Who we are
Sleeping Giant Media is Kent’s largest digital marketing agency – we base our company ethos on being an extension of the businesses we work with; our heroes work tirelessly on unlocking business performance through digital marketing! We’re fun, we’re functional… we’re a birthday cake with sparklers on top. We work with a lot of businesses, a lot of people, and funnily enough – we’re people ourselves. So we know how important data protection and privacy is to everyone. We’ve set up this Privacy Notice to let you know just what data we are collecting, why, who else might see it, and how we’re going to use it. So, if you’re into this sort of thing, grab a cup of something, put your feet up, and enjoy this bedtime read.
Types of data we collect
What are cookies, and what are you doing with my data from them?
Yes – a delicious treat. Oats and chocolate chips preferable. But in terms of computers, cookies are small data files that are popped on your computer/mobile/tablet/other device as you browse a website. They remember your device and when it accessed the website, and helps inform what happens when you’re on the site and after you leave it. For example – I’m sure all of us at some point have put something in the basket on a retail site, only to leave and come back to it later to find the 6 inch red stilettos you had in there earlier are still there? Ok, that might not apply to everyone, but that’s the work of cookies! They’re important for the effective running of a website, and we can use them to tailor the service offered to you.
What information do they collect, and why?
The cookies we have on our site collect information on things like which pages you visit, which device you’re on, your IP address, and publicly available information, including details you might have shared through a public platform like Facebook or Twitter or any other platform who have consent to share your data. Then it pops it over to Google Analytics, Adwords, Google Tag Manager, and SharpSpring so they and us can do things like show you targeted ads, banner ads, collect information to monitor the success of campaigns, competitions etc., and trigger automations for us to get in touch with you (if we think you’d be interested in hearing more!). It’s also pretty important for us to effectively run our website, especially when it comes to things like site navigation, market research, and customer service. It sounds like a lot, but all this does is help tailor our communication to you and let us know the kind of stuff you might like to know more about. We may also keep an eye on the data coming through for crime and fraud prevention, detection, and related purposes, or if we have a legal right or duty to disclose your information, but we’re hoping everyone visiting our websites are upstanding gentlefolk who have no nefarious intentions. No data is passed on to third party marketers – it stays between us, our Giant Family (Giant Campus and Pocket Giant), and the lovely software companies above.
So, what are these cookies?
We’re glad you asked! Different cookies do different things in different ways. If you want to find out exactly what, have a look at this page here.
How are cookies managed?
The cookies stored on your computer or other device when you access our websites are designed by:
- Sleeping Giant Media, or on behalf of Sleeping Giant Media;
- Third parties who participate with us in marketing programmes; and
- Third parties who broadcast web banner advertisements on behalf of Sleeping Giant Media.
How do I disable cookies, and what happens if I do?
If all of the above sounds like too much, and you want to browse from the shadows, that’s no problem – but you might need to go to your browser settings to change it from there. You’ll still see ads, but they’ll be less tailored to you, and it’ll stop us from seeing things like if you’ve encountered a problem on our site. From a personal perspective, it also automatically logs you out of things like emails and online accounts, as it doesn’t save the data.
The Easy Way (you’ll have seen this in our Cookie Banner)
Browse in Incognito/InPrivate/Private mode!
- Google Chrome Incognito (CTRL+SHIFT+N)
- Mozilla Firefox in Private Browsing with Tracking Protection (CTRL+SHIFT+P)
- Microsoft Edge in InPrivate browsing – tap the “Settings and more” button in the top-right corner, choose “New InPrivate window.”
- Opera in Private Browsing (CTRL+SHIFT+N)
- Internet Explorer in InPrivate browsing (CTRL+SHIFT+P)
For Google Chrome:
- Choose Settings> Advanced
- Under “Privacy and security,” click “Content settings”.
- Click “Cookies”
Change the settings according to what you’d like from there!
For Microsoft Internet Explorer (probably the first and last time you’ve used them!):
- Click on “Tools”, and then “Internet Options”
- Click on the “privacy” tab
- Go mad, and choose the settings you’d like from there!
For Safari (we’re not judging you…):
- Choose Preferences > Privacy
- Click on “Remove all Website Data”
This will get rid of cookies!
