Data Processing Addendum
This page is all about detailing the Data Processing Addendum (“Addendum”), which means it’ll read like a contract and certain parts will seem pretty dry. However, it’s very important as it’s all about YOU and protection of YOUR personal data.
When does this Addendum apply?
It applies to TinyWhale’s provision of the Services to you, if the GDPR applies to Processing of Customer Personal Data (defined below), but only to the extent that you are a Controller and TinyWhale is a Processor of Customer Personal Data. This Addendum is meant to satisfy the requirements of Article 28(3) of the GDPR and will be effective for the entire duration of the Agreements.
1.1. For the purposes of this Addendum:
1.1.1. Customer Personal Data means the Personal Data described under Section 2 of this Addendum, in which you are the Controller;
1.1.2. Data Protection Legislation means the GDPR, as well as any other applicable laws in any country;
1.1.3. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; and
1.1.4. Personal Data, Data Subject, Personal Data Breach, Process, Processor and Controller will each have the meaning given to them in the GDPR.
1.2. Anything capitalized here but not defined shall take on the meaning it has in the Agreements.
- Details of the Processing
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to the clients that you interact with through the Services.
2.2. Types of Personal Data. Customer Personal Data includes Personal Data, the scope and collection of which is controlled by you alone and completely, such as names, contact information, and financial information.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of TinyWhale’s Processing of Customer Personal Data will be determined by which Services are provided to you that involve any Processing of Customer Personal Data. This Customer Personal Data will then need to be subject to the Processing activities that TinyWhale would need to perform in order to be able to provide the Services.
2.4. Purpose of the Processing. The Purposes for which Customer Personal Data will be Processed by TinyWhale in order to provide the Services are as set out in the Agreements.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreements, subject to Section 11 of this Addendum.
- Processing of Customer Personal Data
3.1. You and TinyWhale both know and agree that YOU, and you alone, are the Controller of Customer Personal Data, and TinyWhale is the Processor of that data. TinyWhale will only Process Customer Personal Data as a Processor on behalf of you and in accordance with this Addendum and anything you tell us to do in writing (this also applies to cross-border transfers of personal data). You agree to and hereby instruct TinyWhale to Process Customer Personal Data to the extent necessary for TinyWhale to provide the Services to you in accordance with the Agreements.
3.2. If, due to a legal requirement under any applicable European Union or Member State law, TinyWhale is not able to process Customer Personal Data according to what you tell us to do, we will:
(i) promptly notify you of this issue, and provide you with a reasonable level of detail as to what it is we cannot comply with, and the reasons why we cannot comply, to the greatest extent we are permitted to by applicable law;
(ii) stop all Processing of the affected Customer Personal Data (other than just storing and maintaining its security) until the time you give us new instructions with which we’re able to comply.
If such an incident happens as described under this section, unfortunately TinyWhale won’t be liable to you under the Agreements for failure to perform any Service(s) until the time you give us new instructions.
3.3. Both you and TinyWhale will each need to comply with our respective obligations under the Data Protection Legislation. You also need to ensure that you’ve already obtained (or will obtain) all necessary rights and consents (if required) for TinyWhale to Process Customer Data in accordance with this Addendum.
- Data Transfers
4.1. In connection with TinyWhale performing its Services, the Customer authorizes TinyWhale to Process Customer Personal Data associated with Data Subjects from the European Economic Area and/or Switzerland (collectively “EEA”) in the United States, whether TinyWhale transfers Customer Personal Data from the EEA or whether it receives Customer Personal Data from the EEA that was already transferred by Customer.
4.2. TinyWhale has certified to the Privacy Shield framework as administered by the U.S. Department of Commerce (the “Privacy Shield”) and commits to comply with its obligations for the Customer Personal Data transferred under the Privacy Shield throughout the term of this Addendum.
4.3. In any situation where TinyWhale is not able to comply with its Privacy Shield obligations, it will nevertheless provide an adequate level of protection for Customer Personal Data, wherever processed, in accordance with the requirements of applicable data protection law.
