Schedule it Ltd - Data Processing Addendum
Effective Date from May 25, 2018
Please read the Data Processing Addendum (“DPA") carefully as they form a contract between You (“Customer”) and Us (“Schedule it Ltd”). As referenced in sections 8.4 (a) and 9.4 of the Schedule it Ltd Terms of Service available at https://www.scheduleit.com/terms-conditions.htm (“Terms”), this DPA will apply where We and Our Group Companies are processors of personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
1. Data Protection
1.1 Definitions: In this DPA, the following terms shall have the following meanings:
a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
b) "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018,the EU Data Protection Directive (Directive 95/46/EC); (ii) on and after 25 May 2018, the EU General Data Protection Regulation (Regulation 2016/679) and (iii) any other applicable data protection laws and regulations.
1.2 Relationship of the parties: Customer (the controller) appoints Schedule it Ltd as a processor to process the personal data forming part of the Service Data (the "Data") for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3 Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Schedule it Ltd for processing.
1.4 International transfers: Schedule it Ltd shall not transfer the Data outside of the UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
1.5 Confidentiality of processing: Schedule it Ltd shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Schedule it Ltd's confidentiality obligations under the Terms.
1.6 Security: The processor shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
1.7 Subcontracting: Customer consents to Schedule it Ltd engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) Schedule it Ltd maintains an up-to-date list of its subprocessors at https://www.scheduleit.com/privacy-sub-processor.htm
, which it shall update with details of any change in subprocessors prior to any such change; (ii) Schedule it Ltd imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law. Customer may object to Schedule it Ltd's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Schedule it Ltd will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).
1.8 Cooperation and data subjects' rights: Schedule it Ltd shall provide reasonable and timely assistance to Customer (at Customer's expense. For data requests and information where you cannot retrieve the data yourself from your own database and the time needed is less than 30 min no charge applies. After 30 minutes, £125 is changed per additional hour for any extra work) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Schedule it Ltd, Schedule it Ltd shall promptly inform Customer providing full details of the same.
1.9 Data Protection Impact Assessment: If Schedule it Ltd believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer's expense. For data requests and information where you cannot retrieve the data yourself from your own database and the time needed is less than 30 min no charge applies. After 30 minutes, £125 is changed per additional hour for any extra work) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
1.10 Security incidents: If it becomes aware of a confirmed Security Incident, Schedule it Ltd shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Schedule it Ltd shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
1.11 Deletion of Data: Customer may export all personal data prior to the termination of the Customer’s Account. In any event, following the termination of Customer’s Account by either party, subject to (ii) and (iii) below, data on Customer’s Account will be retained for a period of 14 days from such termination within which Customer may contact Provider to export Service Data; (ii) the e-mail feature, if available within the Service(s), automatically archives any e-mails forming part of Service Data for a period of 3 months; and (iii) logs are archived for a period of 1 year (each a “Data Retention Period”). Beyond each such Data Retention Period, Processor reserves the right to delete all Personal Data in the normal course of operation. This requirement shall not apply to the extent that Schedule it Ltd is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which Data Schedule it Ltd shall securely protect from any further processing except to the extent required by such law.
View our Sub-processors here