GDPR – STANDARD TERMS OF BUSINESS
These Standard Terms of Business (as amended from time to time) (the “Agreement”) are effective as of the 25th of May 2018 (the “Agreement Effective Date”) by and between you and 4pm, a company incorporated in Ireland (company registration number 457751) which has its registered office at Unit 105, Nova UCD, Belfield, Dublin 4 (“4pm”).
1.1. Structure. The provisions of this Agreement are supplementary to the existing terms of business in place between you and 4pm.
1.2. Hierarchy of Terms. In the event of any conflict or inconsistency between any of the terms, this Agreement shall take precedence over the General Provisions.
1.3. Variation. No further variation to the terms of the Agreement will be valid unless it is agreed in writing and signed by duly authorised representatives of each party.
1.4. Definitions. For the purpose of this Agreement, the following terms shall have the following meanings:
“Affiliates” means in respect of a Party, any company which is a subsidiary or a holding (including ultimate holding) company of that Party, and any company which is a subsidiary of such holding company from time to time, (the terms subsidiary and holding company having the meanings given in the Companies Act 2014);
“Data Protection Laws” means all laws, regulations, orders, by-laws, codes, standards, guidelines, decisions and opinions determined by any governmental or regulatory authority, which apply to any undertaking or circumstance relevant to data protection, including, but not limited to, the Irish Data Protection Acts 1988 and 2003 and the UK Data Protection Act 1998 (as amended or replaced from time to time including but not limited to by the GDPR) and any other laws, regulations (EU or Irish statutory), directives, decisions or other guidelines;
“Data Controller”, “Data Processor”, “Data Subject”, and “Personal Data” shall have the meanings attributed to those terms in the Irish Data Protection Acts 1988 and 2003 and the UK Data Protection Act 1998 as amended or replaced from time to time including but not limited to by the GDPR;
“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679) (as may be amended from time to time and includes all GDPR implementing legislation);
“Parties” means you and 4pm and any one of them is referred to as a “Party”;
“Regulator” means any person or professional body having regulatory or supervisory authority over you, your Affiliates or 4pm including without limitation the Property Services Regulatory Authority and the Central Bank of Ireland / Financial Conduct Authority;
“Service Personnel” means the Supplier’s and its Affiliates’ officers, employees, agents, contractors, and their officers, employees, agents and contractors;
“Services” means the services supplied under an Agreement by the Supplier to you and/or its Affiliates.
Other Definitions. Unless otherwise defined in this Agreement, all capitalised terms used in this Agreement will have the meaning ascribed to them in the General Provisions.
1.5 Specific Data Protection Provisions applicable to the Supplier, in each case acting as a Data Processor:
The Supplier warrants, represents and undertakes to you that it shall (and shall procure that the Service Personnel shall):
(a) not process, disclose to or source from any third party, any Personal Data except to the extent, and in such a manner, as is reasonably necessary for the provision of the Services and then only where the Supplier is acting on and in accordance with the express written instructions of you and/or its Affiliates, and in accordance with all Data Protection Laws,
(b) not transfer or process any Personal Data outside the European Economic Area, including any transfer via electronic media, without the express prior written consent of yourself;
(c) ensure that all Service Personnel engaged in the provision of the Services have entered into a confidentiality agreement with the Supplier and shall further ensure that such Service Personnel are made aware of and observe the Supplier’s obligations under this Agreement with regard to the security and protection of Personal Data;
(d) implement and maintain appropriate technical and organisational measures to protect Personal Data including, but not limited to, against accidental, unauthorised or unlawful loss, destruction, damage, alteration, access, disclosure or other processing and shall ensure that such measures shall provide a level of security appropriate to the risk represented by the processing and having regard to the nature of the Personal Data which is to be protected;
