This Data Processing Addendum (“DPA”) forms part of and is subject to the provisions of, the Terms and Conditions found at https://www.create.net/about/terms-and-conditions (the “Agreement”).
By agreeing to the Terms and Conditions, You enter into the DPA to the extent required under the applicable UK Data Protection Laws. This DPA is in place to prove adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals for the transfer of Personal Data by the Data Controller to the Data Processor.
In the event of a conflict between the Data Processing Addendum and the Terms and Conditions, this Data Processing Addendum will control.
The definitions outlined within our Terms and Conditions apply to this Data Processing Addendum as well as the following definitions:
Data Processor - means any entity (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller
Data Controller - means any person or company who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
Website - means the website that you manage that is maintained through our Services.
User - means an individual who uses our Site or has registered to use our Services.
Your End Users - means the users, visitors and customers of our Users Websites
EU Data Protection Laws - refers to the UK Data Protection Act 2018 and UK GDPR
UK GDPR - the regulation bringing the General Data Protection Regulation 2016/679 of the European Parliament and of the Council into law within the United Kingdom
Sub-Processors - means any entity engaged by Create to process Personal Data in connection with the Services
Sub-Contractors - any Data Processors that are used by our Sub-Processors
Governing Body - a public authority established by the UK, or any other relevant country, pursuant to the UK GDPR.
Personal Data - means any information that can be used to personally identify an individual.
Data Within Your Control - means the Personal Data in Your Account that Create process on your behalf, and on your instructions as part of the Services, but only to the extent that you are subject to UK Data Protection Law in respect of such Personal Data.
Your Account - means any area of Create.net that you manage which requires you to log in using your designated username and selected password
Third Party Service - means any integration available through our Service that the User has actively chosen to use and thus enter into their own Contract with the relevant service
Data Breach - means a breach of Create’s infrastructure, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed of the Data Within Your Control.
Content - means your Personal Data and any Personal Data provided to us from Your End User
Standard Contractual Clauses - The Standard Contractual Clauses are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) or to a country where there is no adequacy agreement/decision in place between the UK and the relevant country.
This Data Processing Addendum applies to you if you or Your End Users are located in the United Kingdom, European Economic Area (“EEA”), Switzerland. It only applies in regards to Data Within Your Control.
You agree that we are not responsible for the Data Within Your Control that you have chosen to process through any Third Party Services or services outside of the Services we provide to you at Create.
3.1 Description of Roles
For the purposes of this DPA, unless explicitly stated, Create is the Data Processor and you are the Data Controller of all the Data Within Your Control.
3.2 Description of Processing Activities
Depending on how you use the varied functionality and integrations available through our Services, Create will be required to process Data Within Your Control, including that of Your End Users, in order for us to provide our Services.
3.3 Ensuring Compliance with the Law as the Data Controller
You will ensure that any actions taken within the Services, and thus the instructions, are in full compliance with any laws, regulations and rules that are applicable to the Data Within Your Control. Furthermore, you will also ensure that the Data Within Your Control is collected and provided to us in line with the aforementioned laws, regulations and rules, where applicable.
You also agree that the processing of any Data Within Your Control as per the actions instructed through the Services, will not result in us or you breaching any laws, regulations or rules. You are responsible for reviewing any information that is made available to us as a result of us actioning this Addendum and whether this Addendum itself, as well as the Services, meet the required legal obligations. Further to this, you are also responsible for your legal obligations that arise when you agree to this Addendum.
Create will under no circumstances access or use any Data Within Your Control except as detailed in this Addendum, necessary for us to maintain and provide the Services or if required to do so by the Law or an appropriate Governing Body.
3.4 Create as the Data Controller
Please note that if we provide any information to you, in which we are the Data Controller of, that relates to your Website (i.e Your End Users activity on your site) then you receive that information as a separate Data Controller and how you handle that data needs to be in compliance with the UK Data Protection Laws. When Create process Personal Data as a Data Controller, you agree to the fact that this Addendum does not create a joint-controller relationship between you and us.
4.1 How we will Process Data as the Processor
We will process Data Within Your Control in accordance with this Addendum as well as the actions required of us as instructed by you in Your Account. You agree that this Addendum, and the actions taken and thus instructions given by you within Your Account are your complete and final instructions to us in relation to the Data Within Your Control.
We will immediately inform you if we feel that your instructions infringe on the applicable UK Data Protection Law or for any reason, we are unable to carry out your instructions. If your instructions prevent us from complying with the applicable laws, we will notify you. However, we will not notify you when such disclosure is forbidden by applicable law on the important grounds of public interest.
4.2 How we will assist you in Complying
When complying with any requests relating to Data Within Your Control received from Your End User as a Data Controller, we have provided reasonable tools within Your Account that enable you to comply and fulfil your obligations as a Data Controller when you have received any request from Your End Users regarding their Personal Data. In the instances where you are not able to comply using the tools available within Your Account and complicated action is required to remove the Personal Data in question, we will provide, where possible, a reasonable quotation (upon request) based on the action that is required to complete this on your behalf.
4.3 Any Requests Regarding the Data In Your Control
Some of the Data Within Your Control is accessible and thus removable through Your Account. With respect to any Data Within Your Control that is not accessible and thus removable within Your Account, a request can be made to us in order for you to take relevant action that is otherwise not possible. The request must be made in writing and must include details of Your End User and the Personal Data that the request is referring to, along with any relevant action required to be taken.
