Flat - Data Processing Addendum
This data processing addendum (“DPA”) applies as set out in clause 11 of the Agreement.
In the event of any conflict between the Agreement and this DPA, this DPA shall prevail.
1.1 Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following words and expressions shall have the following meanings:
- (a) “Customer Personal Data” means the personal data described here and any other personal data that Flat processes on your behalf in connection with your use of the Service;
- (b) “Data Protection Laws” means any applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data, including without limitation the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”);
- (c) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein;
- (d) “Party” means each of you and Flat;
- (e) “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any of the Customer Personal Data;
- (f) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by the European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission (which will apply automatically); and
- (g) “Subprocessor” means any Processor engaged by Flat who agrees to receive from Flat Customer Personal Data.
1.2 The terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the GDPR.
2. Data processing
2.1 Instructions for Data Processing. Flat will only Process Customer Personal Data in accordance with
- (a) the Agreement, to the extent necessary to provide the Service to you, and
- (b) your written instructions, unless Processing is required by European Union or Member State law to which Flat is subject, in which case Flat shall, to the extent permitted by applicable law, inform you of that legal requirement before Processing Customer Personal Data in that way.
2.2 The Agreement (subject to any changes to the Service agreed between the Parties) and this DPA shall be your complete and final instructions to Flat in relation to the processing of Customer Personal Data. Processing outside the scope of this DPA or the Agreement will require prior written agreement between you and Flat on additional instructions for Processing.
2.3 Where applicable by virtue of Article 28(3)(h) of the GDPR, Flat shall immediately notify you in the event that Flat believes your instructions conflict with the requirements of the GDPR or other EU or Member State laws.
2.4 Right to Process. You shall ensure that Flat (and any Subprocessors) are legally permitted to store and Process the Customer Personal Data as contemplated under the Agreement and Statements of Work, including as follows:
- (a) the Processing of any Customer Personal Data will be consistent with the information communicated to the relevant Data Subjects or as otherwise necessary in accordance with applicable law; and
- (b) where required by applicable Data Protection Laws, you have obtained/will obtain all necessary consents for the Processing of Customer Personal Data by Flat in accordance with the Agreement.
3. Transfer of personal data
3.1 Authorised Subprocessors. You agree that Flat may use the entities listed here (https://flat.io/help/en/general/data-infrastructure.html#subprocessors) as Subprocessors to Process Customer Personal Data.
3.2 You agree that Flat may use subcontractors to fulfil its contractual obligations under the Agreement and Flat shall notify you from time to time of any changes to the identity of the Subprocessors it engages. If you (acting reasonably) do not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, you may request that Flat moves Customer Personal Data to another Subprocessor and Flat shall, within a reasonable time following receipt of such request, use all reasonable endeavours to ensure that the Subprocessor does not Process any of the Customer Personal Data.
3.3 Save as set out in paragraphs 3.1 and 3.2, Flat shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without your prior written consent and unless Flat enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Flat under this DPA.
3.4 Liability of Subprocessors. Flat shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to you for the acts and omissions of any Subprocessor approved by you in accordance with paragraphs 3.1 and 3.2 as if they were the acts and omissions of Flat.
3.5 Prohibition on Transfers of Personal Data. To the extent that the Processing of Customer Personal Data by Flat involves the export of such Personal Data to a country or territory outside the EEA, Flat shall ensure that:
- (a) the recipient, or the country or territory in which it Processes or accesses the Personal Data, ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the Processing of Customer Personal Data as determined by the European Commission; or
- (b) the transfer is based on the Standard Contractual Clauses or (where relevant) the U.S. – EU Privacy Shield, or another legally recognised transfer method. If there is any inconsistency between any of the provisions of the Standard Contractual Clauses and the provisions of the Agreement, the provisions of the Standard Contractual Clauses shall prevail.
4. Data security, audits and security notifications
4.1 Flat Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Flat shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out here.
