Data Protection Legislation: The General Data Protection Regulation ((EU) 2016/679) and any national
implementing laws, regulations and secondary legislation, as amended or updated from time to time, in
Ireland and then (iii) any successor legislation to the GDPR or the Data Protection Acts 1988 & 2003
DEFINITIONS
“Customer” is the purchaser of the services of Team Blue Internet Services IE Limited t/a Hosting Ireland
(“Hosting Ireland”) of Deltona House, Six Cross Roads Business Park, Waterford, X91TX8Y
“Database Software” is a software program or utility used for creating, editing and maintaining
database files or records, such as (but not limited to) MySQL and MariaDB.
“Logical Security” is the protection of computer software (“Operating System”) of Hosting
Ireland’s platform, including user identification and password access, authentication, access rights. These
measures are to ensure that only authorised users are able to perform actions or access information on our
platform.
“Parties” are Hosting Ireland together with the Customer.
“Physical Security” is the protection of hardware, software, network and data from physical action and
events that could cause serious loss or damage to Hosting Ireland’s platform. This includes protection from
fire, flood, natural disasters, theft and vandalism.
“Software” is defined as (but not limited to) WordPress, Magento, Spreadsheets, Documents, customers’
code.
- DATA PROTECTION LEGISLATION
Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.
- ROLES
- 2.1 The parties acknowledge that for the purposes of the Data Protection Legislation,
Team Blue Internet Services IE Limited t/a Hosting Ireland (“Hosting Ireland”) is the data processor.
- 2.2 This data processing agreement should be read in conjunction with Hosting Ireland’s
acceptable use policy and terms and conditions.
- 2.3 The duration of the processing shall be from the date of the Customer’s acceptance of this
agreement, until the agreement expires or terminates in accordance with the expiry or
termination of the Customer’s services with Hosting Ireland.
- 2.4 The categories of Data Subjects are those whose personal data are provided or made available
to Hosting Ireland by or on behalf of the Customer through the use or provision of the services
purchased by the Customer (the “Services”) and shall exclude special categories of personal data
or data relating to criminal convictions and offences.
- 2.5 Hosting Ireland shall process the personal data for the Customer in accordance with article
4 no. 2 and article 28 of the GDPR.
- HOSTING IRELAND’S RESPONSIBILITIES
- 3.1 Hosting Ireland’s responsibilities with regard to the processing of personal data provided
by the Customer in its use of the Services are limited to providing adequate security measures to
store the data uploaded by the Customer onto the hosting platform. Hosting Ireland is
responsible for the Physical Security of its platform, and the Logical Security of the Operating
System and the Database Software which serves the Customer’s database. Hosting Ireland is not
responsible for the security of the data however populated within such databases and/or hosting
space by the Customer, or Software managed by the Customer and the access to the data that this
has. This is the sole responsibility of the Customer.
- 3.2 Hosting Ireland shall, in relation to any personal data processed in connection with the
performance by Hosting Ireland of its obligations under this agreement:
- (i) process that personal data only on the written instructions of the Customer, unless
Hosting Ireland is otherwise required to do so by the laws of any member of the European
Union or by the laws of the European Union that apply to Hosting Ireland (“Applicable
Laws”). Where Hosting Ireland is required by Applicable Laws to process personal data,
Hosting Ireland shall promptly notify the Customer of this before performing the
processing required by the Applicable Laws unless those Applicable Laws prevent Hosting
Ireland from notifying the Customer;
- (ii) pursuant to article 32 of the GDPR, ensure that it has appropriate technical and
organisational measures in place in order to protect against any unauthorised or
unlawful processing of personal data, accidental loss or destruction of personal data,
and damage being caused to personal data. Such measures are set out in appendix 1 of
this agreement.
