DATA PROCESSING AGREEMENT
- 1 For the purposes of this Agreement, the following terms shall have their respective meanings set forth below:
- a. “EEA” means the European Economic Area.
- b. “EU & UK Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”), including any applicable national implementations of it; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) (as amended, replaced or superseded).
- Post-Brexit note: On 28 June 2021, the European Union (EU) approved adequacy decisions for the UK under the EU GDPR and the Law Enforcement Directive (LED). This means personal data can continue to flow from the EU and EEA to the UK as it did before, in the majority of circumstances. Both decisions are expected to last until 27 June 2025. The General Data Protection Regulation has been retained in UK law as the UK GDPR. The ICO guidance this note is drawn from is aimed at UK businesses that receive data from, or have offices in, the EU and EEA. Source: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/overview-data-protection-and-the-eu/
- c. “Controller” means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- d. “Processor” means an entity which processes Personal Data on behalf of a Controller.
- e. “Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”) that the Company may process on behalf of the Controller as part of the supply of the Software and/or Services.
- f. “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- g. “Sub-processor” means an entity which processes Personal Data on behalf of a Processor or sub-processor.
- Roles and responsibilities
- Parties’ Roles. The Company is appointed by the Customer to process the Personal Data described in Annex A on behalf of the Customer.
- Purpose Limitation. The Company shall process the Personal Data solely for the purposes described in Annex A and only in accordance with the lawful, documented instructions of the Customer, except where otherwise required by applicable law. This Agreement sets out the Customer’s complete instructions to the Company in relation to the processing of the Personal Data and any processing required outside of the scope of these instructions will require prior written agreement between the parties.
- Responsibility. The Company shall be responsible for any processing, whether authorized or unauthorized, of Personal Data while such Personal Data is under the Company’s control or in its possession.
- Description of Processing. A description of the nature and purposes of the processing, the types of Personal Data, categories of data subjects, and the duration of the processing are set out further in Annex A.
- Compliance. The Customer shall be responsible for ensuring that:
- it has complied, and will continue to comply, with all applicable law relating to privacy and data protection, including EU & UK Data Protection Legislation, in its use of the Services and its own processing of Personal Data (except as otherwise required by applicable law); and
- it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to the Company for processing in accordance with the terms of this Agreement.
- Security. The Company shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- International Transfers. The Company shall not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the EEA unless (i) it has first obtained the Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with EU & UK Data Protection Legislation.
- Confidentiality of processing. The Company shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
- Security Incidents. Upon becoming aware of a Security Incident: (a) the Company shall notify the Customer without undue delay (but in any event, not more than twenty four (24) hours after becoming aware), shall provide regular updates about such Security Incident, and shall provide such timely information as the Customer may reasonably require, including to enable the Customer to fulfil any data breach reporting obligations under EU & UK Data Protection Legislation; (b) the Company shall not disclose any information regarding the Security Incident without the Customer’s prior express written consent, except as otherwise required for the Company to comply with applicable law; (c) the Company shall reasonably cooperate with and assist the Customer, at the Company’s reasonable expense (except where the breach or security incident was caused by an act or omission of the Customer), to draft disclosures that are required by applicable law for the Customer to use with its customers, the public, or government entities; and (d) the Company shall make commercially reasonable best efforts to promptly mitigate and remedy such Security Incident, and prevent any further Security Incidents or recurrence thereof.
- Sub-processing by the Company
- Company’s Sub-processors. The Customer agrees that the Company may engage third party Sub-processors to process the Personal Data on the Company’s behalf and that such Sub-processors must do so in accordance with this section (Sub-processing by the Company). The Sub-processors currently engaged by the Company and authorized by the Customer are: Proserve, Six Degrees, Message Bird and ZenDesk. The Company shall notify the Customer in advance of appointing any new Sub-processor, by e-mail to the e-mail address set out in the Agreement.
- Objection to Sub-processors. The Customer may object in writing to the appointment of an additional Sub-processor within fifteen (15) calendar days after receipt of the Company’s notice given in accordance with the notification mechanism set out in the preceding paragraph (Company’s Sub-processors). In the event that the Customer objects on reasonable grounds relating to the protection of the Personal Data, the parties shall discuss commercially reasonable alternative solutions in good faith. If no resolution can be reached, the Company will, at its sole discretion, either not appoint such Sub-processor, or permit the Customer to suspend or terminate the affected service in accordance with the termination provisions of the Agreement.
- Sub-processor obligations. Where a Sub-processor is engaged by the Company as described in this section, the Company shall:
- restrict the Sub-processor’s access to Personal Data only to what is necessary for the Sub-processor to perform the subcontracted services;
- impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this Agreement; and
- remain liable for any breach of this Agreement caused by a Sub-processor.
- Cooperation and data subjects’ rights. The Company shall, taking into account the nature of its processing, provide reasonable assistance to the Customer insofar as this is possible, to enable the Customer to respond to requests from a data subject seeking to exercise their rights under EU & UK Data Protection Legislation. In the event that such request is made directly to the Company, the Company shall promptly inform the Customer of the same.
- Data Protection Impact Assessments. The Company shall, to the extent required by EU & UK Data Protection Legislation and at the Customer’s reasonable expense, taking into account the nature of the processing and the information available to the Company, provide the Customer with commercially reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that the Customer may be required to carry out under EU & UK Data Protection Legislation.
- Security reports and audits. The Company shall permit the Customer (or its appointed third party auditors) to audit the Company’s compliance with this Schedule, and shall make available to the Customer all information, systems and staff necessary for the Customer (or its third party auditors) to conduct such audit. The Company acknowledges that the Customer (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that the Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to the Company’s operations. The Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the Customer believes a further audit is necessary due to a Security Incident.
- Deletion of data
- Deletion of data: Upon termination or expiry of the Agreement, the Company shall delete the Personal Data (including copies) in the Company’s possession, save to the extent that the Company is required by applicable law to retain some or all of the Personal Data.
- A material breach of this Schedule shall be deemed a material breach of the Agreement.
DESCRIPTION OF PROCESSING
Nature and purposes of processing
The Company is a UK- and EU-based provider of cloud-based transactional and marketing email delivery, management and analytics services. These services will consist primarily of sending and delivering e-mail communications on behalf of the Customer to recipients, containing such content as is determined by the Customer in its sole discretion. The Company will also provide the Customer with analytic reports concerning the e-mail communications it sends on behalf of the Customer. Otherwise, the data processing will involve any such processing as is necessary for the purposes set out in this Agreement or as otherwise agreed between the parties.
Categories of data subjects
The Personal Data transferred concern any data subject who is a sender, recipient or copy recipient of an email which the Customer instructs the Company to deliver and manage.
Categories of Personal Data
The Personal Data transferred may concern the following categories of personal data for the data subjects:
- Sender, recipient and copy recipient identification information (first and last name) and contact information (address, telephone number (fixed and mobile), e-mail address, fax number); and
- Any other personal data that the Customer chooses to include within the body of an e-mail that it sends using the Company’s services.
Special categories of data (if appropriate)
None.
Duration of processing
The Personal Data will be processed by the Company in accordance with the Customer’s instructions and to the extent required to provide the Software and Services for the term of the Agreement, and will be delivered or destroyed at the Customer’s election and in accordance with paragraph 10 of Schedule 4 to this Agreement, or as otherwise required by law.