These Terms apply to Clients that the GDPR applies to. For the purposes of these Terms, the following capitalised words have the following meanings:
Data Protection Laws means applicable legislation protecting the personal data of natural persons, together with binding guidance and codes of practice issued from time to time by relevant Supervisory Authorities and/or any local data protection law applicable in respect of Personal Data collected by the Client and Processed by Vista under the Agreement, including where applicable GDPR and Directive 2002/58/EC and any local implementing laws as updated from time to time, including any data protection laws substantially amending, replacing or superseding the same;
EU personal data means personal data to which Data Protection Laws of the European Union, or of a Member State of the European Union or European Economic Area, was applicable prior to its processing by Vista.
GDPR means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679 (“EU GDPR”); and (ii) UK GDPR.
Protected Area means:
(a) in the case of EU personal data, the members states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 EU GDPR is in force; and
(b) in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force.
Standard Contractual Clauses or SCCs mean:
(a) in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914; and/or
(b) in respect of UK personal data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner in accordance with s.119A of the Data Protection Act 2018.
UK GDPR means the EU GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
UK personal data means personal data to which Data Protection Laws of the United Kingdom were applicable prior to its processing by Vista.
“controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
A capitalised term not otherwise defined in these Terms has the meaning given to that term in the Vista Cloud Agreement Key Terms and/or Vista Cloud Agreement Standard Terms.
In the respect of their obligations under the Agreement, both parties will observe their respective obligations under the Data Protection Laws which arise in connection with the provision and use of the Services.
Where Vista Processes Client Personal Data under GDPR, Vista will:
(a) Process the Personal Data solely on the Client’s documented instructions (whether in the Agreement or otherwise) for the purposes of providing the Service or as otherwise required by applicable law or the Agreement. If Vista is required by applicable law to process the personal data for any other purpose, Vista will inform Client of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
(b) notify the Client immediately if, in Vista's opinion, an instruction for the processing of personal data given by the Client infringes applicable Data Protection Laws, it being acknowledged that Vista shall not be obliged to undertake additional work to determine if Client's instructions are compliant;
(c) take reasonable steps to ensure the reliability of any staff who may have access to such Personal Data, and their treatment of the Personal Data as confidential;
(d) promptly refer to the Client any requests, notices or other communication from Data Subjects or any Supervisory Authority, for the Client to resolve and, subject to clause 7.8 of the Standard Terms, provide reasonable assistance to the Client to assist the Client to respond to such communication;
(e) provide such information to the Client as the Client may reasonably require, and within the timescales reasonably specified by the Client, to allow the Client to comply with the rights of Data Subjects, including subject-access rights, or with notices served by the Supervisory Authority;
(f) within ninety (90) days of termination of the Agreement, (at the Client’s option) return to the Client or delete all Personal Data Processed under the Agreement unless Vista is required to continue processing the data according to applicable law;
(g) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with Vista’s Processing of the Personal Data, including the minimum security measures set out in Exhibit B to these Terms;
(h) promptly notify the Client upon becoming aware of any Personal Data Breach;
(i) on request and subject to clause 7.8 of the Standard Terms, provide the Client with reasonable assistance in carrying out its obligations under Articles 32 to 36 of the GDPR, where applicable;
(j) Process only the types of Personal Data, relating to the categories of Data Subjects, and in the manner required to deliver the Service, as further described in Exhibit A to these Terms;
(k) only transfer Personal Data outside of the Protected Area in accordance with clauses 2.3 and 2.4 or with the prior written consent of the Client. The Parties acknowledge that Vista may Process Personal Data from New Zealand and the United Kingdom, and that New Zealand and the United Kingdom are countries which are within the Protected Area; and
(l) on reasonable prior notice, provide the Client with information to demonstrate compliance with Vista's obligations under the Agreement and, at the Client's expense, and subject to at least ten (10) days’ prior written notice, submit to audits conducted by the Client under the GDPR (where applicable) provided always that:
Vista shall not, and shall ensure that none of its Affiliates or Sub-Processors, transfer, access or use EU, or UK personal data outside of the Protected Area without Client’s prior authorisation. Client agrees to authorise the transfers to Sub-Processors listed on the Vista Cloud Sub-processors page and Vista confirms that it has in place a mechanism for lawful transfer and where necessary agrees to procure that its Affiliates or Sub-Processor’s (as applicable) comply with the obligations set out in the Standard Contractual Clauses, with Vista as the ‘data exporter’ and the relevant Vista Affiliate or Sub-Processor (as applicable) as the ‘data importer’. Where Client provides personal data described in Exhibit A to one of the Vista Affiliate Sub-Processors authorised under these Data Processing Terms for the purposes of enabling Vista to fulfil its obligations under the Agreement, then Client and Vista agree that such transfer shall be deemed to be a transfer from Client via Vista to such Vista Affiliate and that Vista shall be the ‘data exporter’ and the Vista Affiliate shall be the ‘data importer’ in relation to such transfers.
