Workflow – Data Processing Policy
Gültig ab dem 19. April 2021
Diese Ideaform-Datenverarbeitungsrichtlinie ist Teil der Ideaform-Richtlinie und unterliegt den Bestimmungen der Ideaform Allgemeine Geschäftsbedingungen. Capitalized terms that are not defined in this Data Processing Policy have the meanings set forth in the Terms of Service.
Zusätzliche Definitionen
Die folgenden Definitionen gelten ausschließlich für diese Datenverarbeitungsrichtlinie:
die Begriffe "für die Verarbeitung Verantwortlicher", "betroffene Person", "personenbezogene Daten", "verarbeiten" und "Auftragsverarbeiter" haben die Bedeutung, die diesen Begriffen im EU-Datenschutzrecht zugewiesen wird.
Ein "Verstoß" ist eine Verletzung der Sicherheitsmaßnahmen, die zu einem Zugriff auf die Geräte oder Einrichtungen von Ideaform führt, in denen deine kontrollierten Daten gespeichert sind, sowie die versehentliche oder unrechtmäßige Zerstörung, der Verlust, die Veränderung, die unbefugte Offenlegung oder der Zugriff auf deine kontrollierten Daten, die von Ideaform in deinem Namen und auf deine Anweisung hin über die Dienste übertragen, gespeichert oder verarbeitet werden.
"Inhalt" bezeichnet deinen Inhalt und alle Inhalte, die uns von deinen Endnutzer/innen zur Verfügung gestellt werden, einschließlich, aber nicht beschränkt auf Text, Fotos, Bilder, Audio, Video, Code und andere Materialien.
"EU-Datenschutzgesetz" bezeichnet alle Datenschutzgesetze oder -vorschriften der Schweiz oder eines Landes des Europäischen Wirtschaftsraums ("EWR"), die auf deine kontrollierten Daten anwendbar sind, einschließlich der DSGVO und der Datenschutzrichtlinie für elektronische Kommunikation 2002/58/EG, soweit anwendbar.
"GDPR" bezeichnet die EU-Datenschutzgrundverordnung 2016/679.
"Sicherheitsmaßnahmen" bezeichnet die technischen und organisatorischen Sicherheitsmaßnahmen, die wir in Bezug auf die Dienste umsetzen, wie sie von Zeit zu Zeit auf unserer Website beschrieben werden.
"Unterauftragsverarbeiter" ist ein Unternehmen, das von Ideaform mit der Verarbeitung deiner kontrollierten Daten beauftragt wird.
“Your Controlled Data” means the personal data in the Content Ideaform processes on your behalf and instructions as part of the Services, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to the Application) with respect to your End Users’ interactions with the Application through their browser and technologies like cookies.
Anwendbarkeit
Diese Datenverarbeitungsrichtlinie gilt nur für dich, wenn du oder deine Endnutzer betroffene Personen sind, die sich innerhalb des EWR oder der Schweiz befinden, und gilt nur für deine kontrollierten Daten. Du erklärst dich damit einverstanden, dass Ideaform nicht für personenbezogene Daten verantwortlich ist, die du über Drittanbieter-Dienste oder außerhalb der Dienste verarbeitet hast, einschließlich der Systeme anderer Cloud-Dienste von Drittanbietern, Offline- oder On-Premises-Speicherung.
Details zur Datenverarbeitung
3.1 Subject Matter. The subject matter of the data processing under this Data Processing Policy is Your Controlled Data.
3.2 Duration. As between you and us, the duration of the data processing under this Data Processing Policy is determined by you.
3.3 Purpose. The purpose of the data processing under this Data Processing Policy is the provision of the Services initiated by you from time to time.
3.4 Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
3.5 Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Services in accordance with instructions given through your Account.
3.6 Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.
Bearbeitung von Rollen und Aktivitäten
4.1 Ideaform as Processor and You as Controller. You are the controller and Ideaform is the processor of Your Controlled Data.
4.2 Ideaform as Controller. Ideaform may also be an independent controller for some personal data relating to you or your End Users. Please see our Datenschutzrichtlinie und Allgemeine Geschäftsbedingungen for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your End Users’ interactions with the Application, you receive that as an independent data controller and are responsible for compliance with EU Data Protection Law in that regard.
4.3 Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified from within your Account (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform; or (b) email your End Users on your behalf.
