- Terms such as “processing”, “personal data”, “controller” and “processor” shall have the meaning ascribed to them in applicable national implementation of the Data Protection Directive (1995/46/EC) or – as of 25 May 2018 - the General Data Protection Regulation (2016/679/EU, both hereinafter: the “Data Protection Laws”).
- Notwithstanding anything contained herein to the contrary, the parties agree that this clause shall apply only if and to the extent that On Next is processing any personal data on behalf of Customer (“Personal Data").
- On Next collects Personal Data in accordance with the privacy notification on the Platform.
- On Next will act as the processor and User will act as the controller.
- On Next shall;
- only carry out processing of any Personal Data on User’s instructions and to the extent necessary to provide its services. On Next will immediately inform User (i) if, in its opinion, an instruction infringes Data Protection Laws, or (ii) if On Next is required under applicable law to process the Personal Data, unless that law prohibits On Next from notifying User.
- implement appropriate technical and organisational measures to ensure a level of security of the Personal Data against loss and unlawful processing, appropriate to the risk, including remedial action in the event of a breach as meant under 7.
- only engage a sub-processor and/or in transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection with prior written approval from User and subject to a written agreement as required by Data Protection Laws.
- ensure that all its employees, agents and/or sub-processors engaged in processing Personal Data have signed a confidentiality agreement and/or are under any other binding obligation of confidentiality.
- submit to a data security audit when reasonably requested by User and at any time if any regulator of User requests or requires an audit of User and/or any of its service providers.
- where appropriate, assist User with the fulfilment of obligations, such as responding to requests to exercise data subject rights, data protection impact assessments and prior consultation with supervisory authorities.
- inform User within 24 hours of (i) a (suspected) breach of security and/or confidentiality leading to the loss or unlawful processing of Personal Data, (ii) an inquiry, subpoena or request for audit from a competent authority, or (iii) a seizure.
- delete or return all the Personal Data to User after the end of the provision of services relating to the processing, unless a legal obligation exists to store the Personal Data.
- make available to User all information and documentation requested by User to demonstrate its compliance with Data Protection Laws.
- At User’s reasonable request, On Next shall enter into a separate data processing agreement in a format satisfactory to both parties.
More details regarding the information we gather, store, and process, will be available soon.