GDPR Data Processing Agreement
Levy, Ray and Shoup Inc. (“LRS”)
Terms and Conditions governing the processing of personal data (“Terms”)
In the event LRS acts as a data processor when providing software support and maintenance services to your company (“you”), LRS shall comply with these Terms.
By submitting Personal Data to LRS, you agree to these Terms on behalf of your company.
If you and LRS enter into a data processing agreement under the General Data Protection Regulation (“GDPR”) either before or after accepting these Terms, such data processing agreement (and not these Terms) shall apply exclusively between you and LRS.
1. In the context of support and maintenance services, you may provide LRS with certain information or documents (e.g. logfiles, print files, data dumps, traces) that may contain personal data (“Personal Data”). Typically, but depending upon the content of the information or document, the categories of Personal Data you provide to LRS may include: name, user ID, e-mail address of your employees, or of employees of your customers or suppliers.
2. LRS shall process the Personal Data shared by you only on behalf of and in accordance with your documented instructions which the parties agree are set forth in their contractual terms pertaining to support and maintenance of the LRS software that you are using in order for LRS to fulfil its support and maintenance obligation to you or in any other documented instructions you may give to us. LRS shall inform you immediately if it considers that an instruction violates the GDPR.
3. LRS shall not, without your prior consent, transfer your Personal Data outside the EEA except to countries or organisations with an adequate level of data protection, such as Canada, USA and Switzerland (in the latter two cases in compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework or replacement adequacy scheme).
4. LRS shall restrict access to your Personal Data to such of LRS employees or personnel who have a specific need to access such Personal Data and impose a confidentiality obligation on them.
5. You hereby generally authorise the engagement of and the disclosure of information and documents to Compart AG (Germany) and its affiliates, Crawford Technologies Inc. (USA) or other processors if LRS reasonably determines, based on its analysis, that the assistance by another processor is required to solve a support and/or maintenance issue. This section prevails over any other agreement between the parties, except the parties have entered into a data processing agreement pursuant to the section above section 1.
6. When LRS engages another processor, the same data protection obligations as set out in these Terms shall be imposed on that processor. LRS shall inform you of any intended changes (additions or replacements) of processors other than Compart or Crawford to process the data. You may object to changes within one week. Where a processor LRS uses fails to fulfil its data protection obligations, LRS shall remain liable to you for the performance of the other processor’s obligations.
8. LRS shall without undue delay notify you of:
a. Any security breach that affects this Personal Data and assist with subsequent investigation, mitigation and remediation.
b. Any data subject access request received from an individual regarding this Personal Data prior to responding to that request.
c. Any legally binding request for disclosure of this Personal Data by a regulatory or enforcement authority unless such notification to you is expressly prohibited under the relevant regulations.
9. LRS shall make available to you all information necessary to demonstrate compliance with the obligations laid down by law and allow for and contribute to audits and inspections. At your cost, audits may be conducted by you or an auditor mandated by you if such auditor is not a competitor of LRS and if the auditor is subject to a confidentiality obligation with LRS. You shall inform LRS in writing at least 2 weeks before the proposed audit. Audits shall take place during the LRS business hours.
10. LRS shall delete Personal Data or copies thereof when the relevant support incident is finally resolved (but in any case, not later than after the end of the obligation to provide support and maintenance services) or at your choice return the Personal Data to you.
11. LRS shall assist you in complying with the obligations concerning data protection impact assessments and prior consultations as it pertains to our responsibilities to you under these Terms.
12. LRS may claim compensation for assistance provided to you based upon or in connection with these Terms that is unreasonable or that is not attributable to failures of LRS.
13. The Terms shall be governed by (i) the laws applicable to the software license agreement between LRS and you in relation to which LRS provided support and maintenance services; or (ii) in the absence of a direct license agreement between you and LRS, by the laws of England and Wales.