Eshopbox Privacy Policy

Learn here what information Eshopbox collects, and why we collect it.

Written by Mayur Karwa
Updated over a week ago

ESHOPBOX E-COMMERCE PRIVATE LIMITED (“Eshopbox”) owns and manages the website www.eshopbox.com (“Website”). Eshopbox values your privacy and takes responsibilities in relation to your data seriously.

This Privacy Policy (“Privacy Policy”) is published in compliance with inter alia:

  • Section 43A of the Information Technology Act, 2000 (“IT Act”);

  • Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”); and

  • Rule 3(1) of the Information Technology (Intermediaries Guidelines) Rules, 2011.

This Privacy Policy deals with information Eshopbox collects in relation to our Websites and explains:

  • What information is collected by Eshopbox;

  • How Eshopbox collects and uses that information;

  • How you can provide information selectively, how you can access and update this information; and

  • How Eshopbox processes, shares, and protects your information.

By using the Website, you confirm that you accept the terms of this Privacy Policy and that you agree to abide by them. This Privacy Policy is incorporated into and subject to the terms of use available on the Website. This policy may be amended from time to time.

Eshopbox values the trust You place in us. That is why Eshopbox insists upon the highest standards for secure transactions and customer information privacy. This Privacy Policy applies to the personal information Eshopbox collects on the Website. This Privacy Policy inter alia describes the types of personal information Eshopbox collects on the Website, how Eshopbox may use that information, and with whom Eshopbox may share it. Eshopbox also tells you how you can reach Eshopbox to ask it to update your preferences regarding how Eshopbox communicates with you or answer any questions you may have about Eshopbox privacy practices. Please read the following statement to learn about our information gathering and dissemination practices.

Eshopbox privacy policy is subject to change at any time with notice. To make sure you are aware of any changes, please review this policy periodically.

When you access the Website you accept, without limitation or qualification, the Privacy Policy set forth below and any additional terms of use set forth in the Website. This Privacy Policy constitutes a binding legal agreement between you and Eshopbox. If you do not agree to the Privacy Policy, you have no right to obtain information from or otherwise continue using the Website. Failure to use the Website in accordance with the Privacy Policy may subject you to civil and criminal penalties. Eshopbox has provided this Privacy Policy to familiarise you with the type of data or information that You share with or provide to Eshopbox and that Eshopbox collects from you, the purpose for collection of such data or information from you, Eshopbox information security practices and policies and Eshopbox Privacy policy on controlling or processing your data or information with third parties. This Privacy Policy may be amended/updated from time to time. Upon amending/updating the Privacy Policy, Eshopbox will accordingly amend the date above. Eshopbox suggests that you regularly check this Privacy Policy to apprise yourself of any updates. Your continued use of the Website or provision of data or information thereafter will imply your unconditional acceptance of such updates to this Privacy Policy. The information (which shall also include data) provided by you to Eshopbox or collected from you by Eshopbox may consist of Personal Information and Non-Personal Information. “Personal Information” is the information you submit and that can be used to uniquely identify or contact you and “Non-Personal Information” is the de-identified and non-personally identifiable information collected from the Website.

1. Pledge on privacy

The term “Personal Data” as used in this Privacy Policy refers to information such as your name, e-mail address, telephone/mobile number that can be used to identify You. Generally, Eshopbox will only process your Personal Data as described in this Privacy Policy. However, Eshopbox reserves the right to conduct additional processing to the extent permitted or required by law, or in support of any legal or criminal investigation.

2. Information we collect

2.1 Eshopbox may collect information from:

  • Service providers that make user-generated content from their services available to others, such as local business reviews or public social media posts;

  • Communication service providers, including email providers and social networks, when you permit Eshopbox to access your data on such third-party services or networks. If you choose to register to use the Website using your social network or any such other account details (e.g., Facebook, Website ID, Google), you will provide Eshopbox or allow your social network to provide Eshopbox with your username and public profile;

  • Non-personally identifiable information;

2.2 Information Eshopbox collects by automated means

If you use the Website, Eshopbox may collect the following information by automated means:

  • Internet Protocol (“IP”) address;

  • Information about your use of the Website;

2.3 Non-Personal Information

Eshopbox may de-identify personal information that Eshopbox has collected from you through the Website and combine it with de-identified information about other users, information from third parties, and/or publicly available information. Eshopbox may also collect information other than Personal Information from you through the Website when you visit and/or use the Website. Such information may be stored in server logs. This Non-Personal Information would not assist Eshopbox to identify you personally. The duration of your stay on the Website is also stored in the session along with the date and time of your access. Non-Personal Information is collected through various ways such as the use of cookies with consent. Eshopbox may store temporary or permanent ‘cookies’ on your device.

