Data Processing Agreement
This Data Processing Agreement is made between the Parties in addition to the obligations set out in the Terms of Service.
All capitalised terms in this Agreement shall have the meaning as prescribed by the Terms of Service unless otherwise specified below.
"Applicable Law" means as applicable and binding on the Client, Company and/or the Services:
(a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, as may be specified in Terms;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party's assets, resources or business;
"Appropriate Safeguards" means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time (including, but not limited to, EU Model Contract Clauses or Privacy Shield certification);
"Data Controller" has the meaning given to that term in Data Protection Laws;
"Data Processor" has the meaning given to that term in Data Protection Laws;
"Data Protection Laws" means as applicable and binding on the Client, Company and/or the Services:
in the United Kingdom:
- the Data Protection Act 1998 and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive); and/or
- the General Data Protection Regulation (EU) 2016/679 (or "GDPR") and/or any corresponding or equivalent national laws or regulations; and/or
- the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations.
- in member states of the European Union: the Data Protection Directive or the GDPR, once applicable, and all relevant member state laws or regulations giving effect to or corresponding with any of them;
- specifically, in relation to the Client, all data protection and/or privacy laws in which recipient Data Subjects are contacted through the Services are located;
- any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;
"Data Protection Losses" means all liabilities, including all:
- costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
to the extent permitted by Applicable Law:
- administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
- compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
- the reasonable costs of compliance with investigations by a Supervisory Authority;
"Data Subject" has the meaning given to that term in Data Protection Laws;
"Data Subject Request" means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
"International Organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an Agreement between two or more countries;
"International Recipient" has the meaning given to that term in clause 6;
"Personal Data" has the meaning given to that term in Data Protection Laws;
"Personal Data Breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
"Processing" has the meanings given to that term in Data Protection Laws;
"Processing Instructions" has the meaning given to that term in clause 3.2.1;
"Protected Data" means Personal Data received from or on behalf of the Client in connection with the performance of the Company's obligations under this Agreement;
"Sub-Processor" means another Data Processor engaged by the Company for carrying out processing activities in respect of the Protected Data on behalf of the Client; and
"Supervisory Authority" means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
1 THE AGREEMENT
1.1 This Agreement will take effect from the Effective Date and shall continue until the end of the Company's provision of the Services (including any period of suspension, where relevant) ("Term").
1.2 To the extent that there is any conflict between this Agreement and the Terms of Service or Software Licence Agreement, the clauses of this Agreement shall prevail.
1.3 In no event shall any party limit its liability with respect to any individual's data protection rights under this Agreement or otherwise. Any penalties issued by a Supervisory Authority and incurred by the Company in relation to Protected Data arising from or in connection with the Client's failure to comply with its obligations under this Agreement or any applicable Data Protection Laws shall reduce any liability of the Company under the Agreement and be considered a liability to the Client under the Agreement.
2 DATA PROCESSOR AND DATA CONTROLLER
2.1 The parties agree that, for the Protected Data, the Client shall be the Data Controller and the Company shall be the Data Processor.
2.2 The Company shall process Protected Data in compliance with:
2.2.1 the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
2.3 The Client shall comply with:
2.3.1 all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
2.3.2 the terms of this Agreement.
2.4 The Client warrants, represents and undertakes, that:
2.4.1 all data sourced by the Client for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Client providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.4.2 all instructions given by it to the Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.5 The Client shall not unreasonably withhold, delay or condition its Agreement to any change or amendment requested by the Company in order to ensure the Services and the Company (and each Sub-Processor) can comply with Data Protection Laws.
3 INSTRUCTIONS AND DETAILS OF PROCESSING
3.1 By entering into this Agreement, Client instructs the Company to process Client Protected Data only in accordance with Applicable Law:
3.1.1 To provide the Services;
3.1.2 As further specified by Client's use of the Services or the Software;
3.1.3 As documented in the form of the Terms of Service and this Agreement; and
3.1.4 As further documented in any other written instructions provided by the Client and acknowledged by the Company as being instructions for the purposes of this Agreement.
3.2 Insofar as the Company processes Protected Data on behalf of the Client, the Company:
3.2.1 unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Client's documented instructions as set out in this clause, as updated from time to time as agreed between the parties (Processing Instructions);
3.2.2 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
3.2.3 shall inform the Client if the Company becomes aware of a Processing Instruction that, in the Company's opinion, infringes Data Protection Laws, provided that:
(a) this shall be without prejudice to clauses 2.3 and 2.4; and
(b) to the maximum extent permitted by mandatory law, the Company shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Client's Processing Instructions following the Client's receipt of that information; and
3.3 The subject matter and details of the processing of Protected Data to be carried out by the Company under this Agreement shall comprise the processing set out in Schedule 1 (Data processing details), as may be updated from time to time as agreed between the parties.
