1 Definitions and Interpretation

The following definitions and rules of interpretation apply.

1.1 Definitions:

“Controller, Data Subject, Personal Data, Personal Data Breach, Processor, Processing/Process/Processed and Supervisory Authority” are as defined in the UK GDPR.

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the EU and UK, including Regulation (EU) 2016/679 (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018 (“UK GDPR”); the Data Protection Act 2018 (“DPA 2018”); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

“We”, “Us”, “Our” shall mean the Licensor.

1.2 A reference to writing or written includes email but not fax.

2 Personal Data Types and Processing Purposes

2.1 The parties acknowledge that for the purposes of the Data Protection Legislation, You are the Controller and We are the Processor.

2.2 You retain control of the Personal Data and remain responsible for Your compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions You give to Us.

2.3 You warrant that Our expected use of the Personal Data for the provision of the Services and as specifically instructed by You will comply with the Data Protection Legislation.

2.4 The subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which We may process Personal Data to fulfil the Services are:

2.4.1 Data Subjects: Users of the Software.
2.4.2 Categories of Personal Data: Name, address, email address, single sign-on details.
2.4.3 Special Categories of Personal Data: N/A.
2.4.4 Purpose of Processing: To provide the Software.
2.4.5 Duration: The duration of the Agreement.

3 Your Obligations

You shall:

3.1 provide clear and comprehensible written instructions to Us for the Processing of Personal Data to be carried out under the Agreement;

3.2 ensure that You have all the necessary licences, permissions and consents from Data Subjects;

3.3 ensure that You have an applicable legal basis for the transfer of Personal Data to Us and for the processing of that Personal Data by Us; and

3.4 indemnify Us against all loss, liability, damages, costs, fees, claims and expenses which We may incur or suffer by reason of any breach of this DPA or the Data Protection Legislation by You.

4 Our Obligations

4.1 We will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Your written instructions. We will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. We will immediately notify You if, in Our opinion, Your instruction would not comply with the Data Protection Legislation.

4.2 We will promptly comply with any request or instruction from You requiring Us to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

4.3 We will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless You or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Us to process or disclose Personal Data, We will first use reasonable endeavours to inform You of the legal or regulatory requirement and give You an opportunity to object or challenge the requirement, unless the law prohibits such notice.

4.4 We will reasonably assist You with meeting Your compliance obligations under the Data Protection Legislation, taking into account the nature of Our processing and the information available to Us, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

4.5 We will promptly notify You of any changes to Data Protection Legislation that may adversely affect Our performance of the Services.

4.6 You acknowledge that We are free to use meta-data, statistics and such other information derived from the Personal Data We receive from You which cannot be identified as originating or deriving directly from such Personal Data, and cannot be reverse-engineered by a third party such that it can be so identified, for any purpose whatsoever.

5 Our Employees

5.1 We will ensure that any and all employees:

5.1.1 are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
5.1.2 have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
5.1.3 are aware both of Our duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

6 Security

6.1 We will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

6.2 We may update the security measures from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. We will maintain an up-to-date written record of Our then-current security measures, which We shall provide to You on request.

7 Personal Data Breach

7.1 We will promptly and without undue delay notify You if any of Your Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.

7.2 We will without undue delay notify You if We become aware of:

7.2.1 any accidental, unauthorised or unlawful processing of Your Personal Data; or
7.2.2 any Personal Data Breach relating to Your Personal Data.

7.3 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. We will reasonably co-operate with You in Your handling of the matter.

7.4 We will not inform any third party of any Personal Data Breach without first obtaining Your prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.

7.5 Subject to clause 7.4 You have the sole right to determine:

7.5.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Your discretion, including the contents and delivery method of the notice; and
7.5.2 whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

8 Cross-Border Transfers of Personal Data

8.1 You authorise Us to enter into the Standard Contractual Clauses or other appropriate international transfer mechanism with the sub-Processor on Your behalf, if required to ensure the relevant Processing of Personal Data complies with Data Protection Legislation. We will make the executed Standard Contractual Clauses available to You on written request.

9 Sub-Processors

9.1 We may only authorise a third party (sub-Processor) to process the Personal Data if:

9.1.1 You are provided with an opportunity to object to (but not prevent) the appointment of each sub-Processor within 10 days of Us providing You with reasonable details of the forthcoming changes to Our sub-Processors, with such details to be provided by Us updating Our dedicated sub-Processor webpage at Data Sub-Processors;
9.1.2 We enter into a written contract with the sub-Processor that contains terms similar to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Your written request and at Your expense, provide You with copies of such contracts (subject to redaction of any confidential information); and
9.1.3 We maintain control over all Personal Data We entrust to the sub-Processor.

9.2 You authorise Us to use sub-Processors set out on Our dedicated sub-Processor webpage at Data Sub-Processors, which We may update from time to time and such updates are deemed approved by You. You may object to any new appointments by contacting Us. These sub-Processors include but are not limited to the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support.

9.3 Where the sub-Processor fails to fulfil its obligations under such written agreement, We remain fully liable to You for the sub-Processor’s performance of its agreement obligations.

10 Complaints, Data Subject Requests and Third-Party Rights

10.1 We will take such technical and organisational measures as may be appropriate, and promptly provide such information to You as You may reasonably require, to enable You to comply with:

10.1.1 the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
10.1.2 information or assessment notices served on You by any supervisory authority under the Data Protection Legislation.

10.2 We will notify You immediately if We receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

10.3 We will notify You without undue delay if We receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

10.4 We will give You Our full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

10.5 We will not disclose the Personal Data to any Data Subject or to a third party other than at Your request or instruction, as provided for in this DPA or as required by law.

11 Data Return and Destruction

11.1 At Your request, We will give You a copy of or access to all or part of Your Personal Data in Our possession or control in a commonly accessible and electronic format determined by Us.

11.2 On termination of the Services for any reason or expiry of its term, We will promptly securely delete or destroy or, if directed in writing by You, return and not retain, all or any Personal Data related to this DPA in Our possession or control. This requirement shall not apply to Personal Data which We have archived on Our backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by Us using those backups to restore Our systems).

11.3 Clause 11.2 shall not apply to the extent any law, regulation, or government or regulatory body requires Us to retain any documents or materials that We would otherwise be required to return or destroy.

12 Records

12.1 We will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data We carry out for You (“Records”) and provide You with copies of the Records upon request.