Acme Inc

Privacy Policy

INTRODUCTION

This Privacy Policy ("Privacy Policy") relates to the website www.cloudmanage.biz and/or any sub-websites and/or associated domains (and/or sub-domains) of cloudmanage.biz (hereinafter referred to as the "Site"), the services provided by Cloudmanage Limited, the owner of the Site, ("We", "Us", "Our", "Ourselves" and/or "Cloudmanage") and any related software applications ("Apps"), where Personal Data is processed by the same (via the Site, any of Our Apps or otherwise) relating to You. In this Privacy Policy, "You" and "Your" and "User" refer to an identified or identifiable natural person being the User of the Site and/or client (or prospective client) of any of Our services. Our full details, including contact details, can be read below. You may be reading this Privacy Policy as a User or visitor of the Site or You may have been directed here by one (or more) of Our agreements, Our condensed policies or Our other notices (digital or otherwise). Although this Privacy Policy provides detailed, layered information on how and why We generally process Personal Data (via the Site, any of Our Apps, or otherwise) as well as detailed information about Your various rights, the specific and tailor-made content of such agreements, condensed policies or other notices will, in most cases, provide You with more focused and detailed information on specific processing operations (for example, the specific legal basis for processing certain categories of Personal Data and the specific purpose for doing so depending on the matter at hand). Although Our goal is to always be as clear and transparent as possible, We appreciate that legal documents can sometimes be difficult to read. However, We strongly encourage You to read this Privacy Policy (which is layered for Your convenience) with care. Please do not hold back from contacting Us for any clarification You may need. For example, if You need clarification on a specific legal basis We are relying on to process Your Personal Data for a specific processing operation, We would be happy to provide You with any such information You may need.

Cloudmanage AS A DATA PROCESSOR

This Data Processing Agreement ("DPA") forms an integral part of the Agreement by and between Cloudmanage LIMITED (hereinafter referred to as "Data Processor") and the undersigned Customer of Cloudmanage (hereinafter referred to as "Data Controller") and shall be effective on the later date set down below ("Effective Date"). The Data Controller and the Data Processor are hereinafter jointly referred to as the "Parties" and individually as the "Party". The terms, "Controller", "Processor", "Processing", "Data Subject", "Personal Data", "Personal Data Breach", and "Supervisory Authority" shall (where applicable) have the same meaning as in the MDPA (as defined hereunder) and, as of 25th May 2018, the GDPR (as defined hereunder).

"SERVICES AGREEMENT" – shall mean the services agreement entered into between the Data Controller and the Data Processor dated ("Effective Date");

WHEREAS:

A. The Data Processor performs services on behalf of the Data Controller ("Services") in accordance with the Services Agreement;

B. In providing the Services, the Data Processor collects, uses or otherwise processes personal data within the meaning of the Data Protection Laws (as defined hereunder) for which the Data Controller is responsible as provided under the said Data Protection Laws;

C. This DPA regulates the data protection obligations of the Parties when processing the Data Controller's Personal Data under the Services Agreement and will ensure that such Processing will only take place on behalf of and under the instructions of the Controller and in accordance with the Data Protection Laws, including but not limited to Article 28 of the GDPR.

NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:

1. Subject-Matter, Duration of processing, and nature and purpose of Processing:

1.1. The subject-matter, duration, nature and purpose of the processing covered by this DPA are described in the Services Agreement.

1.2. The type of personal data to be processed under this DPA shall include all customer data uploaded to Cloudmanage's services using the customer's Cloudmanage account. Data Controller is solely responsible for determining the types of Personal Data to be Processed.

1.3. The categories of data subjects relevant to the Services Agreement and this DPA are the following: Customers, Customer's Clients, Customer's Employees or other members of staff, visitors. The Data Controller is solely responsible for determining the categories of Data Subjects to whom the Personal Data relates.

