PrivacyAid

Commercial Terms

Please read through the following terms. Click each arrow on the left of the subheading to make the section visible. Once you have read, understood and agreed to them, you will be asked to complete the form at the bottom of the page. This form acts as a digital signature.

In these terms and conditions (“Terms”) the following words have the following meanings:

“Agreement” These Terms and any Proposal referable to these Terms. 

“PrivacyAid” PrivacyAid is a trading name of Prior Analytics Ltd registered and incorporated in England company number 03641722.  Registered address 590 Green Lanes, Palmers Green, London, N13 5RY.

“Customer”, “You” or “Your” The individual or organisation whose name & address is indicated in the Proposal as the party to which PrivacyAid will supply the Services.

“Fees” The sums payable by You to PrivacyAid in consideration of PrivacyAid’s supply of Services and as specified in our proposal.

“Proposal” Any letter of proposal or other proposal document referred to as such, which is attached to this Agreement.

“Services” Any services requested by You to be supplied by PrivacyAid and as described in a Proposal.

“Work” Any specific and unique output, result or product of the Services to You in any form of media and howsoever arising.

2.1 PrivacyAid will supply Services requested by you in accordance with the terms of this Agreement. In the event of any conflict or ambiguity between these Terms and the provisions of any agreed attachment, the provisions of the attachment will prevail.

2.2 PrivacyAid warrants that Services will be performed in accordance with Good Industry Practice, with reasonable skill and care and it will exercise that degree of skill, diligence, prudence and foresight which would reasonably be expected from a skilled, experienced person engaged in the same type of undertaking under similar circumstances.

3.1 PrivacyAid will invoice you for Services supplied in accordance with this clause 3 and in accordance with Fees specified in PrivacyAid’s proposal.

3.2 All Fees and other sums payable under the Agreement are exclusive of VAT and any other applicable taxes (excluding tax on our income), duties and withholdings, which are payable by You at the rate and in the manner prescribed by law.

3.3 You will pay all invoices within 30 days of the date of the invoice. PrivacyAid reserves the right to charge You interest on all overdue sums in accordance with The Late Payment of Commercial Debts (Interest) Act 1998.

3.4 PrivacyAid will re-charge to You all directly and reasonably incurred out of pocket expenses including travel and subsistence incurred in providing the Services, subject to any maximum amounts set out in our proposal. Reasonable evidence of expenses incurred under this Agreement will be available upon written request.

3.5 If under this Agreement any sum is owed by PrivacyAid to You, this may be deducted from any sum which at any later time may become due to PrivacyAid under this Agreement.

4.1 IP Rights are any copyright, patent, registered design, trademark or other intellectual property right of whatever nature subsisting anywhere in the world.  IP Rights related to or arising in connection with this Agreement will be deemed to be wholly owned by You upon creation. You hereby grant and PrivacyAid accepts a personal, non-exclusive, non-transferable, perpetual licence to use such IP Rights only for purposes of performing Services. PrivacyAid agrees that PrivacyAid will have no right to use Work or IP Rights outside the scope of this Agreement.

4.2 PrivacyAid’s advice and Work is provided for the purposes set out in this Agreement and PrivacyAid disclaims any responsibility for the use of PrivacyAid’s advice or Work for a different purpose or in a different context.

4.3 Nothing in this Agreement shall prevent either party from using any know how, methodologies, concepts acquired before or during the performance of the Services for any purpose, subject to the confidentiality obligations contained within this Agreement.

5.1 Each party shall be responsible for its compliance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 on the basis that You are the Data Controller and PrivacyAid is the Data Processor.

6.1 PrivacyAid shall not publish or make publicly available any Work and/or any other matter related to this Agreement without Your prior written consent. If such consent is granted by You, PrivacyAid’s publication of such Work shall be subject at all times to the obligations of confidentiality contained within this Agreement. 

7.1 Neither party will use or disclose any confidential information belonging to the other party including any trade secrets, business information, employee information, IP Rights and Work and all other information disclosed (“Confidential Information”) except as necessary for the performance of this Agreement and upon conditions of confidentiality. However this will not restrict the disclosure of any Confidential Information:

which is or becomes (through no fault of the disclosing party) public knowledge; or

which is already in the receiving party’s possession prior to the date of this Agreement, or was independently developed by the receiving party without reference to the Confidential Information; or

to the extent permitted or required by law; or

to a professional adviser bound by a professional duty of confidentiality.

