1. General Terms

(a) To the extent that WiSoft Professional Services processes personal data:

(i) comprised in or related to video survey Requests; and

(ii) content of, and information comprised in or related to WiSoft Professional Services’s services and products

(together, WiSoft Professional Services Customer Personal Data), each party acknowledges and agrees that for the purpose of Data Protection Laws, the WiSoft Professional Services Customer is the controller of the WiSoft Professional Services Customer Personal Data and WiSoft Professional Services is the processor of the WiSoft Professional Services Customer Personal Data.

(b) The WiSoft Professional Services Customer shall comply with its obligations as controller of the WiSoft Professional Services Customer Personal Data (including, without limitation, any obligation under Data Protection Laws to obtain Contributor consent to the processing of WiSoft Professional Services Customer Personal Data) and shall be liable to WiSoft Professional Services for any failure of WiSoft Professional Services Customer to comply with any such obligations.

(c) WiSoft Professional Services shall implement appropriate technical and organisational measures to the intent that processing should meet the requirements of Data Protection Laws as to the protection of the rights of the data subject.

(d) The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the WiSoft Professional Services Customer in relation to the processing are as set out or implied in these WiSoft Professional Services Customer Data Processing Terms, the SocrateCloud Agreement, other WiSoft Professional Services products Agreements and the WiSoft Professional Services Privacy Policy.

(e) WiSoft Professional Services shall:

(i) process WiSoft Professional Services Customer Personal Data as permitted under or to comply with its obligations under these WiSoft Professional Services Customer Data Processing Terms (including in the provision of the WiSoft Professional Services service) and otherwise in accordance with the instructions of the WiSoft Professional Services Customer as stated in these WiSoft Professional Services Customer Data Processing Terms and the WiSoft Professional Services Agreement; and

(ii) assist the WiSoft Professional Services Customer at the WiSoft Professional Services Customer’s expense with undertaking an assessment of the impact of processing that WiSoft Professional Services Customer Personal Data, and with any consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Protection Laws.

2. Data Subject Rights

WiSoft Professional Services shall:

(a) implement technical and organisational measures intended to assist in the fulfilment of the WiSoft Professional Services Customer’s obligation to respond to requests by data subjects to exercise their rights of access, rectification or erasure, to restrict or object to processing of WiSoft Professional Services Customer Personal Data, or to data portability; and

(b) if a data subject makes a written request to WiSoft Professional Services to exercise any of the rights referred to in paragraph 2(a) above, forward the request to the WiSoft Professional Services Customer promptly and shall, upon the WiSoft Professional Services Customer’s reasonable written request, provide the WiSoft Professional Services Customer with such co-operation and assistance as is reasonably requested by the WiSoft Professional Services Customer in relation to that request with the object of assisting the WiSoft Professional Services Customer to respond to it.

3. Security measures

WiSoft Professional Services shall:

(a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures intended to provide a level of security appropriate to the risk of unauthorised or unlawful processing of WiSoft Professional Services Customer Personal Data, and of accidental or unlawful loss, alteration, unauthorised disclosure or destruction of, or damage to, WiSoft Professional Services Customer Personal Data; and

(b) notify the WiSoft Professional Services Customer without undue delay after becoming aware of a personal data breach, and upon the WiSoft Professional Services Customer’s reasonable written request provide the WiSoft Professional Services Customer at the WiSoft Professional Services Customer’s expense with such co-operation and assistance as is reasonably requested by the WiSoft Professional Services Customer with the object of assisting the WiSoft Professional Services Customer to notify the personal data breach to the relevant supervisory authority and relevant data subject(s) (as applicable).

4. Sharing of WiSoft Professional Services Customer Personal Data

WiSoft Professional Services’s third party processors of WiSoft Professional Services Customer Personal Data (Subprocessors) are identified in the Schedule to these Customer Data Processing Terms.

WiSoft Professional Services shall:

(a) when engaging a new Subprocessor, inform the WiSoft Professional Services Customer of the engagement at least 30 days prior to the Subprocessor commencing the processing of WiSoft Professional Services Customer Personal Data, notifying the WiSoft Professional Services Customer of the identity of the Subprocessor and its role, by email to support@WiSoft Professional Services.com;

(b) be deemed to grant the WiSoft Professional Services Customer the right to object to such new Subprocessor by terminating the Agreement in accordance with clause 7c. of the Agreement (subject to the other provisions of that clause 7 and the Agreement), such right of termination being the WiSoft Professional Services Customer’s entire and exclusive remedy if it objects to a new Subprocessor;

(c) enter into a contract with each Subprocessor on terms appropriate to the requirements of Data Protection Laws; and

(d) ensure that its employees who have access to WiSoft Professional Services Customer Personal Data have committed to confidentiality obligations.

