In the course of providing the Services to the Customer PremiumSide Hosting may Process Customer Data on behalf of the Customer. The Parties agree to comply with the following provisions with respect to any Customer Data, each acting reasonably and in good faith.
Unless otherwise defined in this DPA, all capitalized terms have the meanings outlined below:
“Agreement” means the Terms of Service and other relevant policies announced on our website, together with your Order for the purchase of Services and the Order confirmation sent by PremiumSide Hosting.
“Order” means any Customer’s order for purchase of the respective services.
“Site” means the PremiumSide Hosting website and all services we offer through our website.
“Services” means any hosting services we offer and the Customer has purchased that could involve processing of Personal Data by PremiumSide Hosting.
“Partner” means any entity that directly or indirectly controls, is controlled by, or is under common control with the PremiumSide Hosting subject entity. “Control,” for the purpose of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Additional Products” means any features, products, software, programs, addons, plugins, scripts, tools or any other third-party software or content that are not part of the Services but that may be accessible via the PremiumSide Hosting User Area or the Control Panel, installed by the Customer or otherwise for the usage of the Services.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of customer data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Controller” means the natural person or the legal entity which, alone or jointly with others, determines the purposes and means of the processing of customer data;
“Customer Data” means any “Personal Data” that is provided to PremiumSide Hosting by, or on behalf of the Customer through their use of the Services and that is stored in the Customer’s account (for avoidance of doubt Personal Data part of the Customer’s order for purchase of the respective service shall not be treated as Customer Data). Customer Data may include, but is not limited to, customer data within the meaning set in the GDPR.
“Personal Data” has the meaning as given in Article 4 of GDPR.
“Data Protection Regulations and Laws” means all regulations and laws, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Customer Data under this DPA.
“Data Subject” means the identified or identifiable person to whom the Customer Data relates.
“Effective date” means, as applicable:
“Processing” has the meaning as given in Article 4 of GDPR.
“Processor” means the entity which processes Customer Data on behalf of the Controller.
“PremiumSide” means the PremiumSide entity which is a party to this DPA, as specified in the section, a company registered in Malaysia (registration number 201701046663), with address: No. 82B, Jalan Awan Jawa, Taman Yarl, 58200, Kuala Lumpur, Malaysia.
“PremiumSide Group of Companies” means PremiumSide and its related parties engaged in the Processing of Customer Data:
“Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of Customer Data, as described in Article 46, p.2, c) of the GDPR, Appendix 1 to this DPA.
“Sub-processor” means any Processor engaged by PremiumSide Hosting or a member of the PremiumSide Hosting Group.
“Supervisory Authority” means an independent public authority, which is established in United Kingdom within the territory of the EU Member State pursuant to the GDPR.
“Term” means the period from the Effective Date until the end of PremiumSide Hosting’s provisioning of the Services under the applicable Agreement, including, if applicable, any period during which the Services may have been suspended and any post-termination period (namely 60 calendar days) during which PremiumSide Hosting may continue providing Services for transitional purposes.
“Data Protection Losses” means all liabilities, including:
“Notification Email Address” means the email address specified by the Customer in the My Detail section in the User Area to receive certain notifications from PremiumSide Hosting.
This DPA applies where and only to the extent that PremiumSide Hosting processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom (referred herein as “Customer Data”).
This DPA is effective only for the Customer account it was agreed for. If the Customer owns multiple accounts, a DPA will be contracted for each individual account separately.
This DPA shall be valid and legally binding only for the physical/legal entity stated in the account in the User Area and only for the Services purchased directly from PremiumSide Hosting within the respective account.
If the Customer entity agreeing to this DPA is neither a party to an Order nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA.
If European Union Data Protection Laws apply to this DPA, each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Data.
2.3.1 Subject Matter. PremiumSide Hosting will process Customer Data as necessary for the provisioning of the Services, related technical support and other inquiries pursuant to the Agreement and as further instructed by Customer in its use of the Services.
2.3.2. Duration of processing. Subject to Section 11, the duration of data processing shall be the Term designated under the Order and the applicable Agreement.
2.3.3. Nature and Purpose of the Processing. PremiumSide Hosting will process Customer Data for the purposes of providing the Services and related technical support to the Customer in accordance with the Agreement, this DPA and other relevant policies.
2.3.4. Categories of Data Subjects. Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
2.3.5. Categories of Personal Data. Customer may submit Customer Data in the course of its use of the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Personal Data:
The parties acknowledge and agree that:
PremiumSide Hosting shall process Customer Data in accordance with this DPA, which is the Customer’s complete and final instructions to PremiumSide Hosting in relation to processing of Customer Data. Processing outside the scope of this DPA (if any) shall require prior written agreement between PremiumSide Hosting and Customer on additional instructions for processing. By entering into this DPA, Customer instructs PremiumSide Hosting to process Customer data only in accordance with applicable law:
PremiumSide Hosting shall not access or use Customer Data, except as necessary to provide the Services and related technical support to the Customer in accordance with the DPA, the Agreement and other relevant policies.
