GDPR Contract Addendum


New Contractual Commitments for the General Data Protection Regulation

Either you and/or your affiliates, including subsidiaries and holding companies (collectively, “you” and “your”), receive services and products from EAC Network Solutions (“EAC”, “we” and “our”). From 25 May 2018, the terms set out below will come into force between you and EAC to coincide with the taking effect of the General Data Protection Regulation (2016/679) (“GDPR”).

1. You and we will each comply with the GDPR and any other similar national privacy legislation (collectively the “Data Protection Legislation”) applicable to any personal data processed as part of the products and services you receive from us or otherwise in connection with those products and services (the “Personal Data”). We may process the Personal Data in connection with the provision and administration of the products or services and as permitted or in accordance with law.

2. Where we process personal data made available by you to us in relation to the products and services we provide (“Supplied Personal Data”) as your Processor (as defined in the Data Protection Legislation):

a) the subject matter, nature, purpose and duration of our Supplied Personal Data processing (as well as information on the types of Personal Data processed and categories of data subjects) is set out in product information provided to you from time to time in respect of our services and products at privacy policy;

b) we will only process the Supplied Personal Data on your documented instructions, unless we are required to process it for other purposes by EU law (in which case we will give prior notice of that requirement unless the relevant law prohibits the giving of notice);

c) we will comply with the express obligations of a Processor under Articles 28(3)(b) to 28(3)(h) of the GDPR. However, you may not instruct us to delete copies of data that we hold as Controller (as defined in the Data Protection Legislation);

d) you generally authorise us to engage further Processors to process Supplied Personal Data. A list of those further Processors is available at privacy policy. We will update this list in advance of making any change. If you reasonably object to a change, at our option we will either: (i) give you an opportunity to pay for a version of the relevant product or service without use of the Processor to which you object; or (ii) terminate the provision of the affected product or service to you;

e) you will tell us if you require any assistance pursuant to Articles 28(3)(a) to 28(3)(h) of the GDPR inclusive. We and you will agree the scope, method, timing and reasonable fees chargeable by EAC for such assistance; and

f) in fulfilment of our obligation to demonstrate compliance with this paragraph, we will make available to you information on our processing of your Supplied Personal Data (including, at our discretion, certificates, third party audit reports or other relevant information).

3. Where we process Personal Data as Controller:

a) you will bring to the attention of any individuals that you make our products and services available to (or that you ask us to deal with or carry out research on) any privacy notices we make available for those products and services;

b) you continue to act as Controller in respect of any Personal Data you choose to record or otherwise process as a result of your receipt and use of the services provided by EAC; and

c) only in very limited circumstances might you and we be considered to be joint Controllers, and where this is the case, our respective responsibilities will be clearly set out in product information.

4. We may transfer Supplied Personal Data outside of the EEA where we are permitted to do so for that transfer under Articles 44 to 49 of the GDPR. Further information regarding where Personal Data is being transferred outside of the EEA is available at privacy policy

5. You confirm that any Supplied Personal Data provided to us by you or on your behalf has been collected and disclosed in accordance with Data Protection Legislation. When using our products and services, you will take reasonable steps to ensure that you and your employees, agents and contractors do not input, upload or disclose to us any irrelevant or unnecessary information about individuals.

6. You and we will each maintain and will require your and our Processors (respectively) to maintain, appropriate physical, technical and organisational measures to protect Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access (“Data Breach”). You will, without undue delay, tell us of any actual or suspected non-trivial Data Breach relating to Personal Data that may also impact us or the security of our systems, products or services. Where we act as your Processor, we will notify you, without undue delay, of any non-trivial Data Breach that may adversely affect the Supplied Personal Data.