Data Processing Agreement
This Data Processing Agreement ("DPA") sets out the terms, requirements, and conditions on which you, Bluestone Consolidated Holdings Limited registered with company number 08753310, of 1 Station Square, Cambridge, England, CB1 2GA ("You", "Your") will process Personal Data when providing services to us, Fignum Limited registered with company number 11918733, of 1 Station Square, Cambridge, England, CB1 2GA ("We", "Us", "Our") when supporting us to provide the add-on services to our Paycada offering to our clients (the "Services").
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this DPA.
"Controller”, "Data Subject", "Personal Data", "Personal Data Breach", "processing, processes and process" and "Processor" are as defined in the GDPR.
"Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK and EU, including Regulation (EU) 2016/679 ("GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and any other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.
1.2. A reference to writing or written [includes email but not fax].
1.3. In the case of conflict or ambiguity between any provisions contained in the body of this DPA and any provisions contained in the Schedule, the provisions in the body of this DPA will prevail.
2. Personal Data Types and Processing Purposes
2.1. The parties acknowledge that for the purpose of the Data Protection Legislation, our client instructing us to carry out the Services is the Controller, We are the Processor and You are our Sub-Processor.
2.2. We retain control of the Personal Data and remain responsible for Our compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions We give to You.
2.3. We warrant that Your expected use of the Personal Data for the provision of the Services and as specifically instructed by Us will comply with the Data Protection Legislation.
2.4 The Schedule describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which You may process to fulfil the Services.
3. Your Obligations
3.1. You will only process the Personal Data to the extent, and in such a manner, as is necessary for the Services in accordance with Our written instructions. You will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. You will immediately notify Us if, in Your opinion, Our instruction would not comply with the Data Protection Legislation.
3.2. You will promptly comply with any request or instruction from Us requiring You to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3. You will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless We or this DPA specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires You to process or disclose Personal Data, You will first use reasonable endeavours to inform Us of the legal or regulatory requirement and give Us an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. You will reasonably assist Us with meeting Our compliance obligations under the Data Protection Legislation, taking into account the nature of Your processing and the information available to You, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3.5. You will promptly notify Us of any changes to Data Protection Legislation that may adversely affect Your performance of the Services.
3.6. You will ensure that any and all employees:
- are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
- are aware both of Your duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
4.1. You will at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in the Schedule.
4.2. You may update the measures in the Schedule from time to time, provided they do not result in a reduction in the security over the Personal Data to which they apply. You will maintain an up-to-date written record of Your then-current security measures, which You shall provide to Us on request, and review at least on an annual basis to ensure they remain current and complete.
4.3. You will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of security measures.
5. Personal Data Breach
5.1. You will promptly and without undue delay notify Us if any of the Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. You will restore such Personal Data at Your own expense.
5.2. You will without undue delay notify Us if You become aware of:
- any accidental, unauthorised or unlawful processing of the Personal Data; or
- any Personal Data Breach relating to the Personal Data.
5.3. Where You become aware of an event within the scope of clause 5.2, You shall, without undue delay, also provide Us with the following information:
- a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- the likely consequences of the event; and
- a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.
5.4. Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. You will reasonably co-operate with Us in Our handling of the matter, including:
- assisting with any investigation;
- making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by Us; and
- taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.
5.5. You will not inform any third party of any Personal Data Breach without first obtaining Our prior written consent, except when required to do so by law, to maintain any policy of insurance, or to maintain regulatory or equivalent certifications.
5.6. Subject to clause 5.5 We have the sole right to determine:
- whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in Our discretion, including the contents and delivery method of the notice; and
- whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.1. You may only authorise a third party (sub-processor) to process the Personal Data if:
- You first notify Us of such intended authorisation; and
- You enter into a written contract with the sub-processor that contains terms substantially the same to those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon Our written request and at Your expense, provide Us with copies of such contracts (subject to redaction of any confidential information); and
- You maintain control over all Personal Data You entrust to the sub-processor.