4.4 Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Policy. Ideaform will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
Unsere Verantwortlichkeiten bei der Verarbeitung
5.1 How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to your Controlled Data. Additional instructions outside the scope of this Data Processing Policy require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe applicable EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
5.2 Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable EU Data Protection Laws. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgement by Ideaform of any fault or liability of Ideaform with respect to the Breach. Despite the foregoing, Ideaform’s obligations under this Section do not apply to incidents that are caused by you, any activity on your Account and/or Third-Party Services.
5.3 Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.
5.4 Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services, your Account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
5.5 Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.6 Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Policy, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to info@format.com. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to info@format.com. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate your Account or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 5.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 5.6. Except as set forth in this Section 5.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. Ideaform will remain responsible for its compliance with the obligations of this Data Processing Policy and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause Ideaform to breach any of Ideaform’s obligations under this Data Processing Policy, solely to the extent that Ideaform would be liable under the Agreement if the act or omission was Ideaform’s own.
5.7 Ideaform Audits. Ideaform may (but is not obliged to) use external or internal auditors to verify the adequacy of our Security Measures.
5.8 Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing Ideaform to carry out the audit described in Section 5.7. You agree that you may be required to agree to a non-disclosure agreement with Ideaform before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If Ideaform does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with EU Data Protection Law by means other than reviewing a report from such an audit, you may only request a change in the following way:a. First, submit a request for additional information in writing to Ideaform, specifying all details required to enable Ideaform to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures.b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for Ideaform to verify Ideaform’s compliance with the Security Measures in order to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for Ideaform to maintain uninterrupted business operations and the security of its facilities and protect itself and its customers from risk and to prevent disclosure of information that could jeopardize the confidentiality of Ideaform or our users’ information.You will pay our costs in considering and addressing any Request. Any information and documentation provided by Ideaform or its auditors pursuant to this Section 5.8 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected Paid Services.
5.9 Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Policy, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by Ideaform under this Section 5.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to Ideaform, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with Ideaform before we share any such information with you.
5.10 Requests. You can delete or access a copy of some of Your Controlled Data through your Account. For any of Your Controlled Data which may not be deleted or accessed through your Account, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which is archived on back-up systems, which we shall securely isolate and protect from any further processing, except to the extent required by applicable law). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy. This Section 5.10 does not apply to personal data held by Third Party Services.
Datenübertragungen
Du ermächtigst uns, deine kontrollierten Daten aus dem Land, in dem sie ursprünglich erhoben wurden, zu übertragen. Insbesondere ermächtigst du uns, deine kontrollierten Daten in die USA und nach Kanada zu übermitteln. Wir übermitteln deine kontrollierten Daten in Länder außerhalb des EWR unter Anwendung des Swiss-U.S. und EU-U.S. Privacy Shield Frameworks oder eines anderen rechtmäßigen Datenübertragungsmechanismus, der nach dem EU-Datenschutzrecht ein angemessenes Schutzniveau für solche Datenübermittlungen bietet.
Haftung
Die Haftung jeder Partei gemäß dieser Datenverarbeitungsrichtlinie unterliegt den Haftungsausschlüssen und -beschränkungen, die in der Vereinbarung festgelegt sind. Du erklärst dich damit einverstanden, dass alle behördlichen Strafen oder Ansprüche von betroffenen Personen oder anderen, die Ideaform in Bezug auf deine kontrollierten Daten entstehen, die sich aus der Nichteinhaltung deiner Verpflichtungen gemäß dieser Datenverarbeitungsrichtlinie oder des EU-Datenschutzgesetzes ergeben, die maximale Gesamthaftung von Ideaform dir gegenüber im Rahmen der Vereinbarung in der gleichen Höhe reduzieren, wie die Strafe und/oder Haftung, die uns dadurch entstanden ist.
Konflikt
In the event of a conflict between this Data Processing Policy and our Terms of Service, this Data Processing Policy will control.
Sonstiges
Du bist für alle Kosten und Ausgaben verantwortlich, die dadurch entstehen, dass Ideaform deinen Anweisungen oder Anfragen gemäß der Vereinbarung (einschließlich dieser Datenverarbeitungsrichtlinie) nachkommt, die über die Standardfunktionalität hinausgehen, die von Ideaform allgemein über die Dienste zur Verfügung gestellt wird.
Wenn du Fragen zu dieser Datenverarbeitungsrichtlinie hast, kontaktiere uns bitte unter privacy@format.com.
Unsere Adresse:
Ideaform Inc. 125-720 King Street West, Suite 2000 Toronto, Ontario M5V 3S5 Canada
1.888.568.8276