Data Processing Summary
IN TERMS OF ARTICLE 28 GENERAL DATA PROTECTION REGULATION 2016
Midnight at the start of 25 May 2018
Data Protection Legislation: (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) unless and until the GDPR is no longer directly applicable in the UK, Guernsey and/or any other relevant jurisdiction in the European Union, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, Guernsey and/or any other relevant jurisdiction in the European Union including the Data Protection Act 2018 in the UK ("DPA"); and (ii) any successor legislation to the GDPR and the DPA.
- Each party shall comply with applicable requirements of the Data Protection Legislation. This clause 2 is in addition to and does not replace a party's obligations under the Data Protection Legislation. The terms "Data Controller", "Data Processor", “Data Subject”, "Personal Data", "process" and "processing" have the meanings prescribed in the Data Protection Legislation.
- For the purposes of the Data Protection Legislation, Mobivate's customer (the "Customer") is the Data Controller and Mobivate is the Data Processor. Mobivate processes Personal Data on the Customer’s behalf as a result of the Customer using Mobivate’s software to send SMS to Data Subjects. Mobivate facilitates the sending of the SMS and retains copies of the Personal Data (namely message logs and contact lists) in accordance with Mobivate’s terms of services or the Master Services Agreement between Mobivate and the Customer (the "MSA"), as applicable. The Data Subjects are the end recipients of SMS the Customer sends using Mobivate’s software.
- Mobivate shall:
- process Personal Data only on instructions of the Customer. The Customer shall initiate instruction via Mobivate’s portal or API, which shall constitute instruction to Mobivate to process Personal Data to the extent necessary to provide the services pursuant to the MSA and/or the Terms of Service (located at mobivate.com/legal/bulksms/terms-of-service). If Mobivate is required by any applicable laws to process Personal Data it shall, to the extent legally permitted, notify the Customer before doing so;
- have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of, accidental loss or destruction of or damage to Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected;
- not engage another processor without prior specific or general written authorisation from the Customer and without ensuring that the same data protection obligations as set out in these terms are imposed on that other processor. Mobivate shall remain liable to the Customer for performance of the other processor’s obligations to the extent the other processor fails to fulfil their data protection obligations;
- ensure that personnel who have access to or process Personal Data keep the Personal Data confidential;
- subject to clause 2.6, not transfer Personal Data outside of the European Economic Area without the prior written consent of the Customer and Mobivate shall ensure that the transfer is made in accordance with the Data Protection Legislation and that the organisations to which the Personal Data is transferred ensure an adequate level of protection;
- assist the Customer to respond to any request from a Data Subject;
- notify the Customer without undue delay of a Personal Data breach (which has the meaning given to it in the Data Protection Legislation) and provide reasonable assistance to the Customer complying with its obligations pursuant to Articles 32 to 36 GDPR;
- at the written direction of the Customer, delete or return Personal Data to the Customer on termination of this agreement unless Mobivate is required by law to store the Personal Data. The parties agree that at the end of the retention period (as set out in Mobivate’s terms of services or the MSA, as applicable), Mobivate shall automatically delete all Personal Data it processes on behalf of the Customer unless otherwise requested in writing by the Customer. If the parties agree, in accordance with the terms of the MSA, that Mobivate shall encrypt the Personal Data, the parties shall agree the additional fees payable to Mobivate for encryption in accordance with the terms of the MSA; and
- maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits by the Customer or the Customer's designated auditor, provided that the Customer: (i) shall provide reasonable notice of any audit it wishes to carry out; (ii) shall carry out no more than one audit per year; and (iii) shall be responsible for all costs associated with the audit.
- Mobivate shall inform the Customer if, in its opinion, an instruction from the Customer infringes the Data Protection Legislation.
- Without prejudice to clause 2.6, if Mobivate wishes to appoint a third party processor, it shall seek prior written consent from the Customer. The Customer agrees that Mobivate shall only be required to seek general authorisation from the Customer and shall not be required to identify the third party processors. The Customer further agrees that clause 2.6 constitutes prior general authorisation for the purposes of this clause 2.5. Mobivate shall inform the Customer if it intends to change or replace a third party processor (although the Customer agrees that Mobivate shall not be required to identify either the existing or the replacement processor) so that the Customer has the opportunity to object to such changes, provided any such objections are made reasonably and in good faith.
- Notwithstanding clause 2.4, the Customer consents to Mobivate transferring Personal Data to mobile networks, aggregators and hosting providers in order to provide the services pursuant to Mobivate’s terms of service or the MSA, as applicable. Where such mobile networks, aggregators and hosting providers are located outside the EEA, Mobivate shall only transfer Personal Data to such mobile network, aggregator or hosting provider where there are appropriate safeguards in place in line with clause 2.3.5 above.
Contact Information – firstname.lastname@example.org