4.2 Security Audit. You may, upon reasonable notice, audit (either by yourself or using independent third party auditors) Flat’s compliance with the security measures set out in this DPA (including the technical and organisational measures set out here), including by conducting audits of Flat’s data processing facilities. Flat shall assist with, and contribute to, any audits conducted in accordance with this paragraph 4.2.
4.3 Upon your reasonable request, Flat shall make available all information reasonably necessary to demonstrate compliance with this DPA.
4.4 Security Incident Notification. If Flat or any Subprocessor becomes aware of a Security Incident, Flat will
- (a) notify you of the Security Incident without undue delay,
- (b) investigate the Security Incident and provide such reasonable assistance to you (and any law enforcement or regulatory official) as required to investigate the Security Incident, and
- (c) take steps to remedy any non-compliance with this DPA.
4.5 Flat Employees and Personnel. Flat shall treat Customer Personal Data as your Confidential Information, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
5. Access requests and data subject rights
5.1 Data Subject Requests. Save as required (or where prohibited) under applicable law, Flat shall notify you of any request received by Flat or any Subprocessor from a Data Subject in respect of their personal data included in Customer Personal Data, and shall not respond to the Data Subject.
5.2 Flat shall provide you with the ability to correct, delete, block, access or copy Customer Personal Data in accordance with the functionality of the Service.
5.3 Government Disclosure. Flat shall notify you of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
6.1 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Flat shall provide you with any information or assistance you reasonably request for the purpose of complying with any of your obligations under applicable Data Protection Laws, including:
- (a) using all reasonable endeavours to assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising Data Subject rights laid down in the GDPR; and
- (b) providing you with reasonable assistance with any data protection impact assessments and with any prior consultations to any of your Supervisory Authorities, in each case solely in relation to Processing of Customer Personal Data and taking into account the information available to Flat.
7. Duration and termination
7.1 Deletion of data. Subject to 7.2 and 7.3 below, Flat shall, within 90 (ninety) days of the date of termination of the Agreement:
- (a) return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by you to Flat; and
- (b) delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Flat or any Subprocessors.
7.2 Subject to section 7.3 below, you may in your absolute discretion notify Flat in writing within 30 (thirty) days of the date of termination of the Agreement to require Flat to delete and procure the deletion of all copies of Customer Personal Data Processed by Flat. Flat shall, within 90 (ninety) days of the date of termination of the Agreement:
- (a) comply with any such written request; and
- (b) use all reasonable endeavours to procure that its Subprocessors delete all of Customer Personal Data Processed by such Subprocessors, and, where this section 7.2 applies, Flat shall not be required to provide a copy of Customer Personal Data to you.
7.3 Flat and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Flat shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Annex 1: Details of the processing of customer personal data
This page includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
**Subject matter and duration of the Processing of Customer Personal Data**
The Processing of Customer Personal Data in connection with your access to the Service on the terms set out in the Agreement.
**The nature and purpose of the Processing of Customer Personal Data**
The provision of the Service to you.
**The types of Customer Personal Data to be processed**
Any Personal Data uploaded or created on the Service, including name, contact details, profile information, and any Personal Data contained in User Content uploaded or created on the Service.
**The categories of data subject to whom the Customer Personal Data relates**
**Your obligations and rights**
The obligations and rights of the Customer are as set out in this DPA.
Annex 2: Technical and organisational security measures
1. Flat maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
- (a) secure any Personal Data Processed by Flat against accidental or unlawful loss, access or disclosure;
- (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Personal Data Processed by Flat;
- (c) minimise security risks, including through risk assessment and regular testing.
2. Flat will, and will use reasonable efforts to procure that its Subprocessors, conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and their own policies and procedures.
3. Flat will, and will use reasonable efforts to procure that its Subprocessors, periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
4. Flat will provide its staff with regular training on data security and privacy issues relevant to staff members’ job role.