Giggio Limited - Data Processing Terms
This Data Processing Terms Addendum ("Addendum") forms part of the agreement for provision of the Giggio service ("Agreement") between: (i) Giggio Ltd, a limited company registered in England and Wales under company number 07494249 and whose registered office is at Giggio Limited, 3rd Floor, 86-90 Paul Street, London EC2A 4NE (“Giggio”); and (ii) the person or entity specified as “You” in an Order Form ("Customer”).
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined in this Addendum shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
Definitions
In this Addendum:
Applicable Law
means as applicable and binding on the Customer, Giggio and/or the Services:
(a) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
Appropriate Safeguards
means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Data Controller
has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;
Data Processor
has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;
Data Protection Laws
means as applicable and binding on the Customer, Giggio and/or the Services:
(a) in the United Kingdom:
(i) the Data Protection Act 1998 and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive); and/or
(ii) the GDPR, and/or any corresponding or equivalent national laws or regulations;
(b) in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them; and
(c) any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;
Data Subject
has the meaning given to that term in Data Protection Laws;
Data Subject Request
means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
GDPR
means the General Data Protection Regulation (EU) 2016/679;
International Organisation
means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
Personal Data
has the meaning given to that term in Data Protection Laws;
Personal Data Breach
means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
processing
has the meanings given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);
Processing Instructions
has the meaning given to that term in paragraph 2.1.1;
Protected Data
means Personal Data received from or on behalf of the Customer to the extent that it is processed by Giggio on Customer’s behalf in connection with the performance of Giggio’s obligations under the Agreement;v
Services
means the services to be provided under the Agreement.
Sub-Processor
means another Data Processor engaged by Giggio for carrying out processing activities in respect of the Protected Data on behalf of the Customer; and
Supervisory Authority
means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
Specific interpretive provision(s)
In this Addendum:
(a) references to any Applicable Laws (including to the Data Protection Laws and each of them) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including the GDPR and any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable;
(b) a reference to a law includes all subordinate legislation made under that law; and
(c) references to “paragraph numbers” are to paragraphs of this Addendum.
Data processing provisions
1. Data Processor and Data Controller
1.1. The parties agree that, for the Protected Data, the Customer shall be the Data Controller and Giggio shall be the Data Processor.
1.2. Giggio shall process Protected Data in compliance with:
1.2.1. the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under the Agreement; and
1.2.2. the terms of the Agreement.
1.3. The Customer shall comply with:
1.3.1. all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under the Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
1.3.2. the terms of the Agreement.
1.4. The Customer warrants, represents and undertakes, that:
1.4.1. all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by Giggio for the performance of the Services under the Agreement, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
1.4.2. all instructions given by it to Giggio in respect of Personal Data shall at all times be in accordance with Data Protection Laws.
1.5. The Customer shall not withhold, delay or condition its agreement to any change to the Agreement or the Services requested by Giggio in order to ensure the Services and Giggio (and each Sub-Processor) can comply with Data Protection Laws.
2. Instructions and details of processing
2.1. Insofar as Giggio processes Protected Data on behalf of the Customer, Giggio:
2.1.1. unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this paragraph 2 and Schedule 1 (Data processing details), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions);
2.1.2. if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
2.1.3. shall inform the Customer if Giggio becomes aware of a Processing Instruction that, in Giggio’s opinion, infringes Data Protection Laws, provided that: (a) this shall be without prejudice to paragraphs 1.3 and 1.4;
(b) to the maximum extent permitted by mandatory law, Giggio shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information.2.2. The processing of Protected Data to be carried out by Giggio under the Agreement shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time by agreement between the parties.
3. Technical and organisational measures
3.1. Giggio shall implement and maintain, at its cost and expense, the technical and organisational measures:
3.1.1. in relation to the processing of Protected Data by Giggio, as set out in Schedule 1 (Technical and organisational measures); and
3.1.2. taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data. 3.2. Any additional technical and organisational measures shall be at the Customer’s cost and expense.