TinyWhale will ensure that any person or entity that TinyWhale authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
- Security Measures
6.1. TinyWhale will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data.
6.2. At your request, TinyWhale will provide you with reasonable assistance as necessary for the fulfilment of your obligation to keep Customer Personal Data secure. This is subject to you paying all our fees and expenses at prevailing rates.
7.1. We work with a selected pool of trusted partners to help deliver your Services. In this regard, you authorise TinyWhale to appoint sub-Processors to perform specific services on TinyWhale’s behalf which may require these sub-Processors to Process Customer Personal Data. Rest assured that we will let you know of any intended changes involving the addition or replacement of any sub-Processors before the fact, and you can object to any such changes on reasonable grounds within 15 business days after we notify you. In the event we can’t amicably resolve any of your objections, we can each decide to terminate the Agreements by writing to each other and parting with no hard feelings.
7.2. We’ll also enter into a binding written agreement with our sub-Processors that imposes on the sub-Processors the same obligations that apply to us under this Addendum. Where any of our sub-Processors slips up and fails to fulfil its data protection obligations to you, we will be liable to you as if it was our failure instead.
- Data Subject Rights
At your request, TinyWhale will provide you with assistance necessary for you to fulfil your obligations to respond to requests for the exercise of Data Subject Rights. This is subject to you paying all our fees and expenses at prevailing rates. We acknowledge that you are fully in control of and wholly responsible for responding to these requests, and we will not respond to any of them unless you say that we can, in writing, with specific instructions.
- Personal Data Breaches
Personal Data Breaches are scary and stressful. TinyWhale will notify you as soon as practicable after we become aware of any Personal Data Breach affecting Customer Personal Data. At your request, we will promptly provide you with all reasonable assistance necessary for you to notify relevant security breaches to the applicable data protection regulators and/or any affected Data Subjects, if the GDPR requires you to do so. This is subject to you paying all our fees and expenses at prevailing rates. As you are firmly in the Controller seat, you are solely responsible for complying with data incident notification requirements applicable to you and for fulfilling any third-party notification obligations related to any data incidents.
- Data Protection Impact Assessment; Prior Consultation
At your request, TinyWhale will provide you with reasonable assistance to help you conduct a data protection impact assessment and consultation with data protection regulators, if you need to do so under the GDPR, and only where our assistance is necessary and relates to our Processing of the Customer Personal Data, taking into account the nature of the Processing and information available to us. This is subject to you paying all our fees and expenses at prevailing rates.
- Return or Deletion of Customer Personal Data
At the end of us providing the Services relating to the Processing, TinyWhale will return to you, or delete, (you choose) Customer Personal Data. We’ll also delete all existing copies unless any applicable law requires us to store that data.
At your request, we will provide you with all information necessary for you to demonstrate compliance with your obligations under the GDPR, allow for, and contribute to audits (including inspections) either conducted by you or an auditor you select, to the extent that such information is within TinyWhale’s control and we are not precluded from disclosing it by any applicable law, a duty of confidentiality or any other obligation owed to any other party. This is subject to you paying all our fees and expenses at prevailing rates, and provided that any such audits will be carried out with reasonable notice during regular business hours and not more than once a year. Where we think that an instruction from you infringes any Data Protection Legislation, we’ll let you know immediately.
13.1. Our liability to each other under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.2. You agree that we are reliant on you for direction as to the extent that we are entitled to Process Customer Personal Data on your behalf in order to perform the Services. As such, TinyWhale will not be liable under the Agreements for any claim brought by a Data Subject arising from any act or omission by us, to the extent that such act or omission was a direct result of your instructions or from your failure to comply with your obligations under the Data Protection Legislation.
- General Provisions
Where things involve the subject matter of this Addendum, in the event of any conflict or inconsistency between the Agreements and this Addendum, this Addendum is king and shall prevail.