IDcentral - A Division of Subex

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of the Terms under which IDcentral makes available the Services to You (the “Controller”).

1. BACKGROUND

1.1 This DPA shall only apply if and to the extent Content uploaded to the Services contains any personal data within the meaning of Applicable Legislation. The Controller is aware that the Services are cloud based. Hence, personal data is only stored and processed by IDcentral if and to the extent the Controller, submits personal data to the Services.

1.2 The Controller acknowledge that IDcentral will not be able to control what Content the Controller uploads to the Services the Controller is responsible for any Personally Identifiable Information (PII) in the Content and compliance with Applicable Laws. The Controller is also required to inform IDcentral of the existence of personal data (including any special categories of personal data) within Content, in the Subscription Form or by notice to IDcentral.

1.3 The Controller is the data controller in relation to the processing of the personal data. IDcentral is a data processor, processing the personal data on behalf of the Controller.

2. DEFINITIONS

2.1 “Applicable Legislation” means (i) the General Data Protection Regulation, (EU) 2016/679, as amended or supplemented from time to time (the “GDPR”); and (ii) any applicable supplementary legislation to the GDPR.

2.2 “Data” means any personal data (as defined in Applicable Legislation) contained in Content uploaded by the Controller, or any user under a Project, to the Services.

2.3 “Personally Identifiable Information” or “PII” means information in any format about an identifiable individual, including, name, address, phone number, e-mail address, account number(s), identification number(s), any other actual or assigned attribute associated with or identifiable to an individual and any information that when used separately or in combination with other information could identify an individual.

3. INSTRUCTIONS AND DETAILS OF THE PROCESSING

3.1 Parties agree that this DPA is the Controller’s complete and final instructions to IDcentral in relation to processing of Data.

3.2 IDcentral disclaims all liability for any PII that is uploaded into the Content without the compliance of Applicable laws.

3.3 Any additional instructions by the Controller must be in writing and may be subject to additional fees payable by the Controller to IDcentral for carrying out such instructions. The Controller is entitled to terminate the Terms in accordance with of the Terms if IDcentral declines to follow instructions requested by the Controller.

3.4 In the event that IDcentral considers that any additional instruction violates Applicable Legislation, IDcentral shall refrain from acting on such instructions and shall promptly notify the Controller Thereof and await amended instructions.

4. DETAILS OF THE PROCESSING OF DATA

4.1 Purpose of the processing. The purpose of the processing is to provide the Services in accordance with the Terms.

4.2 Nature of the processing. Hosting, storage and provision of the Services and technical support.

4.3 Duration of the processing. During the term set out in the Subscription Form, unless otherwise instructed by the Controller.

4.4 Type of personal data. Any Data that the Controller includes in Content (i.e. in the form of data sets).

4.5 Categories of data subjects. Any categories of data subjects that the Controller includes in Content.

4.6 IDcentral shall not process the Data for any other purposes or in any other way than as instructed by the Controller in writing.

5. THE CONTROLLER’S OBLIGATION TO PROCESS DATA LAWFULLY

5.1 The Controller shall obtain explicit and legally valid consents from each data subject for the processing of the Data or ensure that another legal ground recognized under Applicable Legislation applies for processing of the Data. The Controller shall further meet all other obligations of a controller under Applicable Legislation (including requirements to properly inform the data subjects of the processing of the Data).

6. SECURITY MEASURES

6.1 The Services are subject to security measures in line with industry practice and IDcentral will take reasonable steps and precautions against security breaches.

6.2 IDcentral has implemented and will maintain appropriate technical and organizational measures to protect the Data. The security measures shall ensure that the Data is protected against destruction, modification and proliferation. IDcentral shall further ensure that each system, in which Data is processed, is protected against unauthorized access and that access events are logged and traceable.

6.3 IDcentral shall ensure (a) that only authorized employees who need access to the Data in order for IDcentral to provide the processing services under this DPA have access to the Data, (b) that the authorized employees process the Data only in accordance with this DPA and the Controller’s instructions and (c) that each authorized employee is bound by a confidentiality undertaking towards IDcentral in relation to the Data.