4 TECHNICAL AND ORGANISATIONAL MEASURES
4.1 The Company shall implement and maintain, at its cost and expense and in relation to the processing of Protected Data by the Company, technical and organisational measures taking into account the nature of the processing, to assist the Client insofar as is possible in the fulfilment of the Client's obligations to respond to Data Subject Requests relating to Protected Data.
5 USING SUB-PROCESSORS
5.1 Subject to the below, it may be necessary for the Company to engage Sub-Processors for carrying out specific processing activities in respect of the Protected Data where necessary to deliver the provision of service and meet its obligations under the Terms of Service and this Agreement.
5.2 Subject to the below, the Client specifically authorises the Company's choice and engagement of Sub-Processors.
5.3 The Company shall ensure:
5.3.1 via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this Agreement that is enforceable by the Company; and
5.3.2 remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own, excluding cases where the Client contracts directly with the Sub-Processor.
5.4 In cases where the Client requires the Company to engage a specific Sub-Processor, Clause 6 Variation, in the Terms of Service shall apply.
6 INTERNATIONAL DATA TRANSFERS
6.1 The Client agrees that the Company may transfer any Protected Data to countries outside the European Economic Area (EEA) or to any International Organisation(s) (an International Recipient), provided all transfers by the Company of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be executed by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Agreement shall constitute the Client's instructions with respect to transfers in accordance with clause 3.1.
7.1 The Company shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Company shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).
8 ASSISTANCE WITH THE CLIENT'S COMPLIANCE AND DATA SUBJECT RIGHTS
8.1 The Company shall refer all Data Subject Requests it receives to the Client within three Business Days of receipt of the request, provided that if the number of Data Subject Requests exceeds three per calendar month, the Client shall pay the Company's Charges calculated on a time and materials basis for recording and referring the Data Subject Requests in accordance with this clause 8.1.
8.2 Further to the above and notwithstanding anything to the contrary in the Terms, the Company reserves the right to disclose the identity of the Client to any relevant Data Subject following any such request from a Data Subject.
8.3 The Company shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to the Company) to the Client in ensuring compliance with the Client's obligations under Data Protection Laws with respect to:
8.3.1 security of processing;
8.3.2 data protection impact assessments (as such term is defined in Data Protection Laws);
8.3.3 prior consultation with a Supervisory Authority regarding high risk processing; and
8.3.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach.
9 RECORDS, INFORMATION AND AUDIT
9.1 The Company shall maintain, in accordance with Data Protection Laws binding on the Company, records of all categories of processing activities carried out on behalf of the Client.
9.2 The Company shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate the Company's compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections by a suitably qualified auditor mandated by the Client for this purpose, subject to the Client:
9.2.1 giving the Company reasonable prior notice of such information request, audit and/or inspection being required by the Client;
9.2.2 ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);
9.2.3 ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to the Company's business and the business of other Clients of the Company; and
9.2.4 paying the Company's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
10 BREACH NOTIFICATION
10.1 In respect of any Personal Data Breach involving Protected Data, the Company shall, without undue delay (but in any event within 24 hours) from when the Company becomes aware of the same:
10.1.1 notify the Client of the Personal Data Breach; and
10.1.2 provide the Client, where possible, with details of the Personal Data Breach.
10.2 Notice of a Personal Data Breach as contemplated under 10.1.1 above shall include:
10.2.1 the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
10.2.2 the likely consequences of the Personal Data Breach; and
10.2.3 the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11 DELETION OR RETURN OF PROTECTED DATA AND COPIES
11.1 The Company shall, at the Client's written request, or provide facilities for the Client to either delete or return all the Protected Data to the Client in such form as the Client reasonably requests within a reasonable time after the earlier of:
11.1.1 the end of the provision of the relevant Services related to processing; or
11.1.2 once processing by the Company of any Protected Data is no longer required for the purpose of the Company's performance of its relevant obligations under this Agreement, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, the Company shall inform the Client of any such requirement).
12.1 If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
12.1.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
12.1.2 consult fully with the other party in relation to any such action.
DATA PROCESSING DETAILS
1 Subject-matter of processing
The Company's provision of the Services to the Client.
2 Duration of the processing
From the Effective Date until Termination of the Agreement and deletion of all Protected Data by the Company in accordance with the Agreement.
3 Nature and purpose of the processing
The Company will process Client Protected Data for the purposes of providing the Services to the Client in accordance with the Agreement and the Terms of Service.
4 Type of Personal Data
Data relating to the Client and the Client's Customers provided to the Company via the provision of the Services by or at the direction of the Client or Customer of the Client.
5 Categories of Data Subjects
Data subjects include the Client and the Client's Customers about whom data is provided to the Company via the Services by or at the direction of Client or Customer of the Client.