“Agreement(s)” means one or more sets of terms governing the arrangement(s) between Customer and MZ into which this DPA is incorporated;
“Binding Corporate Rules” (“BCR”) means a set of Binding Corporate Rules governing the transfer of data outside of the EEA but only within a Corporate Group, authorised by the appropriate EU data protection authority as being compliant with the Article 29 Working Party papers
“Customer” means a set of Binding Corporate Rules governing the transfer of data outside of the EEA but only within a Corporate Group, authorised by the appropriate EU data protection authority as being compliant with the Article 29 Working Party papers
"Customer Data" means any personal data (as defined in the Data Protection Legislation) relating to or originating from the Customer or its employees.
Customer Data shall include, but not be limited to:
(i) in respect of conferencing and collaboration customers the name and email address (nearly always business email address) of: conference hosts, participants in Managed Events (where customer has instructed MZ to collect such data) and users of Cisco products
(ii) in respect of the small minority of cases where conference participants choose to be “dialled back” by MZ then MZ may additionally hold a telephone number (typically a business telephone number)
(iii) in relation to the provision of Skype for Business services, MZ normally holds name, business email address and business telephone number for all individual users of the service
MZ needs to hold this Personal Data for the purposes of providing the Services including but not limited to the provision of after-call emails, billing, reporting and recovery of user logins.
Data Subjects will be individual users of the Service who will normally be employees of the Customer or occasionally one or more of their meeting invitees.
“DPA” means this Data Processing Agreement
"Data Protection Legislation" means, for the periods in which they are in force, the European Union Data Protection Directive 95/46/EC, all Laws giving effect or purporting to give effect to European Data Protection Directive 95/46/EC or otherwise relating to data protection (to the extent the same apply) and the GDPR;
(a) to the extent that it applies, the General Data Protection Regulations (Regulation (EU) 2016/679) which comes into force on 25 May 2018; or
(b) any equivalent legislation amending, supplementing or replacing the General Data Protection Regulations (Regulation (EU) 2016/679);
"Model Clauses" means the standard contractual clauses for the transfer of personal data to a processor outside of the European Economic Area in the form as adopted by the European Commission from time to time;
“MZ” means MeetingZone Limited (company registration number in England & Wales 04300344)
"Specified Purpose" means processing limited to the extent required for the provision of the Services under the Agreement(s);
"MZ Personnel" means each individual employed or engaged (and permitted under the terms of this Agreement to be so employed or engaged) by MZ, any of its sub-contractors or any other person in the provision of the Services or the performance of any obligation of MZ under this Agreement from time to time;
2. DATA PROTECTION
2.1. These terms supersede and replace any and all data protection-related terms previously in place between Customer and MZ in the Agreement(s).
2.2. In this Clause 2, the terms “processed”, “data controller” and “data processor” shall have the meanings given to them under the Data Protection Legislation.
2.3. The Customer and MZ acknowledge that for the purposes of Data Protection Legislation, the Customer is the data controller and MZ is the data processor of any Customer Data.
2.4. Each party to this Agreement shall, and MZ shall procure that any sub-contractors shall, comply with all Data Protection Legislation in relation to any Customer Data processed and neither party shall, and MZ shall procure that no sub-contractors shall, by act or omission, put the other party in breach of the Data Protection Legislation.
2.5. MZ shall, and shall procure that each of its sub-contractors shall, process Customer Data only:
(a) in such a manner as is necessary for the Specified Purpose;
(b) in accordance with documented instructions received from the Customer; and
(c) for the term of this Agreement.
2.6. Without limiting Clause 2.4, MZ undertakes that:
(a) it shall not allow any sub-contractors to have access to, receive or process Customer Data without obtaining prior written consent from the Customer (such consent not to be unreasonably withheld or delayed);
(b) where the Customer gives consent pursuant to Clause 2.6(a), MZ shall ensure that each sub-contractor enters into a written agreement with MZ in terms no less onerous than those of the GDPR;
(c) neither MZ nor any of its sub-contractors shall process, or direct the processing of any Customer Data other than in the European Economic Area unless and until:
(i) MZ and sub-contractor have entered into Model Clauses; OR
(ii) sub-contractor is publicly listed as having approved BCRs in place OR
(iii) sub-contractor is (where applicable) publicly listed as being certified under the EU-US Privacy Shield OR
(iv) otherwise in accordance with the prior written consent of the Customer (such consent to be at the sole discretion of the Customer);
(d) MZ and each of its sub-contractors have in place now and shall on a continuing basis take all reasonable technical and organisational measures to keep all Customer Data confidential and secure and to protect Customer Data against accidental loss or unlawful destruction, alteration, disclosure or access;
(e) MZ and each of its sub-contractors shall provide such information and assistance and, on reasonable prior notice, allow for and contribute to audits (including inspections) conducted by the Customer or an auditor mandated by the Customer as is reasonably necessary to enable the Customer to satisfy itself of MZ’s compliance with this Agreement and the Data Protection Legislation; and
(f) on termination of this Agreement, and at any time on the request of the Customer, either return Customer Data in the format requested by the Customer (and destroy all remaining copies), or destroy all of Customer Data (including all copies of it), in either case immediately and confirm in writing that it has complied with this obligation.