2.4 Website visitorship information

Eshopbox gathers information from the Website activity, such as data on the number of people who visit the Website, the pages they visit, the duration of their stay, etc. Website visitorship information inter alia includes:

  • Collected on an aggregate, anonymous basis, which means no personally identifiable information is associated with this data;

  • Gathered through the use of web server logs and cookies;

2.5 Personal Information

You may choose to provide Eshopbox with Personal Information through the Website, like:

  • Contact information, such as your telephone/mobile number and email address;

  • Your profile searches conducted by you and the reviews submitted by you;

  • Information obtained from the account you use to login to the Website such as your username, date of birth (wherever applicable), the information you disclose in your user profile, and your photograph or profile video;

  • Information about services received/ rendered on the Website;

  • Your location;

2.6 Indirect Information

  • Your use of certain third-party services on the Website also requires Eshopbox to collect such information as is considered necessary for that purpose (“Indirect Information”);

  • While Eshopbox may collect Indirect Information when You access or use Eshopbox Website, Eshopbox collects User Information only from You with Your prior consent unless there are other legal grounds for doing so, as further specified in this Privacy Policy. Where You provide Eshopbox with User Information of third parties, Eshopbox understands that You have obtained the consent of such third parties, and have sufficient rights, approvals, and licenses to provide such information to Eshopbox;

  • The IT Act and the SPDI Rules regulate the collection, usage, retention, and disclosure of personal information, which is defined under the SPDI Rules as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available to a body corporate, is capable of identifying such person;

  • The SPDI Rules further define “Sensitive Personal Data or Information” (“SPDI”) of a person as Personal Information about that person relating to:
    1. Passwords;
    2. Financial information such as details of bank accounts, credit cards, debit cards or other payment instruments;
    3. Physical, physiological, and mental health conditions;
    4. Sexual orientation;
    5. Medical records and history;
    6. Biometric information;
    7. Any detail relating to the above categories, as specified in this paragraph, as provided to the body corporate for providing services;
    8. Any of the information received under the above categories, as specified in this paragraph, by a body corporate for processing, stored, or processed under lawful contract or otherwise.

    Eshopbox does not collect any of the aforesaid SPDI of any of the users of the Website.

3. Use of information collected

Most Eshopbox services do not require any form of registration, allowing you to visit the Eshopbox Website without telling Eshopbox who you are. However, some services may require you to provide Eshopbox with Personal Information. In these situations, if you choose to withhold any Personal Information requested by Eshopbox, it may not be possible for you to gain access to certain parts of the Website and for Eshopbox to respond to your query.

Eshopbox may collect and use Personal Information to provide you with services that Eshopbox thinks may be of interest to you or to communicate with you for other purposes which are evident from the circumstances or about which Eshopbox informs you when Eshopbox collects Personal Information from you.

Eshopbox is the controller of customer data and may process such data as may be required. Eshopbox stores the information collected from the Website, which is used to:

  • Improve Eshopbox product;

  • Enhance the end-user experience;

  • Provide, maintain and protect services, Website and Eshopbox Business;

  • Communicate with the customers in relation to technical and other administrative matters via emails and other modes of communication;

  • Personalisation of the product and the services;

  • Product development;

  • Relevant offers;

  • Reporting and Business operations;

  • Conduct and undertake research in order to develop and provide search, learning and productivity tools and additional features to service better experience;

  • Consulting services;

  • Ensure that you are old enough to use our Website (as required by law); and

  • Research wherein Eshopbox investigates and helps prevent security issues and abuse.

The information is processed and analysed by automated means to offer a variety of features that you get from using the Website. The information will be used for advanced analytics to offer additional insightful features in the future. Eshopbox may also anonymise (de-personalise) your information that Eshopbox collects and combine it with other information sources for the purpose of advanced analytics and future use cases.

If you access third-party services, such as Facebook or Google, to login to the Website or to share information about your usage on the Website with others, these third-party services may be able to collect information about you, including information about your activity on the Website, and they may notify your connections on the third-party services about your use of the Website, in accordance with their privacy policies.

