Data Processing Addendum
The Customer has entered into an agreement with its clients to provide services. Pursuant to that agreement, the Customer is required to Process Personal Data on behalf of its client. The Customer has procured Services from the Provider pursuant to the Agreement and the Provider shall Subprocess Personal Data, as a Subprocessor on behalf of the Customer. Provider agrees to comply with the following provisions with respect to any Personal Data provided to Provider by Customer or otherwise Processed by Provider on behalf of Customer.
- DEFINITIONS AND INTERPRETATION
“Applicable Data Protection Laws” means, for such time as they are in force in England and Wales, the Data Protection Act 2018, the UK GDPR and all related legislation which may supplement, amend, implement or replace them and which relates to the protection of individuals’ rights in their personal data and the protection of their privacy.
“Data Controller” means the entity or person, alone or jointly with other persons or entities, which a) determines the purposes and means of the Processing of Personal Data, and/or b) has control over or authorises the Processing of any Personal Data.
“Data Processor” means the entity or person, other than the Data Controller or Data Controller’s employees or agents, who Processes Personal Data on behalf of the Data Controller and does not Process Personal Data for its own purposes.
“Data Subprocessor” means the entity or person, who Processes Personal Data on behalf of the Data Processor and does not Process Personal Data for its own purposes.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person where such data is submitted to the Services as Personal Data or otherwise Processed by Provider on behalf of Customer in the course of performing the Services.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, correction, blocking, erasure or destruction by the Data Processor.
“Security Incident” means actual or reasonably suspected accidental, unlawful or unauthorized access, acquisition, loss, alteration, destruction or disclosure of Personal Data, including Personal Data, by Provider or its Subprocessors.
“Subprocess” or “Subprocessing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, correction, blocking, erasure or destruction by a Data Subprocessor.
“Supplier” means any further Data Subprocessor engaged by Provider.
“Supplier List” has the meaning given to it in clause 3.2 and the current list is shown in Annex 2.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
- This Data Processing Addendum is subject to the terms of the Agreement and is incorporated into the Agreement.
- The Annexes form part of this Data Processing Addendum and will have effect as if set out in full in the body of this Data Processing Addendum. Any reference to this Data Processing Addendum includes the Annexes.
- A reference to writing or written includes email.
- In the case of conflict or ambiguity between:
- any provision contained in the body of this Data Processing Addendum and any provision contained in the Annexes, the provision in the body of this Data Processing Addendum will prevail;
- the terms of any accompanying invoice or other documents annexed to this Data Processing Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
- any of the provisions of this Data Processing Addendum and the provisions of the Agreement, the provisions of this Data Processing Addendum will prevail.
- Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer shall act as Data Processor, Provider shall act as Data Subprocessor.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws and in strict accordance with the instructions of the Data Controller.
- Provider’s Processing of Personal Data. Provider shall only Subprocess Personal Data on behalf of and in accordance with Customer’s instructions including as set forth in the Agreement, in compliance with Applicable Data Protection Laws, and shall treat Personal Data as Confidential Information. A description about such Subprocessing is also set forth in Annex 1, as applicable. Provider shall maintain records of Subprocessing activities to the extent required by Applicable Data Protection Laws. Customer instructs Provider to Subprocess Personal Data for the following purposes: (i) Subprocessing in accordance with the Agreement and applicable order form(s); (ii) Subprocessing initiated by users in their use of the Services; and (iii) Subprocessing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Provider shall immediately inform Customer if, in Provider’s opinion, an instruction by Customer infringes Applicable Data Protection Laws.
- Security. The Provider shall implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex 2.
- ASSISTANCE AND DATA SUBJECT RIGHTS
- Correction, Blocking and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Applicable Data Protection Laws, Provider shall comply with requests by Customer to facilitate such actions, within timelines that reasonably enable Customer to comply with its legal obligations, to the extent Provider is legally permitted to do so.
- Data Subject Requests. Provider shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Provider shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Taking into account the nature of the Subprocessing, Provider shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights.
- Assistance Necessary for Compliance. Provider shall assist Customer to the extent reasonably necessary for Customer to fulfill its compliance obligations including, but not limited to, completing Data Protection Impact Assessments, Data Subject Rights, reporting to and consulting with a supervisory authority and incorporating principles of privacy by design and default.
