CUSTOMER THERMOMETER: TERMS OF USE
(last amended 25 October 2021)
1. DEFINITIONS
1.1 In these Terms of Use (“Terms”):
“Additional Items” means any additional goods (including but not limited to software) and / or services that are provided by us in addition to the Service;
“Content” is defined in clause 4.9.2;
“Contract” means the order placed by you with us on these Terms and any other document agreed by us in writing to be incorporated in a contract between us both;
“Customer Thermometer account” means your account of our Customer Thermometer service;
“Data Protection Legislation” means (whilst they are in force):
(a) the Data Protection Act 1998;
(b) the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); and
(c) any successor legislation to the Data Protection Act 1998 or the GDPR and any other applicable laws and regulations relating to the processing of personal data and privacy.
“the due date” means the repeat billing date;
“Email” means any electronic mail sent from time to time by us on your behalf under the Service using our software, servers and/or system, the Content of which is to be provided by you to us;
“List” is defined in clause 4.9.1;
“Recipient” means any person who you intend to receive an Email to be sent under the Service;
“the Service” means our email customer feedback service, using our software and reporting systems through Customer Thermometer and any Additional Items that you have ordered from us, and we have agreed in writing to supply;
“the service fees” means the fees agreed between us both for the provision of the Service by us under the Contract;
“Transgression” shall mean any breach of contract, tort or other act of default, omission or statement by us in respect of which we are liable to you;
“Unlawful” is defined in clause 4.1.
“We” means Customer Thermometer Limited and reference to our consent authority or agreement means consent authority or agreement in writing signed by one of our Directors;
“You” means the person firm or company who has entered into this Contract for the Service and includes, for the avoidance of doubt, any resellers of the Service;
1.2 Terms defined in our order form (or previously agreed in other applicable documents, which form part of the Contract) have the same meanings in these Terms.
2. OUR SERVICE
2.1 We shall provide the Service (being Customer Thermometer), to you under these Terms and the Service shall continue to be supplied, unless the Contract is terminated. No additions or modifications to these Terms shall be binding unless agreed in writing by us. In the event of any inconsistency between these Terms and any other document forming part of the Contract, these Terms shall prevail unless expressly referred to and varied with our written consent. The Contract is not intended to create a partnership or agency relationship between us both.
2.2 We will process information about you and the Recipients in accordance with our privacy policy, from time to time, contained at www.customerthermometer.com/privacy.
2.3 The delivery to or receipt of Emails by any Recipient cannot be guaranteed and is dependent upon (a) complete, full and accurate Lists from you (including but not limited to, up to date email addresses); (b) suitable internet availability or connectivity by the Recipient; and (c) on various anti-spam and junk mail policies adopted by the Recipient. Whilst we will provide the Service in accordance with the terms of the Contract, we make no representations or warranties whatsoever about the speed or proportion of Emails sent that will be delivered.
2.4 We may, at our sole discretion and upon notifying you in writing, assign, transfer, sub-contract or deal in any other manner with all or any of our rights under the Contract (or any part) to a third party.
2.5 We may, from time to time and without notice, change the Service in order to comply with any applicable statutory requirements and/or industry standard procedures, provided that such changes do not materially detrimentally affect the nature, or scope of the Service or the service fees.
3. OUR RIGHTS AND OBLIGATIONS
3.1 We shall provide the Service to you with reasonable skill and care and in a professional manner. All warranties, conditions and other terms implied by statute or common law are excluded to the fullest extent permitted by law from the Contract and these Terms.
3.2 We shall provide you with a 24-hour contact service in order that you may notify us of any interruptions or any other problems with the Service. We shall use reasonable endeavours to respond to your notification of interruptions or other problems with the Service and to rectify any problems with reasonable diligence and within a reasonable timescale.
3.3 We shall use all reasonable endeavours to ensure that access to the Service will be available at an uptime level of 95%. For the avoidance of doubt the uptime availability level does not include downtime attributable to:
3.3.1 hardware or telecommunications failures;
3.3.2 interruptions to the flow of data to or from the internet;
3.3.3 changes, updates or repairs to the network or software which we use as a platform to provide the Service;
3.3.4 the effects of the failure or interruption of the Service by third parties;
3.3.5 factors outside our reasonable control;
3.3.6 your actions or omissions (including without limitation, breach of your obligations set out in the Contract) or those of any third parties (including but not limited to breaks in the continuity of the electricity supply or of the telecommunications linked to our server); and
3.3.7 interruptions to the Service resulting from any request by you.
