Data Processing Agreement

Last updated: 10th May 2018

Introduction

This is an additional agreement which forms part of the Terms of Use Agreement only for users of our Email Services. It is an agreement between us (the Data Processor in this instance) and you (the Customer and the Data Controller in this instance). If you use our Email Services you are a Data Controller for the purposes of this agreement, and we will be processing Personal Data on your behalf, having been delegated by you to store, handle, protect and process the data which you control. You must agree to this Data Processing Agreement in order to use our Email Services.

All definitions of terms can be found in our separate Definitions document which applies the same definitions to all our policy documents.

This Data Processing Agreement (“DPA”) sets out the additional terms, requirements and conditions on which we will process Personal Data when providing services under the more general Terms of Use Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

This agreement is deemed to have been entered into on 25th May 2018 or the date when the Controller first started using the Email Services, whichever is later.

Nothing within this DPA relieves us, the Data Processor, of our own direct responsibilities and liabilities under the Data Protection Legislation.

  1. Relationship with the Terms of Use Agreement
  • This DPA is subject to the Terms of Use Agreement and is incorporated into the Terms of Use Agreement. Definitions used in the Terms of Use Agreement also apply to the interpretation of this DPA, and all Definitions can be found in our separate Definitions document.
  • Except for the changes made by this DPA, the Terms of Use Agreement remains unchanged and in full force and effect.
  • In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Terms of Use Agreement, the provisions of this DPA will prevail.
  • No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
  • A reference to writing or written includes email.
  2. Roles and Scope of Processing
  • Role of the Parties. You the Customer are the Data Controller of the Customer Data, and interests.me shall process Customer Data only as a Data Processor acting on behalf of the Customer.
  • Control of Customer Data. You the Customer retain control of your Customer Data and remain responsible for your compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions you give to interests.me, the Data Processor.
  • interests.me Processing of Customer Data. We will process your Customer Data only for the purposes described in this DPA and only in accordance with your documented lawful instructions, unless required by law to act without such instructions. We will not process your Customer Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation.
  • Details of Data Processing:
    • Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
    • Duration: The duration of the data processing under this DPA is until the termination of the Terms of Use Agreement in accordance with its terms.
    • Nature: The nature of the data processing under this DPA is the Email Services as defined above.
    • Purpose: The purpose of the data processing under this DPA is the provision of Email Services (as defined above) to the Customer and the performance of interests.me’s obligations under the Terms of Use Agreement (including this DPA) or as otherwise agreed by the parties.
    • Categories of Data Subject: There are two categories of Data Subject under this DPA – firstly, Users of the Email Services, and secondly, Email Subscribers.
    • Categories of Personal Data: There are two categories of Personal Data under this DPA – firstly, “User Data” and secondly “Subscriber Data”. User Data comprises identity and contact data (name, address, contact details, password), financial data (credit card details, account and payment details), and location data. Subscriber Data comprises identity and contact data (name and email address), technical data (IP address), and usage data (email open information).
  • Where interests.me is Data Controller. Notwithstanding anything to the contrary in the Terms of Use Agreement (including this DPA), the Customer acknowledges that interests.me shall have a right to use and disclose data relating to the operation, support and/or use of its Email Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered Personal Data under the Data Protection Legislation, interests.me is the Data Controller of such data and accordingly shall process such data in accordance with its Data Protection & Privacy Policy and the relevant Data Protection Legislation.
  • Tracking Technologies. You the Customer acknowledge that in connection with the performance of the Email Services, interests.me may employ the use of Tracking Technologies. You the Customer agree that you will appropriately notify, and where necessary obtain consent, as required by the Data Protection Legislation, to enable interests.me to deploy Tracking Technologies lawfully on, and collect data from, the devices of Email Subscribers in accordance with and as described in the interests.me Cookie Policy.
  3. Your Obligations as Data Controller

We expect you to do the following in your role as Data Controller. Please note that this is not an exhaustive list.

  1. Maintain your own Privacy Policy (or equivalent) which you direct potential Email Subscribers to, whenever they consider signing up to your mailing list, in which you clearly describe how you plan to use any data collected, including for your use of interests.me;
  2. Process the data of your Email Subscribers only in accordance with a documented lawful basis for doing so, which may be (but is not limited to) consent, contract, or legitimate interest;
  3. Tell your potential Email Subscribers exactly how you will process their Personal Data, and what your purposes are;
  4. Limit your processing (including storage) of your Customer Data to only what is required for your defined purposes;
  5. Store your Customer Data for no longer than is necessary for your purposes;
  6. Take measures to ensure Personal Data is up to date and accurate;
  7. Process Personal Data in a way that ensures appropriate security of the data, including keeping all passwords and access to the interests.me system safe, and taking reasonable measures to prevent the loss of privacy (this is covered in more detail in section 7);
  8. Comply with all regulations and laws relating to data protection, electronic communication, and privacy that apply to the countries where you’re sending any form of communication through interests.me.
  4. How We Will Help You With Your Data Protection Obligations

We will do our best to provide you, through the Email Services, with a number of controls and features that you may use to retrieve, correct, delete or restrict Customer Data, which you may use to assist in connection with your obligations under the Data Protection Legislation, including your obligations relating to responding to data subject access requests or requests from data protection authorities, and including your obligations to allow data subjects to exercise their rights.

We will provide you with a way to display your Privacy Policy to all new subscribers signing up to public mailing lists, and we will support you to record consent or other justifications for processing Customer Data, by collecting the relevant consent text automatically in our systems.

