Service Agreements
This data processing agreement (the “Data Processing Agreement”) is between GreenGeeks at 3411 Silverside Rd, Tatnall Building #104, Wilmington, DE 19810 USA (the “Data Processor”) and the customer agreeing to the GreenGeeks Terms of Service (the “Terms of Service”) (the “Data Controller”) and incorporates the terms and conditions set out in the Schedule attached hereto (the “Schedule”). The Data Processing Agreement and the Schedule shall be referred to collectively as the “Agreement”. Terms used in the Data Processing Agreement but not defined herein shall have the meaning attributed to them in the Schedule.
Under the Terms of Service, Data Controller has appointed Data Processor to provide certain services (“Services”) to Data Controller. As a result of its providing the Services to Data Controller, Data Processor will store and process certain personal information of Data Controller as described below:
-
The Customer Personal Data Processed by Data Processor will be subject to the following basic
Processing activities: Operations necessary for the provision of the Services under the Terms of
Service by Data Processor, including the storage, retrieval, use, disclosure, erasure,
destruction and access of the Customer Personal Data.
-
The Customer Personal Data Processed by Data Processor shall concern only the following
categories of Data Subjects: Customers of Data Controller based in the European Union whose
information is provided to Data Processor for the purposes of the provision of the Services
under the Terms of Service.
-
The Customer Personal Data Processed by Data Processor includes and shall be limited to the
following categories of data: (i) identification and contact information (such as name, email
address); (ii) purchase information (such as payment method, products purchased, billing
information); and (iii) information gathered in the provision of services to Data Controller
(such as analytics, device and browser information).
-
The Customer Personal Data Processed by Data Processor does not contain special categories of
Personal Data.
The Agreement is being put in place to ensure that Data Processor processes Data Controller’s personal data on Data Controller’s instructions and in compliance with applicable data privacy laws.
The Parties to this Agreement hereby agree to be bound by the terms and conditions in the attached Schedule as applicable with effect from 28 June 2018 (the “Effective Date”).
SCHEDULE
STANDARD TERMS FOR PROCESSING AGREEMENT
1. Definitions
For the purposes of this Agreement, the following expressions bear the following meanings unless the context otherwise requires:
“Applicable Data Protection Laws” means the General Data Protection Regulation 2016/679 (“GDPR”) once it takes effect and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument of the Data Controller’s Member State which implements the GDPR, the Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Customer Personal Data” means Personal Data provided by Data Controller to Data Processor for Processing on behalf of Data Controller pursuant to the Terms of Service;
“Data Subject” means the living individuals who are the subject of the Customer Personal Data;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;
“Personal Data”and “Process”, “Processed” or “Processing” have the meaning given in the GDPR;
“Regulator” means the data protection supervisory authority which has jurisdiction over Data Controller’s Processing of Personal Data; and
“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
2. Conditions of Processing
This Agreement governs the terms under which Data Processor is required to Process Customer Personal Data on behalf of Data Controller. In the event of any conflict or discrepancy between the terms of the Terms of Service and this Agreement, the terms of this Agreement shall prevail, to the extent of the conflict.
3. Data Processor's Obligations
-
Data Processor shall only Process Customer Personal Data on behalf of Data Controller and in
accordance with, and for the purposes of providing the Services. If Data Processor cannot
provide such compliance for whatever reason (including if the instruction violates Applicable
Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as
reasonably practicable.
-
Data Processor shall ensure that its personnel who are authorized to Process the Customer
Personal Data have committed themselves to confidentiality or are under an appropriate statutory
obligation of confidentiality.
-
Data Processor shall implement and hold in force for the term of this Agreement specific
technical and organizational security measures as required by the GDPR.
-
Data Processor shall notify Data Controller promptly upon receipt by Data Processor of a request
from an individual seeking to exercise any of their rights under Applicable Data Protection
Laws. Taking into account the nature of the processing, Data Processor shall, at Data
Controller’s expense, assist Data Controller by appropriate technical and organizational
measures, for the fulfillment of Data Controller’s obligation to respond to requests by Data
Subjects to exercise their rights under Chapter III of the GDPR (including the right to
transparency and information, the data subject access right, the right to rectification and
erasure, the right to the restriction of processing, the right to data portability and the right
to object to processing). Data Processor shall carry out a request from Data Controller to
amend, correct, block, transfer or delete any of the Customer Personal Data to the extent
necessary to allow Data Controller to comply with its responsibilities as a data controller.
