This Data Processing Agreement reflects the partner's (referred to as “you”, “your”, “your company”) agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Kyero.com service under the Kyero Partner Terms of Service.
Controller: Portal 47 Limited, trading as Kyero.com, a UK registered company with its registered office at 12b George Street, Bath, United Kingdom, BA1 2EH ("Controller").
and
Processor: Your company as registered with Kyero.com when creating an account with us.
Effective Dates: All parties agree that this DPA, together with your use of the Subscription Service in accordance with the Partner Terms of Service, will come into force from creation of your account on the Kyero.com portal, and will remain in force (as may be amended from time to time) until deletion of your account.
Definitions
1.1 Personal Data: Any information relating to an identified or identifiable natural person.
1.2 Data Subject: An individual whose Personal Data is processed.
1.3 Processing: Any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.4 Sub-processor: Any third party engaged by the Processor who agrees to receive from the Processor any Personal Data exclusively intended for Processing activities to be carried out on behalf of the Controller.
Subject Matter
This Agreement outlines the terms and conditions under which the Processor will process Personal Data on behalf of the Controller.
Duration
This Agreement will commence on the Effective Date and shall continue until terminated by either party in accordance with the terms herein.
Processing of Personal Data
4.1 The Processor shall process Personal Data only to the extent, and in such a manner, as is necessary for the purposes specified by the Controller and in accordance with the Controller's documented instructions.
4.2 The Processor shall not process Personal Data for any other purpose unless required to do so by law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law on important grounds of public interest.
Compliance with Data Protection Laws
Both parties shall comply with all applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR).
Data Subject Rights
6.1 The Processor shall assist the Controller, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests to exercise Data Subject rights.
6.2 The Processor shall promptly notify the Controller if it receives a request from a Data Subject under any data protection law in respect of Personal Data.
Security
7.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) The pseudonymization and encryption of Personal Data;
b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
7.2 In assessing the appropriate level of security, the Processor shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
Sub-processors
8.1 The Processor shall not engage any Sub-processor without prior specific or general written authorization of the Controller.
8.2 The Processor shall ensure that the Sub-processor is bound by data protection obligations compatible with those of the Processor under this Agreement.
Personal Data Breach
9.1 The Processor shall notify the Controller without undue delay upon becoming aware of a Personal Data breach.
9.2 Such notification shall at least:
a) Describe the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) Describe the likely consequences of the Personal Data breach;
d) Describe the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Deletion or Return of Personal Data
Upon termination of the Agreement, the Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.
Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Governing Law
This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
Miscellaneous
13.1 Any changes to this Agreement must be agreed in writing by both parties.
13.2 If any provision of this Agreement is found to be invalid or unenforceable, the remainder of this Agreement shall remain valid and in force.