Data Processing Addendum

JAKAMO DATA PROCESSING ADDENDUM. PLEASE READ CAREFULLY BEFORE REGISTRATION.

May 25, 2018

1 PURPOSE

The Data Protection Regulations require that the Processing of Personal Data by a Processor is governed by a written contract or other written legal act. Since the Jakamo Service is centrally hosted and based on a multitenant architecture, giving the Company the freedom to continuously give Jakamo instructions on how to process their Personal Data is not possible. This underlines the importance of agreeing with the Company on what these instructions are. The Parties have made this Data Processing Addendum to comply with the requirements set out in the Data Protection Regulations.

The use of the Jakamo Service is governed by the Service Agreement. This Addendum forms a part of the Service Agreement.

2 SCOPE OF APPLICATION

This Addendum applies when Jakamo Processes Personal Data on behalf of the Company under the Service Agreement.

3 DEFINITIONS

For the purposes of this Addendum:

Addendum means this Data Processing Addendum including any subsequent amendments thereto.

Controller means (i) the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; or (ii) any other controller referred to in Data Protection Regulations.

Data Protection Regulations means (i) GDPR; and (ii) other applicable and mandatory personal data protection laws including any subsequent amendments thereto.

GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) including any subsequent amendments thereto.

Personal Data means (i) any information relating to an identified or identifiable natural person (“Data Subject”); or (ii) any other personal data referred to in Data Protection Regulations.

Processing means (i) any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; or (ii) any other processing of Personal Data referred to in Data Protection Regulations.

Processor means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Sub-processor means another Processor engaged by the Processor.

Trust Center means the site of Jakamo that contains information on security, privacy, transparency and compliance relating to the Jakamo Service and to the Processing of Personal Data by Jakamo.

Other capitalized words used but not defined in this Addendum have the meaning given to them in the Service Agreement.

4 ROLES OF THE PARTIES

Because Jakamo does not determine the purposes and means of the Processing, Jakamo is not acting in the capacity of controller in terms of the GDPR and does not have the associated responsibilities under the GDPR. The Parties acknowledge that Company acts as the Controller and Jakamo acts as the Processor in terms of the Data Protection Regulations.

5 PROCESSING OF PERSONAL DATA

The Processor Processes the Personal Data in compliance with the GDPR, the Service Agreement and the other documented instructions given by the Controller to the Processor. In particular, the Processor

  • provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of the GDPR and ensure the protection of the rights of the Data Subject;
  • ensures that the Personal Data is only accessible by such Processor’s personnel who need to have access to the Personal Data in order to carry out the obligations under the Service Agreement and that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • forwards to the Controller any third party requests or inquiries that are made directly to the Processor or a Sub-processor regarding Controller’s Personal Data;
  • notifies the Controller without undue delay after becoming aware of a Personal Data breach regarding Controller’s Personal Data;
  • taking into account the nature of the Processing, assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
  • assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of Processing and the information available to the Processor;
  • makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR;
  • informs the Controller if, in its opinion, a documented instruction given by the Controller infringes the GDPR.

The Processor Processes the following types of Personal Data:

  • name;
  • contact details, such as address, email address and telephone number;
  • job related information, such as title, department, role, name of the Company;
  • account information, such as AD account, access rights and roles;
  • interaction, such as consents, preferences, settings, communication and feedback;
  • automatically collected information, such as internet protocol (IP) address or other device address, device type, the type of operating system, browser and application used, network identifiers, location, log information, access times, sites visited, features used and the Content added or viewed;
  • other types of Personal Data, if any, agreed with the Controller in writing.

The Personal Data is related to the following categories of Data Subjects:

  • Users of the Jakamo Service;
  • employees or other natural persons acting under the authority of the Company or its Partners;
  • Data Subjects whose Personal Data is added to the Service by a Company User;
  • other categories of Data Subjects, if any, agreed with the Controller in writing.

The Processor Processes Personal Data for the following purposes:

  • provision and protection of the Jakamo Service;
  • customer service;
  • communication, billing and other customer relationship management;
  • executing and verifying transactions, identification and other system maintenance;
  • product and service development;
  • inquiries and research activities;
  • performance of the Service Agreement;
  • other purposes, if any, agreed with the Controller in writing.

The Processor may Process Personal Data for other purposes if required to do so by European Union or European Union Member State law to which the Processor is subject. In such case, the Processor informs the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Controller takes necessary measures to ensure that the Processing complies with the Data Protection Regulations. The Controller shall, for example, provide Data Subjects the information required by the Data Protection Regulations in form of a privacy policy or other similar documentation.