4. Storage and maintenance of information collected

Eshopbox accesses and controls the Personal Data provided by you. In lieu of the same, Eshopbox may store or track information about you; however, Eshopbox shall not be obligated to do so and may delete any information and records, in whole or in part, solely at Eshopbox's discretion. Eshopbox may retain other information pertaining to you for as long as necessary for the purposes detailed within this Privacy Policy. Such other information provided by you shall be retained with Eshopbox, on Eshopbox servers located in Mumbai, for the period of time needed for Eshopbox to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce Eshopbox agreements.

  • Your Communication Preferences: To help Eshopbox make e-mails more useful and informative, Eshopbox often receives a confirmation when you open an e-mail from Eshopbox if Your device supports such capabilities. If you do not want to receive e-mail or other mail from Eshopbox, you may adjust your customer communication preferences from the Website.

  • Information from Other Sources: Eshopbox might receive information about you from other sources and add it to Eshopbox account information as may be required to serve you better and for Eshopbox business enhancement. By using or continuing to use Eshopbox Website, you agree to Eshopbox's use of your information (including sensitive Personal Information, if any) in accordance with this Privacy Policy, as may be amended from time to time by Eshopbox at Eshopbox discretion. You also agree and consent to Eshopbox collecting, storing, processing, transferring, and sharing information (including sensitive Personal Information) related to you with third parties or service providers for the purposes as set out in this Privacy Policy.

  • Eshopbox may be required to share the aforesaid information with government authorities and agencies for verification of identity or for prevention, detection, or investigation, including cyber incidents, prosecution and punishment of offences. You agree and provide Eshopbox consent to disclose your information, if so required, under applicable law.

5. Disclosure of information

Eshopbox customer’s privacy is extremely important to Eshopbox. However, Eshopbox may disclose certain information obtained to the following:

  • To Eshopbox employees, to diagnose and resolve any problems or to provide support to you.

  • To any other person, who performs services on Eshopbox's behalf, including billing, cashback, survey administration, reconciliation, complaint management, technical or customer support, and provision of email and data analytics.

  • To the business partners, who can alert you about the new services. Upon receipt of any alert, if you desire to be removed from such alert list, you may inform the sender or unsubscribe from the list as provided in each mail alert.

  • In the event that Eshopbox engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of a part of Eshopbox assets or stock, financing, public offering of securities, acquisition of all or a portion of Eshopbox business, a similar transaction or proceeding, or steps in contemplation of such activities (such as due diligence), some or all other information may be shared or transferred, subject to standard confidentiality arrangements.

  • To engage third-party companies or individuals as service providers or business partners to process other information and support Eshopbox business. These third parties may provide virtual computing and storage services. This may be with or without your consent.

  • With Eshopbox corporate affiliates, parents, and/or subsidiaries with respect to other information provided by the customer;

  • To protect and defend the rights, property or safety of the Company or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.

  • If Eshopbox is required to do so by law, regulation or legal process, such as a court order or in response to legal requests by government agencies or when Eshopbox believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury, or loss or in connection with an investigation of suspected or actual unlawful activity.

6. Use of cookies

Eshopbox and Eshopbox vendors and service providers use cookies and other similar technologies (“Cookies”) to automatically collect information, measure and analyze how you use the Website, enhance your experience using the Website, and improve Eshopbox services. Cookies are small files that, when placed on your device, enable the Website to provide certain features and functionality. Additionally, Eshopbox allows Eshopbox business partners, advertising networks, and other advertising vendors and service providers (including analytics vendors and service providers) to collect information about your online activities through Cookies. Eshopbox links your contact or subscriber information with your activity on our Website across all your devices, using your email or other log-in or device information. These third parties may use this information to display advertisements on the Eshopbox Website and elsewhere online tailored to your interests, preferences, and characteristics. Eshopbox is not responsible for the privacy practices of these third parties, and the information practices of these third parties are not covered by this Privacy Policy. In addition, your opt-out selection is specific to the particular Website or device that you are using when you opt out, so you may need to opt out separately for each Website or device. If you choose to refuse, disable, or delete Cookies, some of the functionality of the Website may no longer be available to you.

