request under the Applicable Law. The obligation to delete the Data Subject’s data shall, at all times, remain with the Controller. For the avoidance of doubt, the Processor will not undertake any data deletion efforts for and on behalf the Controller.
The Controller will indemnify the Processor in respect of all liabilities, costs and expenses suffered or incurred by the Processor in its capacity as processor of the data of the Controller arising from any Security Breach in the terms of this Agreement or any negligent act or omission by the Controller in the exercise of the rights granted to it under the Applicable Law provided that:
The Processor’s right to claim damages shall be forfeited if the Processor fails to give written notice of any damages that may be sustained as aforesaid within ten (10) business days from the occurrence thereof or commences to make good such damages before written notice is given as aforesaid.
The Processor will indemnify the Controller in respect of all liabilities, costs and expenses suffered or incurred by the Controller in its capacity as controller of the data of the Processor arising from any Security Breach in the terms of this Agreement or any negligent act or omission by the Processor in the exercise of the rights granted to it under the Applicable Law provided that:
In the event of a breach of this Agreement caused by the actions of a sub- processor, the Processor shall assign the right to the Controller to take action under the subprocessor contract as it deems necessary in order to protect and safeguard Personal Data. The Processor acknowledges and agrees that it shall remain liable to the Controller for any breach of the terms of this Agreement or any subprocessor contract by any subprocessor and other subsequent third party processors appointed by it.
‘subprocessing’, in the meaning of this Agreement, does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data Processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services to subprocessors.
The Controller agrees to the commissioning of the subprocessors in Annex B on the condition of a contractual agreement in accordance with applicable data protection laws.
Outsourcing to further subprocessors or changing any existing subprocessors is permissible if the Processor informs the Controller of the identity of the Sub- Processor and the scope of the planned subprocessing in writing or in text form and the Controller does not object to the planned subprocessing in writing or in text form within ten (10) business days as from giving notice by the Processor. The Controller shall not unreasonably object to the planned Sub- Processing. In addition, the following provisions apply:
With respect to each subprocessor, the Processor will before the subprocessor first Processes any data of the Controller, carry out adequate due diligence to ensure that the subprocessor is capable of providing the level of protection for the Personal Data required by this Agreement and shall ensure that the agreement between the Processor and the relevant subprocessor, is governed by a written contract including terms which offer at least the same level of protection for the Controller as those set out in this Agreement and meets the requirements of article 28(3) of the GDPR.
In accordance with GDPR Article 28(3), the Processor will (and ensure that any Subprocessor acting under the Processor’s authority will):
With effect from 25 May 2018, upon the Controller’s request, the Processor shall provide the Controller with reasonable cooperation and assistance needed to fulfil the Controller’s obligation under the General Data Protection Regulation to carry out a data protection impact assessment related to the Controller’s use of the Processor’s Services, to the extent that the Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Processor.
To the extent they are applicable to the Processor’s Processing activities for the Controller, the Processor shall maintain all records required by Article 30(2) of the GDPR and the Processor shall make them available to the Controller upon written request.
If any variation is required to this Agreement as a result of a change in the Applicable Law, then either Party may provide written notice to the other party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this Agreement. The parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the relevant requirements.
Clauses and other headings in this Agreement are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this Agreement. Annexes to this Agreement shall be deemed to be an integral part of this Agreement to the same extent as if they had been set forth verbatim herein.
The provisions of this Agreement are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this Agreement shall remain in full force and effect.
Any notice, letter or other communication contemplated by this Addendum shall be communicated in writing via registered mail to the registered addresses of the Parties or via electronic mail, delivery and read receipt requested.
The provisions of this Agreement shall endure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.
This Agreement may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.
This Addendum supplements, and does not replace, any existing obligations related to the privacy and security of Personal Data as already set forth in the Agreement, including any previously executed EU Standard Contractual Clauses. In the event of a conflict between the terms of this Addendum and the Agreement, the Processor shall comply with the obligations that provide the most protection for Personal Data, in particular, in terms of security. In the event of any conflict or inconsistency between the terms of the Agreement or this Addendum, and the terms of an agreement governing Transfer outside the Member State entered into pursuant to Section 4 herein, the applicable clauses of the agreement governing Transfer entered into Section 4 herein shall control.
The Parties agree to this Addendum with effect from the Effective Date on the terms set out above:
The subprocessors currently engaged by Seekom are:
Country where it is established or from which it may access the Personal data
United States of America
Application error tracking services.
Amazon Web Services (AWS)
United States of America
Hosting of iBex platform.
United States of America
Payment gateway and anti-fraud services.
United States of America
Customer Service platform.
Hosting of iBex platform.
This list includes all subprocessors currently engaged by Seekom that may receive Personal Data, however not all subprocessors provide services to the Controller. For more information regarding which subprocessors apply to the services contracted by you, please contact us.
Categories of data subjects / Type of data
Subject matter and duration of processing
Nature and purpose of processing
Category of data subjects:
- Staff of Seekom (the Processor)
- staff members of the Operator (the Controller)
- The Operator’s staff members
- The Operator’s Clients customers (guests) possibly including children under the age of 16 years.
Type of data:
Types of personally identifiable data stored on the processors systems may include but not be limited to Title, Name, UserID, Address, Telephone Numbers, Date of Birth, Vehicle Registration, IP Address, time and date of which events occurred, Credit Card data, gender, driver's license and passport number.
Subject matter of processing is the following data:
Personal data of operators (including Controller, Processor and Client staff) is limited to Name, UserID and email address to enable them to use the iBex software. Observed data such as a audit logs of their actions are kept for security reasons.
Duration of the processing:
The processing is conducted until termination of the Agreements unless instructed otherwise by Controller at their sole discretion.
Following deregistration, or a remove request made under GDPR Personal Data will be removed, or anonymised within 6 months.
The Processor is a SaaS provider who, on behalf of the Controller:
- The Controller’s staff data is stored to facilitate login to access the system and password reset. User actions are logged in the system. The Controller’s staff data may be accessed by the processor following a written request for technical support by the Controller or it’s authorised staff.
- Client staff Personal Data is stored on the Processor’s system for the purpose of accessing the system and making available those details to the Controller and to the client’s customers (guests) via the website booking application. This data also enables password resets. Client staff Personal Data within an account may be accessed by the Processor following a written request for technical support by the Controller or it’s authorised staff.
- Client customer (guest) data is stored on the Processors system for the purpose of enabling the Controller’s client to contact their customers (guests) and in the course of providing their services, and to charge for services.
Client customer (guest) data within an account may be accessed by the Processor following a written request for technical support by the Controller or it’s authorised staff.
The Processor warrants and undertakes in respect of all Personal Data that it Processes on behalf of the Controller that, at all times, it maintains and shall continue to maintain appropriate and sufficient technical and organisational security measures to protect such Personal Data or information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
The Processor shall provide the Controller, upon request, with adequate proof of compliance (e.g. the relevant parts of the Processor’s agreements with its data center provider).
For more detailed information on the latest state of the art measures adopted by our hosting provider, please refer to the following link: https://aws.amazon.com/security/.
Some smarts from Seekom to help you start growing your business.
Copyright 2022 © Seekom Limited (NZ owned)