GDPR Data Processing Agreement – Updated 20/09/18

1. Introduction

1.1 The customer agreeing to these terms (“The Customer”) and Premeum International Limited (“Premeum”) have entered into an agreement under which Premeum has agreed to provide data processing services and related technical support to The Customer.

1.2 The GDPR makes written contracts between controllers and processors a general requirement. These terms are designed to ensure that processing carried out by a processor meets all the requirements of the GDPR. They reflect the agreement between Premeum and The Customer in regard to the terms governing the processing and security of Customer Data.

2. Definitions

The following definitions will be used throughout this document.

Customer Data

means data provided by or on behalf of Customer or Customer End Users via the Services under the Account.

Customer Personal Data

means the personal data contained within the Customer Data. The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in these terms have the meanings given in the GDPR.

Data Incident

means a breach of Premeum security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Premeum. “Data Incidents” do not include unsuccessful attempts to compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks.

Notification Email Address

means the email address(es) designated by Customer in the Customer Dashboard, or in the Order Process to receive certain notifications from Premeum.

Support Ticket System

means the ticket system we use to offer support and communication, available in your Premeum account support portal. You will be notified via your Notification Email Address when an update is made.

3. Duration

These Terms will take effect on the Terms Effective Date and, even in the event of expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Data by Premeum as described in these Terms.

4. Processing of Data

4.1 Processor and Controller Responsibilities

The European Data Protection Legislation applies to the processing of Customer Personal Data and the parties acknowledge and agree that:

  • Premeum is a processor of Customer Personal Data under the General Data Protection Regulation.
  • The Customer is a controller or processor, as applicable, of that Customer Personal Data under the General Data Protection Regulation.
  • Each party will comply with the obligations applicable to it under the General Data Protection Regulation with respect to the processing of that Customer Personal Data.
  • The types of personal data include data relating to individuals provided or uploaded to Premeum, by (or at the direction of) Customer or by Customer End Users.

 

4.2 Authorisation by a Third Party Controller

The Customer confirms that The Customer’s instructions and actions in regard to that Customer Personal Data, including its engagement of Premeum as another processor, have been authorised by the relevant controller under the General Data Protection Regulation.

5. Scope of Processing

5.1 The Customer’s Instructions

By entering into these Terms, The Customer instructs Premeum to process Customer Personal Data in order to:

  • Provide delivery and order information.
  • Provide relevant offers and product information.
  • Process data as documented in these Terms.

5.2 Premeum Compliance with Instructions

Premeum will comply with the instructions described under “The Customer’s Instructions”.

6. Data Deletion

6.1 Deletion by Customer

Premeum will enable The Customer to delete Customer Data via instruction in writing only. Confirmation of deletion will be made in writing or by email. Infrastructure backups may remain on Premeum servers for up to 90 days after this request.

 

7. Data Security

7.1 Premeum Security Measures

Premeum will implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure

7.2 Staff Security Compliance

Premeum will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and sub processors, including ensuring that all persons authorised to process Customer Personal Data have committed themselves to confidentiality.

7.3 Data Incidents

7.3.1 Incident Notification

If Premeum becomes aware of a Data Incident, Premeum will:

  • Notify The Customer of the Data Incident promptly and without undue delay after becoming aware of the Data Incident.
  • Take reasonable steps to minimise harm and secure Customer Data.

7.3.2 Details of Data Incident

Data Incident notifications will include details of the Data Incident including steps taken to mitigate the potential risks and steps Premeum recommends The Customer take to address the Data Incident.

7.3.3 Delivery of Notification

Notifications of any Data Incident will be made via the Notification Email Address. It is the responsibility of The Customer to ensure that this email address is kept current and up to date.

7.3.4 No Assessment of Customer Data

Premeum will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to The Customer and fulfilling any third party notification obligations related to any Data Incident.

7.3.5 No Acknowledgement of Fault

Notification of or response to a Data Incident will not be construed as an acknowledgement of fault or liability.

7.3.6 Audit Rights

Premeum will provide all information necessary to demonstrate compliance and allow for and contribute to audits, including inspections, requested by The Customer, carried out by the ICO (https://ico.org.uk/).

Premeum will inform The Customer immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

8. Sub processors

8.1 Consent to Sub Processors

The Customer specifically authorises the engagement of Premeum third-party suppliers as Sub processors. In addition, The Customer generally authorises the engagement of any other third parties as Sub processors.

8.2 Process to Engage New Sub processors

Premeum will provide notice via this policy of updates to the list of sub processors that are utilised or which Premeum proposes to utilise to deliver its Services. Premeum undertakes to keep this list updated regularly to enable The Customer to stay informed of the scope of sub processing associated with the Premeum Services.

The Customer can object in writing to the processing of its Personal Data by a new sub processor within thirty (30) days after this policy is updated and shall describe its legitimate reasons to object. If The Customer does not object during such time period, the new sub processor(s) shall be deemed accepted.

If The Customer objects to the use of a sub processor pursuant to the process provided under the DPA, Premeum shall have the right to resolve the objection through one of the following options (to be selected at the sole discretion of Premeum):

  • Premeum will cease to use the sub processor with regard to Personal Data; or
  • Premeum will take the corrective steps requested by The Customer in its objection and proceed to use the sub processor to process Personal Data; or
  • Premeum may cease to provide, or The Customer may agree not to use (temporarily or permanently), the particular aspect of a Premeum Service that would involve use of the sub processor to process Personal Data; or
  • Premeum may cease to offer services to The Customer entirely.

The list of Premeum third party sub processors is maintained here.

9. Premeum Data Protection Officer

In the case of any complaint regarding our handling of your data, our privacy policy or our adherence to it, please contact our data protection officer listed below. This individual will carry out a full investigation on your behalf in the event that you feel there is a problem.

  • Name: Aaron Rathore
  • Address: Premeum International Ltd. PO Box 10744 NG5 0JZ
  • Email Address: customer-serv@premeum.co.uk

Third Party Processors – Updated 20/09/18

| Name | Purpose | Privacy Details |
| --- | --- | --- |
| Royal Mail | Provide delivery and postage services | https://www.royalmail.com/privacy-notice/ |
| PayPal | Providing payment processing | https://www.paypal.com/webapps/mpp/ua/privacy-full |
| Facebook | Providing relevant and targeted advertising | https://www.facebook.com/policy.php |
| Google Analytics | Internal tracking and marketing purposes | https://policies.google.com/privacy?hl=en&gl=ZZ |