- Personal Data Breach. The Provider shall within 24 hours and in any event without undue delay notify the Customer if it becomes aware of:
- the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
- any accidental, unauthorised or unlawful processing of the Personal Data; or
- any Personal Data breach.
Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer (and where instructed by the Customer, the Data Controller) in the handling and resolution of the matter.
- Appointment of Suppliers. Customer acknowledges and agrees that (a) Provider’s Affiliates may be retained as Suppliers; and (b) Provider and Provider’s Affiliates respectively may engage third-party Suppliers to Subprocess the Personal Data in connection with the provision of the Services. Provider shall require all Suppliers to agree in writing to Subprocess Personal Data in compliance with the requirements set forth in this Data Processing Addendum.
- List of Current Suppliers and Notification of New Suppliers. Provider shall make available to Customer a current list of Suppliers for the respective Services with the identities of those Suppliers (“Supplier List”). Provider shall provide Customer with updates to the relevant Supplier List (such as the ability to subscribe to an automated mailing list) and shall provide such updates before authorizing any new Supplier(s) to Subprocess Personal Data in connection with the provision of the Services. Provider shall provide such updates circulated by email.
- Objection Right for new Suppliers. If Customer has a reasonable basis to object to Provider’s use of a new Supplier on grounds of such Supplier’s non-compliance with this Data Processing Addendum, Customer shall notify Provider in writing within 45 days after receipt of Provider’s notice.
- In the event Customer objects to a new Supplier(s) and that objection is not unreasonable Provider will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to the Services to avoid Subprocessing by the objected-to Supplier without unreasonably burdening Customer. If Provider is unable to make available such change within a reasonable period of time, which shall not exceed 60 days, Customer may terminate the applicable Order Form(s) in respect only to those Services which cannot be provided by Provider without the use of the objected-to new Supplier, by providing written notice to Provider. Any termination by Customer under this Clause 3.3.1 shall be in accordance with the terms of the Agreement.
- Provider shall be liable for the acts and omissions of its Suppliers to the same extent Provider would be liable if Provider itself performed such acts and omissions.
- Supplier Agreements. The parties agree that, where Provider must provide Customer with copies of Supplier agreements to comply with Applicable Data Protection Laws, such agreements may have all commercial information and clauses unrelated to such compliance removed by Provider and that such copies will be provided by Provider only upon Customer’s reasonable request.
- The Provider will ensure that all of its employees:
- are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- have undertaken training on the Applicable Data Protection Laws relating to handling Personal Data and how it applies to their particular duties; and
- are aware both of the Provider’s duties and their personal duties and obligations under the Applicable Data Protection Laws and this Agreement.
- The Provider will take reasonable steps to ensure the reliability, integrity and trustworthiness of its employees with access to the Personal Data.
- Notification of Non-Compliance. Provider shall promptly notify Customer if, at any time, it is unable to comply with the terms of this Data Processing Addendum or Applicable Data Protection Laws. If Provider is unable to remedy such noncompliance within a reasonable period of time, not to exceed 30 days, Customer may terminate any Services for which Provider’s Subprocessing is non-compliant upon written notice to Provider.
- Security Incidents. In addition to any obligations as set forth in the Agreement, Provider shall promptly notify Customer of any Security Incident of which it becomes aware. Such notice shall not in any case be more than 24 hours after Provider becomes aware of a Security Incident.
- AUDITS AND CERTIFICATIONS
- Audit Procedures. In addition to any obligations set forth in the Agreement, the parties agree that Customer shall, subject to the Customer paying the Provider’s costs associated with the audit, have the right to audit Provider’s compliance with the terms of this Data Processing Addendum and Applicable Data Protection Laws according to the following procedures:
- Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Provider shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Provider) information sufficient to establish Provider’s compliance with the obligations set forth in this Data Processing Addendum and Applicable Data Protection Laws (“Compliance Obligations”). Such information shall include any documentation reasonably necessary to confirm Provider’s compliance with its Compliance Obligations.
- Audit requests by Customer shall be provided to Provider in writing and no more frequently than once in any 12-month period, with the exception that Customer may request an audit following any Provider notification of a Security Incident under Clause 5.2 of this Data Processing Addendum or as necessary to demonstrate Customer’s compliance with Applicable Data Protection Laws pursuant to a regulatory investigation, inquiry, or lawsuit.
