Primis Data Processing Agreement

The Data Processing Agreement below shall apply to all Services provided to the Company (“Controller”) by Primis (“Processor”). This Data Processing Agreement applies to the processing of personal data through the Services provided by the Processor and forms an integral part of the Terms of Use.

1. DEFINITIONS

1.1. In this Data Processing Agreement, “GDPR” means the General Data Protection Regulation as well as all laws and regulations that may replace this regulation in the future.
1.2. Terms defined in the GDPR have the same meaning in this Data Processing Agreement, unless another definition is given here.
1.3. “Personal Data” means personal data (as defined by the GDPR) relating to the Controller or its customers and/or other contacts.
1.4. “Sub-Processor” means a legal entity or person, not being a member of the Processor’s staff, who is or will be engaged by the Processor for the purpose of providing products or services to the Controller on the Processor’s behalf, for which purpose the engaged person or entity may receive or have access to Personal Data.

2. GENERAL

2.1. The Processor and the Controller each warrant compliance with the laws and regulations applicable to them, including in any event the laws and regulations related to the protection of Personal Data, such as the GDPR.
2.2. The Processor will only process Personal Data in accordance with the applicable laws and regulations, the written instructions of the Controller and as required to deliver the Services as set out in the Agreement.
2.3. The Processor will keep secret all Personal Data which it receives from the Controller, or to which it is given access by the Controller, and the Processor will not disclose or make this data accessible to third parties (other than permitted Sub-Processors) without prior written permission from the Controller, unless the Personal Data must be disclosed to a party authorised to receive such data (such as a supervisory authority, investigating officer or court) pursuant to a written obligation.
2.4. With respect to all Personal Data and instructions issued by the Controller to the Processor, the Controller guarantees that it has the necessary authority. The Controller shall indemnify the Processor against any form of harm and/or third-party claims that may arise from, or be related to or based on, an assertion that the Controller was not authorised to issue certain Personal Data or a certain instruction to the Processor.
2.5. All subsidiaries, sister companies and parent companies in the Processor’s or permitted Sub-Processors’ group have the same rights and associated obligations under this Data Processing Agreement as the Processor.
2.6. The Processor is entitled to charge the Controller any costs incurred in complying with the Controller’s requests under this Data Processing Agreement or applicable data protection laws and regulations.

3. PROCESSING OPERATIONS AND PURPOSES

3.1. The Processor will process the Personal Data only to the extent necessary in order to supply the agreed Services to the Controller including improving those Services, or to fulfil a legal obligation.
3.2. The Personal Data of Controller’s customers that can be processed by the Processor on behalf of the Controller in using the Services may include one or more of the following data:

3.2.1. contact details (such as name, e-mail address, telephone number);
3.2.2. delivery details (such as delivery address);
3.2.3. product data (such as weight, dimensions of the parcel, content of the package).

3.3. The Controller warrants that the aforementioned list of categories of Personal Data is exhaustive and shall inform the Processor without undue delay of any changes necessary.

4. SECURITY

4.1. The Processor and the Controller will put in place appropriate technical and organisational measures to secure the Personal Data against loss or any form of unlawful processing, including unnecessary collection, disclosure or further processing. A description of technical and organisational measures taken by the Processor will be provided to the Controller on their request.
4.2. The Processor does not guarantee that the security measures are effective under all circumstances. The Processor will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
4.3. The Processor and the Controller will give their staff members and permitted Sub-Processors access to the Personal Data only to the extent necessary for the permitted processing purposes.
4.4. The Controller will only make the Personal Data available to the Processor if it is assured that the necessary security measures have been implemented.
4.5. The parties acknowledge that effective security requires frequent evaluation and regular improvement of outdated security measures. The Processor will not materially decrease the overall security of the Service during the term of the Agreement.

5. SUB-PROCESSORS

5.1. The Controller hereby gives the Processor general permission to engage Sub-Processors for the processing of the Personal Data, provided that the Processor abides by the applicable requirements of the GDPR and/or other applicable privacy legislation in doing so.
5.2. Processor shall inform Controller at their request about which Sub-Processors are engaged by the Processor. Processor endeavours to inform Controller about any planned change in the used Sub-Processors, in which case Controller has the right to object (In Writing, within two weeks and supported by arguments) to the proposed change in Sub-Processors. Should Controller object to such change, then the parties will jointly endeavour to find a reasonable solution. If parties cannot come to a solution, then the Processor is allowed to make the planned change in the used Sub-Processors and Controller is allowed to terminate the Agreement on the date that Processor will actually make the change in the used Sub-Processors but will not be entitled to any form of refund of the Charges as a result of such termination.
5.3. The Processor will (i) contractually oblige every Sub-Processor to comply with the same or equivalent obligations to processing as those by which the Processor is bound under this Data Processing Agreement, and (ii) remain liable to the Controller for the performance of the Data Processing Agreement by the Sub-Processors and all other acts or omissions of the Sub-Processors in connection with the processing of the Personal Data.

6. PROCESSING LOCATION

6.1. The Processor will not process or allow any Sub-Processors to process Personal Data in countries outside of the European Economic Area (“EEA”) without a suitable level of protection, unless appropriate guarantees are in place as required by the GDPR (such as the EU Standard Contractual Clauses or binding corporate rules).

7. NOTIFICATION OBLIGATION

7.1. In the event of a personal data breach (as defined in Article 4 (12) of the GDPR), the Processor shall notify the Controller thereof without undue delay, and in any event not later than forty-eight (48) hours upon the discovery of the personal data breach by the Processor, after which the Controller shall determine whether or not to inform the relevant data subjects and/or the relevant supervisory authority.
7.2. If required under applicable data protection law, the Processor shall fully cooperate in notifying the relevant data subjects and/or the relevant supervisory authority.

8. HANDLING REQUESTS AND COMPLAINTS FROM DATA SUBJECTS

8.1. If a data subject sends the Processor a request to access, improve, supplement, change or block their data, or submits a complaint to the Processor, the Processor will forward the request or complaint to the Controller and the Controller will follow up on the request or complaint. The Processor may inform the data subject that it has done so.
8.2. At the Controller’s request and cost and when reasonably necessary, the Processor will provide support to (i) allow data subjects access to their own Personal Data, with the approval and on the instructions of the Controller, (ii) delete or correct Personal Data, (iii) show that Personal Data have been deleted or corrected if they were incorrect (or, if the Controller does not agree that the Personal Data were incorrect, record the fact that the data subject considers their Personal Data to be incorrect) and (iv) otherwise make it possible for the Controller to comply with its obligations under the GDPR or other applicable legislation in the area of processing Personal Data.

9. DATA PROTECTION IMPACT ASSESSMENT

9.1. In case applicable privacy legislation requires a data protection impact assessment (as defined in Article 35 of the GDPR) to be conducted or prior consultation with a supervisory authority is deemed necessary (in accordance with Article 36 of the GDPR), before the intended processing under the Agreement may be carried out, then at the Controller’s cost, the Processor shall provide Controller with assistance to the extent necessary and reasonable.

10. DURATION AND TERMINATION

10.1. This Data Processing Agreement is applicable for the Term.
10.2. In the event that the provision of Services to the Controller is discontinued, the Processor will – at the choice of the Controller – and subject to Clause 11 of the Terms of Use, delete or return all Personal Data to Controller, and delete any existing copies, unless further storage of the Personal Data is required by law.