Data Processing Addendum

Data Processing Addendum

This Data Processing Addendum (“DPA”) amends the Peggy’s Cove Centre for Arts & Culture Terms of Use between you as user of the Website at https://spindriftgalleryns.ca (the “Website”) and Peggy’s Cove Centre for Arts & Culture, a Canadian not-for-profit corporation with offices at 1500-1625 Grafton Street, Halifax, Nova Scotia, B3J 0E8, Canada (“PCCAC”).

Definitions

  1. “Data Protection Laws” means all applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation (GDPR) (EU) 2016/679, the UK Data Protection Act 2018, and any applicable laws in the United States, as amended from time to time.
  2. “Personal Data” means any information relating to an identified or identifiable natural person as defined by the Data Protection Laws. This would include an identifiable or identified individual who visits or engages in transactions through our store.
  3. “Data Controller” means Peggy’s Cove Centre for Arts & Culture who determines the purposes for which and the means by which Personal Data is processed. This term has the meaning given to it by the Data Protection Laws.
  4. “Data Processor(s)” are third parties external to PCCAC that process personal data only on behalf of the controller, being PCCAC. The Data Processors are listed in Appendix A to this DPA.

Scope and Purpose

This DPA sets out the terms and conditions under which the Data Processor will process Personal Data on behalf of the Data Controller in connection with the provision of e-commerce services on the Website.

Processing of Personal Data

The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required by applicable law. The Data Processor shall inform the Data Controller if it believes that an instruction infringes Data Protection Laws. The Data Processor shall implement appropriate technical and organizational measures to ensure the security of Personal Data.

Data Subject Rights

The Data Processor shall assist the Data Controller in responding to data subject requests, including requests to exercise rights under Data Protection Laws.

Sub-Processing

The Data Processor shall not engage a sub-processor without the prior written consent of the Data Controller. If consent is given, the Data Processor shall ensure that the sub-processor is bound by obligations no less protective than those in this DPA.

Security Measures

The Data Processor shall implement and maintain appropriate technical and organizational measures to ensure the security of Personal Data.

Data Breach Notification

The Data Processor shall promptly notify the Data Controller of any data breach affecting Personal Data, providing all necessary information to assist the Data Controller in meeting its obligations under Data Protection Laws.

Data Deletion or Return

Upon termination or expiration of the services, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data processed on behalf of the Data Controller.

Governing Law and Jurisdiction

The terms of this DPA shall be governed by and interpreted in accordance with the laws of the Province of Nova Scotia and the laws of Canada applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the Province of Nova Scotia with respect to any dispute or claim arising out of or in connection with this DPA.