This Data Processing Schedule (Schedule) forms part of the BulkSMS Terms of Service (Agreement) entered into between you and BulkSMS (us and we as applicable) together the Parties and each a Party.
Processing of Company Personal Data
Role of Parties: The Parties acknowledge that for the purposes of this Schedule, we act as a processor and you are the controller in relation to Company Personal Data.
The Parties will comply with all applicable Data Protection Laws in the Processing of Company Personal Data.
We will only Process Company Personal Data on behalf of and in accordance with your relevant instructions and while carrying out our obligations under the Agreement, unless other processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case the Contracted Processor will, to the extent permitted by law, immediately inform the Company of that legal requirement before processing that Company Personal Data.
description of the types of Processing we will carry out and the types of Company Personal Data Processed under this Agreement and
the types of Data Subjects your Company Personal Data relates to.
You agree to update us (as soon as practicable) if the details in Annex 1 are incorrect or change.
We shall give you prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 10 days of receipt of that notice:
you have not notified us in writing of any objections (on reasonable grounds) to the proposed appointment of that Subprocessor we will assume that you have consented to the appointment of that Subprocessor; or
if you notify us in writing of any objections (on reasonable grounds) to the proposed appointment we shall do one of the following: (i) not appoint that Subprocessor; (ii) not disclose any Company Personal Data to that Subprocessor; or (ii) not disclose any Company Persona Data to that Subprocessor until reasonable steps have been taken to address the objections you raised and you have been informed of and agreed to that Subprocessor based on the reasonable steps taken.
With respect to each Subprocessor we shall:
before the Subprocessor Processes Company Personal Data (or, where relevant, in accordance with clause 3.2), carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Agreement and this Schedule;
ensure that the arrangement between us and the relevant intermediate Subprocessor is governed by a written contract including terms which meet the requirements of Article 28(3) of the GDPR.
Data Subject Rights
We shall promptly notify you if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
ensure that the Contracted Processor does not respond to that request except on your documented instructions, or as required by Applicable Laws to which the Contracted Processor is subject, in which case we shall to the extent permitted by Applicable Laws inform you of that legal requirement before the Contracted Processor responds to the request;
implement appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations under the Data Protection Laws; and
where you require our assistance to respond to a Data Subject request, use commercially reasonable efforts to assist you and to the extent legally permitted, and you shall be responsible for the costs arising from our assistance.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
We will take reasonable steps to ensure any of our personnel who Process the Company Personal Data, have been informed of the confidential nature of the Company Personal Data and are commited to keeping the Company Personal Data confidential.
In assessing the appropriate level of security we shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
Personal Data Breach: We shall notify you without undue delay if we become aware of a Personal Data Breach and provide you sufficient information to meet your legal obligations. On your reasonable request we shall take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
Upon your request and to the extent required by the GDPR we shall provide reasonable assistance to you where you are fulfilling your obligations under the GDPR by carrying out a data protection impact assessment, as follows:
to the extent that the assessment you are carrying out directly relates to the Processing of Company Personal Data, you do not otherwise have access to the information and such information is available to us; and
where you reasonably require our assistance with prior consultations with Supervising Authorities or other competent data privacy authorities.
Subject to clause 7.3, you (as data exporter) and each Contracted Processor, as appropriate, (as data importer) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from you to that Contracted Processor. The Standard Contractual Clauses are available here.
The Standard Contractual Clauses shall come into effect under clause 7.1 on the commencement of the relevant Restricted Transfer.
Clause 7.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
Subject to reasonable notice (not less than 30 days) and your reasonable request to demonstrate compliance with this Schedule we shall (subject to obligations of confidentiality):
make available information directly relating to your Company Personal Data and necessary to demonstrate your compliance with Article 28(3) of the GDPR;
shall allow you or an independent auditor appointed by you, to carry out audits, including inspections, in relation to the Processing of Company Personal Data by the Contracted Processors,
and you agree to take all reasonable measures to limit any impact on the Contracted Processors.
Deletion or return of Company Personal Data
Within four months after the termination or expiry of this Schedule, we shall destroy or return to you (where you make such a request), all Company Personal Data in our possession or control unless any Applicable Laws require that we retain Company Personal Data.
10. General Terms
Order of Precedence: In the event of any conflict or inconsistency between the agreements entered into between the Parties the Standard Contractual Clauses shall prevail, then the Schedule, followed by the Agreement.
Obligations under the Agreement: Subject to clause 10.1, nothing in this Schedule reduces the Parties’ obligations under the Agreement and all clauses in the Agreement will continue to apply unless they conflict with the Applicable Laws, including but not limited to: governing law and jurisdiction and limitation of liability.
Legal effect: This Schedule is entered into and becomes a binding part of the Agreement with the Effective Date being the date you accept online the Agreement and this Schedule, which forms part of the Agreement.
Annex 1 details of processing of company personal data
This Annex 1 includes certain details of the Processing of Company Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Company Personal Data
The subject matter and duration of the Processing of Company Personal Data are set out in the Agreement and this Schedule.
The nature and purpose of the Processing of Company Personal Data
The nature and purpose of the Processing of Company Personal Data is further specified in the Agreement and as further instructed by you.
The types of Company Personal Data to be Processed
The types of Company Personal Data to be Processed may include but is not limited to the following:
a Data Subject’s name;
a Data Subject’s work contact details;
a Data Subject’s personal mobile number;
any personal data about a Data Subject which is included in the body of the text message you choose to send via our Services (eg. the Data Subject’s appointment details); and
any other personal data requested by us and/or provided by you, a Data Subject or a third party.
Please note: Personal data about a Data Subject which is included in the body of the text message may include Special Categories of Data, such as health data which relates to that Data Subject.
The categories of Data Subject to whom Company Personal Data relates
The categories of Data Subject to whom Company Personal Data relates are as follows:
your contact person/s who we communicate with;
your employees or contractors who use our Services and actively contact us (including for a support request); and
your customers where you enter their details when using our Services.
Your obligations and rights
Your obligations and rights are set out in the Agreement and this Schedule.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The personal data transferred concern the following categories of data subjects:
as specified in the Agreement and Schedule.
Categories of data
The personal data transferred concern the following categories of data:
as specified in the Agreement and Schedule.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
as specified in the Agreement and Schedule.
The personal data transferred will be subject to the following basic processing activities:
activities reasonably required for the provision of the Services or authorised by you.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
We take technical and organisation security measures to protect the Company Personal Data which we Process.
Details of these technical and organisational security measures can be found here: