Oikos Digital Ltd - Data Processing Agreement

Data Protection Legislation:  all applicable data protection laws including General Data Protection Regulation ((EU) 2016/679) ("GDPR") and any applicable national data protection legislation, regulations and secondary legislation from time to time in force in the jurisdiction of the Controller and/or the Processor relating to the processing of Personal Data, and where relevant the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

All definitions used in this clause shall have the definition set out in the Data Protection Legislation.

In this document, “you” and “your” refers to either yourself if you are the controller, or the organisation you represent if it is the data controller.

Oikos Digital Ltd and you acknowledge that you are the controller and Oikos Digital Ltd is the processor and that you retain control of the Personal Data and remain responsible for its compliance obligations under Data Protection Legislation. Oikos Digital Ltd may process the Personal Data categories and Data Subject types set out in Schedule 1 of this Agreement. Each party agrees to comply with all applicable requirements of the Data Protection Legislation.

The Processor shall:

• implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Legislation and ensure the protection of the rights of the Data Subject;
• only authorise a third party (“sub-processor”) to process the Personal Data if (i) the the sub-processor fits into one of the categories set out in Schedule 1 and (ii) the Processor has ensured that the sub-processor has a similar degree of security of data to the Processor as described in the Processor’s privacy policy and (iii) the Processor maintains control over all Personal Data it shares with the sub-processor and (iv) the Processor ensures that the sub-processor does not process the Personal Data except on instructions from the Data Controller (unless required to do so by Union or Member State law);
• where the controller has provided prior general written authorisation for the appointment of sub-processors, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the controller the opportunity to object to such changes. If the controller so objects, the processor shall immediately terminate the appointment of such sub-processors. If the processor fails to terminate the appointment of such sub-processors, the controller may terminate the services agreement with immediate effect without any liability.
• process the Personal Data only on documented instructions from the Controller, unless required to do so by Data Protection Legislation to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
• ensure that persons authorised to process the personal data (such as its employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Controller, to ensure a level of security appropriate to the risk (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Natural Persons) including, where appropriate, the pseudonymisation and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing. Account shall also be taken of the risks that are presented by the processing in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;
• taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights set out in Chapter III of the GDPR;
• assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 of the GDPR (data breach) taking into account the nature of processing and the information available to the Processor;
• at the choice of the Controller, delete or return all the Personal Data to the Controller after the termination or expiry of this Agreement and delete existing copies (unless Union or Member State law requires storage of the Personal Data);
• make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
• assist the Controller in ensuring compliance with the requirement to carry out Data Protection Impact Assessments as set out in Article 35 of GDPR, taking into account the nature of processing and the information available to the Processor;
• immediately inform the Controller, if in the opinion of the Processor, an instruction from the Controller infringes Data Protection Legislation;
• promptly comply with any request by or instruction from the Controller to process the Personal Data, or to stop, mitigate or remedy any unauthorised processing;
• keep all Personal Data confidential and not disclose such data to third parties unless specifically authorised in writing by the Controller or as required by law. If the Processor is required by law, court, regulator or supervisory authority to process or disclose any Personal Data, the Processor will first inform the Controller of this and allow the Controller to object or challenge the requirement, unless the law prohibits the Processor from informing the Controller;
• not transfer or otherwise process Personal Data outside the European Economic Area (EEA) without obtaining the Controller’s prior written consent (except where the Processor is required to transfer such data by Union or Member State law, in which case the Processor shall inform the Controller of such legal requirement before processing takes place, unless any law prohibits such disclosure on important grounds of public interest) and (i) there is an appropriate safeguard or derogation for such transfer in accordance with part V of the GDPR;

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Subject matter of processing:

Personal information stored on/in the Controller's website, web application, mobile application, database or IT systems that we host and/or support and any associated files or databases.

Duration of Processing:

For website hosting, the Processor will keep data for the duration of the hosting agreement. At the end of a hosting agreement backups of data may exist and these may take a short time (normally a month) to expire and be erased.

For website migrations/moves the Processor will keep the data only until we are sure that the migration or move has been successful. Backups of data may exist and these may take a short time (normally a month) to expire and be erased.

For copies of websites taken for development, maintenance and support work the Processor will try to anonymise personal data in the copy of the website. Where this is not possible or practical, the Processor will keep the data for the duration of the work being carried out. On completion of the work backups of the data may exist and these may take a short time (normally a month) to expire and be erased.

For other data: the Processor will try to minimise all other processing of the Personal Data, but sometimes work requests involve specific individuals. In these cases the Processor will only process the data for as long as is needed to carry out the requested work, unless there is a specific legal or regulatory reason to process it for longer.

Nature and purpose of processing

The Processor will process the Personal Data in order to:

• host the Controller's website, web-based or mobile application, or database
• move the Controller's website, web-based or mobile application, database, media or other files and data to a new host or server, or to provide the Controller with an archive of it
• carry out work requests involving the Controller's website, web-based or mobile application, database, social media or other IT systems

Data Subject Types

• Any person accessing and/or using the Online Services through the controller’s account ("users") - usually the Controller's own internal and external users of the Online Services
• Any person: (i) whose personal data is stored on or collected via the services, or (ii) to whom users engage or communicate with via the services - usually the Controller's clients, users, website visitors, and contacts

Personal Data Categories

These may include, but not be limited to:

• user logins, email addresses, (encrypted) passwords, addresses, and any other data stored in user profiles
• eCommerce purchase records, file download records, or event booking records
• data submitted in forms to the Online Services
• any personal data present in content stored in the Online Services or in the Controller's social media accounts
• comments and personal data associated with comments
• user tracking and analytics
• online identifiers such as session cookie identifiers and IP addresses
• emails that you send and receive (if the Processor hosts the Controller's email or provides support with the email service)
• contacts and calendar entries (if the Processor hosts these services or helps with the Controller's IT systems)
• documents and media items

 Security Measures

The Processor takes the following security measures as a minimum:

• use of long, strong, random passwords and not re-using passwords across services
• generating and storing passwords in an advanced, secure password vault tool
• use of 2-factor authentication for services where available
• ensuring that employees’ computers have encrypted disks, and are backed up to password-protected, encrypted, external disks that are stored in a safe
• protecting the office using a night-vision, motion sensing camera
• using HTTPS where possible for client sites and advising clients on good security practices
• endeavouring to keep software up to date, while being aware that major software releases may contain new flaws and therefore require caution
• when travelling or at home employees are instructed to keep laptop screens locked when away from them and to ensure that equipment is secure at all times
• being alert and cautious about emails and phone calls that may be malicious
• aiming to be highly knowledgable about online security and trying to stay up to date with the latest threats

Sub-processor categories

• Shared hosting companies
• Virtual Private Server or Cloud Computing companies
• Service providers who provide email, IT, storage, online document systems, backups, project management and other business-related services.