Further to the Terms of use.
1.1. In this Schedule:
1.1.1. References to an Article are to an article of the Applied GDPR.
1.1.2. Capitalised terms have the meaning ascribed to them in Data Protection Legislation, unless otherwise defined in the agreement.
1.2. Both parties shall comply with all applicable requirements of the Data Protection Legislation. The provisions of this Schedule 1 are in addition to, and do not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
1.3. The parties acknowledge that for the purposes of the Data Protection Legislation the Customer is the Controller and the Supplier is the Processor in relation to processing by the Supplier described at the end of this Schedule 1.
1.4. Without limiting paragraph 1.2., the Customer shall:
1.4.1. have a lawful basis for the Processing, and ensure that it is entitled to provide the Personal Data to the Supplier for Processing, and the Customer shall notify albert promptly if either of these ceases to be true.
1.4.2. notify its Data Subjects of the Processing, to the standard required by Data Protection Legislation.
1.4.3. ensure that all Personal Data the Customer provides to albert are accurate and up to date, and the Customer shall make promptly any amendments necessary to ensure that the Personal Data remain accurate and up to date.
1.5. Without limiting paragraph 1.2., the Supplier shall, in relation to any Personal Data processed by the Supplier as Processor:
1.5.1. process that Personal Data only on documented instructions of the Customer (as set out in this agreement) unless the Supplier is required to do so by the laws of any part of the United Kingdom (“Applicable Laws”). If the Supplier is required to do so, the Supplier shall promptly notify the Customer of this beforehand, unless Applicable Laws prohibit the Supplier from so notifying the Customer. In addition to instructions contained elsewhere in this agreement, the Customer instructs the Supplier to carry out such processing as is necessary for the Supplier to provide the Supplier Services to the Customer and, in particular, to offer the facility for Data Subjects and other recipients of the Customer’s email campaigns to unsubscribe from further communications, and to maintain suppression lists to prevent further communications.
1.5.2. ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in accordance with Article 32.
1.5.3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
1.5.4. not transfer any Personal Data outside of the European Economic Area and the United Kingdom except in accordance with the Data Protection Legislation (for example, by providing for adequate safeguards or transferring to territories which are the subject of an adequacy decision by or recognised by the laws of any part of the United Kingdom).
1.5.5. assist the Customer, at the Customer's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. In addition to assistance which the Supplier might provide the Customer on a case-by-case basis, the Supplier maintains the facility for email recipients to view, edit, download, or delete their data.
1.5.6. notify the Customer without undue delay on becoming aware of a Personal Data Breach.
1.5.7. at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data.
1.5.8. maintain complete and accurate records and information to demonstrate its compliance with this Schedule 1 and allow for and contribute to audits by the Customer or the Customer's designated auditor at the Customer’s cost.
1.6. The Customer authorises the use by the Supplier of the companies processing Personal Data as a processor of the Supplier (each a “Sub-processor) identified below. The Supplier will impose obligations on all Sub-processors which are materially equivalent to those imposed on it in this Schedule, and will be directly responsible for their compliance.
1.7. Authorised Sub-processors:
1.7.1. Mythic Beasts (hosting provider, system administration, security)
1.7.2. Green Arrow (mail server administration)
1.8. The Supplier shall notify the Customer of any intended changes concerning the addition or replacement of its Sub-processors in order to afford an opportunity to object to those changes. If the Customer wishes to object to the relevant Sub-processor, it must give notice in writing within ten (10) business days from receiving the notification from the Supplier and the parties will come together in good faith to discuss an appropriate solution.
1.9. If the Customer objects to a new Sub-Processor and the Supplier cannot accommodate the Customer’s objection, the Customer may terminate the Services by providing no less than thirty (30) days’ written notice to the Supplier.
1.10. The Customer shall remunerate the Supplier based on time spent to perform the obligations under paragraphs 1.5.5. or 1.5.8. of this Schedule 1.
1.11. For the purposes of Article 28(3), when the Supplier acts as Processor, the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject are as follows:
The scope and purpose of processing shall be the delivery of the Supplier’s Services, including hosting personal data on behalf of the Customer.
For the duration of the provision of the Services, and for a limited period thereafter until the personal data is deleted from the Supplier’s systems and/or returned to the Customer.
As set out at https://www.smartmessages.net/formats.php
Document updated Feb 2nd, 2022