Terms of Data Processing

Last updated on March 06, 2025

1.     Introduction

1.1.       These data processing terms (“Data Processing Terms”) form part of and regulate the processing of personal data related to the provision of the Link My Books service (the “Service”) under the subscription made by the client by subscribing to the service and accepting the terms and conditions related to the service available at: https://linkmybooks.com/terms-of-service, from time to time (the “Terms and Conditions”).

2.     Definitions

2.1.       Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given in the Data Protection Legislation.

2.2.       Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party. For the purposes of these Data Processing Terms, the client subscribing to the service shall be a Controller and PDLC Tech Ltd being the service provider under the Terms and Conditions shall be a Processor.

3.     Scope

3.1.       These Data Processing Terms regulate the Processor's Processing of Personal Data on behalf of the Controller, and outline how the Processor shall contribute to ensuring privacy on behalf of the Controller and its registered Data Subjects, through technical and organisational measures according to applicable privacy legislation, including the Data Protection Legislation.

3.2.       The purpose for the Processor’s Processing of Personal Data on behalf of the Controller is to provide the Service under the Terms and Conditions.

3.3.       These Data Processing Terms take precedence over any conflicting provisions regarding the Processing of Personal Data in the Service or in other former agreements or written communication between the Parties.

3.4.       These Data Processing Terms are valid as long as the Processor Processes Personal Data on behalf of the Controller.

4.     Processor’s obligations

4.1.       The Processor shall only Process Personal Data on behalf of and in accordance with the Controller’s written instructions. By subscribing to the Service under the Terms and Conditions, the Controller instructs the Processor to process Personal Data in the following manner: (i) only in accordance with applicable law, (ii) to fulfill all obligations according to the Terms and Conditions, (iii) as further specified via the Controller’s ordinary use of the Processor’s Service and (iv) as specified in these Data Processing Terms.

4.2.       The Processor has no reason to believe that legislation applicable to it prevents the Processor from fulfilling the instructions mentioned above. The Processor shall, upon becoming aware of it, notify the Controller of instructions or other Processing activities by the Controller which, in the opinion of the Processor, infringe applicable privacy legislation.

4.3.       The Processor shall ensure that the confidentiality, integrity and availability of Personal Data are in accordance with the privacy legislation applicable to the Processor. The Processor shall implement systematic, organisational and technical measures to ensure an appropriate level of security, taking into account the state of the art and cost of implementation in relation to the risk represented by the Processing, and the nature of the Personal Data to be protected.

4.4.       The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible and taking into account the nature of the Processing and the information available to the Processor, in fulfilling the Controller’s obligations under applicable privacy legislation with regard to requests from Data Subjects, and general privacy compliance under the Data Protection Regulation.

4.5.       If the Controller requires information or assistance regarding security measures, documentation or other forms of information regarding how the Processor processes Personal Data, and such requests exceed the standard information provided by the Processor to comply with applicable privacy legislation as Processor, the Processor may charge the Controller for such request for additional services.

4.6.       The Processor and its staff shall ensure confidentiality concerning the Personal Data subject to Processing in accordance with the Terms and Conditions. This provision also applies after the termination of the Agreement.

4.7.       The Processor will, by notifying the Controller without undue delay, enable the Controller to comply with the legal requirements regarding notification to data authorities or Data Subjects about privacy incidents.

4.8.       Further, the Processor will, to the extent it is appropriate and lawful, notify the Controller of (i) requests for the disclosure of Personal Data received from a Data Subject, (ii) requests for the disclosure of Personal Data by governmental authorities, such as the police.

4.9.       The Processor shall ensure that persons that have the right to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.10.       The Processor will not respond directly to requests from Data Subjects unless authorised by the Controller to do so. The Processor will not disclose information tied to this Agreement to governmental authorities such as the police, hereunder Personal Data, except as obligated by law, such as through a court order or similar warrant.

4.11.       The Processor does not control if and how the Controller uses third party integrations through the Processor's API or similar, and thus the Processor has no ownership of risk in this regard. The Controller is solely responsible for third party integrations.

4.12.       The Processor might Process Personal Data about users and the Controller’s use of the Service when it is necessary to obtain feedback and improve the service. The Controller grants the Processor the right to use and analyze aggregated system activity data associated with your use of the Services for the purposes of optimizing, improving or enhancing the way the Processor provides the services and to enable the Processor to create new features and functionality in connection with the services. PDLC Tech Ltd shall be considered the Controller for such processing and the processing is therefore not subject to these Data Processing Terms.

4.13.       When using the service, the Controller will add data to the Software (“Customer Data”). The Controller acknowledges and does not object to the Processor using Customer Data in an aggregated and anonymized format for improving the services delivered to customers, research, training, educational and/or statistical purposes.

5.     Nature and Purpose of Processing

Nature and purpose

5.1.       The Processor processes the Personal Data in order to provide the Service for the Controller. During the provision of the Service, the Processor processes Personal Data for the following purposes: provision of the Service and any ancillary services (if applicable), invoicing, cyber security and preventing misuses of the Service. The nature of processing in most cases involves the following: collection, structuring, storage, alteration, retrieval, use, analysing, disclosure by transmission, anonymisation, erasure, and destruction.

Subject and term

5.2.       The Processor processes Personal Data as long as it is necessary for the purposes set forth above in Section 5.1.

Categories of Data Subjects and Personal Data

5.3.       The Controller and/or the users add Personal Data into the Service and thus, the Controller decides what Personal Data the Processor processes and who the Data Subjects are. Customarily these include the following categories of Data Subjects: Controller’s customers or Controller’s customer’s end-customers.

5.4.       The Processing of Personal Data by the Processor customarily covers the following categories of Personal Data: postal address, country of delivery.

