Data Processing Addendum
This Data Processing Addendum, including its annexes (the “DPA”), forms part of the Master Subscription Agreement or other written or electronic agreement between JRNI and the Customer (the “Agreement”) for the purchase of Services from JRNI (identified as “Services” in the Agreement) to reflect the Parties’ agreement with regard to the processing of Personal Data.
By executing the Agreement, the Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Affiliates, if and to the extent that JRNI processes Customer Personal Data for which such Affiliates qualify as the Data Controller. All defined terms used in this DPA which are not defined here shall have the meanings given to them in the Agreement.
In the course of providing the Services to the Customer pursuant to the Agreement, JRNI may process Customer Personal Data on behalf of the Customer and the Parties agree to comply with the following provisions with respect to any Customer Personal Data, each acting reasonably and in good faith.
1. Definitions and interpretation
1.1 In this DPA, unless the context otherwise requires:
“Customer Personal Data” means all Personal Data processed by JRNI on behalf of the Customer and its Affiliates under or in connection with this Agreement.
“Data Controller” means the entity which determines the purposes and means of the processing of Personal Data.
“Data Processor” means the entity which processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means any laws and regulations relating to privacy or the use or processing of data relating to natural persons.
"DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
"Data Subject Request" means a request from a Data Subject to exercise its rights under the Data Protection Laws in respect of that Data Subject's Personal Data.
“Personal Data” means any information relating to: (i) an identified or identifiable natural person; and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws).
“processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and “process” shall be construed accordingly.
"Security Breach" means any actual loss, unauthorised or unlawful processing, destruction, damage, or alteration, or unauthorised disclosure of, or access to the Customer Personal Data.
“Sub-Processor” means a third party subcontractor or Affiliate appointed by JRNI to process Customer Personal Data.
2. Compliance with Data Protection Laws
2.1 JRNI shall comply with its obligations under the Data Protection Laws as they apply to it as a Data Processor of the Customer Personal Data.
2.2 The Customer shall comply with its obligations under the Data Protection Laws as they apply to it as a Data Controller of the Customer Personal Data.
3. Processing and security
3.1 In performing its obligations under this Agreement, JRNI shall only process the categories of Personal Data and only in respect of the categories of Data Subjects, and only for the nature and purposes of processing and duration, as is set out in the Annex to this DPA or as necessary to perform its obligations under this Agreement, save as otherwise required by any Applicable Law.
3.2 In processing the Customer Personal Data, JRNI shall:
(a) process Customer Personal Data only in accordance with the Customer's written instructions from time to time (including those set out in this Agreement) except as otherwise required by any Applicable Law;
(b) not process the Customer Personal Data for any purpose other than those set out in the Annex and as necessary to perform its obligations under this Agreement unless otherwise expressly authorised by the Customer;
(c) promptly notify the Customer if it receives a Data Subject Request in respect of Customer Personal Data;
(d) as far as reasonably practicable, co-operate with and provide assistance to the Customer in relation to any Data Subject Request in respect of Customer Personal Data;
(e) taking into account:
(i) the state of the art;
(ii) the nature, scope, context and purposes of the processing; and
(iii) the risk and severity of potential harm,
protect the Customer Personal Data by ensuring that it has in place appropriate technical and organisational measures, including measures to protect the Customer Personal Data against the risks of a Security Breach; and
(f) ensure that any persons authorised by JRNI to process Customer Personal Data are obliged to keep such data confidential.
3.3 JRNI shall, without undue delay after discovering any Security Breach or any failure or defect in security which leads, or might reasonably be expected to lead, to a Security Breach (together a "Security Issue") notify the Customer of the same.
3.4 Where a Security Issue arises, JRNI shall:
(a) as soon as reasonably practicable, provide the Customer with details of the Security Issue, the actual or expected consequences of it, and the measures taken or proposed to be taken to address or mitigate it;
(b) co-operate with the Customer, and provide the Customer with all reasonable assistance in relation to the Security Issue; and
(c) unless required by Applicable Law, not make any notifications to a DP Regulator or any Data Subjects about the Security Issue without the Customer's prior written consent (such consent not to be unreasonably withheld or delayed).
4. Return or destruction of Customer Personal Data
4.1 Subject to paragraph 4.2, JRNI shall return or, at the election of the Customer, irretrievably delete all Customer Personal Data in its control or possession when it no longer requires such Customer Personal Data to exercise or perform its rights or obligations under this Agreement, and in any event within 30 days following expiry or termination of this Agreement.
4.2 To the extent that JRNI is required by Applicable Law to retain all or part of the Customer Personal Data (the "Retained Data"), JRNI shall isolate and cease all processing of the Retained Data other than as required by the Applicable Law.
5.1 Subject to paragraph 5.2, JRNI shall, at the Customer's sole expense, comply with all reasonable requests from the Customer to allow the Customer or its third party auditors to access and inspect JRNI's premises, records and personnel relevant to any processing of Customer Personal Data, in each case to enable the Customer to audit and verify that JRNI is complying with its obligations under this Agreement and under the Data Protection Laws in relation to Customer Personal Data (“Data Protection Audit”).
