Summary
This Data Processing Agreement (herein referred to as the “DPA”) forms part of the overall Terms and Conditions of Service and is made and entered into by and between O’Brien Media Limited, who’s registered office is at The Innovation Centre, PO Box 4096, Swindon, Wiltshire, SN5 1DE (Registered in England and Wales number: 07874512), on behalf of itself and its subsidiaries, (herein referred to as “O’Brien Media”, “we”, “our”, “ourselves”), and the Customer (herein referred to as “Customer”, “you”, “your”, “yourself”).
Further Definitions
“the Services” means services O’Brien Media may provide to you, collectively or separately, including cloud, web hosting, content delivery network, internet security including SSL certificates, domain registrations and other related services either by ourselves or in conjunction with partners and subsidiaries. This DPA does not cover the processing of data as part of the O’Brien Media Analytics service, which has it’s own DPA.
“Data Controller” means Customer.
“Data Processor” means O’Brien Media.
“Directive” means the EU Data Protection Directive 95/46/EC (as amended).
“General Data Protection Regulation” means the European Union General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the Directive or the General Data Protection Regulation.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Data Protection Requirements” means the Directive, the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation, and all Privacy Laws.
“Personal Data” has meaning as given in Article 4 of the General Data Protection Regulation.
“Customer Personal Data” means Personal Data that Customer uploads or otherwise provides O’Brien Media in connection with its use of the Services.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Process” and its cognates has meaning as given in Article 4 of the General Data Protection Regulation.
“Sub-processor” means any entity which provides processing services to O’Brien Media.
“Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.
Compliance and Use
Customer and O’Brien Media shall comply with their Data Protection Requirements including the General Data Protection Regulation as well as other applicable Privacy Laws. Customer shall appoint a Supervisory Authority as required by Data Protection Requirements. O’Brien Media has appointed the United Kingdom Information Commissioner’s Office (registration number: ZA304284) as its Supervisory Authority. Customer acknowledges that O’Brien Media collects and maintains records of each Data Controller and Data Processor on behalf of which O’Brien Media acts and makes available such records to a Supervisory Authority by request. Customer intends to use the Services and in the course of doing so will upload or otherwise provide O’Brien Media with Customer Personal Data.
Processing
Customer shall have sole responsibility for the accuracy, quality and processing of Customer Personal Data. O’Brien Media shall not access, use or process Customer Personal Data on behalf of Customer except as otherwise required to deliver the Services, provide technical support related to the Services and for maintenance and improvement of the Services unless otherwise directed by Customer. Customer shall determine the nature and purpose of Customer Personal Data and the categories of Data Subjects.
Data Access, Modification and Deletion
During the course of using the Services, when Customer Personal Data is uploaded you may access, modify or delete data by logging into the Services using common protocols and tools. After Customer Personal Data has been modified or deleted the original data may continue to be retained in backup storage for up to ninety (90) days. Upon termination or expiry of the Services and upon written request by Customer, O’Brien Media will return and delete all Customer Personal Data in its possession or control. This requirement shall not apply to the extent that O’Brien Media is required by law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has retained in backup storage, which O’Brien Media shall take reasonable steps protect from any further processing except to the extent required by law.
Sub-processors
Customer consents to O’Brien Media engaging third party Sub-processors in connection with delivery of the Services. These Sub-processors may include partners and subsidiaries. O’Brien Media maintains an up-to-date list of its Sub-processors. Customer may request information related to the appointment of new or the replacement of existing Sub-processors. O’Brien Media will respond to reasonable requests for additional information or objections by Customer to the use of a Sub-processor.
International Transfers
Customer shall have sole responsibility for where they upload Customer Personal Data during the course of using the Services. O’Brien Media maintains servers in secure data centres worldwide, some of which are located outside of the EU and EEA. The Services allows for selection by Customer of data centre region during the checkout process as well as through the O’Brien Media Client Connect portal. If Customer is unsure which data centre region the Services are delivered from, or would like to transfer between regions, O’Brien Media’s support team can provide assistance upon request. Customer acknowledges that certain aspects of the Services, such as the content delivery network, are by their design and purpose, served by multiple worldwide data centres including outside of the EU and EEA. In delivery and support of the Services, Customer consents to O’Brien Media engaging international Sub-processors located outside of the EU and EEA including partners and subsidiaries.
Cooperation and Data Subjects’ Rights
O’Brien Media shall provide reasonable and timely assistance to Customer in accordance with this DPA and the Services, to enable Customer to respond to a request from a Data Subject to exercise any of its rights under the General Data Protection Regulation (including its rights of access, correction, objection, erasure and data portability, as permitted); and any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to O’Brien Media, O’Brien Media shall inform Customer providing details of the same unless otherwise prohibited. Customer shall be responsible for any costs incurred by O’Brien Media as the result of providing such assistance.
Data Protection Impact Assessment
O’Brien Media shall provide Customer reasonable assistance in support of a data protection impact assessment, solely in relation to Customer Personal Data, this DPA, the Services and where the Customer would not otherwise have access to the relevant information. Customer shall be responsible for any costs incurred by O’Brien Media as the result of providing such assistance.
Confidentiality
O’Brien Media shall ensure that appropriate contractual obligations related to confidentiality exist with its personnel and that these survive the termination of engagement.
Security
O’Brien Media ensures appropriate technical and organisational safeguards exist for the Processing of Personal Data including the hiring of qualified personnel, physical data centre access controls, systems access controls, data access controls, data transmission protocols, systems logging and backup systems.
Security Incidents
If O’Brien Media becomes aware of a confirmed Personal Data Breach impacting Customer Personal Data, O’Brien Media shall notify Customer and where possible shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under the General Data Protection Regulation. Customer shall indemnify and keep indemnified O’Brien Media against all losses with respect to any Personal Data Breach due to non-compliance by Customer with its Data Protection Requirements or violation of this DPA.
Other Obligations
Customer shall comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Requirements for Data Controllers by establishing and maintaining a procedure for the exercising of the rights of the individuals whose Personal Data are processed by Customer; processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Personal Data on its behalf. Customer acknowledges it has reviewed and Consents to O’Brien Media’s separate Privacy Policy in relation to the Services and will periodically review the Privacy Policy for any changes and additions.
Audits and Inspections
O’Brien Media shall provide audit and inspection assistance to Customer, if requested in writing to O’Brien Media’s address of notice, to verify O’Brien Media’s compliance with its obligations under this DPA. Customer shall be responsible for any costs incurred by O’Brien Media as the result of providing such assistance. If O’Brien Media declines to cooperate with an audit or inspection request Customer has the rights to terminate this DPA and the Services.