For Mozilla firefox:
- Choose the menu “tools” then “Options”
- Click on the icon “privacy”
- Find the menu “cookie” and pick what you’d like to do from there
- Choose the menu Files”> “Preferences”
It’s all laid out there for you to choose!
So, you’ve come for a visit, but don’t have unlimited data and can’t tether to your other devices. You’ll probably want to borrow some of our internet through our Wifi! Just so you know, this does collect some data from you – including your device, what websites and apps you’ve been on, how much data you’ve used, and where/when/how often you’ve used the Wifi. This helps us keep things secure in our offices, as well as make sure the basics of our internet are working properly. If you’re not a security risk, you shouldn’t have to worry about this, as we will only use the information to build a general report. It’s only if there’s a problem that we will process your data further, and let’s face it if you are a security risk, you might have bigger problems than us collecting your data…
You’ve signed up for our mailing list! You love us after all! We’ve loads of stuff to talk about, but first, let’s explain what information we’ve collected, and how and why we use it.
When you first sign up, we collect your information for things like your name and email address, what you’d like to be signed up for (obviously), your business name, and occasionally your business address. We do that because you’ve asked us to give our wisdom to you – whether you’ve chosen a whitepaper option, to get included in competitions, to get newsletters, to keep up to date with digital marketing, or anything else we provide that you’ve opted into. So we’ll stick to that in terms of contacting you, unless we need to get in touch to get some more information from you or make sure you’re happy and that your details are up to date.
We do use SharpSpring (as mentioned above), which means you might receive some emails from us even if you haven’t signed up, but that will be because you’ve shown an interest in us – we’re not needy, we just want to make sure you know what you’re missing out on… SharpSpring are all above board, but if you want to double check for yourself, check out their own Privacy Notice here. Rest assured, if you want us to stop, you can unsubscribe or just let us know by emailing Nell Sanders (our poor Data Protection Office) at email@example.com. Just put [CONTACT PREFERENCES] in your subject line, let us know what you’d like, and we’ll sort the rest out from there. Ultimately, you won’t be bombarded by emails, and you’ll stop getting them if you don’t show interest, because although we want to keep in touch, we deserve more than the cold shoulder.
Giant Campus Ticket Data
You’ve committed to learning more about Digital Marketing (to be honest, just reading through this notice is giving you a bit more knowledge than anyone thought they needed, right?), and so you’re off on an adventure over to Giant Campus! You’ve bought your tickets, you know the date, you know where you’re going, you’ve got a rough idea of what you’re in for – you’re set. But what about the data we’ve collected to get you on the course? You won’t actually receive a ticket – your name’s on the list – but we have got your data somehow. When you book yourself onto the course, the details you’ve input (name, address, email, phone number) will be stored in our internal system. We’ll get in touch with you if we think you’ll be interested in another course, but like with everything else, we won’t chase you – if you’re not interested you can let us know, and we’ll stop it! And if all else fails, if you’re not getting back to us, we’ll just stop emailing you. We’ll miss you, though.
Sleeping GIant Media will (with your say so) send you funky updates on things like our Digital News Roundup, GIANTtalks, information on our other company’s services, special offers, newsletters, and other fun stuff we’ve already run through with you -when you signed up (and if you haven’t signed up, we’d totally recommend doing it here!). It’s all stuff we think you’ll find relevant, but if you don’t like it, you can always unsubscribe by the emails or contacting us in the email listed below!
We also might send out a banner ad on another website after you’ve visited our website. Sorry, but it’s a part of cookies (see above), and who knows – you might actually want to see our smiling faces everywhere. If not, have a look at our cookies section above for how to not see us!
People who contact us via social media
We use social media management tools to manage our social media interactions. Because these things exist, and they’re awesome. They take a lot of the leg-work out of managing social media! If you want to find out more, get in touch with Giant Campus – they can train you on this! It does mean that these tools and platforms have their own cookies, data that they send us, and data we can access. Have a look at our Cookie matrix to find out more!
We share (and likely get some of) your information with Third Parties. Damn, that sounds bad.
Let’s get it straight – if you’ve opted into getting information from our trusted third parties, we’ll only share the information that’s relevant, and they’ll only contact you for purposes that might serve you well. So, if you’ve said to us “I’d like to learn more about Digital Marketing”, or “I need another agency to build my website”, or “I’m going to one of your events and I want to network” that’s the kind of example that shows you what we mean! We never sell data (terrible practise), and we always hold our Third Parties to the standards of GDPR.
