This Data Processing Agreement is applicable to customers signing up for Services provided by Zamzar Ltd from 25 May 2018. The GDPR comes into full effect in the United Kingdom on 25 May 2018. Under the GDPR it is mandatory for there to be a written agreement between a controller and a processor setting out certain provisions. Zamzar is entering into this Data Processing Agreement with you in order to ensure that our Agreement for the Services we provide to you is compliant with the GDPR, and any other Data Protection Laws. These terms are explained in more detail below.
[If you signed up for Services before 25 May 2018 and now wish to enter into a Data Processing Agreement with Zamzar, we have a separate Addendum available for existing customers. If you wish to receive a copy of this Addendum please contact us by emailing firstname.lastname@example.org with the subject line "Data Processing Agreement Addendum required".]
- This policy is effective from 25th May 2018
- This policy was last modified on 25th May 2018
The Terms of Service and this Data Processing Agreement (together the "Agreement") set forth the terms and conditions upon which Zamzar Ltd ("Zamzar", "we" or "our company") makes available its file conversion services ("Services" as defined in the Terms of Service) to the individual or business entity that is using or registering to use the Services, including its employees and agents ("Customer" or "you").
By registering to use our Services as a "Business" customer (selecting the "Business" Account Type when signing up for an account), or by using the Services to process the personal data of your end-users you are indicating that you agree to be bound by this Data Processing Agreement. You acknowledge and agree that Zamzar may revise this Data Processing Agreement from time to time. If we make changes, we will notify you and indicate at the top of this page the Data Processing Agreement effective date and last modification date. By continuing to access or use the Services after Zamzar makes any such modification, you agree to be bound by the terms of the modified Data Processing Agreement.
Zamzar is registered in England as a limited company (number 6463494).
In this Data Processing Agreement, unless a contrary intention is expressly stated, the following definitions shall apply:
- "Agreement" means the Terms of Service and this Data Processing Agreement.
- "Data Protection Laws" means (a) the GDPR and (b) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR, in each case, to the extent in force in the United Kingdom from time to time, and as such are updated, amended or replaced from time to time.
- "DP Regulator" means the Office of the Information Commissioner and any other governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws in the United Kingdom from time to time.
- "Terms of Service" means the Terms of Service for Zamzar's Web Application product dated 25th May 2018 between Zamzar and the Customer.
- "GDPR" means Regulation (EU) 2016/679.
- "Services" means the services as defined in the Terms of Service.
- The terms "controller", "processor" "data subject", "personal data", "personal data breach" and "processing" shall have the meaning set out in the GDPR.
2. Controller-Processor Clauses
- 2.1 The processing carried out by Zamzar on behalf of the Customer under this Data Processing Agreement shall be in respect of the types of personal data, categories of data subjects, nature and purposes, and duration, set out in the schedule.
- 2.2 Each party shall maintain records of all processing operations under its responsibility relating to this Data Processing Agreement that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
- 2.3 The Customer:
- (a) shall ensure that all instructions issued from the Customer to Zamzar are in compliance with the Data Protection Laws;
- (b) shall have sole responsibility for the accuracy, quality and legality of any personal data processed by Zamzar on its behalf and the means by which the Customer acquired such personal data shall establish the legal basis for processing under the Data Protection Laws, including providing all notices and obtaining all consents as may be required under the Data Protection Laws in order for Zamzar to process the personal data as other contemplated by this Data Processing Agreement; and
- (c) acknowledges and agrees that where standards of security have been agreed with Zamzar elsewhere in this Data Processing Agreement, such standards shall be deemed to comply with the standards required by Paragraph 2.4(c) and the Customer shall not require Zamzar to process any personal data whose nature is such that the use of any such agreed standards of security would be in breach of Paragraph 2.4(c).
