LAST UPDATED: May 9, 2018
This Personal Information Processing Agreement (“PIPA”) is entered into by Suited Inc. (“Suited”) and the enterprise customer identified on the applicable agreement for Suited services (“Customer”), and governs the processing of personal data that is subject to the GDPR (defined below) that Customer uploads or otherwise provides to Suited pursuant to the applicable services agreement.
This PIPA is incorporated into the applicable services agreement between Suited and Customer. Collectively, this PIPA, the services agreement between Suited and Customer as well as any other terms, policies, or agreements incorporated therein, and any applicable ordering document between Suited and Customer, shall be referred to as the “Agreement.” In the event of any conflict or inconsistency between this PIPA and any other term of the Agreement, this PIPA governs.
- “Customer Personal Information” means Personal Information that (i) Customer uploads or otherwise provides to Suited in connection with the Agreement or for which Customer is otherwise a data controller, and (ii) is subject to the GDPR.
- “Data Subject” means an individual who is the subject of Personal Information.
- “GDPR” means the General Data Protection Regulation (EU Regulation 2016/679) or any amending or superseding legislation.
- “Personal Information” means information about an individual that (a) either by itself or when combined with information from other available sources allows that individual to be identified, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information.
- “Privacy and Data Protection Requirements” means all applicable laws, regulations, and other legal requirements relating to the processing, protection, or privacy of the Personal Information.
- “Processing, processes, or process” means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
- “Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it.
- “Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the GDPR.
2. Nature of Personal Information and Data Processing
- Each party agrees to process Personal Information received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Information processed, the duration of processing, and the categories of Data Subjects subject to this PIPA are described in Schedule A hereto.
3. Customer Obligation
- Customer retains control of Customer Personal Information that it uploads or otherwise provides to Suited in connection with the Agreement and remains responsible for the processing instructions it gives to Suited.
- Customer agrees to comply with all of its obligations under the applicable Privacy and Data Protection Requirements, including by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Information is processed on behalf of Customer; (b) providing any required notices, obtaining any required consents, processing only data that has been lawfully and validly collected, and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this PIPA by its employees or by any third-party accessing or using Personal Information on its behalf.
4. Suited Obligations
- Suited will only process Customer Personal Information to the extent, and in such a manner, as is necessary to provide services pursuant to the Agreement and in accordance with the Customer’s instructions. Suited will not process Customer Personal Information for any other purpose or in a way that does not comply with this PIPA or the Privacy and Data Protection Requirements. Suited will notify Customer if, in Suited’s opinion, Customer’s instruction would not comply with the Privacy and Data Protection Requirements. If applicable EU or EU Member State law requires Suited to use or disclose Customer Personal Information for any purpose other than as set out in the Agreement or this PIPA, Suited will, where legally permitted, inform Customer as early as possible before such use or disclosure.
- Suited will promptly comply with any Customer request or instruction requiring Suited to amend, transfer, or delete Customer Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
- If Suited is collecting Personal Information from Data Subjects on behalf of Customer, Suited will follow Customer’s instructions regarding the method of collection, including with regard to the provision of notice to the Data Subjects and exercise of choice by the Data Subjects.
- Suited will take commercially reasonable steps to ensure that its employees who are involved in the processing of Customer Personal Information: (a) are informed of the Personal Information's confidential nature and use restrictions; and (b) are aware of and have committed themselves to Suited’s and their personal obligations under the Privacy and Data Protection Requirements and this PIPA.
- Suited will use reasonable efforts to assist Customer in any steps required, in relation to the Customer Personal Information processed by Suited, to comply with Customer’s obligations under the following provisions of the GDPR: (a) the rights of Data Subjects under Chapter III; (b) Article 32 (Security of Processing); (c) Article 33 (Notification of a Personal Information breach to the Supervisory Authority); (d) Article 34 (Communication of a Personal Information breach to the Data Subject), although the parties acknowledge that a sub-processor shall only be required to communicate with Suited regarding such data breaches; (e) Article 35 (Data protection impact assessment); and (f) Article 36 (Prior consultation).
