DATA PROTECTION AGREEMENT (“DPA”)
1.1 The following capitalised terms used in this DPA shall be defined as follows:
(a) “Controller” has the meaning given in the GDPR.
(b) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”), any applicable national implementing legislation in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data.
(c) “Data Subject” has the meaning given in the GDPR.
(d) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(e) “Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
(f) “Processor” has the meaning given in the GDPR.
(g) “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
(h) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by European Commission Decision C (2010) 593 or any subsequent version thereof released by the European Commission (which will automatically apply).
(i) “Sub-processor” means any Processor engaged by us who agrees to receive from us Customer Personal Data.
(j) “Customer Personal Data” means the “personal data” (as defined in the GDPR) described in Annexure – 1 and any other personal data contained in the Customer Data that Phonon processes on your behalf in connection with the provision of the Service.
(k) “Supervisory Authority” has the meaning given in the GDPR.
(l) “Agreement” means a contract between Phonon and a customer creating mutual obligations enforceable by law.
2. DATA PROCESSING
2.1 The parties acknowledge and agree that for the purpose of the Data Protection Laws, the customer is the Controller and Phonon Communications Pvt. Ltd. is the Processor.
2.2 Instructions for Data Processing. Phonon will only Process Customer Personal Data in accordance with customer’s written instructions. The parties acknowledge and agree that the Agreement (subject to any changes to the Service agreed between the parties) and this DPA shall be customer’s complete and final instructions to Phonon in relation to the processing of Customer Personal Data.
2.3 Processing outside the scope of this DPA or the Agreement will require prior written agreement between customer and Phonon on additional instructions for Processing.
2.4 Required consents. Where required by applicable Data Protection Laws, customer will ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements under Data Protection Laws for the Processing of Customer Personal Data by Phonon in accordance with the Agreement.
3. TRANSFER OF PERSONAL DATA
3.1 Authorised Sub-processors. Customer agrees that Phonon may use Sub-processors to Process Customer Personal Data. Customer may contact Phonon for a list of Sub-processors.
3.2 Phonon shall notify customer from time to time of the identity of any Sub-processors engaged. If customer (acting reasonably) objects to a new Sub-processor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, customer may request that Phonon move the Customer Personal Data to another Sub-processor and Phonon shall, within a reasonable time following receipt of such request, use reasonable endeavours to ensure that the original Sub-processor does not Process any of the Customer Personal Data. If it is not reasonably possible to use another Sub-processor, and customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty (30) days written notice. If customer does not object within thirty (30) days of receipt of the notice, customer is deemed to have accepted the new Sub-processor.
3.3 Save as set out in clauses 3.1 and 3.2, Phonon shall not permit, allow or otherwise facilitate Sub-processors to Process Customer Personal Data without customer’s prior written consent and unless Phonon:
(a) enters into a written Agreement with the Sub-processor which imposes equivalent obligations on the Sub-processor with regard to their Processing of Customer Personal Data, as are imposed on Phonon under this DPA; and
(b) shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to customer for the acts and omissions of any Sub-processor as if they were Phonon’s acts and omissions.
3.4 International Transfers of Customer Personal Data. To the extent that the Processing of Customer Personal Data by Phonon involves the export of such Customer Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
(c) governed by the Standard Contractual Clauses between the customer as exporter and such third party as importer. For this purpose, the customer appoints Phonon as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the customer on its behalf.
4. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
4.1 Phonon Security Obligations. Phonon will implement and maintain the necessary technical and organisational measures. Customer acknowledges and agrees that these measures ensure a level of security that is appropriate to the risk.
4.2 Upon customer’s reasonable request, Phonon will make available all information reasonably necessary to demonstrate compliance with this DPA.
4.3 Security Incident Notification. If Phonon becomes aware of a Security Incident, Phonon will (a) notify customer of the Security Incident within 72 hours, and (b) investigate the Security Incident and provide customer (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
4.4 Phonon Employees and Personnel. Phonon will treat the Customer Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
4.5 Audits. Phonon will, upon customer’s reasonable request and at customer’s expense, allow for and contribute to audits, including inspections, conducted by customer (or a third party auditor on customer’s behalf and mandated by customer) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; and (iii) are conducted in a manner that causes minimal disruption to Phonon’s operations and business.
5. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
5.1 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Phonon will use reasonable endeavours to assist customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of customer’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws.
6. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.
6.1 To the extent required under applicable Data Protection Laws, Phonon will provide customer with reasonably requested information regarding its Service to enable customer to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Phonon.
7.1 Deletion or return of data. Subject to 7.2 below, Phonon will, at customer’s election and within 90 (ninety) days of the date of termination of the Agreement:
(a) make available for retrieval all Customer Personal Data Processed by Phonon (and delete all other copies of Customer Personal Data Processed by Phonon following such retrieval); or
(b) delete the Customer Personal Data Processed by Phonon.
7.2 Phonon and its Sub-processors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Phonon ensures the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Annexure – 1
DETAILS OF THE PROCESSING OF CUSTOMER PERSONAL DATA
This Annexure – 1 includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Customer Personal Data will be subject to the following basic processing activities: [transmitting, collecting, and storing data in order to provide the Service to the customer, and any other activities related to the provision of the Service or specified in the Agreement].
The types of Customer Personal Data to be processed
Phonon Conversational Platform does not mandate the collection of any user information or Sensitive Personal Information (SPI) for the regular functioning of the platform. However, if the user voluntarily provides information to the platform, the Phonon platform already identifies a set of data fields as SPI, masks these fields, and encrypts this information in the platform. The following categories of data are tagged as Customer SPI.
- user.name (optional)
- user.home-info.online.email (optional)
- user.home-info.postal (optional)
- user.bdate (optional)
- user.gender (optional)
- user.employer (optional)
- user.jobtitle (optional)
- user.business-info.postal (optional)
- user.business-info.telecom.telephone (optional)
- user.business-info.online.email (optional)
We collect identifiable information for the following reasons:
- Completion and Support of Current Activity
- Web Site and System Administration
- Research and Development
- Pseudonymous Analysis
- Individual Analysis
- Individual Decision
- Contacting Visitors for Marketing of Services or Products
- Historical Preservation
- Contacting Visitors for Marketing of Services or Products Via Telephone
Our Web Site generates server log files automatically. These log files are used to generate statistical information and error reports to ensure the Web Site runs with a minimum of disruption. They are not actively used to identify individual visitors.
Our Web site also uses the following cookies:
- name="JSESSIONID" value="*" domain="*.phonon.in" path="*.phonon.in/*"
The categories of data subject to whom the Customer Personal Data relates
The obligations and rights of the customer
The obligations and rights of the customer are as set out in this DPA.