GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10


INDEX
1 Signatures
2 General
3 Definitions
4 Scoping
4.1 In scope
5 Responsibilities of the data processor
6 Responsibilities of the data controller
7 Using Sub processors and data transfer
8 Security
9 Access to audit
10 Duration and termination
11 General terms
11.1 Changes
11.2 Liability
11.3 Law and jurisdiction
11.4 Force majeure
12 Definitions of personal data
12.1 Categories of non-sensitive personal data processed under the agreement
12.2 Categories of non-sensitive personal data
12.3 Categories of Sensitive Personal Data which are processed under this agreement

GDPR for SAAS and Hosted Modules at AMC 2

1 SIGNATURES
AMC-Consult A/S
Signature:
Date:
Signed by: Peter Makki, CEO

Company (Name)
Signature:
Date:
Signed by: (Name / Title in capital letters)

Company contact person(s)
Contact 1:
Email 1:
Contact 2:
Email 2:
(Please use capital letters)

2 GENERAL
AMC hereby makes this data processing agreement, which is the basis for processing personal data when you are an AMC customer. The parties are hereinafter referred to as the customer (the "Data Controller") and AMC (the "Data Processor"), and individually as a "Party" or jointly as the "Parties". If you use the AMC software, the Data Controller is responsible for the processing of personal data in the application. The Data Processor processes personal data on behalf of the Data Controller.

To ensure that the Parties comply with their obligations under Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), the Parties have entered into this data processing agreement ("the Agreement"), which provides the instructions from the Data Controller to the Data Processor and thus regulates the processing of personal data by the Data Processor on behalf of the Data Controller. Both Parties confirm that they are authorized to sign the Agreement.

The Data Processor also processes Personal Data in accordance with AMC's privacy policy: https://www.amcbanking.com/privacy

Throughout the Agreement and in the relationship between the Data Controller and the Data Processor, obligations arising from the GDPR that are described in this Agreement and that are not required by the legislation currently in force do not apply until 25 May 2018, when the GDPR applies.

3 DEFINITIONS
The definitions of personal data, special categories of data (Sensitive Information), processing, the data subject, the Data Controller and the Data Processor are the same as in the relevant privacy legislation, including the GDPR.

The Agreement governs the Data Processor's Processing of Personal Data on behalf of the Data Controller and describes how the Data Processor will help protect privacy on behalf of the Data Controller and its Data Subjects through the technical and organizational measures required under the applicable data protection legislation, including the GDPR from 25 May 2018.

The purpose of the Data Processor's Processing of Personal Data on behalf of the Data Controller is to enable the Data Controller's use of the Application and the fulfilment of this Agreement.

The Agreement takes precedence over other conflicting provisions relating to the processing of personal data in the terms of use of the Application or in any other agreement between the Parties. The Agreement is valid as long as the Data Controller subscribes to the AMC SAAS and the Data Processor therefore must process Personal Data on behalf of the Data Controller. However, the Agreement does not take precedence if the Parties have concluded another data processing agreement stating that that data processing agreement takes precedence over this Agreement.

4 SCOPING
4.1 IN SCOPE
Unless you are using AMC modules on-premises, this GDPR agreement is in scope.

5 RESPONSIBILITIES OF THE DATA PROCESSOR
The Data Processor must process personal data only on behalf of and on the basis of the Data Controller's instructions. By concluding this Agreement, the Data Controller, as the entity responsible for the data processing, instructs the Data Processor to process personal data in the following ways:
* in accordance with applicable law
* to fulfil the obligations arising from the subscription terms for the Application
* in the manner defined by the Data Controller's normal use of the Application
* as described in this Agreement

As part of providing the Application, the Data Processor is obliged at all times to provide the Data Controller with good and competitive solutions that keep pace with development. The Data Processor can offer better solutions tailored to the needs of the Data Controller by registering how the Data Controller and its representatives use the Application. This enables the Data Processor to make a better version of the Application, generally provide better services and provide more relevant communication to the Data Controller and its representatives. The goal is for the Data Controller to solve as many challenges as possible in one place. To the extent that personal data from the Application form part of this work, they are processed in accordance with this Agreement and applicable law and may be shared with companies in the AMC group for this purpose.

The Data Controller has no reason to believe that applicable law prevents the Data Processor from following the instructions reproduced above. If the Data Processor becomes aware of an instruction or other Processing Activity performed by the Data Controller which, in the view of the Data Processor, violates the applicable data protection legislation, the Data Processor shall notify the Data Controller.

