If you are a Data Controller within the meaning of the General Data Protection Regulation (GDPR) and if you have contracted us to provide services that require us to process personal information on your behalf, the following terms (the “Data Processing Agreement”) are hereby incorporated into the Terms and Conditions under which services are provided and form part of the contract for those services.
DATA PROCESSING AGREEMENT
“Regulation” or “GDPR” shall refer to the General Data Protection Regulation (EU) 2016/679
“Data” or “Information” shall refer to personal data pertaining to one or more data subjects as defined by the Regulation.
“Customer” or “Controller” shall refer to the customer acting as Data Controller as defined by the Regulation.
“Processor” shall refer to Irish Domains Limited acting as Data Processor as defined by the Regulation.
“Sub-Processor” shall refer to any third party processing Data under contract from Irish Domains Limited acting as Data Processor as defined by the Regulation.
“Agreement” shall refer to this Data Processing Agreement read together with the Terms and Conditions
“Services” shall refer to one or more contracted services provided by Irish Domains Limited to Customer within the scope of this Agreement.
“Control Panel” shall refer to Irish Domains Customer Control Panel or any similar website or portal used to manage the Services.
“Party” may refer to Customer or Irish Domains Limited, “Parties” shall refer to both.
Customer wishes to avail of one or more services provided by Irish Domains Limited that require processing of personal data.
Customer is a data controller within the meaning of the Regulation and will transmit personal data to Irish Domains Limited for processing.
Customer wishes to ensure that processing of the Data by Irish Domains is subject to contractual terms in accordance with the Regulation.
The Agreement applies only to those services listed in the Service Specific Provisions for which Irish Domains Limited is acting as a Data Processor and Customer is acting as a Data Controller within the meaning of the Regulation.
The purpose of the processing under the Agreement is the provision of the Services by Processor to Controller under contract.
In connection with Processor’s delivery of the Services to Controller, Processor may be required to process certain categories and types personal data on behalf of Controller.
Processor undertakes to process personal data on behalf of the Controller in accordance with this Agreement and contracted Services, and for such purposes as may be agreed to subsequently by the Parties.
Personal data will only be made available to employees or Sub-Processors that require access to such data for the delivery of the Services and this Agreement.
Personal data processed on behalf of Controller shall remain the property of Controller and/or the relevant data subjects.
Processor shall warrant compliance with applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the Regulation.
The Processor shall refrain from making use of the personal data for any purpose other than as specified by Controller. Controller will inform Processor of any such purposes which are not contemplated in this Agreement.
Processor’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all Data under this Agreement with strict confidentiality.
Processor shall furnish Controller on request with details regarding the measures it has adopted to comply with its obligations under this Data Processing Agreement and the Regulation.
Controller is responsible for all classification and risk assessments relating to data transmitted to or processed by the Processor.
Controller shall warrant compliance with applicable laws and regulations, including laws and regulations governing the protection of personal data, such as the Regulation.
ALLOCATION OF RESPONSIBILITY
Processor shall only be responsible for processing the Data under this Agreement, in accordance with Controller’s instructions and under the responsibility of the Controller. The Processor is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Controller to the Processor, or processing by third parties and / or for other purposes.
Controller represents and warrants that it has express consent and/or a legal basis to process the relevant Data. Furthermore, Controller represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, Controller indemnifies the Processor of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Agreement.
Where the Data is placed by Controller on a web server or other publicly accessible location, or is otherwise shared externally, the Controller assumes all risks, obligations and liabilities with respect to the security and integrity of Data so stored and indemnifies the Processor of all claims and actions of third parties related to the stored Data.
Where the Data is protected by passwords or other security measures that are assigned or managed by Controller (including those assigned or managed via the Control Panel), Controller assumes all responsibilities with respect to the security and integrity of the the passwords and assumes all risks, obligations and liabilities with respect to the security and integrity of data so secured and indemnifies Processor of all claims and actions of third parties related to the secured Data.
Where the Data is transmitted from Controller to Processor, or from Processor to Controller, Controller is responsible for ensuring such transmission is executed in a secure fashion and is protected by adequate safeguards during transmission, including but not limited to encryption using SSL/TLS. Controller assumes all risks, obligations and liabilities with respect to the security and integrity of data so transmitted and indemnifies Processor of all claims and actions of third parties related to the transmitted Data.
Where the Data consists of email messages sent, received or stored using Processor systems by Controller or data-subjects, Controller accepts that Processor is not aware of or responsible for the content and nature of such messages, Controller assumes all risks, obligations and liabilities with respect to the message content and classification, and indemnifies Processor of all claims and actions of third parties related to same.
Where Controller creates, installs or manages an application on a web server or account or on any other service provided by Processor (including applications installed via the Control Panel), Controller assumes all risks, obligations and liabilities with respect to the security, integrity and operation of the application, including all effects and indirect effects on personal data stored on or processed using the Services, and indemnifies Processor of all claims and actions of third parties related to same.
