Updated May 21, 2018
From the date of subscribing the Services by the Subscriber: (hereafter referred to as the “Agreement”)
Concluded between: Showcase Software Limited Hereafter referred to as the “Processor”.
and Subscriber hereafter referred to as a “Controller”
hereafter referred to collectively as the “Parties”
Whereas: (A) This Agreement is supplemental to any other separate agreement entered into between the Parties and introduces further contractual provisions to ensure the protection and security of personal data passed from the Controller to the Processor for processing.
(B) The Controller may be acting as a data processor for another entity. It is only acting as a Controller for the purpose of the transfer of personal data passed from it to the Processor for processing under the terms of this Agreement.
(C) Following the entry into force of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR) The Parties wish to lay down their rights and obligations.
It is agreed as follows:
(i) “Agreement” means this Data Processing Agreement;
(ii) “personal data” means any information relating to an identified or identifiable natural person (“data subject”);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(iii) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(iv) ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(v) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(vi) “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(vii) “Sub-processor” means any data processor engaged by the Processor
(viii) “Confidential Information” means all information disclosed by a Party to the other Party pursuant to this Agreement, including (but not limited to):
1.1 In the course of providing the Services to the Controller pursuant to this Agreement, the Processor will process personal data on behalf of the Controller. The Processor agrees to comply with the following provisions with respect to any personal data processed for the Controller in connection with the provision of the Services.
1.2 The Processor shall process personal data it receives from the Controller solely for purposes stemming from usage of Service and for no other purpose except with the express written consent of the Controller.
1.3 The Processor shall process categories of data subjects which are provided to the Service by the Controller. Processor is not entitled to process any category of data without prior demand or consent of the Controller.
1.4 Types of personal data. Contact information, the extent of which is determined and controlled by the Controller in its sole discretion, and other personal data such as navigational data (including website usage information), email data, system usage data, application integration data, internet protocol (IP) and other electronic data submitted, stored, sent, or received by end users via the Service.
2.1 As the performance of this Agreement implies the processing of personal data, both Parties shall comply with the applicable data protection legislation and regulations including GDPR.
2.2 The Controller will ensure that its instructions for the processing shall comply with applicable data protection legislation and regulations including GDPR. Controller shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which Controller acquired personal data.
2.3 The Controller agrees that with regard to the processing the Processor may engage Sub -processors compliant with data protection legislation and regulations including GDPR (general consent). Where the Processor engages another Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-processor by way of a contract or other legal act under applicable data protection legislation and regulations including GDPR.
2.4 The Processor shall ensure that any personal data that it processes are kept confidential. All persons authorized by the Processor to process the personal data are under an appropriate obligation of confidentiality and not disclose the personal data to any person other than to its personnel.
2.5 The Processor shall ensure that it implies appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicable data protection legislation and regulations including the protection of the rights of the data subject.
2.6 In accordance with GDPR regulation as the performance of this Agreement the Processor shall in particular:
2.7 Personal data processed in the context of this Agreement are transferred to New Zealand and the United States. The Controller shall agree to transfer personal data to New Zealand and the United States by the Processor without further written consent.
2.8 As the transfer of personal data is necessary for the performance of the Service provided by the Processor the Parties shall ensure that the personal data are adequately protected as set forth in Article 49 of the GDPR. In particular the Processor collects and transfers personal data subject to this Agreement by the Controller to fulfil a compelling legitimate interest of the Processor in a manner that does not outweigh Controller’s nor end users rights and freedoms.
2.9 In order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer of personal data outside the EU by the Controller to the Processor agrees and warrants:
3.1 Both Parties acknowledge that during this Agreement, a Party may become privy to Confidential information which is disclosed by the other Party.
3.2 The receiving Party shall keep all confidential information confidential, in particular the receiving Party shall not disclose any confidential information to any third party and shall not use these information for purposes not resulting from this Agreement.
3.3 Any violation of this section by either of the Parties shall be deemed a material breach of this Agreement.
4.1 Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims.
5.1 This Agreement shall apply to all personal data disclosed to the Processor or otherwise obtained from the Controller from the date of this Agreement until the expiry of the subscription of the Services.
5.2 Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected.