Data Protection

Preamble This Agreement specifies the data protection obligations of the contractual parties arising from the defined processing activities in which personal data belonging to Controller is processed by 1&1 in compliance with the General Data Protection Regulations (“GDPR”). “Controller” shall have the same meaning as set out in article 4 (7) of the GDPR. “Personal data” shall have the same meaning as set out in article 4 (1) of the GDPR. “Processing” shall have the same meaning as set out in article 4 (2) of the GDPR. “Processor” shall have the same meaning as set out in article 4 (8) of the GDPR. Products: Dedicated Server, Dedicated Hosting, Cloud Server, Virtaul Private Server (VPS), Dynamic Cloud Server, Virtual Server, Managed Cloud, Private Cloud, Cloud Backup Web Hosting, WordPress Hosting, MyWebsite Now, MyWebsite Creator, MyWebsite Essential, MyWebsite, MyWesbite eCommerce, MyWebsite Now eCommerce, Social Buy Button, Shoplement, eShop, Website Design Service Email Marketing, HiDrive Cloud Storage, Managed Nextcloud, Mail Basic, Mail Business, Hosted Microsoft Exchange, Email Archiving, MyBackup 1. Duration of the Processing on Behalf of the Controller The term of this Agreement shall continue for the duration of the provision of the services. 2. Area of Application and Responsibility 2.1. In the provision of the services, Controller may choose to hold Controller’s customer personal data (“personal data”) at Controller’s own risk, on the platforms and data centres of 1&1. The only processing activities that may be performed by 1&1 are the storage of such personal data and any backups in order to provide continuity of service and disaster recovery. Such backups are merely for the aforementioned purpose and shall not be available to Controller. Version 20210804 - Page 2 of 5 2.2. Controller shall be solely responsible for compliance with the legal provisions of applicable data protection laws, in relation to such personal data, in particular the lawfulness of the data processing (“Controller” as defined under the GDPR). 3. Obligations of the Provider 3.1. To the extent that 1&1 shall be considered a processor of Controller’s customer personal data. 3.2. Any additional processing of personal data shall only be in accordance with instruction from Controller, unless an exception applies as defined in the GDPR. 1&1 shall promptly inform Controller if it believes that an instruction of Controller violates applicable laws. In such cases, 1&1 reserves the right to refuse Controller’s instructions. 3.3. 1&1 shall implement technical and organisational measures to protect Controller’s customer data and to ensure the confidentiality, integrity, availability and capacity of the systems and services. 1&1 shall be obliged, in accordance with the GDPR, to implement a procedure for regularly reviewing the technical and organisational measures designed to ensure the security of the processing. 3.4. 1&1 reserves the right to alter the agreed security measures, provided that any such amendment ensures that the agreed level of protection shall not me materially diminished. 3.5. 1&1 agrees to reasonably assist Controller in respect of any requests and claims in accordance with the GDPR. 3.6. 1&1 shall ensure that employees, subcontractors and affiliates who may be involved in the processing of Controller’s data shall act in accordance with this Agreement. 3.7. 1&1 shall inform Controller promptly if 1&1 becomes aware of any breaches which affect Controller’s personal data. 3.8. 1&1 shall, once notified in writing, inform Controller of any request for disclosure of personal data by authorities, unless expressly prohibited under applicable laws. 3.9. Controller may contact the Data Protection Officer by sending an email to privacynotice@1and1.co.uk. 3.10. At termination of services, all customer data, personal or otherwise, shall be deleted (including the pseudonymisation of data) within an appropriate time, in accordance with applicable laws. Version 20210804 - Page 3 of 5 3.11. In the event of a claim against Controller regarding any of the rights defined under th