3.4 If the Service is suspended or interrupted, we shall use reasonable endeavours to restore the Service within a reasonable time period.
3.5 If we, in our sole discretion, believe that:
3.5.1 the Service is being used for spam, junk mail, unsolicited or unauthorised advertising, or
3.5.2 you are breaching these terms in any other way,
then we may decide (in our sole discretion) to suspend or terminate the Service and no refund to you of any service fee or other payments will be made.
3.6 We have the right, at our sole discretion, to remove the details of any Recipient from the List supplied by you (under clause 4.9.1 below), for whatever reason (including but not limited to, if we should receive any complaint from a Recipient in respect of any Email received by them).
3.7 We will make reasonable efforts to protect and backup data for you at least once every 24 hours.
3.8 We will not be liable for any lost, corrupted or destroyed data as a result of any suspension or interruption to the Service caused by our providing such a backup service or caused by the failure for whatever reason of any such backup service.
3.9 We do not guarantee the accuracy or regularity of the backup service. You are also responsible for taking your own backups (via CSV download) in connection with your use of the Service and you are solely responsible for an independent backup of data stored on your or any third party providers’ server and network. The retrieving of back up files by us may be charged as an Additional Item.
3.10 When we process any personal data on your behalf whilst performing our obligations under this Agreement, we shall process the personal data only in accordance with the data protection obligations, as set out in the Schedule to this Contract.
3.11 Notwithstanding any other provision of this Contract, including but not limited to the data processing obligations in the Schedule, we reserve the right to delete all the data that you have given us no earlier than 90 days after the end of this Contract.
4. YOUR OBLIGATIONS
4.1 You will be solely responsible for the Content of the Emails sent using the Service and for selecting the Recipients. You undertake that the Service shall not be used directly or indirectly for any Unlawful purpose and that the Content shall not be Unlawful. For the purpose of this Contract the term “Unlawful” means in breach of any law, or regulations in force, from time to time in any jurisdiction and shall include but is not limited to: –
4.1.1 civil and criminal offences of copyright and trademark infringement;
4.1.2 transmission or display or posting of abusive, indecent, obscene or pornographic material;
4.1.3 commission of any criminal offence (including deliberate transmission of computer viruses) including, but not limited to, under the Computer Misuse Act 1990 or similar legislation in any country;
4.1.4 any transmission or display or posting of any material which is defamatory, libellous, offensive, abusive, or menacing in character or which causes annoyance, inconvenience or needless anxiety to any other person;
4.1.5 transmission or display or posting of any material in breach of the Data Protection Legislation or the Privacy Electronic Communication (EC Directive) Regulations 2003 (each as amended) or similar legislation in any other country, or of any material which is confidential or is a trade secret;
4.1.6 use of the service in any manner which is a violation or infringement of the rights of any one within the United Kingdom and elsewhere;
4.1.7 the use of the Service for purposes generally deemed to be unacceptable, including spamming, hacking, phreaking, password cracking, pirated software, ROMS, emulators, or IP spoofing or providing “links” or “how to” information to such material; and
4.1.8 the use of the Service for distributing misleading information or a misrepresentation.
4.2 You accept that you are the data controller for the purposes of the Data Protection Legislation in respect of any personal data about a Recipient that we process in the course of providing the Service and you shall be solely responsible for the use of the Recipient’s personal data under this Contract. It is your obligation to ensure that you comply fully with the Data Protection Legislation, including that you have a lawful basis for collecting and using the Recipient’s personal data. We both acknowledge that the personal data used under this Contract is collected and processed for the purposes of your business and Customer Thermometer has no control over or information as to the relationship with the data subject, which remain matters solely within your control. We are not liable or responsible for the accuracy or use of such personal data.
4.3 You warrant that our processing of any personal data in accordance with this Agreement and your instructions under it will not infringe or breach any rights of any data subject or be other than in accordance with the Data Protection Legislation.
4.4 We do not accept and shall have no responsibility, or liability, for the Recipient’s personal data or the Content of the Emails sent using the Service or for sending them to Recipients in accordance with the terms of the Contract and you will indemnify us against all and any damages, claims, expenses, losses and costs that we may incur as a result of any breach of clause 4.1 to 4.3 above and Schedule 1.
