For purposes of these GDPR Terms, Customer and DataRails agree that Customer is the controller of Personal Data and DataRails is the processor of such data. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by DataRails on behalf of Customer. These GDPR Terms do not limit or reduce any data protection commitments DataRails makes to Customer in the Service Level Agreement or other agreement between DataRails and Customer.
1. DataRails cloud services are provided by Microsoft. The DataRails licensing agreements for Microsoft cloud services include commitments to be GDPR compliant. You may find the Microsoft’s contractual commitments with regard to the GDPR in the Online Services Terms found in this link. The GDPR Terms commit Microsoft to the requirements on processors in GDPR Article 28 and other Articles of GDPR. (The GDPR Terms are in Attachment 4 to the Online Services Terms, at the end of the document).
2. DataRails processes the following personal data: First Name, Last Name, Work email address.
1. DataRails shall not engage another processor without prior specific or general written authorization of Customer. In the case of general written authorization, DataRails shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes. (Article 28(2) of the GDPR)
2. Processing by DataRails shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on DataRails with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in these GDPR Terms. In particular, DataRails shall:
(a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which DataRails is subject; in such a case, DataRails shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) take all measures required pursuant to Article 32 of the GDPR;
(d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
(e) Considering the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
(f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to DataRails;
(g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
(h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
DataRails shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3) of the GDPR)
3. Where DataRails engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, DataRails shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4) of the GDPR)
4. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and DataRails shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymization and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1) of the GDPR)
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2) of the GDPR)
6. Customer and DataRails shall take steps to ensure that any natural person acting under the authority of Customer or DataRails who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4) of the GDPR)
7. DataRails shall notify Customer without undue delay after becoming aware of a personal data breach. (Article 33(2) of the GDPR). Such notification will include that information a processor must provide to a controller under Article 33(3) of the GDPR to the extent such information is reasonably available to DataRails.