Our Trusted Third Parties include people like our teams in Giant Campus and Pocket Giant, other agencies that we work with that might be able to help you, and – of course – anyone that you want to speak to at our events. Depending on if you say cookies, software, and tools are third parties, we also share data with those, but that’s for the purpose of processing your information, rather than giving them your information for their own purposes! If you’re a client, we also might share your information with financial or credit reference agencies, and any third party that’s needed to perform the contract we hold with you. Other cases may be where we need to share your information could be with governmental bodies, regulators, law enforcement agencies, courts/tribunals and insurers where we need to, comply with our legal obligations or exercise our legal rights or for the prevention, detection, investigation of crime or prosecution of offenders, and for the protection of our employees and customers.
How and why do we use your Data?
There are three main reasons, and a couple of sub-reasons we collect and process your data:
- Consent – you’ve given us a clear “YES!” on what you want from us, and we’ll contact you in line with that!
- Contract – you’ve signed up to work with us (thanks again 🙂 ), and so we need to use your data to actually fulfill that contract. OR you want to work with us, and so we need to get in touch with you to hopefully turn that maybe into a yes. Because ultimately, we want to work with you. It’ll be great.
- Legitimate Interests – This one’s a long one. Here we go….
- If it’s going to cause you minimal impact, if we think you’ll benefit from what we’re offering, or if you’ve been in touch before and fallen off the radar, if processing your data is necessary to serve those interests – then we’ll get in touch. It could be for selling our services to you; protecting our team or you for health, safety and welfare purposes; promoting, marketing, or advertising our services; sending personalised marketing (you lucky things, you); understanding client needs, behaviours, preferences, needs, activities; improving our services; again, for crime and fraud prevention, detection, and related purposes; handling client complaints, queries, disputes etc.; and generally fulfilling our duties to our clients, team, and data subjects! We’re not going to overwhelm you with “LOOK AT THIS KITTEN! SO CUTE!” emails, We will only get in touch if our Legitimate Interests Assessment (fancy GDPR process) lets us – we’re not in the spamming game. And if it’s really not wanted, you can always tell us to stop through the email already stated, or through unsubscribe buttons where applicable! (Phew! Told you that was a long one!)
- Legal obligation – just in case you think we’ll evade the law to protect your data, I’m really sorry, but that’s just not going to happen. If we’re required to process it by law, we’ll do that.
How do we keep your data safe?
We are committed to keeping your data safe! This is through:
- Online and IT security protocols and protection
- Organisational and property security protocols
- A “Privacy by Design” approach to your data
- Regular internal audits
- Internal policies setting out data security
- Training for all our staff on proper process
How can YOU keep your data safe?
It would be nice if there was a lock and key system… Our office would look like the end of Indiana Jones: Raiders of the Lost Ark.
This may not be feasible, but there are some things that you can do to protect your data. Firstly – we don’t take credit card payments, so you can be damn sure if someone contacts you asking for these – it’s not us. Don’t do it. I learned this the hard way when a Nigerian Prince got in touch with me.
Secondly, if we do send an email asking for payment, and it looks a little dodgy, our finance team of two don’t mind answering the phone to client queries. Give us a call and check. This goes for other dodgy looking emails from us – if you’re not sure, just give us a call. We’re the birthday cake with sparklers people; always happy to help.
It goes without saying, but if you’re on a public network out and about, it’s unlikely to be very safe. Don’t submit personal details if you’re not on a trusted network! And in that same vein, you’ll have passwords to access certain information (like on your emails if we’re sending you reports or cool information). Don’t give them out to people, please – it’s just not safe.
After all of this – what are your rights?
(a technical look at the GDPR…)
So you’ve given your details to us at Sleeping Giant Media! You’re in good hands, but you may be wondering what rights YOU have. In regards to all the rights below, you can get in touch with our Data Protection Officer – Nell Sanders – at firstname.lastname@example.org. Pop “[MY DATA – MY RIGHT] in the subject line, let us know what you’d like, and we’ll get back to you as soon as we can and in line with GDPR requirements.
