9 June 2023 — Pobl Tech
1. Scope and Purpose of Processing
1.1 Pobl Tech (the “Processor”) shall only process personal data on the documented instructions of you (the “Controller”), in accordance with the services agreed in these Terms and Conditions, unless required by law. This includes the type, duration, and scope of processing, all of which shall be specified by the Controller to ensure alignment with GDPR requirements.
1.2 Any additional processing activities outside the scope specified by the Controller must receive explicit prior written consent from the Controller.
2. Duration and Termination
2.1 Pobl Tech will retain personal data only for as long as necessary to fulfil the specified purposes or as otherwise directed by the Controller. Upon completion or termination of services, Pobl Tech will cease processing and follow the Controller’s instructions regarding return or deletion.
2.2 Where retention is required by applicable law or to comply with legal obligations, Pobl Tech will securely store the data solely for the specified retention period.
3. Confidentiality
3.1 Pobl Tech ensures that all employees, contractors, or any individuals acting on behalf of Pobl Tech who have access to personal data are bound by strict confidentiality agreements and undergo regular data protection training.
3.2 Pobl Tech will ensure that these individuals have access only to the data necessary to fulfil their specific roles.
4. Security Measures
4.1 Pobl Tech shall implement and maintain appropriate technical and organisational security measures, including but not limited to encryption, access controls, and secure data storage, in line with Article 32 of the GDPR, to prevent unauthorised access, loss, or misuse of personal data.
4.2 Pobl Tech conducts regular risk assessments and updates its security practices to ensure data protection in line with industry standards and the evolving threat landscape.
5. Use of Sub-Processors
5.1 Pobl Tech will not engage sub-processors without the prior specific or general written consent of the Controller. Should a new sub-processor be engaged, Pobl Tech will notify the Controller and allow sufficient time to object if desired.
5.2 Pobl Tech shall ensure any approved sub-processors are also bound by equivalent contractual obligations for data protection, confidentiality, and security.
6. Data Subject Rights
6.1 Pobl Tech shall assist the Controller, to the extent possible, in fulfilling their obligation to respond to data subject requests, such as requests for access, rectification, erasure, or data portability, as required by GDPR.
6.2 Any requests received by Pobl Tech directly from data subjects will be promptly forwarded to the Controller for action, unless Pobl Tech is legally prohibited from doing so.
7. Data Breach Notifications
7.1 In the event of a personal data breach, Pobl Tech will notify the Controller without undue delay and provide all necessary information to support the Controller in managing the breach.
7.2 Pobl Tech will assist in determining the likely consequences of the breach and any required notifications to data subjects and regulatory authorities.
8. Data Protection Impact Assessments and Prior Consultation
8.1 Pobl Tech will assist the Controller in conducting Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities when processing activities are likely to result in high risk to data subjects’ rights and freedoms.
8.2 Upon request, Pobl Tech will provide documentation or other evidence needed for DPIAs to demonstrate compliance with GDPR requirements.
9. Data Return and Deletion at Contract Termination
9.1 Upon termination of the services or at the Controller’s request, Pobl Tech will either securely delete or return all personal data in its possession, including all copies, unless legally required to retain it.
9.2 Deletion procedures will be verified and documented to ensure compliance, and data shall be rendered irrecoverable wherever possible.
10. Audit and Documentation of Compliance
10.1 Pobl Tech will maintain records of all processing activities and, upon request, will provide the Controller with necessary information to demonstrate compliance with these processing terms.
10.2 The Controller may conduct, or mandate an independent auditor to perform, audits or inspections of Pobl Tech’s facilities and processing practices. Such audits will be conducted in line with reasonable procedures and terms to protect both parties’ confidential information.
10.3 Pobl Tech shall cooperate fully with any audits and inspections, providing access to relevant personnel, systems, and data processing records to demonstrate compliance with Article 28.