Data Processing Agreement (“DPA”)
Policy Effective: May 25th 2018
This Data Processing Agreement (herein referred to as the “DPA”) forms part of the overall Terms of Service and is made and entered into by and between Rochen Ltd, on behalf of itself and its subsidiaries, (herein referred to as “Rochen”, “we”, “our”, “ourselves”), and the Customer (herein referred to as “Customer”, “you”, “your”, “yourself”).
1. Further Definitions
“the Services” means services Rochen may provide to you, collectively or separately, including cloud, web hosting, content delivery network, internet security including SSL certificates, domain registrations and other related services either by ourselves or in conjunction with partners and subsidiaries.
“Data Controller” means Customer.
“Data Processor” means Rochen.
“Directive” means the EU Data Protection Directive 95/46/EC (as amended).
“General Data Protection Regulation” means the European Union General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the Directive or the General Data Protection Regulation.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Data Protection Requirements” means the Directive, the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation, and all Privacy Laws.
“Personal Data” has the meaning given in Article 4 of the General Data Protection Regulation.
“Customer Personal Data” means Personal Data that Customer uploads or otherwise provides Rochen in connection with its use of the Services.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Process” and its cognates have the meaning given in Article 4 of the General Data Protection Regulation.
“Subprocessor” means any entity which provides processing services to Rochen.
“Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.
2. Compliance and Use
Customer and Rochen shall comply with their Data Protection Requirements including the General Data Protection Regulation as well as other applicable Privacy Laws. Customer shall appoint a Supervisory Authority as required by Data Protection Requirements. Rochen has appointed the United Kingdom Information Commissioner’s Office (registration number: Z9105242) as its Supervisory Authority. Customer acknowledges that Rochen collects and maintains records of each Data Controller and Data Processor on behalf of which Rochen acts and makes available such records to a Supervisory Authority by request. Customer intends to use the Services and in the course of doing so will upload or otherwise provide Rochen with Customer Personal Data.
Customer shall have sole responsibility for the accuracy, quality and processing of Customer Personal Data. Rochen shall not access, use or process Customer Personal Data on behalf of Customer except as otherwise required to deliver the Services, provide technical support related to the Services and for maintenance and improvement of the Services unless otherwise directed by Customer. Customer shall determine the nature and purpose of Customer Personal Data and the categories of Data Subjects.
4. Data Access, Modification and Deletion
During the course of using the Services, when Customer Personal Data is uploaded you may access, modify or delete data by logging into the Services using common protocols and tools. After Customer Personal Data has been modified or deleted the original data may continue to be retained in backup storage for up to ninety (90) days. Upon termination or expiry of the Services and upon written request by Customer, Rochen will return and delete all Customer Personal Data in its possession or control. This requirement shall not apply to the extent that Rochen is required by law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has retained in backup storage, which Rochen shall take reasonable steps to protect from any further processing except to the extent required by law.
Customer consents to Rochen engaging third party Subprocessors in connection with delivery of the Services. These Subprocessors may include partners and subsidiaries. Rochen maintains an up-to-date list of its Subprocessors. Customer may request information related to the appointment of new or the replacement of existing Subprocessors. Rochen will respond to reasonable requests for additional information or objections by Customer to the use of a Subprocessor.
6. International Transfers
Customer shall have sole responsibility for where they upload Customer Personal Data during the course of using the Services. Rochen maintains servers in secure data centres worldwide, some of which are located outside of the EU and EEA. The Services allow for selection by Customer of data centre region during the checkout process as well as through the My Rochen customer portal. If Customer is unsure which data centre region the Services are delivered from, or would like to transfer between regions, Rochen’s support team can provide assistance upon request. Customer acknowledges that certain aspects of the Services, such as the content delivery network, are by their design and purpose, served by multiple worldwide data centres including outside of the EU and EEA. Rochen has wholly owned subsidiaries outside of the EU and EEA including Rochen US, Inc. in the United States. In delivery and support of the Services, Customer consents to Rochen engaging international Subprocessors located outside of the EU and EEA including partners and subsidiaries.
7. Cooperation and Data Subjects' Rights
Rochen shall provide reasonable and timely assistance to Customer in accordance with this DPA and the Services, to enable Customer to respond to a request from a Data Subject to exercise any of its rights under the General Data Protection Regulation (including its rights of access, correction, objection, erasure and data portability, as permitted); and any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Rochen, Rochen shall inform Customer providing details of the same unless otherwise prohibited. Customer shall be responsible for any costs incurred by Rochen as the result of providing such assistance.
8. Data Protection Impact Assessment
Rochen shall provide Customer reasonable assistance in support of a data protection impact assessment, solely in relation to Customer Personal Data, this DPA, the Services and where the Customer would not otherwise have access to the relevant information.
Rochen shall ensure that appropriate contractual obligations related to confidentiality exist with its personnel and that these survive the termination of engagement.
Rochen ensures appropriate technical and organizational safeguards exist for the Processing of Personal Data including the hiring of qualified personnel, physical data centre access controls, systems access controls, data access controls, data transmission protocols, systems logging and backup systems.
11. Security Incidents
If Rochen becomes aware of a confirmed Personal Data Breach impacting Customer Personal Data, Rochen shall notify Customer and where possible shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under the General Data Protection Regulation. Customer shall indemnify and keep indemnified Rochen against all losses with respect to any Personal Data Breach due to non-compliance by Customer with its Data Protection Requirements or violation of this DPA.
12. Other Obligations
Customer shall comply with its protection, security and other obligations with respect to Personal Data prescribed by Data Protection Requirements for Data Controllers by establishing and maintaining a procedure for the exercising of the rights of the individuals whose Personal Data are processed by Customer; processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Personal Data on its behalf. Customer acknowledges it has reviewed and consents to Rochen’s separate Privacy Notice in relation to the Services and will periodically review the Privacy Notice for any changes and additions.
13. Audits and Inspections
Rochen shall provide audit and inspection assistance to Customer, if requested in writing to Rochen’s address of notice, to verify Rochen’s compliance with its obligations under this DPA. Customer shall be responsible for any costs incurred by Rochen as the result of providing such assistance. If Rochen declines to cooperate with an audit or inspection request Customer has the right to terminate this DPA and the Services.