This Data Processing Addendum (the ‘DPA’) forms part of The Gap Terms of Service between the Member and The Gap (the ‘Terms of Service’). All capitalised terms that are not defined in this DPA shall have the same meaning as set out in the Terms of Service.
This DPA only applies if and to the extent The Gap processes personal data on behalf of a Member that qualifies as a controller with respect to that personal data under Applicable Data Protection Law (as defined below).
In case of any conflict or inconsistency with the terms of the Terms of Service, this DPA will take precedence over the terms of the Terms of Service to the extent of such conflict or inconsistency.
The Gap updates these terms from time to time. The date of the last update is shown at the top of this document. The Gap will notify the Member of changes to this DPA by email and by posting an announcement in The Gap Portal and/or on its website prior to the changes becoming effective. The Member is bound by any changes when the Member uses our website or our Services after such changes have been announced.
1.1 In this DPA: controller, processor, data subject, personal data, processing (and process) and special categories of personal data have the meanings given in Applicable Data Protection Law.
‘Applicable Data Protection Law’ means the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR) and/or the UK General Data Protection Regulation (the UK GDPR).
2.1. The subject matter of this DPA is the processing of personal data by The Gap (the “Processor”) on behalf of, and on the documented instructions of, the Member (the “Controller”), as necessary for the provision of the Services described in the Terms of Service, or as otherwise agreed in writing between the parties.
2.2 The nature and purpose of the processing, the types of personal data, and the categories of data subjects are set out in the Privacy Policy.
3.1. Unless explicitly requested by the Processor to do so, the Controller will not disclose (and will not permit any data subject to disclose) any special categories of personal data to the Processor for processing.
4.1. Each party must comply with the obligations that apply to it under Applicable Data Protection Law.
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law. The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes the Applicable Data Protection Law.
6.1 The Processor shall ensure that its personnel engaged in the processing of personal data are subject to appropriate obligations of confidentiality.
7.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage of personal data.
8.1. The Processor shall provide reasonable assistance to the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under the Applicable Data Protection Law, including but not limited to access, rectification, erasure, restriction of processing, and data portability. The Processor shall promptly notify the Controller if it receives a request directly from a data subject.
9.1. A list of our current sub-processors can be viewed at www.thegaphq.com/sub-processors.
Upon termination or expiration of the Terms of Service or upon the Controller's written request, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete any existing copies unless applicable law requires the storage of the personal data.
9.2. The Controller hereby authorises the Processor to engage sub-processors for the processing of personal data. The Processor shall ensure that any sub-processor engaged by it is bound by written contractual obligations that provide at least the same level of protection as set forth in this DPA.
10.1. If the Processor needs to transfer personal data to a third country or an international organisation, the Processor shall ensure that appropriate safeguards are in place to protect the personal data, in accordance with the requirements of Applicable Data Protection Law.
11.1. In the event of a personal data breach, the Processor shall notify the Controller without undue delay, providing all necessary information to enable the Controller to fulfil its obligations to report or inform competent supervisory authorities and affected data subjects, as required by Applicable Data Protection Law.
12.1. Upon the Controller's written request, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete any existing copies unless applicable law requires the storage of the personal data.
12.2. The Processor retains personal data associated with a Member's account for a period of two (2) years after account deactivation, in order to facilitate the reactivation of their account if they choose to return. At the end of this retention period, all personal data will be permanently deleted unless required for legal, regulatory, or contractual purposes.
12.3. The Controller may request the deletion or return of personal data at any time during the retention period, in accordance with 12.1.
13.1. The Processor shall make all information reasonably necessary to demonstrate compliance with this DPA available to the Controller or any appointed third-party auditor to facilitate audits and/or inspections, where required by Applicable Data Protection Law.