For the purpose of clause 2.2(k) above, in the event that a relevant European Commission decision or other valid adequacy method under applicable Data Protection Laws on which the parties have relied as the basis for any data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, then the parties agree to discuss in good faith and facilitate use of an alternative transfer mechanism.
The Client authorises Vista to appoint third party Sub-Processors to assist in the management and provision of the Service provided Vista has entered into an agreement with the Sub-Processor which imposes obligations on the Sub- Processor no less onerous than as are imposed on Vista under these Terms. Vista’s use of Sub-Processors will not relieve it of any liability, and Vista will remain liable to the Client for the performance of the Sub-Processors’ obligations. The list of current Sub-Processors used by Vista is set on the Vista Cloud Sub-processors page and Vista will notify the Client of any additional Sub-Processor 10 days in advance. If the Client reasonably objects to a new Sub-Processor, the Client may inform Vista in writing of the reasons for the Client’s objections. If the Client objects to such additional Sub- Processor(s) within such notice period, the Client should stop using the Service and providing data to Vista and Vista may terminate the Agreement by providing written notice to the Client with immediate effect and the Parties obligations on termination will apply in accordance with clause 9.5 of the Standard Terms. The Client hereby specifically consents to Vista's appointment of its Affiliates as Sub-Processors for the purposes of assisting Vista to provide the Service under the Agreement.
This Exhibit A includes certain details of the Processing of the Personal Data as may be required by applicable Data Protection Laws.
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement.
Vista may access, collect and Process the Client’s Personal Data where Vista provides the Services to the Client pursuant to the Agreement, including where the Client provides Vista with access to the Client’s systems for the purposes of providing the Support Services. Where possible, the Parties will work together to ensure that Personal Data is anonymised by the Client prior to any transfer to Vista for Processing. Vista may also Process the Personal Data for the applicable purposes set out in clause 7.2 of the Standard Terms and for any additional purposes applicable to the SaaS Service as specified in the Key Terms.
The types of Personal Data to be Processed commonly includes, but is not limited to, the following information uploaded by the Client into the Services (as applicable):
(a) title; full name; address; email address; phone number(s);
(b) user account information, including: username; user ID; and transaction history;
(c) loyalty scheme member information - this is highly configurable by the Client, but may include member name; member ID; gender; DOB; email address; phone number; photo; preferences for contact, movie genres, locations;
(d) payment card information, including: credit card details: first six and last four digits of the card name, cardholder’s name as recorded on the card and card expiry date; and gift card details;
(e) any additional Personal Data applicable to the Services as specified in the Key Terms or a Statement of Work; and
(f) any other information uploaded by the Client into the SaaS Applications.
Client employees, end users, patrons, guests and the Client business contacts.
The obligations and rights of the Client are set out in the Agreement and these Terms.
The third party Sub-Processors set out on the Vista Cloud Sub-processors page may act as Sub-Processors in accordance with these Terms (as applicable).
This Exhibit B sets out the security measures which Vista will take to ensure a level of security for the Personal Data appropriate to the level of the risk.
Any SaaS Application delivered under the Agreement is installed within Vista’s subscription with the Cloud Service Providers.
Under the Agreement, the Client may request assistance from Vista support personnel in providing the Support Services, which may include the use of Vista Affiliates in accordance with clause 2.4 of the GDPR Data Processing Terms above. In order to adequately provide the Support Services, Vista and its Affiliates may need (i) to access the SaaS Application located in Vista’s subscription with the Cloud Service Providers for the purpose of diagnosing the reason for the incident or issue; or (ii) a copy of the applicable SaaS Application’s database to be transferred to Vista premises to aid in further investigations.