- (iii) ensure only personnel required for the purposes of carrying out this agreement
have access to, and that all personnel who have access to and/or process personal data
are obliged to keep the personal data confidential;
- (iv) if the Customer is unable to access the relevant information, to assist the
Customer, and in any event, at the Customer’s cost, provide reasonable assistance in
responding to any request from a supervising authority or a data subject and in ensuring
compliance with its obligations under the Data Protection Legislation with respect to
security, breach notifications, impact assessments and consultations with supervisory
authorities or regulators;
- (v) notify the Customer on becoming aware of a personal data breach;
- (vi) in accordance with Hosting Ireland’s standard policies, delete, or return (at the
Customer’s cost) in a format determined by Hosting Ireland, personal data and copies
thereof, on termination of the agreement, unless required by any Applicable Laws to
continue to store the personal data; and
- (vii) maintain complete and accurate records and information to demonstrate its
compliance with this clause and allow for audits to be carried out by the Customer, only
so far as is necessary in order to demonstrate compliance, provided that the Customer
(a) provides Hosting Ireland with no less than 30 days’ notice of such audit or
inspection; (b) refunds Hosting Ireland for all reasonable costs and expenses that it
incurs as a result of any such audit or inspection; and (c) both parties agree the scope,
duration and purpose of such audit or inspection. If the Customer becomes privy to any
Confidential Information of Hosting Ireland as a result of this clause, the Customer
shall hold such Confidential Information in confidence and, unless required by law, not
make the Confidential Information available to any third party, or use the Confidential
Information for any other purpose. The Customer acknowledges that Hosting Ireland shall
only be required to use reasonable endeavors to assist the Customer in procuring access
to any third party assets, records or information as part of any audit; and
- (viii) to provide a list of sub-processors engaged to fulfil Services by sending an email
request to dpo@hostingireland.ie
- THE CUSTOMER’S RESPONSIBILITIES
- 4.1 The Customer acknowledges that Hosting Ireland has no knowledge of the type/content
of any personal data received, stored, or transmitted to Hosting Ireland’s platform, by using
the Services.
- 4.2 If Hosting Ireland believes or becomes aware that its processing of Customer personal
data is likely to result in a high risk to the data protection rights and freedoms of Data
Subjects, it shall inform Customer and provide reasonable cooperation to Customer (at the
Customer's expense) in connection with any data protection impact assessment that may be
required under Applicable Data Protection Law.
- 4.3 In respect of personal data which the Customer receives, stores, or transmits using
the Services, the Customer:
- (i) will ensure, and warrants that, it has all necessary and appropriate consents
and notices in place to ensure that it can lawfully transfer the personal data to
Hosting Ireland, for the duration and purposes of this agreement;
- (ii) undertakes that its use of the Services for processing personal data will
each (i) comply with privacy laws or regulations applicable to its Processing of
Customer Personal Data, (ii) not cause Hosting Ireland to infringe Applicable Data
Protection Law. The Customer will ensure that it has all necessary consents, notices
and other requirements in place to enable lawful processing of the customer personal
data by Hosting Ireland for the duration and purposes of this agreement;
- (iii) shall, unless otherwise provided for in the agreement, be solely
responsible for the legality, confidentiality, integrity, availability, accuracy and
quality of all data it processes;
- (iv) shall be solely responsible for ensuring the safety and security of all the
data it controls and processes. The Customer warrants it has relevant and appropriate
security measures in place to adequately protect the personal data it
collects/processes. The Customer must verify the adequacy of Hosting Ireland’s security
measures as appropriate for the type of personal data the Customer collects/processes
and stores on Hosting Ireland’s platform. The Customer should refer to the Acceptable
Use Policy to ensure it is not in breach of Hosting Ireland’s terms and conditions.
- (v) is solely responsible for responding to any request from a data subject and
in ensuring its own compliance with its obligations under Data Protection Legislation
with respect to security, breach notifications, impact assessments and consultations
with supervisory authorities or regulators;
- (vi) shall indemnify Hosting Ireland against any claims, actions, liabilities,
proceedings, direct losses, damages, expenses, fines and costs (including without
limitation court costs and reasonable legal fees) incurred by Hosting Ireland as a
direct result of any negligence, willful misconduct, or breach of the Data Protection
Legislation of the Customer.
- THIRD PARTY PROCESSING
- 5.1 The Customer grants Hosting Ireland the authorisation to appoint (and permit
each third party processor appointed in accordance with this section 5 to appoint) third
party sub-processors in accordance with this section 5.
- 5.2 Hosting Ireland may appoint alternative third party processors to provide
materially like for like services to the Customer as part of the Services subject to:
(a) Hosting Ireland entering into a written agreement with such third party processor
incorporating terms which are substantially similar to those set out in this agreement;
and (b) such third party processor being able to demonstrate at least as high a standard
of service quality and compliance as the previously appointed third party processor.