ENGAGING OF THIRD PARTIES OR SUBCONTRACTORS
Processor is authorized within the framework of the Agreement to engage third parties as Sub-Processors, without the prior approval of the Controller being required, provided a list of such Sub-Processors is maintained on the “Service Specific Provisions” page of its website.
Processor shall in any event ensure that Sub-Processors are obliged to agree in writing to materially the same duties that are agreed between Controller and Processor.
Processor’s rights, responsibilities or obligations arising under the terms of this Agreement shall apply to any Sub-Processor or contractor processing the Data on behalf of Processor.
Processor may engage Sub-Processors in any country within the European Economic Area (EEA). In addition, the Processor may also engage a Sub-Processors in a country outside the EEA provided that such country guarantees an adequate level of protection and provided it satisfies the other obligations applicable to it pursuant to this Agreement and the Regulation.
DUTY TO REPORT
Processor shall without undue delay, give notice to Controller if it becomes aware of breach that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed pertaining to Data processed on behalf of the Controller (a “Personal Data Breach”).
Processor shall make reasonable efforts to identify the cause of such a breach and, to the extent it relates to Data for which Processor is responsible, take those steps as it deems necessary to establish the cause, and to prevent such a breach from reoccurring.
Notice of a “Personal Data Breach” will include
- the (suspected) cause of the leak;
- the (currently known and/or anticipated) consequences thereof;
- the (proposed) solution;
- the measures that have already been taken, if applicable.
Controller remains the responsible party for any statutory obligations in respect of a “Personal Data Breach” including, where applicable, notifying the relevant authorities and/or data subjects.
Processor will take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration, alteration or disclosure of personal data) in connection with the performance of processing personal data under this Data Processing Agreement.
Processor does not guarantee that the security measures are effective under all circumstances. Processor will ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
Controller will only make the personal data available to Processor if it is assured that the necessary security measures have been taken by all Parties. Controller is responsible for ensuring compliance with the measures agreed by and between the Parties.
HANDLING REQUESTS FROM INVOLVED PARTIES
Where a Data subject submits a request to Processor to view, change or erase their personal data, Processor will forward the request to the Controller and the request will then be dealt with by Controller. Processor may notify the Data subject thereof.
NON DISCLOSURE AND CONFIDENTIALITY
All personal data received by Processor from Controller and/or compiled by Processor within the framework of this Agreement is subject to a duty of confidentiality.
This duty of confidentiality will not apply in the event that Controller has expressly authorized the furnishing of such information to third parties, where the furnishing of the information to third parties is reasonably necessary in view of the nature of the instructions and the implementation of this Agreement or the Services contracted, or if there is a legal obligation to make the information available to a third party.
RIGHT TO AUDIT
In order to confirm compliance with this Data Processing Agreement, Controller shall be at liberty to conduct an audit by assigning with the agreement of Processor, an independent third party (Auditor) to perform this task. Any such audit will follow the Processor’s reasonable security requirements, and will not interfere unreasonably with the Processor’s business activities.
The audit may only be undertaken when there are specific and reasonable grounds for suspecting the misuse, breach or unauthorized disclosure of personal data by the Processor or its employees or Sub-Processors (where applicable), and no earlier than two weeks after the Controller has provided written notice to the Processor, and in any event no more than once in any calendar year. The scope of the audit shall be limited to those parts of the Services for which Processor has responsibility, for which an active contract exists and for which payment has been received in full at the time of notice.
The Auditor and Controller shall be obliged to observe confidentiality in this regard by completing with Processor a mutually agreed upon Non-Disclosure Agreement (“NDA”).
Controller shall be responsible for any actions taken by the third party auditor. All information disclosed by Irish Domains during the audit shall be deemed Irish Domains Confidential Information and the Controller or Auditor its shall not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency.
The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where agreed, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
The costs of the audit including Processor staff costs at Processor’s then current Professional Services rate, Auditor costs and all incidental expenses, will be borne by the Controller.
LIMITATION OF LIABILITY
The total aggregate liability to Controller, of whatever nature, whether in contract, tort or otherwise, of the Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this Data Processing Agreement shall be subject to the “Limitation of Liability” clause set out in the Terms & Conditions.
Nothing in this Agreement will relieve Processor of its own direct responsibilities and liabilities under the Regulation.
DURATION AND TERMINATION
The Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, while Controller is providing Services to customer.
The Agreement may not be terminated in the interim unless the Services are also cancelled or terminated.
The Processor shall provide its full cooperation in amending and adjusting this Agreement in the event of new privacy legislation.
Logs and measurements taken by the Processor shall be deemed to be true and accurate, unless the Controller supplies convincing proof to the contrary.