6 DURATION OF PROCESSING

The Processor Processes the Personal Data for the duration of the services relating to Processing and in no event for longer than is necessary for the purposes for which the Personal Data is Processed.

The Processor will retain Personal Data in compliance with the Service Agreement and the other documented instructions given by the Controller to the Processor. The Processor, at the choice of the Controller, deletes or returns the Personal Data to the Controller after the end of the provision of services relating to Processing, and deletes existing copies unless European Union or European Union Member State law requires retention of the Personal Data.

7 LOCATION OF PERSONAL DATA

The Jakamo Service is an advanced information sharing service that is accessible via the internet. This means that information shared through the Service (including Personal Data) may be accessed by other Users regardless of their location. For example, a User’s name and photograph may be shown to another User in connection with the comments the User has written within the Service. However, Jakamo’s servers containing Personal Data are located, and the database is retained, within the European Union at the moment.

The Processor may transfer and otherwise Process Personal Data within the European Union or the European Economic Area in order to provide the Service. The Processor may also transfer and otherwise Process Personal Data outside the European Union or the European Economic Area in compliance with the Data Protection Regulations, unless otherwise stipulated in the documented instructions given by the Controller to the Processor. Up-to-date information on the current location of the Processing is available in the Trust Center.

The Processor may transfer Personal Data to a third country or an international organization, if required to do so by European Union or European Union Member State law to which the Processor is subject. In such a case, the Processor informs the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

If the Personal Data is Processed outside the European Union or the European Economic Area, each Party ensures for its part that the Processing complies with the Data Protection Regulations.

8 SECURITY OF PROCESSING

The Processor follows generally accepted industry standards to protect the Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor implements, for its part, appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures may include inter alia as appropriate: (i) the pseudonymisation or encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the Service; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data Processed. The Processor will review the security standards and measures from time to time in order to keep them up to date.

The Jakamo Service is protected with a password. The information in transactions is encrypted. Every User must register. Users are identified by personal passwords, which are not to be shared with anyone else. The servers and backup files are in premises that are locked and have passage control.

The Processor takes steps to ensure, for its part, that any natural person acting under the authority of Processor who has access to Personal Data does not Process them except on instructions from the Controller, unless he or she is required to do so by European Union or European Union Member State law.

The Processor ensures that there are technical and practical solutions for investigating suspicions that someone working for the Controller, the Processor or a Sub-processor has had unauthorized access to Personal Data.

The Processor allows for and contributes to inspections or other audits conducted by the Controller or an auditor mandated by the Controller in order to assess the compliance of the Processor and its Sub-processors with the Service Agreement. The audit report and any information disclosed during the audit are confidential and may be utilized only for the purpose of assessing the compliance of the Processor and its Sub-processors with the Service Agreement. The report may contain only information that is necessary for the mentioned purpose. The audit may not jeopardize the security of the Jakamo Service, the confidentiality of third-party data or any business secrets. The Processor has the right to deny the use of disreputable auditors. The Controller pays the auditor’s remuneration and costs. Otherwise, each Party is liable for its part for the audit costs.

9 SUB-PROCESSORS

The Processor may use Sub-processors. Up-to-date information on Processor’s Sub-processors is available in the Trust Center.

The Controller authorises the Processor to use the following Sub-processors:

  • Jakamo’s affiliates, if any;
  • Microsoft Corporation and its affiliates.

If the Processor uses a Sub-processor not mentioned above, the Processor informs the Controller of any intended changes concerning the addition or replacement of such Sub-processors in the Trust Center. If the Controller does not approve the change, the Controller has the right to terminate the Service Agreement.

Where the Processor uses a Sub-processor, (i) the assignment must be governed by a written contract or other written legal act; and (ii) the same data protection obligations as set out in the Service Agreement must be imposed on the Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the GDPR.

The Processor is responsible for the performance of its Sub-processors, its employees or other natural persons acting under the authority of Processor as for its own performance in accordance with the Service Agreement.

10 MISCELLANEOUS

If the Controller gives the Processor instructions that cause additional costs to the Processor, the Processor is entitled to additional remuneration. The Processor informs the Controller of any such costs in advance.

Jakamo may provide information on Processing, Sub-processors, security, privacy, transparency or compliance in the Trust Center. Jakamo will not usually send any email or other message regarding the updates of information in the Trust Center. Jakamo keeps the information in the Trust Center up to date, and the Company is advised to visit the Trust Center on a regular basis.

In the event of any discrepancy between this Addendum and the Jakamo Service Terms, this Addendum prevails regarding Processing and Personal Data.

A Party provides to the other Party its contact details and, where applicable, those of the Party’s representative and the data protection officer, as well as any amendment thereto, in writing and without delay.