- 2.4 To the extent Zamzar processes personal data on behalf of the Customer pursuant to this Data Processing Agreement, Zamzar shall:
- (a) process such personal data only in accordance with the Customer's written instructions from time to time (including those set out in this Data Processing Agreement) (including, where relevant, with regard to transfers of personal data outside of the European Economic Area) provided such instructions are lawful and save for processing which Zamzar is required to do pursuant to any applicable law (in which case, unless such law prohibits such notification on important grounds of public interest, Zamzar shall notify the Customer of the said relevant legal requirement before such processing);
- (b) take commercially reasonable steps to ensure that any members of its personnel who are authorised to have access to such personal data are committed to the confidentiality of such personal data, or are under an appropriate statutory obligation of confidentiality;
- (c) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement together with the Customer, appropriate technical and organisational measures and procedures to ensure a level of security appropriate to the risk for such personal data including the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
- (d) unless the transfer is based on an "adequacy decision", is otherwise "subject to appropriate safeguards" or if a "derogation for specific situations" applies (each within the meanings given to them in Articles 45, 46 and 49 of the GDPR respectively), not transfer, access or process any such personal data outside the European Union without the prior written consent of the Customer (not to be unreasonably withheld);
- (e) inform the Customer, without undue delay, upon becoming aware of any such personal data being subject to a personal data breach (as defined in Article 4 of the GDPR) while within Zamzar's or its sub-processors’ possession or control;
- (f) not disclose any such personal data to any data subject or to a third party other than at the written request of the Customer or as expressly provided for in this Data Processing Agreement;
- (g) except for personal data of which Zamzar is also a controller, and except to the extent applicable law requires continued storage of any such personal data by Zamzar, or to the extent reasonably necessary to defend any actual or possible legal claims, as the choice of the Customer, delete or return all such personal data to the Customer on termination or expiry of this Data Processing Agreement and not make any further use of such personal data;
- (h) (at the Customer's cost) provide to the Customer and any DP Regulator all information which is necessary to demonstrate or ensure compliance with the obligations in this paragraph 2.4;
- (i) (at the Customer's cost) permit the Customer or its representatives to access any relevant premises, personnel or records of Zamzar on reasonable notice to audit and otherwise verify compliance with this paragraph 2.4, subject to the following:
- (i) the Customer may perform such audits no more frequently than annually unless required more frequently to comply with Data Protection Laws;
- (ii) the Customer may use a third party to perform the audit on its behalf, provided that any such third party executes a confidentiality Data Processing Agreement reasonably acceptable to Zamzar preceding the audit;
- (iii) audits must be conducted during the regular business hours of Zamzar, and may not unnecessarily interfere with Zamzar's business activities;
- (iv) at the Customer's cost, the Customer will provide Zamzar with any reports generated in connection with any audit, and use them only for the purposes of complying with Data Protection Laws and/or for establishing Zamzar's compliance with the requirements of this paragraph 2.4, but shall otherwise keep any such reports confidential; and
- (v) to request an audit, the Customer must submit a detailed audit plan at least four weeks in advance of the proposed audit date describing the scope, duration and start date of the audit. If Zamzar informs the Customer of any reasonable concerns or questions, the Customer will cooperate to address such concerns;
- (j) (at the Customer's cost) take such steps as are reasonably required to assist the Customer in ensuring compliance with the Customer's obligations under Articles 30 to 36 (inclusive) of the GDPR;
- (k) notify the Customer without undue delay if it receives a request from a data subject to exercise its rights under the Data Protection Laws in relation to such personal data of that person; and
- (l) (at the Customer's cost) provide the Customer with reasonable co-operation and assistance in relation to any request made by a data subject to exercise that data subject's rights under the Data Protection Laws in relation to such personal data of that person.
- 2.5 If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of such personal data by the other party or to either party's compliance with the Data Protection Laws in relation to the processing of such personal data, it shall without undue delay notify the other party and it shall (at the cost of the requesting party) provide the other party with a commercially reasonable level of co- operation and assistance in relation to any such complaint, notice or communication.
- 2.6 Where the Customer transfers personal data to Zamzar, the Customer warrants that it has the right to transfer such personal data to Zamzar, and that it has either:
- (a) obtained all necessary consents to transfer such personal data to Zamzar at the appropriate time; or
- (b) secured another legal data processing ground, in accordance with applicable Data Protection Laws, to process such personal data and to share such personal data with Zamzar.
