1. Processing Details
Purpose
For the purpose of us providing to you the Services agreed in the Nomi Terms of Use.
Scope and nature of the processing
The scope of the personal data includes personal data about [briefly describe what the personal data concerns] which will be transferred, accessed or stored in digital format by us.
Categories of data subject
- Website Visitors (also referred to as “Visitors”): if you have visited our website but have not interacted with us over the live chat option or filled in any form sharing your details;
- Lead: if you have interacted and shared your details with us so that we can get in touch with you;
- Customer: if you are already making use of our services, be it our free trial model or paid services.
Categories of personal data
Name, Address, Email address, Marketing preference, Location information, IP addresses, etc.
Categories of special category data
GDPR specifies a set of personal data categories which are considered to be “sensitive”, and which require special consideration by Data Controllers. We do not knowingly collect or process any sensitive personal data.
Duration of Processing
For the duration that we provide Services to you, which is for as long as it is necessary for us to process Customer Personal Data.
2. Data Protection Officer(s)
- Our Data Protection Officer:
Name – Sandeep Tyagi
Address – Nomisma Solution Ltd, Suite 22 Winsor and Newton Building, Whitefriars Avenue, Harrow and Wealdstone, HA3 5RN
Email – [email protected]
Contact Number – 020 3021 2326
- Your Data Protection Officer:
Name – Sandeep Tyagi
Email – [email protected]
Contact Number – 020 3021 2326
3. Background
- This Data Processing Addendum (the Addendum) is part of the Nomi Terms of Use (and any related documentation), as updated or amended over time (the Main Agreement), between you, the Customer (as defined below), and us. Any capitalised terms not defined in this Addendum have the meanings given in the Main Agreement.
- This Addendum applies only if Nomi or its sub-contractors process personal data on your behalf where you are considered a controller of that personal data under Applicable Data Protection Law (as defined below). If you previously entered into data processing terms with Nomi, those terms are replaced by this Addendum.
4. Agreed Terms
Definitions and Interpretation
In this Addendum, unless the context otherwise requires, the following expressions have the following meanings:
- Addendum refers to this Data Processing Addendum and includes the Contract Details and any Schedules attached to it.
- Customer Personal Data: the personal data processed by us on your behalf as the Customer under this Addendum and the Nomi Terms of Use (Main Agreement). This personal data being processed is detailed as the ‘Scope and nature of processing’, the ‘Categories of personal data’ and the ‘Categories of data subjects’ in the Contract Details at the front of this Addendum.
- Contract Details: refers to the terms agreed between the Parties in the Main Agreement.
- Data controller, data processor, data subject, personal data, processing and appropriate technical and organisational measures will each have the meanings given to them in the UK GDPR.
- Duration of Processing: the length of time that we will process the Customer Personal Data and for the Subscription Period as described in the Main Agreement.
- DP Regulator: a valid supervisory authority (as defined under the UK GDPR), which in the UK is the Information Commissioner’s Office.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
- Purpose: means the purpose for processing the Customer Personal Data, as detailed in the Main Agreement.
- Sub-Processor(s): any processor, including any agent, sub-contractor or other third party, engaged by us (or by any other Sub-Processor) for carrying out any processing activities in respect of the Customer Personal Data.
- Person: means an individual, a firm, a company, an unincorporated body or a government entity (whether or not having a separate legal identity from its members or owners) and any of its successors, permitted transferees or permitted assignees.
5. Data Protection Roles And Relationship
- The Parties acknowledge that you are the data controller of the Customer Personal Data uploaded, stored and/or transmitted by your personnel via https://www.nomi.co.uk and we are the data processor of the Customer Personal Data.
- Both Parties will comply with all applicable requirements of Data Protection Laws in relation to personal data that is shared or processed under this Addendum. This Addendum does not relieve, remove or replace a Party’s obligations or rights under applicable Data Protection Laws.
6. Data Processing Obligations
- Each Party will maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party will make that information available to any DP Regulator on request.
- To the extent that we process Customer Personal Data on behalf of the Customer, we will:
- process that Customer Personal Data only on the documented instructions of the Customer, which will include processing the Customer Personal Data to the extent necessary for the Purpose, unless we are otherwise required by applicable laws. We will notify you if your instructions infringe Data Protection Laws or other applicable laws;
- implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, including as appropriate:
- the pseudonymisation and encryption of Customer Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- maintain the confidentiality of the Customer Personal Data, not disclose the Customer Personal Data to any third party other than as authorised to do so under this Addendum and ensure that any personnel engaged and authorised by us to process Customer Personal Data have committed themselves to obligations of confidentiality;
- assist you in responding to any request from a data subject and in ensuring your compliance with your obligations under applicable Data Protection Laws. This process will be provided (at your cost) and will include:
- recording and referring all requests and communications received from data subjects or any DP Regulator to you which relate to any Customer Personal Data promptly (and in any event within 5 (five) days of receipt); and
- not responding to any such requests without your express written approval and strictly in accordance with your instructions unless and to the extent required by applicable law.
