Clause 14 – GDPR Data Protection

  1. We will not Process Your Personal Data other than on Your documented instructions, and for the purposes defined in writing by You, from time to time unless Processing is required by Applicable Laws to which we (or any of our Sub-processors) are subject in our provision of the Services.
  2. You:
    1. instruct us (and authorises us to instruct each Sub-processor) to:
      1. Process Your Personal Data; and
      2. in particular, transfer Your Personal Data to any country or territory,s necessary for the provision of the Services; and
    2. warrant and represent that you are and will at all relevant times remain duly and effectively authorised to give the instruction set out in Clause 13B 1.2.1 on your own behalf and that of any your affiliates.

    This Clause 13B sets out certain information regarding our processing of Your Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws).

  1. Our Personnel
    1. We will take reasonable steps to ensure that any of our (or our Sub-Processor’s) employees, agents or contractors who have access to Your Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


    2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for your consumers’ rights and freedoms, we will in relation to Your Personal Data implement appropriate technical and organizational measures against  unauthorised or unlawful processing of Your Personal Data, unauthorised access to, or disclosure of, Your Personal Data and against accidental loss or destruction of, or damage to, Your Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected. In assessing the appropriate level of security, we will take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach. Our safeguards for the protection of Your Personal Data comprise: (i) limiting access of personal data to authorised employees/authorised persons who are obliged to keep the personal data confidential; (ii) securing business facilities, data centres, paper files, servers, backup; (iii) implementing network, device application, database and platform security; (iv) securing information transmission, storage and disposal; (v) implementing authentication and access controls within applications,  operating systems and equipment; (vi) not sharing, disclosing or subcontracting the processing of such personal data with any unapproved third parties, unless required to by an instrument of law, without your express written consent; and (vii) where appropriate, may also include the pseudonymization or encryption of personal data. You may implement additional security measures (“Your Security Measures“) from time to time (at the Your absolute discretion) always provided that:
      1. Your Security Measures are compatible with the measures we have set out above, as determined by us solely, acting reasonably; and
      2. we will not, nor any of our Sub-Processors, be required to change any of the measures we have set out or to incur any costs implementing or supporting the implementation of Your Security Measures.  If additional costs are incurred, we will arrange to pass those costs on to You.’
    3. You represent, undertake and warrant at all times, that all Personal Data Processed by us (and our’ Sub-processors) on your behalf has been and will be collected and processed by you, and disclosed to us and/or our Sub-processors, in accordance with all Applicable Laws. Without limiting the foregoing, you warrant and represent that:
      1. You have taken, and will take, all steps necessary, including obtaining relevant and appropriate consents, provided appropriate fair collection notices and opt-outs and otherwise ensuring all lawful bases and rights in respect of your and our  processing of Your Personal Data;
      2. the processing of Your Personal Data by us (and our Sub-processors) in accordance with this Clause 13B and these Terms is and will be, at all times compliant with, and in accordance with, all Applicable Laws.
  2. Sub-processing
    1. You authorise us to appoint (and permit each subsequent Sub-processor, to appoint) Sub-processors in accordance with this Clause  13B.3.
    2. You acknowledge and agree that we may continue to use those Sub-processors already engaged by us, as their identities and locations are set out in Annex 1 below (Approved Sub-processors).
    3. We will provide you with prior written notice of any change in the Approved Sub-processors list and the appointment of any new Subprocessor, including known details of the processing to be undertaken by the Subprocessor. If, within 10 Business Days days of receipt of this notice, you notify us in writing of any objections (on reasonable grounds) to the proposed appointment:
      1. we will work with You in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
      2. where such a change cannot be made within one (1) month from our receipt of Your notice, notwithstanding anything in these Terms of Use, You may by written notice to us, terminate your use of that part of our Services which relates to the Services requiring the use of the proposed Subprocessor.
    4. With respect to each new Subprocessor, we will:
      1. before the Subprocessor first processes Your Personal Data carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Your Personal Data as required by their Terms;
      2. ensure that the arrangement between us and the Subprocessor (and any subsequent chain of Sub-processors), is governed by a written contract including terms which offer at least a similar level of protection for Your Personal Data as those set out in these Terms; and
      3. if that arrangement involves a Restricted Transfer:
        1. ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between us and the Subprocessor; or
        2. before the Subprocessor first Processes, Your Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with you (or your relevant affiliate, as procured by the You).
  3. Data Subject Rights
    1. We will:
      1. promptly notify You if we or any Sub- processor (promptly once we are so notified) receives a request from a Data Subject under Data Protection Laws in respect of Your Personal Data; and
      2. not (and use best endeavours to procure its Sub-Processor will not) respond to that request except on your documented instructions or as required by Applicable Laws, in which case we will to the extent permitted by Applicable Laws inform You of that legal requirement before responding to the request.
  4. Personal Data Breach
    1. We will without undue delay upon becoming aware of a Personal Data Breach affecting Your Personal Data, provide Your with information (taking into account the nature of processing and the information available to us and when it becomes available) to assist You in your endeavours to meet any obligations to report to regulators or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
    2. Subject to the reimbursement of our reasonable costs, we will co-operate with You and take such reasonable commercial and practicable steps as are directed by You to assist in the investigation, prevention (as applicable), mitigation and remediation of each Personal Data Breach.
  5. Deletion or return of Your Personal Data
    1. Subject to Clauses 13.B.6.2 and. 6.3 we will promptly and in any event within 180days of the date of cessation of any Services involving the processing of Your Personal Data (the “Cessation Date“), delete and procure the deletion of all copies of those Your Personal Data.
    2. You may by written notice to us within forty-five (45) days of the Cessation Date require us to (a) return a complete copy of all Your Personal Data by secure file transfer in such format as is reasonably notified by You to us; and (b) delete and procure the deletion of all other copies of Your Personal Data as processed by us.
  6. Audit rights
    1. Subject to providing us with reasonable notice and reimbursement of our reasonably incurred costs, and to the extent feasible, we will make available to You, on request, all information necessary to demonstrate compliance with the obligations laid down in this Clause 13B, and will allow for and contribute insofar as practicably feasible to audits, including inspections, by You or an auditor mandated by You in relation to the processing of Your Personal Data by us or our Sub-processors. You confirm and agree that you will (and will ensure that each of your mandated auditors) avoid causing or minimise any damage, injury or disruption to our, or our Sub-processors’, premises, equipment, personnel and business while your personnel are on those premises in the course of such an audit or inspection.
  7. Restricted Transfers
    1. Subject to Clause 13.8.3, you (as “data exporter“) and each of us and our Sub-Processor, as appropriate, (as “data importer“) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from you to us and our Sub-Processor, as applicable.
    2. The Standard Contractual Clauses will come into effect under Clause 13B.8.1 on the later of:
      1. the data exporter becoming a party to them;
      2. the data importer becoming a party to them; and
      3. commencement of the relevant Restricted Transfer.
    3. Clause 8.1 will not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Laws.
  8. Indemnity
    1. Notwithstanding any other provision in these Terms of Use, you indemnify, and hold us and each of our Sub-Processors harmless, against all liabilities, losses, claims, costs and expenses incurred by us or any of our Sub-Processors as a result of:
      1. any breach by you or any of your employees, agents or affiliates (as applicable) of this Clause 13B; and
      2. any processing of Your Personal Data in accordance with the provisions of this Clause 13B.
  9. General Terms

