This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Terms”) entered into by and between Subscriber and Digicon, pursuant to which Subscriber has purchased a subscription to Digicon’s Services (as described in the Contract).
The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Information in accordance with the requirements of applicable Data Protection Legislation.
This DPA consists of two parts: (1) the main body of the DPA, and (2) Annex A – Personal Information Processing Purposes and Details.
By signing a Digicon Order Form you agree to be bound by this DPA. If you do not agree to this DPA then you must not sign the Digicon Order Form.
In the course of providing the Services to Subscriber pursuant to the Contract, Digicon may Process Personal Information on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Information, each acting reasonably and in good faith.
This DPA shall not replace any comparable or additional rights relating to Processing of Personal Information contained in the Terms.
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this DPA. All capitalized terms used but not defined herein shall have the meaning given to such term in the Terms.
1.1 Definitions:
Authorised Persons: the persons or categories of persons that the Subscriber authorises to give Digicon written Personal Information processing instructions and from whom Digicon agrees to accept such instructions.
Breach: theft or loss, misuse, unauthorized access to or disclosure of Personal Information or other illegal Processing of Personal Information.
Business Purposes: the services to be provided by Digicon to the Subscriber as described in the Contract and any other purpose specifically identified in ANNEX A.
Data Subject: the identified or identifiable living individual to whom the Personal Information relates.
Term: this DPA's term, as defined in Clause 10.
2. PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Subscriber and Digicon agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Subscriber retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and obtaining any required consents, performing any privacy impact assessments that may be required and for the written processing instructions it gives to Digicon.
(b) Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Information categories and Data Subject types in respect of which Digicon may process the Personal Information to fulfil the Business Purposes.
3. PROCESSING OF SUBSCRIBER PERSONAL INFORMATION
3.1 Digicon will comply with all applicable Data Protection Legislation in the Processing of Subscriber Personal Information; and not Process Subscriber Personal Information other than on the Subscriber’s documented instructions, unless Processing is required by Applicable Laws to which Digicon is subject, in which case Digicon will, to the extent permitted by Applicable Laws, inform the Subscriber of that legal requirement before Processing.
3.2 The Subscriber represents having given the appropriate notices to Data Subjects and instructs Digicon (and authorises Digicon to instruct each Subprocessor) to Process and transfer Subscriber Personal Information to any country or territory as reasonably necessary for the provision of the Services provided Digicon participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that Digicon (and, where appropriate, the Subscriber) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation.
3.3 Digicon will not act on any specific instructions given by Subscriber from time to time unless they are documented and given by an Authorised Person.
3.4 Digicon will only Process the Subscriber Personal Information in accordance with the Contract and disclose Subscriber Personal Information to:
(a) Subscriber's Users; and
(b) Subscriber's Authorised Persons.
4. SUBSCRIBER OBLIGATIONS
4.1 Subscriber represents and warrants that:
(a) the Processing of Subscriber Personal Information has been carried out and will at all times be carried out by the Subscriber in compliance with Data Protection Legislation;
(b) Subscriber has made all necessary disclosures and obtained all necessary consents from Data Subjects to fulfil all of its obligations under this DPA, including the ability to disclose Subscriber Personal Information to Digicon and its Subprocessors and the possibility that the Personal Information be transferred in a foreign jurisdiction;
(c) it is and will remain duly and effectively authorised to give instructions to Digicon under this DPA;
(d) all Subscriber Personal Information is necessary in relation to the purposes for which it is Processed, accurate and where necessary up-to-date; and
(e) any notification that it is required to make to a supervisory authority has been made, and is complete and correct.
5. CONFIDENTIALITY
5.1 Digicon will maintain the confidentiality of the Subscriber Personal Information and will not disclose the Subscriber Personal Information to third parties unless the Subscriber, the Contract or this DPA specifically authorises the disclosure, or as required by Applicable Law, court or regulator.
5.2 Digicon will ensure that persons authorised to Process the Subscriber Personal Information have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
6. SECURITY
6.1 Digicon shall at all times implement appropriate technical and organisational measures designed to protect against unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of the Subscriber Personal Information, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Subscriber Personal Information including, but not limited to, the security measures set out in ANNEX B.