The categories of Data Subjects and of Personal Data processed under this Agreement are described in chapter 12.

Taking into account the available technology and the cost of implementation, as well as the scope, context and purpose of the Processing, the Data Processor is required to take all reasonable measures, including technical and organizational measures, to ensure a level of security appropriate to the risk and to the category of Personal Data to be protected. The Data Processor will assist the Data Controller with appropriate technical and organizational measures, as far as possible and taking into account the nature and category of the information available to the Data Processor, in order to ensure compliance with the obligations of the Data Controller under applicable data protection legislation, including assistance in relation to the fulfilment of requests by data subjects and general compliance with GDPR Articles 32-36.

The Data Processor shall notify the Data Controller without undue delay, via a contact person specified in the Data Processing Agreement, if the Data Processor becomes aware of a security breach. In addition, the Data Processor shall, as far as possible and legally permitted, inform the Data Controller if:
* a request for access to Personal Data is received directly from the Data Subject
* a request for access to Personal Data is received directly from government agencies, including the police.

The Data Processor may not respond to such requests from data subjects unless authorized by the Data Controller to do so. The Data Processor will also not disclose information about this Agreement, including Personal Data, to governmental authorities such as the police unless the Data Processor is required to by law, such as by a court order or similar.

If the Data Controller requires information or assistance regarding security, documentation or information about how the Data Processor processes Personal Data generally, and such a request goes beyond what is required by applicable data protection law, the Data Processor may require payment for such additional services.

The Data Processor and its employees shall ensure confidentiality in relation to Personal Data processed under the Agreement. This provision shall also apply after termination of the Agreement.

6 RESPONSIBILITIES OF THE DATA CONTROLLER
The Data Controller confirms upon conclusion of this contract that:
* The Data Controller shall use the Application provided by the Data Processor only to process personal data in accordance with the requirements of applicable data protection law.
* The Data Controller has a legal basis to process and disclose personal data to the Data Processor (including any Sub processor which the Data Processor uses).
* The Data Controller is responsible for the accuracy, integrity, credibility and lawfulness of the personal data processed by the Data Processor.
* The Data Controller has fulfilled all mandatory requirements and duties in relation to notification to, or obtaining permission from, the relevant public authorities as regards the Processing of Personal Data.
* The Data Controller has fulfilled its disclosure obligations to the Data Subjects regarding the processing of Personal Data in accordance with applicable data protection legislation.
* The Data Controller agrees that the Data Processor has given appropriate assurances in respect of the implementation of the technical and organizational security measures to safeguard the data subjects' rights and their personal data.
* When using the Application, the Data Controller shall not process Sensitive Information unless specified in chapter 12 of this Agreement.
* The Data Controller must maintain an updated list of the categories of Personal Data it processes, especially if such processing differs from the categories of information listed in chapter 12.

7 USING SUB PROCESSORS AND DATA TRANSFER
As part of the operation of the Application, the Data Processor uses subcontractors ("Sub processors"). Such Sub processors may be other companies within the AMC group of which AMC is a part, or third-party suppliers within or outside the EU/EEA. The Data Processor's subcontractors will be listed on the AMC website in a list of Sub processors. (Currently there are none, but there may be some in the future. Be aware that payment files which the Data Controller transfers to its banks may contain information listed in chapter 12.)

The Data Processor must ensure that its Sub processors are subject to the corresponding obligations and requirements described in the Agreement. All use of Sub processors is also subject to the AMC Privacy Statement. This Agreement constitutes the Data Controller's prior general and specific written approval of the Data Processor's use of Sub processors.

If a Sub processor is established outside the EU/EEA, or Personal Data is stored outside the EU/EEA, the Data Processor shall ensure a sufficient legal basis for transferring Personal Data to a third country on behalf of the Data Controller, using the EU Commission Standard Contractual Clauses.

The Data Controller must be informed before the Data Processor replaces a Sub processor. However, the Data Controller is only entitled to object to a new Sub processor who processes Personal Data on behalf of the Data Controller if it does not process data in accordance with applicable data protection legislation. In such a situation, the Data Processor shall demonstrate compliance by giving the Data Controller access to the Data Processor's data protection assessment of the Sub processor. If there is still disagreement about the use of the Sub processor, the Data Controller may terminate its subscription to the Application, including with a shorter notice than usual, to ensure that the Data Controller's Personal Data is not processed by the Sub processor in question.