8.1 You undertake that You will:

make available and give free of charge, unhindered access to such of Your premises and facilities (subject to reasonable safety and security requirements) as required by PrivacyAid to enable the supply of Services;

ensure that Your employees and other independent contractors co-operate reasonably with PrivacyAid and its employees in supplying Services;

promptly furnish PrivacyAid with all information and documents as reasonably required for the supply of Services;

be solely responsible for the maintenance, upkeep and repair of all Work (unless otherwise agreed by PrivacyAid in writing);

pay VAT or any other sales tax upon any payment to be made to PrivacyAid; and

provide suitable accommodation / facilities for PrivacyAid employees on your premises.

9.1 PrivacyAid will make available (amongst others) the personnel named in the Proposal to perform the Services or such replacements of equivalent status as may be approved by You (such approval not to be unreasonably withheld or delayed) and will use all reasonable endeavours to ensure that they remain available to the extent necessary to perform their allotted tasks until the completion of the Services.

9.2 You shall have the right after consultation with PrivacyAid to request the removal from involvement in the Services of any person if in Your reasonable opinion the performance or conduct of such person is or has been unsatisfactory. 

9.3 Both parties agree not to solicit or entice away any personnel of the other party or offer or cause to be offered any employment to any such personnel for a minimum period of twelve months following the expiry or termination of this Agreement. Nothing in this clause shall restrict an application by any person in response to a general recruitment advertisement by either party.

9.4 If You do appoint any of PrivacyAid’s personnel (or PrivacyAid’s subcontractors / associates) who have been engaged in the Services to a permanent and/or salaried position within Your organisation during the term of this Agreement, or within six months of its termination, even where they have applied in response to a recruitment advertisement, You will pay PrivacyAid a fee based on a percentage of the first year’s salary or of the annual equivalent if the appointment is for less than a year or of the fees You agree to pay, whichever is higher, to be calculated as follows:

– Recruited within the first 2 months of this assignment: 30%

– Recruited within first 3-6 months of this assignment:  25%

– Recruited within first 6-9 months of this assignment:  20%

– Recruited after first 9 months of this assignment:   15%

This fee will become payable on the date that the PrivacyAid employee, subcontractor or associate agrees to join Your organisation. If this Agreement is still in force at that time, it will automatically terminate on the day that this fee is received by PrivacyAid.

10.1 PrivacyAid reserves the right to sub-contract all or any part of the supply of Services. Without limiting PrivacyAid’s rights to engage the services of its advisors, associates, or engage consultants or sub contractors, PrivacyAid shall use its reasonable endeavours to notify You that it has or intends to sub-contract all or part of the Services. If You object, on reasonable grounds, to such sub-contracting You shall notify PrivacyAid within five (5) working days for the grounds of such objections and the parties shall enter into good faith discussions to resolve the matter.

11.1 If either party identifies a requirement for a change to the Services, the identifying party will send a written notice (“Change Request”) to the other party detailing the change requirements. If sent by PrivacyAid, the Change Request will state the effect such a change will have on the Services and fees. If sent by You, PrivacyAid’s receipt of the Change Request will represent a request to PrivacyAid to state in writing the effect the change will have on the Services and Fees.  PrivacyAid will use reasonable endeavours to supply such information within 15 working days from receipt of Your Change Request.

11.2 Where a change to Fees is required the basis for calculating the additional cost of the change will be PrivacyAid’s prevailing rates which are available upon written request. The parties will then decide whether or not to implement the Change Request. If the Change Request is implemented, the amended services and fees will be deemed Services and Fees and take effect for the remainder of this Agreement.

12.1 Neither party excludes or limits liability to the other party for death or personal injury or fraud or any breach of any obligations implied by Section 12 of the Sale of Goods Act 1979 or Section 2 of the Supply of Goods and Services Act 1982.

12.2 Each party’s total liability, whether in contract, tort (including negligence), breach of statutory duty or otherwise for loss or damage to the tangible property of the other party caused by its negligence shall not exceed one million pounds sterling in aggregate. 

