GDPR Contract Addendum
By using our service you agree to be bound by these conditions.
Either you and/or your affiliates, including subsidiaries and holding companies (collectively “you” and “your”), receive services from M247 Ltd (trading as eHosting) (“M247”).
The terms set out below are to be read in conjunction with the terms of service which you will find on the website of eHosting and you and M247 agree to comply with the General Data Protection Regulation.
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Processing” have the same meanings given to those terms in the Data Protection Legislation;
“Data Protection Legislation” means the DPA, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2016, the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy from time to time including the General Data Protection Regulation (EU) 2016/679 such legislation as amended by the DP Brexit Regulations and renamed the UK GDPR;
“DPA” means the Data Protection Act 2018 (as amended) and any successor legislation;
“Processing Details” means the processing details set out in the Annex, which sets out the scope, nature and purpose of Processing by M247, the duration of the Processing, the types of Personal Data and the categories of Data Subject;
“Subprocessor” means any person (including any third party, but excluding an employee of M247) appointed by or on behalf of M247 to process Personal Data on your behalf.
“Working Day” means any day excluding Saturdays, Sundays and the usual bank holidays in England.
1. You and M247 and our respective employees shall observe the requirements of the Data Protection Legislation and shall comply with any request made or direction given to the other which is directly due to the requirements of the Data Protection Legislation.
2. You and M247 agree that for the purposes of the Data Protection Legislation you shall, in respect of all your data which is Personal Data, be the Data Controller and M247 shall be the Data Processor.
3. You confirm that any Personal Data supplied to M247 has been collected and disclosed in accordance with the Data Protection Legislation and M247 is entitled to process the Personal Data.
4. The Processing Details sets out the scope, nature and purpose of Processing by M247, the duration of the Processing, the types of Personal Data and the categories of Data Subject. You will keep us updated as to the types of Personal Data and categories of Data Subjects that may be included in the processing of Personal Data on your behalf.
5. M247 shall take all measures required pursuant to Article 32 GDPR and also appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. M247 shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. M247 shall not transfer any Personal Data outside of the European Economic Area unless you have given us prior written consent. M247 shall comply with reasonable instructions notified to M247 in advance by you with respect to the processing of Personal Data.
7. M247 shall assist you, at your cost, with all Data Subject access requests under the Data Protection Legislation which may be received from the Data Subject of any Personal Data forming part of your data.
8. M247 shall notify you without undue delay of and about any actual incident of unlawful destruction or accidental loss or disclosure or access to your data that may include Personal Data.
9. M247 shall make available to you all information reasonably necessary to demonstrate compliance with its obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you. Notwithstanding such rights M247 may, in its absolute discretion, use independent third party auditors to verify the adequacy of the security controls that apply to the services we provide to you and M247’s compliance with its obligations under the provisions contained in this Addendum.
10. On your written direction, M247 shall delete or return to you, at your cost, all Personal Data on termination of the contract between us unless M247 is required by any law to store the Personal Data.
11. You and M247 each agree the following provisions so far as they relate to Subprocessors:
(i) You authorise M247 to appoint (and permit each Subprocessor to appoint) Subprocessors in accordance with this paragraph 11.
(ii) M247 may continue to use those Subprocessors already engaged by M247 as at 25th May 2018.
(iii) M247 shall ensure its agreements with Subprocessors incorporate terms similar to the data protection provisions contained in this Addendum.
(iv) M247 shall give you as much notice as is reasonably practicable of the appointment of any new Subprocessor including details of the processing to be undertaken. If, within 5 Working Days of receipt of this notice, you notify M247 in writing of any objections (on reasonable grounds) to the proposed appointment, M247 and you shall work together in good faith to make available any commercially reasonable change in the provision of the services M247 provides to you which avoids the use of that Subprocessor.
(v) If M247 is unable to make the required change to such services under the provisions of paragraph 11(iv) within 20 Working Days from receipt of your notice objecting to the proposed appointment of the Subprocessor, you may terminate the contract on 1 month’s notice to the extent it relates to the services which require the use of the proposed Subprocessor.
12. You acknowledge that if any claim or action is brought by a Data Subject arising from any action or omission by M247, M247 shall not be liable to the extent such action or omission resulted directly or indirectly from your instructions.
Scope of processing
M247 processes Personal Data to enable it to provide the services under your contract with M247 and to comply with any legal obligations imposed upon it.
Nature and purpose of processing
Use of Personal Data to set up, operate, monitor and provide the services under your contract;
Perform day to day management of accounts and products we provide to you;
Record consent (e.g. in respect of marketing of products and services or any other consent you provide which we are obliged to record);
Uploading any fixes or upgrades to the services we provide (where we are obliged to carry out fixes and/or upgrades);
Back up of Personal Data;
Computer processing of Personal Data, including data transmission, data retrieval, data access;
Complying with our statutory obligations;
Providing access to online platforms (if any);
Network access to allow transfer of Personal Data;
Execution of your written instructions in accordance with the above provisions and/or your contract with M247;
Administration of accounts to manage user permissions.
Categories of Personal Data
Account data such as account number, device ID, IP address, service history etc.
Personal data such as name, address, date of birth, email address, telephone number, circuit ID;
Professional information such as job title, details of your professional body;
Financial data such as credit or debit card details, bank account details;
History product data and information;
Company data where this identifies a Data Subject;
Identification data (where required);
Special categories of Personal Data (where part of our contract with you).
Categories of Data Subjects
Employees, contractors, temporary workers, agents, your clients, your suppliers or other individuals having Personal Data to be Processed as part of our service to you.
End users or their authorised representatives.
Duration of Processing
M247 shall process Personal Data no longer than is necessary in order to perform its obligations under the contract with you or in order to comply with any legal requirement regarding the Processing of Personal Data.
If there are any inconsistencies between the terms contained above and the terms of service between you and M247 the terms contained above shall take priority.