4.5 You will ensure that the Content supplied to us complies with all laws, regulations and requirements, in place from time to time, of any country from which it can be accessed and you will indemnify us against all and any damages, claims, expenses, losses and costs that we may incur as a result of any breach of this clause by you.
4.6 We reserve the right to monitor any and all communications passing through the Server in connection with the Service, at all times.
4.7 If the Service is used or we have reasonable cause to believe that it is being used for any Unlawful use we may either suspend or terminate the Service immediately and at the same time as suspension or termination occurs, we shall, if it is lawful to do so, notify you.
4.8 You shall comply with our policies which are in place from time to time in respect of the Service. You further agree to keep your password and other access details for use with the Service confidential and restricted to those members of staff who need to know such details and shall ensure all such staff are aware of the confidential nature of such information. You are solely responsible for all activities that occur under your password or on or via your Customer Thermometer account. You shall notify us without undue delay if you believe that your password and other access details for use with the Service are no longer secret.
4.9 You agree to undertake the following, from time to time, in relation to the Service:
4.9.1 the supply, in a timely manner, to us with full and accurate details (including but not limited to, names and email addresses) of all Recipients of the Emails (the “List”);
4.9.2 to supply, in a timely manner, the content, images, designs and any other information you reasonably require to be sent by us in the Emails (the “Content”); and
4.9.3 to instruct us as to when the Emails are to be sent to the Recipients.
4.10 Any date given by us to you about the Service and in particular the sending of Emails to Recipients shall be conditional upon our receiving from you the List, Content and any other information for any Emails in a final form from you, within any timescales specified by us (from time to time). Any delay in your providing such List, Content and any other information will result in our receiving an equivalent extension of time to estimated dates given for sending such Emails.
4.11 Where you submit the Content to us under clause 4.9.2, you:
4.11.1 warrant that such Content is your own original work and/or owned by you and that you have the right to make it available to us for the purpose of the Service and that the Content is and will continue to remain accurate, comprehensive and up-to-date and is not Unlawful;
4.11.2 indemnify us against all legal fees, damages, claims and other expenses that may be incurred by us as a result of your breaching clause 4.11.1;
4.11.3 agree to waive any moral rights in the Content for the purposes of its submission to Recipients as an Email; and
4.11.4 acknowledge and agree that such Content may be copied or downloaded by any Recipients.
4.12 Where you submit Content to us (including without limitation any text or graphics) you are required by such submission to grant to us a perpetual, royalty-free, non-exclusive, sub-licensable right and licence to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, and exercise all copyright and publicity rights with respect to any such work worldwide.
4.13 You accept that you are responsible for dealing with and responding appropriately to any complaints of whatever nature made by any Recipient to us and we do not accept and shall have no responsibility, or liability, for any such complaints made.
4.14 You shall not use the Service for the purposes of spam, junk mail, unsolicited or unauthorised advertising.
4.15 You agree to comply with our Anti-Spam policy, as published on our website from time to time.
5. TERM AND PRICE
5.1 This Contract will continue for an initial term of 1 month (or as otherwise previously specified in our order form or any other applicable documents which forms part of the Contract) (“the Term”) and, subject to clause 6.1, the Contract will then continue until and unless either party terminates the Contract by serving one month’s written notice on the other party.
5.2 The service fee for the Service shall remain in force for the duration of the Term. After that time, we reserve the right at our sole discretion to increase the service fee from time to time after providing you with one month’s written notice of the service fees increase.
5.3 You shall pay the service fee by recurring credit or debit card payment on the due date as set out in writing by us from time to time. If your subscription fails for any reason, then we reserve the right, notwithstanding any other rights or remedies that we may have, to charge an administration fee.
5.4 Time for payment shall be of the essence for the Contract. We reserve the right to suspend the Service or terminate the Contract immediately if the service fee is not received within 7 days of the due date. Any amounts due up to the point of suspension or termination will remain due and payable as if no suspension or termination had occurred.
5.5 If all or part of the price or service fee for the Contract or charges for any Additional Items remain unpaid after the due date we shall be entitled to charge interest on any unpaid balance at 4% above Barclays Bank plc lending base rate for the time being, such interest being due and payable in full together with the unpaid balance.