4. Using staff and other processors
4.1. The Customer acknowledges that Sub-Processors are essential in order for Giggio to provide the Services. The Customer provides general written authorisation to Giggio to engage Sub-Processors to perform the Services. Giggio shall notify the Customer of any additions to its Sub-Processors. The Customer shall be given the opportunity to object to any new Sub-Processor and state its grounds for doing so. The Customer acknowledges that objecting to the use of a Sub-Processor may prevent Giggio from continuing to provide the Services to the Customer. In the event that Giggio is unable to adequately address those objections, either party may terminate the Agreement upon notice without liability to the other. For the avoidance of doubt, in such circumstances Giggio shall not be obliged to refund any Subscription Fees paid by the Customer under the Agreement. Additionally, the Customer hereby provides specific authorisation in respect of the following Sub-Processors: Secura Hosting Limited (www.secura.cloud)
4.2. Giggio shall: 4.2.1. prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract substantially on the standard terms of business of that Sub-Processor, or containing materially the same obligations as under this Addendum, that is enforceable by Giggio;
4.2.2. ensure each such Sub-Processor complies with all such obligations; and
4.2.3. remain fully liable for all the acts and omissions of each Sub-Processor which constitutes a breach of these terms as if they were its own. 4.3. Giggio shall ensure that all its personnel authorised by it to process Protected Data are subject to an obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law).
5. Assistance with the Customer’s compliance and Data Subject rights
5.1. Giggio shall refer all Data Subject Requests it receives to the Customer within 5 Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds 5 per calendar month, the Customer shall pay Giggio’s charges calculated on a time and materials basis at Giggio’s then current rates for recording and referring the Data Subject Requests in accordance with this paragraph 5.1.
5.2. Giggio shall provide such reasonable assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Giggio) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to: 5.2.1. security of processing;
5.2.2. data protection impact assessments (as such term is defined in Data Protection Laws);
5.2.3. prior consultation with a Supervisory Authority regarding high risk processing; and
5.2.4. notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,provided the Customer shall pay Giggio’s charges for providing the assistance in this paragraph 5.2, such charges to be calculated on a time and materials basis at Giggio’s then-current rates.
6. International data transfers
6.1. The Customer agrees that Giggio may transfer Protected Data to countries outside the United Kingdom, provided all transfers by Giggio of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of the Agreement shall constitute the Customer’s instructions with respect to transfers in accordance with paragraph 2.1.
7. Records, information and audit
7.1. Giggio shall maintain, in accordance with Data Protection Laws binding on Giggio, written records of all categories of processing activities carried out on behalf of the Customer.
7.2. Giggio shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Giggio's compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits and inspections by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer: 7.2.1. giving Giggio reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
7.2.2. ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
7.2.3. ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Giggio's business, the Sub-Processors’ business and the business of other customers of Giggio; and
7.2.4. paying Giggio's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
8. Breach notification
8.1. In respect of any Personal Data Breach involving Protected Data, Giggio shall, without undue delay:
8.1.1. notify the Customer of the Personal Data Breach; and
8.1.2. provide the Customer with details of the Personal Data Breach.
9. Deletion or return of Protected Data and copies
9.1. Giggio shall, at the Customer’s written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of: 9.1.1. the end of the provision of the relevant Services related to processing; or
9.1.2. once processing by Giggio of any Protected Data is no longer required for the purpose of Giggio’s performance of its relevant obligations under the Agreement, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Giggio shall inform the Customer of any such requirement).
Data Processing Details
1. Subject-matter of processing:
Any personal data comprised within customer invoices, customer contracts, customer contact information and calendar entries input by Customer into the Giggio Service
2. Duration of the processing:
For the duration of the Agreement
3. Nature and purpose of the processing:
To provide the Giggio service to the Customer.
4. Type of Personal Data:
Client Information, including Name, Address, Email, Position, Phone no.
Performer Information, including Name, Address, Email, Act Type, Phone no.
Gig details including date, time, venue, services provided and fee.
5. Categories of Data Subjects:
Clients, users and suppliers of Customer, or staff of the same.
6. Technical and Organisational Security measures applied to the Protected Data.
SSL Encryption on the Giggio websites
Firewall on server. Access to server back end is restricted to 2 IP addresses (one being the director of Giggio the other being Giggio’s programmer)
Passwords for computers and servers contain no common words, and are at least 12 characters.
Mobile devices are fingerprint secured with 6 digit pins
Email notifications and IP address logging for errors caused by suspicious activity
7. Processing Instructions
Not applicable.