DATA PROCESSING ADDENDUM TO GENERAL TERMS AND CONDITIONS
In the course of providing Services to Client, Pegasus will Process Personal Data on behalf of Client or its Affiliates in the capacity of Processor. Controllers or Processors that Process Personal Data regarding residents of the European Economic Area (“EEA”) are required to comply with the requirements of the Regulation and must include terms required by the Regulation in their agreements with Processors. This Data Processing Addendum (“DPA”) is part of and incorporated into the General Terms and Services and forms part of the Agreement between Client and/or its Affiliates and Pegasus. “Party” means Client or Pegasus and “Parties” means Client and Pegasus, collectively. Capitalized terms used but undefined in this DPA have the meanings ascribed to them in the T&Cs.
- Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing have the meaning given to them by the Regulation (and Process(ed) shall be construed accordingly).
- Member State means any member state of the European Economic Area (EEA).
- Regulation means the General Data Protection Regulation (Regulation (EU) 2016/679).
- Services describes the services provided to Client (and/or, as applicable, Client’s Affiliates) by Pegasus under the Agreement.
- Sub-processor means any Processor engaged by Pegasus in relation to the provision of the Services.
3. RELATIONSHIP OF THE PARTIES
With regard to Processing of the Personal Data, Client is Controller and Pegasus is Processor. Accordingly, Client appoints Pegasus as a Processor to Process the Personal Data as it relates to the obligations set forth in the Agreement. Additionally, each Party shall comply with the obligations that apply to it (as Controller in the case of Client and Processor in the case of Pegasus) under the Regulation.
4. PURPOSE LIMITATION
Pegasus will process Personal Data as a Processor to the fullest extent necessary to perform its obligations under the Agreement and where otherwise required by any law (including non-Member State law) applicable to Pegasus.
5. RIGHTS OF DATA SUBJECTS
- Subject to Section 5(b) of this DPA, Pegasus shall provide reasonable assistance to Client in complying with requests received by Client from any Data Subject to exercise their rights under Chapter III of the Regulation.
- Pegasus and Customer, through good faith consultation and mutual agreement, will agree to a procedure whereby Client will reimburse Pegasus for reasonable internal and external costs incurred in complying with requests made by Customer pursuant to Section 5(a) of this DPA if, in Pegasus’s reasonable opinion, the corresponding underlying request made by Data Subject, exceeds the scope of rights granted to such party under Regulation or if compliance with Client’s request under Section 5(a) will excessively burden Pegasus’s operations or impair its ability to carry out ordinary course of business.
- Nothing in this Section 5 shall require Pegasus to delete Personal Data held electronically in archive or back-up systems in accordance with general systems archiving or backup policies or to return or destroy Personal Data to the extent Pegasus is required to retain a copy pursuant to law applicable to Pegasus.
6. INTERNATIONAL TRANSFERS
Pegasus’s transfer of Personal Data outside of the EEA will be compliant with Chapter V of the Regulation.
Pegasus may, at its sole discretion, allow any Sub-processor to Process Personal Data received in the course of the Services. Pegasus will be liable for the acts and omissions of its Sub-processors to the same extent Pegasus would be liable if performing the Services of each Sub-processor directly under the terms of this DPA. Where any Sub-processor is located outside the EEA, Pegasus shall, in addition to the above, ensure that Processing activity of such Sub-Processor complies with the requirements of Chapter V of the Regulation.
8. CONFIDENTIALITY OF PROCESSING
Pegasus will ensure its personnel who are authorized to Process Personal Data are informed of the confidential nature of the Personal Data and are subject to contractual or appropriate statutory obligations of confidentiality.
- The processor shall implement appropriate technical and organizational measures to protect Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to Personal Data (a "Security Incident").
- Pegasus will notify Client within 72 hours after becoming aware of any Security Incident which affects Personal Data and provide all reasonable assistance in order for Client to fulfill its data breach reporting obligations under the Regulation.
10. COMPLIANCE WITH ARTICLE 17 OF REGULATION
Upon termination or expiry of the Agreement, Pegasus shall ensure all Personal Data (including all copies thereof) in its possession complies with Article 17 of Regulation. Without limiting the generality of the exemptions set forth in Regulation, the requirement in this Section 9 of this DPA shall not apply to the extent Pegasus is required to retain some or all of the Personal Data under law applicable to Pegasus, in which event Pegasus will isolate and protect Personal Data from any further processing except to the extent required by such law.
Pegasus agrees to make available to Client all information necessary to demonstrate compliance with the obligations under Article 28 of the Regulation. The scope, nature, and timeline for providing the requisite information shall be mutually agreed to by Pegasus and Client.
Except as and to the extent expressly modified by this DPA, all other terms and conditions of the Agreement remain in full force and effect and unchanged. In the event the terms of this DPA conflict with the terms of the Agreement regarding Processing of Personal Data, the terms of this DPA shall control.