- 5.3 The Customer agrees to Hosting Ireland giving any such sub processors access
to the Customer's details so that Hosting Ireland can deliver the Services under the
agreement. The Customer further agrees that those sub processors may be based outside of
the country in which the Customer has chosen to store Customer Personal Data, subject to
Hosting Ireland taking steps to ensure transfer protections are in place if transfers
are made to those sub processors. Hosting Ireland requires that its sub processors
maintain security and data protection practices that are consistent with the agreement.
- Indemnity
- 6.1 The Controller shall indemnify and hold harmless on demand Hosting Ireland
for any loss, damage, liabilities, penalties, expenses or fines incurred, whether
foreseeable or unforeseeable or direct or indirect, (“losses”) as a result of:
- 6.1.1 The Controller breaching its obligations under clause 1 (Data
Protection Legislation);
- 6.1.2 Any unsuccessful claim by a data subject when such claim holds both
Controller and Hosting Ireland as jointly and severally liable under the GDPR.
- 6.2 Where under GDPR Hosting Ireland and the Controller incur joint and several
liability, as Controller and Processor with any other person, and, as such, Hosting
Ireland incurs losses, other than for damage caused by processing where it has not
complied with obligations under GDPR specifically directed to Processors or where it has
acted outside or contrary to the Controller’s lawful instructions under these terms and
conditions, the Controller shall indemnify Hosting Ireland on demand against all such
losses, save for such liability as corresponds directly to Hosting Ireland’s part of the
responsibility for the damage caused by Hosting Ireland’s breach of the obligations of
GDPR or under these terms and conditions.
- Limitation of Liability
- 7.1 Neither party excludes or limits liability to the other party for any matter for
which it would be unlawful for the parties to exclude liability.
- 7.2 Subject to Clause 7.1 above, with respect to any claim relating to a breach of the
GDPR or a breach of this Addendum, Hosting Ireland shall not in any circumstances be liable to
the Controller whether in contract, tort, including for negligence and breach of statutory duty
howsoever arising, misrepresentation, whether innocent or negligent, restitution or otherwise,
for:
- 7.2.1 Any loss, whether direct or indirect, of profits, business, business
opportunities, revenue, turnover, reputation or goodwill; and
- 7.2.2 Any loss or corruption, whether direct or indirect, of personal data or
information;
- 7.3 Subject to Clause 7.1 above, Hosting Ireland’s total aggregate liability to the
Controller in contract, tort, including negligence and breach of statutory duty howsoever
arising, misrepresentation, whether innocent or negligent, restitution or otherwise, arising in
connection with a breach of GDPR or a breach of this Addendum or any collateral contract shall
in all circumstances be limited to the greater of:
- 7.3.1 The Charges paid or payable by the Controller to Hosting Ireland under the
relevant contract in the Initial Term; or
- 7.3.2 The total Charges paid or payable by the Controller to Hosting Ireland
under the relevant contract in the contract year concerned.
- Governing Law and Jurisdiction
This Addendum and any dispute or claim arising out of or in connection with it, or its subject matter or
formation, including non-contractual disputes or claims, shall be governed by, and construed in
accordance with, Irish law. The parties agree that the courts of Ireland will have exclusive
jurisdiction to settle any dispute, whether contractual or non-contractual, arising from or in
connection with the Addendum.
Hosting Ireland reserves the right to change these terms and conditions without notice. In order to
avoid doubt, such terms and conditions are referenced at the checkout and on all invoices. By confirming
acceptance at the checkout or payment of invoices the Applicants and/or existing Clients confirm their
ongoing acceptance of the terms and conditions. It is the Applicant’s and/or Client’s responsibility to
check these terms and conditions before accepting them.
Appendix 1 - Technical and Organisational Measures in Accordance with Article 32 GDPR
- Confidentiality
- 1.1 Building Security & Access Control:
- 1.1.1 Hosting Ireland’s primary data centre has external and internal CCTV systems, with
a dedicated security team manned 24x7.365. All members of this team are vetted to the SIA and
BS7858 standards.
- 1.1.2 Hosting Ireland’s primary data centre access is controlled via
air-lock door, biometric security and photo ID is required for all visitors.
- Electronic Access Control
- 2.1 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer
solution servers:
- 2.1.1 Server root passwords are only known to Hosting Ireland, either at initial
deployment of the server or when the Customer has provided Hosting Ireland with the
details in order to assist with troubleshooting. Hosting Ireland only stores Customer’s
passwords in an encrypted format. It is the Customer’s responsibility to ensure
passwords are secure and changed when required.
