Genetec Cloud Services - Data Processing Addendum
This Data Processing Addendum (“DPA”) to the Subscriber Terms of Service (“Terms of Service”) sets out the additional terms and conditions under which Genetec Inc. (referred to as “Genetec”, “we”, “us” or “our”) and its customer (either you as a an individual, or the legal entity that you represent and have the full power and authority to bind contractually, as applicable; referred to as the “Subscriber”, “you”, “your” or “yours”) agree to share the responsibility for the processing of any Personal Data (as such terms are defined below) in relation to the Subscriber’s access and use of Genetec’s Cloud Services provided to the Subscriber under the Terms of Service.
Application of the Terms of Service.
1.1. This DPA is deemed part of the Terms of Services, and is incorporated therein by reference (and therefore apply to Subscriber upon Subscriber’s acceptance of the Terms of Service, without need for the Subscriber to take any further action) in the following events: (i) if Subscriber will use the Cloud Service in the territory of any member state of the European Economic Area (each a “Member State”), or (ii) if, in relation to Subscriber’s use of the Cloud Service, Subscriber and/or Genetec will collect, use or otherwise process personal data of residents of any Member State.1.2. In the events not covered in clause 1.1 above, if Subscriber nonetheless desires for the terms of this DPA to apply with regards to its use of the Cloud Services, Subscriber shall direct Genetec to enter into the DPA by completing the required information in the form version of this DPA (available at www.genetec.com/legal/clouddpaform), countersigning it, and sharing the fully-signed version with Genetec by sending it to [email protected]. Upon its receipt by Genetec, the terms of the DPA will be deemed incorporated to these Terms of Service, and be binding upon the parties.
1.3. In the event of any conflict or inconsistency between the provisions of the DPA and those of the Terms of Service, the provisions of the Terms of Service will take precedence.
1.4. Once incorporated into the Terms of Service, this DPA applies if and to the extent that Genetec is Processing Submitted Data.
2.1. "Applicable Data Protection Laws" shall mean, as applicable: (a) the EU Data Protection Directive (Directive 95/46/EC) (prior to May 25, 2018); and the EU General Data Protection Regulation (Regulation 2016/679) (on and after May 25, 2018) (the “EEA Data Protection Laws”; (b) the Protection of Personal Information of Residents of the Commonwealth of Massachusetts, codified at 201 CMR 17:00 et seq., and such other applicable data protection laws in the United States; and (c) the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) and such other applicable data protection laws in Canada.
2.2. "Controller", "Processor", "Sub-Processors", "Data Subject", "Personal Data", "Processing" (and "Process") and "Special Categories of Personal Data" shall have the meanings given in the EEA Data Protection Laws;
2.3. "Submitted Data" means any and all Personal Data that the Subscriber submits, uploads or otherwise stores on or through the Cloud Services, directly or indirectly by its users.
Relationship of the parties.
The parties hereby acknowledge and agree that as part of the Subscriber’s access and use of Genetec’s Cloud Services, the Subscriber will act as the Controller with respect to any Submitted Data submitted directly or on behalf of its users (acting as Controllers). The Subscriber appoints Genetec as a Processor to Process the Submitted Data on the Subscriber's behalf for the purposes and within the scope described in the Terms of Services and this DPA (or as otherwise agreed in writing by the parties). Each party shall comply with the obligations that apply to it under Applicable Data Protection Laws.
The Subscriber shall not disclose (and shall not permit any user to disclose) any Special Categories of Personal Data to Genetec for Processing.
Confidentiality of Processing.
Genetec shall ensure that any person it authorises to Process the Submitted Data shall treat and protect the Submitted Data as confidential information, and shall be under a duty of confidentiality (whether contractual or statutory).
Genetec shall implement appropriate technical and organisational measures to protect the Submitted Data from unlawful destruction, or unauthorised disclosure of or access to the Submitted Data (a "Security Incident") that are based on industry practices and the requirements of the Applicable Data Protection Laws.
