Data Protection Statement
In this Statement, the expressions which follow are given these meanings unless the context in which they are used requires a different meaning:
1.1 “Cloudview UK” has the meaning of Cloudview (UK) Limited whose registered office is at Enterprise House, Beeson’s Yard, Bury Lane, Rickmansworth, Hertfordshire, WD3 1DS;
1.2 “Customer” has the meaning of a Customer of Cloudview (UK) Limited, and who enters into a written contract with Cloudview (UK) for the provision of certain goods or services;
1.3 "Data Controller" has the meaning given to that term in Data Protection Law;
1.4 "Data Processor" has the meaning given to that term in Data Protection Law;
1.5 "Data Subject" means an individual who is the subject of any of the Disclosed Data.
1.6 "Data Subject Request" means a written request of the Data Controller by or on behalf of a Data Subject to exercise any rights conferred by Data Protection Law;
1.7 "Disclosed Data" means the Personal Data disclosed to Cloudview UK by or on behalf of the Customer in connection with the Purpose, and in this context "disclose" includes directly or indirectly giving Cloudview UK, or arranging for Cloudview UK to have, access to Personal Data in any manner and in any form or format whatsoever, including by instructing Cloudview UK to collect Personal Data directly from the Data Subject (or anyone authorised by the Data Subject to provide it);
1.8 "Data Protection Law" means any Law that applies from time to time to the Processing of Personal Data by either Party under any contractual agreement between Cloudview UK and the Customer, including the EU Data Protection Directive 95/46/EC, the EU Privacy & Electronic Communications Directive 2002/58/EC, Regulation (EU) 2016/679 (if and from the date that it comes into force in the United Kingdom), all national legislation (including the Data Protection Act 1998) and subordinate legislation in the United Kingdom and any applicable decisions and guidance made under any of them;
1.9 “Law” means any statute, directive, other legislation, law or regulation in whatever form, delegated act (under any of the foregoing), rule, order of any court having valid jurisdiction or other binding restriction, decision or guidance in force from time to time;
1.10 "Personal Data" and "Processing" each have the meanings given to them in Data Protection Law and "Process" and any other tense or part of that verb will be interpreted accordingly;
1.11 "Purpose" means the provision of the Services or any Products or any other services or products as may be agreed between the Parties in writing from time to time;
1.12 “Security Breach” means any breach or suspected breach of any of Cloudview UK's obligations in terms of Articles 2 and/or 3 or any other unauthorised or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or damage or access to the Disclosed Data;
1.13 “Security Incident” means a Security Breach or a Security Risk;
1.14 “Security Measures” has the meaning given to that term in Article 3.4;
1.15 “Security Risk” means any risks or vulnerabilities that are likely to affect the integrity or effectiveness of the Security Measures (including vulnerabilities relating to any software or third party system or network) that are known or ought reasonably to be known to Cloudview UK.
2. Relationship between the Customer and Cloudview UK
In relation to any Processing for the Purpose, the Customer and Cloudview UK acknowledge that, for the purposes of Data Protection Law, the Customer is the Data Controller and Cloudview UK is the Data Processor of any Disclosed Data.
3. Obligations of Cloudview UK
3.1 Subject to Article 2.2, Cloudview UK will Process the Disclosed Data only to the extent, and in such a manner, as is necessary for the Purpose, subject to and in accordance with the Customer’s express written instructions from time to time. If Cloudview UK considers that any instruction from the Customer contravenes Data Protection Law, it shall immediately notify the Customer, giving reasonable details.
3.2 Where Cloudview UK is obliged by Law to Process the Disclosed Data other than on the express written instructions of the Customer, it will inform the Controller of such legal requirement before commencing such Processing, unless prohibited to do so by Law.
3.3 Cloudview UK will acquire no rights or interest in or to the Disclosed Data and, without affecting the generality of Article 3.6, on demand by the Customer will destroy and/or permanently delete from its information technology systems (at the option of the Customer) all copies of any Disclosed Data in its possession (in any form or format whatsoever) and give the Customer a certificate signed by one of its authorised signatories (who is properly authorised to give such a certificate) confirming that it has done so.
3.4 In accordance with the requirements of Data Protection Law, Cloudview UK will implement appropriate technical and organisational measures (the “Security Measures”), so as to ensure an appropriate level of security is adopted to mitigate the risks associated with the Processing of such Disclosed Data, including against unauthorised or unlawful Processing, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or damage or access to the Disclosed Data, to ensure that the Customer complies with its obligations under Data Protection Law. Cloudview UK shall regularly review the Security Measures to ensure that they are appropriate and reflect good industry practice, and provide the Customer with details of any material changes in accordance with Article 3.5.2.
3.5 Cloudview UK will:
3.5.1 comply with its obligations as a Data Processor under Data Protection Law in relation to the Processing of Personal Data by it under any contractual agreement between Cloudview UK and the Customer, including keeping records of all Processing of Disclosed Data that it carries out as Data Processor on behalf of the Customer under any contractual agreement between Cloudview UK and the Customer as required by Data Protection Law;
3.5.2 provide to the Customer all information necessary to demonstrate compliance with Data Protection Law in relation to the Processing of Personal Data by Cloudview UK under any contractual agreement between Cloudview UK and the Customer, including:
3.5.2.1 evidence of the Security Measures implemented by Cloudview UK pursuant to Article 3.4; and
3.5.2.2 the records referred to in Article 3.5.1.
