This Data Processing Addendum (“DPA”) supplements and forms part of the ZapWorks User Agreement for Business and Education users. Capitalised terms used, but not defined, in this DPA are defined in the User Agreement.
This DPA sets out the terms that apply when Personal Data is processed by Zappar on behalf of an Account Holder as part of the Services, where the Account Holder is acting as a Controller for the purposes of UK or EU Data Protection law or regulation, including the European General Data Protection Regulation (“GDPR”) (collectively, the “Data Protection Laws”). It applies solely to the extent required by the Data Protection Laws and takes effect as of 25 May 2018.
Effect of DPA
If a provision of this DPA conflicts with a provision of the User Agreement, then this DPA will control. The User Agreement will remain in full force and effect and will be unchanged except as modified by this DPA. This DPA will terminate automatically upon the expiry or termination of the User Agreement.
Provided that the User is a party to an effective User Agreement, this DPA shall take effect automatically as between the parties. The parties may also, at the request of the Account Holder, enter into a hard copy version of this DPA which is physically signed by or on behalf of both parties. The parties may also by agreement enter into an individually negotiated data processing agreement provided such agreement satisfies the minimum requirements laid down in the Data Protection Laws.
For the purposes of this DPA:
the expressions “Controller”, “Data Subject”, “Processor”, “Personal Data Breach” and “processing” have the same meaning as in Article 4 of the GDPR; and
“Personal Data” means any User Content of the Account Holder that is or contains information that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under the Data Protection Laws. This does not include any personal data in respect of which Zappar is the sole Controller under the Data Protection Laws.
Details of Zappar’s role as a Processor of Personal Data are as follows:
Subject Matter of the Personal Data processing: The provision of the Services by Zappar to the Account Holder and their Authorised Users.
Duration of the Personal Data processing: The term of the User Agreement and any period after the term prior to Zappar’s deletion of all Personal Data included within the User Content.
Nature and purpose of the Personal Data processing: To enable the Account Holder and their Authorised Users to receive and Zappar to provide the Services, including publication, hosting and serving of User Content across Zappar’s technology platform.
Categories of Personal Data: In general, this may consist of identifying information and organisation data of the Account Holder’s customers and end users and Personal Data of Data Subjects contained in User Content such as images, videos, voices; together with such other categories as are agreed by the parties and recorded in writing. It is acknowledged that Zappar does not allow the Services to be used for the purposes of processing any of the “sensitive categories” of Personal Data specified in Article 9(1) of the GDPR.
Categories of Data Subjects: To the extent User Content contains Personal Data, it may concern the Account Holder’s end users, customers, employees, business contacts, members of the public and other individuals who have consented to their Personal Data being included within the Account Holder’s User Content.
The roles of the parties
To the extent that Zappar processes Personal Data in the course of providing the Services, it will do so only as a Processor acting on behalf of the Account Holder (as the Controller) and in accordance with the requirements of this DPA.
Scope of processing
Zappar undertakes that it will only process the Personal Data on documented instructions from the Account Holder, including with regard to transfers of Personal Data to a third country or an international organisation, unless Zappar is required to do so by European Union or national law to which Zappar is subject; in such a case, Zappar shall inform the Account Holder of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. For the purposes of this clause, any processing necessary to provide the Services in the manner requested by the Account Holder or their Authorised User(s) shall be deemed to be a documented instruction to Zappar.
Zappar shall immediately inform the Account Holder if, in Zappar’s opinion, an instruction given by or on behalf of the Account Holder would breach the GDPR or other European Union or Member State data protection provisions.
Obligations of the Account Holder
The Account Holder, as the Controller, shall be responsible for ensuring that: (a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including the Data Protection Laws; and (b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Zappar for processing in accordance with the terms of the User Agreement and this DPA.
The Account Holder shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which the Account Holder acquired the Personal Data.
Zappar shall ensure that persons authorised by Zappar to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Zappar shall have in place and maintain throughout the term of this DPA appropriate technical and organisational measures to protect the Personal Data in accordance with the requirements of Article 32 of the GDPR.
Rights of Data Subjects
Zappar shall, taking into account the nature of the processing, provide the Account Holder with reasonable assistance by appropriate technical and organisational measures, insofar as this is possible and at the Account Holder’s cost, with fulfilling the Account Holder’s obligations to respond to requests by Data Subjects to exercise their rights laid down in Chapter III of the GDPR. If a request is made directly to Zappar, Zappar shall promptly inform the Account Holder.
Zappar shall notify the Account Holder without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data which is the subject of this DPA.
Zappar shall also provide the Account Holder with reasonable assistance, at the Account Holder’s cost, in ensuring compliance with the Account Holder’s obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Zappar.
Deletion/Return of Personal Data
Upon the expiry or termination of the User Agreement, Zappar shall, at the choice of the Account Holder, delete or return to the Account Holder all relevant Personal Data and delete all existing copies, save to the extent that Zappar is required by any applicable law to retain some or all of the Personal Data.
Zappar will make available to the Account Holder all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR. Whilst it is the parties’ intention ordinarily to rely on the provision of the documentation to verify Zappar’s compliance with this DPA, Zappar shall permit the Account Holder (or their appointed third party auditor who must not be a competitor of Zappar) to carry out an audit of Zappar’s processing of Personal Data under the User Agreement following a Personal Data Breach suffered by Zappar, or upon the instruction of a data protection authority. The Account Holder must give Zappar reasonable prior notice of such intention to audit, conduct its audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Zappar’s operations. Any such audit shall be subject to Zappar’s security and confidentiality terms and guidelines. The Account Holder will reimburse Zappar for any such on-site audit at Zappar’s then-current rates, which shall be made available to the Account Holder upon request. The charges for the audit shall be reasonable taking into account the resources expended (or to be expended) by Zappar and where possible shall be agreed by the parties prior to commencement of the audit. If Zappar declines to follow any instruction requested by the Account Holder regarding audits, the Account Holder is entitled to terminate this DPA and the User Agreement.
Use of sub-processors
The Account Holder agrees that Zappar may engage third party sub-processors (collectively, “Sub-Processors”) to process the Personal Data on the Account Holder’s behalf. Zappar shall impose on each Sub-Processor obligations that protect the Personal Data to the same or substantially similar standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-Processor. Zappar may, by giving reasonable notice, add or make changes to the Sub-Processors. If the Account Holder objects on reasonable grounds to any proposed change (e.g. if making Personal Data available to the Sub-Processor may violate applicable Data Protection Laws, or weaken the protections for such Personal Data) it must notify Zappar within 14 calendar days of the date of Zappar’s notification. Such notice shall contain the reasonable grounds for the objection. Following receipt of the Account Holder’s notice, the parties will work together in good faith to find an alternative solution. If the parties are unable to find an alternative solution acceptable to both of them within a reasonable period of time, which shall not exceed 30 calendar days, and Zappar is unable to continue to provide the Services to the Account Holder without use of the objected-to Sub-Processor, either party may at any time thereafter terminate the User Agreement by written notice to the other, without imposing a penalty for such termination on the Account Holder.
Zappar may update and change any part or all of this DPA at any time by posting a new version on zap.works provided that the updated DPA continues to meet the minimum requirements laid down in the Data Protection Laws. When Zappar makes changes, the “Last Updated” date will be updated to reflect the date of the most recent version.
This DPA shall be governed by and construed in all respects in accordance with the laws of England and Wales.
LAST UPDATED: 21 MAY 2018