Data Processing Agreement
This agreement is between MY Compliance Management (the Supplier) and the customer (the Customer), together the Parties.
Background
- The parties have identified a requirement to share the Personal Data.
- The parties have decided to create a framework for the systematic sharing of the Personal Data.
- The parties have agreed certain technical and organisational measures to ensure that the Personal Data is shared in a secure manner and managed as set out in Part B of this Agreement.
THE PARTIES AGREE:
Definitions
1.1 In this Agreement:
Controller: has the meaning given in applicable Data Protection Laws;
Data Protection Laws: means any applicable law relating to the processing, privacy and use of Personal Data, as applicable to either party or the Services, including:
Data Protection Supervisory Authority: means any regulator, authority or body responsible for administering Data Protection Laws;
Data Subject: has the meaning given in applicable Data Protection Laws from time to time;
Service Agreements: means the agreement between the Supplier and the Customer for the provision of the services, specifically the Licence Agreement and the Terms and Conditions;
Personal Data: has the meaning given in applicable Data Protection Laws;
Personal Data Breach: has the meaning given in applicable Data Protection Laws;
Processing: has the meaning given in applicable Data Protection Laws (and related expressions, including process, processing, processed, and processes shall be construed accordingly);
Processor: has the meaning given in applicable Data Protection Laws;
Sub-Processor: means any agent, subcontractor or other third party engaged by the Supplier (or by any other Sub-Processor) for carrying out any processing activities in respect of the Personal Data;
Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Supplier Personnel: means any person engaged by, or performing services for, the Supplier or a Sub-Processor;
Termination Date: means the date of termination or expiry of this Agreement, which will be the earliest of: i) expiry/termination of the Service Agreements, or ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Service Agreements (to the extent applicable);
UK GDPR: means the UK General Data Protection Regulation, being Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
1.2 Unless otherwise expressly stated in this Agreement the Supplier’s obligations and the Customer’s rights and remedies under this Agreement are cumulative with, and additional to, any other provisions of this Agreement.
2 Compliance with data protection laws
2.1. The parties agree that the Customer is a Controller and that the Supplier is a Processor for the purposes of processing Personal Data pursuant to this Agreement. The Supplier shall ensure that its Sub-Processors and each of the Supplier Personnel shall, at all times comply with all Data Protection Laws in connection with the processing of Personal Data and the provision of the Services and shall not by any act or omission cause the Customer (or any other person) to be in breach of any of the Data Protection Laws.
2.2. Nothing in this Agreement relieves the Supplier of any responsibilities or liabilities under Data Protection Laws.
2.3 The Customer warrants, represents and undertakes, that:
2.3.1 all data sourced by the Customer for use in connection with the Services, prior to such data being provided to or accessed by the Supplier for the performance of the Services under this Agreement, shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;
2.3.2 all instructions given by it to the Supplier in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
2.3.3 it has undertaken due diligence in relation to the Supplier's processing operations, and it is satisfied that:
2.3.3.1 the Supplier’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage the Supplier to process the Personal Data; and
2.3.3.2 the Supplier has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
3 Liability
3.1 The Supplier's total liability to the Customer, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this Agreement shall be limited to its liability under the Service Agreements.
3.2. Nothing in this agreement shall limit or exclude the Supplier's liability for:
3.2.1 death or personal injury caused by its negligence; or
3.2.2 fraud or fraudulent misrepresentation; or
3.2.3 breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession) or any other liability which cannot be limited or excluded by applicable law.
3.3 Supplier shall not be liable to the Customer, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this agreement for:
3.3.1 loss of profits; or
3.3.2 loss of sales or business; or
3.3.3 loss of agreements or contracts; or
3.3.4 loss of anticipated savings; or
3.3.5 loss of or damage to goodwill; or
3.3.6 any indirect or consequential loss.
3.4 The Customer shall indemnify and keep indemnified the Supplier in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, the Supplier and any Sub-Processor arising from or in connection with any:
3.4.1 non-compliance by the Customer with the Data Protection Laws;
3.4.2 processing carried out by the Supplier or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or
3.4.3 breach by the Customer of any of its obligations under this Agreement except to the extent the Supplier is liable under Clause 3.1 and to the extent of the liability in Clause 3.3.
3.5 The Supplier shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with this Agreement:
3.5.1 only to the extent caused by the processing of Personal Data under this Agreement and directly resulting from the Supplier’s breach; and
3.5.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of this Agreement by the Customer.
3.6 If a party receives a compensation claim from a person relating to processing of Personal Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:
3.6.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and
3.6.2 consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under this Agreement for paying the compensation.
3.7 The parties agree that the Customer shall not be entitled to claim back from the Supplier any part of any compensation paid by the Customer, in accordance with this clause.
4 Instructions
The Supplier shall only process (and shall ensure Supplier Personnel only process) the Personal Data in accordance with Section 1 of Part B of this Agreement, this Agreement, the Service Agreements and any other of the Customer’s written instructions from time to time except where otherwise required by applicable law (and in such a case shall inform the Customer of that legal requirement before processing, unless applicable law prevents it doing so on important grounds of public interest). The Supplier shall immediately inform the Customer if any instruction relating to the Personal Data infringes or may infringe any Data Protection Law.
5 Security
The Supplier shall at all times implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. Such technical and organisational measures shall be at least equivalent to the technical and organisational measures set out in Section 2 of Part B of this Agreement and shall reflect the nature of the Personal Data.
