Data Processor Terms and GDPR
Terms defined in the Agreement shall have the same meaning as in these terms. Further, for the purposes of these data protection terms the following terms shall have the following meanings:
- “Agreement” Rewind Subscription Agreement as set out at rewind.com/legal/terms-of-service
- “Controller” shall mean the party that determines the purposes and means of the Processing of Personal Data.
- “GDPR” mean the General Data Protection Regulation, also know n as regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”) where Customer is the Controller; an identifiable natural person is a person who can be identified, directly or indirectly with the use of additional information, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Rewind.
- “Processing” or “Process” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” shall have the meaning given to in the GDPR.
2. Scope of Processing of Personal Data
2.1. In connection with the fulfilment of its obligations under the Agreement Rewind will Process Personal Data on behalf of the Customer who has the ownership of the Personal Data solely for the purposes set out in the Agreement, being:
- The creation of copies of Customer Content for back-up Purposes; and
- Enabling Customer to restore such copies of such Customer Content at Customer’s discretion.
2.2. Rewind shall not use the Personal Data for its own purposes or any other purposes than those explicitly mentioned in above, to the extent the same are directly necessary for the fulfilment of the Agreement.
3. General Obligations of the Customer
3.1. The Customer shall comply with GDPR.
3.2. The Customer shall provide Rewind with necessary written instructions in respect of Processing of Personal Data and be liable for that such instructions are in compliance with GDPR.
3.3. The Customer is responsible for the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights as well as for necessary notifications to the supervisory authority and/or Data Subjects in case of Personal Data Breach.
4. General Obligations of Rewind
4.1. Rewind shall act solely as the Processor of the Personal Information.
4.2. In addition to these data protection terms Rewind shall also abide by any written instructions in respect of Processing of Personal Data given by the Customer from time to time, provided that such instructions do not create any additional obligations on Rewind.
4.3. Rewind shall, at Customer’s cost and taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subjects’ rights laid down in Chapter III of the Regulation, e.g. by promptly providing the Customer with any such information. For the sake of clarity, Rewind shall not directly respond to Data Subjects, unless the Customer specifically so requests in writing.
4.4 Rewind shall, at the choice of the Customer, delete or return all the Personal Data to the Customer, or to a third party assigned by the Customer, after the end of the provision of services related to the Processing, and delete existing copies unless the GDPR require storage of the Personal Data. The return of Personal Data shall include, at a minimum and at no additional costs to the Customer, any data conversion necessary to provide the Customer with its Personal Data in the format in which such information was originally provided to Rewind by the Customer. Rewind shall, at its own initiative and accord, inquire from the Customer whether Rewind shall delete or return the Personal Data no later than within 30 days after the end of the performance of those obligations under the Agreement that involve Processing.
4.5 Rewind shall maintain a written record of all categories of processing activities carried out on behalf of the Customer, containing the matters listed in the Article 30 of the Regulation. Rewind shall keep the records available for the Customer on request.
4.6 Rewind shall promptly notify the Customer of any queries from the data protection authority or any other law enforcement or regulatory authority.
4.7 Rewind shall maintain data within a data centre located in the EEA for Shopify and BigCommerce users. Quickbooks user data will be hosted in either Canada or the United States based on the user’s location and/or preference.
5. Security of Personal Data and Personal Data Breach
5.1. Rewind shall implement and at all times maintain appropriate, and in any event at least such as are in accordance with good industry practice, technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services, in particular the protection of the Personal Data against Personal Data Breach.
5.2. In case of a Personal Data Breach, Rewind shall without delay, notify the Personal Data Breach in writing to the Customer. The notification shall contain all relevant information regarding the Personal Data Breach, and at least a) a description of the nature of Personal Data Breach, including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned, b) a description of the likely consequences of the Personal Data Breach and c) a description of the measures taken or proposed to be taken by Rewind to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.3. Rewind shall document any and all Personal Data Breaches, comprising the facts relating to the Personal Data Breach, its effects and the remedial action taken by Rewind. This documentation must enable the Customer to review Rewind’s compliance with the Regulation in respect of Personal Data Breaches.
5.4. To the extent the GDPR require that a Data Subject or the authority be notified in the event of the Personal Data Breach, Rewind undertakes to reasonably assist the Customer in complying with such requirement.
6. Right to Audit
6.1. Rewind shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in these data protection terms and GDPR.
6.2. The Customer, or a third party auditor appointed by the Customer, shall be entitled to audit and inspect Rewind’s level of protection of Personal Data and Rewind’s compliance with these Data Protection terms and the Regulation. Rewind shall, at Customer’s cost, co-operate with the auditors performing the audit to ensure that the auditors are able to form a correct view of Rewind’s aforesaid compliance.
7. Subject to terms of the Agreement
Where these terms apply, they shall form an annex to and be subject to the terms of the Agreement. In the event of conflict between these terms and the Agreement, the terms of the Agreement shall prevail. The governing law and dispute resolution shall be determined according to what has been agreed in the Agreement.
This policy was last modified on September 28th, 2020.