Privacy Policy

Last Revised November 2022

1 Instructions

In this Data Processing Agreement you shall act as Data Controller and we shall act as Data Processor, regarding any Personal Data. You hereby instruct us to carry out the Processing Services. When carrying out the Processing Services, we shall only process Personal Data in accordance with the instructions from you and only for the purposes authorized by you. Data will only be kept for clear and legal purposes. All Data will be processed fairly and in keeping with the purpose for which it was obtained. The Data collected by us shall only be the Data provided by you which can include employee names, extension numbers, DDI, email addresses and how you or your employees use the services including recorded communication data relating to SMS, Calls, Chat and Video.

You shall make available the appropriate power of attorney, for us to act on your behalf regarding the signing of the standard contractual clauses, after you approve specifically and in writing any relevant sub-processor. You shall ensure that you have the proper authority to furnish Data to us relating to you or your employees.

We will use the Data for administering and managing the service provided to you which shall include quality of service monitoring, providing you with information about the service, conducting market research and analysis to enhance the service on offer, sending you communications and newsletters, notifying you about changes to products and services and verifying your identity.

Certain non-personal Data collected may be transferred to third parties in connection with operating our business. By submitting Data (including personal Data) you agree to the transfer, storing and processing of this Data by us. Data may be disclosed by us to our professional advisors in order to seek advice, service providers such as payment processors, delivery service providers, technology providers and our business partners.

2 Applicable Law

2.1.
When carrying out the obligations under the Agreement, we shall comply with all Applicable Data Protection Laws including the General Data Protection Regulation (GDPR) (EU) (2016/679) and further with Applicable Data Processor Laws.

2.2.
We shall deal promptly and appropriately with your requests for assistance to ensure compliance of the processing of the Personal Data with Applicable Data Protection Laws.

If we:
a. determine we are unable for any reason to comply with our obligations under this Agreement and we cannot cure this inability to comply; or;
b. become aware of any circumstance or change in the Applicable Data Protection Laws, that is likely to have a material adverse effect on our ability to meet our obligations under this Data Processing Agreement;

2.3.
We shall promptly, but within 24 hours if possible, notify you thereof, in which case you will have the right to temporarily suspend the Processing Services until such time the Processing Services are adjusted in such a manner that the non-compliance is remedied. To the extent such adjustment is not possible within thirty (30) days, you shall have the right to terminate the relevant part of the Processing Services by us.

3 Security

We shall implement appropriate technical, physical and organizational security measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other forms of unlawful Processing Services (including, but not limited to, unnecessary collection or further Processing Services). These measures shall, taking into account the state of the art and the costs of the implementation and execution of the measures, ensure an adequate level of protection taking into account the risks involved in the Processing Services and the nature of the Personal Data to be secured.

4 Non-Disclosure & Confidentiality

We shall keep Personal Data confidential and shall not Disclose Personal Data in any way to any Third Party without your prior written approval, except where in accordance with the Agreement, (i) the Disclosure is necessary for the normal and expected performance of the Processing Services, or (ii) where Personal Data need to be Disclosed to a competent public authority to comply with a legal obligation.

4.1.
We shall for a minimum period of six (6) months, unless Applicable Data Protection Laws provides otherwise, keep a record of any Disclosure that is made, including, but not limited to:

a. Name and address of the third Party to which Personal Data was Disclosed;
b. Personal Data which was Disclosed;
c. Date and time on which Personal Data was Disclosed; and
d. Purpose of Disclosure.

We shall provide staff access to Personal Data only to the extent necessary to perform the Processing. We shall provide our staff (employees and if applicable hired personnel) access to Personal Data only to the extent necessary to perform the Processing Services. We shall ensure that any staff we authorise to have access to Personal Data Processed on our behalf, shall respect and maintain the confidentiality and security of such Personal Data.

5 Sub-Processors

We shall not permit sub-processors to Process Personal Data without your prior written consent. Any authorisation by you to use any sub-processor, is on the condition that we remain fully liable to you for the sub-processor’s performance of the contract, as well as for any acts or omissions of the sub-processor in regard of its Processing Services.

6 Notifications

6.1.
We shall promptly, and in any case within twenty-four (24) hours where possible, inform you if:
a. we receive an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the Processing Services, unless we are otherwise prohibited by law from making such disclosure;
b. we intend to Disclose Personal Data to any competent public authority;
c. if we detect or reasonably suspects that a material data Security Breach has occurred.

Such notice shall be sent per e-mail to the Customer Contract Manager, with a copy to your Legal Department. In case of a Data Security Breach, we shall take adequate remedial measures as soon as possible. Furthermore, we shall without undue delay , provide you with all relevant information (that can be provided in that time frame, due to the difficulty and complexity of the breach) as requested by you regarding the any relevant Data Security Breach but at all times regarding any Security Breach. We shall fully cooperate with you to develop and execute a response plan to address the relevant Security Breach. We shall at your request cooperate adequately, informing the Individuals involved.

