As you may be aware, on 25 May 2018 new EU data protection legislation comes into force. The new law, the General Data Protection Regulation (“GDPR”), requires data controllers (entities, like yours, which determine the purposes for which, and means by which, personal information is processed) to have certain provisions in their contracts with data processors (entities, like Shiftboard, that process personal information on behalf of and in accordance with the instructions of data controllers). Our existing contract does not contain the required provisions and so we are updating it with the below Data Processing Addendum to ensure that we are both complying with the GDPR.
The new provisions are set out below and reflect the requirements in Article 28 of the GDPR. They will be added to our existing clause in our contract dealing with data processing for EU customers. If we have not heard back from you within 14 days from the date of notification, we will assume that you accept this amendment to our contract.
- Customer represents, warrants and undertakes that it has complied, and shall comply, with its obligations under Data Protection Laws, including, without limitation, obtaining valid and effective consent from Data Subjects or having an alternative legal basis, for the transfer of Personal Data to Shiftboard and the processing and storage of Personal Data by Shiftboard envisaged by the terms of this Agreement.
- Customer agrees to indemnify, keep indemnified and defend at its own expense, Shiftboard against all costs, claims, damages or expenses incurred by Shiftboard or for which Shiftboard may become liable (including, without limitation, any claim brought by a Data Subject against, or fine imposed by a regulator upon, Shiftboard) due to: (i) Customer’s breach of any representation, warranty or undertaking contained in Section 1; and (ii) any failure by Customer, its employees, or its agents to comply with Data Protection Laws.
- In respect of Customer Personal Data, Customer and Shiftboard acknowledge that Shiftboard acts as a Data Processor and Customer acts as the Data Controller. Shiftboard shall comply with all applicable Data Protection Laws in processing Customer Personal Data and not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws. Customer instructs Shiftboard to process Customer Personal Data as necessary to provide the Shiftboard Service to Customer and to perform Shiftboard’s obligations and exercise Shiftboard’s rights under this Agreement. Where Shiftboard receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Shiftboard shall inform Customer.
- Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of this Agreement, a valid legal basis for the processing by Shiftboard of Customer Personal Data in accordance with this Agreement.
- Shiftboard shall take reasonable steps to ensure the reliability of its personnel who may process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Shiftboard shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Shiftboard shall take account in particular of the risks presented by the processing, in particular from a Personal Data Breach.
- Customer authorizes Shiftboard to appoint subprocessors in accordance with this Addendum. Shiftboard may continue to use those subprocessors already engaged by Shiftboard as at the date of this Agreement. Shiftboard shall give Customer prior written notice of the appointment of any new subprocessor, including reasonable details of the processing to be undertaken by the subprocessor. If, within seven days of receipt of that notice, Customer notifies Shiftboard in writing of any objections (on reasonable grounds) to the proposed appointment, Shiftboard shall use reasonable efforts to make available a commercially reasonable change in the provision of the Shiftboard Service which avoids the use of that proposed subprocessor. Where such a change cannot be made within 14 days from Shiftboard’s receipt of Customer’s notice, or no commercially reasonable change is available, or Customer declines to bear the cost of the proposed change, notwithstanding anything in this Agreement, either party may by written notice to the other party with immediate effect terminate this Agreement either in whole or to the extent that it relates to the Shiftboard Service which requires the use of the proposed subprocessor. With respect to each subprocessor, Shiftboard shall ensure that the arrangement between Shiftboard and the subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Agreement.
- Taking into account the nature of the processing, Shiftboard shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subjects’ requests to exercise their rights under the GDPR. Shiftboard shall promptly notify Customer if Shiftboard receives such a request and ensure that Shiftboard does not respond to any such request except on the documented instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
- Shiftboard shall notify Customer without undue delay upon Shiftboard becoming aware of a personal data breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Shiftboard’s possession) to allow Customer to meet any obligations under Data Protection Laws to report or inform the Personal Data Breach to affected Data Subjects or the relevant supervisory authority(ies) (as may be determined in accordance with the Data Protection Laws). Shiftboard shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such personal data breach.
- Shiftboard shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to processing of Customer Personal Data by, and taking into account the nature of the processing by, and information available to, Shiftboard.
- Upon the date of cessation of the Shiftboard Service (the “Cessation Date”), Shiftboard shall immediately cease all processing of the Customer Personal Data for any purpose other than for storage. To the extent technically possible in the circumstances (as determined in Shiftboard’s sole discretion), on written request to Shiftboard (to be made no later than 30 days after the Cessation Date), Shiftboard shall return a complete copy of all Customer Personal Data within Shiftboard’s possession to Customer, promptly following which Shiftboard shall delete all other copies of such Customer Personal Data or delete all Customer Personal Data then within Shiftboard’s possession to the fullest extent technically possible in the circumstances.
- Shiftboard and any subprocessor may retain Customer Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law and always provided that Shiftboard shall ensure the confidentiality of all such Customer Personal Data and that such Customer Personal Data is only processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
“Data Protection Laws” means any data protection, privacy or similar laws or regulations anywhere in the world relating inter alia to the processing or other use of personal data, including the GDPR.
“Data Controller” shall have (until 24 May 2018) the meaning prescribed under the Directive and (from 25 May 2018) the meaning given to it under the GDPR.
“Data Processor” shall have (until 24 May 2018) the meaning prescribed under the Directive and (from 25 May 2018) the meaning given to it under the GDPR.
“Data Subject” shall have (until 24 May 2018) the meaning prescribed under the Directive and (from 25 May 2018) the meaning given to it under the GDPR.
“Directive” means European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended or superseded from time to time.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data an on the free movement of such data, and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.
“Personal Data” shall have (until 24 May 2018) the meaning prescribed under the Directive and (from 25 May 2018) the meaning given to it under the GDPR and “Customer Personal Data” means such Customer Data that is Personal Data.