1 DATA PROCESSING
1.1 For the purposes of this Clause 1, controller, data subject, personal data, processing and processor shall have the meaning given to them in Regulation (EU) 2016/679 (GDPR).
1.2 In respect of personal data processed by Keystroke Pro on behalf of the Customer, the parties agree that the Customer shall be the controller and the Service Provider shall be the processor.
1.3 The Service Provider shall:
1.3.1 Process the personal data solely for the purposes of performing its obligations under the Agreement.
1.3.2 Process the personal data on the documented instructions from the Customer, unless required to do so by English, European Union (EU) or EU Member State law to which the Service Provider is subject. In such a case, the Service Provider shall inform the Customer of that legal requirement before processing (unless that law prohibits such information on important grounds of public interest).
1.3.3 Immediately inform the Customer if, in its opinion, an instruction of the Customer infringes the GDPR or other EU or EU Member State data protection provisions.
1.3.4 Ensure that the Service Provider’s personnel authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
1.3.5 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in relation to the personal data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including considering those measures referred to in Article 32 of the GDPR (‘Security of processing’).
1.3.6 Taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising data subjects’ rights laid down in Chapter III (‘Rights of the data subject’) of the GDPR.
1.3.7 Taking into account the nature of the processing and information available to the Customer, provide assistance to the Customer in order to assist the Customer in ensuring the Customer’s compliance with the obligations set out in GDPR Article 32 (‘Security of processing’), Article 33 (‘Notification of a personal data breach to the supervisory authority’), Article 34 (‘Communication of a personal data breach to the data subject’), Article 35 (‘Data protection impact assessment’), and Article 36 (‘Prior consultation’), in each case solely in relation to processing of the personal data.
1.3.8 At the option of the Customer, delete or return all the personal data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless English, EU or EU Member State law requires storage of the personal data.
1.3.9 Make available to the Customer all information necessary to demonstrate compliance with Article 28 of the GDPR and permit audits and inspections conducted by the Customer or an auditor appointed by the Customer.
1.4 The Service Provider shall not subcontract its processing of the personal data under the Agreement to any third party without the prior written consent of the Customer.
1.5 The Customer shall ensure that the arrangement between it and each processor authorised by the Customer pursuant to Clause 1.4 is governed by a written contract including the same data protection obligations as those set out in the Agreement which are required by Article 28(3) of the GDPR.
1.6 The Service Provider shall provide assistance requested by the Customer in relation to the fulfilment of the Customer’s obligation to cooperate with the relevant supervisory authority under Article 31 GDPR.
1.7 The Service Provider warrants and represents that it shall comply with the GDPR and all other applicable laws and regulations, relevant industry codes of practice and guidance in relation to the processing of personal data under the Agreement.
1.8 The Customer warrants that they agree to have any data processed by the Service Provider outside the European Union.
This addendum and any non-contractual obligations connected to it shall be governed by and construed in accordance with the laws of England and Wales.