Data Processing Policy
Effective Date: 18 May 2018
This Data Processing Policy applies to the atmail owned and operated Services. atmail (“we,” or “us”) knows that you care how your data is used and processed by atmail, how this may be exposed to third-parties and your rights. This Data Processing Policy explains how your data may be processed whilst using the atmail Service.
Capitalised terms that are not defined in this Data Processing Policy have the meaning given them in our standard Terms of Service. In the event of any conflict between the Terms of Service and the terms of this Data Processing Policy, the relevant terms of this Data Processing Policy shall prevail.
This Data Processing Policy is valid from accepting the Terms of Service and shall be effective for the services period of any cloud order placed by Customer under the Agreement. atmail applies this policy globally, in so far as possible. This Data Processing Policy is totally enforced for Services within the European Union.
This Data Processing Policy has the following definitions:
|Affiliates||Any subsidiaries of atmail that may assist in the performance of the Services.|
|Consisting of (i) the order between Customer and atmail, (ii) the Terms of Service, and (iii) all documents, appendices, and amendments incorporated therein.|
|Any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|Personal Data||Any information relating to an identified or identifiable natural person (i.e. Data Subject).|
|Controller||The natural or legal person, which alone or jointly with other, determines the purpose and means of the processing of Personal Data.|
|Processor||A natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.|
|Data Subject||An identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identify or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that natural person.|
|Data Protection Authority||An independent public authority which is established by a Member State.|
|Technical and organisational security measures||Measures to protect personal data against unintentional or unlawful extinction, accidental sealed, changes, unauthorized disclosure or access, in particular when processing involves transmission of data over a network and against all other unlawful form of processing.|
|Sub Data Processor||A natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and person who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.|
|Anonymized Data||The data is modified in such a way that the result cannot be used to identify a Data Subject.|
2. Categories of Personal Data
- In order to execute the Agreement, and in particular to perform the Services on behalf of Customer, Customer authorises and requests that atmail Process, for example but not limited to, the following Personal Data:
- Categories of Personal Data: Personal Data may include, among other information, personal contact information such as name, home address, home telephone or mobile number, email address, and passwords; social security details and business contact details; financial details; and goods and services provided.
- Categories of Data Subjects: Data subjects include Customer’s representatives and end users, such as employees, contractors, collaborators, partners, and customers of Customer. Data subjects also may include individuals attempting to communicate or transfer Personal Data to users of the Services.
- 2.2. Customer is responsible, as the Controller, for all Personal Data stored in the Service and to ensure the Personal Data does not containing any illegally obtained information or information used to preform illegal activity. Customer also agree to hold atmail harmless in any case such illegal information is processed.
3. Purpose of Processing
- atmail shall Process Personal Data only:
- in accordance with the Customer’s instructions through the settings of the Services, i.e. to operate, maintain, support and to provide the Services;
- testing and maintenance work of automatic procedures or data processing equipment, including those as part of remote access, where the use of test data is not representative of real world usage and such testing and maintenance is required to ensure accurate operations of the system;
- using Anonymised Data versions for statistical, analytical and systemic purposes by atmail;
- using Anonymised Data versions to compile statistical and other information related to the performance, operation and use of the Services;
- use data from the Services environment in aggregated form for security and operations management, to create statistical analyses, and for research and development purposes, and;
- retain anonymised data for statistical and analytical purposes.
- atmail shall not otherwise (i) Process and use Personal Data for purposes other than those set forth in this Data Processing Policy, or (ii) disclose such Personal Data to third parties other than Affiliates or its Sub Data Processors for the aforementioned purposes or as required by law.
- The warranty made under clause 3.2 remains applicable during the applicable term of this Data Processing Policy and after the termination thereof.
- If atmail does not comply with the clauses 3.1 and 3.2 Customer is entitled to suspend the transfer of data and/or seek to rectify the Processing in consultation with atmail.
- atmail may alter clauses 3.1 and 3.2 after written notification is provided to Customer, and Customer does not provide objection within 30 days of proposed changes. Customer maintains the right to object in accordance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- atmail will fulfil its obligations of this Data Processing Policy without charging Customer any additional costs, without prejudice to clause 4.2.
4. Customer’s Instructions
- During the term of the Agreement of any order for Services, Customer may provide instructions to atmail in addition to those specified in this Data Processing Policy with regard to processing of Personal Data. atmail will comply with all such instructions to the extent necessary for atmail to comply with laws applicable to atmail as a Processor in the performance of the Services.
- atmail is entitled to compensation from Customer to comply with Customer’s written instructions if the requested action is not otherwise apparent from the Data Processing Policy. If the costs of complying with Customer’s additional instruction are beyond reasonable and disproportionate in relation to the service fee for the Service, atmail shall be entitled to terminate the Agreement (including this Data Processing Policy) with 90 days’ notice.
- atmail will inform Customer if, in atmail’s opinion, an instruction breaches data protection regulations. Customer understands that atmail is not obligated to perform legal research and/or to provide legal advice to Customer.
