Privacy & Cybersecurity Indemnification
You agree that the EmpMonitor Services and Platform are used to process information and Personal Data that you provide on an individual basis or by way of a transfer by a business entity under these Terms, and for purposes of these Terms you are designated the data Controller and EmpMonitor is designated as Processor, as those terms are defined in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”). You further agree and acknowledge your obligations as the data Controller under the Personal Data Processing Addendum set forth below. To the fullest extent permitted by law, for all Personal Data that you collect, process via the Services or maintain on the Platform, you shall indemnify and hold EmpMonitor and its respective officers, directors, trustees, shareholders, employees, and agents (each an “Indemnified Party”) harmless from and against any and all damages and liabilities or third party claims against any Indemnified Party, for loss, cost, damage, or expense of every kind and nature (including, without limitation, penalties imposed by law, regulations or rules of any regulatory authority, court costs, expenses, and reasonable attorneys’ fees) to the extent arising out of or relating to privacy and cybersecurity requirements, including without limitation failure to comply with Articles 5 to 21 and 32 to 37 of the GDPR, or resulting from, in whole or in part, the breach of or non-compliance with this Agreement or the omission, negligence, gross negligence or willful misconduct by you or any of your representatives.
Data Processing Addendum
In addition to the terms agreed between EmpMonitor and the Customer for subscriptions to the EmpMonitor Services and Platform, this Personal Data Processing Addendum (“PDPA”) covers personal data processing, privacy, and cyber security duties. By agreeing to these Terms, Customer acknowledges that it and its Authorized Affiliates qualify as the “Controller” as defined under General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) to the extent that EmpMonitor processes Personal Data in connection with Customer’s subscription to the Platform. All capitalized terms not defined in this PDPA shall have the meaning set forth in the Terms. In the course of providing the Services to Customer pursuant to the Terms, EmpMonitor may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data.
This PDPA shall not replace any equivalent or additional rights related to the processing of Customer Data that are included in the Terms.
Processing Of Personal Data
Roles of the parties
The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, EmpMonitor is the Processor and that EmpMonitor or members of the EmpMonitor Group will engage Sub-processors in accordance with the conditions outlined in Section 5 “Sub-processors” below.
Customer’s processing of personal data
The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, the Customer’s instructions for the Processing of Personal Data must adhere to all applicable Data Protection Laws and Regulations. The accuracy, quality, legality, and means by which the Customer obtained Personal Data shall be solely the responsibility of the Customer.
EmpMonitor’s processing of personal data
EmpMonitor shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Terms and applicable order form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
The subject-matter of EmpMonitor’s Processing of Personal Data is the provision of the Services in accordance with the Terms. The duration of the Processing, the nature and purpose of the Processing, the categories of Data Subjects Processed under this PDPA, and the types of Personal Data are further described above.
Rights Of Data Subjects
Data subject request
EmpMonitor shall, to the extent legally permitted, promptly notify Customer if EmpMonitor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, EmpMonitor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, EmpMonitor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent EmpMonitor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from EmpMonitor’s provision of such assistance.
EmpMonitor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. EmpMonitor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
EmpMonitor shall take commercially reasonable steps to ensure the reliability of any EmpMonitor personnel engaged in the Processing of Personal Data.
Limitation of access
EmpMonitor shall ensure that EmpMonitor’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, the Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of the Customer account or the Equipment with or without Customer’s knowledge or consent.
Customer Data Incident Management And Notification
EmpMonitor maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by EmpMonitor or its Sub-processors (a “Customer Data Incident”). EmpMonitor shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps EmpMonitor deems necessary and reasonable in order to remediate the cause of such Customer Data Incident, to the extent the remediation is within EmpMonitor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
Return And Deletion Of Customer Data
EmpMonitor shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security and Privacy Documentation.
European Specific Provisions
With effect from May 25, 2018, EmpMonitor will process personal data in compliance with GDPR regulations that are specifically relevant to EmpMonitor’s provision of its Services.
Data Protection Impact Assessment (DPIA)
With effect from 25 May 2018, upon Customer’s request, EmpMonitor shall provide Customer with reasonable cooperation and assistance necessary to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is made available to EmpMonitor.