For any SaaS Service, the Client acknowledges and accepts that Vista’s support personnel will have access to the subscription and therefore data stored within, including Personal Data, for the purposes of delivering the Support Services.
Where Vista is required to retrieve a copy of the Client’s database back to Vista’s premises (the Database) to perform the requested Support Services and any Personal Data in that Database is not required to perform such Support Services, the Parties will work together in good faith to anonymise the Database prior to transfer as set out in this clause 3.
Prior to transferring the Database to Vista by uploading such Database on Vista’s servers, the Client will, or Vista will on the Client’s behalf:
(a) run a tool provided by Vista that identifies the type of Database and anonymises any Personal Data in the Database; and
(b) encrypt the Database. Only Vista can decrypt the Database to a useable state.
Where the Database is no longer required by Vista to carry out the requested Support Services, Vista will promptly and securely destroy the Database.
In the rare event that Vista is required to retrieve a copy of a Database back to Vista’s premises and any Personal Data in that Database is required to perform the Support Services, Vista will only work on a non-anonymised Database with the written approval of the Client’s nominated Representative(s) (email to suffice).
Vista will securely hold and destroy the non-anonymised Database in accordance with the prescribed methods outlined in paragraph 5 below.
In addition to the security methods detailed above, Vista will implement the following common measures and processes set out below. Vista will:
(a) ensure that only authorised devices and authorised relevant personnel with a work-related need for Processing have access to the Personal Data. For example, only Vista’s support personnel will connect to Vista’s subscription with the Cloud Service Providers;
(b) ensure that any employee who changes roles within Vista does not retain access to Personal Data unless such Personal Data is required for their new role. When an employee leaves Vista, Vista will ensure that they do not have access to, or take with them, any Personal Data. Vista will ensure that no previous employees or external consultants have access rights to the Vista systems holding Personal Data;
(c) use secure/encrypted transfer of Personal Data on the open internet;
(d) ensure appropriate physical security of Personal Data, including:
a. fit appropriate locks or other physical controls to the doors and windows of rooms where computers are kept;
b. destroy or remove all Personal Data from media such as CDs before disposing of them; and
c. ensure that all Personal Data is removed from the hard drives of any used computers before disposing of them.
(e) implement best practice access controls, including:
a. best practice password procedures must be in place, including using strong passwords; and
b. industry standard hard drive encryption for internal or external hard drives; and
(f) ensure suitable firewall and infrastructure logging to ensure the ongoing logging of failed login attempts or attacks on Vista systems, including log of time, user, etc. and block access after a certain number of failed login attempts for each user.
Vista will protect Vista’s networks, systems and logs against tampering.
Vista will have a vulnerability management program, including regular monitoring of potential vulnerabilities and performance of penetration tests of networks and Vista systems.
The vulnerability management program will include, but is not limited to:
(a) performing vulnerability scans on internal and external perimeters at least quarterly;
(b) performing penetration tests on external network perimeters at least annually or more frequently where incidents disclose the need for such tests; and
(c) following up on and remedy of any weaknesses identified in connection with such scans and tests.
Vista will keep Vista networks and systems up to date with regard to new versions, updates, and patches on an ongoing basis.
Vista will perform appropriate reference checks on all new employees.
Vista will provide training to new employees regarding information security and ensure that they read and understand Vista’s internal policies related to information security and data protection. Vista will ensure that employees know where to find details of information security standards and procedures relevant to their role and responsibilities.
Vista will ensure that employees understand what a Personal Data Breach and a Security Incident mean, and train employees to recognise the signs thereof and to respond appropriately.
Vista will have a Security Incident Response Plan (Plan) in place in the event of a serious security incident. The Plan will be regularly reviewed and will be reviewed after every Personal Data Breach and Security Incident in which the Plan is used and updated according to the lessons learned.
Vista will monitor and keep up to date all security measures, processes and risk analyses.
Vista will implement a process for periodical testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the Processing, including, but not limited to, the measures set out in these Terms.
Vista will implement procedures for effectively following up on non-compliance.