- 2.2 For Managed dedicated / VPS / Cloud servers:
- 2.2.1 Server root passwords are only known to Hosting Ireland. Passwords are
restricted to authorised staff and controlled using authentication systems such as LDAP,
Radius and cryptographic key. Customers may have access to the server using a third
party control panel.
- 2.3 For Control Panel / Web Hosting (FTP/SFTP):
- 2.3.1 Server root passwords are only known to Hosting Ireland. Passwords are
restricted to authorised staff and controlled using various authentication systems such
as LDAP, Radius and cryptographic key. Customers may have access to the server using a
third party control panel.
- 2.3.2 Before Customer account access is enabled via the Online Control Panel,
unique usernames and passwords need to meet Hosting Ireland’s minimum-security
requirements and passwords are encrypted. Hosting Ireland only stores Customer’s
passwords in an encrypted format.
- 2.3.3 Customer account access can be restricted to require Two Factor
Authentication. This can be enabled in the Security Settings section of the
Customer’s Online Control Panel.
- 2.4 For Web Site Builder:
- 2.4.1 All Customer passwords are encrypted and only known to the Customer.
- 2.5 For mailboxes:
- 2.5.1 All Customer passwords are encrypted and only known to the Customer.
- Internal Access Control
- 3.1 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer
solution servers:
- 3.1.1 The responsibility of access control is with the Customer.
- 3.2 For Managed dedicated / VPS / Cloud server:
- 3.2.1 Hosting Ireland shall prevent unauthorised access by applying necessary
security updates regularly. It is the Customer’s responsibility to ensure that they
restrict to whom they provide access.
- 3.2.2 Hosting Ireland shall ensure access is restricted to only those employees
that need to access the system in order to perform their duties within the organisation.
- 3.3 For Control Panel / Web Hosting
- 3.3.1 Hosting Ireland shall ensure access is restricted to only those employees
that need to access the system in order to perform their duties within the
organisation.
- 3.4 For Web Site Builder
- 3.4.1 Hosting Ireland shall ensure access is restricted to only those employees
that need to access the system in order to perform their duties within the
organisation.
- 3.5 For Mailboxes:
- 3.5.1 The responsibility of access control is with the Customer.
- 3.5.2 Hosting Ireland shall ensure access is restricted to only those
employees that need to access the system in order to perform their duties within the
organisation.
- Transfer Control
- 4.1 For Control Panel / Web Hosting / Web Site Builder, Website / mailboxes:
- 4.1.1 When a Customer’s service is not renewed and/or is cancelled with Hosting
Ireland, the Customer’s hosting and data stored on the hosting account is deleted
including but not limited to any databases Customers have created for use with the
Service. It is the Customer’s responsibility to delete any data from their hosting
space, databases or servers before expiry of their Service term.
- 4.2 For self-managed dedicated / VPS / Cloud servers, colocation servers and Customer
solution servers:
- 4.2.1 When a Customer ends their rental agreements with Hosting Ireland, we
ensure that the server is delegated into our cancellation delegation where we securely
wipe the data on the disks.
- 4.3 For Managed dedicated / VPS / Cloud servers:
- 4.3.1 When a Customer ends their rental agreement with Hosting Ireland, the
server is delegated into the cancellation delegation where the data is securely wiped
from the disks.
- 4.4 Failed disks out of warranty / disks
- 4.4.1 Failed disks and disks older than three years are removed and disposed of
securely in line with our Disposal and Destruction Policy.
- Isolation Control
- 5.1 For Control Panel / Web Hosting / Web Site Builder, Website / mailboxes:
- 5.1.1 The Customer is responsible for Isolation control.
- 5.2 For self-managed dedicated / VPS / Cloud servers, colocation servers and
customer solution servers:
- 5.2.1 The Customer is responsible for Isolation control.
- 5.3 For Managed dedicated / VPS / Cloud servers:
- 5.3.1 Data shall be physically or logically isolated.
- 5.3.2 Backups of the data shall also be performed using a similar system of
physical and logical isolation.
- Pseudonymisation
- 6.1 For Hosting Ireland’s internal system:
- 6.1.1 Hosting Ireland will ensure that all non-production systems have
pseudonymised data.
