Plotto Customer Data Processing Terms

1. General Terms

(a) To the extent that Plotto processes personal data:

(i)  comprised in or related to video survey Requests and

(ii) content of, and information comprised in or related to, video survey Contributions,

together Plotto Customer Personal Data, each party acknowledges and agrees that for the purpose of Data Protection Laws, the Plotto Customer is the controller of the Plotto Customer Personal Data and Plotto is the processor of the Plotto Customer Personal Data.

(b) The Plotto Customer shall comply with its obligations as controller of the Plotto Customer Personal Data (including, without limitation, any obligation under Data Protection Laws to obtain Contributor consent to the processing of Plotto Customer Personal Data) and shall be liable to Plotto for any failure of Plotto Customer to comply with any such obligations.

(c) Plotto shall implement appropriate technical and organisational measures to the intent that processing should meet the requirements of Data Protection Laws as to the protection of the rights of the data subject.

(d) The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the Plotto Customer in relation to the processing are as set out or implied in these Plotto Customer Data Processing Terms, the Plotto Agreement and the Plotto Privacy Policy.

(e) Plotto shall:

(i) process Plotto Customer Personal Data as permitted under or to comply with its obligations under these Plotto Customer Data Processing Terms (including in the provision of the Plotto service) and otherwise in accordance with the instructions of the Plotto Customer as stated in these Plotto Customer Data Processing Terms and the Plotto Agreement; and

(ii) assist the Plotto Customer at the Plotto Customer’s expense with undertaking an assessment of the impact of processing that Plotto Customer Personal Data, and with any  consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Protection Laws.

2. Data Subject Rights

Plotto shall:

(a) implement technical and organisational measures intended to assist in the fulfilment of the Plotto Customer’s obligation to respond to requests by data subjects to exercise their rights of access, rectification or erasure, to restrict or object to processing of Plotto Customer Personal Data, or to data portability; and

(b) if a data subject makes a written request to Plotto to exercise any of the rights referred to in paragraph 2(a) above, forward the request to the Plotto Customer promptly and shall, upon the Plotto Customer’s reasonable written request, provide the Plotto Customer with such co-operation and assistance as is reasonably requested by the Plotto Customer in relation to that request with the object of assisting the Plotto Customer to respond to it.

3. Security measures

Plotto shall:

(a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organisational measures intended to provide a level of security  appropriate to the risk of unauthorised or unlawful processing of Plotto Customer Personal Data, and of accidental or unlawful loss, alteration, unauthorised disclosure or destruction of, or damage to, Plotto Customer Personal Data; and

(b) notify the Plotto Customer without undue delay after becoming aware of a personal data breach, and upon the Plotto Customer’s reasonable written request provide the Plotto Customer at the Plotto Customer’s expense with such co-operation and assistance as is reasonably requested by the Plotto Customer with the object of assisting the Plotto Customer to notify the personal data breach to the relevant supervisory authority and relevant data subject(s) (as applicable).

4. Sharing of Plotto Customer Personal Data

Plotto’s third party processors of Plotto Customer Personal Data (Subprocessors) are identified in the Schedule to these Customer Data Processing Terms.

Plotto shall:

(a)  when engaging a new Subprocessor, inform the Plotto Customer of the engagement at least 30 days prior to the Subprocessor commencing the processing of Plotto Customer Personal Data, notifying the Plotto Customer of the identity of the Subprocessor and its role, by email to support@plotto.com;

(b) be deemed to grant the Plotto Customer the right to object to such new Subprocessor by terminating the Agreement in accordance with clause 7c. of the Agreement (subject to the other provisions of that clause 7 and the Agreement), such right of termination being the Plotto Customer’s entire and exclusive remedy if it objects to a new Subprocessor.

(c) enter into a contract with each Subprocessor on terms appropriate to the requirements of Data Protection Laws; and

(d) ensure that its employees who have access to Plotto Customer Personal Data have committed to confidentiality obligations.

5. Transfers of Plotto Customer Personal Data

(a) Save as permitted pursuant to paragraph 4 above, Plotto shall not transfer Plotto Customer Personal Data to, or process Plotto Customer Personal Data in, any country outside the European Economic Area without the prior written consent of the Plotto Customer (such consent not to be unreasonably withheld or delayed) unless (and for so long as):

(i) there has been a European Community finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC or, after 24 May 2018, Article 45 of the GDPR in respect of that country or territory;

(ii) the transfer is to the United States to an importing entity that is a certified member of the EU-US Privacy Shield; or

(iii) the Plotto Customer or Plotto and the relevant importing entity are party to a contract in relation to the export of Plotto Customer Personal Data meeting the then-current requirements of Data Protection Laws and these Plotto Customer Data Processing Terms.

(b) Where any mechanism for cross-border transfers of Plotto Customer Personal Data is found by a supervisory authority, court of competent jurisdiction or other governmental authority to be an invalid means of complying with the restrictions on transferring Plotto Customer Personal Data to a third country or territory as set out in Data Protection Laws, the parties shall act in good faith to agree the implementation of an alternative solution to enable the Plotto Customer to comply with the provisions of Data Protection Laws in respect of any such transfer.

6. Compliance

(a) Plotto shall at Plotto Customer’s expense:

(i) upon Plotto Customer’s written request provide all information reasonably required to demonstrate its compliance with Article 28 of the GDPR;

(ii) allow for and contribute to audits conducted by or on behalf of Plotto Customer relating to the processing of Plotto Customer Personal Data by Plotto;

(iii) provide all co-operation and assistance reasonably requested by Plotto Customer in connection with:

(A) assisting Plotto Customer in ensuring compliance with obligations under Articles 32 to 36 of the GDPR, taking into account the nature of Plotto’s processing and the information available to Plotto;

(B) the undertaking of any assessment by Plotto Customer of the impact of processing Plotto Customer Personal Data; and

(C) any consultations conducted by Plotto Customer with any supervisory authority under Data Protection Laws.

(b) The Plotto Customer shall:

(i) comply with all applicable laws (including Data Protection Laws), and rights of third parties, that relate to Plotto Customer Personal Data; and

(ii) comply with all of its obligations as Customer of Customer Personal Data; and

(iii) ensure that it is and shall remain entitled to authorise the processing by Plotto and other processors engaged by Plotto of Customer Personal Data in connection with the Plotto service.

7. Termination/expiry

(a) Unless expressly stated otherwise in these Plotto Customer Data Processing Terms, upon termination of  the Plotto Customer’s participation in the Plotto service, Plotto shall, and shall procure that each processor engaged by Plotto to process Plotto Customer Personal Data shall, cease as soon as is reasonably practicable to use the Plotto Customer Personal Data and delete the Plotto Customer Personal Data unless required or entitled to retain a copy in accordance with any law of the European Union or any member state of the European Union or permitted to retain or continue processing the Plotto Customer Personal Data under any provision of these Plotto Customer Data Processing Terms.

(b) On expiry of the Plotto Customer’s participation in the Plotto service these Plotto Customer Data Processing Terms shall survive and continue in full force and effect.

8. Definitions

In these Plotto Customer Data Processing Terms:

(a) Data Protection Laws include (i) Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR) and the Directive on Privacy and Electronic Communications (2002/58/EC), (ii) their successors or replacements, and (iii) any legislation implementing or modifying any of them in the United Kingdom;

(b)  controller, data subject, personal data, personal data breach, processor and processing shall each bear the meanings given to them in the GDPR;

(c) Words and phrases defined in the Plotto Agreement or the Plotto Privacy Policy have the same meaning in these Plotto Customer Data Processing Terms

 

Schedule: Processors

The Customer confirms that the following general authorisations of processors are authorised for use by Plotto:

Hosting and Infrastructure Service providers, including:

Company Address Scope
Amazon Web Services Amazon Web Services EMEA, Luxembourg Primary cloud infrastructure. Hosting, Storage, Data Processing
Microsoft Microsoft Corporation, Redmond, WA, USA Cognitive Services
IBM IBM Corporation, Austin, TX, USA Watson Services
Intercom Intercom, San Francisco, CA, USA Chat and support services
Loggly Loggly Inc, San Francisco, CA, USA Application Logs management