    Governing law and jurisdiction

    1. The choice of jurisdiction stipulated in these Terms will apply without prejudice to relevant clause 7 (Mediation and Jurisdiction) and clause 9 (Governing Law) of the Standard Contractual Clauses.

      Order of precedence

    2. In the event of any conflict or inconsistency between these Terms and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
    3. Subject to Clause 10.2, with regard to the subject matter of this Clause 13B, in the event of inconsistencies between the provisions of this Clause 13B and any other agreements between us, the provisions of this Clause 13B will prevail.

      Changes in Data Protection Laws

    4. These Terms and this Clause 13B may be varied and updated from time to time by us as a result of any change in Data Protection Laws, including any variation which is required to the Standard Contractual Clauses or similar adequacy requirement for cross-border transfers of personal data as may be stipulated under applicable Data Protection Laws.


    5. Should any provision of this Clause 13B be invalid or unenforceable, then the remainder of this Clause 13B will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner, as if, the invalid or unenforceable part had never been contained in this Clause 13B.
  10. Definitions

    In this Clause 13B, the following terms will have the following meaning:

    Applicable Laws” means: (a) European Union or Member State laws with respect to any of Your Personal Data in respect of which we are subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Your Personal Data in respect of which we are subject to any other Data Protection Laws; together with all guidelines and other codes of practice issued by an applicable data protection regulator or supervisory authority;

    Your Personal Data” means any Personal Data Processed by us or any of our Sub-processors, on behalf of and under your instructions in connection with the provision of the Services;

    Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection and privacy laws, regulations and secondary legislation of any other country;

    EEA” means the European Economic Area;

    EU Data Protection Laws” means the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, and any successor legislation to the GDPR or relevant national implementing laws, regulations and secondary legislation.

    GDPR” means EU General Data Protection Regulation 2016/679;

    Restricted Transfer” means:

    1. a transfer outside the EEA of Your Personal Data; or
    2. an onward transfer of Your Personal Data from us to our Sub-Processor, or between our Sub-processor and any of their Sub-processors,

    in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under these Terms.

    For the avoidance of doubt, where a transfer of Personal Data is of a type authorised by Data Protection Laws in the exporting country; for example in the case of transfers from within the European Union to the US under a scheme (such as the current US Privacy Shield) which is approved by the EU Commission as ensuring an adequate level of protection, or any other transfer which falls within a permitted derogation under EU Data Protection Laws, such transfer will not be a Restricted Transfer;

    Standard Contractual Clauses” means the EU model /standard contractual clauses for the transfer of personal data to controller and /or processors established in third countries which do not ensure an adequate level of protection, as set out in Commission Decision C(2010) 593, and as approved and adopted by the Commission in accordance with the examination procedure referred to in Article 93, GDPR, the current version of each set of  (controller to controller) and (controller to processor) terms as are set out at, and as each may be updated, amended or superseded, from time to time;

    Subprocessor” means any person (including any third party and any our affiliates) but excluding any of our employees), appointed by us or on our behalf to process Personal Data on your behalf under these Terms; and

    The terms, “Commission“, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” will have the same meaning as in the GDPR, and their cognate terms will be construed accordingly.

Appendix 1

Approved Subcontractors

Amazon Web Services

We hold and store our data with Amazon Web Services (AWS) in the US. You can find out more information about AWS, their policies and terms including how they handle your data on here. and

iWeb / Apple Inc.

We also use iWeb’s hosting solutions located in Canada for some of our support services. You can find out more on iWeb services, their policies and how they handle your data here

We use cookies to ensure that we give you the best experience on our website.