aCommerce Data Protection Agreement
Both Parties declare that they have (i) fulfilled all obligations applicable to the Processing of Personal Data (including the information of any natural person who is directly or indirectly identifiable through the Personal Data processed under this Agreement (“Data Subject”)) and (ii) the Processing of Personal Data herein is compliant with relevant Data Protection Regulations.
Definitions
Processing / Process means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller means any legal entity which determines the purposes and means of the Processing of Personal Data.
Data Processor means any legal entity which processes Personal Data on behalf of, or in accordance with, the instructions the Data Controller.
Sub-processor: means any legal or natural person, including any agents and intermediaries, processing personal data on behalf of the Data Processor
Processing of Personal Data by aCommerce
aCommerce expressly acknowledges that Personal Data Processed under this Agreement is and remains Client’s property.
The Client as Data Controller further assures that all the required consents have been obtained from such Data Subject and the Data Controller shall remain solely responsible for its actions and instructions, under all the relevant laws.
In consideration of the nature of the Services, Parties hereby state and agree that:
– should aCommerce Process any Personal Data on the Client’s behalf or instructions, aCommerce shall be deemed acting as the Data Processor and the Client acting as the Data Controller
– aCommerce shall collect, use, and process data, and transfer such data to third party service providers acting as Sub-processors only to the extent required for successful completion of its obligations under this Agreement.
– aCommerce shall ensure that the Sub-processors are bound by data protection obligations compatible with those of aCommerce under this Appendix, shall supervise compliance thereof, and must in particular impose on its Sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Data protection Regulations.
Personal Data shall not be Processed other than the purposes provided under this Agreement. Consequently, aCommerce undertakes to comply and ensure compliance by its employees and Sub-processors with the following commitments:
– Grant access to personal data only to authorized employees as required for the service, and ensure regular and suitable training regarding its obligations under this Appendix.
– Except as required by the law, comply with (i) Client’s data retention instructions and erase or archive Personal Data accordingly and (ii) any other specific obligations which may apply upon termination of the Agreement;
– Ensure compliance with the highest industry best practices and recommendations that have been, or may be, issued in relation to the Parties’ respective business field;
– Take any appropriate technical and organizational measures to ensure the security and the confidentiality and safeguard of Personal Data against unlawful disclosure or unauthorized processing or accidental loss, alteration, destruction of, or damage to Personal Data. Said measures and safeguards shall at least ensure a level of security as is appropriate and proportionate to the risk exposure resulting from Personal Data unlawful disclosure, unauthorized processing of or accidental loss, destruction, damage or alteration;
– Notify the Client as soon as possible, (and at the latest within a week) of the nature and scope of any failure(s) to the above obligations that aCommerce is aware of or suspects and assist the Client, in the setting up of any action permitting to address them. Such assistance may or may not be chargeable depending on the source of failure and etc; and
– If any request is made by any third party (including government bodies or law enforcement agencies) to access Personal Data processed by aCommerce, notify the Client of such information request within seven (7) business days after receiving such request and, if required by the Client, permit Client to handle such information request.