EUROPEAN SERVICE ADDENDUM
THESE ADDITIONAL TERMS PERTAIN TO CUSTOMERS IN THE EUROPEAN ECONOMIC AREA, SWITZERLAND OR THE UK (“EUROPEAN SERVICE ADDENDUM”). THIS EUROPEAN SERVICE ADDENDUM IS INCORPORATED INTO SERVICE AGREEMENTS WITH CUSTOMERS WHO RESIDE IN THE EUROPEAN ECONOMIC AREA, SWITZERLAND OR THE UK. YOUR EXECUTION OF A CUSTOMER ORDER FOR SERVICES CONSTITUTES YOUR AGREEMENT TO BE BOUND BY THESE ADDITIONAL TERMS. YOU ACKNOWLEDGE AND AGREE THAT CENTRALREACH HAS THE RIGHT TO ESTABLISH TERMS FOR THE CONTINUED USE OF OUR SERVICES. ACCORDINGLY, CENTRALREACH RESERVES THE RIGHT TO MODIFY THESE TERMS FROM TIME TO TIME WITH OR WITHOUT NOTICE TO YOU. YOU AGREE THAT YOUR USE OF THE SERVICES CONSTITUTES YOUR AGREEMENT TO ANY SUCH MODIFICATION. TERMS NOT DEFINED HEREIN SHALL HAVE THE MEANING SET FORTH IN THE TERMS OF SERVICE AND ADDITIONAL AGREEMENTS AS APPLICABLE. IN THE EVENT OF ANY CONFLICT BETWEEN THE TERMS OF SERVICE AND OTHER ADDITIONAL AGREEMENTS AND THIS EUROPEAN SERVICE ADDENDUM, THE TERMS OF THIS EUROPEAN SERVICE ADDENDUM SHALL CONTROL.
1. DATA PROCESSING UNDER THE EUROPEAN DATA PROTECTION LEGISLATION
As used herein, “European Data Protection Legislation” shall mean the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) (as amended or replaced from time to time), and any national implementing laws or regulations and secondary legislation, as amended from time to time and any other data protection, data security and privacy laws pertaining to residents of the European Economic Area, Switzerland or the UK.
To the extent that you are covered by the European Data Protection Legislation, you acknowledge and agree to the following:
- Both parties will comply with all applicable requirements of the European Data Protection Legislation. You acknowledge that Customer Content may constitute or include “personal data” under the GDPR.
- The parties acknowledge that for the purposes of the European Data Protection Legislation, you are the data controller and CentralReach is the data processor (where Data Controller and Data Processor have the meanings as defined in the European Data Protection Legislation). The categories of personal data and data subjects (as defined in the GDPR) are set out in the Appendix of this European Service Addendum.
- Without prejudice to the generality of Section 1.a. of this European Service Addendum, you will ensure that you have all necessary appropriate consents and notices in place to enable lawful transfer of Customer Content to the United States for the duration and purposes of the Services. You also represent and warrant that you have all necessary rights and consents to collect all information that you provide through your use of the Services, and that you will use any such information collected only in strict compliance with the European Data Protection Legislation.
- Without prejudice to the generality of Section 1.a. of this European Service Addendum, CentralReach shall, in relation to any Customer Content processed in connection with the performance by CentralReach of the Services:
- process Customer Content only as required to provide you with the Services, and you agree that such processing is being done at your express request and with your express consent;
- ensure that CentralReach has in place appropriate technical and organizational measures to protect against unauthorized or unlawful processing of Customer Content and against accidental loss or destruction of, or damage to, Customer Content, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymizing and encrypting Customer Content, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Customer Content can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it);
- ensure that all CentralReach personnel who have access to and/or process Customer Content are obliged to keep Customer Content confidential;
- except for the transfer of Customer Content to the United States or to one or more of our affiliates, under common control with us, who CentralReac may utilize as a subprocessor, and with respect to certain applications, CentralReach shall not transfer Your Content to any other jurisdiction outside of the European Economic Area, Switzerland and the UK unless CentralReach notifies you in writing of such transfer and, in this event, the following conditions shall be fulfilled:
- CentralReach has provided appropriate safeguards in relation to the transfer;
- the data subject has enforceable rights and effective legal remedies;
- Centralreach has complied with obligations under the European Data Protection Legislation by providing an adequate level of protection to any of Customer Content that is transferred; and
- CentralReach has complied with reasonable instructions notified to us in advance by you with respect to the processing of Customer Content;
- assist you, at your cost, in responding to any request from a data subject and in ensuring compliance with your obligations under the European Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, and you agree to promptly (and in any case, within any time period prescribed by law or regulation) notify us if any data subject requests removal of any personal information relating to such data subject;
- notify you without undue delay on becoming aware of a breach of Customer Content;
- at your written direction, delete or return Customer Content and copies thereof to you on termination of the Services unless required by applicable law to store Customer Content; and
- maintain complete and accurate records and information to demonstrate our compliance with this clause.
- You acknowledge that CentralReach may utilize third-party integration partners to process Customer Content, and you hereby consent to such third-party processing. CentralReach shall remain fully liable to you for all acts or omissions of any third-party processor appointed by us pursuant to this clause, subject to applicable exclusions and limitations of liability set forth in the Terms.
- You agree that in lieu of the obligations set forth in this European Service Addendum, CentralReach may adopt any applicable controller-to-processor standard clauses or similar terms forming part of an applicable certification scheme.
2. NOTICES PURSUANT TO EUROPEAN DATA PROTECTION LEGISLATION
Customer agrees that any request pursuant to Section 1 of this European Service Addendum shall be made in writing and sent to firstname.lastname@example.org.