The Subscriber consents to Genetec instructing third party Sub-Processors to process the Submitted Data for the purposes and within the scope described in the Terms of Service and this DPA, provided that: (i) Genetec maintains an up-to-date list of its Sub-Processors which shall be available to the Subscriber upon written request, which Genetec shall update with details of any change in Sub-Processors at least ten (10) days prior to any such change; (ii) Genetec imposes data protection terms on any Sub-Processor it appoints that require it to protect the Submitted Data to the standard required by Applicable Data Protection Laws; and (iii) Genetec remains liable for any breach of this clause that is caused by an act, error or omission of its Sub-Processor. The Subscriber may object to Genetec's appointment or replacement of a Sub-Processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, the Subscriber and Genetec will negotiate in good faith to try and resolve the issue. If not resolvable, Genetec will either not appoint or replace the Sub-Processor or, if this is not possible, the Subscriber may suspend or terminate its subscription to the Cloud Services and the Terms of Service with Genetec; provided that the Subscriber will remain responsible for any fees and charges associated with its access or use of the Cloud Services prior to such suspension or termination. Without restricting the generality of the above, the Subscriber acknowledges and agrees that Microsoft Corporation, in its capacity of provider of Genetec’s data centers used in the provision of Cloud Services, shall be appointed and act as a Sub-Processor of Genetec under the Terms of Service.
Cooperation and Data Subjects' Rights.
Genetec shall provide reasonable and timely assistance to the Subscriber (at the Subscriber's expense) to enable the Subscriber to support its users in responding to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject or regulator in connection with the Processing of the Submitted Data under this DPA. In the event that any such request, correspondence, enquiry or complaint is made directly to Genetec, Genetec shall promptly inform the Subscriber providing full details of the same.
Data Protection Impact Assessments.
Genetec shall provide reasonable cooperation to the Subscriber (at the Subscriber's expense) in connection with any data protection impact assessments or consultations with regulatory authorities that are required under the Applicable Data Protection Laws.
Genetec shall not transfer the Submitted Data of any residents of any Member State outside of the territory of the European Economic Area (“EEA”), unless it has taken such measures as are necessary to ensure the transfer is made in compliance with the EEA Data Protection Laws. Such measures may include (without limitation) transferring the Submitted Data to a recipient in a country that the European Commission has designated as providing adequate protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Laws, or that is certified under the EU-US Privacy Shield framework (or its equivalent), or to a recipient that has executed the “standard contractual clauses for the transfer of personal data to processors established in third countries” (as set out in European Commission Decision 2010/87/EU or its replacement).
If Genetec becomes aware of a confirmed Security Incident, Genetec shall inform the Subscriber without undue delay and shall provide reasonable information and cooperation to the Subscriber. Genetec shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep the Subscriber informed of all material developments in connection with the Security Incident.
Genetec shall destroy or return, at Subscriber's choice, all Submitted Data under its control upon the expiration or termination of the Terms of Service. This requirement shall not apply to the extent that Genetec is required by applicable law to retain some or all of the Submitted Data, or to Submitted Data it has archived on backup systems, which Genetec shall securely isolate and protect from any further Processing, except to the extent required by such law.
The Subscriber acknowledges that Genetec is regularly audited against ISO 27001 standards by independent third party auditors. Upon request Genetec shall supply a summary copy of its audit report(s) to the Subscriber, which reports shall be subject to the confidentiality and security provisions of the Terms of Service.
In the situations described in clause 1.1 above, this DPA will become effective immediately when the Terms of Service become effective and apply to the Subscriber, in accordance with the Terms of Service. Otherwise, in the situations described in clause 1.2 above, this DPA will become effective as of the date that Genetec receives the copy of this DPA countersigned by the Subscriber in accordance with such clause 1.2 above. In both cases, this DPA will remain in force and effect until the termination or expiration of the Terms of Service.
This Addendum may be modified in accordance with the terms of the Terms of Service.