These Data Processing Terms form part of the agreement for provision of services in respect of the Notifi group management services (“Services”) under the agreement constituted under the Notifi Terms of Service (the “Agreement”) between: (i) Skygenapps Ltd, Skygenapps Ltd, a company registered in England and Wales under company number 09497294, whose registered office is at Chanfield The Hamlet, Potten End, Berkhamsted, Hertfordshire, England, HP4 2RD (“Skygenapps”); and the person or entity identified as the Business in the Notifi Terms of Service (“Business”).
In consideration of the mutual obligations set out in these Data Processing Terms, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in these Data Processing Terms to the Agreement are to the Agreement as amended by, and including, these Data Processing Terms. Except as expressly varied by these Data Processing Terms, the terms of the Agreement shall remain in full force and effect.
In these Data Processing Terms, “Data Protection Legislation” means: the Data Protection Act 2018, and unless and until the General Data Protection Regulation ((EU) 2016/679) (GDPR) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK.
-  Both parties will comply with all applicable requirements of the Data Protection Legislation. These Data Processing Terms is in addition to, and do not relieve, remove or replace, a party’s obligations under the Data Protection Legislation.
-  The parties acknowledge that:
- [a] Except to the extent that the Business is a natural person using Notifi in the course of a purely personal or household activity, if Skygenapps processes any personal data on the Business’s behalf, sole when performing its obligations under the Agreement, the Business is the data controller and Skygenapps is the data processor for the purposes of the Data Protection Legislation (where personal data, data controller and data processor have the meanings as defined in the Data Protection Legislation).
- [b] the personal data may be transferred or stored outside the EEA or the country where the Business is located in order to carry out the Services and Skygenapps’ other obligations under the Agreement;
- [c] Skygenapps also processes personal data for its own purposes as data controller, in respect of current and proposed members of groups set up and administered by the Business.
-  The Business will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of personal data to Skygenapps for the duration and purposes of the Agreement so that Skygenapps may lawfully use, process and transfer the Personal data in accordance with the Agreement on the Business’s behalf.
-  Without prejudice to paragraph 1.1, Skygenapps shall, in relation to any personal data processed in connection with the performance by Skygenapps of its obligations under the Agreement:
- [a] process that personal data only on the written instructions of the Business unless Skygenapps is required by the laws of the United Kingdom or any member of the European Union or by the laws of the European Union applicable to Skygenapps to process personal data (Applicable Laws). Where Skygenapps is relying on laws of a member of the United Kingdom European Union or European Union law as the basis for processing personal data, Skygenapps shall promptly notify the Business of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Skygenapps from so notifying the Business;
- [b] ensure that it has in place appropriate technical and organisational measures, reviewed and approved by Skygenapps, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
- [c] not transfer any personal data outside of the EEA unless the following conditions are fulfilled:
- [i] the Business or Skygenapps has provided appropriate safeguards under Data Protection Legislation in relation to the transfer;
- [ii] Skygenapps complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred.
- [d] assist the Business, at the Business’s cost, in responding to any request from a Data Subject in respect of its rights under Chapter III of GDPR, and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- [e] notify the Business without undue delay on becoming aware of a personal data breach;
- [f] at the written direction of the Business, delete or return personal data and copies thereof to the Business on termination of the Agreement unless required by Applicable Law to store the personal data; and
- [g] maintain complete and accurate records and information to demonstrate its compliance with these Data Processing Terms and allow for audits or inspections by the Business or the Business’s designated auditor.
-  The Business consents to Skygenapps appointing third party processors of personal data. Skygenapps confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business or incorporating terms which are substantially similar to those set out in these Data Processing Terms. As between the Business and Skygenapps, Skygenapps shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to these Data Processing Terms. Skygenapps shall inform the Business of any intended changes concerning the addition or replacement of other processors, thereby giving the Business the opportunity to object to such changes. In the event that such objections are not met by Skygenapps within 60 days of their being made, either Business or Skygenapps may terminate the Agreement on a no-fault basis on written notice. The Business shall not be entitled to any charges paid in respect of the Services in the event of such termination.
-  Skygenapps may, at any time on not less than 30 days’ notice, revise these Data Processing Terms by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme.
-  Instructions for Processing by Skygenapps
- [a] Scope. Provision of Notifi group management services.
- [b] Nature. Create or update an Account. Set-up or update a Profile. Create or update a Group. Add in members to one or more groups. Create, amend or agree on Content for proposed Notices. Post proposed Notices to a Pending group for approval by the Business. Upon approval send Notices to current and proposed group members. Create notes on current or proposed Group members.
- [c] Purpose of processing: Providing the Business with the services under the Agreement.
- [d] Duration of the processing: for the duration of the Agreement.
- [e] Types of personal data: The following personal data:
- [i] Business: First Name and Last Name of the business appointed administer, Business Name, Business Email Address, Password, Group Name, Group Description, Content of Notices
- [ii] Individual: Email Address or mobile number; Profile contents
- [f] Categories of Data Subject: current and proposed members of groups set up and administered by the Business by means of the Notifi mobile app.