- 2.7 The Customer acknowledges that Zamzar is reliant on the Customer alone for direction as to the extent Zamzar is entitled to use and process the personal data. Consequently, Zamzar shall be entitled to relief from liability in circumstances where a data subject makes a claim or complaint with regards to Zamzar's actions to the extent that such actions result from (a) instructions received from the Customer or (b) a breach by the Customer of its obligations under this paragraph 2.
- 2.8 Zamzar may subcontract its processing of the Personal Data on behalf of the Customer. Zamzar shall procure that any such sub-processors enter into a written contract with Zamzar which contains obligations for the protection of the Personal Data which are no less onerous than those set out in this paragraph 2.
- 2.9 By entering into this Data Processing Agreement, the Customer is deemed to have approved the use of Zamzar's current sub-processors used to undertake processing of any personal data as at the date of this Data Processing Agreement ("Current Sub-Processors") as further detailed in the schedule. The rights afforded to the Customer in paragraphs 2.10, 2.11 and 2.12 shall not apply in relation to Current Sub-Processors.
- 2.10 Following the date of this Data Processing Agreement, Zamzar shall notify the Customer of any intention to appoint or use a new sub-processor in respect of processing of Personal Data on behalf of the Customer (which is not a Current Sub-Processor). If the Customer has a reasonable basis to object to Zamzar's use of such sub-processor, and such objection directly relates to the Customer's obligations under Data Protection Laws, the Customer shall notify Zamzar promptly in writing within one week of receipt of Zamzar's notice, giving full details of the grounds for its objection.
- 2.11 If the Customer objects to any new sub-processor in accordance with paragraph 2.10, Zamzar will use reasonable efforts to make available to the Customer an alternative solution or arrangement to avoid the processing by the relevant sub-processor of any personal data provided by the Customer, provided that:
- (a) Zamzar shall not be required to implement an alternative solution or arrangement which unreasonably burdens Zamzar; and
- (b) Zamzar shall be entitled to make a reasonable additional charge to cover the costs of implementing and operating the alternative solution or arrangement.
- 2.12 If Zamzar is unable to make available an alternative solution or arrangement within a reasonable period of time (which shall not exceed sixty days) or the Customer is unwilling to pay any charge by Zamzar to cover the costs of implementing and operating the alternative solution or arrangement, the Customer may, by written notice to Zamzar:
- (a) discontinue its use of that part of the Services which is impacted by the Customer's objection; or
- (b) terminate the Data Processing Agreement, but only in such circumstances in which it is not technically possible to discontinue only part of the Service pursuant to paragraph 2.12(a),
3. Governing law and jurisdiction
- 3.1 This Data Processing Agreement and any dispute, claim or obligation (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by English law.
- 3.2 The parties irrevocably agree that the English courts shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this Data Processing Agreement, its subject matter or formation.
The personal data processing activities carried out by Zamzar under this Data Processing Agreement may be described as follows:
1. Subject matter of processing
Zamzar's provision of the Services and related technical support to the Customer.
2. Nature and purpose of processing
To enable Customer to receive and Zamzar to provide the Services. Customer may submit Personal Data to Zamzar via the Services, and for the Customer's end-customers ("End Users") may submit Personal Data to Zamzar via the Services to be processed on the Customer's behalf, the extent of which is determined and controlled by the Customer in its sole discretion.
3. Categories of Personal Data
Personal data processed for the Customer (including personal data received from End Users) includes: IP address, name, email address, mailing address, payment information (card number, card name, card expiry, card CVV), VAT number, cookies data, web browser data, online navigation data, file names and file URLs.
4. Categories of data subjects
Any individual accessing and/or using the Services through the Customer's account, including End Users, Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
The Subscription Period as defined in clause 1.4 of the Terms of Service.
As at the date of this Data Processing Agreement, Zamzar uses the following Current Sub- Processors to undertake processing of any personal data on behalf of the Customer under this Data Processing Agreement:
- PayPal (Europe) S.à r.l. et Cie, S.C.A. (Billing / Payments)
- Amazon Web Services, Inc (Hosting)
- MacStadium, Inc (Hosting)
- Keyweb AG (Hosting)
- SoftLayer Technologies. Inc (Hosting)
- Google LLC (Advertising / Customer Support)
- WeTransfer B.V. (Customer Support)
- Habla, Inc (Customer Support)
- Slack Technologies, Inc (Customer Support)