This Data Processing Addendum ("DPA") forms part of the Jezzam Terms & Conditions (and any ancillary or related documentation), as updated or amended from time to time (the "Agreement""), between the Customer and Jezzam. Please read the DPA carefully as it forms a contract between You, the Customer and Jezzam.
The Jezzam Terms & Conditions are available at https://www.jezzam.com/terms. All capitalised terms not defined in this DPA shall have the same meaning as set out in the Agreement.
This DPA will apply where Jezzam is the processor of EU Personal Data on behalf of the Customer.
|How to execute this Addendum
|A downloadable, pre-signed version of this Addendum is available here
|If Jezzam processes personal data on behalf of a Jezzam customer that qualifies as a controller with respect to that personal
data under the EU General Applicable Data Protection Law (Regulation 2016/679) (an Eligible Customer), such Eligible Customer may execute
this Addendum. Eligible Customers can complete this Addendum by:
|Upon receipt of the validly completed and signed DPA in accordance with the instructions above, this DPA will become legally binding.
|The Controller processes Personal Data in connection with its business activities. As a subscriber of Jezzam Services, you are the Controller;
|The Processor processes Personal Data on behalf of other businesses and organisations. Jezzam is the Processor;
|The Controller wishes to engage the services of the Processor to process Personal Data on its behalf;
|Article 28(1) of the Applicable Data Protection Law (as hereinafter defined) provides that, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject;
|Articles 28(2) of the Applicable Data Protection Law require that where processing is carried out by a processor on behalf of a controller such processing shall be governed by a contractor or legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects and the obligations and rights of the controller;
|In compliance with the above-mentioned provisions of Article 28 of the Applicable Data Protection Law the Controller and Processor wish to enter into this processing security Agreement.
|The parties hereby mutually agree as follows:
|Definitions and Interpretation
|In this Agreement the following words and phrases shall have the following meanings, unless inconsistent with the context or as otherwise specified:
|“Applicable Data Protection Law” shall mean the EU general data protection regulation 2016/679 (GDPR);
|“national law” shall mean the law of the Member State in which the Processor is established;
|“Customer” shall mean the party using Jezzam as a processor of Personal Data and whom is, in relation to the Applicable Data Protection Law, the Controller.
|"controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and;
|“processing of Personal Data” shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
|“Sub-processor” shall mean another Processor engaged by the Processor for carrying out specific processing of Personal Data on behalf of the Controller; and
|“Technical and organisational security measures” shall mean measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alternation, unauthorised disclosure or access and against all other unlawful forms of processing.
|In consideration of the Controller engaging the services of Jezzam to process Personal Data on its behalf, Jezzam shall comply with the security, confidentiality and other obligations imposed on it under this Agreement.
|Prohibited data: Unless explicitly requested by Jezzam to do so, Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of Personal Data to Jezzam for processing.
|Confidentiality of processing
|Jezzam agrees that it shall maintain the Personal Data processed on behalf of the Controller in confidence. In particular, Jezzam agrees that, save with the prior written consent of the Controller, it shall not disclose any Personal Data supplied to Jezzam by, for, or on behalf of, the Controller to any third party.
|Jezzam shall not make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of services to the Controller.
|Jezzam shall ensure that any person it authorises to process the Personal Data (an "Authorised Person") are subject to a duty of confidence.
|Nothing in this agreement shall prevent either party from complying with any legal obligation imposed by a regulator or court. Both parties shall however, where possible, discuss together the appropriate response to any request from a regulator or court for disclosure of information.
|Security obligations of Jezzam
|Jezzam shall only carry out those actions in respect of the Personal Data processed on behalf of the Controller as are expressly authorised by the Controller.
|Jezzam shall take such Technical and Organisational Security Measures as are required under its own national law to protect Personal Data processed by Jezzam on behalf of the Controller against unlawful forms of processing. Such Technical and Organisational measures shall include, as a minimum standard of protection, compliance with the legal and practical security requirements set out in Appendix 1 of this Agreement.
|Jezzam shall not transfer Personal Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
|Customer consents to Jezzam engaging third party sub-processors to process the Personal Data for the Permitted Purpose provided
|Cooperation and data subjects' rights
|Jezzam shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to:
|Data Protection Impact Assessment
|If Jezzam believes or becomes aware that its processing of Personal Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that may be required under the Data Protection Regulation.
|If it becomes aware of a confirmed Security Incident, Jezzam shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) the Applicable Data Protection Law. Jezzam shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
|Term and Termination
|This Agreement shall continue in full force and effect for so long as Jezzam is processing Personal Data on behalf of the Controller.
|Upon termination or expiry of the Agreement, Jezzam will, on Customer’s explicit request, delete or return the Personal Data in its possession or control (in a manner and form decided by Jezzam, acting reasonably). This requirement shall not apply to the extent that Jezzam is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Jezzam shall securely isolate and protect from any further processing.
|Jezzam will, on request from the Customer, provide the Customer with such information as necessary to demonstrate its compliance with the obligations set out in this Addendum and shall (at the Customer's cost and on reasonable prior notice) co-operate with any audits, including inspections, conducted by the Customer or the Customer's nominated auditor.
Appendix 1 – Security Measures
Information regarding the Technical and Organisational measures Jezzam has in place to protect Personal Data available at:https://www.jezzam.com/support/security