7. SUBPROCESSING
7.1 The Subscriber authorises Digicon to appoint Subprocessors in accordance with this Clause 7. Digicon may continue to use those Subprocessors identified in Annex A as at the date of this DPA. Digicon will inform Subscriber of any intended changes concerning the addition or replacement of Subprocessors, thereby giving Subscriber the opportunity to object to such changes as set out in Annex A.
7.2 With respect to each Subprocessor, Digicon shall ensure that the arrangement between Digicon and the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Subscriber Personal Information as those set out in this DPA.
8. ASSISTANCE
8.1 Digicon shall reasonably assist the Subscriber in ensuring compliance with the Subscriber's obligations pursuant to Data Protection Law taking into account the nature of Processing and the information available to Digicon, including as set out in Section 8.3.
8.2 To the extent permitted by Applicable Law, Digicon will promptly notify the Subscriber if it receives a request from a Data Subject under any Data Protection Legislation in respect of Subscriber Personal Information and will, taking into account the nature of the Processing, reasonably assist the Subscriber by appropriate technical and organisational measures, insofar as this is reasonably possible, for the fulfilment of the Subscriber's obligation to respond to requests.
8.3 To the extent permitted by Applicable Law, Digicon shall promptly notify the Subscriber if it becomes aware of a Personal Information Breach or attempted Personal Information Breach affecting Subscriber Personal Information and will reasonably co-operate with the Subscriber and take such commercially reasonable steps as the Subscriber requests to assist in the investigation, mitigation and remediation of each such Personal Information Breach.
9. DELETION OF SUBSCRIBER PERSONAL INFORMATION
9.1 The Subscriber chooses, and Digicon agrees, that on the termination of the provision of the Services, Digicon will delete Subscriber Personal Information from Digicon's systems two years from the date of termination, unless earlier deletion is required by applicable Data Protection Legislation, except to the extent that Applicable Laws require Digicon to retain copies of such data.
9.2 Subscriber acknowledges that it bears the sole responsibility for exporting any Subscriber Personal Information it wishes to retain prior to such deletion.
10. TERM AND TERMINATION
10.1 This DPA will remain in full force and effect so long as:
(a) the Digicon Order Form and Terms remain in effect; or
(b) Digicon retains any of the Personal Information related to the Digicon Order Form and Terms in its possession or control (Term).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Digicon Order Form and Terms in order to protect the Personal Information will remain in full force and effect.
11. INFORMATION & AUDIT RIGHTS
11.1 Digicon will make available such information as is reasonably requested by the Subscriber to demonstrate compliance with the obligations under this DPA. The Subscriber will be entitled to conduct an audit for that same purpose, provided (a) the Subscriber gives Digicon no less than fourteen (14) days’ prior written notice, (b) the audit is conducted remotely, and (c) such audits are conducted no more than once per calendar year, excluding any audit required by any supervisory authority under applicable Data Protection Legislation.
11.2 Digicon shall promptly inform the Subscriber if, in its sole opinion, the Subscriber's instruction to Digicon infringes Data Protection Legislation or other Applicable Laws relating to data protection.
11.3 No audit under section 11.1 will provide the Subscriber with any access to Digicon’s code base, data centres, detailed network schematics or detailed records of security vulnerabilities unless such access is required by a supervisory authority under Data Protection Legislation or by Applicable Law.
11.4 Subscriber shall bear the costs of any audit under section 11.1, unless such audit reveals that Digicon is responsible for a Personal Information Breach or has otherwise materially failed to comply with its obligations under this DPA, the Terms, or the Data Protection Legislation, in which case Digicon shall bear the cost.
12. GENERAL
12.1 Nothing in this DPA is intended to impose upon Digicon any obligations materially more burdensome than those required by applicable Data Protection Legislation.
12.2 In the event of conflict between the terms set out in this DPA and the Terms, the terms set out in this DPA shall prevail solely to the extent of such conflict.
12.3 No other terms or conditions of the Terms shall be amended as a result of this DPA.
12.4 The parties will cooperate in good faith to amend this DPA where required by any change in the Data Protection Legislation applicable to either party.
12.5 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the law governing the Agreement, without regard to any conflicts of law principles that would require a different result. Each party irrevocably submits to the jurisdiction of the same courts, arbitrators, or other dispute resolution bodies as set out in the Terms, under the same terms set out in the Terms.