12.3 Except for liability governed by clause 12.1 and 12.2 above, each party’s total liability (whether in contract, tort (including negligence), breach of statutory duty or otherwise) in connection with this Agreement shall not exceed the greater of £500,000 (five hundred thousand pounds sterling) or the Fees paid by You under this Agreement.

12.4 Subject always to Clause 12.1, neither party will be liable to the other for: loss of profits, business, revenue; data, goodwill or anticipated savings; and/or indirect or consequential loss or damage, however and whenever arising.

12.5 PrivacyAid and You agree that should any limitation or provision contained in this Agreement be held invalid under any statute or other law it shall to that extent be deemed omitted but if either party becomes liable for loss or damage which would otherwise have been excluded such liability shall be subject to the other limitations and provisions set out herein.

12.6 Except as expressly provided in this Agreement no warranty, condition, undertaking or term, expressed or implied, statutory or otherwise as to the condition, quality, performance or fitness for purpose of the Work or the Services will be assumed by PrivacyAid and except as expressly provided in this Agreement all such warranties, conditions, undertaking and terms are excluded.

13.1 You may upon not less than 1 month’s written notice suspend the supply of Services for up to three consecutive months (“Suspension Period”) subject to payment of 25% of the average monthly Fees (estimated by PrivacyAid) for each month or part month in the Suspension Period. You may request reinstatement of the supply of Services upon not less than 1 month’s written notice (unless a shorter period shall be agreed between the parties) at any time during the Suspension Period. If You do not request reinstatement of Services during the Suspension Period this Agreement will be terminated immediately upon expiry of the Suspension Period.

14.1 Neither party will be under any liability to the other for damage, delay or any other matter arising from circumstances beyond a party’s reasonable control, including but not limited to acts of war, rebellion, civil disturbance, strikes, lock outs and industrial disputes, fire, explosion, earthquake, Acts of God, flood, drought or bad weather or other act or order by any Government department, Council, or other constituted body (“Force Majeure”) provided always that both parties will use all reasonable endeavours (but without an obligation to incur cost) to minimise the period of disruption caused by Force Majeure.

15.1 Either party may terminate this Agreement by giving 30 days written notice if:

The other party commits any material breach of this Agreement and fails to remedy such breach within 30 days, for the avoidance of doubt non-payment by You of any invoice in accordance with section 3 shall be considered a material breach of this contract;

The other party becomes bankrupt or compounds or makes any arrangement with or for the benefits of its creditors or (being a company) enters into compulsory or voluntary liquidation or amalgamation (other than for the purpose of a bona fide reconstruction or amalgamation without insolvency) or has a receiver or manager appointed of the whole or substantially the whole of its undertakings or if any distress or execution is threatened or levied upon any property of the other party or if the other party is unable to pay its debts as they fall due; or

An occurrence of Force Majeure continues for 3 months.

15.2 PrivacyAid may immediately terminate this Agreement upon written notice if (in its discretion) PrivacyAid determines, and can demonstrate, that a conflict of interests exists or may develop between PrivacyAid and You.

15.3 Upon termination or expiry of the Agreement, however caused: the provisions of clauses 1, 3, 4, 6, 7, 8, 12, 9.3, 15 and 16 shall survive; You shall pay all fees and other charges payable prior to the date of termination or expiry and You shall have no right to withhold, deduct or set off any such amounts and will be without prejudice to any accrued rights and remedies available to either party.

16.1 This Agreement represents the whole agreement between the parties in respect of the matters referred to above and overrides any other prior verbal or written understandings except in the case of fraud.

16.2 No amendment to this Agreement will be binding unless made in writing and signed by an authorised representative of both parties.

16.3 You shall not assign, charge or otherwise transfer to a third party any of Your rights or obligations hereunder, or hold any such rights or obligations on trust for any other person, without the prior written consent of PrivacyAid, such consent not to be unreasonably withheld or delayed.

16.4 No waiver of any breach of the other party’s obligations hereunder will represent a waiver of the rights for that or any subsequent breach.

