GDPR: Data Processing Addendum
EFFECTIVE AS OF MAY 25, 2018
Evidence Prime is committed to complying with the General Data Protection Regulation (“GDPR”) and to enabling our customers to comply with it. We follow a strict Privacy by Design framework and maintain a robust privacy and security program that we continually assess and improve. We understand the GDPR has robust requirements and obligations for both data controllers and data processors and we are committed to helping our customers use Evidence Prime products and Services in a compliant manner. Our DPA is available below so that our customers can be confident that their data is processed in a lawful and transparent manner.
and Terms of Service
If the Customer entity entering into this DPA has executed an order form or statement of work with Evidence Prime pursuant to the Agreement (an “Ordering Document”), but is not itself a party to the Agreement, this DPA is an addendum to that Ordering Document and applicable renewal Ordering Documents. If the Customer entity entering into this DPA is neither a party to an Ordering Document nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Evidence Prime Products and Services to Customer pursuant to the Agreement, Evidence Prime may process personal data on behalf of Customer. Evidence Prime agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to Evidence Prime or collected and processed by or for Customer through the Evidence Prime Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
Data Processing Terms
In this DPA, “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation (Regulation (EU) 2016/679)), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction. The terms “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation.
The parties agree that Customer is the data controller and that Evidence Prime is its data processor in relation to personal data that is processed in the course of providing Evidence Prime Products and Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Evidence Prime pursuant to the Agreement.
The subject-matter of the data processing covered by this DPA is Evidence Prime Products and Services ordered by Customer either through GRADEpro website (https://gradepro.org/licences/) or through an Ordering Document https://www.chargebee.com or as additionally described in the Agreement or the DPA. The processing will be carried out until the term of Customer’s ordering of the Application Services ceases.
In respect of personal data processed in the course of providing Evidence Prime Products and Services, Evidence Prime:
- Shall process the personal data only in accordance with the documented instructions from s DPA or the Agreement or as otherwise notified by Customer to Evidence Prime). If Evidence Prime is required to process the personal data for any other purpose provided by applicable law to which it is subject, Evidence Prime will inform Customer of such requirement prior to the processing unless that law prohibits this on
- Shall notify Customer without undue delay if, in Evidence Prime's opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
- Shall implement and maintain appropriate technical and organisational measures designed to protect the personal data against unauthorised or unlawful processing and against accidental or unlawful loss, destruction, damage, theft, alteration, access or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
- May hire other companies to provide limited services on its behalf, provided that Evidence Prime complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Evidence Prime has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Evidence Prime remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Evidence Prime transfers personal data will have entered into written agreements with Evidence Prime requiring that the subcontractor abide by terms substantially similar to this DPA. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Evidence Prime's reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Evidence Prime, terminate the Agreement.
- Shall ensure that all Evidence Prime personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this Clause.
- At the Customer’s request, shall use commercially reasonable efforts, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data).
- Shall take reasonable steps at the Customer’s request to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Evidence Prime.
- May transfer personal data from the EEA to the US for the purposes of this DPA. Evidence Prime agrees it will provide at least the same level of privacy protection for EU Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks. Note that Evidence Prime is a Polish company and that the Privacy Shield framework is for EEA businesses.
- Shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Evidence Prime in connection with the provision of Evidence Prime Products and Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Evidence Prime is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (a) the provision by Evidence Prime of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (b) interviews with Evidence Prime’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Evidence Prime’s IT system, data hosting sites or centers, or infrastructure will be permitted. Before the commencement of any such audit, Customer and Evidence Prime shall mutually agree upon the scope, timing, and duration of the audit. Customer shall promptly notify Evidence Prime with information regarding any non-compliance discovered during the course of an audit. Customer may not audit Evidence Prime more than once annually. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Evidence Prime expends for any such audit, in addition to the rates for services performed by Evidence Prime.
- If Evidence Prime becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Evidence Prime in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Evidence Prime shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
- Evidence Prime shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Data Processing Activities
The provision of Evidence Prime Products and Services by Evidence Prime to Customer.
This DPA shall remain in effect as long as Evidence Prime carries out Personal Data processing operations on behalf of Customer or until the termination of the Evidence Prime Contract (and all Personal Data has been returned or deleted in accordance with Section 8 above).
Last Updated: Jul. 24, 2019