The Customer agreeing to these terms (herein “the Customer”) and Lynsco Group Ltd T/A Callmatic (herein “the Company”) have entered into one or more Agreements or Contracts herein referred to as “the Contract” or “Contract”.
This Data Processing Agreement, as related to the products and services detailed in the Contract, will, as and from the Effective Date, be effective and replace any previously applicable data processing agreement and/or other terms previously applicable to privacy, data processing and/or data security.
In this Agreement the following expressions shall have the following meanings unless the context otherwise requires:
References to the “Data Controller” and the “Data Processor” have the meanings ascribed to those terms under Data Protection Legislation;
"Acts" means Data Protection Acts 1988 and 2003;
“Confidential Information” means any information and/or material relating to the customers, business, affairs, finances, systems, processes and/or methods of operation of either party (including Personal Data) which is disclosed by one Party to the other in connection with the operation of the Contract (whether oral or in writing and whether or not such information is expressly stated to be confidential or marked as such);
“Customer Data” means data submitted, stored, sent or received via the Services by the Customer, its Affiliates or End Users.
“Customer Personal Data” means personal data contained within the Customer Data.
“Data Protection Legislation” means any laws governing the processing, use and disclosure of personal data including (without limitation):
- a) the Data Protection Acts 1988 and 2003 in Ireland, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, EU Data Protection Directive 95/46/EC, the Data Protection (Registration) Regulations 2001, the Data Protection Act 1988 (Section 16(1)) Regulations 2007;
- b) to the extent applicable to this Agreement or the services provided pursuant to this Agreement, the data protection and information privacy laws of any other jurisdiction;
- c) any re-enactment, replacement or amendment of the laws referred to in (a) or (b) in force from time to time including the GDPR, all national implementing legislation; and
- d) all industry guidelines (whether statutory or non-statutory) or applicable Codes of Practice and Guidance Notes issued by the Data Protection Commissioner, the European Commission or European Data Protection Board relating to the Processing of personal data or privacy or any amendments and re-enactments thereof;
"Data Protection Impact Assessments" shall have the meaning provided in the GDPR;
“Data Subject”, “Personal Data”, and “Processing” shall have the same meanings set out in the Data Processing Legislation and “Process” shall be construed accordingly;
"Data Security Breach" means any known potential or actual breach of the agreed security arrangements or any obligations or duties owed by the Data Processor to the Data Controller relating to the confidentiality, integrity or availability of Confidential Information or Personal Data;
“DPA” means this Data Processing Agreement;
“Effective Date” means the date on which the Customer accepted, or the parties otherwise agreed, this DPA;
“EEA” means European Economic Area;
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
"Group" of a party means in relation to a party, that party, any Subsidiary or Holding Company of that party, and any Subsidiary of a Holding Company of that party;
"Parties" means the Company and the Customer and "Party" shall be construed accordingly;
“Personnel” of a person means (i) the officers, employees, agents and contractors (including subcontractors) of that person and the members of its Group; and (ii) the officers, employees, contractors and agents of the contractors (including subcontractors) of that person and the members of its Group;
"Prior Consultations" shall have the meaning provided in the GDPR;
"Regulator" means any regulator or regulatory body (including the Data Protection Commissioner) to which the Data Controller or a member of its Group is subject from time to time or whose consent, approval or authority is required so that the Data Controller or a member of its Group can lawfully carry on its business; and
“Security Measures” means the appropriate security measures to be taken in respect of Personal Data as more particularly described at Article 32 of the GDPR;
“Services” means the services provided by the Supplier as specified in the Contract;
“Sub-processors” means third parties authorised under this Data Processing Agreement to have logical access to and process Customer Data in order to provide parts of the Services and related technical support.
Duration of this Data Processing Agreement
This DPA will remain effective from the date agreed (Effective Date) until the date of expiry of the Contract and, notwithstanding expiry of the Contract, will remain in effect until, and automatically expire upon, the deletion of all Customer Data by the Company from all live and backup systems, software and servers.
Personal Data within our Commercial Relationship
In relation to the role of the Customer and of the Company during our normal commercial relationship, the Company is the Data Controller and the Customer is the Data Processor, as defined within the GDPR. Within the boundaries of the business relationship, the following applies:
Personal Information We Process
- a) Your employee contact details: information that allows us to contact your employees directly to allow us to administer the products and services as described within the contract – names, email addresses, telephone numbers, IP addresses and User credentials where furnished to us.
- b) Records of your discussions with our customer support teams, including call recordings: when you share comments and opinions with us, ask us questions or make a complaint, including when you phone us, we will keep a record of this. This includes when you send us emails or letters, phone our support team or contact us through social media or our website.
- c) Responses to surveys, competitions and promotions: we keep records of any surveys you respond to or your entry into any competition or promotion we run.
- d) How you use mobile applications and websites: when you use our applications or websites, we collect information about the pages you look at and how you use them, your device type, operating system and browser type.
