Data Processing Addendum




Last edited on Dec 8, 2023

The following terms for data processing form part of the Agreement between the Supplier and the Customer.  During the course of providing the Services, the Supplier may process Personal Data that is subject to Data Protection Legislation.  The Customer appoints the Supplier to Process such Personal Data in accordance with this Data Processing Addendum.

1. Interpretation

Capitalized terms used in this Data Processing Addendum and not otherwise defined in the Terms of Service set out online (the “Terms of Service”) shall have the meaning given to them in the Data Protection Legislation and the following additional definition shall apply: “Data Protection Legislation” means all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act 2018, and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426). If there is a conflict between the Terms of Service and this Data Processing Addendum, the terms of this Data Processing Addendum shall prevail.

2. Data Processing Obligations

The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and the Supplier is the Data Processor of the Personal Data and a description of the Personal Data and the Processing activities undertaken by the Supplier is set out in clause 5.

3. The Supplier’s processing obligations

3.1. To the extent that the Supplier processes any Personal Data on behalf of Customer in connection with the Services, the Supplier shall:

3.1.1. only Process such Personal Data in accordance with the purposes set out in this Data Processing Addendum and notify Customer immediately if in its opinion the Customer’s instructions infringe applicable law;

3.1.2. maintain a record of its Processing activities under this Data Processing Addendum in accordance with and to the extent required by Article 30(2) GDPR, and the Supplier shall at any time upon request, deliver up to Customer details of such Processing activities;

3.1.3. ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;

3.1.4. notify Customer without undue delay if it suffers a Personal Data Breach, if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without Customer’s prior written consent and in accordance with Customer’s instructions; and (b) provide such assistance as Customer may reasonably require in respect of such Personal Data in order for Customer to comply and respond to the Data Subject Request in accordance with the Data Protection Legislation;

3.1.5. provide reasonable assistance to Customer in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and

3.1.6. ensure that it has implemented appropriate organizational and technical measures in order to comply with its obligations under this clause 3, including the measures referred to in clause 5.5.

3.2. To the extent legally permitted, Customer shall be responsible for any costs arising from the Supplier’s provision of assistance beyond the existing functionality of the Services.

3.3. The Supplier is permitted to engage a Subprocessor to Process any of the Personal Data on Customer’s behalf in connection with the Services. The Customer pre-approves the Supplier’s use of third party processors for the purposes of fulfilling its obligations, including this List of Subprocessors. The Supplier shall:

3.3.1. inform Customer prior to the appointment or removal of any such Subprocessor, thereby giving Customer an opportunity to object to the appointment or removal. If Customer objects on reasonable grounds, the Supplier shall either: (i) alter its plans to use the Subprocessor with respect to Personal Data, or (ii) take corrective steps to remove Customer’s objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate the Agreement; and

3.3.2. ensure that such Subprocessor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on the Supplier under this Data Processing Addendum; and

3.3.3. ensure that the Subprocessor’s Processing of such Personal Data terminates upon termination of the Supplier’s right to Process the data,

provided that the Supplier shall be liable for the acts and omissions of such Subprocessors in relation to the Processing of such Personal Data.

3.4. The Customer acknowledges that the Supplier and its Subprocessors may Process Personal Data outside of the EEA or UK in non-adequate countries. The Supplier will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. The Supplier will ensure that transfers of Personal Data to a third country or an international organization that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR.

3.5. Upon termination or expiry of the Agreement, the Supplier shall cease all Processing of any Personal Data Processed on Customer’s behalf under the Agreement and shall, at Customer’s option, return or destroy and delete all such Personal Data.

3.6. In order to demonstrate the Supplier’s compliance with the Data Protection Legislation, the Supplier shall:

3.6.1. provide the Customer with such information as the Customer reasonably requests from time to time to enable the Customer to satisfy itself that the Supplier is complying with its obligations under this Data Processing Addendum and the Data Protection Legislation; and

3.6.2. allow the Customer, at the Customer’s sole cost and expense, access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Data Processing Addendum to allow Customer to audit its compliance with this Data Processing Addendum and Data Protection Legislation and shall provide reasonable co-operation as requested by the Customer in the performance of such audit. The Parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.

4. Obligations of Customer

4.1. Customer shall:

4.1.1. have at all times during the term of the Agreement appropriate technical and organizational measures to ensure a level of security appropriate to the risk to protect any Personal Data;

4.1.2. provide clear and comprehensible written instructions to the Supplier for the processing of Personal Data to be carried out under this Data Processing Addendum; and

4.1.3. ensure that it has all the necessary licenses, permissions, consents and notices in place to enable lawful transfer of Personal Data to the Supplier for the duration and purposes of the Agreement.

5. Processing Particulars

5.1. Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with this Data Processing Addendum are as follows. The Customer may submit Personal Data to the Supplier through its use of the Services, the extent of which and the data subjects whose Personal Data is processed in relation to such use of the Services is determined and controlled by the Customer in its sole discretion and may include data subjects who are customers of the Customer.

5.2. Categories of Personal Data. The Customer may submit Personal Data to the Supplier through its use of the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data: first name, last name, email address, address, country, and profession.

5.3. Processing Operations. Personal Data shall be processed by the Supplier in accordance with this Data Processing Addendum for the purpose of providing the Services in accordance with the Agreement.

5.4. Duration. The Supplier will Process the Personal Data on the Customer's behalf for the duration of the Agreement.

5.5. A description of the technical and organizational measures applying to this Data Processing Addendum is set out in the Supplier's Privacy Policy.