Data Processing Agreement

The purpose of this Data Processing Agreement (“DPA”) is to set out each party’s obligations relating to the personal data processed by the parties pursuant to the Master Services Agreement (“Agreement”) entered into between them and to which this DPA is incorporated.

  1. Definitions

Defined terms in the Master Services Agreement have the same meaning where used in this DPA unless otherwise defined below.

Appropriate Safeguards

means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Applicable Law

means as applicable and binding on Customer, the Supplier and/or the Services:

  1. any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject;
  2. any court order, judgment or decree; or
  3. any direction, policy, rule or order that is made or given by any regulatory body having jurisdiction over a party;

Controller

means the entity which determines the purposes and means of the Processing of Personal Data;

Data Protection Laws

means all laws and regulations applicable to the Processing of Personal Data under the Agreement;

Data Subject

means the identified or identifiable person to whom Personal Data relates;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

Data Protection Laws

has the meaning given in the Agreement;

Data Protection Losses

means all losses and liabilities, including all:

  1. costs (including legal costs), claims, demands, actions, settlements, interest, charges, expenses, losses and damages; and
  2. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; and
  3. compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and
  4. the reasonable costs of compliance with investigations by a Supervisory Authority;
  5. costs of investigation including forensic investigation;
  6. cost of breach notification including notifications to the Data Subjects; and
  7. cost of complaints handling including providing Data Subjects with credit reference checks, setting up contact centres (e.g. call centres), producing end customer communication materials, provision of insurance to end customers (e.g. identity theft), and reimbursement of costs incurred by end customers (e.g. changing locks);

International Recipient

has the meaning given to that term in clause 7.2;

Personal Data

means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws);

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processor

means the entity which Processes Personal Data on behalf of the Controller;

Processing

means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given to that term in clause 3.2;

Protected Data

means Personal Data provided to the Supplier by the Customer, or otherwise received by the Supplier in connection with the Services, pursuant to the Agreement;

SCCs

means the European Commission approved Standard Contractual Clauses for the transfer of Personal Data from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws of the foregoing territories;

Services

means the services provided to Customer by the Supplier pursuant to the Agreement;

Sub-Processor

means another Processor engaged by the Supplier for carrying out processing activities in respect of the Protected Data on behalf of the Supplier;

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

Working Day

means Monday to Friday inclusive excluding bank and public holidays in the UK.

  2. Roles And Obligations
    1. The parties agree that, for the Protected Data, Customer shall be the Controller and the Supplier shall be the Processor.
    2. The Supplier shall process the Protected Data in compliance with the obligations of Processors under Data Protection Laws and the terms of this DPA.
    3. Customer shall ensure all Protected Data it provides to the Supplier for use in connection with the Services shall be collected and transferred to the Supplier in accordance with Data Protection Laws. For the avoidance of doubt, it shall be Customer’s responsibility to (i) ensure the terms of use it supplies to the Data Subjects of the Protected Data comply with Data Protection Laws including in particular any fair processing information requirements relating to the processing of the Protected Data by the Supplier and (ii) to ensure it has a legal basis for the processing of the Protected Data by the Supplier.
  3. Instructions
    1. Customer shall, in its use of the Services, Process Protected Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Protected Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Protected Data and the means by which Customer acquired Personal Data.
    2. Insofar as the Supplier processes Protected Data, the Supplier:
      1. shall (and shall ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Customer’s documented instructions from time to time and in accordance with Exhibit 1 (Data Processing Particulars), as updated from time to time by written agreement of the parties or as otherwise detailed in the Agreement (“Processing Instructions”);
      2. shall inform Customer if the Supplier is aware of a Processing Instruction that, in its opinion, infringes Data Protection Laws.
  4. Technical and Organisational Measures

The Supplier shall implement and maintain, at its cost and expense:

    1. the technical and organisational measures prescribed by Data Protection Laws; and
    2. taking into account the nature of the processing, the technical and organisational measures necessary to assist Customer insofar as is reasonably possible in the fulfilment of Customer’s obligations to respond to Data Subject Requests relating to Protected Data.
  5. Sub-Processors and Staff
    1. The Supplier has appointed those Sub-Processor(s) listed in Exhibit 1 to this DPA under a written contract containing materially equivalent obligations to those in this Data Processing Agreement. Supplier shall provide Customer with a copy of the agreements with Sub-Processors if requested to do so by Customer. Supplier may redact commercial terms from such agreements before disclosing them to Customer.
    2. The Supplier shall ensure that all of its personnel and contractors processing Protected Data are subject to a binding written contractual obligation with the Supplier or under professional obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify Customer of any such requirement before such disclosure).
    3. Supplier may not change or add new Sub-Processors without first notifying the Customer and giving the Customer ten days (from date of receipt of the notice) to object to the change or addition in Sub-Processor on reasonable and objectively justifiable grounds. If Customer objects to the change in Sub-Processor, Supplier will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of the Protected Data by the objected-to new Sub-Processor. If Supplier is unable to make available such change within a reasonable period of time, Customer may, by written notice, terminate those Services which cannot be provided by the Supplier without the use of the objected-to new Sub-Processor. Supplier will refund to Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services.
  6. Data Subject Request Assistance
    1. Supplier shall promptly refer all Data Subject Requests it receives to Customer (wherever practicable within two Working Days of receipt of the request).
    2. The Supplier shall provide such assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with each party’s obligations under Data Protection Laws with respect to:
      1. Data Subject Requests;
      2. security of processing;
      3. data protection impact assessments (as such term is defined in Data Protection Laws);
      4. prior consultation with a Supervisory Authority regarding high risk processing; and
      5. notifications to the Supervisory Authority and/or communications to Data Subjects by Customer in response to any Personal Data Breach and for the avoidance of doubt the Supplier must promptly notify Customer in writing of any communications received by it from Data Subjects or Supervisory Authorities relating to the Protected Data without responding to either of the same unless it has been expressly authorised to do so by Customer.
  7. Overseas Transfers