1.4. The rights and obligations of the Data Controller are stipulated in the Services Agreement and/or this DPA.

2. Mutual Data Protection obligations:

2.1. In addition to anything else agreed between them, the Parties, in whatever role they may occupy and with respect to any processing of personal data they may be involved in together, undertake to comply with the provisions of the Maltese Data Protection Act (Chapter 440 of the Laws of Malta) – the "MDPA" – and any other relevant legislation which is applicable during the term of the Services Agreement and/or this DPA (whichever is longer), in so far as the same relates to the provisions and obligations of the Services Agreement and/or this DPA including, as of 25 May 2018, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - the "GDPR", that will replace the said Directive and replace or amend the MDPA (all the above referred to as the "Data Protection Laws").

2.2. Each Party shall not perform any of its obligations under this DPA and/or the Services Agreement in such a way as to cause either Party to breach any of its obligations arising under the Data Protection Laws or otherwise act or fail to act in such a manner that leads to such breach.

3. PROCESSOR'S OBLIGATIONS:

3.1. In view of its obligations under the Data Protection Laws, the Data Processor shall:

3.1.1. Act only upon the strict instructions of the Data Controller and not process any personal data that may be transferred to it by the Data Controller except as may be necessary for the performance of any service or task provided by the Data Processor to/for the Data Controller and, in particular, to process the said personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Maltese law. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

3.1.2. Ensure that persons authorised to process the personal data (including but not limited to the Data Processor's employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

3.1.3. Implement appropriate technical and organisational measures to protect any personal data that may be processed on behalf of the Data Controller (if any) against accidental destruction or loss or unlawful forms of processing thereby providing the best possible level of security appropriate to the particular risks in question and take any other such measures as required by the Data Processor's direct obligations as a data processor in terms of Article 32 of the GDPR;

3.1.4. Not engage another data processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the Data Controller (as authorised by the Data Controller), the same data protection obligations as set out in this DPA shall be imposed on that other processor or sub-processor by way of a contract or other legal act under EU or Maltese law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor or sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that other processor or sub-processor's obligations. A list of sub-processors currently employed by Data Processor can be found in "Annex A";

3.1.5. Assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;

3.1.6. Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security obligations, notification of personal data breach to the supervisory authority obligation, communication of a personal data breach to the data subject obligation, data protection impact assessment obligation and prior consultation with the supervisory authority obligation) taking into account the nature of processing and the information available to the Data Processor;

3.1.7. In any case, notify the Data Controller without undue delay after becoming aware of a personal data breach;

3.1.8. At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless EU or Maltese law requires storage of the personal data;

3.1.9. Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Clause 2 and in the applicable data protection law(s) and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. In this regard, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction in connection with point (h) of the first subparagraph of Article 28 of the GDPR infringes the GDPR or other EU or Maltese data protection provisions;

3.1.10. Take all such measures necessary to ensure that processing will meet the requirements of the GDPR and ensure the protection of the rights of data subjects.

4. CONTROLLER'S OBLIGATIONS:

4.1. In view of its obligations under the Data Protection Laws, the Data Controller shall:

4.1.1. Be responsible for fulfilling the obligations pertaining solely to the Data Controller in particular in order to ensure compliance with the Data Protection Laws (including but not limited to obtaining any consent(s) that may be required from any relevant data subjects within the scope of the Services Agreement and/or this DPA for the disclosure of personal data to the Data Processor under the terms of the Services Agreement and/or this DPA);

4.1.2. Provide all required instructions to the Data Processor in a timely, sufficiently clear and detailed manner in either written or electronic form;

4.1.3. Confirm in writing any verbal instructions given to the Data Processor as soon as is reasonably possible after such instructions are originally given;

4.1.4. Notify the Data Processor in a timely manner and in writing of any individuals who are authorised by the Data Controller to issue instructions to the Data Processor;

4.1.5. Take all such measures as are necessary to ensure that the Data Processor is in the best possible position to assist the Data Controller in the latter's obligations under the MDPA and the GDPR and to comply with the Data Processor's own obligations at law.

