ANNEX: DATA PROCESSING

1. DATA PROCESSING

1.1 Scope. Whilst providing certain SERVICES, WE (acting in capacity as processor), will/may carry out acts of processing (the PROCESSING) on personal data (the DATA, whether the DATA relates to YOUR customers, prospects, business partners, employees or related third parties, together the DATA SUBJECTS) on behalf Apple made easy of YOU (acting in capacity as data controller). This ANNEX does apply to acts of processing carried out by US in capacity as independent controller (e.g., as for everyone required to manage the CONTRACT, for billing and accounting purposes, or as required for compliance with legal obligations applicable to US). Personal data, processing, controller and processor have the same meaning in this ANNEX as in the EU GENERAL DATA PROTECTION REGULATION 679/2016 (or its successors).

1.2 Processing. By ordering relevant SERVICES, YOU have requested US to carry out the acts of PROCESSING on the DATA that are necessary to provide the SERVICES or otherwise comply with OUR obligations under the CONTRACT. The PROCESSING will:

a. be applied to DATA which are/will be/have been provided by YOU to US, or by US to YOU as the case may be, in the context of the SERVICES, and any other DATA category YOU may instruct US to process from time to time, and

b. include the acts of processing detailed in the CONTRACT or related documentation and any other acts of processing YOU may instruct US to carry out from time to time through documented instructions.

1.3 OUR obligations.

a. WE undertake neither to perform any act of PROCESSING nor to process the DATA for purposes other than delivering the SERVICES, performing its obligations under the CONTRACT, complying with applicable law or otherwise as instructed by YOU through documented instructions.

b. WE undertake to assist YOU to the best of OUR ability in responding to:

i. personal data protection statutory or regulatory requirements applicable to YOU (such as, data protection impact assessments),
ii. DATA SUBJECTS’ requests or exercise of their statutory rights on their DATA,
iii. YOUR requests for information on the PROCESSING and its conditions,
iv. YOUR auditors’ requests, audits or inspections, and
v. YOUR local authorities’ (including data protection authority’s) queries or audits.

In such case, WE may charge additional fees (on a time and material basis based on OUR then currently applicable tariffs) and expenses.

2. SUBPROCESSING

2.1 Principle. WE may use contractors (SUBPROCESSORS) whilst delivering SERVICES, who may take part in the PROCESSING. SUBPROCESSORS are mentioned either in the CONTRACT and/or on OUR website.

2.2 Change. WE may change or appoint SUBPROCESSORS at any time subject to:

a. informing YOU through a NOTICE at least 1 (one) month in advance, and

b. YOUR not objecting against such appointment (on reasonable grounds) within 2 (two) weeks of such NOTICE. In case of objection, WE reserve the right to terminate the relevant SERVICE.

3. SECURITY, CONFIDENTIALITY

3.1 Principle. WE undertake to, and procure that SUBPROCESSORS will, use exclusively personnel subject to a contractual or statutory confidentiality duty.

3.2 Security measures. WE undertake to implement and maintain at all times, throughout the duration of the PROCESSING, technical and organisational security measures that are conform with each SERVICE’s specifications as mentioned in or linked from the CONTRACT, so as:

a. to ensure the ongoing confidentiality, integrity, availability and resilience of PROCESSING systems and related services,

b. to ensure the ability to restore the availability and access to DATA in a timely manner in the event of a physical or technical incident,

c. to regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the PROCESSING.
YOU agree that:

d. the technical and organisational security measures implemented by US and mentioned in the CONTRACT are appropriate with respect to the nature of the SERVICES, the DATA and the PROCESSING, and in particular that

e. it is not possible for US to pseudonymise the DATA.

3.3 Data breach. WE undertake to inform YOU through a NOTICE without undue delay after having become aware of a personal data breach affecting the DATA, unless such breach is unlikely to result in a risk to the rights and freedoms of DATA SUBJECTS.

4. LIABILITY, INDEMNITY

4.1 Compliance with laws. YOU are solely liable for the PROCESSING’s compliance with applicable data protection and other statutory and regulatory provisions.

4.2 Limited liability. OUR sole obligation is to comply with the terms of the CONTRACT and YOUR documented instructions. Subject to the foregoing, in the event of a DATA SUBJECT’s, a local authority’s or any third party’s claim, litigation, action or proceeding directed against US for any actual or alleged breach of data protection rules, YOU hereby undertake to:

customer login
Account