Definitions Within this Data Processing Addendum, "G.D.P.R." means the General Data Protection Regulation (Regulation (EU) 2016/679), and "Controller", "Data Processor", "Data Subject", "Personal Data", "Personal Data Breach" and "Processing" shall have the same meanings as are defined in Article 4 of the General Data Protection Regulation.
For the purposes of this addendum, the customer of PFU (EMEA) LIMITED is the Data Controller and PFU (EMEA) LIMITED is the processor.
All other terms herein shall be defined elsewhere in this data processing Addendum.
Data processing
In conducting its activities the Processor confirms that:
the duration, subject matter, nature and purpose of the Processing shall be based on GDPR Article 6 (b) “Performance of the contract”.
the types of Personal Data Processed shall include only those supplied to the processor directly by the data controller.
the categories of Data Subjects include your representatives, Users and any other individuals identified or identifiable by Your Personal Data; and
your obligations and rights as Data Controller in relation to Your Personal Data as defined by the GDPR.
PFU (EMEA) LIMITED shall:
only Process Your Personal Data in accordance with your instructions, including in respect of the transfer of Your Personal Data, subject to any exceptions permitted by Article 28(3)(a) of the G.D.P.R.;
ensure that those of its employees authorised who Process Your Personal Data under this Agreement have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality in relation to processing Your Personal Data;
implement appropriate technical and organisational measures to protect your personal data.
inform you in respect to any changes in respect to appointing Sub-processors and give you 14 days in which to object to such appointment.
assist you by appropriate technical and organisational measures, insofar as this is reasonably possible, to enable you to fulfil your obligations to respond to requests for the exercise of rights by a Data Subject under Chapter III of the G.D.P.R.;
assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 G.D.P.R. taking into account the nature of the Processing and the information that is available to PFU (EMEA) LIMITED;
on termination of the Agreement, delete the Personal Data pursuant to the Agreement, unless European Union or Member State law requires Personal Data to be retained;
make available to you all information that is necessary to demonstrate compliance with the obligations of the processor under Article 28 G.D.P.R.; and
You authorise PFU (EMEA) LIMITED to subcontract its data Processing obligations under this Agreement to PFU (EMEA) LIMITED's Affiliates, and to other third parties, a list of which PFU (EMEA) LIMITED will provide to you upon your written request. PFU (EMEA) LIMITED shall do so only by way of a written agreement with such Sub-processor, which imposes the same data protection obligations on the Sub-processor as are imposed on PFU (EMEA) LIMITED under this Agreement. Where that Sub-processor fails to fulfil such obligations, PFU (EMEA) LIMITED shall remain fully liable to you for the performance of that Sub-processor's data protection obligations.
PFU (EMEA) LIMITED shall notify you without undue delay upon becoming aware of a Personal Data Breach relating to Your Personal Data. Such notice shall include, at the time of notification or as soon as possible after notification, relevant details of the Personal Data Breach where possible, including the number of your records affected, the category and approximate number of affected Users, anticipated consequences of the breach and any actual or proposed remedies, where appropriate, for mitigating the possible adverse effects of the breach.