Data Processing Agreement
Last updated: 10th May 2018
All definitions of terms can be found in our separate Definitions document which applies the same definitions to all our policy documents.
This agreement is deemed to have been entered into on 25th May 2018 or the date when the Controller first started using the Email Services, whichever is later.
Nothing within this DPA relieves us, the Data Processor, of our own direct responsibilities and liabilities under the Data Protection Legislation.
- No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
- A reference to writing or written includes email.
Roles and Scope of Processing
- Role of the Parties. You the Customer are the Data Controller of the Customer Data, and interests.me shall process Customer Data only as a Data Processor acting on behalf of the Customer.
- Control of Customer Data. You the Customer retain control of your Customer Data and remain responsible for your compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions you give to interests.me, the Data Processor.
- interests.me Processing of Customer Data. We will process your Customer Data only for the purposes described in this DPA and only in accordance with your documented lawful instructions, unless required by law to act without such instructions. We will not process your Customer Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation.
- Details of Data Processing:
  - Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
  - Duration: The duration of the data processing under this DPA is until the termination of the Terms of Agreement in accordance with its terms.
  - Nature: The nature of the data processing under this DPA is the Email Services as defined above.
  - Categories of Data Subject: There are two categories of Data Subject under this DPA – firstly, Users of the Email Services, and secondly, Email Subscribers.
  - Categories of Personal Data: There are two categories of Personal Data under this DPA – firstly, “User Data” and secondly “Subscriber Data”. User Data comprises identity and contact data (name, address, contact details, password), financial data (credit card details, account and payment details), and location data. Subscriber Data comprises identity and contact data (name and email address), technical data (IP address), and usage data (email open information).
Your Obligations as Data Controller
In your role as Data Controller, we expect you to do the following. Please note that this is not an exhaustive list.
- Process the data of your Email Subscribers only in accordance with a documented lawful basis for doing so, which may be (but is not limited to) consent, contract, or legitimate interest;
- Tell your potential Email Subscribers exactly how you will process their Personal Data, and what your purposes are;
- Limit your processing (including storage) of your Customer Data to only what is required for your defined purposes;
- Store your Customer Data for no longer than is necessary for your purposes;
- Take measures to ensure Personal Data is up to date and accurate;
- Process Personal Data in a way that ensures appropriate security of the data, including keeping all passwords and access to the interests.me system safe, and taking reasonable measures to prevent the loss of privacy (This is covered in more detail in section 7).
- Comply with all regulations and laws relating to data protection, electronic communication, and privacy that apply to the countries where you’re sending any form of communication through interests.me.
How We Will Help You With Your Data Protection Obligations
We will do our best to provide you, through the Email Services, with a number of controls and features that you may use to retrieve, correct, delete or restrict Customer Data, which you may use to assist in connection with your obligations under the Data Protection Legislation, including your obligations relating to responding to data subject access requests or requests from data protection authorities, and including your obligations to allow data subjects to exercise their rights.
We will provide you with an unsubscribe link on the bottom of every email you send using the Email Services, and help you by removing Email Subscribers automatically from mailing lists if they choose to unsubscribe.
We will also assist you in your role as Data Controller, as far as is reasonable and proportionate, in meeting your obligations in relation to the security of processing, the notification of Personal Data Breaches, and Data Protection Impact Assessments.
How We Will Use Sub-Processors
Authorised Sub-Processors. The Customer agrees that interests.me may engage Sub-Processors to process Customer Data on the Customer’s behalf. The Sub-Processors currently engaged by interests.me and authorized by the Customer are:
- Amazon Web Services – cloud hosting and storage, emailing
- Google Analytics – analytics
- Reamaze – customer support
- AddThis – social media sharing
- Stripe – payment processing
- Typeform – forms
- Zapier – service integration and automation
- Heart Internet – hosting of our http website
Sub-Processor Obligations. interests.me shall enter into a written agreement with the Sub-Processor imposing data protection terms that require the Sub-Processor to protect the Customer Data to the standard required by the Data Protection Legislation, and shall remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause interests.me to breach any of its obligations under this DPA.
Changes to Sub-Processors. You the Customer hereby permit changes to be made to the Sub-Processors used by interests.me, subject to interests.me providing an adequate level of protection for the Customer Data processed by Sub-Processors, in accordance with the Data Protection Legislation. We will provide an up-to-date list of the Sub-Processors appointed upon a Customer’s written request. We will update this document when changes are made.
Permission for International Transfers
You the Customer hereby permit the transfer or processing of your Customer Data by interests.me outside the European Economic Area (EEA), subject to interests.me providing an adequate level of protection for the Customer Data processed, in accordance with Data Protection Legislation.
Data Security Measures
Data Security Measures. interests.me shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from any Personal Data Breach and to preserve the security and confidentiality of the Customer Data, in accordance with our security standards as described in our Data Security Statement. Although changes may be made to interests.me’s Data Security measures, these changes will not result in the degradation of the overall security of the Email Services.
Customer Responsibilities. The Customer is responsible for its own secure use of the Email Services, including securing its password, protecting the security of the Customer Data when in transit to and from the Email Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Email Services. The Customer is also responsible for reviewing interests.me’s Data Security Statement (which it acknowledges may change from time to time), and making an independent determination as to whether the Email Services meet the Customer’s requirements and legal obligations under the Data Protection Legislation.
Personal Data Breaches. interests.me shall notify the Customer upon becoming aware of a Personal Data Breach, without undue delay, and shall provide timely information relating to the incident as it becomes known or is requested by the Customer.
Our Employees
We will ensure that all of our employees, including agents and subcontractors who process Customer Data:
(a) are informed of the confidential nature of the Customer Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken relevant training or briefing on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
(c) are aware both of our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
We will take reasonable steps to ensure the reliability, integrity and trustworthiness of all of our employees, including agents and subcontractors, with access to Customer Data.
interests.me shall maintain the confidentiality of all Customer Data and will not disclose Customer Data to third parties unless you the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires us to process or disclose Customer Data, we will first attempt to redirect the third party to make a request directly to you. As part of this effort, we may provide your basic contact information to the third party. If compelled to disclose Customer Data, we shall inform you the Customer of the legal or regulatory requirement and give you an opportunity to object or challenge the requirement, unless the law prohibits such notice.
Return or Deletion of Data
Upon termination of your use of the Email Services, for whatever reason, we provide the tools to help you to access and export your Customer Data by downloading a CSV file for each mailing list from your account, or to delete your Customer Data. Obtaining your Customer Data in this way is your responsibility, but we will support you in doing so.
Upon closure of your account, interests.me shall delete all the Customer Data in its possession or control, except when interests.me is required by applicable law to retain some or all of the Customer Data.
Where interests.me has archived Customer Data in backup systems, this Customer Data will be securely isolated and protected from any further processing except to the extent required by applicable law.
To the extent that Customer is unable to independently access the relevant Customer Data within the Email Services, interests.me shall (at the Customer’s expense) provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the DPA. In the event that any such request is made directly to interests.me, interests.me shall not respond to such communication directly without the Customer’s prior authorisation, unless legally compelled to do so. If interests.me is required to respond to such a request, interests.me shall promptly notify the Customer and provide it with a copy of the request unless legally prohibited from doing so.
To the extent interests.me is required under Data Protection Legislation, interests.me shall (at the Customer’s expense) provide reasonably requested information regarding the Email Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
We will also submit to audits and inspections, and provide you the Customer with information requested, provided this is reasonable and proportionate, to ensure both parties are meeting their obligations in Article 28 of the GDPR, and we will tell you immediately if we are asked to do something infringing relevant Data Protection Legislation.
Term and Termination