- If you’ve given us consent, you have the right to withdraw it! This seems fairly obvious. You’re not married to us, and even if you were, you’d still have the option to divorce us! If you don’t want us to get in touch any more, just unsubscribe or get in touch with our Data Protection Officer
- You can lodge a complaint with a supervisory authority. We’re a friendly bunch, here, and you can talk to us about anything, but if you’d like to lodge a complaint with a higher power, you can! You can get in touch with the Information Commissioner’s Office. Have a look here for more details: https://ico.org.uk/for-the-public/raising-concerns/
- You’ve got the right to be informed about the collection and use of personal data. This is the Privacy Notice you’re reading at the moment!
- If you want to see the data we have for you, you can ask for it.
- If the data we have on file for you is outdated, incomplete, or just plain wrong, you also have the right to change that too! It may be that you have changed your name to Princess Consuela Banana Hammock – we won’t judge, we will just change it!
- You can ask to be forgotten. It feels like prom all over again, left there to dance alone. But if you want us to forget you, you can ask us to do that – just see this guidance from the ICO: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
- You can ask for us to “restrict processing” of your data. If it’s wrong, if it’s not been processed in line with the GDPR, if you need it for legal reasons (but we don’t need it any more), or if you’ve asked us to stop processing your information altogether – while we consider stopping processing it, you can ask to restrict it. Blimey, that’s a head twister.
- You’ve got the right to ask for your data in a portable way (like through a USB). This applies to when you’ve given us consent to use your data, or when you’re in a contract with us.
- You can ask us to stop! If we’re marketing to you, or if we’re processing your data on the grounds of legitimate interests, you can ask us to just quit doing that.
- You also have rights related to automated decision making and profiling, where serious decisions made by automated processing (all systematic, no human interaction), where you can ask us not to automate any decision making process, and you can ask us for the information we’ve used to make that processing possible.
On very very rare occasions (as in, we haven’t encountered this yet), we may possibly have to share your data outside of the European Economic area (EEA). You should rest easy, though, it’s subject to special rules under GDPR. If we do have to do this, we’ll make sure it’s done in line and compliantly with data protection laws to make sure it is secure. If we ever need to do it, we’ll make sure the standard data protection contract clauses below are signed or at the very least covered by their own data protection terms.
How long do we keep your data?
We hope you’ll be working with us forever, and so we hope we’ll keep your data forever! But that’s not how it works. We’ll not keep your data any longer than is needed under this notice, and the longest we’ll hold onto any personal data after the purpose has been completed is 6 years.
Hello! You might be wondering why you’ve been directed to this page, you might have skipped past this entire thread just to find this part, you might just be reading through the entire privacy notice. It’s fun, right? It’s taken days to write…
As a Client of Sleeping Giant Media, you’ve signed an arrangement with terms and conditions, you’ve given us your data, and we’re hopefully cracking on with what we need to do for you this very moment (although, not if you’re reading this at Midnight on a Saturday. In which case – what are you still doing up?! Get to bed with you! Unless this is a bedtime read? In which case, we totally understand, this isn’t the most riveting piece of content we’ve written…)
Back to the matter at hand. You might be wondering what, where, how, why, when, we use your data. Lucky for you, there’s this whole Privacy Notice and a handy list of things right here for you to read:
Data we collect as a part of a contractual obligation:
In contracting with us, we’ll need some data from you so that we can effectively perform the services for you and your business. This will be confirmed with you in the working arrangement and any emails you’ve received from us, but will include things like:
Life of Lead
Ways we receive this information:
- Directly from you
- From your website
- From one of our team
- From our website
- At an event
- Experian Credit Check
How and why is it processed?
According to your contract, you’ve asked us to do something for you! Whether this is SEO, PPC, Social, Video – we’ll use your information in line with this purpose so that we can actually perform the contract. This is how we will process your data.
Below are the ways in which we could process this data as per your contract.
Direct Contact – Email
Direct Contact – Telephone
Direct Contact – Meeting
Internal Strategy Development
Search Engine Optimisation
Where is it stored?
Now that we’ve got your information, where is it stored? Again, depending on what we’re doing for you, this could be in:
Mobile Storage Devices
Other Cloud Storage
Digital Marketing Tools
Where and how do we send this information?
We’ve already covered that we’ll never sell your details, but we may share your details with other Third Parties (see “Third Parties” below). In terms of processing your information, though, in addition to the above, this is how and where else your data could be sent:
Instant Messaging Services
Project Management Systems
You have a lot of rights as a data subject, so if you want to find out more, just have a look at our section – “After all of this – what are your rights?”.