(g) Notwithstanding any other terms in this agreement, if the Customer chooses to purchase from MZ any Cisco products then the Customer hereby authorises MZ to use Cisco as a sub-processor, including authorising the transfer of Personal Data to the USA if this is necessitated by the choice of product; this authorisation is subject to the following conditions:
(i) Cisco shall throughout the time that they are providing such service be (a) a certified company under the EU-US Privacy Shield and (b) accredited under the EU Binding Corporate Rules for transferring data within a corporate group, such rules having been agreed with the Netherlands Data Processing Authority, Autoriteit Persoonsgegevens (BCR approval commits Cisco to processing EU personal data in accordance with EU data protection standards, including GDPR, anywhere in the world that Cisco operates)
(ii) Cisco ensures all media streams are encrypted once they leave a Customer device until they reach a device of one of Customer’s authorised users; importantly, data will be encrypted during transit, rest and search
(iii) it is acknowledged that Cisco does not permit audits of its processes (in lieu of this it should be noted Cisco has voluntarily had its compliance with the EU-US Privacy Shield independently verified by a third party review, and that BCRs require regular auditing)
2.7. MZ shall not, and shall procure that each of its sub-contractors shall not, without the prior written consent of the Customer:
(a) use or permit any third party to use any Customer Data otherwise than for the sole benefit of the Customer and in accordance with the terms of this Agreement;
(b) disclose any Customer Data except on a need to know basis to those MZ Personnel directly concerned with the provision of the Services; or
(c) disclose any Customer Data to any persons to whom MZ is able to disclose such Customer Data in accordance with the terms of this Agreement unless such persons are made aware, prior to disclosure, of the confidential nature thereof and that they owe a duty of confidence to the Customer in respect of such information, and to use all reasonable endeavours to ensure that such persons comply with such duty.
2.8. MZ shall take all reasonable steps to ensure the reliability of any MZ Personnel who have access to Customer Data and shall ensure that all such personnel:
(a) are informed of the confidential nature of Customer Data;
(b) have undertaken training in the laws relating to handling personal data; and
(c) are aware both of MZ’s duties and their personal duties and obligations under Data Protection Legislation and this Agreement.
2.9. MZ shall notify the Customer promptly (and in any event within five (5) Business Days) if it receives:
(a) a request from a data subject (as that term is understood by reference to the Data Protection Legislation) to have access to that person’s personal data; or
(b) a complaint or request relating to the Customer’s obligations and/or the rights of a data subject under Data Protection Legislation; or
(c) any other communication relating directly or indirectly to the processing of any personal data in connection with this Agreement;
and in each case, MZ shall promptly provide such information and assistance as is reasonably required by Customer to respond to and resolve the request, complaint or other communication within any time frames imposed by applicable Data Protection Legislation.
2.10. MZ shall notify the Customer as soon as reasonably practical upon becoming aware that it is or is likely to become unable to comply with its obligations regarding the processing of Customer Data under this Agreement or the Data Protection Legislation. Following notification, the Customer shall be entitled, in its absolute discretion, to terminate this Agreement on written notice. The Customer may, in addition to or instead of terminating this Agreement, require MZ to undertake one or more of the following:
(a) immediately take such remedial action as is required to ensure compliance with the Agreement and/or the Data Protection Legislation and prevent or remedy any breach;
(b) provide such information as is reasonably required by the Customer in respect of the incident leading to such notification; and/or
(c) cease to process Customer Data, return all materials containing Customer Data and delete all copies.
2.11. In addition to its obligations under Clauses 2.9 and 2.10, MZ shall:
(a) notify the Customer as soon as reasonably practical upon becoming aware of a personal data breach (as that term is understood by reference to the GDPR); and
(b) following notification, provide such information and assistance as is reasonably required by the Customer in order for the Customer to notify the personal data breach to the Information Commissioner and/or the data subjects, in accordance with the Data Protection Legislation.
2.12. If any Customer Data is lost or corrupted as a result of any act or omission of MZ or any of its subcontractors, MZ shall restore Customer Data at its own expense.