DATA PROCESSING AGREEMENT
November 20, 2018
1 Definitions and Interpretation
|Data Protection Legislation||means the GDPR and any national implementing laws, regulations or secondary regulations, as amended or updated from time to time;|
|GDPR||means the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free morvement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);|
|Personal Data||means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;|
|Processing||means any operation or set of operations which is performed by the Processor on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alternation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; the scope, nature and purpose of the Processing by the Processor, the duration of the Processing and the types of the Personal Data and categories of the data subjects are set out in Schedule 1 hereto (Processing);|
a. Unless explicitly stated otherwise, any and all references made to any section or schedule shall be deemed to be a section or schedule of this Agreement;
b. The headings in this Agreement are used for convenience only and do not affect its interpretation;
c. A Party includes a reference to that Party’s successors and permitted assigns; references to a person shall include both the legal entities and natural persons;
2 Subject of the Agreement
2.1 Under this Agreement, the Processor shall carry out the Processing on behalf of the Controller.
2.2 The Parties hereby undertake to comply with all applicable requirements of the Data Protection Legislation. This Article 2.2 is in addition to, and does not relieve, remove or replace, a Party’s obligations under the Data Protection Legislation.
2.3 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Controller is the controller and the Processor is the processor as defined in the Data Protection Legislation.
2.4 Without prejudice to the generality of Article 2.2, the Controller shall ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to the Processor for the duration and purposes of this Agreement.
2.6 Without prejudice to the generality of Article 2.2, the Processor shall, in relation to any Personal Data processed in connection with the performance by the Processor or its obligations under this Agreement:
2.6.1 process the Customer Personal Data only on documented instructions of the Controller unless the Processor is required by the Data Protection Legislation. Where the Processor is relying on the Data Protection Legislation as the basis for processing the Customer Personal Data, the Processor shall promptly notify the Controller of this before performing the Processing required by the Data Protection Legislation unless the Data Protection Legislation prohibit the Processor from so notifying the Controller on important grounds of public interest;
2.6.2 ensure that it has in place appropriate technical and organizational measures, reviewed and approved by the Controller, to protect against unauthorized or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, the Customer Personal Data, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting the Customer Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Customer Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);
2.6.3 ensure that all personnel of the Processor who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential; and
2.6.4 assist the Controller in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
2.6.5 notify the Controller without any undue delay on becoming aware of a Customer Personal Data breach;
2.6.6 at the written direction of the Controller, delete or return the Customer Personal Data and copies thereof to the Controller on termination of the Agreement unless required by the Data Protection Legislation to store the Customer Personal Data; and
2.6.7 maintain complete and accurate records and information to demonstrate its compliance with this clause 2.6 and to allow for audits by the Controller or the Controller 's designated auditor.
4 Appointing a Third Party a processor
4.1 The Controller authorizes the Processor to engage third-party processors in fulfilling the Processor’s obligation hereunder, including processing of the Customer Personal Data. The Controller specifically authorizes the Processor to engage any of the third-party processors listed in Schedule 2 hereto (List of Sub-processors).
4.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any of the third-party processors, thereby giving the Controller the opportunity to object to such changes.
5 Final Provisions
5.1 This Agreement is governed by the laws of the country or territory stipulated for this purpose in the Terms of Service.
5.2 Schedules to this Agreement:
|Schedule 2:||List of Sub-processors|
Schedule 1 Processing
|Nature of the Processing||Live video streaming, including, depending on the subscription plan, video hosting|
|Types of the Personal Data||Data of the individuals recorded in the video|
|Categories of data subjects||Individuals recorded in the video|
Schedule 2 List of sub-processors
Amazon Web Services EMEA SARL
Amazon Web Services, Inc.