European Union General Data Protection Regulation Terms
In Force makes the commitments in these GDPR Terms to all customers, effective May 25, 2018. These commitments are binding upon In Force with regard to Customer regardless of (1) the version of the Product that is otherwise applicable to any given Online Services subscription or (2) any other agreement that references this attachment.
For purposes of these GDPR Terms, Customer and In Force agree that Customer is the controller of Personal Data and In Force is the processor of such data, except when Customer acts as a processor of Personal Data, in which case In Force is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by In Force on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments In Force makes to Customer in the Online Services Terms or other agreement between In Force and Customer. These GDPR Terms do not apply where In Force is a controller of Personal Data.
As used herein, the terms “data subject”, “processing”, “processor”, and “supervisory authority” have the meanings given in the GDPR. As used herein, the term “subprocessor” means other processors used by In Force to process data.
Relevant GDPR Obligations: Articles 28, 32, and 33
1. In Force shall not engage another processor without prior specific or general written authorisation of Customer. In the case of general written authorisation, In Force shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2))
2. Processing by In Force shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law, which are binding on In Force with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, In Force shall:
(a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which In Force is subject; in such a case, In Force shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 32 of the GDPR;
(d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
(e) taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to In Force;
(g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
In Force shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
3. Where In Force engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, In Force shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4))
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and In Force shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
6. Customer and In Force shall take steps to ensure that any natural person acting under the authority of Customer or In Force who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
7. In Force shall notify Customer without undue delay after becoming aware of a personal data breach. (Article 33(2)) Such notification will include the information a processor must provide to a controller under Article 33(3), to the extent such information is reasonably available to In Force.