2.6.1. Customer’s Processing. The Customer shall, in their use of the Services, Process their Data in accordance with the requirements of Data Protection Laws and Regulations applicable to it. The Customer shall have sole responsibility for the accuracy, quality, and legality of their Data and the means by which the Customer acquired this Data.
2.6.2. PremiumSide Hosting’s Processing of Customer Data. PremiumSide Hosting shall only Process Customer Data on behalf of and in accordance with the Customer’s documented instructions for the following purposes:
2.6.3. PremiumSide Hosting’s Compliance with Instructions. As from the Effective Date PremiumSide Hosting shall comply with the described instructions above in the Section Customer’s Instructions, including with regard to data transfers, unless EU or EU Member State law to which PremiumSide Hosting is subject requires other processing of Customer Data by PremiumSide Hosting, in which case PremiumSide Hosting shall inform the Customer (unless that law prohibits PremiumSide Hosting from doing so on important grounds of public interest) via the Site or the Notification Email Address.
Customer Data may be accessed and processed by PremiumSide Hosting, Authorized Users and Sub-processors to fulfill the obligations under this DPA and the respective Agreement or to provide certain services on behalf of PremiumSide Hosting. Such processing will comply with the measures outlined in Sections 3, Section 7 and Annex 2 Security Measures.
2.7.1. Access, Rectification, Restricted Processing, Portability. During the applicable Term, PremiumSide Hosting shall, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via deletion of all or some of the Customer Data under their account or deletion of the whole account as described in Section 2.6. (Return and Deletion of customer data), and via export of Customer Data.
22.214.171.124. Customer’s Responsibility for Requests. If during the applicable Term, PremiumSide Hosting receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”), PremiumSide Hosting shall advise the Data Subject to submit his/her request to the Customer, and the Customer shall be responsible for responding to any such request including, where necessary, by using the functionality of the Services. PremiumSide Hosting shall, to the extent legally permitted, take commercially reasonable steps to notify the Customer about such requests.
126.96.36.199. PremiumSide Hosting Data Subject Request Assistance. Taking into account the nature of the Processing, Customer agrees that PremiumSide Hosting shall provide appropriate technical and organizational assistance, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:
The Customer shall cover PremiumSide Hosting’s reasonable costs of providing assistance in section 188.8.131.52.
PremiumSide Hosting shall enable Customer to delete Customer Data during the applicable Term in a manner consistent with the functionality of the Services and the features as per the respective Order. If the Customer uses the Services to retrieve or delete Customer Data and the Customer Data cannot be recovered, this shall constitute an instruction to PremiumSide Hosting to delete the relevant Customer Data archived on backup systems in accordance with applicable law and within maximum period of 60 calendar days.
Deactivation of the Services or expiry of the applicable Term shall constitute an instruction to PremiumSide Hosting to delete the Customer Data and the relevant Customer Data archived on backup systems within maximum period of 60 calendar days.
Nothing in this Section 2.8 varies or modifies any obligation of PremiumSide Hosting to retain some or all Customer Data as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order).
PremiumSide Hosting shall not disclose Customer Data to any government, law enforcement agencies and other authorities, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order).
PremiumSide Hosting restricts its personnel from processing Customer Data without authorisation by PremiumSide Hosting. Access to Customer Data is limited to those personnel performing a role and responsibilities in accordance with the Agreement.
PremiumSide Hosting imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. PremiumSide Hosting ensures that these confidentiality obligations survive the termination of the personnel engagement.
The Customer acknowledges and agrees that:
3.2.2. Notification. When a new Third Party Sub-processor is engaged to process any Customer Data in connection with the provisioning of the applicable Services during the applicable Term of this DPA, PremiumSide Hosting shall inform the Customer of this engagement, including the category and location of the relevant sub-processor and the activities it shall perform, at least 10 calendar days before authorizing the new Third Party Sub-processor either by sending an email to the Notification Email Address or via the User Area.
When engaging any Sub-processor, SiteGround shall:
3.4.1. Customer may object to any new Third Party Sub-processor by terminating the applicable Agreement immediately upon written notice to PremiumSide Hosting, on condition that Customer provides such notice within 10 calendar days of being informed of the engagement of the sub-processor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
3.4.2. PremiumSide Hosting shall refund Customer any prepaid fees covering the remainder of the term of such Order(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on the Customer.
Upon Customer’s request, PremiumSide Hosting shall provide the Customer with reasonable cooperation and assistance needed to fulfil the Customer’s obligation under the GDPR to carry out a data protection impact assessment related to the Customer’s use of Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent that such information is available to PremiumSide Hosting. PremiumSide Hosting shall provide reasonable assistance to the Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR.
PremiumSide Hosting stores and processes Customer Data in Data Centers located inside and outside the European Union. Information about our Data Center locations is available on: https://www.premiumsidehosting.com/datacenters and PremiumSide Hosting reserves the right to update it from time to time.
