Effective as of: 30 June 2023
- A link to a previous version of the GDPR & Data Protection Schedule can be found here.
- A link to SuiteFiles’ Customer Terms and Conditions can be found here.
Under the Agreement, the Customer engages or may engage the Supplier to Process Personal Data on behalf of the Customer. To the extent the Customer is subject to Data Protection Law that requires the parties to enter into a data processing agreement to govern the Processing of Personal Data by the Supplier on behalf of the Customer, this schedule (“Schedule”) is incorporated into the Agreement and forms part of a written contract between the parties. In respect of any such Processing, the Customer is a “Controller”, and the Supplier is a “Processor”, for the purposes of Data Protection Law.
The subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subjects that will be Processed by the Supplier are set out in Appendix 1 to this schedule.
The terms used in this schedule have the meanings given to them in clause 2 of this schedule. Capitalized terms used in this Schedule that are not defined in clause 2 of this schedule have the meaning given to them in Data Protection Law or in the Agreement.
Headings used in this schedule are for ease of reference only and are not intended to influence the interpretation of a clause.
2. Definitions
Capitalised terms used in this Schedule have the meaning given as follows:
Agreement means the agreement between the Customer and Supplier pursuant to which the Customer will access or have access to the Supplier’s Services;
Approved Jurisdiction means a country (or territory or specified sector within it) or an international organisation which the European Commission or other Government body has decided, under Data Protection Law, ensures an adequate level of data protection;
Data Protection Laws means the GDPR, the UK GDPR, and, to the extent applicable, the data protection or privacy laws of any other country;
Data Subject means an identified or identifiable natural person, or any updated definition of this term from time to time in Data Protection Laws;
EEA means the European Economic Area;
GDPR means EU General Data Protection Regulation 2016/679;
Personal Data means any information related to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, or any updated definition of ‘Personal Data’ from time to time in Data Protection Law;
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, or any updated definition of ‘Personal Data Breach’ from time to time in Data Protection Law;
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and ‘Process’ has a corresponding meaning;
Services means the services and other activities to be supplied to or carried out by or on behalf of the Supplier for the Customer under the Agreement;
Subprocessor means any person (including any third party, but excluding an employee of the Supplier or any of its sub-contractors) appointed by or on behalf of the Supplier to Process Personal Data on behalf of the Customer in connection with the Agreement;
Supervisory Authority has the meaning given to it in the GDPR;
Standard Contractual Clauses means the Standard Contractual Clauses published by the European Commission, reference 2021/914;
UK GDPR means the United Kingdom General Data Protection Regulation, tailored by the UK Data Protection Act 2018.
Whenever the words “includes” or “including” are used in this Schedule, they are deemed to be followed by the words “without limitation”.
3. Processing of Personal Data
The Supplier will:
- (a) Instructions from Customer: in providing Services under the Agreement, Process Personal Data only on the Customer’s documented instructions (as provided in clause 4 and in appendix 1 to this Schedule or otherwise in writing) unless required to do so by applicable law, in which case the Supplier will inform the Customer of that legal requirement before Processing unless the Supplier is prohibited from informing the Customer by that law;
- (b) Confidentiality: ensure that the Supplier’s personnel who are authorised to Process the Personal Data have obligations of confidentiality to the Supplier (including as required in clause 4 below) in respect of the Personal Data or are under an appropriate statutory obligation of confidentiality;
- (c) Security: comply with the security obligations in clause 6 below;
- (d) Subprocessors: comply with the provisions relating to Subprocessors in clause 7 below;
- (e) Data subjects’ rights: provide assistance to the Customer with responding to data subjects’ rights in accordance with clause 8 below;
- (f) Assist Customer: comply with its obligations to assist the Customer in relation to security of Personal Data and data protection impact assessments and consultations in accordance with clause 9 below;
- (g) Deleting and returning data: after the provision of Services related to Processing of Personal Data has ended, at the choice of the Customer either delete or return to the Customer all of that Personal Data and delete existing copies unless applicable law requires storage of Personal Data in accordance with clause 10 below; and
- (h) Compliance and audits: make available to the Customer all information necessary to demonstrate compliance with Data Protection Law and allow for and contribute to audits including inspections conducted by the Customer or another auditor mandated from time to time, in accordance with clause 11 below. The Supplier will immediately inform the Customer if, in its opinion, an instruction received from the Customer infringes Data Protection Law.
4. Instructions from Customer
The Customer instructs the Supplier (and authorises the Supplier to instruct each Subprocessor) to:
- (a) Process Personal Data; and
- (b) in particular, transfer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with and in compliance with the Agreement.
The Supplier will take reasonable steps to ensure the reliability of its employees, agents or contractors who may have access to Personal Data, ensuring in each case that access is limited to those individuals who need to know or need to access the relevant Personal Data, as necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties to the Supplier, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
6. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, the Supplier will take account in particular of the risks of a Personal Data Breach that are presented by the Processing to be undertaken under the Agreement.
7. Subprocessors
The Customer grants a general authorisation to the Supplier to appoint Subprocessors (and permits each Subprocessor appointed in accordance with this clause 7 to appoint Subprocessors) in accordance with this clause 7 and any restrictions in the Agreement.
The Supplier will give the Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If within two weeks of receipt of that notice, the Customer notifies the Supplier in writing of any objections (on reasonable grounds) to the proposed appointment, the Customer may terminate the Agreement by providing written notice to the Supplier within that two-week period, with such termination taking effect 30 days from the date notice of termination is received by the Supplier. If the Customer does not provide notice of termination within the two-week period, the Customer is deemed to have accepted the new Subprocessor.
With respect to each Subprocessor, the Supplier will:
- (a) enter into an agreement with the Subprocessor which includes the same data protection obligations as set out in this Schedule. If the Subprocessor fails to fulfil its data protection obligations, the Supplier will remain fully liable to the Customer for the performance of that Subprocessor’s obligations; and
- (b) if the Processing by the Subprocessor will involve a transfer of Personal Data outside of the UK or EEA, ensure that such transfer meets the requirements of Data Protection Laws, including, where appropriate, ensuring the Standard Contractual Clauses are incorporated into the agreement between the Supplier and the Subprocessor.
8. Data Subjects’ Rights
Taking into account the nature of the Processing, the Supplier will assist the Customer to respond to requests to exercise Data Subject rights under the Data Protection Laws, and will:
- (a) promptly, and in any event no later than is required under applicable law, notify the Customer if the Supplier or any Subprocessor receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and
- (b) ensure that the Supplier or relevant Subprocessor does not respond to that request except on the documented instructions of the Customer or as required by Data Protection Laws to which they are subject, in which case the Supplier will to the extent permitted by Data Protection Laws inform the Customer of that legal requirement before the Supplier or relevant Subprocessor responds to the request.
9. Assist Customer
The Supplier will, by complying with the Supplier’s obligations under clause 6 of this Schedule, assist the Customer in respect of the Customer’s obligations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The Supplier will notify the Customer without undue delay if the Supplier or any Subprocessor becomes aware of a Personal Data Breach, providing the Customer with sufficient information to allow the Customer to meet any obligations to report the Personal Data Breach to the relevant Supervisory Authority under the Data Protection Laws.
Where the Customer is required to communicate a Personal Data Breach to the Data Subject, the Supplier will assist the Customer in doing so by providing relevant information in its possession as may be reasonably required by the Customer.
The Supplier will provide reasonable assistance to the Customer with any data protection impact assessments which the Customer reasonably considers to be required of the Customer under applicable Data Protection Laws.
The Supplier will provide reasonable assistance to the Customer with prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required of the Customer by Data Protection Laws.
10. Deletion or return of Personal Data
Subject to clauses 10.2 and 10.3, the Supplier will, within four weeks of the date of expiration or termination of Services involving the Processing of Personal Data (the “End of Processing Date”), delete and procure the deletion of all copies of the Personal Data.
Subject to clause 10.3, the Customer may in its absolute discretion by written notice to the Supplier within four weeks of the End of Processing Date require the Supplier to:
- (a) return a complete copy of all Personal Data to the Customer by secure file transfer in such format as is reasonably notified by the Customer to the Supplier; and
- (b) delete and procure the deletion of all other copies of Personal Data Processed by the Supplier. The Supplier will comply with any such written request within four weeks of the End of Processing Date.
The Supplier may retain Personal Data to the extent required by applicable laws or where Personal Data forms part of the Supplier’s business records that the Supplier retains for back-up purposes or to meet its legal, regulatory, compliance or governance obligations, provided that the Supplier will:
- (a) ensure the confidentiality of all such Personal Data;
- (b) ensure that such Personal Data is only processed as necessary for the purpose(s) specified above and for no other purpose.
11. Audit rights
Subject to clauses 11.2 and 11.3, the Supplier will make available to the Customer on request all information necessary to demonstrate compliance with this Schedule, and where required by applicable Data Protection Law, will allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of Personal Data by the Supplier.
The Supplier may, on reasonable grounds, object to the proposed auditor in which case the Customer will propose an alternate auditor.
The Customer will give the Supplier reasonable notice of any audit or inspection to be conducted under clause 11.1 and will make (and ensure that its auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. The Customer shall not be entitled to undertake an audit or inspection more than once per calendar year, unless:
- (a) the Customer reasonably considers an audit is necessary because of genuine concerns as to the Supplier’s compliance with this Schedule; or
- (b) the Customer is required or requested to carry out an audit by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory.
12. Restricted Transfers
Subject to clause 12.2, where the Services involve the transfer of Personal Data outside of the EEA or UK, the Customer (as “data exporter”) and the Supplier (as “data importer”) each agrees to ensure the Personal Data is adequately protected as required by applicable Data Protection Laws. Where such international processing requires adequacy means under the laws of the country of the Controller and the required adequacy means can be met by entering into the Standard Contractual Clauses, the parties will enter into the Standard Contractual Clauses (as set out in Appendix 2 to this Schedule and as may be amended or replaced from time to time).
There is no requirement for the Supplier and Customer to agree to the Standard Contractual Clauses where the transfer of Personal Data is to an Approved Jurisdiction.
13. Order of precedence
In the event of any conflict or inconsistency between this Schedule and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
Subject to clause 13.1, in the event of inconsistencies between the provisions of this Schedule and the Agreement, the provisions of this Schedule will prevail.
APPENDIX 1 TO GDPR DATA PROCESSING SCHEDULE
Details of Processing of Personal Data
This Appendix 1 includes certain details of the Processing of Personal Data as required by Data Protection Law.
1. Subject matter and duration of the Processing of Personal Data
The subject matter of the Processing is the Personal Data described in paragraph 3 below (which may include your name, your physical address, your billing address, and your email address); the duration is the period during which we provide the Services to you.
2. The nature and purpose of the Processing of Personal Data
Such data is captured to provide the Services to you, and for billing and support activities.
3. The types of Personal Data to be Processed:
Such data may include your name, your physical address, your billing address, and your email address.
4. The categories of Data Subject to whom Personal Data relates
Such data may relate to current personnel, contractors, website end-users, suppliers, consumers, customers, prospects and application end-users.
5. The obligations and rights of the Customer
The obligations and rights of the Customer are set out in the Agreement and this Schedule.
APPENDIX 2 STANDARD CONTRACTUAL CLAUSES
The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
7. Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Appendix 1, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
10. Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Appendix 1. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14 of the Standard Contractual Clauses, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
11. Security of processing
The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II to these Clauses. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
12. Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Appendix 1.
13. Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- (a) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- (b) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
- (c) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- (d) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
13.2 Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
14. Documentation and compliance
The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.