This Data Processing Agreement (DPA) forms part of the contract for Services between A Seat At Our Table and you.
Under this agreement, A Seat At Our Table shall act as a Data Controller, where it wishes to subcontract certain services, which involves the processing of personal data to a Data Processor.
This DPA is compliant with the requirements of the current legal framework as per data processing. It is also compliant with the Regulation (EU) 2016/679 of the European Parliament as well as with the Council of 27 April 2016 on the protection of natural persons as per the processing of personal data and on the movement of such data.
PROCESSING OF PERSONAL DATA
We shall comply with all applicable Data Protection Laws in the processing of personal data; and will never process your personal data against your documented instructions. We will instruct the data processor to process your personal data based only on your documented instructions.
We, as the data controller, shall ensure that the data processor takes reasonable steps to ensure the reliability of any employee, contractor or agent of who may have access to your personal data, ensuring that access in each case is strictly restricted to individuals on a need to know basis as strictly necessary for the purposes of our terms of service.
The data processor shall comply with applicable laws in the context that any employee, contractor, or agent's duties to the data processor are subjected to confidentiality undertakings and/or statutory obligations of confidentiality.
We will ensure that the data processor implements appropriate technical and organizational measures to ensure a level of security in line with the measures referred to in Article 32(1) of the GDPR.
The data processor shall not appoint or reveal your personal information to any sub-processor unless required or authorized by us.
The data processor will promptly notify you if it receives a request from a data subject under any Data Protection Law in respect of your personal data; and will ensure that it does not respond to that request except on your documented instructions or as required by applicable laws to which the processor is subject.
PERSONAL DATA BREACH
The data processor shall notify you without undue delay upon becoming aware of a personal data breach affecting your personal data, providing you with sufficient information to allow you to meet any obligations to report or inform data subjects of the personal data breach under the Data Protection Laws.
The processor shall cooperate with you and take reasonable commercial steps as directed by you to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
DELETION OR RETURN OF PERSONAL DATA
The data processor shall delete and procure the deletion of all copies of those personal data within ten business days of the date of cessation of any services that involve the processing of your personal data.
Processor shall make available to you on request all information necessary to demonstrate compliance with this agreement, and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the processing of the personal data by the contracted processors.
The processor is not allowed to transfer or authorize the transfer of data to countries outside the European Economic Area (EEA) and/or EU without your prior written consent. If personal data processed under this agreement is transferred from within the European Economic Area to outside the European Economic Area, the parties must ensure that there is adequate protection for the personal data by relying on EU approved standard contractual rules for the transfer of personal data.
Each party to this agreement must keep this agreement and information it receives about the other party and its business in connection with this agreement confidential and must not use or disclose that confidential information without the prior written consent of the other party except to the extent that disclosure is required by law; and/or the relevant information is already in the public domain.