GDPR – Yamin Ismail

This Data Processing Agreement (“DPA”) is an addendum to the Terms & Conditions between CyberWebPAGE Ltd (“CyberWebPAGE”) and you (“Customer”). The DPA will be effective from 25th May 2018, replacing any previously applicable data processing and security terms, and will continue for as long as CyberWebPAGE provides the services set out in CyberWebPAGE Ltd Terms & Conditions.

Definitions

“Customer Data” means data provided by or on behalf of Customer or Customer End Users via the Services under the account.

“Data Controller” means the entity that determines the purposes and means of the processing of Personal Data.

“Data Processor” means the entity that processes Personal Data on behalf of the Data Controller.

“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including the GDPR.

“Data Subject” means the individual to whom the Personal Data relates.

“EEA” means the European Economic Area.

“GDPR” means EU General Data Protection Regulation 2016/679.

“Personal Data” means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under GDPR.

“Processing” has the meaning given to it in the GDPR, and “process”, “processes” and “processed” shall be interpreted accordingly.

“Sub-Processor” means any third party authorised under this DPA to have logical access to and process Customer Data to provide parts of the Services.

“Services” means any product or service provided to Customer and as described in CyberWebPAGE Ltd Terms & Conditions.

Data Processing

CyberWebPAGE will only act and process Customer Data in accordance with the documented instructions from Customer (the “Instruction”) unless required by law to act without such Instruction. The Instruction at the time of entering into this DPA is that CyberWebPAGE may process Customer Data only for the purpose of delivering Services as described in its Terms & Conditions and any product-specific agreements. Subject to the terms of this DPA and with the parties’ agreement, Customer may issue additional written instructions consistent with the terms of this Agreement. The customer is responsible for ensuring that all individuals who provide instructions are authorised to do so.

CyberWebPAGE will inform Customer of any instruction it deems to be in violation of the GDPR and will not execute the instruction until it has been confirmed or modified.

When Customer Data is processed by CyberWebPAGE, both parties acknowledge and agree that:

– CyberWebPAGE is a Data Processor of Customer Data under the GDPR

– Customer is a Data Controller of Customer Data under GDPR.

Confidentiality

CyberWebPAGE shall treat all Customer Data as strictly confidential information. Customer Data may not be copied, transferred or otherwise processed in conflict with the Instruction from Customer unless required by law.

CyberWebPAGE employees shall be subject to an obligation of confidentiality that requires them to treat all Customer Data under this DPA with strict confidentiality and to process it only in accordance with the Instruction.

Sub-Processing

Customer authorises CyberWebPAGE to engage third parties (“Sub-Processors”) to process Customer Data without obtaining any further specific written authorisation. CyberWebPAGE will restrict Sub-Processor access to Customer Data to what is necessary to provide the Services.

CyberWebPAGE shall complete a written agreement with any Sub-Processors. Such an agreement shall, at a minimum, provide the same data protection obligations as those set out in this DPA. It remains accountable for any Sub-Processor in the same way as for its own actions and omissions.

CYberWebPAGE will inform Customer of any new Sub-Processor engagements at least 30 days before the new Sub-Processor processes any Customer Data. Notifications of such engagements will be delivered to the account email address and/or through the control panel interface. It is the Customer’s sole responsibility to ensure account information is correct and kept up to date.

The customer has the right to object to the use of a Sub-Processor by terminating this Addendum and Services in accordance with Hyper Host Terms and Conditions. A list of current Sub-Processors is provided in Annex 1.

Security

CyberWebPAGE will implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as set out in Annex 2 of this Addendum and in accordance with GDPR Article 32. The security measures are subject to technological progress and development, and Customer acknowledges that CyberWebPAGE may update or modify the security measures from time to time, provided that such updates and modifications do not result in a degradation of overall security. In addition, CyberWebPAGE will provide the Customer with controls to further secure the Customer Data within the control panel.

Data Breach Notifications

If CyberWebPAGE becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Customer Data on systems managed by or otherwise controlled by CyberWebPAGE, CyberWebPAGE agrees to notify Customer without hesitation or delay. Notifications of such incidents will be sent to the account email address as set by the Customer. It is the customer’s sole responsibility to ensure this information is correct and kept up to date inside the control panel.

CyberWebPAGE will make reasonable efforts to identify the cause of any breach and take the necessary steps to prevent it from recurring.

Customer agrees that Data Breach Notifications will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial-of-service attacks, and other network attacks against firewalls or networked systems.

Data Subject Rights

If CyberWebPAGE directly receives a request from a Data Subject to exercise such rights in relation to Customer Data, it will forward the request to Customer. The customer must respond to any such request within the timeframes specified within GDPR.

CyberWebPAGE will assist the Customer in fulfilling any obligation to respond to data subject requests, which may include providing controls via the control panel to help comply with the commitments set out in the GDPR.

Data Transfers

CyberWebPAGE stores and processes data in secure data centres located within the European Economic Area (“EEA”). Data may be transferred and processed outside the EEA to countries where Sub-Processors maintain their own data processing operations. Customer hereby agrees to the transfer, storing or processing of data outside the EEA. Hyper Host will take all reasonably necessary steps to ensure that Customer Data is handled securely and in accordance with the relevant Data Protection Laws.

Compliance and Audit Rights

CyberWebPAGE agrees to maintain records of its security standards, and, upon Customer’s written request, Hyper Host shall make available all relevant information necessary to demonstrate compliance with this DPA. Customer agrees that any audit or inspection shall be carried out with reasonable prior written notice of at least 30 days and shall not be conducted more than once in any 12-month period. If CyberWebPAGE declines the request, Customer is entitled to terminate this addendum and Services.

Return or Deletion of Data

CyberWebPAGE only retains Customer Data for as long as required to fulfil the purposes for which it was initially collected. Termination of this Addendum or Services in line with CyberWebPAGE Terms & Conditions will result in all Customer Data being deleted unless otherwise required by law. For Customer Data archived on back-up systems, CyberWebPAGE shall securely isolate and protect from any further processing.

Limitation of Liability

The total liability of each part under this addendum shall be subject to the limitation of liability as set out in CyberWebPAGE Terms & Conditions. For the avoidance of doubt, in no instance will CyberWebPAGE be liable for any losses or damages suffered by Customer when Customer uses the Services in violation of its Terms & Conditions, regardless of whether it terminates or suspends an account due to such violation.

Annexe 1 – Sub-Processors

Company: CyberWebPAGE Limited | Service: Subscription Management, Service Provisioning.
Company: Hyper Host Limited | Service: Subscription Management, Service Provisioning.
Company: 20i Limited | Service: Servers & Data Centre.
Company: Stripe | Service: Credit/Debit Card Payments.
Company: PayPal | Service: Credit/Debit Card Payments.
Company: GetGist | Service: Support & Communications.
Annexe 2 – Security Measures

Available upon request.