6.4 If IDcentral becomes aware of a personal data breach, IDcentral will notify the Controller without undue delay and will take reasonable steps to mitigate the effects of the personal data breach. Furthermore, taking into account the nature of processing and the information available to IDcentral, IDcentral will assist the Controller in ensuring compliance with the Controller’s obligations to (a) document any personal data breach, (b) notify the applicable supervisory authority of any personal data breach and (c) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation. Any assistance provided by IDcentral under this Section 6.4 shall be at the sole cost of the Controller.

7. IDCENTRAL’S OBLIGATIONS TO ASSIST

7.1 Taking into account the nature of the processing, IDcentral shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. The Controller acknowledges that, given that the Data is uploaded to the Services in complete data sets, it is not technically possible for IDcentral to erase, correct or restrict the processing of specific pieces of Data in a data set. If a data subject requests that the Controller erases, corrects or restricts the processing of specific pieces of Data in a data set, the Controller must erase the data set from the Services and upload a new data set excluding the relevant pieces of Data. Any assistance provided by IDcentral under this Section 7.1 shall be at the sole cost of the Controller.

7.2 If a data subject, supervisory authority or any third-party requests information from IDcentral regarding the processing of Data, IDcentral will refer such request to the Controller and await further instructions from the Controller. IDcentral may not represent, or act on behalf of, the Controller in relation to any data subjects, supervisory authority or third party.

7.3 Taking into account the nature of processing and the information available to IDcentral, IDcentral shall further assist the Controller in relation to the Controller’s obligations to ensure security of the processing, carry out impact assessments regarding data protection and participate in prior consultations. Any assistance provided by IDcentral under this Section shall be at the sole cost of the Controller.

8. SUB-PROCESSORS

8.1 IDcentral may engage third parties to process Data or any part thereof on its behalf (“Sub-Processor”). In such event IDcentral, will provide details of its sub-processors on its website.

9. TRANSFERS TO THIRD COUNTRIES

9.1 The Processor may transfer Data outside the EU/EEA. If IDcentral transfers Data outside the EU/EEA, or engages a Sub-Processor to process Data outside of the EU/EEA, IDcentral shall ensure that at least one of the following prerequisites is fulfilled:
a) the receiving country has an adequate level of protection of personal data as decided by the European Commission,
b) the transfer is subject to the European Commission’s standard contractual clauses for transfer of personal data to third countries, or

9.2 In the event of a transfer of Data outside the EU/EEA initiated by IDcentral, IDcentral shall demonstrate that a valid legal ground applies to the transfer.

10. AUDIT

10.1 Any information provided or made available by IDcentral to the Controller under this Agreement is deemed Confidential Information and may not be disclosed by the Controller, unless IDcentral has approved such disclosure in writing.

10.2 Upon the Controller’s request, IDcentral will make available to the Controller all information necessary to demonstrate its compliance with the obligations laid in this DPA.

10.3 The Controller shall, with at least 20 days’ written notice, be entitled to carry out an audit of IDcentral’ s processing of Data, if the Controller has reason to believe that IDcentral fails to comply with this DPA. IDcentral undertakes to assist the Controller and disclose all information necessary for the Controller to carry out such an audit. Any on-site audit shall be performed by an independent third party agreed between the parties and be subject to the confidentiality and security restrictions as deemed necessary by IDcentral. The Controller shall carry all costs for an audit.

11. RETURN AND DELETION OF DATA

11.1 You may retrieve Data from the Services up until the termination or expiration. IDcentral will delete any and all Data from the Services no later than 90 days after the termination Date.

12. TERM

12.1 This DPA shall, notwithstanding the term of the Subscription Form, enter into effect when IDcentral commences to process Data on behalf of the Controller and shall terminate when the Controller has retrieved Data and/or IDcentral has erased Data in accordance with Section 11 above.

The-Regulatory-Landscape-of-Digital-Lending-in-India-What-Needs-to-Change_1