- Customer acknowledges that Suited may engage further processors (sub-processors) to help satisfy certain of Suited’s obligations in relation to Customer Personal Information and in accordance with this PIPA, and Customer consents to each of the sub-processors identified on the up-to-date list of Suited sub-processors maintained by Suited and available at www.wellsuited.com/sub-processors.
- Exclusive of the list of sub-processors referenced in the prior paragraph, Suited will not engage a sub-processor or otherwise subcontract its obligations in relation to Customer Personal Information without providing to Customer notice and an opportunity to object.
- In the case of any sub-processor engaged by Suited, Suited will: (i) ensure such sub-processors are bound, by written contract or other legal undertaking, to provide the same level of data protection and information security as that provided for in this PIPA; (ii) remain liable to Customer for the sub-processor’s acts and omissions with regard to privacy and protection of Customer Personal Information where such sub-processors fail to fulfill their data protection obligations; and (iii) provide Customer with all necessary information regarding Suited’s contracts with sub-processors upon request.
- Suited will at all times implement appropriate technical and organizational measures designed to safeguard Customer Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental destruction or loss, damage, theft, alteration, or disclosure.
- Suited will take reasonable precautions to preserve the integrity of Customer Personal Information it processes and to prevent any corruption or loss of Customer Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
- Suited will promptly notify the Customer if any Customer Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. Suited will use commercially reasonable means to restore such Customer Personal Information at its own expense.
- Suited will notify Customer of, and provide reasonable details concerning, any unauthorized or unlawful processing of Customer Personal Information or of any Security Breach without undue delay. Thereafter, Suited will provide reasonable assistance to Customer to investigate and respond to the unauthorized or unlawful Customer Personal Information processing or Security Breach. Suited will not inform any third party of any Security Breach without first obtaining Customer’s prior written consent, except when law or regulation requires it.
7. Complaints, Data Subject Requests, and Third Party Rights
- Suited will notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to Customer Personal Information processing or to either party’s compliance with the Privacy and Data Protection Requirements.
- Suited will notify Customer if it receives a request from a Data Subject for access to their Personal Information.
- Suited will give Customer its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request.
8. Data Return and Destruction
- Upon the termination of the Agreement or upon Customer’s request, Suited will, at the choice of Customer, return all Customer Personal Information and copies of such data to Customer or securely destroy them and demonstrate to the satisfaction of Customer that it has taken such measures.
9. Records and Audits
- Suited will keep records regarding any processing of Customer Personal Information sufficient to enable Customer to verify Suited’s compliance with its obligations under this PIPA.
- Upon Customer’s request (not to exceed one request per year), and upon at least ten business days’ notice, Suited will permit Customer or its authorized representatives reasonable access (subject to such steps as are necessary to preserve the confidentiality and/or prevent the unauthorized processing of other material held by Suited) to Suited’s premises and systems, or any place in which Suited processes Customer Personal Information, to audit Suited’s compliance with its PIPA obligations.
- If a Supervisory Authority requires an audit of the data processing facilities from which Suited processes Customer Personal Information in order to ascertain or monitor Customer’s compliance with Privacy and Data Protection Requirements, Suited will cooperate with such audit. Customer is responsible for all costs and fees related to such audit.
10. Cross-Border Data Transfers
- Suited will not transfer Customer Personal Information to any country outside the European Union and/or the United States except in accordance with the provisions of Privacy Shield or where the transfer complies with Chapter V of the GDPR.
11. Privacy Shield
- Suited will, during the Term of the Agreement, and for so long as it retains any Customer Personal Information: (a) use reasonable efforts to maintain its membership of the EU-US Privacy Shield Program; (b) notify the Customer if Suited’s membership of such program ceases for any reason, in which case each party will discuss in good faith alternative methods under which the Customer will remain compliant with Chapter V of the GDPR.
- This PIPA shall remain in effect as long as either party carries out Personal Information processing operations pursuant to the Agreement or until the termination of the Agreement (and all Personal Information has been returned or deleted in accordance with Section 7 above).