5.2 JRNI acknowledges that the Customer (or its third party auditors) may enter its premises for the purposes of conducting a Data Protection Audit, provided that the Customer gives it reasonable prior written notice, conducts such audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to JRNI’s operations. The Customer will not exercise its audit rights under this paragraph 5 more than once in any twelve (12) calendar month period, except if: (i) required by instruction of a DP Regulator; or (ii) the Customer reasonably believes a further audit is necessary due to a Security Breach suffered by JRNI.
5.3 JRNI shall provide such information, reasonable co-operation and assistance in relation to any request made by the Customer (or its auditors, or its or their representatives) under paragraph 5.1 as necessary to demonstrate JRNI's compliance with the Data Protection Laws in relation to this Agreement.
6. Co-operation and assistance
6.1 JRNI shall co-operate with the Customer, and provide such information and assistance as the Customer may reasonably require, to enable the Customer to:
(a) comply with the Customer's obligations under the Data Protection Laws in respect of Customer Personal Data; and
(b) deal with and respond to investigations and requests for information relating to the Customer Personal Data from any DP Regulator.
6.2 If JRNI receives any complaint, notice or communication from a DP Regulator or other third party (excluding a Data Subject Request) which relates directly or indirectly to Customer Personal Data or to either Party's compliance with the Data Protection Laws, it shall notify the Customer as soon as reasonably practicable.
7.1 JRNI shall not subcontract any processing of the Customer Personal Data to any Sub-Processor except as authorised by the Customer in accordance with this paragraph 7. The Customer consents to JRNI engaging Sub-Processors to process the Data provided that: (i) JRNI provides at least 30 days' prior notice of the addition of any subcontractor (including details of the processing it performs or will perform) (“Sub-Processor Notice”); and (ii) JRNI complies with paragraphs 7.4 and 7.5 of this DPA.
7.2 The Customer hereby consents to JRNI’s use of the Sub-Processors listed at www.jrni.com/information-security which shall be maintained and updated when any Sub-Processor is added or removed in accordance with this paragraph 7.
7.3 If within 30 days of receipt of a Sub-Processor Notice the Customer notifies JRNI in writing of its refusal to consent to JRNI’s appointment of a Sub-Processor on reasonable grounds relating to the protection of Customer Personal Data, then either: (i) JRNI will not appoint the Sub-Processor; or (ii) if JRNI does appoint the Sub-Processor, the Customer may elect to terminate the Agreement without penalty or cost to either party save that any portion of the fees paid in advance in respect of Services not yet delivered as at the effective date of termination shall be refunded to the Customer. If after 30 days from receipt of the Sub-Processor Notice the Customer has not indicated its refusal of the appointment of a Sub-Processor in accordance with this paragraph, then the Customer is deemed to have given its consent and JRNI shall be entitled to appoint the relevant Sub-Processor with immediate effect.
7.4 If JRNI appoints a Sub-Processor, JRNI shall ensure that:
(a) such Sub-Processor shall only process Customer Personal Data in order to perform one or more of JRNI's obligations under this Agreement; and
(b) it enters into a written agreement or other legally enforceable terms with that Sub-Processor prior to any processing by the Sub-Processor, requiring the Sub-Processor to:
(i) process Customer Personal Data only in accordance with the written instructions of JRNI or the Customer; and
(ii) comply with data protection obligations equivalent in all material respects to those imposed on JRNI under this DPA.
7.5 Notwithstanding the appointment of a Sub-Processor, JRNI is responsible and liable to the Customer for any processing by the Sub-Processor in breach of this DPA.
8. Transfer of Customer Personal Data
8.1 JRNI shall only transfer Customer Personal Data outside of the EEA where there is adequate protection for such Customer Personal Data in accordance with applicable Data Protection Laws and as authorised by the Customer in accordance with paragraph 7.
8.2 The Customer consents to the transfers of Customer Personal Data to those non-EEA locations listed at www.jrni.com/information-security. JRNI shall ensure that such list is maintained and updated from time to time to reflect any changes.
In relation to the subject matter of this DPA and its Annex, in the event of any inconsistency between the provisions of this DPA and its Annex and the other provisions of the Agreement including any schedule or annex thereto, the provisions of this DPA and its Annex shall prevail.
Annex to Data Processing Addendum
The Personal Data processing activities carried out by JRNI under this Agreement may be described as follows, except where different provisions are set out in the Order Form:
1. Subject matter of processing
To permit JRNI to provide the Services to the Customer.
2. Nature and purpose of processing
Customer Personal Data will be processed to permit the Customer or End-User to book appointments, meetings, or other calendar arrangements with the Customer.
Customer Personal Data will be stored to create a record of such bookings for the Customer's use.
Customer Personal Data of the Customer's employees will be stored and used for the purposes of providing and administering the Services.
3. Categories of Personal Data
Personal details (including name)
Contact details (e.g. telephone number, email address)
Log-in details (including username and password)
Such other personal data as is specified in an Order Form depending on the purpose for which the Customer uses the Booking Service.
4. Categories of Data Subjects
The Customer's End-Users and employees or contractors.
The processing shall cease upon termination of the relevant Services and in any case no later than termination of the Agreement, except in respect of any Retained Data which shall cease when JRNI is no longer required to retain such Customer Personal Data in accordance with Applicable Law.