6.     Controller’s rights and obligations

6.1.       The Controller confirms that:

         6.1.1. The Controller has legal authority to process and disclose to the Processor (including any subprocessors used by the Processor) the Personal Data in question.

         6.1.2. The Controller has the responsibility for the accuracy, integrity, content, reliability and lawfulness of the Personal Data disclosed to the Processor.

         6.1.3. The Controller has fulfilled its duties to provide relevant information to Data Subjects and authorities regarding processing of Personal Data according to mandatory data protection legislation.

         6.1.4. The Controller shall, when using the services provided by the Processor under the Services Agreement, not communicate any Sensitive Personal Data to the Processor, unless this is explicitly agreed between the parties.

7.     Use of subprocessors and transfer of data

7.1.       As part of the delivery of Service to the Controller according to the Terms and Conditions and these Data Processing Terms, the Processor will make use of subprocessors and the Controller gives its general consent to usage of subprocessors. Such subprocessors can be other companies within the Visma group or external third party subprocessors. All subprocessors that have access to the Controller’s Personal Data are listed on the website of the Processor. The Processor shall ensure that subprocessors agree to undertake responsibilities corresponding to the obligations set out in these Data Processing Terms.

7.2.       The Processor may engage other EU/EEA located companies in the Visma group as subprocessors without prior approval or notification to the Controller. This is usually for the purposes of development, support, operations etc. The Controller may request more detailed information about subprocessors.

7.3.       If the subprocessors are located outside the EU or the EEA, the Controller gives the Processor authorisation to ensure proper legal grounds for the transfer of Personal Data out of the EU/EEA on behalf of the Controller. To comply with these requirements the Processor must comply with the following conditions:

         7.3.1. The Processor is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The Processor must identify, in writing, the territory that is subject to such adequacy regulations; or

         7.3.2. The Processor participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Processor (and, where appropriate, the Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required under Article 46 of the UK GDPR and EU GDPR. The Processor must identify, in writing, the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Processor must immediately inform the Controller of any change to that status; or

         7.3.3. The transfer otherwise complies with the Data Protection Legislation for reasons set out in writing by the Processor.

7.4.       The Processor shall notify the Controller in advance of any changes of subprocessors that Process Personal Data by way of using the normal communication channels used by the Processor. The Controller may object to a new subprocessor within 30 days after a notification is given for legitimate reasons. In this case, the Processor and Controller shall review the documentation of the subprocessor's compliance efforts in order to ensure fulfillment of applicable privacy legislation. If the Controller still objects and has reasonable grounds for this, the Controller cannot reserve themselves against the use of such a subprocessor due to the nature of the Service being an online standard software, but the Controller may terminate the Service for which the subprocessor in dispute is being used, in accordance with the Terms and Conditions.

8.     Security

8.1.       The Processor is committed to provide a high level of security in its products and services. The Processor provides its security level through organisational, technical and physical security measures, according to the requirements on information security measures outlined in the Data Protection Legislation.

8.2.       The Controller agrees that it is responsible for independently determining whether the security provided for the Personal Data adequately meets the Controller’s obligations under the applicable data protection laws. The Controller is furthermore responsible for its own secure use of the Service, including protecting the security of Personal Data in transit to and from the Service and securely backing up or encrypting any such Personal Data outside the Service to the extent deemed necessary by the Controller.

9.     Audit rights

9.1.       The Controller may audit the Processor’s compliance with these Data Processing Terms up to once a year. If required by legislation applicable to the Controller, the Controller may request audits more frequently. To request an audit, the Controller must submit a detailed audit plan at least four weeks in advance of the proposed audit date to the Processor, describing the proposed scope, duration, and start date of the audit. If any third party is to conduct the audit, it must as a main rule be mutually agreed between the Parties. However, if the processing environment is a multitenant environment or similar, the Controller gives the Processor authority to decide, due to security reasons, that audits shall be performed by a neutral third party auditor of the Processor’s choosing.

9.2.       If the requested audit scope is addressed in an ISAE, ISO or similar assurance report performed by a qualified third party auditor within the prior twelve months, and the Processor confirms that there are no known material changes in the measures audited, the Controller agrees to accept those findings instead of requesting a new audit of the measures covered by the report.

9.3.       In any case, audits must be conducted during regular business hours at the applicable facility, subject to the Processor's policies, and may not unreasonably interfere with the Processor's business activities.

9.4.       The Controller shall be responsible for any costs arising from the Controller’s requested audits. Requests for assistance from the Processor may be subject to fees.

10.       Term and Termination

10.1.       These Data Processing Terms are valid for as long as the Processor processes Personal Data on behalf of the Controller under the Terms and Conditions.

10.2.       These Data Processing Terms are automatically terminated upon termination of the subscription of the Service under the Terms and Conditions. Upon termination of these Data Processing Terms, the Controller may upload the Personal Data from the Service. The Processor will delete Personal Data processed on behalf of the Controller, according to the applicable clauses in the Terms and Conditions. Such deletion will take place as soon as reasonably practicable, unless local law requires further storage.

11.     Changes and amendments

11.1.       If any provisions in this Agreement become void, this shall not affect the remaining provisions. The Parties shall replace the void provision with a lawful provision that reflects the purpose of the void provision.

11.2.       If the Controller changes the contact person(s) provided to the Processor in connection with the subscription, the Controller must inform the Processor of this in writing.

12.     Liability

12.1.       For the avoidance of doubt, the Parties agree and acknowledge that each Party shall be liable for and held accountable to pay administrative fines and damages directly to data subjects which the Party has been imposed to pay by the data protection authorities or authorized courts according to applicable privacy legislation. Liability matters between the Parties shall be governed by the liability clauses in the Terms and Conditions between the Parties.

13.     Governing law and legal venue

13.1.       This Agreement is subject to the governing law of England and Wales.