7 Co-operation, Complaints, Requests & Inquiries

We shall use our best endeavours to deal promptly and appropriately with your inquiries related to the Processing Services.In the event we have direct contact with a client of yours, we shall promptly inform you of any complaints, requests or inquiries received from Individuals, including but not limited to requests to correct, delete or block Personal Data. We shall not respond to the individuals directly unless specifically instructed by you, in which case we shall respond within a reasonable period of time, and in any case within three (3) weeks after receipt of the respective complaint, request or inquiry. In any event we shall cooperate with you to address and resolve any such complaints, requests or inquiries. We shall maintain in place procedures to enable compliance with such complaints, requests or inquiries.

8 Return & Erasure of Personal Data

8.1.
All Personal Data shall be immediately returned to you upon your first request. We shall not retain Personal Data any longer than necessary for the purposes of performing its obligations under the Data Processing Agreement and the Agreement.

8.2.
Upon termination of the Agreement, we shall, at your option return the Personal Data and copies thereof to you or shall securely destroy such Personal Data, except to the extent the Data Processing Agreement or Applicable Processor Law provides otherwise. In that case, we shall no longer process the Personal Data, except to the extent required by the Agreement or Applicable Data Processor Law. You may require us to promptly, confirm and warrant in writing that we have returned, deleted or destroyed all copies of Personal Data.

9 Transfer of Personal Data

9.1.
We shall not transfer Personal Data to any Non-adequate Country outside EEA or make such Personal Data accessible from any such Non-adequate Country without your prior written approval.

9.2.
Any transfer of Personal Data outside the EEA to a Third Party in a Non-adequate Country shall be governed by the terms of a data transfer agreement, which will contain standard contractual clauses as published in the Decision of the European Commission of February 5, 2010 (Decision 2010/87/EC). We and you will work together to apply for and obtain any permit, authorization or consent that may be required under Applicable Local Law in respect of the implementation of the solution described in this Clause.

10 Obligation to Renegotiate Agreement

10.1.
Each year, or sooner if so dictated by circumstances, parties shall evaluate the Processing Services in line with the regular SLA governance and meeting structure. If changes are required in the Processing Services by us, parties shall amend the Data Processing Agreement to comply with Applicable Data Protection Law and Applicable Data Processor Law.

10.2.
We shall immediately inform you of any circumstances which may be relevant in this respect, including, but not limited to:

a. material changes in the services provided by a sub-processor;
b. a take-over or merger of Supplier or any of its sub-processors.

11 Rights of Individuals

This clause is applicable in the following situations:

a. We are permitted by you to use sub-processors situated outside the EEA and the transfer is based on Safe Harbour; and
b. where the standard contractual clauses as referenced in Clause 9.2 should have been applicable in accordance with this Agreement, but were not met of not rightfully met for whichever reason. If the EU clauses would have been applicable, this clause would have been applicable as well.

The Individual can enforce our data protection obligations under this Data Processing Agreement directly against us in cases where you have factually disappeared or have ceased to exist in law unless any successor entity has assumed the our entire legal obligations by contract or by operation of law, as a result of which it takes on your rights and obligations, in which case the individual can enforce them against such entity.

If an Individual is not able to bring a claim for compensation against you, arising out of a breach by us (or his sub-processor) of any of its obligations under this Data Processing Agreement, because you have factually disappeared or ceased to exist in law or has become insolvent, We agree that the individual may issue a claim against us as if it were you, unless any successor entity has assumed the entire of your legal obligations by contract or by operation of law, in which case the Individual can enforce its rights against such entity. We may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

Annex: Definitions

“Applicable Data Processor Law” shall mean the Data Protection Laws that are applicable to Supplier as the Data Processor of the Personal Data;
“Applicable Data Protection Law” means all laws, rules, regulations, governmental requirements, codes as well as international, federal, state, provincial laws applicable to Customer as the Data Controller of the Personal Data;
“Data Controller” shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor” shall mean the entity or natural person which Processes Personal Data on behalf of a Data Controller.
“Data Security Breach” shall mean the unauthorized acquisition, access, use or Disclosure of Personal Data.
“Disclosure” or “Disclose” or “Disclosed” shall mean any form of disclosure of Personal Data to (including remote access by) an unauthorised Employee or any unauthorised Third Party;.
“EEA” (European Economic Area) shall mean all Member States of the European Union, Norway, Iceland, Liechtenstein and, for purposes of this Annex, Switzerland.
“Employee” shall mean any employee, agent, contractor, work-for-hire or any other person working on behalf of, or under the instruction or supervision of, Supplier.
“GDPR” means General Data Protection Regulation (GDPR) (EU) (2016/679)
“Individual” shall mean any individual whose Personal Data is Processed by Data Processor during the performance of the Agreement.
“Non-adequate Country” means a country that is deemed not to provide an adequate level of protection for Personal Data within the meaning of General Data Protection Regulation (GDPR) (EU) (2016/679);
“Personal Data” means data which relate to a living individual who can be identified: from those date, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (as defined in the Data Protection Act 1998 and GDPR).
“Processing Services” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage , adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available (including the granting of remote access), alignment or combination, blocking, erasure or destruction.
“Processing”, “Process” or “Processed” shall mean any operation that is performed on Personal Data, regarding the Processing Service.