5. LIABILITY AND INDEMNITY:

5.1. The Data Controller shall be liable for damages to concerned data subjects which are caused by processing of personal data which is not compliant with the Data Protection Laws and which are not caused by the Data Processor's acts or omissions.

5.2. Notwithstanding anything else agreed between the Parties, each Party (the First Party) shall indemnify the other Party (the Second Party) and hold such Second Party harmless from and against all claims, damages, losses, fines or other expenses whatsoever arising from any breach or default in the performance of any data protection obligation(s) on the First Party's part to be performed under the terms of the Services Agreement and this DPA and from and against all reasonable costs, advocates' fees, expenses and liabilities incurred in the defence of any claim or any action or proceeding brought thereon.

6. DURATION:

6.1. The rights, benefits and obligations of this DPA shall commence on the date of signature by both Parties of this DPA and shall terminate with the termination of the services under the Services Agreement.

7. Jurisdiction and Governing Law:

7.1. This DPA shall be governed by and construed in accordance with the Laws of the Republic of Malta and shall be subject to the jurisdiction of the Maltese courts.

8. DPA supersedes other agreements:

8.1. In so far as the Parties' data protection obligations in terms of the Services Agreement and of the Data Protection Laws are concerned, this DPA shall take precedence over any and/or all other agreements between the Parties.

Please note that the general terms of how we process personal data (for example, the technical and organisational measures (security measures) we implement to protect personal data we process) are the same whether we are doing this in our capacity as a data controller or as a data processor on behalf of a data controller.

APPLICABLE LAWS

As an entity established in Malta, EU, the main privacy laws that are applicable to Us in so far as You are concerned, are as follows:

- The (Chapter 586 of the Laws of Malta) as well as the various subsidiary legislation issued under the same – the "DPA";
- The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – the "GDPR".

All the above referred to together as the "Data Protection Laws".

WHAT IS PERSONAL DATA?

"PERSONAL DATA" means any information that identifies You as an individual or that relates to an identifiable individual. Whenever it is not possible or feasible for Us to make use of anonymous and/or anonymised data (in a manner that does not identify any Users of the Site or customers of Our services), We are nevertheless committed to protecting Your privacy and the security of Your Personal Data at all times. We collect Personal Data in various ways both digitally via the Site (either when You choose to provide Us with certain data or in some cases, automatically or from third parties) as well as non-digitally (for example when You fill in a physical form to benefit from one or more of Our services).

PERSONAL DATA WE COLLECT ABOUT YOU

There are various categories of Personal Data that We collect about You, namely:

- CONTACT DETAILS:
- REGISTRATION DATA:
- MARKETING DATA:
- TRACKING DATA:
- FINANCIAL INFORMATION:
- PROFILE DATA:
- ADDITIONAL INFORMATION: In some cases, (for example, if You are a client [or prospective client] of Our services, via the Site, any App or otherwise) We may request additional Personal Data as a means of securely identifying You or for another similar lawful purpose.

The additional information We may request from You to be able to provide You with Our services includes:

- More secure identification methods
- Credentials/references
- Details of Your next of kin
- Certain special categories of data (sensitive Personal Data) such as health conditions/status (only where necessary and with the necessary safeguards in place).

Many of the categories of Personal Data above are collected directly from You (for example, Your Contact Details and Your Registration Data). However, WE MAY ALSO COLLECT PERSONAL DATA FROM OTHER SOURCES, including publicly accessible databases, joint marketing partners, social media platforms and other third parties. We may also receive Personal Data about You from third parties when We need to confirm Your Contact Details. Should this be the case, and when acting as a data controller, We will take all measures as required by law to further inform You about the source of such Personal Data as well as the categories of Personal Data We collect and process. There are certain instances at law where We are specifically forbidden from disclosing to You such activity (for example, when carrying out due diligence for anti-money laundering purposes).