5. Transfers of WiSoft Professional Services Customer Personal Data

(a) Save as permitted pursuant to paragraph 4 above, WiSoft Professional Services shall not transfer WiSoft Professional Services Customer Personal Data to, or process WiSoft Professional Services Customer Personal Data in, any country outside the European Economic Area without the prior written consent of the WiSoft Professional Services Customer (such consent not to be unreasonably withheld or delayed) unless (and for so long as):

(i) there has been a European Community finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC or, after 24 May 2018, Article 45 of the GDPR in respect of that country or territory;

(ii) the transfer is to the United States to an importing entity that is a certified member of the EU-US Privacy Shield; or

(iii) the WiSoft Professional Services Customer or WiSoft Professional Services and the relevant importing entity are party to a contract in relation to the export of WiSoft Professional Services Customer Personal Data meeting the then-current requirements of Data Protection Laws and these WiSoft Professional Services Customer Data Processing Terms.

(b) Where any mechanism for cross-border transfers of WiSoft Professional Services Customer Personal Data is found by a supervisory authority, court of competent jurisdiction or other governmental authority to be an invalid means of complying with the restrictions on transferring WiSoft Professional Services Customer Personal Data to a third country or territory as set out in Data Protection Laws, the parties shall act in good faith to agree the implementation of an alternative solution to enable the WiSoft Professional Services Customer to comply with the provisions of Data Protection Laws in respect of any such transfer.

6. Compliance

(a) WiSoft Professional Services shall at WiSoft Professional Services Customer’s expense:

(i) upon WiSoft Professional Services Customer’s written request provide all information reasonably required to demonstrate its compliance with Article 28 of the GDPR;

(ii) allow for and contribute to audits conducted by or on behalf of WiSoft Professional Services Customer relating to the processing of WiSoft Professional Services Customer Personal Data by WiSoft Professional Services;

(iii) provide all co-operation and assistance reasonably requested by WiSoft Professional Services Customer in connection with:

(A) assisting WiSoft Professional Services Customer in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, taking into account the nature of WiSoft Professional Services’s processing and the information available to WiSoft Professional Services;

(B) the undertaking of any assessment by WiSoft Professional Services Customer of the impact of processing WiSoft Professional Services Customer Personal Data; and

(C) any consultations conducted by WiSoft Professional Services Customer with any supervisory authority under Data Protection Laws.

(b) The WiSoft Professional Services Customer shall:

(i) comply with all applicable laws (including Data Protection Laws), and rights of third parties, that relate to WiSoft Professional Services Customer Personal Data;

(ii) comply with all of its obligations as Customer of Customer Personal Data; and

(iii) ensure that it is and shall remain entitled to authorise the processing by WiSoft Professional Services and other processors engaged by WiSoft Professional Services of Customer Personal Data in connection with the WiSoft Professional Services service.

7. Termination/expiry

(a) Unless expressly stated otherwise in these WiSoft Professional Services Customer Data Processing Terms, upon termination of the WiSoft Professional Services Customer’s participation in the WiSoft Professional Services service, WiSoft Professional Services shall, and shall procure that each processor engaged by WiSoft Professional Services to process WiSoft Professional Services Customer Personal Data shall, cease as soon as is reasonably practicable to use the WiSoft Professional Services Customer Personal Data and delete the WiSoft Professional Services Customer Personal Data unless required or entitled to retain a copy in accordance with any law of the European Union or any member state of the European Union or permitted to retain or continue processing the WiSoft Professional Services Customer Personal Data under any provision of these WiSoft Professional Services Customer Data Processing Terms.

(b) On expiry of the WiSoft Professional Services Customer’s participation in the WiSoft Professional Services service these WiSoft Professional Services Customer Data Processing Terms shall survive and continue in full force and effect.

8. Definitions

In these WiSoft Professional Services Customer Data Processing Terms:

(a) Data Protection Laws include (i) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) and the Directive on Privacy and Electronic Communications (2002/58/EC), (ii) their successors or replacements, and (iii) any legislation implementing or modifying any of them in the United Kingdom;

(b) controller, data subject, personal data, personal data breach, processor and processing shall each bear the meanings given to them in the GDPR;

(c) Words and phrases defined in the WiSoft Professional Services Agreement or the WiSoft Professional Services Privacy Policy have the same meaning in these WiSoft Professional Services Customer Data Processing Terms.

Schedule: Processors

The Customer confirms that the following general authorisations of processors are authorised for use by WiSoft Professional Services:

Hosting and Infrastructure Service providers, including:

Amazon Web Services (Amazon Web Services EMEA, Luxembourg): Cloud infrastructure, Storage, Data Processing

MongoDB (MongoDB Ltd, Dublin, Ireland): Storage and Data Processing

Google (Google Ltd Dublin, Ireland): Google Analytics

Intercom (Intercom, San Francisco, CA, USA): Chat and support services

Loggly (Loggly Inc, San Francisco, CA, USA): Application Logs management