7. Security of data

Eshopbox takes the security of your data very seriously. Eshopbox works hard to protect the information you provide from loss, misuse, and unauthorised access or disclosure. In order to build Eshopbox Website and products, Eshopbox uses multiple sources of data; however, Eshopbox does not use any of Your Personal Information for developing Eshopbox Website and products. Eshopbox maintains commercially reasonable measures to maintain information security and prevent unauthorized access. Given the nature of communications and information processing technology, Eshopbox cannot guarantee that any information, during transmission through the internet or while stored on Eshopbox systems or otherwise in Eshopbox care, will be absolutely safe from intrusion by others. Since no security is fool-proof and in case Eshopbox becomes aware of any breach of security of your information, Eshopbox will notify you using the email address that Eshopbox has. If you do not agree to the terms discussed above, you should exit Eshopbox Website or stop using the same. When you access Eshopbox Website, you acknowledge that you have read and agreed to abide by the terms described above. Eshopbox will, from time to time, include links to and from the Websites of our partner networks, advertisers and affiliates. If you follow a link to any of these Websites, please note that these Websites have their own privacy policies and that Eshopbox does not accept any responsibility or liability for these policies. Please check these policies before you submit any information to these Websites.

8. Data to third party websites

Eshopbox does not provide any Personal Information to advertisers or to a third party except for Amazon Web Server (AWS) which hosts Eshopbox servers for the Website.

9. Force majeure

Notwithstanding anything contained in this Privacy Policy or elsewhere, Eshopbox shall not be held responsible for any loss, damage or misuse of your user information, if such loss, damage or misuse is attributable to a Force Majeure Event. "Force Majeure Event" shall mean any event that is beyond Eshopbox reasonable control and shall include without limitation, sabotage, fire, flood, explosion, acts of God, epidemic or pandemic, civil commotion, strikes or industrial action of any kind, riots, insurrection, war, acts of government, network errors, computer hacking, technical snags, unauthorized access to computer data and storage device, breach of security and encryption and any other like event beyond Eshopbox control.

10. Your rights

Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their Personal Information. If you are a resident or a citizen of the European Union or the European Economic Area, Eshopbox will collect, store, process and control your information in accordance with our Data Protection Policy (DPA) provided under ‘Annexure A’ hereto. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. You can contact us for any help regarding the same.

If you are a resident or a citizen outside of the European Union or the European Economic Area, you have the following rights:

  • The right to request, for a nominal charge, (i) confirmation of whether Eshopbox processes your personal data and (ii) access to a copy of the personal data retained;

  • The right to request proper rectification or removal of your personal data or restriction of the processing of your personal data;

  • Where the processing of your personal data is based on your consent, the right to withdraw your consent at any time without impact to data processing activities that have taken place before such withdrawal;

  • Where the processing of your personal data is either based on your consent or necessary for the performance of a contract with you and processing is carried out by automated means, the right to receive the personal data concerning you in a structured, commonly used and machine-readable format or to have your personal data transmitted directly to another company, where technically feasible (data portability);

  • The right to object to processing if Eshopbox is processing your personal data on the basis of our legitimate interest unless Eshopbox can demonstrate compelling legitimate grounds which may override your right. If you object to such processing, Eshopbox asks you to state the grounds of your objection in order for us to examine the processing of your personal data and to balance our legitimate interest in processing and your objection to this processing;

  • The right to object to processing your personal data for direct marketing purposes;

  • The right to lodge complaints before the competent data protection regulator.

Before Eshopbox can respond to a request to exercise one or more of the rights listed above, you may be required to verify your identity or your account details. Eshopbox shall have a duration of 1 month to respond to any or all of such exercising of your rights.

11. Children information

Another part of our priority is adding protection for children while using the internet. Eshopbox encourages parents and guardians to observe, participate in, and/or monitor and guide their online activity. Eshopbox does not knowingly collect any personally identifiable information from children under the age of 18. If you think that your child provided this kind of information on the Website, Eshopbox strongly encourages you to contact us immediately and Eshopbox will make best efforts to promptly remove such information from Eshopbox records.

12. Change in privacy policy

Eshopbox reserves the right to update, modify and amend any of the terms of Eshopbox Privacy Policy, at any time without prior intimation to you. Eshopbox shall not be liable for any failure or negligence on your part to review the updated Privacy Policy before accessing or using the Website. Your continued use of the Website, following changes to the Privacy Policy, will constitute your acceptance of those changes.

Eshopbox understands that all Personal Information provided by you to Eshopbox is voluntary. Collection, use and disclosure of Personal Information require Your express consent unless there are other legal grounds available to us to collect such information as further specified in this Privacy Policy. By using or accessing the Websites or otherwise providing Eshopbox with Your Personal Information, where applicable, you are providing Eshopbox with Your consent to Eshopbox use, collection, retention, transfer and disclosure of the Personal Information in accordance with the terms of this Privacy Policy.

