B2BE Data Processing Agreement
1. DEFINITIONS
“Agreement” means this Data Processing Agreement, which sets out the terms on which the Customer and B2BE agree to comply with the General Data Protection Regulation and related data protection laws.
“Data Controller” or “Customer” means any person or entity that has bought from or contracted with B2BE for B2BE’s products and/or services.
“Data Processor” means B2BE.
“Data Protection Requirements” means the General Data Protection Regulation, local data protection laws, any subordinate legislation or regulation implementing the General Data Protection Regulation, and any other applicable privacy laws.
“General Data Protection Regulation” means the European Union Regulation (Regulation (EU) 2016/679) on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual, including data that the Customer chooses to provide to the Data Processor for services such as customer-relationship management (CRM); (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “personal data” or “personal information” by applicable laws or regulations relating to the collection, use, storage or disclosure of information about an identifiable individual.
“Personal Data Breach” means any unlawful destruction, unauthorised alteration or unauthorised disclosure of, or unauthorised access to a Customer’s Personal Data.
“Process” and its cognates mean any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Subprocessor” means any entity that provides processing services to B2BE in furtherance of B2BE’s processing on behalf of a Customer.
2. CUSTOMER OBLIGATIONS
The Customer agrees to:
2.1 Provide instructions to B2BE that determine the purposes and general means by which B2BE processes Personal Data, in accordance with the parties’ business agreements;
An example of Personal Data in a B2BE context is an e-mail address such as “firstname.lastname@example.org”: because it is assigned to a specific person at a company, it identifies, or at least gives B2BE enough information to identify, that person for support and business-related requirements.
2.2 Comply with its protection, security and other obligations with respect to Personal Data prescribed by the Data Protection Requirements for Data Controllers, including by:
(a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed;
(b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and
(c) ensuring compliance with the provisions of this Agreement by its personnel or by any third-party accessing or using Personal Data on its behalf.
3. B2BE OBLIGATIONS
3.1 Processing Requirements
B2BE agrees to:
a. Process Personal Data:
(i) only for the purposes of providing and supporting B2BE’s services, using appropriate technical and organisational security measures; and
(ii) in compliance with the instructions received from the Customer. B2BE will not use or process the Personal Data for any other purpose. B2BE will promptly inform the Customer in writing if it cannot comply with the Customer’s requirements.
b. Inform the Data Controller promptly if, in B2BE’s opinion, an instruction from the Customer violates the Data Protection Requirements;
c. Take commercially reasonable steps to ensure that (i) persons employed by B2BE and (ii) other persons engaged to perform on B2BE’s behalf comply with the terms of the Agreement;
d. Ensure that B2BE’s employees, authorised agents and Subprocessors are required to comply with, acknowledge and respect the confidentiality of the Customer’s Personal Data, including after the end of their respective employments, contracts or assignments;
e. If B2BE intends to engage Subprocessors to help it satisfy its obligations under this Agreement, or to delegate all or part of the processing activities to such Subprocessors, B2BE will (i) maintain a list of all its Subprocessors and keep it up to date; and (ii) make contractual arrangements with such Subprocessors binding them to provide the same level of data protection and information security as that provided for in this Agreement; and
f. Inform the Customer if B2BE undertakes an independent security review.
3.2 Notice to Customer
B2BE will inform the Customer if B2BE becomes aware of:
a. Any non-compliance by B2BE or its employees with the Data Protection Requirements relating to the protection of Personal Data processed under this Agreement;
b. Any legally binding request for disclosure of Personal Data by a law enforcement authority, unless B2BE is otherwise forbidden by law to inform the Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. Any notice, inquiry or investigation by a supervisory authority with respect to Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification of, or blocking of Personal Data) received directly from the Customer’s data subjects. B2BE will not respond to any such request without the Customer’s prior written authorisation.
3.3 Assistance to Customer
B2BE will provide reasonable assistance to the Customer regarding:
a. Any requests from the Customer’s data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Personal Data that B2BE processes for the Customer. In the event that a data subject sends such a request directly to B2BE, B2BE will promptly send such a request to the Customer;
b. The investigation of Personal Data Breaches and the notification to the Customer regarding such Personal Data Breaches.
3.4 Required Processing
If B2BE is required by Data Protection Requirements to process any Personal Data for any reason other than providing the services described in the Agreement, B2BE will inform the Customer of this requirement in advance of any processing, unless B2BE is legally prohibited from informing the Customer of such processing.
4. SECURITY
B2BE agrees to:
a. Maintain appropriate organisational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, and monitoring and logging) to protect against unauthorised access, unauthorised alteration, unauthorised disclosure or unlawful destruction of Personal Data;
b. Be responsible for the sufficiency of the security, privacy and confidentiality safeguards with respect to Personal Data;
c. Take reasonable steps to confirm that all B2BE personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this Agreement; and
d. Notify the Customer of any Personal Data Breach by B2BE, its Subprocessors, or any other third parties acting on B2BE’s behalf without undue delay and in any event.
B2BE is in the process of pursuing ISO 27001 certification. ISO 27001 is a specification for an information security management system (ISMS); it does not certify General Data Protection Regulation compliance as such, but it is one of the recognised standards or frameworks that can be used as part of a privacy compliance framework to demonstrate that appropriate technical and organisational security measures are in place.
Certification to ISO 27001 will demonstrate that B2BE follows information security best practices, and will provide an independent, expert assessment that data is adequately protected. B2BE aims to be certified by early 2019.
5. DATA TRANSFERS
For transfers of European Union Personal Data to B2BE for processing in a jurisdiction outside the European Union, or outside the countries the European Commission has approved as providing ‘adequate’ data protection, B2BE agrees to provide an adequate level of data protection for such Personal Data on a best-effort basis.
B2BE shall promptly notify the Customer of any inability by B2BE to comply with the provisions of this Section.
6. DATA RETURN AND REMOVAL
The parties agree that on termination of the data processing services, or upon the Customer’s reasonable request, B2BE shall, and shall cause any Subprocessors to, at the Customer’s choice either return all Personal Data, and any copies of it, to the Customer or delete them from B2BE’s systems, unless the Data Protection Requirements prevent B2BE from returning or deleting all or part of the Personal Data disclosed. In that case, B2BE agrees to preserve the confidentiality of the Personal Data it retains and, if it actively processes such Personal Data after the termination date, to do so only in order to comply with applicable laws.
7. TERM
This Agreement shall remain in effect for as long as B2BE carries out Personal Data processing operations on behalf of the Customer, or until the termination of the B2BE Contract (and all Personal Data has been returned or deleted in accordance with Section 6 above).
8. GOVERNING LAW, JURISDICTION, AND VENUE
Notwithstanding anything in the Agreement to the contrary, this Agreement shall be governed by the laws of the country in which the service contract between B2BE and the Customer was signed, and any action or proceeding related to this Agreement (including those arising from non-contractual disputes or claims) will be brought in that country’s courts.