5.6 Unless otherwise expressly stated by us, all prices or service fee given by us to you under the Contract shall be exclusive of VAT.
6. TERMINATION
6.1 We shall be entitled to terminate the Contract forthwith and recover all losses or damage resulting to us (including but without limitation to loss of profit or other consequential loss) if:
6.1.1 You have a bankruptcy petition presented against you, or a bankruptcy order is made, if you make or seek to make any composition or arrangement with your creditors, if you make a proposal to your creditors for a voluntary arrangement or apply for an interim order, if an encumbrancer takes possession of any of your assets, or any of your assets are taken in execution or process of law, if a petition is presented or an order is made or a resolution is passed for your winding up, if a petition is presented or an order is made for an administration order to be made in relation to you, or if a receiver or administrative receiver is appointed over any of your assets (or any analogous event occurs to you in any jurisdiction); or
6.1.2 you fail to make any payment owed to us on the due date as specified in Clause 5;
6.1.3 you are in breach of any contract with us (including this Contract) and, if it is capable of remedy, you fail to remedy it within seven working days of written notice requiring it or immediately if the breach shall not be capable of remedy.
6.2 Termination shall be without prejudice to the rights of either party accrued at the date of such termination.
6.3 Upon termination:
6.3.1 the account may be deleted from our server, unless agreed otherwise by the parties;
6.3.2 all service fees shall immediately become due and payable to us; and
6.3.3 we shall be under no obligation to retain any data (including the Lists) and, provided always that we comply with the requirements of the Data Protection Legislation, we may delete such data as we deem appropriate.
7. INTELLECTUAL PROPERTY
7.1 All intellectual property rights, including copyright, in all software that is supplied or used by us remains either our property or that of our licensor.
7.2 You shall indemnify and keep us indemnified from and against the consequences of our suffering any claims of infringements of any intellectual property rights, including copyrights, patents, trademarks, industrial designs, database rights or other property rights arising from the provision of the Service.
7.3 In the event that any such infringement occurs or may occur, you may request us to modify and / or amend the account content or infringing part so that it becomes non-infringing and if we agree to modify and / or amend the account content we shall be entitled to charge for the additional cost for making the modifications and /or amendments which shall be chargeable at our then current hourly rate.
7.4 You warrant that you have obtained (and for future use, will obtain) all necessary consents, approvals and licences from any third party who has intellectual property rights incorporated as part of the Email, whether now or in the future.
8. PERFORMANCE AND FORCE MAJEURE
8.1 We shall take all reasonable steps to perform our obligations under the Contract. We shall not be liable for suspension or interruptions to the Service and any suspension or interruption shall not entitle you to terminate the Contract, subject to clause 3.4.
8.2 Without prejudice to the generality of Clause 8.1, we shall have no liability for any delay or default in performance of any obligation caused directly or indirectly by breakdown or unavailability of computer hardware, software, viruses, hackers, errors, interruptions, bugs, telecoms connections or power supply or any other cause or causes beyond our control.
9. EXEMPTIONS AND EXCLUSIONS
9.1 We shall not be liable to you for any loss, injury or damage whatsoever or howsoever caused arising directly or indirectly in connection with the Contract, or the Service (including, without limitation, arising out of or in connection with any misuse of data by an unauthorised third party) except as specified in Clause 9.3 or to the extent to which it is otherwise unlawful to exclude such liability.
9.2 Notwithstanding the generality of 9.1 above, we expressly exclude liability for consequential loss, indirect damages, or loss of or corruption to software or data, or for loss of profit, business, revenue, goodwill or anticipated savings.
9.3 We do not restrict our liability for death or personal injury to the extent that it results from our negligence, or anything else that we are prevented by law from excluding.
9.4 To the extent that we are held legally liable to you for any single Transgression, our liability for it shall not exceed the value of the Contract. A number of Transgressions whether successive or concurrent, which together result in or contribute to substantially the same loss or damage shall be treated as a single Transgression.
10. NON-SOLICITATION OF STAFF
10.1 You undertake that you shall not during this Agreement and for a period of one year following its expiry or termination employ or contract the services of any person who is or was employed or engaged by us in connection with the Contract.