In the event of a change in the law applicable to data protection in India, You hereby expressly consent to Eshopbox continued use, storage, collection and disclosure of Your Information including Personal Information to the fullest extent permitted under such applicable law. Eshopbox may reach out to You for obtaining additional consents and approvals as required under the amended law and You will be required to comply with such requests. Should You choose to not provide Eshopbox with such additional consents and approvals, Eshopbox may have to discontinue your access to the Websites.

You may choose to not provide Eshopbox with or withdraw any or all information included under Personal Information, but in the event that You do so, Eshopbox may be unable to allow you to access the Website or otherwise avail services for the provision of which your information is being collected or processed.

13. Retention of information

Eshopbox will put in place measures such that Your Personal Information, which is in Eshopbox possession or under Eshopbox control, is destroyed and/or anonymized as soon as and in any case, within 5 (five) years of it being reasonable to assume that (i) the purpose for which that Personal Information was collected is no longer being served by the retention of such Personal Information; and (ii) retention is no longer necessary for any other reason including applicable law.

If You wish that Eshopbox no longer use Your Personal Information in accordance with the terms of this Privacy Policy, contact Eshopbox.

Eshopbox, however, reserves the right to retain, store and use Your Information including Personal Information for Eshopbox business purposes, whether such information has been deleted or not. After a period of time, Your data may be anonymized and aggregated, and then may be held by Eshopbox as long as necessary for Eshopbox to provide Eshopbox Services effectively.

Please note that Your withdrawal of consent to use Your Personal Information may result in Eshopbox not being able to provide You with access to the Websites, or terminate any existing relationship that Eshopbox may have with You.

15. Disclaimer

Eshopbox cannot ensure that all of Your Information including Personal Information will never be disclosed in ways not otherwise described in this Privacy Policy. Therefore, although Eshopbox is committed to protecting Your privacy, Eshopbox does not promise, and You should not expect, that Your Information or private communications will always remain private. As a user of the Websites, You assume all responsibility and risk for Your use of the Website, the internet generally, and the information You post or access and for Your conduct on and off the Websites.

16. Indemnity

You agree and undertake to indemnify Eshopbox in any suit or dispute by any third party arising out of disclosure of information by You to third parties either through Eshopbox Websites or otherwise, and Your use and access of Websites and resources of third parties. Eshopbox assumes no liability for any actions of third parties with regard to Your Information or Personal Information which You may have disclosed to such third parties.

17. Grievance officer and contact information

In accordance with the IT Act and rules made thereunder, the name and contact details of the Grievance Officer are provided below. If you have any concerns or questions in relation to Eshopbox Website or this Privacy Policy, you may address them to the Eshopbox grievance officer.

Name: Mayur Karwa

Data protection policy

This Data Protection Policy (“DPA”) has been framed in compliance with GDPR issued by the European Parliament and Council. This DPA is applicable to every person that collects data from European Union (“EU”) residents, or processes data on behalf of a data controller, or any person based in the EU and has a contractual relationship with ESHOPBOX E-COMMERCE PRIVATE L, a company incorporated under the Companies Act, 2013 having its registered office at [ ] (hereinafter referred to as “Company”/“Eshopbox”).

This DPA is incorporated by reference into any and all agreements currently in place between you and the Company (“Agreement”). When you enter into any agreement with the Company, you accept, without limitation or qualification, the DPA set forth below. You hereby represent and warrant that you have the authority to legally bind yourself and all of Your personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced herein.

The Company reserves the right to modify or update this DPA at any time and changes will become effective immediately upon posting. You are requested to check for updates to the DPA periodically.

You hereby agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with Data Protection Laws, including GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.

1. Definitions

In this DPA, the following terms shall have the meanings set out below:

  • “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;

  • “Contracted Processor” means the duly appointed Data Processor or a Sub-processor;

  • “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR;

  • “Data Subject” means the individual to whom the Personal Data relates;

  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

  • “Security Breach” has the meaning set forth in Clause 7 of this DPA;

  • “Standard Contractual Clauses” means standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission Decision C (2004) 5271;

  • “Sub-processor” means any Processor or sub-processor engaged by the Data Controller for the Processing of Personal Data;

  • “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR;

  • “Term” has the meaning set forth in Clause 12.1 of this DPA; and

  • The terms “Controller”, “Personal Data”, “Processor,” “Processed” and “Processing,” have the meanings given to them in applicable Data Protection Laws.