When acting as a data processor, Cloudmanage processes personal data on behalf of one or more data controllers. In such cases it is the data controller's obligation to provide data subjects with the said information.

SOCIAL MEDIA

If You choose to connect one or more of Your social media accounts with Our Site to enable the sharing of Personal Data via social media platforms, certain categories of Personal Data relating to You from Your social media account(s) will be shared with Us.

HOW AND WHY WE COLLECT PERSONAL DATA

As a general rule, when acting as a data controller, We do not collect any Personal Data, that is, information that identifies You as an individual other than that which You choose to provide to Us such as the data (including Contact Details and Registration Data) You provide when registering with Our Site (where this is available), when contacting Us with enquiries relating to Our goods and/or services, when subscribing to any service offered by Us or via Our Site, such as any newsletters as may be issued by Us from time to time or even when subscribing to any offers We (and/or Our affiliates and/or corporate partners) may offer from time to time (see Personal Data We Collect About You above).

Unless otherwise specified and subject to various controls, as a general rule, We only collect Personal Data (from You or elsewhere) that We:

- Need to be able to provide You with the goods and/or services You request from Us
- Are legally required to collect/use and to keep for a predetermined period of time
- Believe to be necessary for Our legitimate business interests

PERSONAL DATA RELATING TO THIRD PARTIES

By providing Us with or allowing Us to access Personal Data relating to individuals other than Yourself, You are letting Us know that You have the authority to send Us that Personal Data or the authority to permit Us to access those data in the manner described in this Privacy Policy.

SPECIAL NOTE ON CONSENT

For the avoidance of all doubt, We would like to point out that in those limited cases where We cannot or choose not to rely on another legal ground (for example, Our legitimate interests), We will process Your Personal Data on the basis of Your consent. In some cases, We will require Your explicit consent, for example, when, on the basis of Your explicit consent We will process special categories of data concerning You such as Your health data or data that reveals Your race or ethnic origin (what was previously referred to as "sensitive Personal Data") that might be needed as part of Our processing of Your application for a credit facility with Us. In those cases where We, as a data controller, process on the basis of Your consent (which We will never presume but which We shall have obtained in a clear and manifest manner from You), YOU HAVE THE RIGHT TO WITHDRAW YOUR CONSENT AT ANY TIME and this, in the same manner as You shall have provided it to Us. Should You exercise Your right to withdraw Your consent at any time (by writing to Us at the physical or email address below), We will determine whether at that stage an alternative legal basis exists for processing Your Personal Data (for example, on the basis of a legal obligation to which We are subject) where We would be legally authorised (or even obliged) to process Your Personal Data without needing Your consent and if so, notify You accordingly. When We ask for such Personal Data, You may always decline, however should You decline to provide Us with necessary data that We require to provide requested services, We may not necessarily be able to provide You with such services (especially if consent is the only legal ground that is available to Us). Just to clarify, consent is not the only ground that permits Us to process Your Personal Data. In the last preceding section above We pointed out the various grounds that We rely on when processing Your Personal Data for specific purposes.

DIRECT MARKETING

We only send mail, messages and other communications relating to marketing where We are authorised to do so at law. In most cases We rely on Your consent to do so (especially where We use electronic communications). If, at any time, You no longer wish to receive direct marketing communications from Us You can exercise this right by clicking the "unsubscribe" or "opt-out" link in the marketing emails we send you or let Us know by contacting Us at the details below or update Your preferences on any of Our Site(s) or Apps (where applicable). In the case of direct marketing sent by electronic communications (where We are legally authorised to do so) You will be given an easy way of opting out (or unsubscribing) from any such communications. Please note that even if You withdraw any consent You may have given Us or if You object to receiving such direct marketing material from Us (in those cases where We do not need Your consent), from time to time We may still need to send You certain important communications from which You cannot opt-out.