This Data Processing Addendum amends any underlying agreement only to the extent required for the Processing of Personal Data.
1.1. Controller: Further defined as the natural or legal person, public authority, agency or other body which determines the purposes and means of the Processing of Personal Data.
1.2. EU: The European Union
1.3. GDPR: General Data Protection Regulation of the EU
1.4. Member State: A member state of the EU
1.5. Personal Data: Any information relating to an identified or identifiable natural person (Data Subject) that is available to the Processor or a Subprocessor as a direct or indirect result of the provision of services by the Processor to the Controller
1.6. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed
1.7. Processing:Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means and whether or not on behalf of the Controller, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
1.8. Processor: Further defined as the natural or legal person, public authority, agency or other body who Processes Personal Data on behalf of the Controller
1.9. Standard Data Protection Clauses: Clauses that can be used as appropriate safeguards when transferring Personal Data to countries without an adequate level of protection; as further defined in article 46(2)(c) GDPR and article 46(2)(d) GDPR
1.10. Subprocessor: A natural or legal person, public authority, agency or body other than the Data Subject who, under contract with the Processor, indirectly Processes Personal Data on behalf of the Controller
1.11. Supervisory Authority: An independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
The definitions in this article should, as far as possible, be interpreted in line with the GDPR.
2.1. The Controller has engaged the Processor to perform and deliver certain services which may require the Processor to Process Personal Data on behalf of the Controller.
2.2. Appendix A is an integral part of this agreement and contains details about the Processing of Personal Data by the Processor.
2.3. Appendix B is an integral part of this agreement and contains contact details of the main contact persons of both Parties and the data protection officers of both Parties (if appointed).
2.4. The Processor shall comply with applicable laws and regulations.
3. Instructions by Controller
3.1. The Processor agrees that it shall only carry out Processing of Personal Data on instructions of the Controller as set out in this agreement or as otherwise notified by the Controller to the Processor during the term of this agreement. All instructions for the Processing of Personal Data by the Processor must be in writing.
3.2. The Processor may Process the Personal Data outside of the instructions of the Controller if the Processor is required to do so by EU or Member State laws or regulations to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless those laws or regulations prohibit such information on important grounds of public interest.
4.1. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include, among other measures, as appropriate:
- the pseudonymisation and encryption of Personal Data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing of Personal Data
4.2. The Processor shall in assessing the appropriate level of security take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
4.3. The Processor shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Personal Data does not Process them except on instructions from the Controller, unless he or she is required to do so by EU or Member State laws or regulations. The Processor will obligate those natural persons to inform it of any Processing outside of the instructions of the Controller based on such a requirement; any information received by the Processor under this obligation will be relayed to the Controller.
5. Data Protection Officer
5.1. The Processor shall designate, as the case may be, a Data Protection Officer as prescribed in the GDPR.
5.2. The Processor shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. The Processor shall ensure the reliability and integrity of any employees who have access to Personal Data and that all employees involved in the Processing of Personal Data have undergone adequate training in the care, protection and handling of Personal Data.
6. Cooperation and information
6.1. The Processor shall promptly refer to the Controller, any queries from Data Subjects whose Personal Data is being Processed, the Supervisory Authority or any other law enforcement authority, for the Controller to resolve.
6.2. The Processor shall at no additional cost, promptly provide such information and assistance to the Controller as the Controller may reasonably require to allow it to comply with requirements of the GDPR, including, but not limited to, information and assistance relating to Data Subjects access to Personal Data, Personal Data Breaches, data protection impact assessments or any relevant information or assessment notices served by the Supervisory Authority.
6.3. The Processor, upon request, makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this agreement. With regards to this clause, the Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
7.1. The Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, such as the rights to access and erasure.
8. Data breach
8.1. The Processor shall notify the Controller of any Personal Data Breach, as soon as it becomes aware or has a reasonable suspicion of any Personal Data Breach and keep the Controller informed of any related actions or developments.
8.2. In the case of a Personal Data Breach the Processor will assist the Controller in meeting its obligations under article 33 and 34 of the GDPR to inform the competent Supervisory Authority and Data Subjects.
9.Transfer outside of EU
9.1. The Processor will not Process or permit the Processing of Personal Data outside the EU unless:
- the Processor has obtained prior written consent from the Controller; and
- the transfer complies with chapter V of the GDPR titled ‘Transfers of Personal Data to third countries or international organisations
9.2. The Processor will not use Standard Data Protection Clauses to legitimize the transfer of Personal Data outside of the EU, unless, and only in so far as, it is explicitly allowed by the European Commission and/or Supervisory Authority to amend and merge the Standard Data Protection Clauses with other clauses.