11. WAIVER
11.1 Failure or neglect by us to enforce at any time any of these provisions shall not be construed nor shall be deemed to be a waiver of our rights nor in any way affect the validity of the whole or any part of this Agreement nor prejudice our rights to take subsequent action.
12. NOTICES
Any notice required under the Contract shall be deemed served if sent by registered or recorded delivery post or by facsimile or e-mail addressed to the party for whom it is intended at such party’s registered or main office or last known address and shall be deemed to have been served 48 hours after the date of posting or 12 hours after the time of transmission if by e-mail.
13. LEGAL CONSTRUCTION, INTERPRETATION AND LIMITS OF THE CONTRACT
13.1 The Contract shall be governed by English Law and shall be subject to the jurisdiction of the English Courts. The text of this Contract and these Terms written in the English language is the authentic text and any difficulties or uncertainties arising shall be solved solely by reference to that text.
13.2 Save for statements or representations confirmed in writing in this Contract, no oral statements of whatsoever nature and by whomsoever made shall form part of the Contract. In contracting with us you acknowledge that you have not relied on any oral statements or representations made to you save those confirmed as described above.
13.3 Clause headings are for convenience only and do not affect the construction of this document.
13.4 The Contract and the documents referred to in it constitute the entire agreement and understanding of the parties in respect of its subject matter and supersedes and extinguishes any previous agreement, understanding, undertaking, representation, warranty and arrangement between them relating to the Service, save that nothing in the Contract shall operate to limit or exclude any liability for fraud.
Schedule 1 – Data Processing Agreement (SCCs)
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) You are the Data Controller and we are the Data Processor for the purposes of this Schedule and the Data Protection Legislation. The parties have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
(c) These Clauses apply to the processing of personal data as specified in Annex I.
(d) Annexes I to III are an integral part of the Clauses.
(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2
Invariability of the Clauses
(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.
Clause 3
Interpretation
(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 respectively.
(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or in a way that prejudices the fundamental rights or freedoms of the data subjects.
Clause 4
Hierarchy
In the event of a contradiction between these Clauses and the provisions of the Terms between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
SECTION II
OBLIGATIONS OF THE PARTIES
Clause 5
Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on your behalf, are specified in Annex I.
Clause 6
Obligations of the Parties
6.1. Instructions
(a) We shall process personal data only on your documented instructions, unless required to do so by UK, Union or Member State law to which we are subject. In this case, we shall inform you of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by you throughout the duration of the processing of personal data. These instructions shall always be documented. For this purpose, you specifically agree to our processing of your personal data as stated in this Schedule.
(b) We shall immediately inform you if, in our opinion, instructions given by you infringe Regulation (EU) 2016/679 / Regulation (EU) 2018/1725 or the applicable UK, Union or Member State data protection provisions.
6.2. Purpose limitation
We shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless we receive further instructions from you.
6.3. Duration of the processing of personal data
Processing by us shall only take place for the duration specified in Annex I.
6.4. Security of processing
(a) We shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) We shall grant access to the personal data undergoing processing to members of our personnel (including contractors and representatives) only to the extent strictly necessary for implementing, managing and monitoring of the contract. We shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards. We do not expect or need to receive or process any such sensitive data under the Terms.
6.6. Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) We shall deal promptly and adequately with inquiries from you about the processing of data in accordance with these Clauses.
(c) We shall make available to you all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At your request, we shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance.
(d) You may choose to conduct the audit by yourself or mandate an independent auditor. Audits may also include inspections at our premises or physical facilities and shall, where appropriate, be carried out with reasonable notice and subject always to the duty of confidentiality.
(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.
6.7. Use of sub-processors
(a) You authorise us to engage sub-processors listed in Annex III. We shall inform you in writing of any intended changes of that list through the addition or replacement of sub-processors at least 10 days in advance, thereby giving you sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). We shall provide you with the information necessary to enable us to exercise the right to object. In emergencies (such as failure of a third party data centre) we may appoint a new sub-processor immediately to protect your personal data and ensure continuity of the Service in which case we will notify you as soon as practically possible.
(b) Where we engage a sub-processor for carrying out specific processing activities (on your behalf), we shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on us in accordance with these Clauses. We shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) At your request, we shall provide to you a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secret or other confidential information, including personal data, we may redact the text of the agreement prior to sharing the copy.
(d) We shall remain fully responsible to you for the performance of the sub-processor’s obligations in accordance with its contract with us. We shall notify you of any failure by the sub-processor to fulfil its contractual obligations.
(e) We shall agree a third party beneficiary clause with the sub-processor whereby – in the event we have factually disappeared, ceased to exist in law or have become insolvent – you shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return any personal data it has stored or retained.
6.8. International transfers
(a) Any transfer by us of personal data to a third country or an international organisation that is not recognised by the UK or under GDPR as having adequate safeguards in place with respect to your personal data shall be done only on the basis of documented instructions from you or in order to fulfil a specific requirement under UK, Union or Member State law to which we are subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725. For this purpose, the parties agree to the Standard Contractual Clauses to comply with Regulation (EU) 2016/679 as set out under the Data Protection Legislation to the extent that any of your personal data is transferred to a country outside the UK or EEA that is not deemed by the European Union to have adequate safeguards in place.
Clause 7
Assistance to the controller
(a) We shall promptly notify you of any request we have received from a data subject. We shall not respond to the request itself, unless authorised to do so by you.
(b) We shall assist you in fulfilling your obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling our obligations in accordance with (a) and (b), we shall comply with your instructions.
(c) In addition to our obligation to assist you pursuant to Clause 7(b), we shall furthermore assist you in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to us:
- (1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- (2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;
- (3) the obligation to ensure that personal data is accurate and up to date, by informing you without delay if we become aware that the personal data we are processing is inaccurate or has become outdated;
- (4) the obligations in Article 32 of Regulation (EU) 2016/679.
(d) The Parties shall set out in Annex II the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.
Clause 8
Notification of personal data breach
In the event of a personal data breach, we shall cooperate with and assist you to comply with your obligations under the UK Data Protection Legislation and/or Articles 33 and 34 of Regulation (EU) 2016/679 or under Articles 34 and 35 of Regulation (EU) 2018/1725, where applicable, taking into account the nature of processing and the information available to us.
8.1 Data breach concerning data processed by the controller
In the event of a personal data breach concerning data processed by you, we shall assist you:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after you have become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which, pursuant to UK Data Protection Legislation or Article 33(3) of Regulation (EU) 2016/679 shall be stated in your notification, and must at least include:
- (1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- (2) the likely consequences of the personal data breach;
- (3) the measures taken or proposed to be taken by you to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying, pursuant to UK Data Protection Legislation or Article 34 of Regulation (EU) 2016/679 with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
8.2 Data breach concerning data processed by the processor
In the event of a personal data breach concerning data processed by us, we shall notify you without undue delay after we become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Annex II all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under UK Data Protection Legislation or Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 9
Non-compliance with the Clauses and termination
(a) Without prejudice to any provisions of UK Data Protection Legislation and Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, in the event that we are in breach of our obligations under these Clauses, you may instruct us to suspend the processing of personal data until we comply with these Clauses or the contract is terminated. We shall promptly inform you in case we are unable to comply with these Clauses, for whatever reason.
(b) You shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:
- (1) the processing of personal data by us has been suspended by you pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;
- (2) We are in substantial or persistent breach of these Clauses or our obligations under UK Data Protection Legislation or Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- (3) We fail to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding our obligations pursuant to these Clauses or to UK Data Protection Legislation or Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(c) We shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed you that your instructions infringe applicable legal requirements in accordance with Clause 6.1 (b), you insist on compliance with the instructions.
(d) Following termination of the contract, we shall, at your choice, delete all personal data processed on your behalf and certify that we have done so, or, return all the personal data to you and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, we shall continue to ensure compliance with these Clauses.
ANNEX I
Processing Services
SCOPE OF PROCESSING | We will process Personal Data provided by you to us or collected by us in order to manage your account with us. We will process the Personal Data for the duration of the period in which we provide the Service to you. |
PURPOSE OF PROCESSING | We will process the Personal Data provided by you or your affiliates in order to administer and provide the Service. |
CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED |
Personal Data provided by you to us or collected by us in order to manage your account. This includes the following:
• Customer name.
• Customer email address.
• Customer business address.
• Customer telephone number.
• Customer credit card information.
• Credit card name.
• Credit card type.
• Credit card expiry date.
• Credit card number.
Where you log a technical support case, we will process the name and contact details of the user logging the case and the other users involved in the case.
If we are provided access to email or other content by you (with your express permission having been granted), we will have access to any Personal Data set out in that email including satisfaction level and other information as included in the survey by you (as data controller).
Personal Data provided by you to us or collected by us in order to provide the Service. This includes the following data:
• Users’ First, Last and Full name.
• Users’ email address.
• Users’ email / ticket subject line and content information
• Users’ company or other company details.
• Users’ IP address (and Geolocation based on their IP address)
• Any other information that you expose to us |
NATURE OF PROCESSING | Personal Data provided by you to us or collected by us in order to manage your account is stored for the duration of your relationship with us as per the current subscription Contract. Where you log a technical support case, the data relating to the case is stored within our CRM. |
SUBPROCESSORS | The data centre that runs the Customer Thermometer platform service is owned and operated by a sub-processor named in Annex III. |
DURATION OF PROCESSING | Only for the duration of your subscription to the Service |
CONTACT | [email protected] |
ANNEX II
Description of the technical and organisational security measures implemented by Customer Thermometer:
Security Requirement | Implemented security measures |
1. Physical access control measures to prevent unauthorized persons from gaining access to Processing systems or premises where Personal Data are Processed or used. | Card access control system with documentation of key holders. Security patrolled business park. Physical security service inside building. Burglar alarm system. CCTV. Locked server room with authorized personnel access only. |
2. Access control measures to prevent Processing systems from being used without authorization. Including Importer’s representatives access permissions segregation to Processing systems and Personal Data such as read, copy, modify, delete. | Individual user log-in to corporate network. All development, staging, production systems are located within secure Data Centres. Access to production level infrastructure per tenancy is limited to secure certificate endpoint. Processor’s password policy procedures are regulated by Password Policy. Automatic password-protected blocking of computer after a certain period of time without user activity. |
3. Transmission control measures taken by Importer and Exporter to ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Information by means of data transmission facilities is envisaged. | Encrypted access via TLS. Hard drive encryption of all processor employee machines used to facilitate business performance protected by Bitlocker. Locked server room at Processor’s premises with authorized personnel access only. |
4. Describe the measures of input control to ensure that it is possible to check and establish whether and by whom Personal Data have been entered into Processing systems, modified or removed. | Access rights. Functional responsibilities. |
5. Assignment control measures Importer takes to ensure that, in the case of commissioned Processing, the Personal Information are Processed strictly in accordance with the instructions of the principal. | Training of all Processor’s representatives involved in Personal Data Processing for technical and organizational security measures. Follow-up training at regular intervals. Specific clauses in Contractor/Employment agreements with all Processor’s representatives, such as: The Right for Work Results, Confidentiality, Policies and work processes, Non-compete, Non Disclosure. Appointment of contact person in charge of data protection ([email protected]). |
6. Availability control measures Importer applies to ensure that Personal Data are protected from accidental destruction or loss. | Replication/Back-up processes. Active/Active and regional Data Centres. Centralized virus protection and firewall at Processor’s infrastructure. Air conditioning for work and server/network environment. Fire alarm system. Burglar alarm system. CCTV. Contingency plans. |
ANNEX III
List of sub-processors
The controller has authorised the use of the following sub-processors:
No. | Name of subcontractor | Subcontractor Address |
1. | Microsoft Operations Limited | 70 Sir John Rogerson’s Quay, Dublin 2 D02R296 IRELAND |
2. | Rapidswitch, iomart Hosting Ltd | RapidSwitch, Spectrum House, Clivemont Road, Maidenhead, SL6 7FW UNITED KINGDOM |
3. | Cloudflare | 101 Townsend Street San Francisco, CA 94107 USA |
4. | Socketlabs | SocketLabs Acquisition, LLC, 700 Turner Industrial Way, Suite 100 Aston, PA 19014 USA |
5. | Salesforce UK Limited | Floor 26, Salesforce Tower, 110 Bishopsgate, London EC2N 4AY UNITED KINGDOM |
6. | Stripe | Stripe Payments Europe Limited C/O A & L Goodbody, Ifsc, North Wall Quay Dublin D01 H104, Ireland |
7. | Recurly | 400 Alabama Street, Suite 202 San Francisco, CA 94110 USA |