(e) only sub-contract any element of the data processing provided that (i) you have given your express prior written consent to the use of such a sub-contractor or (ii) you have given your prior general consent to sub-contracting of the data processing by the Supplier from time to time. In the case of (ii), the Supplier will maintain a list of sub-contractors used from time to time in relation to the data processing and will make such list available to you with any proposed additional or replacement sub-contractors prior to the introduction of any such addition or replacement. You may object to the inclusion or replacement of any particular sub-contractor proposed by the Supplier. The Supplier shall ensure that (i) the terms governing the engagement between the Supplier and any sub-contractors are identical to the provisions of this Agreement and any other relevant provisions of the Agreement; and (ii) the Supplier will remain responsible for the sub-contractor’s compliance with its obligations and for any acts or omissions of such sub-contractor;
(f) implement and maintain appropriate technical and organisational measures to assist you in responding to requests from Data Subjects exercising their rights and shall notify you promptly upon receipt of any such request from a Data Subject and shall assist you where required in its obligation under Arts 35 and 36 GDPR including but not limited to the completion of a data protection impact assessment;
(g) at your request, cooperate with the Regulator in the performance of its tasks under GDPR;
(h) promptly upon becoming aware of any DP Incident (and in any event within 24 hours of becoming aware of such an incident), notify you by telephone and by email. The Supplier shall, at no cost to you, provide you with all resources and assistance as are required by you, including for (i) you to notify the Office of the Data Protection Commissioner and/or the UK Information Commissioner’s Office of a DP Incident within 72 hours of becoming aware of the DP Incident, (ii) you to provide such reports or information as may be requested by it in relation to such DP Incident and/or (iii) you to notify the relevant data subjects of such DP Incident, without undue delay and where required;
(i) except where Applicable Law requires the retention by the Supplier of Personal Data, on the expiration of the provision of the Services, the Supplier shall, at the election of you either (i) return to you or (ii) delete, destroy and make permanently unusable all Personal Data supplied to it by or on behalf of you, together with all copies, records, analysis, memoranda or other notes to the extent containing or reflecting any Personal Data; and
(j) without prejudice to your other rights, the Supplier will provide access to you and your auditors, to your Data and to any other data and information relating to the provision of the Services and to any other information in each case for the purpose of demonstrating compliance with the GDPR Regulation. If requested by you, the Supplier will permit you (or your auditors mandated on your behalf) to audit and inspect the Supplier including permitting you or your auditor to visit any business premises relevant to the provision of the Services and the Supplier will co-operate with and contribute to such audits and inspections without undue delay.
(k) Summary of the support process and access flow from a GDPR perspective.
As a provider of support for Acquaint CRM we will become a data processor when we are requested to provide technical and operational support, and thus in this exercise we require temporary access to your Acquaint CRM database in your office to carry out our support. As per the Service Level Agreement we do record or store or act upon any personal we are exposed or privy to when performing our duty as this is treated as highly confidential.
4pm use a remote access software application called ISL and this is built into Acquaint CRM. The Acquaint customer will:
● click on the HELP menu in Acquaint
● select the option “Request remote support”
● ISL will download and launch
● The customer will enter in the support number
The application will launch and the support staff will be able to see the customer screen and be able to support the client by working on the technical or operational support issue. After the session the support staff will disconnect and will not take a copy of any data with them. They will hold in strict confidence and treat as highly confidential anything they have seen when providing support.
If forensic and deep examination and correction is required:
● A backup of the database will be taken and this will be delivered securely to the Acquaint BrightLogic server.
● The database will be restored so that we can then examine and provide a correction or solution.
● After this support ticket is concluded the database is deleted within 2 days.
There are two setups for Acquaint customers: local and cloud. In the case of the cloud, the customer’s database is stored in a secure server and only their company has access to the Acquaint database and digital assets such as images and documents pertaining to the clients managed by the estate agency.
The agency’s Acquaint CRM system can be accessed from any web device through the web interface available at www.acquaintanywhere.co.uk. This access is a two step or password secured access:
1. A customer prefix
2. site password
3. user id#
4. user password