8 SECURITY
The Data Processor is required to ensure a high level of security in its products and services, ensured by the relevant organizational, technical and physical security measures required by Article 32 GDPR. In addition, AMC's internal data protection policies aim to ensure the confidentiality, integrity, availability and resilience of Personal Data. The following measures are particularly important:
* Classification of Personal Data to ensure implementation of the security measures relevant to the risk assessment.
* Assessment of encryption and pseudonymization as risk-mitigating factors.
* Assessment of anonymization as a risk-mitigating factor.
* Limiting access to personal data to the relevant persons, in order to comply with the requirements and obligations of the Agreement or in accordance with the Parties' agreement on the use of the Application.
* Operation and implementation of systems that can detect, respond to, report and recover from events related to Personal Data.
* Identification of the security architecture and of how Personal Data is transferred between the Parties.
* Assessment of the Data Processor's own security level in order to ensure that the current technical and organizational measures are adequate for the protection of personal data in accordance with Article 32 (security of processing) and Article 25 GDPR.

9 ACCESS TO AUDIT
The Data Controller is entitled to initiate a review of the Data Processor's obligations under the Agreement once a year. If the Data Controller is required to do so under applicable legislation, audits may be repeated more often. The Data Controller must provide a detailed audit plan with a description of the scope, duration and start date at least four weeks prior to the proposed start date. The Parties shall decide jointly whether a third party is to conduct the audit. However, where the processing environment holds data of multiple data controllers, the Data Controller may allow the Data Processor to have the security review conducted by a neutral third party of the Data Processor's choice.

If the proposed scope of the audit is covered by an ISAE, ISO or similar certification report produced by a qualified third-party auditor within the previous twelve months, and the Data Processor confirms that there have been no material changes in the measures under review, the Data Controller shall accept this report instead of requesting a new review of the measures already covered.

In any case, audits must take place during normal office hours at the relevant facility, in accordance with the Data Processor's policies, and may not unreasonably interfere with the Data Processor's usual commercial activities. The Data Controller is responsible for all costs in connection with the request for audit. The Data Processor's assistance in connection therewith which exceeds the regular service is billed separately.

10 DURATION AND TERMINATION
The Agreement is valid as long as the Data Processor processes Personal Data on behalf of the Data Controller in connection with the Data Controller's use of the Application. This Agreement will automatically terminate at the end of the Data Controller's termination period for the Application subscription. Upon termination of the subscription, the Data Processor will delete all Personal Data that the Data Processor has processed on behalf of the Data Controller under the Agreement. If the Data Controller requests assistance with data retrieval, the associated costs shall be covered by the Data Controller and will be based on:
* hourly rates for the Data Processor's time spent,
* the complexity of the requested process, and
* the chosen format.
The Data Processor is entitled to retain Personal Data after termination of the Agreement to the extent required by applicable law, in which case the data will be kept in accordance with the technical and organizational safeguards described in the Agreement.

11 GENERAL TERMS
11.1 CHANGES
Changes to the Agreement must be set out in a separate amendment to the Agreement. If any of the provisions of the Agreement are invalid, this will not affect the remaining provisions. The Parties shall replace an invalid provision with a valid provision that reflects the purpose of the invalid provision.
11.2 LIABILITY
Liability for actions contrary to the provisions of this Agreement is governed by the liability provisions of the General Terms for Supply of Software and Consultancy Services Agreement found at https://www.amcbanking.com/agreements. This also applies to any violation by the Data Processor's Sub processors.
11.3 LAW AND JURISDICTION
Law and jurisdiction are governed by the General Terms for Supply of Software and Consultancy Services Agreement found at https://www.amcbanking.com/agreements
11.4 FORCE MAJEURE
Force majeure is governed by the General Terms for Supply of Software and Consultancy Services Agreement found at https://www.amcbanking.com/agreements

12 DEFINITIONS OF PERSONAL DATA
12.1 CATEGORIES OF NON-SENSITIVE PERSONAL DATA PROCESSED UNDER THE AGREEMENT
Categories of Data Subjects:
1. The Data Controller's end users
2. The Data Controller's staff (salary payments)
12.2 CATEGORIES OF NON-SENSITIVE PERSONAL DATA
1. Name
2. Title
3. Phone number
4. E-mail
5. Address
6. Bank account number (only for personal bank transfers)
12.3 CATEGORIES OF SENSITIVE PERSONAL DATA WHICH ARE PROCESSED UNDER THIS AGREEMENT
The Data Processor, on behalf of the Data Controller, processes one or more of the following categories of information:
1. CPR number via NemKonto (only for NemKonto transfers in Denmark)