Current Giants, Former Giants, and Potential Giants
(Staff, former staff, and recruitment)
Sleeping Giant Media work with external parties (LinkedIn, KentJobs.co.uk, and JobsinKent.com) to collect details from applicants, that they then send to us. We’re the controller for the information, so if you want to chat about how we use the information, just let us know!
What do we do with your information?
To start with, we take the information you’ve given us, and process your application! We only ask for the information that’s needed to see who you are and whether you’d be right for the company. You don’t have to give us the information if you don’t want to, but it may affect your application. We use your CV to assess whether you should be invited to a phone interview, your data to contact you if you’re successful to that phone interview, and then further process your details if you’re successful in getting a place on our recruitment day! Simple steps, there! We’ll then be in touch to let you know if you’re successful or not. We do keep CVs on file to refer back to – either for quality management or future positions, but data is kept for a maximum of 6 years. So basically, we’ll use your data to progress your application or to fulfil legal/regulatory requirements. Nothing much to it.
We don’t share this data with third parties for marketing, nor do we send it out of the EEA (you can breathe a sigh of relief), and it’ll stay in our hands (unless we think you’d be good for a role in one of our other Giant Things businesses – Giant Campus or Pocket Giant – but we’ll ask you if this is ok first!).
If you get through the phone interview round, you’ll be invited to a recruitment day! Here we set up named folders to which only you and the recruitment team will have access. In here, there’ll be a personality test, role specific tests, tasks, and eventually your presentation (that you’ve created). Any notes made by you or by us will only be kept by those involved in your recruitment, and won’t be farmed out to anyone else.
Congratulations! You’ve been offered a role as a Giant! What now? You’ll be asked for a lot of information from us (sorry, but it’s necessary), so that we can make sure you’re entitled to work in the country, that you’re entitled to work with us, that we can pay you, that you’ve not hidden some severe “I definitely shouldn’t have been offered the job” red flags, who to get in touch with if there’s an emergency (we advise against chopping off your finger at work, but you know… just in case…), and other bits of information needed to offer you the job. So, all in all, this would be:
- Proof of identity (original documents, please!)
- Referee information
- Bank details (so we can pay you for doing your job)
- Emergency contact details (for emergencies…)
- Next of Kin details
- National Insurance Number
- P45 (or we’ll get you to sign a “New Starter” form)
- Full Name, Address, Date of Birth
How we make decisions about recruitment?
We tally up your scores from the day (based on finite test results and subjective interview scores), we ask a select group of Giants for feedback (just in case they saw you steal a laptop or something. Could be less severe, don’t get me wrong, but that would be a definite no!), and we gather up all available information before the Associate Research and Development Director makes a final decision. Whether you get the role or not, we won’t leave you guessing – we’ll get in touch to let you know.
If you want to find out more about applications (whether it’s your specific one, or just in general), email email@example.com
Current and Former Giants
All of the information (as under “Potential Giants”) and anything further that we acquire in your time here will be kept on file after you leave, but for no longer than 6 years after the information is no longer required. The additional data can include (but let’s face it, definitely isn’t limited to) things like:
- Holiday Use
- Sick time
- Involvement in any Human Resource related situations
- Records of work
- Personal information that may have been discussed in the workplace
- Information on health
Changes to this Privacy Notice
We’ve reviewed this Privacy Notice in May 2018 (GDPR!), but we will amend it from time to time according to legislation changes, changes in branding, changes in policy, or anything else that may need us to review it at least once a year.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise).
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation:
Tel.: ____________; fax: __________________; e-mail: __________________
Other information needed to identify the organisation
(the data exporter)
Name of the data importing organisation:
Tel.: ________________; e-mail:__________________
Other information needed to identify the organisation:
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of “personal data” is expanded to include those data” are added.]
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC” are deleted.]
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law‘ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “within the meaning of Directive 95/46/EC” are deleted.]
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
[Populated with details of, and deemed signed on behalf of, the data exporter:]
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
On behalf of the data importer:
[Populated with details of, and deemed signed on behalf of, the data importer:]
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
Want to know more?
Reach out and say hello. Come experience the GIANT side.