10.1. The Processor may only subcontract the Processing of Personal Data under this agreement to a Subprocessor if the Processor:
- has provided reasonable prior notice to the Controller of the identity and location of the Subprocessor and a description of the intended Processing to be subcontracted the Subprocessor to enable the Controller to comply with the applicable data protection laws and regulations, and to evaluate any potential risks to the Personal Data;
- having provided reasonable prior notice to the Controller, has not received any reasonable objection to the subcontracting of the Processing in writing by the Controller within 30 days; and
- has imposed legally binding contractual terms substantially the same as those contained in this agreement on the Subprocessor.
10.2. The Controller has the right to receive a copy, upon request, of all data processing agreements with Subprocessors that are related to the Processing of Personal Data.
10.3. The Controller may require the Processor by notice in writing to cease or suspend the Subcontracting of the Processing of Personal Data to the Subprocessor if, in the Controller’s reasonable opinion, the Subprocessor is unable to comply with the terms of the Subcontractor’s agreement with the Processor.
10.4 A current list of Subprocessors is provided in Appendix B.
11.1. Upon reasonable request of the Controller, the Processor agrees to submit its data Processing facilities, data files and documentation needed for Processing Personal Data (and/or those of its agents, affiliates and Subprocessors) to reviewing, auditing and/or certifying by the Controller (or any independent or impartial inspection agents or auditors, selected by the Controller and not reasonably objected to by the Processor) to ascertain compliance with the warranties and undertakings in this agreement, with reasonable notice and during regular business hours. With regards to this clause, the Processor shall immediately inform the Controller if, in its opinion, a request infringes the GDPR or other EU or Member State data protection provisions.
12. Data retention and disposal
12.1. If any part of Personal Data ceases to be required by the Processor for the performance of its obligations under this agreement, or on termination or expiry of the agreement (whichever is earlier), the Processor shall at the express choice of the Controller (but not otherwise), either return to the Controller all Personal Data that has been obtained or collected in providing the services under this agreement, or delete or destroy all copies of the Personal Data in the Processor’s possession or control and certify to the Controller that it has done so, unless EU or Member State laws or regulations imposed upon the Processor prevents the return or destruction of all or part of the Personal Data. In that case, the Processor shall continue to ensure the confidentiality of Personal Data in its possession and will not actively Process such data any further.
13.1. Each Party to this agreement will indemnify the other against all losses, liabilities, damages, fines (including those from Supervisory Authorities), claims, costs (including legal and other professional costs) and expenses which the other may suffer or incur arising out of or in connection with the failure of the indemnifying Party to comply with any of its obligations in this agreement.
14.1. This Agreement can only be amended by a written and signed agreement between the Parties.
15. Effective date and duration
15.1. This agreement will be effective from the later of (a) 25th May 2018; or (b) the date on which the parties agree to the underlying agreement.15.2. This agreement will terminate automatically upon termination of the underlying agreement.
Appendix A – Details of the Processing
The Processor may need to Process the following Personal Data relating to employees, contractors, suppliers and customers of the Controller while delivering services:
Name, Email Address, Phone Number, Address, Username and IP Address.
The Personal Data may need to be Processed for the following purposes:
- For delivery of backup and recovery services
- For communication by email and phone
- For management of productivity applications
- For delivery of IT services
- For CRM purposes
- For providing quotations
- For email protection and archival
- For malware protection
- For web protection
- For invoicing
Appendix B – Subprocessors
We may use the following subprocessors to assist in providing our services.
We use Datto to deliver, manage and maintain backup, continuity and disaster recovery services. The Personal Data we process in Datto may include names and email addresses. You can find out more about Datto GDPR compliance here.
We use GoCardless to process our invoices for our clients. The personal data we process may include names, addresses and physical addresses.
You can find out more about GoCardless GDPR compliance here.
We use Mailchimp to send service announcements to clients. The Personal Data we process in Mailchimp may include names and email addresses. You can find out more about Mailchimp GDPR compliance here.
We use Microsoft to manage and maintain our and your Office 365 services. The Personal Data we process in Microsoft may include names, email addresses and usernames. You can find out more about Microsoft GDPR compliance in their Onlne Services Terms (OST), which can be downloaded from here.
We use Google to manage and maintain your G Suite services. The Personal Data we process in Google may include names, email addresses and usernames. You can find out more about Google’s GDPR compliance in their Compliance statement, which can be viewed here.