- RETURN AND DELETION OF PERSONAL DATA
In addition to any obligations set forth in the Agreement, Provider shall cease to retain any documents containing Personal Data on the instruction of Customer or when the purpose for which that Personal Data was collected is no longer being served by retention of the Personal Data. Nothing in this Clause 7 shall prevent Provider from retaining Personal Data to the extent required by law. Provider shall provide Customer with a certification of deletion of Personal Data upon Customer’s request.
- TERM AND TERMINATION
- This Data Processing Addendum will remain in full force and effect so long as:
- the Agreement remains in effect; or
- the Provider retains any of the Personal Data related to the Agreement in its possession or control (Term).
- Any provision of this Data Processing Addendum that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect the Personal Data will remain in full force and effect.
- If a change in any Applicable Data Protection Laws prevents either party from fulfilling all or part of its obligations, the parties may agree to suspend the Subprocessing of the Personal Data until that Subprocessing complies with the new requirements. If the parties are unable to bring the Personal Data Subprocessing into compliance with the Applicable Data Protection Laws within 60 days, either party may terminate the Agreement on no less than 30 days’ written notice to the other party and in accordance with the terms of the Agreement.
- Each party acknowledges and agrees that a violation of this Data Processing Addendum constitutes a material breach of the Agreement.
- The Customer will cover all reasonable expenses associated with the performance of the obligations under clauses 2, 6 and 7 unless the matter arose from the Provider’s negligence, wilful default or breach of this Agreement, in which case the Provider will cover all reasonable expenses.
- Each party shall bear its own costs in relation to the execution of this Data Processing Agreement.
- Indemnity. The Customer shall defend, indemnify and hold the Provider harmless against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer’s breach of this Data Processing Addendum (including without limitation a breach of the Applicable Data Protection Legislation).
Annex 1: Personal Data Processing Details
Subject matter of processing:
- IT solution to support the courier industry
Duration of Processing:
- Duration of Agreement plus statutory archiving periods
Nature of Processing:
- Technical processing for the purposes of automating (as far as possible) managing and tracking the delivery of parcels
- Managing user accounts and permissions
- To fulfil a contract
Personal Data Categories:
- Names and addresses of parcel addressees
- Names and addresses of parcel senders (or their representatives)
- Usernames and associated details of authorized users
Data Subject Types:
- Private individuals
- Business persons on behalf of corporate customers and corporate parcel addressees
Annex 2: Technical and Organisational Measures
Technical and Organisational Measures – context
The personal data processed by Provider is low risk. No special category data is processed. In order to ensure the accuracy, integrity and security of personal data, the following measures are adopted in line with Provider’s analysis in its data protection impact assessment.
Physical Controls: The Building
- Provider operates from a secure data centre in London (UK) which has ISO and BS certifications for information and security management system. The facility has five layers of physical security with a 24/7 staffing presence.
- Power to the data centre is supplied by two neutral carriers plus onsite generators which can provide constant power for a 24-hour period; these generators can be refuelled within a 4-hour period.
- The data centre has a climate-controlled environment, the walls are fire retardant, and the building has early smoke detection systems with direct lines to fire stations and automatic gas-based fire suppression systems.
- Access to the building is controlled by designated staff members at Provider in conjunction with the building’s own security policy and management.
Technical Controls: Internet Connectivity
- Provider operates dual connectivity to servers using two fibre-based Internet Service Providers (ISPs). The ISPs are separate providers, minimising any client connectivity issues to servers.
Technical Controls: Data Back Up
- Provider stores client data on separate servers contained within our secure network for data back-up provision.
- Data is backed up at different levels both weekly and daily.
Technical Controls: Hardware Redundancy
- Client Applications are specified with a dual power supply and swappable hard drives should technical problems arise with hardware.
- Provider holds redundant server equipment within our hosted environment should a total failure occur to an operational system. This can be replaced within 72 hours.
- Should Provider seek to relocate hardware and our hosted environment, this will be completed with the knowledge of the clients’ data officers.
Technical Controls: Data Security
- Application and Database servers are protected by our firewall with IP address/port restrictions.
- The connections from application servers to database servers are encrypted and only cross our network.
- Provider shall only release data to our client’s Data Officer; in most instances we will also require a senior director’s approval accompanying any data request.
- Access to client data by Provider staff is controlled by designated staff members at Provider in accordance with our contractual confidentiality obligations.
- Provider staff are subject to confidentiality agreements and trained with regard to personal data security.
- There are no Suppliers at present who are subprocessors of personal data.
- Example overview of a typical client configuration operating a WP plugin customer portal: