Pursuant to the European General Data Protection Regulation (2016/679), a new article entitled « Protection of Personal Data » is added as of May 25, 2018 to any agreement in force between Interbyte and the Customer. Except any other written agreement between the Parties regarding the compliance of the agreement with GDPR, this article replaces any other article of the agreement relating to privacy and protection of personal data as of that date.
1.1.1. The data protection related concepts used in this article 1 shall have the meaning given to them in the Data Protection Legislation.
1.1.2. The Customer (i) represents and warrants that it complies and undertakes to continue to comply with the national laws implementing the Data Protection Directive (95/46/EC) until 24 May 2018 and (ii) undertakes to comply with the General Data Protection Regulation (2016/679) as of 25 May 2018 and (iii) undertakes to comply with the national laws implementing the Directive on Privacy and Electronic Communications (the legislation referred to under (i) , (ii) and (iii) above being jointly referred to as the "Data Protection Legislation").
1.1.3. Interbyte will comply with the Data Protection Legislation when processing information relating to an identified or identifiable natural person in its performance of this Agreement (referred to as 'personal data' under the Data Protection Legislation).
Interbyte processes personal data relating to its Customers (and their fellow users and end users where applicable), e.g. identification data, contact data, data on the Customer's use of Interbyte's products and services, data on the Customer's communication traffic, billing and payment data, and technical data. In this context, Interbyte acts as a data controller. The data is processed for the following purposes:
Interbyte's files may be accessible to third parties who work in the name or on behalf of Interbyte.
In the cases stipulated by law, Interbyte shall hand over Customer data if requested to do so by the government services.
The Customer has the right to access, correct and delete any data that relates to him.
The data relating to Customers who have terminated their contracts with Interbyte can be used by Interbyte to inform them of the Interbyte products and services, unless the Customer objects to this.
Interbyte hereby delegates to the Customer, which agrees, to carry out the following obligations of Interbyte under the Data Protection Legislation. In particular, the Customer shall:
1.3.1. Where Customer (or its data controllers if the Customer is not the data controller) provides personal data to Interbyte in connection with its use of the Products/Services and requests Interbyte to process personal data on behalf of the Customer (or of the Customer's data controllers) for the sole purpose of providing the Customer with the Products/Services, the Customer shall act as data controller in relation to the processing of these personal data and Interbyte shall act as a data processor regarding these personal data.
1.3.2. The Customer shall ensure the rights and obligations of the Parties under this Article 1 are appropriately reflected towards its data controllers it allows to make use of the Products/Services. The Parties agree that Customer shall act as the sole point of contact for Interbyte, either in its capacity as data controller or on behalf of its data controllers. All references to Customer rights and obligations under this Article 1 shall be deemed to include the respective data controllers of the Customer to the extent applicable.
The personal data made available by the Customer might relate to the following types of data subjects: its own customers, employees, workers, agents, representatives, consultants or other third parties.
The personal data might include the following categories of data:
With regard to these personal data of the Customer (or its data controllers) will have the rights and obligations a data controller as set out in the Data Protection Legislation.
1.3.3. Interbyte shall process or transfer the personal data in accordance with Customer's documented instructions, unless Interbyte is required to otherwise process or transfer the personal data under the laws of the European Union or one of its Member States. Where such a requirement is placed on Interbyte, Interbyte shall provide prior notice to the Customer, unless the law prohibits such notice on important grounds of public interest. The Agreement, including this article, is the Customer's complete instruction to Interbyte in this respect. All additional or alternative instructions must be agreed upon in writing by the Parties.
1.3.4. Interbyte shall treat the personal data as strictly confidential and ensure that any natural person acting under its authority who has access to the personal data (i) commits himself/herself to confidentiality or is under an appropriate statutory obligation of confidentiality and (ii) does not process the personal data except on instructions from the Customer, unless he/she is required to otherwise process or transfer the personal data under the laws of the European Union or one of its Member States.
1.3.5. Irrespective of where Interbyte receives or holds the personal data, Interbyte shall take the technical and organizational measures agreed in this Agreement to ensure a level of security appropriate to the risks that are presented by the processing (in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, use or access and against all other unlawful forms of processing) and taking into account the state of the art, the costs of implementation and the nature of the personal data and the potential risks.
1.3.6. If Interbyte detects a personal data breach affecting the personal data in the framework of the performance of the Agreement, Interbyte shall inform the Customer about the breach without undue delay.
1.3.7. At the request of the Customer and taking into account the nature of the processing as well as the information available to Interbyte, Interbyte shall provide insofar as possible reasonable assistance to the Customer in:
Interbyte reserves the right to claim a reasonable compensation for this assistance.
1.3.8. At the request of the Customer, Interbyte shall provide all information necessary to demonstrate compliance with this article 1.3 as well as to contribute reasonable demands for audits conducted by the Customer or another independent auditor mandated by the Customer. Advance notice of at least 60 (sixty) Calendar days is required, unless applicable Data Protection Law requires earlier audit. In case of an audit, Customer will bear its own expense and the cost of Interbyte's internal resources required to conduct the audit. Audits will be limited to data privacy aspects and to a maximum of 3 Business days and will only be allowed during Business Hours without impact on the Interbyte business. Interbyte and the Customer agree to limit the audits to a strict minimum and with a maximum of once every 2 year, unless serious reasons for an earlier audit would exist or if a data protection authority would require so. Certifications and existing audit reports will be used to avoid audits. If any audit reveals that Interbyte is, or that the Products/Services are, not in compliance with the provisions of this Agreement and/or Data Protection Legislation, the exclusive remedy of the Customer, and the exclusive obligation of Interbyte shall be that: (i) the Parties will discuss such finding, and (ii) Interbyte shall take, at its own cost, all corrective actions, including any temporary workarounds, it deems necessary to comply with the provisions of this and/or Data Protection Legislation. Interbyte may charge the Customer for any corrective actions if the corrective actions were required due to changes of Data Protection Legislation.
1.3.9. The Customer hereby provides a general written authorisation to Interbyte to engage subcontractors for the processing of the personal data (i) to the extent necessary to fulfil its contractual obligations under the Agreement and (ii) as long as Interbyte remains responsible for any acts or omissions of its subcontractors in the same manner as for its own acts and omissions hereunder. Interbyte shall inform the Customer of any intended addition or replacement of other processors, giving the Customer the opportunity to object to such changes. If the Customer has a legitimate reason for objection that relates to the processing of personal data, Interbyte may not be in a position to continue to provide the Service to the Customer and shall in such case be entitled to terminate this Agreement. Where Interbyte engages another processor under this Article, Interbyte shall ensure that the obligations set out in this article 1.3. are imposed on that other processor by way of a written contract.
1.3.10. Interbyte shall be entitled to transfer the personal data to a country located outside the European Economic Area which has not been recognised by the European Commission as ensuring an adequate level of data protection, if Interbyte (i) has provided appropriate safeguards in accordance with the Data Protection Legislation or (ii) can rely on a derogation foreseen by the Data Protection Legislation enabling such transfer. The Customer shall from time to time execute such documents and perform such acts as Interbyte may reasonably require to implement any such appropriate safeguards.
1.3.11. At the end of the Agreement, Interbyte will delete the personal data (unless the law requires further storage of the personal data) or, if requested by the Customer, return it to the Customer or give the Customer the possibility to extract the personal data.
1.3.12. If any request of the Customer under this article 1.3 requires Interbyte to take additional steps beyond those directly imposed on Interbyte by the Data Protection Legislation, the Customer shall reimburse Interbyte for any costs incurred by Interbyte for taking such additional steps.
1.3.13. The breach of any Data Protection Legislation by Interbyte shall be deemed as Interbyte's Fault only if Interbyte has acted outside or contrary to lawful instructions of the Customer.
pdf version of the GDPR addendum.
In the case of differences and/or contradictions between this version and the pdf version of this addendum, the pdf version will precede over this version.