-
Taking into account the nature of the Processing under the Terms of Service and the information
available to Data Processor, Data Processor shall, insofar as possible and at Data Controller’s
expense, assist Data Controller in carrying out its obligations under Articles 32 to 36 of the
GDPR and any other Applicable Data Protection Laws with respect to security, breach
notifications, impact assessments and consultations with supervisory authorities or regulators.
Data Processor shall comply with GDPR breach notification requirements.
-
Upon termination of the Processing of Personal Data by Data Processor (subject to Data
Processor’s customer data retention policy) and at Data Controller’s request, Data Processor
shall either (i) delete all Customer Personal Data; or (ii) return all Customer Personal Data to
the Data Controller and delete existing copies unless applicable law requires storage of the
Customer Personal Data.
-
Data Processor shall upon written request from Data Controller from time to time provide Data
Controller with all information necessary to demonstrate compliance with the obligations laid
down in this Agreement.
-
Data Controller acknowledges and agrees that Data Processor may, or may appoint an affiliate or
third party subcontractor to, Process the Data Controller’s Personal Data in a Third Country,
provided that it ensures that such Processing takes place in accordance with the requirements of
Applicable Data Protection Laws. Data Controller hereby consents to Data Processor’s access to
Customer Personal Data from the United States to the extent necessary for Data Processor to
provide the Services.
-
Where the Data Processor processes, accesses, and/or stores Customer Personal Data in any Third
Country, Data Processor shall comply with the data importer’s obligations set out in the Model
Clauses, which are hereby incorporated into and form part of this Agreement. The processing
details set out at paragraphs a) to d) of the first page of this Agreement shall apply for the
purposes of Appendix 1 of the Model Clauses and the terms of the Security Policy apply for the
purposes of Appendix 2 of the Model Clauses. Data Controller hereby grants Data Processor a
mandate to execute the Model Clauses, for and on behalf of Data Controller, with any relevant
subcontractor (including affiliates) it appoints.
-
Data Controller acknowledges and agrees that Data Processor relies solely on Data Controller for
direction as to the extent to which Data Processor is entitled to access, use and process
Customer Personal Data. Consequently, Data Processor is not liable for any claim brought by Data
Controller or a data subject arising from any action or omission by Data Processor to the extent
that such action or omission resulted from Data Controller’s instructions.
4. Data Controller's Obligations
-
Data Controller warrants that it has complied and continues to comply with the Applicable Data
Protection Laws, in particular that it has obtained any necessary consents or given any
necessary notices, and otherwise has a legitimate ground to disclose the data to Data Processor
and enable the Processing of the Customer Personal Data by the Data Processor as set out in this
Agreement and as envisaged by the Terms of Service.
-
Data Controller agrees that it will indemnify and hold harmless Data Processor on demand from
and against all claims, liabilities, costs, expenses, loss or damage (including consequential
losses, loss of profit and loss of reputation and all interest, penalties and legal and other
professional costs and expenses) incurred by Data Processor arising directly or indirectly from
a breach of this Clause 4 or any Applicable Data Protection Laws.
5. Sub-contracting
-
Data Controller hereby consents to the use by Data Processor of the Subcontractors set out in
the list of third party sub processors available upon request. If Data Processor appoints a new
Subcontractor to Process Customer Personal Data, it shall update such list. In the event that
Data Controller objects to the appointment, Data Controller’s sole remedy shall be to terminate
the services provided by Data Processor. If Data Controller does not object, Data Processor may
proceed with the appointment. Data Processor ensures that it has a written agreement in place
with all Subcontractors which contains obligations on the Subcontractor which are no less
onerous on the relevant Subcontractor than the obligations on Data Processor under this
Agreement.
6. Termination
- Termination of this Agreement shall be governed by the Terms of Service, mutatis mutandis.
7. Law and Jurisdiction
- This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the jurisdiction specified in the Terms of Service.