- 6.2 For Control Panel / Web Hosting / Web Site Builder, Ecommerce or Build me website /
mailboxes:
- 6.2.1 The Customer is responsible for pseudonymisation.
- 6.3 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer
solution servers:
- 6.3.1 The Customer is responsible for pseudonymisation.
- 6.4 For Managed dedicated / VPS / Cloud servers:
- 6.4.1 The Customer is responsible for pseudonymisation.
- Integrity
- 7.1 Data Transfer Control:
- 7.1.1 Hosting Ireland employees are trained to ensure that personal data is
handled in accordance with appropriate data protection regulations.
- 7.1.2 Data will be removed in accordance with Hosting Ireland’s Data Retention
Policy, when a Customer’s contract is not renewed or cancelled.
- 7.1.3 The Customer is responsible for ensuring that the data transmitted is
encrypted.
- Data Entry Control
- 8.1 For Hosting Ireland’s internal system managing data collection:
- 8.1.1 Data is entered or collected by the Customer.
- 8.1.2 Changes in data are logged in the appropriate Hosting Ireland system.
- 8.2 For Control Panel / Web Hosting / Web Site Builder, Ecommerce or Build me website /
mailboxes:
- 8.2.1 The Customer is responsible for input control. Data is entered or collected
by the Customer.
- 8.3 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer
solution servers:
- 8.3.1 The Customer is responsible for input control. Data is entered or collected
by the Customer.
- 8.4 For Managed dedicated / VPS / Cloud servers:
- 8.4.1 The Customer is responsible for input control. Data is entered or collected
by the Customer.
- Availability and Resilience (Article 32 Para. 1 Clause b GDPR)
- 9.1 For Hosting Ireland’s internal system:
- 9.1.1 Daily backups of all relevant data realigned for fulfilment of the Services
- 9.1.2 Employment of security measures (virus scanning, firewalls, encryption of
data only where appropriate, spam filters).
- 9.1.3 Employment of Raid protection on all relevant servers.
- 9.1.4 Monitoring of all relevant servers.
- 9.1.5 Network security and protection.
- 9.1.6 Data centre power protection (Generators & UPS).
- 9.2 For Control Panel / Web Hosting / Web Site Builder, Website / mailboxes:
- 9.2.1 The Customer is responsible for their own Data backups. Where a
Customer purchases a backup product, Hosting Ireland shall provide the tools for a
Customer to ensure they have set up the backup routine. Customer backups are onsite
unless specifically specified by Hosting Ireland.
- 9.2.2 Hosting Ireland’s data centre provider is in control of Data centre power
protection (Generators & UPS).
- 9.3 For self-managed dedicated / VPS / Cloud servers, colocation servers and customer
solution servers:
- 9.3.1 The Customer is responsible for their own Data backups. Where a Customer
purchases a backup product, Hosting Ireland shall provide the tools for Customer to
ensure they have setup the backup routine.
- 9.3.2 The Customer should employ software firewalls and restrict ports.
- 9.3.3 Hosting Ireland’s data centre provider is in control of Data centre power
protection (Generators & UPS).
- 9.4 For Managed dedicated / VPS / Cloud servers:
- 9.4.1 The Customer is responsible for their own Data backups. Where a customer
purchases a backup product, Hosting Ireland shall provide the tools for Customer to
ensure they have setup the backup routine.
- 9.4.2 The Customer should employ software firewalls and restrict ports.
- 9.4.3 Hosting Ireland’s data centre provider is in control of Data centre power
protection (Generators & UPS).
- 9.5 For rapid recovery measures (Article 32 Para. 1 Clause c GDPR):
- 9.5.1 Hosting Ireland has a defined escalation chain which is followed in the
event of known issues in order to address the issues promptly.
- Procedure for regular testing, assessments and evaluation (Article 25 Para. 1 GDPR)
- 10.1 Hosting Ireland has a DIMS (Data Protection Information Security Management System).
- 10.2 Hosting Ireland has Incident response policies.
- 10.3 As per Article 25 Para. 2 GDPR, data protection default settings are taken into
account for Hosting Ireland software development.
- 10.4 Contract / Agreement Control:
- 10.4.1 Hosting Ireland’s terms and conditions, along with the Privacy Policy,
outline the scope of our data processing and use of Customers’ personal data.
- 10.4.2 Hosting Ireland has appointed a Data Protection Officer.