- e) Advertising and Direct Marketing: Where you have opted in you may receive direct marketing. While you are online, you may be exposed to our digital advertising. Information about how you respond to, or interact with, any direct marketing or advertising communications directed to you, including any requests for these communications to stop.
The Legal Grounds Under Which We Process this Personal Data
We process this information solely because you are the Customer. Information described in a) and b) is essential to allow us to maintain our business relationship, and as such the legal ground for processing this data is that ‘processing is necessary for the performance of a contract to which the data subject is party’. Information described in c) through e) ensures that we monitor our customer engagement, provide multiple lines of customer support, facilitate communications and ensure we continue to grow the business commercially. All activities described in c) through e) are carried out with the user’s consent, and so the legal ground for processing this data is that ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’. The Company ensures we have the user’s consent through the various policies on the various portals, such as our website, newsletters, etc.
Personal Data within the Products and Services we Provide
Roles and Authorisations
In relation to the role of the Customer and the Company during the delivery of products and services we provide as per the Contract that is in place, the Company is the Data Processor and the Customer is the Data Controller or a Data Processor, as defined within the GDPR. The Company commits to ensuring compliance with Article 28 of the GDPR.
If the GDPR applies to the processing of Customer Personal Data and the Customer is a processor, the Customer warrants to the Company that the Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of the Company as another processor, have been authorised by the relevant Data Controller.
Scope of Processing
The Company will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Agreement.
Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
The Customer’s Instructions
By entering into this Data Processing Agreement by signing up to direct debit, Customer instructs the Company to process Customer Personal Data only in accordance with applicable law:
- a) to provide the Services and related technical support;
- b) as further specified via Customer’s use of the Services and related technical support;
- c) as documented in the form of the applicable Contract, including this Data Processing Agreement; and
- d) as further documented in any other written instructions given by Customer and acknowledged by the Company as constituting instructions for purposes of this Data Processing Agreement.
The Company’s Compliance with Instructions
As from the effective date of this DPA, the Company will comply with the instructions described in the Customer’s Instructions (including with regard to data transfers) unless EU or Irish law to which the Company is subject requires other processing of Customer Personal Data by the Company, in which case the Company will inform Customer (unless that law prohibits the Company from doing so on important grounds of public interest).
The Company’s Security Responsibilities
The Company commits to ensuring compliance with Article 32 as it applies within the scope of Article 28 of the GDPR. The Company will implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of The Company’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. The Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
The Company will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
By agreeing to this DPA, the Customer specifically authorises the engagement of Sub-processors by the Company, within the terms of this DPA and the Contract.
The Company will not transfer Customer Data outside of the EEA without the explicit written instruction of the Customer and only then within the scope permitted by Articles 44-50 of the GDPR.
The Company’s Security Assistance
The Customer agrees that The Company will (taking into account the nature of the processing of Customer Personal Data and the information available to The Company) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR.
Compliance with Data Subject Requests
Where the Customer has received a Data Subject Access Request or a Data Subject Deletion Request, the Company will comply within the scope of and as allowed by the GDPR and/or other applicable EU or Irish law to which the Company is subject and facilitate the Customer in complying with the request.
If the Company becomes aware of a Data Breach, the Company will notify the Customer promptly and without undue delay and take reasonable steps to minimise harm and secure Customer Data.
The Company will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements.
Without prejudice to the Company’s obligations relating to Data Breaches, the Customer is solely responsible for complying with data breach notification laws applicable to Customer and fulfilling any third-party notification obligations related to any data breaches.
The Company’s notification of or response to a data breach will not be construed as an acknowledgement by the Company of any fault or liability with respect to the data breach.
The Customer’s Security Responsibilities
The Customer agrees that, without prejudice to The Company’s Security Responsibilities:
- (a) Customer is solely responsible for its use of the Services, including:
  - a. making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data;
  - b. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
  - c. retaining copies of its Customer Data as appropriate; and
- (b) The Company has no obligation to protect copies of Customer Data that Customer elects to store or transfer outside of The Company’s and its Sub-processors’ systems (for example, offline or on-premise storage), unless this is specifically within the scope of the Contract.
The Customer’s Security Assessment
- (a) The Customer is solely responsible for assessing and evaluating for itself whether the Services, the Security Measures and The Company’s commitments within this DPA and the Contract will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
- (b) The Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by The Company as set out in this DPA and the Contract provide a level of security appropriate to the risk in respect of the Customer Data.
The Customer agrees to hold harmless and indemnify The Company, and its subsidiaries, affiliates, officers, agents, employees, advertisers, licensors, suppliers or partners, (collectively "The Company and Partners") from and against any third party claim arising from or in any way related to your use of The Company services, violation of the Terms or any other actions connected with use of The Company services, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and lawyers' fees, of every kind and nature. In such a case, The Company will provide you with written notice of such claim, suit or action.