GDPR Processing Terms
Bluescape as data importer shall comply with all requirements that the General Data Protection Regulation 2016/679 (GDPR) imposes on data processors and is collectively referred to as “processor” in this Addendum. You, as our Customer and the “controller”, are the data exporter. All terms herein shall take on the meaning as defined in the General Data Protection Regulation 2016/679 (GDPR). Without limiting the generality of the foregoing, processor agrees, warrants and represents that it:
a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law;
b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) takes all measures required pursuant to Article 32 of the GDPR (security of processing);
d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor;
e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject’s personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects’ rights, but processor shall not respond directly to data subjects);
f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor;
g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
i) provides notification as required by the GDPR and any other applicable law regarding any loss or breach of security of the personal data;
j) complies with this Addendum, the GDPR and applicable law until termination of services and, upon termination, at controller’s choice: (1) destroys all personal data processed and any copies thereof and certifies to controller on request having done so; or (2) returns all data and copies thereof to controller; and
k) monitors and self-audits its own compliance with its obligations under applicable national data protection law and the GDPR and provides controller with periodic reports, at least annually.