- atmail agrees to not disclose or transfer any information regarding the processing of the Personal Data or any other information received under this Data Processing Policy to any unauthorised third party. The obligations stated in Section 5.1 does not apply to: (i) information which a party can show was known for the public at the time of receipt, or (ii) information that a party issued to submit to the authority.
- The Parties shall disclose Confidential information only to employees or subcontract personnel who need to know the Confidential information for their work in connection with the approved purpose or employees in the legal unit that is part of the same group as the Recipient, and who need to know the Confidential information for their work in connection with the performance of the Agreement. The confidentiality obligation shall survive the Agreement.
6. The Controller
- The control of Personal Data remains with Customer, and as between Customer and atmail, Customer will at all times remain the Controller for the purposes of the Services, the Agreement, and this Data Processing Policy.
- Customer is responsible for compliance with its obligations as Controller under data protection laws, in particular for justification of any transmission of Personal Data to atmail (including providing any required notices and obtaining any required consents from Data Subjects), and for its decisions concerning the Processing and use of the Personal Data. Customer shall without delay inform atmail about changes in the Processing which will affect atmail’s obligations. Customer shall also inform atmail about third parties, such as Data Protection Authority and Data Subjects means in regard to the Processing.
7. Rights of Data Subjects
- atmail will grant Customer electronic access to Customer’s Services environment, via defined administration interfaces only, that holds Personal Data to permit Customer to delete, release, correct or block access to specific Personal Data or, if that is not practicable and to the extent permitted by applicable law, follow Customer’s detailed written instructions to delete, release, correct or block access to Personal Data. Customer agrees to pay atmail’s reasonable fees associated with the performance of any such deletion, release, correction or blocking of access to data.
- atmail shall pass on to Customer any requests of an individual Data Subject to delete, release, correct or block Personal Data Processed under the Agreement.
- atmail will promptly notify Customer about any request received directly from the Data Subjects, such as requests based on the exercise of their rights set out in articles 15 to 19 GDPR, without responding to that request, unless it has been otherwise authorised to do so.
8. Data Processing within the EU/EEA
- With respect to Processing of Personal Data originating from the European Union (EU) and the European Economic Area (EEA), atmail will at all times maintain established Customer data during the performance of the Services in its data centres located within the EU/EEA. atmail will never transfer data to a third country per the definition in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- atmail reserves the right to transfer Services and associated data that is subject to the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) if atmail becomes aware that this data is held or processed outside the European Union (EU) and the European Economic Area (EEA) if such a transfer is required to ensure atmail’s compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). In such cases of transfer of Services, atmail will notify Customer of the intended transfer.
9. Sub Data Processors
- atmail may subcontract any of its processing operations performed on behalf of Customer under the Clauses without the prior written consent of Customer.
- Some or all of atmail’s obligations under the Agreement may be performed by Affiliates. In such an event, atmail and Affiliates have subscribed to this Data Processing Policy, under which an atmail subsidiary handling Personal Data adopts safeguards consistent with those of atmail. Affiliates contracting with the atmail are responsible for compliance. If atmail, with Customer’s authorisation, transfers its obligation, according to this Agreement, in whole or partly to a subcontractor, a written agreement shall be concluded between atmail and such Sub Data Processors, imposing the same Processor obligations under this Data Processing Policy. atmail shall remain responsible at all times for compliance with the terms of the Agreement and this Data Processing Policy by Affiliates and Sub Data Processors.
- atmail maintains a list of Sub Data Processors that atmail has approved to Process the Personal Data of Service customers and will provide a copy of that list to Customer upon request. All Sub Data Processors are required to abide by substantially the same obligations as atmail under this Data Processing Policy as applicable to their performance of the Services.
10. Technical and Organisational Measures
- atmail shall implement and maintain compliance with necessary and appropriate technical and organisational measures to protect the Processing of Personal Data against unauthorised access, destruction and alteration. To prevent unauthorised persons from gaining access to data processing systems in which Personal Data is Processed(physical access control), atmail shall take reasonable measures to prevent physical access. To prevent data processing systems from being used without authorisation (system access control), the following may be applied depending upon the particular Services ordered: authentication via passwords and/or two-factor authentication, documented authorisation processes, documented change management processes, and logging of access on several levels.
- For Services hosted at atmail, (i) logins to services environments by atmail employees and Sub Data Processors are logged; (ii) logical access to the data centres is restricted and protected by firewall/VLAN; and (iii) the following security processes are applied: intrusion detection system, centralised logging and alerting, and firewalls.
- To ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and that Personal Data cannot be read, copied, modified or removed without authorisation in the course of Processing and/or after storage (data access control), Personal Data is accessible and manageable only by properly authorised staff on a ‘need to know’ basis and application access rights are established and enforced.
- To ensure that Personal Data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control), atmail will comply with the following requirements: Except as otherwise specified for the Services, transfers of data outside the Service environment are encrypted. The content of communications (including sender and recipient addresses) sent through some email or messaging services may not be encrypted once received through such services.