We will provide you with an unsubscribe link on the bottom of every email you send using the Email Services, and help you by removing Email Subscribers automatically from mailing lists if they choose to unsubscribe.

We will also assist you in your role as Data Controller, as far as is reasonable and proportionate, in meeting your obligations in relation to the security of processing, the notification of Personal Data Breaches, and Data Protection Impact Assessments.

  5. How We Will Use Sub-Processors

Authorised Sub-Processors. The Customer agrees that interests.me may engage Sub-Processors to process Customer Data on the Customer’s behalf. The Sub-Processors currently engaged by interests.me and authorized by the Customer are:

  • Amazon Web Services – cloud hosting and storage, emailing
  • Google Analytics – analytics
  • Reamaze – customer support
  • AddThis – social media sharing
  • Stripe – payment processing
  • Typeform – forms
  • Zapier – service integration and automation
  • Heart Internet – hosting of our http website

Sub-Processor Obligations. interests.me shall enter into a written agreement with the Sub-Processor imposing data protection terms that require the Sub-Processor to protect the Customer Data to the standard required by the Data Protection Legislation, and shall remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause interests.me to breach any of its obligations under this DPA.

Changes to Sub-Processors. You the Customer hereby permit changes to be made to the Sub-Processors used by interests.me, subject to interests.me providing an adequate level of protection for the Customer Data processed by Sub-Processors, in accordance with the Data Protection Legislation. We will provide an up-to-date list of the Sub-Processors appointed upon a Customer’s written request. We will update this document when changes are made.

  6. Permission for International Transfers

You the Customer hereby permit the transfer or processing of your Customer Data by interests.me outside the European Economic Area (EEA), subject to interests.me providing an adequate level of protection for the Customer Data processed, in accordance with Data Protection Legislation.

  7. Data Security Measures

Data Security Measures. interests.me shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from any Personal Data Breach and to preserve the security and confidentiality of the Customer Data, in accordance with our security standards as described in our Data Security Statement. Although changes may be made to interests.me’s Data Security measures, these changes will not result in the degradation of the overall security of the Email Services.

Customer Responsibilities. The Customer is responsible for its own secure use of the Email Services, including securing its password, protecting the security of the Customer Data when in transit to and from the Email Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Email Services. The Customer is also responsible for reviewing interests.me’s Data Security Statement (which it acknowledges may change from time to time), and making an independent determination as to whether the Email Services meet the Customer’s requirements and legal obligations under the Data Protection Legislation.

Personal Data Breaches. interests.me shall notify the Customer upon becoming aware of a Personal Data Breach, without undue delay, and shall provide timely information relating to the incident as it becomes known or is requested by the Customer.

  8. Our Employees

We will ensure that all of our employees, including agents and subcontractors who process Customer Data:

(a)  are informed of the confidential nature of the Customer Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

(b)  have undertaken relevant training or briefing on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

(c)  are aware both of our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

We will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of our employees, including agents and subcontractors, with access to Customer Data.

  9. Disclosure

interests.me shall maintain the confidentiality of all Customer Data and will not disclose Customer Data to third parties unless you the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires us to process or disclose Customer Data, we will first attempt to redirect the third party to make a request directly to you. As part of this effort, we may provide your basic contact information to the third party. If compelled to disclose Customer Data, we shall inform you the Customer of the legal or regulatory requirement and give you an opportunity to object or challenge the requirement, unless the law prohibits such notice.

  10. Return or Deletion of Data

Upon termination of your use of the Email Services, for whatever reason, we provide the tools to help you to access and export your Customer Data by downloading a CSV file for each mailing list from your account, or to delete your Customer Data. Obtaining your Customer Data in this way is your responsibility, but we will support you in doing so.

Upon closure of your account, interests.me shall delete all the Customer Data in its possession or control, except when interests.me is required by applicable law to retain some or all of the Customer Data.

Where interests.me has archived Customer Data in backup systems, this Customer Data will be securely isolated and protected from any further processing except to the extent required by applicable law.

  11. Co-operation

To the extent that the Customer is unable to independently access the relevant Customer Data within the Email Services, interests.me shall (at the Customer’s expense) provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under this DPA. In the event that any such request is made directly to interests.me, interests.me shall not respond to such communication directly without the Customer’s prior authorisation, unless legally compelled to do so. If interests.me is required to respond to such a request, interests.me shall promptly notify the Customer and provide it with a copy of the request unless legally prohibited from doing so.

To the extent interests.me is required under Data Protection Legislation, interests.me shall (at the Customer’s expense) provide reasonably requested information regarding the Email Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

We will also submit to audits and inspections, and provide you the Customer with information requested, provided this is reasonable and proportionate, to ensure both parties are meeting their obligations in Article 28 of the GDPR, and we will tell you immediately if we are asked to do something infringing relevant Data Protection Legislation.

  12. Term and Termination

This DPA will remain in full force and effect so long as you the Customer use the Email Services provided by interests.me, subject to the Terms of Use Agreement, or as long as we retain any of your Customer Data in our possession or control.

Our failure to comply with the terms of this DPA is a material breach of the Terms of Use Agreement. In such event, you the Customer may terminate the Terms of Use Agreement effective immediately on written notice to the Processor (us) without further liability or obligation.

If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Terms of Use Agreement obligations, the parties will suspend the processing of Customer Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Data processing into compliance with the Data Protection Legislation within one month, they may terminate the Terms of Use Agreement on written notice to the other party.