Data Processing Agreement
- Last updated on August 31, 2022 at 4:21 PM
A.
This agreement is supplemental to any other separate agreement entered into between the parties and introduces further contractual provisions to ensure the Controller and the Processor comply with their respective obligations under the GDPR in respect of the data processing.
B.
Recital 81 and Article 28 of the GDPR place certain obligations upon a Controller to ensure that the Processor it engages under the terms of this agreement provides sufficient guarantees in terms of: i) expert knowledge, ii) reliability and resources, iii) ability to implement technical and organisational measures which will meet the requirements of the GDPR, including for the security of processing.
C.
The Controller must also take into account the specific tasks and responsibilities of the Processor under this agreement in the context of the processing to be carried out and the risks to the rights and freedoms of the data subject.
D.
This agreement exists to ensure that there are sufficient guarantees in place as required by the GDPR and that the processing complies with the obligations imposed on both the Controller and the Processor under the GDPR.
- Definitions
- "Data" is defined in Clauses 5 & 6.
- “Data Subject” shall have the same meaning as set out in Article 4 (1) of the GDPR and means an identified or identifiable natural person
- “EEA” means the European Economic Area – the 27 Member States of the European Union plus Iceland, Liechtenstein and Norway
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council)
- “Incident” has the same meaning as a personal data breach in Article 4 (12) of the GDPR and means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed under the terms of this agreement
- “Processing” shall mean any operation or set of operations which is/are performed upon data (whether or not by automatic means) including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Such processing may be wholly or partly by automatic means, or processing otherwise than by automatic means of data which form part of a filing system or are intended to form part of a filing system. A filing system shall mean any structured set of data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis.
Application
(a) This agreement shall apply to all data processed from the date of this agreement by the Processor on behalf of the Controller until the date of termination of this agreement.
Purpose of processing
a) The Processor shall process the data it processes on behalf of the Controller solely for the provision of the sending and receiving of SMS (text messages) in accordance with the written instructions of the Controller (including when making a transfer of personal data to countries outside the EEA), unless required to do so by law. Where the Processor is required by law to carry out any processing, it must inform the Controller of that processing unless the Processor is prohibited under the relevant law from notifying the Controller. The Processor shall not process the data for any other purpose except with the express written consent of the Controller.
b) The Controller confirms and warrants that the processing of the data, including the transfer of the data to the Processor, has been and will continue to be carried out in accordance with the relevant provisions of the GDPR and does not violate the relevant provisions of the law of the EEA country in which the Controller is established.
Duration of processing
a) The Processor shall process the data for as long as requested by the Controller.
Types of personal data
The Processor will process the following types of personal information:
a) personal details
b) contact details
c) SMS content composed by the Controller, which may include:
- financial details
- employment and education details
- details of complaints, incidents and grievances
- visual images, personal appearance and behaviour
- responses to surveys
- behavioural data
- profile data
- social media data
- tracking data from web activity
Categories of data subjects
The Processor will process information about the following categories of data subjects:
- customers
- prospective customers
- witnesses
- employees
- students
- suppliers
- complainants or their representatives
- subject of a complaint or their representatives
- individuals contacted when responding to a complaint or enquiry
- service providers
- lobbyists
- offenders and suspected offenders
- applicants for a licence or registration
- authors, publishers and other creators
- individuals captured by CCTV images
- consultants and advisers
- survey respondents
- journalists and the media
Security and confidentiality of data
a) The Processor and the Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
b) Both the Controller and Processor shall take into account the following when determining the measures:
1. the state of the art, and
2. the cost of implementation of the measures, and
3. the nature, scope context and purposes of processing, and
4. the risk of varying likelihood and severity for the rights and freedoms of individual Data Subjects.
c) The Controller and Processor agree that the security measures taken in accordance with Clause 7 (a) of this agreement, after assessment against the requirements of the GDPR, are appropriate to protect data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.
d) The measures taken shall include amongst others the following items, where appropriate, from the non-exhaustive list below:
1. the pseudonymisation and encryption of data
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
3. the ability to restore the availability of and access to data in a timely manner in the event of a physical or technical incident
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
e) The Controller and the Processor may use adherence to an approved code of conduct as referred to in Article 40 of the GDPR, or an approved certification mechanism as referred to in Article 42, as an element by which to demonstrate compliance with the requirements set out above in Clause 7 (a), (b), (c) and (d) of this agreement.
f) The Processor shall ensure that each of its employees, agents or subcontractors is made aware of their obligations with regard to the security and protection of the data and shall require that they enter into binding obligations with the Processor in order to maintain the levels of security, protection and confidentiality provided for in this agreement.
g) The Processor shall not divulge the data, whether directly or indirectly, to any person, firm or company without the express consent of the Controller, except to those of its employees, agents and subcontractors who are engaged in the processing of the data and are subject to the binding obligations referred to in Clause 7 (f) of this agreement above.