16.5 Any notice to effect suspension or termination of the whole or any part of this Agreement:

(i) Will be made in writing and either delivered personally or sent by first class recorded delivery to the party to whom the notice is addressed at its address as set out in the Proposal or such other address as either party may specify by notice in writing to the other;

(ii) In the absence of evidence of earlier receipt, notice shall be deemed to have been duly given:

(a) if delivered personally, when left at the address referred to in 16.5 (i);

(b) if sent by recorded delivery, at the time recorded by the delivery agent.

16.6 For the avoidance of doubt electronic mail shall be deemed to be “writing” for the purpose of this Agreement but this shall not prejudice the express requirements for delivery of notices under clause 16.5.

16.7 If any provision of this Agreement is held to be void or unenforceable in whole or in part, this Agreement shall continue to be valid as to the other provisions thereof and the remainder of the affected provision.

16.8 This Agreement shall be binding on and shall continue for the benefit of any permitted successors and permitted assigns of each of the parties hereto.

16.9 All provisions of this Agreement shall so far as they are capable of being performed and observed continue in full force and effect until any expiry or earlier termination.

16.10 None of the provisions of this Agreement are intended to or will operate to confer any benefit pursuant to the Contracts (Rights of Third Parties) Act 1999 on a person who is not named as a party to this Agreement.  The Contracts (Rights of Third Parties) Act 1999 is expressly excluded to the fullest extent permitted by law.

16.11 PrivacyAid shall have at all times reasonable insurance cover, taking into account the nature and type of services being performed under this Agreement.

17.1 This Agreement will be governed by and construed in accordance with English law and each party to this Agreement submits to the non-exclusive jurisdiction of the English courts.

Privacy Notice

Please read through the following privacy notice. Click each arrow on the left of the subheading to make the section visible. Once you have read, understood and agreed to them, you will be asked to complete the form at the bottom of the page. This form acts as a digital signature.

PrivacyAid (‘we’ or ‘us’ or ‘our’) gather and process your personal information in accordance with this privacy notice and in compliance with the relevant data protection Regulation and laws. This notice provides you with the necessary information regarding your rights and our obligations, and explains how, why and when we process your personal data.

PrivacyAid is a trading name of Prior Analytics Ltd, a company registered in England – Registered office 590 Green Lanes, London, N13 5RY under company number 0364172. We are registered on the Information Commissioner’s Office Register; registration Z1919962, and act as the data controller when processing your data. Our designated appointed data protection person is Claire Robinson, who can be contacted at Registered office 590 Green Lanes, London, N13 5RY.

PrivacyAid processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.

The personal data that we collect from you is: –

• Name

• Personal Email

• Business Email

• Mobile Telephone Number

We collect information from you when you register on our site, place an order, subscribe to our newsletter or fill out a form.

PrivacyAid take your privacy very seriously and will never disclose, share or sell your data without your consent; unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this notice. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time.  The purposes and reasons for processing your personal data are detailed below: –

We collect your personal data in the performance of a contract or to provide a service and to ensure that orders are completed and can be sent out to your preferred address.

We collect and store your personal data as part of our legal obligation for business accounting and tax purposes.

We will occasionally send you marketing information where we have assessed that it is beneficial to you as a customer and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests.

You have the right to access any personal information that PrivacyAid processes about you and to request information about: –

• What personal data we hold about you

• The purposes of the processing

• The categories of personal data concerned

• The recipients to whom the personal data has/will be disclosed

• How long we intend to store your personal data for

• If we did not collect the data directly from you, information about the source.

If you believe that we hold any incomplete or inaccurate data about you, you have the right to ask us to correct and/or complete the information and we will strive to do so as quickly as possible; unless there is a valid reason for not doing so, at which point you will be notified.

You also have the right to request erasure of your personal data or to restrict processing (where applicable) in accordance with the data protection laws; as well as to object to any direct marketing from us. Where applicable, you have the right to data portability of your information and the right to be informed about any automated decision-making we may use.

If we receive a request from you to exercise any of the above rights, we may ask you to verify your identity before acting on the request; this is to ensure that your data is protected and kept secure.

We do not share or disclose any of your personal information without your consent, other than for the purposes specified in this notice or where there is a legal requirement.

PrivacyAid takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place.

Personal data in the European Union is protected by the General Data Protection Regulation (GDPR) but some other countries may not necessarily have the same high standard of protection for your personal data. GDPR Tools does not transfer or store any personal data outside the EU.

