Accendo Technologies Sdn Bhd.
GDPR DATA PROCESSING ADDENDUM
This Data Processing Addendum (DPA) is an assurance from Accendo Technologies Sdn Bhd (Accendo) to you or the entity you represent (“Customer”).
This DPA supplements to any entity using Accendo Technologies product (TalentPulse) and having existing legal contract with Accendo.
DPA is applicable when the EU GDPR (General Data Protection Regulation) and country-specific data protection requirements, applies to use of the Accendo services to process user’s personal data, personally identifiable information.
Section 1 . Data Processing
1.1 Scope and Roles.
This DPA applies when user’s Personal data, Personally identifiable information is processed through Accendo product platform. In this context, Accendo Technologies will act as “processor” to Customer who may act as “controller” with respect to user’s personal data, personally identifiable information.
1.2 Customer Controls.
Accendo provides service through Accendo Technologies product platform to Customer with a number of features and functionalities, security controls which Customer may use for processing personal data and/ or personally identifiable information.
Without prejudice to section 1.1, Customer may use controls as technical and organisational measures to protect user’s personal data, in connection with its obligations under the GDPR and country specific data protection requirements. This can include customer’s obligations relating to responding to requests from data subjects ( users), obtaining consent from data subjects ( users ).
1.3 Details of Data Processing.
1.3.1 Data Subject. End users are data subjects whose personal data, personally identifiable information are used for data processing under this DPA
1.3.2 Duration. As per contractual agreement between Accendo and Customer, the duration of the data processing under this DPA is determined by Customer.
1.3.3 Purpose. The purpose of the data processing under this DPA is the provision of the services of featured in Accendo ‘s product platform used by Customer from time to time.
1.3.4 Nature of the processing: Storage, Profiling, Modification, Profiling, Reporting using personal data, personally identifiable information are considered as processing activities and such other services as described in the contract with Customer.
1.3.5 Customer Data: User‘s ( Data Subject) personal data, personally identifiable information shared with Customer for various activities to cater to the requirements of contractual obligations or shared with government agencies upon directives of government authorities or legal obligations.
1.3.6 Categories of data subjects: The data subjects may include Customer’s customer or users of Customer’s services, employees.
Section 2. Confidentiality of Customer Data.
Accendo will not access or use or disclose to any third party, any Customer Data, except in each case, as necessary to maintain or provide the services, or as necessary to comply with the law or a valid and binding order of a governmental body.
If a governmental body sends Accendo Technologies a demand for Customer Data, Accendo Technologies will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Accendo Technologies may provide Customer’s basic contact information to the government body. If compelled to disclose Customer Data to a government body, then Accendo Technologies will provide Customer reasonable notice of the demand.
If the standard contractual clauses apply, nothing in this Section 2 varies or modifies the standard contractual clauses.
3. Confidentiality Obligations of ACCENDO Personnel.
Accendo Technologies restricts its personnel from processing Customer Data without authorisation. Accendo Technologies imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
4. Security of Data Processing
4.1 Accendo Technologies has implemented and will maintain the technical and organisational measures for security standards which are industry wide best practices. In particular, Accendo Technologies has implemented and will maintain the following technical and organisational measures:
(a) Physical security of the facilities.
(b) Measures to control access rights for employees and other stakeholders in relation to the IT Network and product platform instances/ data bases.
(c) Processes for regularly testing, assessing and evaluating the effectiveness of the technical and organisational security and data protection measures have been implemented.
4.2 Customer may wish to implement specific technical and organisational measures in relation to Customer’s customer or user data. Such technical and organisational measures can be included on and above Accendo‘s security and data protection controls.
5. Sub-processing.
6.1 Authorised Sub-processors.
Customer agrees that Accendo Technologies may use sub-processors ( They are named as “Supplier”/ “ Vendors” with whom Accendo Technologies has service contracts, to fulfil its contractual obligations and clauses under this DPA or to provide certain services on its behalf.
6.2 Sub-processor Obligations.
Where Accendo Technologies authorises any sub-processor as described in Section 6.1:
- Accendo Technologies will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the services or to provide the services to Customer and Accendo Technologies will prohibit the sub-processor from accessing Customer Data for any other purpose.
- Accendo Technologies will enter into a written agreement with the sub-processor and, will impose on the sub-processor the data protection obligations in line with EU GDPR (General Data Protection Regulation) and country-specific data protection requirements.
6. Data Subject Rights
Taking into account the nature of the services, Accendo Technologies is not responsible for Customer’s obligation towards data subject’s (customer/ end user) rights. In such cases, Customers are the direct custodian of data subject’s (customer/ end-user) personal data and Customers are referred to as “Controller” as per EU GDPR terminology.
Customer’s responsibilities include obtaining consent from its customers/users regarding using of personal data/ personally identifiable information in Accendo’s product platform to provide their services.
Accendo shall not be held responsible, in the event of any liability arising on Customer as a result of not complying to their obligations towards EU GDPR and country-specific data protection requirements.
Should a data subject contact Accendo Technologies with regard to correction or deletion of its personal data, Accendo Technologies will forward such requests to Customer.
7. Security Breach Notification.
7.1 Security Incident.
Accendo Technologies will
(a) Notify Customer of a Security Incident / Personal Data breach without undue delay after becoming aware of the Security Incident, and
b) Take reasonable steps to mitigate the effects and to minimise any damage resulting from the Security Incident/ Data breach.
7.2 Unsuccessful Security Incidents.
Customer agrees that:
- An unsuccessful Security Incident will not be subject to Section 7. An unsuccessful Security Incident is one that results in no unauthorised access to Customer Data or to any of Accendo’s equipment or facilities storing Customer Data. This may include, without limitation, pings and other broadcast attacks on firewalls, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
- Accendo’s obligation to report or respond to a Security Incident under Section 7 is not and will not be construed as an acknowledgement by Accendo Technologies of any fault or liability of Accendo Technologies with respect to the security Incident.
8. Accendo Technologies Certifications and Audits.
8.1 Accendo Technologies Internal GDPR audits and Compliance Score Card.
In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable NDA(Non-Disclosure Agreement) in place, Accendo Technologies will make available the following documents and information:
- Internal GDPR compliance audits and compliance score card.
8.2 Accendo Technologies Audits.
Accendo Technologies uses external auditors to verify the adequacy of its security measures, including the security of the cloud instances for Accendo’s product platform development, testing and Demonstration/ production environments .
This audit:
(a) Will be performed as decided internally by Accendo Technologies
(b) Will be performed according to applicable GDPR clauses.
8.3 Privacy Impact Assessment and Prior Consultation.
Taking into account the nature of the services and the information available, Accendo Technologies will comply with it’s obligations towards data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR.
9. Transfers of Personal Data.
Taking into account the nature of the services through “Accendo Technologies Product Platform”, Accendo Technologies deploys product platform in the clients’ data centre or private cloud. Accendo Technologies is not responsible for any type of violation with respect to data transfer to third count countries.
10. Return or Deletion of CustomerData.
Accendo Technologies services provide Customer/ with controls that Customer may use to retrieve or delete or modify their Customer/ User’s Data available in Accendo’s product platform. Accendo Technologies will not have any authority over customer data.
This addendum to the current, Service Agreement/ Contract, has been communicated to all customers. Customers can choose to reply back for any changes or clarifications to [email protected].
By publishing and communicating this addendum Accendo Technologies is demonstrating it’s obligations and responsibilities to comply with EU General Data Protection Regulations ( GDPR ) and country specific data protection requirements, which may directly or indirectly impact Customer’s obligation towards, EU General Data Protection Regulations ( GDPR ) and country specific data protection requirements
