These Supplemental Terms address the data protection law changes introduced by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on 25 May 2018.
These Supplemental Terms apply to new customers and customers with whom we have an existing agreement in relation to the use of our products and services, which may include our Virtual Cabinet, SmartVault and/or GetBusy products (“Agreement”).
In these Supplemental Terms, all references to “we”, “our” or “us” are to the entity within the GetBusy group that has entered into the Agreement (GetBusy UK Limited, GetBusy Australia Pty Limited or GetBusy USA Corporation, as applicable).
You agree that these Supplemental Terms shall, with effect from 25 May 2018, be incorporated into and form part of the Agreement.
Your acceptance of these Supplemental Terms will be deemed by your continued use of the products and services that we provide to you pursuant to the Agreement.
1.1 In these Supplemental Terms, unless the context otherwise requires, the following expressions have the following meanings:
“Controller”, “Data Subject”, “Personal Data”, “Processor” and “Process” or “Processing” have the meaning set out in the Data Protection Legislation in the context of the Agreement;
“Customer Personal Data” means the Personal Data that we Process on your behalf pursuant to the Agreement; and
“Data Protection Legislation” means the Data Protection Act 1998, or, from the date it comes into effect in the UK, the GDPR (as applicable) and any other relevant laws relating to the protection of personal data and the privacy of individuals (all as amended, updated or re-enacted from time to time).
1.2 Unless otherwise specified, words in the singular shall include the plural and in the plural shall include the singular and a reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.
2.1 It is agreed that you are a Controller and that we are a Processor acting on your behalf in respect of the Customer Personal Data.
2.2 You shall comply at all times with the Data Protection Legislation and shall notify us promptly in the event of any breach by you of your obligations under the Data Protection Legislation. You indemnify us against all costs, expenses, liabilities, losses, damages and judgments that we incur as a result of any failure by you to comply with the Data Protection Legislation.
2.3 You undertake to provide all necessary notices to and obtain all necessary consents from Data Subjects to enable the use of the Customer Personal Data in accordance with the Data Protection Legislation.
2.4 To the extent that we are Processing the Customer Personal Data, we shall:
2.4.1 Process the Customer Personal Data only in accordance with your written instructions as set out in the Agreement or as otherwise agreed in writing between the parties;
2.4.2 implement appropriate technical and organisational measures in accordance with the Data Protection Legislation to protect the Customer Personal Data against a breach of security caused by unauthorised or unlawful processing and against accidental or unlawful destruction, loss, damage, alteration or unauthorised disclosure of or access to the Customer Personal Data;
2.4.3 ensure that any employees or other persons that we authorise to Process the Customer Personal Data are subject to appropriate obligations of confidentiality;
2.4.4 not engage any third party to carry out our Processing obligations under these Supplemental Terms without obtaining your prior written consent and, where such consent is given, procuring by way of a written contract that such third party will, at all times during the engagement, be subject to data processing obligations equivalent to those set out in this clause 2.4, save that you consent to our use of the categories of sub-processor set out in clause 2.8 below;
2.4.5 notify you, as soon as reasonably practicable, about any request or complaint received from a Data Subject of the Customer Personal Data (without responding to that request, unless you authorise us to do so);
2.4.6 assist you by technical and organisational measures, insofar as possible, for the fulfilment of your obligations in respect of any requests and complaints received from a Data Subject of the Customer Personal Data;
2.4.7 notify you without undue delay after becoming aware of a Personal Data breach in respect of the Customer Personal Data;
2.4.8 on your request, use all reasonable endeavours to assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR (and any equivalent national implementing legislation) in respect of the Customer Personal Data, taking into account the nature of the Processing and the information available to us;
2.4.9 on your request, make available the information necessary to demonstrate our compliance with this clause 2 and on reasonable advance notice in writing otherwise permit, and contribute to, audits that you (or your authorised representative) carry out with respect to the Customer Personal Data, provided that you shall (or shall ensure your authorised representatives shall):
(i) comply strictly with the obligations of confidentiality set out in our Agreement;
(ii) use reasonable endeavours to ensure that the conduct of any such audit does not unreasonably disrupt our normal business operations; and
(iii) whilst carrying out any such audit, comply with any relevant IT and security terms and policies that we supply to you;
2.4.10 on termination or expiry of the Agreement, destroy or return (as you direct) the Customer Personal Data and delete all existing copies of such data except to the extent that we are required to keep or store such data by law.
2.5 You acknowledge and consent to us transferring the Customer Personal Data outside the European Economic Area for the purpose of the services that we provide to you under the Agreement, provided that any such transfer meets the relevant requirements under the Data Protection Act 2018 and Articles 44 - 50 of the General Data Protection Regulation. We will not otherwise transfer the Customer Personal Data outside of the European Economic Area without your prior written consent, unless required to do so by law.
2.6 You acknowledge that clause 2.4.1 shall not apply to the extent that we are required by law to Process the Customer Personal Data other than in accordance with your instructions.
2.7 We may require you to reimburse any reasonable costs that we incur in the performance of our obligations under clauses 2.4.6, 2.4.8 and 2.4.9 where we consider, in our reasonable discretion, that your requests go beyond what is reasonably necessary for your compliance (as a Controller) with the GDPR in respect of the Processing that we carry out on your behalf.
2.8 For the purposes of clauses 2.4 - 2.7, details of the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subject relating to the Agreement are as follows:
Nature/purpose of the Processing
To enable us to supply our services to you pursuant to the Agreement (where such services form the subject matter of the Processing).
Duration of the Processing
The term of the Agreement
Type of Personal Data
All types of Customer Personal Data that you and your authorised users store on or otherwise transmit through our services.
Categories of Data Subject
The following categories of service providers:
3.1 These Supplemental Terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by English law and the parties agree that the English courts shall have exclusive jurisdiction to settle any such dispute or claim.
Last updated May 2018.