As noted in the ‘How We Use Your Personal Data’ section of this notice, we occasionally process your personal information under the legitimate interests’ legal basis. Where this is the case, we have carried out a thorough Legitimate Interests’ Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own interests; ensuring that they are proportionate and appropriate.

PrivacyAid only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations. We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it will be destroyed.

Where you have consented to us using your details for direct marketing, we will keep such data until you notify us otherwise and/or withdraw your consent.

PrivacyAid GDPR Tools will occasionally send you promotions by email that have been identified as being beneficial to our customers and in our interests. Such information will be relevant to you as a customer and is non-intrusive and you will always have the option to opt-out/unsubscribe at any time.

We adopt a Social Media Policy to ensure our business and our staff conduct themselves accordingly online. Users are advised to verify the authenticity of our social media profiles before engaging with, or sharing information on, these platforms (Facebook, Instagram, LinkedIn, Twitter). We will never ask for user passwords or personal details on social media platforms and do not operate any Single Sign-ons using your own social media usernames and passwords. Users are advised to conduct themselves appropriately when engaging with us on social media.

There may be instances where our website features social sharing buttons, which help share web content directly from web pages to the respective social media platforms. You use social sharing buttons at your own discretion and accept that doing so may publish content to your social media profile feed or page.

PrivacyAid take your privacy seriously and will only process your personal data with your consent and in accordance with the terms stated in our Privacy Notice.

This section explains what to do if you no longer want us to hold or use your personal information.

You can withdraw your consent at any time. Please contact us if you want to do so.

This will only affect the way we use information when our reason for doing so is that we have your consent. See the section ‘Your Rights’ about more generally restricting use of your information.

If you withdraw your consent, we may not be able to provide certain products or services to you. If this is so, we will tell you.

PrivacyAid only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.

Prior Analytics Ltd

Claire Robinson

590 Green Lanes, London, N13 5RY. Tel: 0345 6588 121 E-mail:  info@privacy-aid.com

You can also register a complaint about our handling of your personal data with the ICO, who are the UK’s supervisory authority for GDPR. www.ico.org.uk/concerns

Data Protection Addendum

Please read through the following Data Protection Addendum. Click each arrow on the left of the subheading to make the section visible. Once you have read, understood and agreed to them, you will be asked to complete the form at the bottom of the page. This form acts as a digital signature.

“Agreement” means The PrivacyAid’s Support Agreement (as applicable) and the related Order Form, which together govern the provision of the Services to Customer.

“Customer Data” means any Personal Data that PrivacyAid processes on behalf of Customer as a Data Processor in the course of providing Services.

“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data by PrivacyAid pursuant to the Agreement, including, where applicable, EU Data Protection Law.

“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.

“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).

“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Processing” has the meaning given to it in the GDPR and “process”, “processes”, and “processed” will be interpreted accordingly.

“Security Incident” means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Customer Data.

“Services” means any product or service provided by PrivacyAid to Customer pursuant to the Agreement.

The parties agree that this DPA will replace any existing data protection addendum or similar agreement the parties may have previously entered into in connection with the Services.

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict.

Any claims brought under or in connection with this DPA will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

No one other than a party to this DPA, its successors and permitted assignees will have any right to enforce any of its terms.

This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

This DPA applies where and only to the extent that PrivacyAid processes Customer Data that originates from the EEA and/or that is otherwise subject to EU Data Protection Law on behalf of Customer as Data Processor in the course of providing Services pursuant to the Agreement.

Part A of this DPA (Sections 4 through 8) will apply to the processing of Customer Data within the scope of this DPA beginning on the Effective Date.

Part B of this DPA (Sections 9 through 12) will apply to the processing of Customer Data within the scope of the DPA beginning 25 May 2018. For the avoidance of doubt, Part B will apply in addition to, and not in substitution for, the terms in Part A.

Role of the Parties. As between PrivacyAid and the Customer, the Customer is the Data Controller of Customer Data, and PrivacyAid will process Customer Data only as a Data Processor acting on behalf of the Customer.

Customer Processing of Customer Data. The Customer agrees that: (i) it will comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to PrivacyAid; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for PrivacyAid to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

PrivacyAid Processing of Customer Data. PrivacyAid will process Customer Data only for the purposes described in the DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to PrivacyAid in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) will require prior written agreement between Customer and PrivacyAid.

