1. DEFINED TERMS
Data Protection Legislation means the South African Data Protection Legislation and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and
South African Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in South Africa including The Data Protection Act 2018, the Electronic Communications and Transactions Act, 2002 (‘ECTA’) and the Protection of Personal Information Act 4 of 2013 (POPIA).
2. DATA PROCESSING
2.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 2 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.
2.2 The parties acknowledge that: (a) if Oxford Economics processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the Customer is the controller and Oxford Economics is the processor for the purposes of the Data Protection Legislation; and (b) the table below sets out the scope, nature and purpose of processing by Oxford Economics, the duration of the processing and the types of personal data and categories of data subject.
2.3 Without prejudice to the generality of paragraph 2.1 above, the Customer will ensure that it has all necessary consents and notices in place to enable lawful transfer of the personal data to Oxford Economics for the duration and purposes of this Agreement so that Oxford Economics may lawfully use, process and transfer the personal data in accordance with this Agreement on the Customer's behalf.
2.4 Without prejudice to the generality of paragraph 2.1, Oxford Economics shall, in relation to any personal data processed in connection with the performance by Oxford Economics of its obligations under this Agreement:
(a) process that personal data only on the documented written instructions of the Customer (including this Agreement), unless Oxford Economics is required by South African laws to process personal data, in which case Oxford Economics shall promptly notify the Customer of this before performing the processing unless those laws prohibit Oxford Economics from so notifying the Customer;
(b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled:
(i) the Customer or Oxford Economics has provided appropriate safeguards in relation to the transfer;
(ii) the data subject has enforceable rights and effective legal remedies;
(iii) Oxford Economics complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and
(iv) Oxford Economics complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data;
(c) assist the Customer, at the Customer's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(d) notify the Customer without undue delay on becoming aware of a personal data breach;
(e) at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the Agreement unless required by applicable law to store the personal data (and for these purposes the term delete shall mean to put such data beyond use);
(f) on request, demonstrate its compliance with this paragraph 3 to Schedule 1 and immediately inform the Customer if, in the opinion of Oxford Economics, an instruction infringes the Data Protection Legislation; and
(g) allow for and contribute to audits by the Customer or the Customer's designated auditor in so far as relevant to the personal data processed by Oxford Economics pursuant to this Agreement in the following manner:
(i) Oxford Economics will respond to reasonable queries raised by the Customer or the Customer’s designated auditor regarding the processing of personal data on the Customer’s behalf.
(ii) In the event the Customer reasonably considers that the responses provided by Oxford Economics necessitate further analysis, Oxford Economics shall, in respect of any of its sub-processors, such as any cloud hosting providers, make available such security information which is made available by them (and Customer acknowledges and agrees that Oxford Economics is not able to allow for more extensive audits in this regard), and in respect of its own facilities used for the processing of such personal data, allow for the relevant audit provided that at all times:
(A) information acquired during any such audit shall be treated as Oxford Economics’ confidential information; and
(B) any audit must only be carried out during regular business hours, with at least 30 days’ prior written notice, and with minimum disruption to Oxford Economics.
2.5 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures
2.6 The Customer consents to Oxford Economics appointing third-party processors of personal data under this Agreement. Oxford Economics confirms that it has entered or (as the case may be) will enter a written agreement with any third-party processor into incorporating terms which are substantially similar to those set out in this paragraph 2. As between the Customer and Oxford Economics, Oxford Economics shall remain fully liable for all acts or omissions of any third-party processor appointed by it.
Scope and purpose of processing
Providing the Subscription Services to the Customer and its Authorised Users; sending them marketing communications and general company updates.
Nature of processing:
Collection, recording, structuring, storage, retrieval, verification.
Duration of processing:
Types of Personal Data:
Full names, e-mail address, passwords, records of accessing the Subscription Services, contact information, other information volunteered by users, such as information provided during surveys and Sites' registration, IP address.
Categories of Data Subjects:
Authorised Users of the Subscription Services.