The Customer may specify the Data center location where their Customer Data will be stored. The Customer agrees that PremiumSide Hosting may change the locations of the Data Centers and move Customer Data to another Data Center. PremiumSide Hosting shall inform the Customer at least 10 calendar days before moving Customer Data to a new Data Center either by sending an email to the Notification Email Address or via the User Area. If the change of the Data Center results in storing the Customer Data under a different jurisdiction, the Customer may object to such change by terminating the Agreement immediately and upon written notice to SiteGround, on condition that the Customer provides such notice within 10 calendar days of being informed of the change of the Data Center.
The Customer can move their account and Customer Data to another Data Center location at any time, provided that the functionality of the Services allows it and in exchange of additional fees. Once the Customer has made their choice and specified a Data Center location within the European Union, PremiumSide Hosting will not store Customer Data outside the borders of European Union except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or a court order).
To the extent the Customer has specified a Data Center outside the European Economic Area and to the extent PremiumSide Hosting provides the Services and related technical and other support, the Customer agrees that PremiumSide Hosting may, subject to Section 5, access and process Customer Data in EEA, United States and any other countries where SiteGround and/or its Partners and Sub-processors have Data Centers, facilities or maintain data processing operations. If the storage and/or processing of Customer Data involves processing of Customer Data outside of the EEA, and the European Data Protection Legislation applies, the Customer agrees that PremiumSide Hosting reasonably requires the Customer to enter into Model Contract Clauses in respect to such transfers in accordance with Section 5.2 and Appendix 1 and the Customer agrees to do so.
To the extent PremiumSide Hosting processes or transfers (directly or via onward transfer) Customer Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland in or to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws of the foregoing territories, the parties agree that:
The Customer acknowledges that PremiumSide Hosting is required under the GDPR to:
PremiumSide Hosting shall implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to provide encrypted transmission of customer data outside the Service environment; to help ensure ongoing confidentiality, integrity, availability and resilience of PremiumSide Hosting’s systems and services; to help restore timely access to Customer Data from an available backup copy, provided either by PremiumSide Hosting Backup Services or Customer’s own backup copy following an incident; and for regular testing of effectiveness. PremiumSide Hosting may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
The Customer agrees that, without prejudice to PremiumSide Hosting’s obligations under Section 7. (Security Responsibilities of PremiumSide Hosting) and other relevant Sections in this DPA:
If the European Data Protection Legislation applies to the processing of Customer Data:
Nothing in this Section 8 (Review and Audits of Compliance) varies or modifies any rights or obligations of Customer or PremiumSide Hosting under any Model Contract Clauses entered into as described in Sections 5 (Transfers of Data Out of EEA).
9.1. PremiumSide Hosting maintains security incident management policies and procedures and shall notify the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer data transmitted, stored or otherwise Processed by PremiumSide Hosting or its Sub-processors of which SiteGround becomes aware (a “Customer Data Incident”). PremiumSide Hosting shall make reasonable efforts to identify the cause of such Customer Data Incident and take the steps as PremiumSide Hosting deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within PremiumSide Hosting’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer, Customer’s usage of the Services, Customer’s actions or activities or Customer’s Users.
9.2. Notifications made pursuant to this section shall describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps PremiumSide Hosting recommends the Customer takes to address the Data Incident.
9.3. Notification(s) of any Data Incident(s) shall be delivered to the Notification Email Address or, at PremiumSide Hosting’s discretion, by direct communication (for example, by phone call). The Customer is solely responsible for ensuring that the Notification Email Address and contact information is current and valid.
9.4. PremiumSide Hosting shall not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to the Customer and fulfilling any third party notification obligations related to any Data Incident(s).
9.5. PremiumSide Hosting’s notification of or response to a Data Incident under this Section 10 shall not be construed as an acknowledgement by PremiumSide Hosting of any fault or liability with respect to the Data Incident.
10.1. The Customer shall indemnify and keep indemnified PremiumSide Hosting with respect to all data protection breaches and losses suffered or incurred by, arising from or in connection with:
10.2. PremiumSide Hosting shall be liable for data protection breaches and losses caused by processing of Customer Data only to the extent directly resulting from PremiumSide Hosting’s failure to comply with its obligations as Data Processor under Data Protections laws and Regulations.
This DPA will take effect from the Effective Date until the end of PremiumSide Hosting’s provisioning of the Services under the applicable Agreement, including, if applicable, any period during which the Services may have been suspended and any post-termination period (namely 60 calendar days) during which PremiumSide Hosting may continue providing Services for transitional purposes (“Term”). The DPA will automatically expire upon deletion of all Customer Data by PremiumSide Hosting.
To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the applicable Agreement related to the Processing of Customer Data, the terms of this DPA shall govern. Subject to the amendments if any in this DPA, such Agreement remains in full force and effect. For clarity, if the Customer has entered more than one Agreement, this DPA shall amend each of the Agreements separately.