Data Processing Policy
1. Where Tempora is the controller of personal data that is processed in relation to an agreement with a Client, Tempora shall comply with Data Protection Laws in respect of its processing of that personal data.
2. Where the Client is the controller of personal data and Tempora is a processor of that personal data for the Client, Tempora shall comply with the following obligations.
(a) the processing of personal data by Tempora shall be limited to the processing of business contact information.
(b) the Client shall be responsible to ensure that it has the necessary appropriate consents and notices in place to enable it to provide relevant personal data to Tempora for the duration and purposes of the agreement.
(c) Tempora shall, in relation to any personal data processed by it as data processor in connection with the performance of its obligations under the Agreement:
- (i) process that personal data only on the written instructions of the Client (which includes the provisions of the agreement) unless Tempora is required by applicable laws to otherwise process that personal data. Where Tempora is relying on laws of an EU member state or EU or UK law as the basis for processing personal data, Tempora shall promptly notify the Client of this before performing the processing required by the applicable laws unless those applicable laws prohibit it from so notifying the Client;
- (ii) process the personal data in accordance with the specified duration, purpose, type and categories of data subjects as set out in the data processing table for the relevant Tempora service at the end of this Data Processing Policy, or as otherwise notified by the Client to Tempora;
- (iii) ensure that it has in place appropriate technical and organisational measures, which the Client shall be entitled to ask to review and/or approve, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Measures may include, where appropriate, pseudonymisation, encryption, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that access to personal data can be restored promptly after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
- (iv) ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;
- (v) subject to the terms of the relevant agreement with the Client, where the personal data is in the EEA (whether by transfer or otherwise), not transfer any personal data outside of the EEA unless the Client’s prior written consent has been obtained and the following conditions are fulfilled: (i) the Client or Tempora has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) Tempora complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any personal data that is transferred; and (iv) Tempora complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data;
- (vi) assist the Client in responding to any request from a data subject and in ensuring compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
- (vii) notify the Client without undue delay on becoming aware of a personal data breach;
- (viii) at the Client’s written direction, delete or return personal data and copies of it to it on termination of the relevant agreement unless required by applicable law to store the personal data; and
- (ix) maintain complete and accurate records and information to demonstrate its compliance with this Data Processing Policy.
3. Tempora may amend this Data Processing Policy from time to time. The appropriate Policy shall be provided on its website.
Data Processing Table for Tempora clients:
1 Subject matter of the processing As set out in the Terms of Services for use of Tempora
2 Duration The personal data will be processed during the term of the relevant agreement with the Client and as required after it ends in accordance with its terms.
3 Nature and Purpose of the processing The personal data will be processed by Tempora in performing its obligations under the relevant agreement.
4 Types of personal data processed The personal data only includes the following data fields:
Business contact information
5 Categories of Data Subjects in relation to personal data processed The Client’s Users under the relevant agreement