Your privacy is very important to us. Below we explain what information we collect from you, what we do with that information and our information security policy. This Data Privacy Policy governs the processing of personal data on behalf of the customer (the “Data Controller”) by UVUMBUZI SYSTEMS INTERNATIONAL Limited/ SARL (the “Data Processor”), in which the parties have agreed to the terms of the provision of services by the Data Processor to the Data Controller (the “Main Services”).
Legislation
The Privacy Policy shall ensure that the Data Processor complies with applicable data protection and privacy legislation (the “Applicable Law”), including: Directive 95/46/EF of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as implemented in Danish law with, inter alia, the Personal Data Processing Act (Act No. 429 of 31 May 2000). Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which entered into force on 24 May 2016 and will be applicable on 25 May 2018 (“GDPR”). Regardless of the general use and reference to the GDPR in this Privacy Policy, the parties are not required to comply with the GDPR until May 25, 2018.
Hosting of the platform and storage of the data
Processing of Personal Data
As part of Data Processor’s provision of the Core Services to Data Controller, Data Processor will process certain categories and types of Personal Data of Data Controller on Data Controller’s behalf. “Personal Data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, Article 4(1)(1) (“Personal Data”). The categories and types of Personal Data processed by the Processor on behalf of the Processor are listed in Sub-Appendix A. The Processor only performs those processing activities that are necessary and relevant to perform the Core Services. The parties shall update Sub-Appendix A whenever changes occur that require an update. The Data Processor has and maintains a register of processing activities in accordance with Article 32 (2) of the GDPR. The Data Processor processes personal data about the Data Controller and the Data Controller’s employees in the context of the Data Processor’s sales, marketing and product development. This personal data is not included in this data processing agreement, as the Data Controller is the data controller for said personal data, and reference is made to the Data Controller’s data protection and privacy policy available on the Data Controller’s website.
Instructions
The Data Processor may only act and process personal data in accordance with the documented instructions of the Data Controller (the “Instructions”). The instruction, at the time of entering into this outsourcing agreement, is that the Data Processor may only process personal data for the purpose of providing the main services described in the main agreement. The Data Processor warrants that the Personal Data transferred to the Data Processor shall be processed by the Data Processor in accordance with Applicable Law, including legislative requirements regarding the lawfulness of processing. The Data Processor shall notify without undue delay if the Data Processor considers that the current Instruction is in conflict with Applicable Law.
The obligations of the data controller
Confidentiality:
The Data Processor shall treat all Personal Data as strictly confidential information. Personal Data may not be copied, transferred or otherwise processed in contradiction to the Instruction, unless the Data Controller has consented in writing. Employees of the Data Processor are subject to an obligation of confidentiality which ensures that employees will treat all Personal Data under this Data Processor Agreement with strict confidentiality.
Security:
- The Data Processor shall implement appropriate technical and organizational measures as defined in this Agreement and applicable law, including in accordance with Article 32 of the GDPR.
- The Data Processor shall ensure that access to Personal Data is limited to only those employees to whom it is necessary and relevant to process Personal Data in order for the Data Processor to perform its obligations under the Master Agreement and this Data Processor Agreement.
- The Data Processor shall also ensure that the Data Processor’s employees who process the Personal Data only process the Personal Data in accordance with the Instruction.
- The Data Processor shall provide documentation of the Data Processor’s security measures if requested in writing by the Data Controller. Data Protection Impact Assessments and Prior Consultation If the assistance of the Data Processor is necessary and relevant, the Data Processor shall assist the Data Controller in preparing Data Protection Impact Assessments pursuant to Article 35 of the GDPR, as well as any prior consultation pursuant to Article 36 of the GDPR. Rights of Data Subjects If the Data Controller receives a request from a Data Subject for the exercise of the Data Subject’s rights under applicable law and the correct and legitimate response to such a request requires the assistance of the Data Controller, the Data Controller shall assist the Data Processor by providing the necessary information and documentation.
- The Data Processor shall have a reasonable time to assist the Data Processor in responding to such requests in accordance with applicable law. If the Data Processor receives a request from a Data Subject for the exercise of the Data Subject’s rights under Applicable Law and such request relates to the Data Processor’s Personal Data, the Data Processor shall immediately forward the request to the Data Processor.