2. Processing of personal data

  • The parties to the Agreement hereby agree that they are independent Controllers with respect to the processing of the Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both parties shall keep a record of all Processing activities with respect to Personal Data as required under GDPR.

  • Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data, including but not limited to: (i) providing accurate and up-to-date contact details of either party’s data protection officer to the other party; and (ii) providing reasonable information and assistance to the other party: (a) in conducting data protection impact assessments as required under the Data Protection Laws; and (b) regarding consultations between that party and a Supervisory Authority.

  • The Data Processor shall Process the Personal Data in accordance with the requirements of the Data Protection Laws.

  • The Data Processor shall not Process any Personal Data other than with the written instructions of the Data Controller.

  • The Data Controller
    A) Shall instruct the Data Processor and its Affiliates (and instruct the Data Processor and its Affiliates to instruct each Sub-Processor) to:
    1. Process the Personal Data; and
    2. In particular, transfer the Personal Data to any country or territory as reasonably necessary and consistent with the Agreement.

    B) Hereby warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in clause 2.5.1 above on behalf of its Affiliates.

The information regarding the Processing of Personal Data is set out under ‘Annexure 1’ of this DPA. The parties shall incorporate the terms of ‘Annexure 1’ as a part of the Agreement and such terms shall form an integral part of this DPA.

3. Data subjects’ rights

Each party is separately responsible for honouring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Clause 3.

4. Personnel

Both the parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Sub-processors

  • The Data Controller hereby authorises the Data Processor to appoint Subprocessors in accordance with this Clause and any restrictions in the Agreement.

  • The Data Processor may continue to use those Subprocessors already engaged by the Data Processor as at the date of the Agreement, subject to the Data Processor as soon as practicable meeting the obligations set out in Clause 5.4 below.

  • The Data Processor shall neither appoint nor disclose any Personal Data to the proposed Sub-processor except with the prior written consent of the Data Controller.

  • With respect to each Sub-processor, the Data Processor shall:
    1. Before the Subprocessor first Processes the Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for the Personal Data required by the Agreement; and
    2. Ensure that the arrangement between the Data Processor and the Subprocessor is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA.

6. Security and audit rights

  • The Data Controller shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA and the Agreement. The Data Controller will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

  • Both the parties will (taking into account the nature of the processing of Personal Data under the Agreement) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by (a) in the case of the Data Controller, implementing and maintaining appropriate security measures; and (b) complying with the terms of Clause 7 of this DPA.

  • Each party shall make available to the other party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm. To request an audit, the requestor must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both the parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both parties before conducting the audit. The audit must be conducted during regular business hours, subject to both the parties’ company policies, and may not unreasonably interfere with either company’s business activities. Any such audits shall be conducted at the expense of the party making the request for such an audit. Both the parties agree to share information with the other regarding any non-compliance discovered during the course of an audit.

7. Security breach management and notification

  • If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than 3 (three) business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.

  • Both the parties agree that an unsuccessful Security Breach attempt will not be subject to this Clause 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities storing Personal Data and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.

  • Notifications of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it keeps the other party updated with accurate contact information.

  • Any notification of or response to a Security Breach under this Clause 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.

  • The Data Controller shall implement reasonable technical and organizational security measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organisational measures are subject to technological development, either party is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Laws.

8. Return and deletion of personal data

  • Both the parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 (thirty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.

  • On the expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 (sixty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on backup systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.

9. Data transfers

  • Neither party shall transfer any Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws.

  • Except with regard to the Personal Data transferred from one party to the other party in reliance on the appropriate transfer mechanism specified in Clause 9.1 above, the Standard Contractual Clauses shall apply to the recipient's processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the parties transfer Personal Data in reliance on the Standard Contractual Clauses, the Standard Contractual Clauses shall be deemed completed and signed by the parties by the execution of the Agreement.

10. Liability

  • Both parties agree that their respective liability under this DPA shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by each respective party as may be determined by the parties mutually.

  • Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).

11. Governing law and jurisdiction

  • The parties shall submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

  • This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.

12. Miscellaneous

  • This DPA will take effect on the date of execution of the Agreement (the “Effective Date”) and will remain valid until the deletion of all Personal Data under the Agreement by both the parties (“Term”).

  • Nothing in this DPA shall impact either party’s intellectual property rights with respect to Personal Data provided by either party under the Agreement except to the extent required by applicable law.

  • Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to the Agreement.