The parties agree that the Supplier may only transfer Protected Data to any overseas recipients (an “International Recipient”) provided all transfers by Supplier of Protected Data to an International Recipient (and any onward transfer) shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The Supplier will provide to the Customer a list of all International Recipients (other than where International Recipient is Customer itself) which shall include detail of their identity, locations and of their processing activities.

  8. Records and Audits
    1. The Supplier shall maintain written records of all categories of processing activities carried out on behalf of Customer.
    2. The Supplier shall make available to Customer such information as is reasonably necessary to demonstrate its compliance with the obligations of Processors under Data Protection Laws, and shall allow for and contribute to audits, including inspections, by Customer (or another auditor mandated by Customer) for this purpose, subject to Customer:
      1. giving the Supplier at least thirty (30) days’ advance notice of such information request, audit and/or inspection being required; and
      2. Customer and Supplier mutually agreeing the scope, timing, and duration of the audit and for the cost sharing; and
      3. ensuring that all information obtained or generated by Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law). Customer shall provide a copy of such information and audit reports to the Supplier following an inspection or audit pursuant to this clause 8.
  9. Breach Notification

In respect of any Personal Data Breach involving Protected Data, the Supplier shall without undue delay of becoming aware of the Personal Data Breach: notify Customer of the Personal Data Breach; and so far as possible without prejudicing the continued security of the Protected Data or any investigation into the Personal Data Breach, provide Customer with details of the Personal Data Breach.

  10. Deletion or Return of Data

10.1 The Supplier shall either delete or return all the Protected Data to Customer in accordance with the provisions of the Agreement, or if none in the Agreement then, in such form as Customer requests within thirty (30) days after the earlier of:

(a) the end of the provision of the relevant Services related to processing of that data; or

(b) once processing by the Supplier of any Protected Data is no longer required for the purpose of Supplier’s performance of its obligations under the Agreement,

unless storage of any data is required by Applicable Law and, if so, Supplier shall inform Customer of any such requirement and the period during which it is required to be stored.

  11. Indemnity and Liability
    1. Each party (“Indemnifying Party”) shall indemnify and keep indemnified the other (“Indemnified Party”) in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, the Indemnified Party arising from or in connection with any:
      1. non-compliance by the Indemnifying Party with the Data Protection Laws; and
      2. breach by the Indemnifying Party of any of its obligations under this DPA.
    2. If a party receives a compensation claim from a person (including but not limited to a Data Subject) relating to processing of Protected Data processed by the Supplier under this Agreement, it shall promptly provide the other party with notice and full details of such claim. Neither party shall make an admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other (as applicable).
    3. This clause 11 does not affect the liability of the Supplier to any Data Subject or Supervisory Authority pursuant to a claim made directly against the Supplier by either of them.
    4. As between the Supplier and the Customer liability for all Data Protection Losses arising out of any breach of this Data Processing Addendum including for any loss or damage arising out of a Personal Data Breach, shall be subject to the limitations and exclusions of liability as set out in the Agreement.
  12. Change in Law

Notwithstanding anything to the contrary in this DPA, in the event: (i) of a change in any law or regulation or (ii) a regulator issues a binding instruction, order or requirement which changes the basis on which the Protected Data can be processed, transferred or stored pursuant to this DPA, the parties agree to negotiate in good faith to agree an amendment to this DPA and the Agreement (to the extent necessary) to address the change in law or regulation or to comply with the binding instruction, order or requirement as applicable.

Exhibit 1

Data Processing Particulars

  1. Subject-matter of Processing:

Customer contact/distribution lists.

  2. Duration of the Processing:

Subject to clause 10 of this DPA, Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

  3. Nature and Purpose of the Processing:

To use the Protected Data for the purpose of providing the Services and as otherwise detailed in the Agreement, and as further instructed by Customer in its use of the Services.

  4. Type of Personal Data:

  • Required: Email address
  • Optional: First Name, Last Name, Nick Name, Birthday Date, Gender, Telephone number, Title, Language, Physical Address, Job Name, Company Name, Location & Company Address.

Special Category Data: None.

  5. Categories of Data Subjects:

  • Customers of Customer
  • Prospects of Customer
  • Members
  • Subscribers / Trackers

  6. Processing Instructions

To use the Protected Data for the purpose of providing the Services and as otherwise detailed in the Agreement.

  7. Sub-Processors

  | Name                | Location         | Processing Activity                                                                                       |
  |---------------------|------------------|-----------------------------------------------------------------------------------------------------------|
  | Mailjet             | France           | Emailing of newsletters containing Third Party Content; distribution list management, email engagement    |
  | Google Analytics    | USA (California) | Website analytics                                                                                         |
  | Amazon Web Services | USA (Seattle)    | Hosting and processing all personal data                                                                  |