6.2. We consent to You transferring Personal Data to sub-processors outside the United Kingdom and the European Economic Area provided that where such processing occurs, You:
- are processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals;
- participate in a valid cross-border transfer mechanism under the Data Protection Legislation, so that You (and, where appropriate, We) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR; or
- otherwise ensure that the transfer complies with the Data Protection Legislation.
6.3. Where the sub-processor fails to fulfil its obligations under such written agreement, You remain fully liable to Us for the sub-processor’s performance of its agreement obligations.
6.4. On Our written request, You will audit a sub-processor's compliance with its obligations regarding the Personal Data and provide Us with the audit results. Where We conclude reasonably that the sub-processor is in default of its obligations regarding the Personal Data, We may in writing instruct You to instruct the sub-processor to remedy such deficiencies within five (5) working days.
7. Complaints, Data Subject Requests and Third-Party Rights
7.1. You will take such technical and organisational measures as may be appropriate, and promptly provide such information to Us as We may reasonably require, to enable Us to comply with:
- the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the processing and automated processing of Personal Data, and restrict the processing of Personal Data; and
- information or assessment notices served on Us by any supervisory authority under the Data Protection Legislation.
7.2. You will notify Us immediately if You receive any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
7.3. You will notify Us without undue delay if You receive a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
7.4. You will give Us Your full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
7.5. You will not disclose the Personal Data to any Data Subject or to a third party other than at Our request or instruction, as provided for in this DPA or as required by law.
8.1. Our total liability pursuant to this DPA shall be limited to £[5,000].
9. Term and Termination
9.1. This DPA will remain in full force and effect for so long as You retain any of Our Personal Data related to the Services in Your possession or control.
9.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Services in order to protect Personal Data will remain in full force and effect.
9.3. If a change in any Data Protection Legislation prevents either party from fulfilling all or part of the Services, the parties will discuss in good faith with a view to implementing any changes necessary to ensure the processing of Personal Data complies with the new requirements.
10. Data Return and Destruction
10.1. At Our request, You will give Us a copy of or access to all or part of Our Personal Data in Your possession or control in a commonly accessible and electronic format determined by Us.
10.2. On termination of the Services for any reason or expiry of its term, You will promptly securely delete or destroy or, if directed in writing by Us, return and not retain, all or any Personal Data related to this DPA in Your possession or control. This requirement shall not apply to Personal Data which You have archived on Your backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by You using those backups to restore Your systems).
10.3. Clause 10.2 shall not apply to the extent any law, regulation, or government or regulatory body requires You to retain any documents or materials that You would otherwise be required to return or destroy.
11.1. You will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data You carry out for Us ("Records") and provide Us with copies of the Records upon request.
12.1. You will permit Us and our third-party representatives to audit Your compliance with this DPA and your performance of the Services, on at least 5 working days' written notice, during the Term. You will give Us and our third-party representatives all necessary assistance to conduct such audits at no additional cost to Us. The assistance may include, but is not limited to:
- physical access to, remote electronic access to, and copies of the Records and any other information held at Your premises or on systems storing the Personal Data;
- access to and meetings with any of Your personnel reasonably necessary to provide all explanations and perform the audit effectively; and
- inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.
12.2. The notice requirements in clause 12.1 will not apply if We reasonably believe that a Personal Data Breach has occurred or is occurring, or You are in material breach of any of Your obligations under this DPA or the Data Protection Legislation.
12.3. On Our written request, You will exercise relevant audit rights you have in connection with any sub-processors’ compliance with their obligations regarding Our Personal Data, and provide Us with a summary of the audit results.
12.4. Nothing in this DPA shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly You shall submit to any audits required by a Supervisory Authority or Data Protection Legislation.
Data Processing Agreement
1. Description Of Data Processing
- Categories of data subjects: Our clients who use the Paycada service and our clients' debtors.
- Categories of personal data transferred: Our clients' names, phone numbers and email addresses, and our clients' debtors' names, email addresses, addresses and phone numbers.
- Sensitive data transferred: None.
- Nature and purpose of the processing: Personal data will be used by You to perform the Services.
- Duration of the processing: For the duration of your provision of the Services.