Details of Data Processing.

Subject matter: The subject matter of the data processing under this DPA is the Customer Data.

Duration: As between PrivacyAid and the Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.

Purpose: The purpose of the data processing under this DPA is the provision of the Support Services to the Customer and the performance of PrivacyAid pursuant to the Agreement (including this DPA) or as otherwise agreed by the parties.

Nature of the processing: PrivacyAid provides data security and protection and other related services, as described in the Agreement.

Categories of data subjects: Any individual accessing and/or using the Services through the Customer’s Account (“Users”).

Types of Customer Data: Typically the CRM system which is used to process customer data will store:

Customer and Users: identification and contact data (name, address, title, contact details, username, email, geographic location, area of responsibility);

Legitimate Interests. Notwithstanding anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that PrivacyAid will have a right to use and disclose data relating to the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under Data Protection Laws, PrivacyAid is the Data Controller of such data and accordingly will process such data in accordance with the PrivacyAid Privacy Policy and Data Protection Laws.

Information Security Policy. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, PrivacyAid will implement and maintain appropriate technical and organisational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with PrivacyAid’s security standards described at: (“Information Security Policy”).

Updates to Security Measures. The Customer is responsible for reviewing the information made available by PrivacyAid relating to data security and making an independent determination as to whether the Services meet the Customer’s requirements and legal obligations under the Data Protection Laws. The Customer acknowledges that the Security Policy is subject to technical progress and development and that PrivacyAid may update or modify the Security Policy from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

Customer Responsibilities. Notwithstanding the above, the Customer agrees that, except to the extent expressly provided in this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of the Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

International Transfers. PrivacyAid will not transfer any Personal Data outside the European Economic Area unless the prior written consent of the Customer has been obtained and the following conditions are fulfilled:

The Customer or the Provider has proved appropriate safeguards in relation to the transfer;

The Data Subject has enforceable rights and effective legal remedies;

The Provider complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

The Provider complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.

PrivacyAid will at all times provide an adequate level of protection when transferring and processing Personal Data outside the European Economic Area.

Confidentiality of Processing. PrivacyAid will ensure that any person who is authorised by PrivacyAid to process Customer Data will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

Security Incident Response. Upon becoming aware of any Security Incident, PrivacyAid will notify the Customer without undue delay and will provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

Return or Deletion of Data. Upon termination or expiration of the Agreement, PrivacyAid will (at Customer’s election) delete or return to the Customer all Customer Data (including copies) in its possession or control, save that this requirement will not apply to the extent PrivacyAid is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data PrivacyAid will securely isolate and protect from any further processing, except to the extent required by applicable law.

Data Subject Requests. Concerning Personal Information for which Licensee is the data controller, PrivacyAid will only act on the written instructions of the Licensee;

PrivacyAid will ensure that any personnel processing the Personal Information are subject to a duty of confidence;

PrivacyAid will take appropriate measures regarding the security of processing;

PrivacyAid will only engage sub-processors with the previous consent of the Licensee and under a written contract with such sub-processors;

PrivacyAid will assist the Licensee in providing subject access and allowing data subjects to exercise their rights under the GDPR, in circumstances where the Licensee cannot do so through their access to the Licensed Product;

PrivacyAid will assist the Licensee in meeting GDPR obligations concerning the security of processing, the notification of personal data breaches and data protection impact assessments;

PrivacyAid will delete or return all personal data to the Licensee as requested at the end of the contract;

PrivacyAid will submit to audits and inspections, excepting any such onsite; provided they do not interfere or impact PrivacyAid’s obligations of confidentiality under law or contract or disrupt its ordinary course of business;

PrivacyAid will provide the Licensee with the applicable information in PrivacyAid’s possession that Licensee needs to ensure that PrivacyAid and the Licensee are meeting the obligations for a Processor under Article 28; and

PrivacyAid will notify the Licensee promptly if PrivacyAid is asked by the Licensee to do something infringing the GDPR or other data protection law of the EU or a member state.

Data Protection Impact Assessments. To the extent PrivacyAid is required under EU Data Protection Law, PrivacyAid will (at the Customer’s expense to the extent legally permitted) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.