Incident reporting
a) The Processor must have effective processes for the identification, management and reporting of incidents. Any incident, suspected or actual, involving the Controller’s data must be reported immediately to the Controller. An incident may include but not be limited to:
- Security breach or fraud
- Misuse of relevant system storing Controller’s data
- Misuse, loss or corruption of the Controller’s data
- Unauthorised access to, use of, alteration, amendment or deletion of Controller’s data
- Physical security incident
- Any unapproved requirement to disclose Controller’s data to a third party
b) The Processor will be expected to promptly investigate any such incident, provide status updates throughout the incident, where appropriate cooperate with reasonable Controller requests during the management of the incident or permit the Controller to support the management of the incident, and send a written report to the Controller describing the nature of the incident, stating any control weaknesses discovered and any actions taken or planned. A plan to implement any reasonable additional controls, whether identified by the Processor or the Controller, to prevent or reduce the likelihood of a similar incident must be agreed and monitored.
c) The Processor will assist the Controller in informing Data Subjects if there has been an incident involving the Processor.
d) The Processor will assist the Controller in informing any relevant supervisory authority of an incident.
Processor’s appointment of a sub-processor
a) The Controller consents to the Processor engaging further processors (sub-processors) to carry out specific processing activities on behalf of the Controller, on condition that the Processor imposes the same data protection obligations as set out in this agreement on such sub-processors, to the extent applicable to the nature of the services provided by the sub-processor, by way of a written contract or other legal act in accordance with applicable data protection law.
b) The Processor will not engage a second-tier sub-processor (a sub-processor of a sub-processor) to process the Controller’s data.
Data Subjects' rights
a) The Processor shall have appropriate technical and organisational measures, taking account of the nature of the processing and in so far as this is possible, to assist the Controller in fulfilling its obligation to respond to requests for the exercise of the following Data Subject’s rights:
- information rights under Articles 13 and 14 of the GDPR
- right of access by the Data Subject under Article 15 of the GDPR
- right to rectification under Article 16 of the GDPR
- right to erasure under Article 17 of the GDPR
- right to restriction of processing under Article 18 of the GDPR
- notification regarding the right of rectification and/or erasure of personal data and/or restriction of processing under Article 19 of the GDPR
- right to data portability under Article 20 of the GDPR
Assisting the Controller
a) The Processor will assist the Controller, taking into account the nature of the processing and the information available to the Processor, to meet the Controller’s obligations
- to keep data secure in accordance with Article 32 of the GDPR
- to notify incidents in accordance with Article 33 of the GDPR
- to advise Data Subjects when there has been an incident in accordance with Article 34 of the GDPR
- to carry out data protection impact assessments (DPIAs) in accordance with Article 35 GDPR
- to consult with the Controller’s supervisory authority where a DPIA indicates there is an unmitigated high risk in accordance with Article 36 of the GDPR
b) The Processor will immediately pass on any notices, requests or other communications from a Data Subject. The Processor will not act on any request from a Data Subject without the full written authority of the Controller.
c) If a data protection impact assessment indicates that there is an unmitigated high risk to the rights and freedoms of the Data Subject, the Processor will assist the Controller in consulting with the relevant supervisory authority or authorities.
Audit, inspections and legal processing
a) The Processor must provide the Controller with all the information that is needed to show that both the Processor and the Controller have met their obligations under Article 28 of the GDPR. If the Processor provides reasonable assurance, such as security accreditations, and the Controller still wishes to audit, the audit will be carried out at commercial cost to the Controller.
Processor’s responsibilities and liabilities under the GDPR
a) The Processor is aware that it may be subject to enforcement action by any relevant data protection supervisory authority to which the Controller is subject under Article 58 (Powers of the supervisory authority) of the GDPR.
b) The Processor is aware that if it fails to meet its obligations as set out in this agreement and under Article 83 (General conditions for imposing administrative fines) of the GDPR, it may be subject to an administrative fine.
c) The Processor is aware that if it fails to meet its obligations under GDPR, it may be subject to a penalty under Article 84 (Penalties) of the GDPR.
d) The Processor is aware that if it fails to meet its obligations under GDPR, it may have to pay compensation to individual Data Subjects under Article 82 (right to compensation and liability) of the GDPR.
e) The Processor will appoint a data protection officer, if required in accordance with Article 37 (designation of the data protection officer) of the GDPR.
f) The Processor will appoint (in writing) a representative within the European Union if required because it is not established in the European Union and the provisions of Article 3 (2) apply, in accordance with Article 27 (representatives of controllers or processors not established in the Union) of the GDPR.
- Liability
The Processor's liability to the Controller for any loss or damage of whatsoever nature suffered or incurred by the Controller or for any liability of the Controller to any other person for any loss or damage of whatsoever nature suffered or incurred by that person shall to the extent permitted by law not exceed £250, unless superseded by a separate agreement.
Termination
a) Subject to Clause 15 (b), either party may terminate this agreement upon giving 1 month’s prior written notice to the other. Upon the date of termination of this agreement, the Processor shall, at the Controller’s choice, return to the Controller or delete any data received from the Controller.
The Processor shall not be obliged to return or delete any data received from the Controller which:
- has already been deleted in the normal course of events, or
- the Processor is required to retain by law.
b) Notwithstanding termination of this contract, the provisions of this agreement shall survive the termination of this agreement and shall continue in full force and effect for a period of 2 years from the date of termination of the agreement. The obligations contained in Clause 7 of this agreement (Security and Confidentiality of Data) and Clause 8 of this agreement (Incident Reporting) shall continue indefinitely.
- Assignment
This agreement shall not be transferred or assigned by either party except with the prior written consent of the other.
- Jurisdiction
This agreement shall be governed by and construed in accordance with the law of England and Wales and the parties shall submit to the exclusive jurisdiction of the Courts of England and Wales.