Data Processing Agreement
THE THREE LTD.
Data Processing Agreement
1. Subject matter
Under the Universal Terms of Service Agreement, You (Data Controller) have appointed the Company to provide certain services (“Covered Services”) to you. As a result of providing Covered Services to you, the Company will store and process certain personal information as described below: personally identifying or identifiable information about your own customers (“Your Data”).
Your Data processed by the Company will be subject to the following basic processing activities: Operations necessary for the provision of the Covered Services under the Universal Terms of Service Agreement by the Company, including the storage, retrieval, use, disclosure, erasure, destruction and access of Your Data.
This Data Processing Agreement is being put in place to ensure that the Company processes Your Data on Data Controller’s instructions and in compliance with applicable data privacy laws.
2. The Company’s Obligations:
- The Company shall only process Your Data on behalf of Data Controller and in accordance with, and for the purposes of providing the Covered Services. If the Company cannot provide such compliance for whatever reason (including if the instruction violates applicable Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as reasonably practicable.
- The Company shall ensure that its personnel who are authorized to process Your Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Company shall implement and hold in force for the term of this Data Processing Agreement specific technical and organizational security measures as required by the GDPR.
- The Company shall notify Data Controller promptly upon receipt by the Company of a request from an individual seeking to exercise any of their rights under applicable Data Protection Laws. Taking into account the nature of the processing, the Company could, at Data Controller’s expense, assist Data Controller by appropriate technical and organizational measures, for the fulfillment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing).
- Taking into account the nature of the processing under the Universal Terms of Service Agreement and the information available to the Company, the Company could, insofar as possible and at Data Controller’s expense, assist Data Controller in carrying out its obligations under Articles 32 to 36 of the GDPR and any other Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. The Company shall comply with GDPR breach notification requirements.
- Upon termination of the processing of personal data by the Company (subject to its customer data retention policy) and at Data Controller’s request, the Company shall either (i) delete all Your Data; or (ii) return all Your Data to the Data Controller and delete existing copies unless applicable law requires storage of the Your Data.
- The Company shall upon written request from Data Controller from time to time provide Data Controller with all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement.
- Data Controller acknowledges and agrees that the Company may, or may appoint an affiliate or third party subcontractor to, process Your Data in a third country, provided that it ensures that such processing takes place in accordance with the requirements of applicable Data Protection Laws.
- Where the Company processes, accesses, and/or stores Your Data in any third country, the Company shall comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this Data Processing Agreement. Data Controller hereby grants the Company a mandate to execute the Model Clauses, for and on behalf of Data Controller, with any relevant subcontractor (including affiliates) it appoints.
- Data Controller acknowledges and agrees that the Company relies solely on Data Controller for direction as to the extent to which the Company is entitled to access, use and process Your Data. Consequently, the Company is not liable for any claim brought by Data Controller or a data subject arising from any action or omission by the Company to the extent that such action or omission resulted from Data Controller’s instructions.
3. Data Controller’s Obligations
- Data Controller warrants that it has complied and continues to comply with the applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to the Company and enable the processing of Your Data by the Company as set out in this Data Processing Agreement and as envisaged by the Universal Terms of Service Agreement.
- Data Controller agrees that it will indemnify and hold harmless the Company from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other claims).
Data Controller hereby consents to the use by the Company of the Subcontractors set out in the list of third party sub processors available upon request. If the Company appoints a new Subcontractor to process Your Data, it shall update such list. In the event that Data Controller objects to the appointment, Data Controller’s sole remedy shall be to terminate the services provided by the Company. If Data Controller does not object, the Company may proceed with the appointment. The Company ensures that it has a written agreement in place with all Subcontractors which contain obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on the Company under this Data Processing Agreement.
Termination of this Data Processing Agreement shall be governed by the Universal Terms of Service Agreement, mutatis mutandis.
6. Law and Jurisdiction
This Data Processing Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction specified in the Universal Terms of Service Agreement.