Sample data processing terms

Definitions

These words and phrases have the following meanings in these data processing terms:

"Sub-processors": other processors which we, acting as a processor, appoint to process personal data.

Terms which are defined in the UK GDPR, and which are not defined in the [terms for registered users of fedi.example.com], have the meaning defined by the UK GDPR.

When these data processing terms apply

These data processing terms supplement, and are subject to, the [terms for registered users of fedi.example.com].

If, under Data Protection Legislation, you are the controller of the processing of personal data and we carry out one or more processing activities on your behalf as your processor, these data processing terms apply in respect of those processing activities.

These data processing terms do not apply when we are a controller in respect of a processing activity. In respect of those processing activities, please see our privacy notice.

(Note: for the vast majority of our users and processing activities, we will be a controller, not a processor, and our data processing terms will not apply. We have produced these data processing terms for the unlikely but possible situation in which we are someone's processor.)

Things you must do

You must do all of the following:

  • Ensure that any instructions that you give to us with respect to the processing of personal data are lawful and will not cause us, or you, to breach any law.

  • Give us your general authorisation to appoint Sub-processors. This means permitting us to appoint Sub-processors without getting your prior approval. It is not viable for us to provide the Service and act as your processor without your general authorisation to appoint Sub-processors so, if you wish to withdraw your general authorisation, you can, but you must delete all personal data from the Service, so that we cease to be your processor.

  • If you ask us to do one or more things which these data processing terms say that we will only do if you pay our charges, you must pay our charges for doing those things, since these are not part of the free Service. We may ask you to pay our charges in advance. If we do not receive payment in full, you agree that we are not obliged to do the things that you request.

Things we will do

If, in the course of providing the Service, you are a controller and we are your processor in respect of any processing of personal data, we will, in connection with that processing, do all of the following:

  • Process the personal data in accordance with law in any part of the United Kingdom.

  • Process the personal data only to provide the Service. This is your documented instruction to us.

  • If we are required to act other than in accordance with your instructions by any law in the United Kingdom, we will inform you before processing the personal data, unless we are prohibited from informing you.

  • Sub-processors

    • We have your general authorisation to appoint Sub-processors.
    • If we appoint Sub-processors, we will respect the conditions referred to in paragraphs 2 and 4 of Article 28 UK GDPR.
    • Subject to the limitation of our liability in the [terms for registered users of fedi.example.com], we will be liable for the acts and omissions of our Sub-processors.
    • We will ensure that the Sub-processor contract (as it relates to the processing of personal data) is on terms which are substantially the same as, and in any case no less onerous than, these data processing terms.
  • Ensure that anyone authorised by us to Process the personal data has committed themselves to confidentiality.

  • Take all security measures required by Article 32 UK GDPR.

  • Taking into account the nature of the processing, assist you, subject to you paying our charges, by appropriate technical and organisational measures, insofar as this is possible, to fulfil your obligation to respond to requests for exercising any Data Subject's rights laid down in Chapter III of the UK GDPR.

  • Provide, subject to you paying our charges, reasonable assistance following your written request to us, in ensuring your compliance with your obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to us.

  • At your choice and subject to you paying our charges, delete or return all the personal data for which we are your processor to you after the end of the provision of the Service, and delete existing copies. We are not required to delete personal data if we are required to continue to store those personal data by any law in the United Kingdom.

    • Be mindful that, because this is a federated service, Content, including personal data, that you upload to the Service may - and probably will - be transferred to other people's servers. Deleting Content from the Service does not guarantee that it will be deleted from other servers or people's computers, as this is outside our (and your) control.
  • Subject to you paying our charges and following written agreement as to the details, make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.

  • Notify you without undue delay if, in connection with our processing of personal data as your processor, we become aware of a personal data breach for which we are responsible.

Scope of processing

  • Subject matter, nature, and purpose of our processing: to provide the Service.

  • Duration of processing: until you delete the personal data from the Service, or the personal data is otherwise deleted from the Service.

  • Type of personal data and categories of data subjects: these are determined by you through your use of the Service.