3.5.3 permit the Customer (or any third party auditor appointed by the Customer) to have reasonable access to Cloudview UK's premises, personnel and records, on reasonable notice, for the purposes of inspecting, testing and auditing the technical and organisational measures implemented by Cloudview UK pursuant to Article 3.4 and otherwise verifying compliance with Data Protection Law in respect of Cloudview UK’s Processing of Disclosed Data under any contractual agreement between Cloudview UK and the Customer. Such access may exclude, at Cloudview UK’s discretion, access to certain proprietary Cloudview UK intellectual property;
3.5.4 promptly make such changes to those measures, and otherwise take such steps as the Customer requests it to take, to ensure that those measures are sufficient to ensure the Customer's compliance with Data Protection Law; and
3.5.5 without prejudice to Articles 3.5.1 to 3.5.3 (both inclusive), generally assist the Customer to ensure compliance with the Customer’s obligations under Data Protection Law in relation to the Processing of the Disclosed Data under any contractual agreement between Cloudview UK and the Customer, having regard to the nature of the processing and the information available to Cloudview UK, including by doing such further acts or things as may be reasonably required by the Customer at the Customer's cost and expense.
3.6 Cloudview UK will promptly comply with any request from the Customer requiring Cloudview UK to delete or destroy the Disclosed Data and in any event promptly delete or destroy the Disclosed Data upon the expiry or termination of any contractual agreement between Cloudview UK and the Customer.
3.7 Cloudview UK will not transfer any of the Disclosed Data outside the European Economic Area, except upon and in accordance with the express written instructions or agreement in writing of the Customer. Without limiting Article 3.8, where Cloudview UK has transferred any of the Disclosed Data outside the European Economic Area on such instructions of the Customer or with such agreement, the Customer may require Cloudview UK to transfer the Disclosed Data back to within the European Economic Area:
3.7.1 on giving not less than 10 days’ notice in writing to that effect; or
3.7.2 at any time in the event of a change in Law which makes it unlawful for the Disclosed Data to be Processed in the jurisdiction outside the European Economic Area where it is being Processed.
3.8 Where the legal basis upon which Disclosed Data is transferred outside the European Economic Area pursuant to Article 3.7 is ruled by any court of competent jurisdiction to be unlawful or otherwise ceases to exist, Cloudview UK shall, at the Customer’s discretion either:
3.8.1 take such steps and execute such documents as the Customer may reasonably require to ensure that the transfer of Disclosed Data takes place on a lawful basis; or
3.8.2 transfer the Disclosed Data back to within the European Economic Area in accordance with Article 3.7.
3.9 If Cloudview UK receives any complaint, notice or communication which relates directly or indirectly to the Processing of the Disclosed Data or to either party's compliance with Data Protection Law, it will immediately notify the Customer and it will provide the Customer with full co-operation and assistance in relation to any such complaint, notice or communication.
3.10 Cloudview UK agrees to assist the Customer, within such timescale as may be reasonably required by the Customer, in responding to any Data Subject Request which is received by the Customer or Cloudview UK. However, Cloudview UK will not acknowledge or otherwise respond to any such Data Subject Request, nor disclose any of the Disclosed Data to any Data Subject or to any third party, other than upon and in accordance with the Customer's instructions or as otherwise provided for in any contractual agreement between Cloudview UK and the Customer.
4. Cloudview UK's Employees and Agents
4.1 Cloudview UK will ensure that access to the Disclosed Data is limited to:
4.1.1 those of its employees or agents who need access to the Disclosed Data to meet Cloudview UK's obligations under any contractual agreement between Cloudview UK and the Customer (the “Relevant Employees and Agents”); and
4.1.2 in the case of any access by any such employee or agent, such part or parts of the Disclosed Data as is strictly necessary for performance of that employee's or agent’s duties.
4.2 Cloudview UK will ensure that its Relevant Employees and Agents:
4.2.1 only Process Disclosed Data to the extent permitted by Article 3.1 and (where applicable) Article 3.2;
4.2.2 are bound by appropriate obligations of confidentiality in respect of the Disclosed Data and understand that the Disclosed Data is confidential in nature;
4.2.3 have undertaken training in Data Protection Law; and
4.2.4 are aware of Cloudview UK's obligations under such Data Protection Law and any contractual agreement between Cloudview UK and the Customer.
4.3 Without affecting the generality of Article 3.4, Cloudview UK will take appropriate steps to ensure the reliability of any of Cloudview UK's employees or agents who have access to the Disclosed Data.
5. Security Incidents
5.1 Cloudview UK shall put in place and maintain appropriate systems to monitor and identify Security Incidents. Upon becoming aware of any Security Incident, Cloudview UK shall take the steps set out in this Article 5.
5.2 Cloudview UK will immediately upon becoming aware of a Security Incident take such steps as are necessary to mitigate the detrimental impact of the Security Incident.
5.3 Cloudview UK will promptly (and, in any event, no later than 12 hours after becoming aware of the Security Incident) inform the Customer in writing of any Security Incident. Such notification shall specify (at a minimum):
5.3.1 the nature of the Security Incident;
5.3.2 the date and time of occurrence;
5.3.3 the extent of the Disclosed Data and Data Subjects affected or potentially affected;
5.3.4 the likely consequences of the Security Incident for Data Subjects and any measures taken or proposed to be taken by Cloudview UK to contain or rectify the Security Incident; and
5.3.5 any other information that the Customer shall require in order to discharge its responsibilities under Data Protection Law in relation to the Security Incident.
5.4 Cloudview UK will thereafter promptly, at Cloudview UK's expense: (i) provide the Customer with all such information as the Customer reasonably requests in connection with the Security Incident; (ii) take any such additional steps as the Customer reasonably requires it to take to mitigate the detrimental effects of the Security Incident on any of the Data Subjects and/or on the Customer; and (iii) otherwise cooperate with the Customer in investigating and dealing with the Security Incident and its consequences.