Personal Data Breaches
- The Data Processor shall immediately notify the Data Controller if a data security breach occurs, in particular a breach that may result in the destruction, loss, alteration, unauthorized disclosure of, or accidental or unlawful access to personal data transmitted, stored or otherwise processed.
- The data controller must maintain a log of all personal data breaches. The log shall include, at a minimum, the following: A description of the nature of the Personal Data Breach, including, if possible, the categories and approximate number of Affected Persons and the categories and approximate number of affected Personal Data records. A description of the likely and actual consequences of the Personal Data Breach. A description of the steps the data controller has taken or proposes to take to address the Personal Data Breach, including, if applicable, steps taken to mitigate its adverse effects. The personal data breach log shall be provided to the data controller in copy if the data controller or the relevant data protection agency requests it in writing.
Documents evidencing compliance:
- The Data Processor shall provide, upon written request by the Data Controller, documentation evidencing the following:
- the Data Processor is in compliance with its obligations under this Data Processing Agreement and the Instruction; and
- the Data Processor complies with applicable law with respect to the processing of the Data Controller’s Personal Data. The Data Processor’s compliance documentation shall be provided upon request within a reasonable time.
Location of Personal Data:
- The Data Processor will transfer, process and store Personal Data in the US dedicated server. Any transfer of Personal Data to third countries or international organizations in the future will only be made to the extent that such transfer is permitted and made in accordance with applicable Law.
Obligations of the Data Controller
Data Controller agrees that: it will comply with its obligations as a Data Controller under the Data Protection Laws with respect to its processing of Personal Data and any processing instructions it gives to the Data Processor; and it has provided notice and obtained (or will obtain) all necessary consents and rights under the Data Protection Laws for the Data Processor to process Personal Data and provide the Principal Services in accordance with the Agreement and this DPA.
Subprocessors
The Data Processor is given general permission to engage third parties to process Personal Data (“Subprocessors”) without obtaining further specific written permission from the Data Processor. The data controller must enter into a written agreement with any sub-processor. Such agreement shall, at a minimum, provide for the same data protection obligations that apply to the Data Processor, including the obligations set forth in this Data Processing Agreement. The Data Processor shall continuously monitor and control its Subcontractors’ compliance with applicable law.
Duration of the Data Processing
The Data Processing Agreement remains in effect until the main agreement is terminated.
Personal Data
The Data Processor processes the following types of Personal Data in connection with its provision of the Main Services: Ordinary contact details of relevant employees from the Data Processor. Users of the Principal Services: names, telephone numbers, emails, addresses and IP. Personal data provided by users in connection with their use of the Principal Services.
Categories of data subjects
The Data Controller processes Personal Data concerning the following categories of data subjects on behalf of the Data Controller: Customers End Users and Platform vendors.
Legal notice
We reserve the right to disclose your personally identifiable information if required to do so by law and if we believe that such disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order or legal process served on our website.
Security
The security of your personal information is important to us. We follow generally accepted industry standards to protect personal information submitted to us, both during transmission and after receipt. No method of transmission over the Internet, or method of electronic storage, is 100% secure, but we have taken every measure possible to secure your information. This website is protected by the Secure Sockets Layer (SSL) protocol to protect your information. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
Termination
The Data Processor’s authorization to process Personal Data on behalf of the Data Processor is terminated upon termination of this Data Processing Agreement. The Data Processor shall continue to process Personal Data after the termination of the Data Processing Agreement to the extent necessary and required under Applicable Law. During the same period, the Data Processor is allowed to include the Personal Data in the Data Processor’s backup. Upon termination of this Data Processor Agreement, the Data Processor and its Contractors shall return to the Data Processor the Personal Data processed under this Data Processor Agreement, provided that the Data Processor is not already in possession of the Personal Data.
Changes to this Privacy Statement
If we decide to change our privacy policy, we will post those changes in this privacy statement and in other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We reserve the right to change this privacy statement at any time, so please review it frequently. If we make any material changes to this policy, we will notify you here. For more information, please feel free to send your questions via our contact form.