- promptly (and in any event within 24 (twenty-four) hours):
- notify you if we (or any of the Sub-Processors or our personnel) become aware of any actual occurrence of any Personal Data Breach in respect of any Customer Personal Data; and
- provide all information as you reasonably require to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws.
- Where we are relying on applicable laws as the basis for processing Customer Processor Data under clause _______ above, we will use reasonable efforts to notify you of this before performing the processing required by the applicable laws unless those applicable laws prohibit us from so notifying you.
7. Sub-Processors
- You hereby provide your prior, general authorisation for us to appoint Sub-Processors to process the Customer Personal Data, provided that we:
- will ensure any Sub-Processors will comply with applicable Data Protection Laws, and will comply with terms that are materially similar to those imposed on us in this clause 7;
- will remain responsible for the acts and omissions of any such Sub-Processor as if they were our acts and omissions; and
- will inform you of any intended changes concerning the addition or replacement of the Sub-Processors, giving you the opportunity to object to such changes. Where you object to the changes and cannot demonstrate, in our reasonable opinion, that the objection is due to an actual or likely breach of applicable Data Protection Law, you will indemnify us for any losses, damages, costs (including legal fees) and expenses suffered by us in accommodating the objection.
- We require the services of three organisations that act as Data Processors for us in the provision of our services to you:
- Google Analytics: It helps us to track the movement of a Visitor within our website and how much time is spent by that Visitor, along with other standard log information. They do not capture, store or use any personally identifiable data that you as a Lead or Customer share with us. You can visit Google’s Privacy Policy for more information by clicking here.
- Zendesk Chat: Zendesk is a chat option which is used and operated by Nomisma. Zendesk is legally not allowed to use any data that you have shared with us. You can visit Zendesk’s Privacy Policy on GDPR for more information by clicking here.
- Jot Form: Jot Form is used to collect information which you as a Customer or Lead fill in the forms given on our website. The data that you share on the forms resides with us only and Jot Form is not legally authorized to use the data that you have shared with us. You can visit Jot Form’s Privacy Policy on GDPR for more information by clicking here.
8. International Transfers
We may transfer Customer Personal Data outside of the United Kingdom and European Economic Area as required to process the Customer Personal Data for the Purpose under this Addendum, provided that we will ensure that all such transfers are made in accordance with applicable Data Protection Laws. For these purposes, you will promptly comply with any reasonable request of ours, including any request to enter into standard data protection clauses to safeguard international transfers, as adopted by the UK Information Commissioner.
9. Liability
- Neither Party excludes nor limits any liability for:
- personal injury (including sickness and death) to the extent that such injury results from the negligence or wilful default of a Party or its employees; or
- fraud or fraudulent misrepresentation; or
- any other liability to the extent it cannot be excluded or limited by law.
- Subject to the provisions of this clause 9 (Liability) and the last paragraph of clause 12 (Indemnity) below, our total aggregate liability arising under or in connection with this Addendum, or applicable Data Protection Laws, will be limited to £___.
10. Audit
- We will maintain complete, accurate and up to date written records of all categories of processing activities carried out on your behalf.
- Such records will include all information necessary to demonstrate your compliance with this Addendum and the information referred to in Articles 30(1) and 30(2) of the UK GDPR.
- We will make copies of such records referred to in this clause, available to you promptly on written request by you.
- We will (and will ensure all Sub-Processors will) promptly on written request by you make available to you (at no cost to you) such information as is required to demonstrate our compliance with our obligations under this Addendum and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by you (or another auditor instructed by you) for this purpose annually (if requested) and in the event of an actual or suspected Personal Data Breach.
- Except in the event of an actual or suspected Personal Data Breach, you will provide no less than 30 (thirty) days’ notice to us of any audit under this clause 10 and will use reasonable endeavours to cause minimal disruption to our business during any such audit.
11. Termination And Effect Of Termination
- This Addendum will remain in full effect for the Duration of Processing following which it will automatically terminate.
- Where we no longer require the Customer Personal Data for the Purpose, we will, at your written direction, delete (so far as technically possible) or return Customer Personal Data and any copies to you within 60 (sixty) days of termination of this Addendum, unless we are required by any applicable law to continue to process that Customer Personal Data. Similarly, in the event that the Main Agreement is terminated, we will delete all (so far as technically possible) Customer Personal Data within 60 (sixty) days of termination of this Addendum.
- For the purposes of this clause, Customer Personal Data will be considered deleted where it can no longer be used further by us.
12. Indemnity
- We will indemnify and keep you indemnified against:
- all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to data subjects, demands and legal and other professional costs (calculated on a full indemnity basis and in each case whether or not arising from any investigation by, or imposed by, a supervisory authority) arising out of or in connection with any breach by us of our obligations under this Addendum; and
- all amounts paid or payable by you to a third party which would not have been paid or payable if our breach of this Addendum had not occurred.
- For the avoidance of doubt, the limit of liability set out at clause 9 (Liability) will apply to the indemnity in this clause 12.