(a) This clause 1 defines terms used in this GDPR Schedule. Other terms are defined elsewhere in this schedule. Capitalised terms in this schedule which are defined in the Services Agreement, have the meaning as defined therein.
(b) Controller means the entity which determines the purposes and means of the Processing of Personal Data.
(c) Data Subject means an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(d) Data Subject Request means a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability, right to object to Processing, or right not to be subject to an automated individual decision-making, as set out in Chapter III of the GDPR.
(e) Personal Data means any information relating to a Data Subject.
(f) Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
(g) Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(h) Processor means the entity which processes Personal Data on behalf of the Controller.
(i) Services Agreement means the agreement between Customer and Sajari for services to which this schedule is a schedule.
(a) With regards to the Processing of Personal Data in relation to the Services Agreement, the parties acknowledge and agree:
(b) For the time being and subject to change, the following organisations are Processors:
(a) Customer warrants to Sajari that Customer has the legal right to disclose all Personal Data disclosed to Sajari pursuant to the Services agreement.
(b) Customer’s instructions (if any) in relation to the Personal Data must comply with the GDPR.
(c) Customer is solely responsible for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data.
(a) In supplying the Services, Sajari acknowledges and agrees to Process Personal Data in compliance with its obligations under the GDPR.
(b) Without limiting its obligations under the GDPR, Sajari must:
The subject-matter of Processing is the performance of Services pursuant to the Services Agreement.
Personal Data will be Processed as necessary to perform Services pursuant to the Services Agreement.
Subject to its obligation under clause 2.3(b) above to delete or return Personal Data, Personal Data will be Processed for the duration of this agreement, or unless otherwise agreed between the parties in writing.
Customer must not submit any Personal Data to the Services unless the Personal Data is limited to data (to be read cumulatively):
Sajari must take commercially reasonable steps to ensure the reliability of any Sajari personnel engaged in the Processing of Personal Data.
Sajari must take commercially reasonable steps ensure that its access to Personal Data is limited to those Sajari personnel engaged in performing the Services in accordance with this agreement.
(a) Sajari has appointed a data protection officer, as required by Section 4 of the GDPR, and acknowledges and agrees that the data protection officer will carry out the tasks required by that position.
(b) The data protection officer may be contacted at firstname.lastname@example.org.
(a) Sajari must not engage any third party to Process Personal Data pursuant to the Services Agreement, without the prior specific or general written authorisation of Customer.
(b) Customer hereby acknowledges and agrees Sajari is authorised by Customer to engage Processors and permit Processors to engage subprocessors.
(c) Sajari must provide Customer with 14 days’ written notice of any intended changes concerning the addition or replacement of a subprocessor.
(d) Sajari must enter into a written agreement with each authorised Processor containing data protection obligations no less protective than those in this schedule, with respect to the protection of Personal Data, to the extent applicable to the nature of the services provided by such Processor.
Sajari must, to the extent legally permitted, notify Customer if Sajari receives a Data Subject Request.
(a) Sajari must implement appropriate technical and organisational measures for the protection of security (including protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.
(b) Sajari must ensure any person acting under the authority of Sajari who has access to Personal Data does not Process that data, except on instructions from Customer, unless required by applicable law.
(a) Sajari must notify Customer without undue delay after becoming aware of a Personal Data Breach in relation to the Services Agreement.
(b) Sajari will make reasonable efforts to identify the cause of any such Personal Data Breach and, save where the Personal Data Breach is caused by Customer, take all steps Sajari considers reasonably necessary to remediate the cause of such Personal Data Breach, to the extent such remediation is within Sajari’s reasonable control.