Once the request has been received and validated, we will, where applicable:
The request will be actioned in accordance with the above except if the request is subject to the limitations as set out in this Data Processing Addendum or restricted by law and/or a governing body, where applicable.
4.4 What we do when we Receive an Inquiry or Complaint
If we are permitted to do so by the relevant applicable law, we will provide you notice upon receiving an inquiry or complaint from any of ‘Your End Users’, or if required to do so by the law or any lawfully binding order from a Governing Body that relates to the Data Within Your Control that we have processed on your instructions and thus, on your behalf.
4.5 Security Incidents and Security
We will at all times ensure that Data Within Your Control is adequately protected in accordance with the requirements of the UK GDPR. To do so, we agree that we will implement an appropriate level of technical, organisational and procedural measures to protect the Data Within Your Control from security incidents.
If we become aware of and confirm any security incident, for which notification to you is required under applicable EU Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.If we become aware of and confirm any security incident, for which notification to you is required under applicable UK Data Protection Laws which consists of the unpermitted, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to any Data Within Your Control we will inform you without any undue delay, and in no event longer than 48 hours after we discover the security incident.
We will always cooperate reasonably with you and provide you with the information you need in order to fulfil your Data Breach obligations under the UK GDPR. We will also take further measures and actions that are necessary to fix or mitigate the effects of the security incident and we will keep you informed of any material development related to the security incident. Unless required by law we will not take action to notify Your End Users of any security breach. Create may also use external or internal auditors to verify that the security measures that we have in place are adequate in protecting the Data Within Your Control that we store.
4.6 Notifying you of a Data Breach
When we are made aware of and confirm the occurrence of a Data Breach, where obligated or deemed necessary, we will immediately notify you in line with the requirements set out in UK Data Protection Laws. In order for us to assist you in complying with your notification obligations as set out in the UK GDPR, we will provide you with information of the Data Breach that we are reasonably able to disclose with you. The information disclosed will be based upon the type of data involved with the Data Breach, the sensitivity of the data, and if it is subject to any restrictions that prevent us from disclosing information. Our duty to report and respond to a Data Breach as detailed in ‘Notifying you of a Data Breach’ is not and must not be misinterpreted as Create acknowledging any fault or liability in regards to the Data Breach. However, Create’s obligations as detailed above do not apply to incidents that are caused by you, any actions taken through Your Account and/or any Third Party Services.
In the course of providing our Services, we may be required to contract with a Sub-Processor to perform a portion of the Services. You agree that we can share Data Within Your Control with Sub-Processors in order to provide the Services to you. A list of our current Sub-Processors is available upon request by sending an email to firstname.lastname@example.org.
You acknowledge and agree that Create will use Sub-Processors to process Personal Data and any Data Within Your Control in order for us to provide the Services. Our use of any specific Sub-Processor used must be in compliance with the UK Data Protection Laws and must be governed by a contract between Create and the Sub-Processor.
You may object to any of the Sub-Processors used on the grounds that the request is related to data protection concerns, to do so email email@example.com. If your objection is validated, we will work with you to find a viable alternative for providing the Services without using the Sub-Processor or Sub-Processors in question. If there is no reasonable action found that we can take and you still object to the Sub-Processor being used after notification, you will have the option to terminate Your Account with Create or, where possible, relinquish use of the part of the Services that require the Sub-Processor in question. If you object to the Sub-Processors that we use and there is no workaround for you to use the Services in any sense without using Sub-Processors in question, then please do not use the Services.
Regardless of any Sub-Processors that we use, Create will remain responsible for maintaining it’s compliance with the UK Data Protection Laws, including any Data Breaches that involve our Sub-Processors and their sub-contractors in relation to the Data Within Your Control.
4.8 Questions in Regards to our Compliance
We will, to a reasonable extent, provide information to you upon request regarding our compliance with this Data Processing Addendum, where such information is not otherwise accessible by you. Only the required information will be made available to you in order for you to fulfil your duties under the UK GDPR. (Please note that a non-disclosure agreement may be necessary before any information is shared with you as a result of your request).
You agree for us, where required, to transfer any Data Within Your Control to a different country from which it was originally collected. We will ensure that any transfer away from the country in which the Data From Your Control was first collected, especially outside of the EEA, complies with the UK Data Protection Laws and any other legal framework where applicable, to ensure the adequate level of security for the data transfer. Further to this, where there is no adequacy agreement/decision is in place between the UK and the relevant country, we will ensure that the Standard Contractual Clause’s are in place between Us and the company we are transferring the data to for processing.
In line with the existing indemnity as outlined in the Terms and Conditions, you indemnify us from any penalties, loss or claims that arise from Your End Users, or from Data Within Your Control as a result of, or in conjunction with, your failure to comply with UK Data Protection Laws and this Data Processing Addendum when using our Service. You agree that when you terminate your Account with us, you agree to remove any Personal Data of Your End Users in a timely manner in which you are able to do so through Your Account. However, you will have the responsibility ensuring these measures comply with the applicable UK Data Protection Laws and the Personal Data of Your End Users is still categorised as Data Within Your Control.
We will charge you for any request, and thus action, which is outside of the reasonable extent necessary for us to comply with any requests made in relation to this Data Processing Addendum.