GDPR DPA
Levi, Ray and Shoup Inc. (“LRS”)
Terms and Conditions governing the processing of personal data (“Terms”)
In the event LRS acts as a data processor when providing software support and maintenance services and/or other services (collectively “Services”) to your company (“you”), LRS shall comply with these Terms. By submitting Personal Data to LRS, you agree to these Terms on behalf of your company. The term “Personal Data” shall have the meaning given in the EU General Data Protection Regulation 2016/679/EC (“GDPR”).
1. In the context of Services, you may provide LRS with certain information or documents (e.g. logfiles, print files, data dumps, traces) and/or, in the context of online services, you may store data with LRS that may contain Personal Data. Typically, but depending upon the content of the information or document, the categories of Personal Data you provide to LRS may include: name, user ID, e-mail address of your employees, or of employees of your customers or suppliers.
2. LRS shall process the Personal Data shared by you only on your behalf and in accordance with your documented instructions which the parties agree are set forth in their contractual terms pertaining to the Service that you are using in order for LRS to fulfil its obligation to you, in accordance with the use of online services, or in any other documented instructions you may give to us. LRS shall inform you immediately if it considers that an instruction violates the GDPR.
3. LRS shall not, without your prior consent, transfer or store your Personal Data outside the EEA except to countries with an adequate level of data protection, or organisations certified under an European Commission adequacy scheme, or pursuant to European Commission Standard Contractual Clauses.
4. LRS shall restrict access to your Personal Data to LRS employees or personnel who have a specific need to access such Personal Data and impose a confidentiality obligation on them.
5. You hereby generally authorise the engagement of and the disclosure of information and documents to Compart AG (Germany) and its affiliates, Crawford Technologies Inc. (USA), Microsoft Corp (USA), Ionos AG (Germany), ServiceNow Inc (USA), IBM Corp (USA), TD Synnex Corp (USA) and/or other processors if LRS reasonably determines, based on its analysis, that the assistance by another processor is required to solve a support and/or maintenance issue or if such processor is utilized for online storage of your data.
6. When LRS engages another processor, the same data protection obligations as set out in these Terms shall be imposed on that processor. LRS shall inform you of any intended changes (additions or replacements) to those processors listed above. You may object to changes within one week. Where an LRS processor fails to fulfil its data protection obligations hereunder, LRS shall remain liable to you for the performance of the other processor’s obligations.
7. LRS shall implement and maintain technical and organizational security measures to safeguard your Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized access, disclosure, and all other unlawful forms of processing. The details are set out in our GDPR EU Privacy Policy at www.lrs.com/EUprivacy.
8. LRS shall without undue delay notify you of:
a. any security breach that affects your Personal Data and assist with subsequent investigation, mitigation and remediation;
b. any data subject access request received from an individual regarding your Personal Data prior to responding to that request; and
c. any legally binding request for disclosure of your Personal Data by a regulatory or enforcement authority unless such notification to you is expressly prohibited under the relevant regulations.
9. LRS shall make available to you all information necessary to demonstrate compliance with the obligations laid down by law and allow for and contribute to audits, including inspections. At your cost, audits may be conducted by you or an auditor mandated by you if such auditor is not a competitor of LRS and if the auditor is subject to a confidentiality obligation with LRS. You shall inform LRS in writing at least 4 weeks before the proposed audit unless mandatory data protection laws or a competent data protection authority requires shorter notice. Audits shall take place during LRS business hours.
10. LRS shall, after the end of the provision of the Service, delete Personal Data or copies thereof stored on internal LRS systems or at your choice return the Personal Data to you. Deletion of Personal Data stored via online services is your responsibility although LRS will provide assistance and advice if requested.
11. LRS shall assist you in complying with the obligations concerning data protection impact assessments and prior consultations as it pertains to our responsibilities to you under these Terms.
12. LRS may claim compensation for assistance provided to you based upon or in connection with these Terms that is unreasonable or that is not attributable to failures of LRS.
13. The Terms shall be governed by (i) the laws applicable to the agreement between LRS and you in relation to which LRS provided Services; or (ii) in the absence of a direct license agreement between you and LRS, by the laws of England and Wales.