- To ensure that it is possible to check and establish whether and by whom Personal Data have been entered into data processing systems, modified or removed (input control), atmail will comply with the following requirements: The Personal Data source is under the control of Customer, and Personal Data integration into the system is managed by secured transfer (i.e. via web services or entered into the application) from Customer.
- To ensure that Personal Data is Processed strictly in accordance with the instructions of Customer, atmail will comply with the instructions of Customer concerning Processing of Personal Data; such instructions are specified in the Agreement and in this Data Processing Policy and may additionally be provided by Customer in writing from time to time subject to this Policy.
- To ensure that Personal Data is protected against accidental destruction or loss, for Services hosted by atmail: back-ups will be taken on a regular basis; back-ups are encrypted and are secured. It is Customer’s responsibility to ensure that back-ups are taken in a manner that meets all legal requirements.
- To ensure that Personal Data which is collected for different purposes may be Processed separately, data from different atmail’s customers’ environments is logically segregated on atmail’s systems.
- Customer has the final responsibility to assess which safety measure need to be implemented. However, upon the effectiveness of the General Data Protection Act (“GDPR”) on 25 May 2018, atmail will have its own responsibility to safeguard that essential security measures for processing is implemented and if necessary implement further technical and safety measures. atmail is entitled to compensation if Customer requests additional security measures (in accordance to 4.2).
11. Audit Rights
- atmail shall provide Customer with certificates of compliance with data protection and cloud security applicable to the Services, upon Customer’s request. Customer may audit atmail’s compliance with the terms of the Agreement and this Data Processing Policy up to once per year. Customer may perform more frequent audits of the Service computer systems that Process Personal Data to the extent required by laws applicable to Customer. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and atmail and must execute a written confidentiality agreement acceptable to atmail before conducting the audit.
- To request an audit, Customer must submit a detailed audit plan at least two weeks in advance of the proposed audit date to atmail describing the proposed scope, duration, and start date of the audit. atmail will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise atmail’s security, privacy, or employment policies). Customer will provide atmail any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of the Agreement and this Data Processing Policy. The audit reports are Confidential Information of the parties under the terms of this Data Processing Policy.
- Any audits are at Customer’s expense. Any request for atmail to provide assistance with an audit is considered a separate service if such audit assistance requires the use of different or additional resources. atmail will seek Customer’s written approval and agreement to pay any related fees before performing such audit assistance.
12. Incident Management and Breach Notification
- atmail evaluates and responds to incidents that create suspicion of unauthorised access to or handling of Personal Data, which includes unlawful or accidental addition, modification, destruction, loss, disclosure or access to such data. atmail is informed of such incidents and, depending on the nature of the activity, defines escalation paths and response teams to address those incidents. atmail will work with Customer, with the appropriate technical teams and, where necessary, with outside law enforcement to respond to the incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the Services environment, and to establish root causes and remediation steps. For purposes of this section, “security breach” means the misappropriation of Personal Data located on atmail’s systems or the Services environment that compromises the security, confidentiality or integrity of such information.
- atmail operations staff is instructed on responding to incidents where handling of Personal Data may have been unauthorised, including prompt and reasonable reporting to atmail, atmail’s legal department, escalation procedures, and chain of custody practices to secure relevant evidence.
- atmail shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, inform Customer when a security breach was detected, if atmail determines that Personal Data has been subject to a security breach or any other circumstance in which Customer is required to provide a notification under applicable law, unless otherwise required by law.
- atmail shall promptly investigate any security breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, atmail will provide Customer with a description of the security breach, the type of data that was the subject of the breach, and other information Customer may reasonably request concerning the affected Data Subjects. The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects.
- atmail will disclose to statutory authorities within the time frames provided under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
- In the case of Personal Data breach, upon notification from atmail, Customer is responsible to provide notice to affected Data Subjects on behalf of atmail.
13. Return and Deletion of Personal Data Upon End of Services or at Customer’s Request (“Data Portability”)
- Within 30 days of the effective date of termination of the Agreement atmail will keep available to Customer all Data and without any charges. atmail shall thereafter delete all Data in its possession or otherwise under its control and shall warrant that its Affiliates or any other party for which atmail is responsible will do the same.
- If the Customer requires Data from the Service, the Customer will, at their own expense, perform the necessary transfer of such data from the Service in a way that is compliant with this Data Processing Policy and in a manner that ensure Personal Data is not put at risk.
- The Parties agree that on the termination of the provision of data processing services, atmail and Sub-processors shall destroy all the Personal Data, unless legislation imposed upon atmail prevents it from destroying all or part of the Personal Data transferred. In that case, atmail warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred.
14. Legally Required Disclosures
- Except as otherwise required by law, atmail will notify Customer within twenty-four hours of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency or other governmental authority (“Demand”) that it receives, and which relates to the Personal Data atmail is Processing on Customer’s behalf.
- At Customer’s request, and to the extent permitted by law, atmail will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the demand in a timely manner.
- Upon the effectiveness of the GDPR, atmail is obligated, on request, to collaborate with the Data Protection Authority. This provision will take precedence to any confidentiality obligations which atmail concluded with Customer.