6 Sub-processing and personnel
6.1 The Customer gives the Supplier general written authorisation to appoint Sub-Processors, as required, in order to perform the services under the Service Agreements.
6.2 The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object to such changes; the Customer's consent to such changes will not be unreasonably withheld.
6.3 If the Customer has a reasonable objection to any new or replacement Sub-Processor, it shall notify the Supplier of such objection in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith.
6.4 If the Supplier is reasonably able to provide the service to the Customer in accordance with the Service Agreements without using the Sub-Processor and decides in its discretion to do so, then the Customer will have no further rights under this clause in respect of the proposed use of the Sub-Processor.
6.5 If the Supplier requires use of the Sub-Processor in its discretion and is unable to satisfy the Customer as to the suitability of the Sub-Processor or the documentation and protections in place between the Supplier and the Sub-Processor within ninety (90) days from the Customer's notification of objection, the Customer may, within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the part of the Service Agreements with at least thirty (30) days' written notice, solely with respect to the service(s) to which the proposed new Sub-Processor's processing of Personal Data relates.
6.6 If the Customer does not provide a timely objection to any new or replacement Sub-Processor in accordance with this clause, the Customer will be deemed to have consented to the Sub-Processor and waived its right to object.
6.7 The Supplier may use a new or replacement Sub-Processor whilst the objection procedure in this clause is in process.
6.8 Prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data, the Supplier shall appoint each Sub-Processor under a written contract containing materially the same obligations as under this Agreement.
6.9 The Supplier shall remain fully liable to the Customer under this Agreement for all the acts and omissions of each Sub-Processor and each of the Supplier Personnel as if they were its own.
6.10 The Supplier shall ensure that all persons authorised by the Supplier or any Sub-Processor to process Personal Data are reliable and:
6.10.1 adequately trained on compliance with this Agreement as applicable to the processing;
6.10.2 informed of the confidential nature of the Personal Data and that they must not disclose Personal Data; and
6.10.3 subject to a binding and enforceable written contractual obligation to keep the Personal Data confidential.
6.11 The Supplier shall provide relevant details and a copy of each agreement with a Sub-Processor to the Customer on request.
7 Assistance
7.1 The Supplier shall (at its own cost and expense) promptly provide such information and assistance (including by taking all appropriate technical and organisational measures) as the Customer may require in relation to the fulfilment of the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights under the UK GDPR (and any similar obligations under applicable Data Protection Laws).
7.2 The Supplier shall (at its own cost and expense) provide such information, co-operation and other assistance to the Customer as the Customer reasonably requires (taking into account the nature of processing and the information available to the Supplier) to ensure compliance with the Customer’s obligations under Data Protection Laws, including with respect to:
7.2.1 security of processing;
7.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
7.2.3 prior consultation with a Data Protection Supervisory Authority regarding high risk processing; and
7.2.4 any remedial action and/or notifications to be taken in response to any Personal Data Breach and/or any complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including (subject in each case to the Customer’s prior written authorisation) regarding any notification of the Personal Data Breach to Data Protection Supervisory Authorities and/or communication to any affected Data Subjects.
8 Data subject requests
The Supplier shall (at no cost to the Customer) record and refer to the Customer all requests and communications received from Data Subjects or any Data Protection Supervisory Authority which relate (or which may relate) to any Personal Data promptly (and in any event within three days of receipt), and shall not respond to any such request or communication without the Customer's express written approval and strictly in accordance with the Customer's instructions, unless and to the extent required by law.
9 International transfers
9.1 The Customer acknowledges and accepts that the provision of the service under the Service Agreements may require the processing of Personal Data by sub-processors in countries outside the UK.
9.2 The Customer gives the Supplier a general authorisation to process and/or transfer Personal Data in or to countries outside of the UK, provided that all transfers shall be to countries deemed adequate by the UK government or by using the UK’s International Data Transfer Agreement and in accordance with Data Protection Laws.
9.3 For the avoidance of doubt, the Supplier does not transfer data to the USA. The Supplier holds all customer data on AWS servers in the UK. The Supplier uses Sub-Processors in the EU; transfers to such Sub-Processors rely on the UK adequacy regulations covering EEA member states and therefore fall within the authorisation in clause 9.2.
10 Records
10.1 The Supplier shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer.
10.2 Such records shall include all information necessary to demonstrate its and the Customer’s compliance with this Agreement, the information referred to in Articles 30(1) and 30(2) of the UK GDPR and such other information as the Customer may reasonably require from time to time.
10.3 The Supplier shall make copies of such records available to the Customer promptly (and in any event within three days) on request from time to time.
11 Audit
11.1 The Supplier shall (and shall ensure all Sub-Processors shall) promptly make available to the Customer (at the Supplier’s cost) such information as is reasonably required to demonstrate the Supplier’s and the Customer’s compliance with their respective obligations under this Agreement and the Data Protection Laws, and allow for, permit and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose at the Customer’s request from time to time.
11.2 The Supplier shall provide (or procure) access to all relevant premises, systems, personnel and records during normal business hours for the purposes of each such audit or inspection upon reasonable prior notice (not being more than two Business Days) and provide and procure all further reasonable co-operation, access and assistance in relation to any such audit or inspection.
12 Breach
12.1 The Supplier shall promptly (and in any event within 24 hours) notify the Customer if it (or any of its Sub-Processors or the Supplier Personnel) suspects or becomes aware of any suspected, actual or threatened occurrence of any Personal Data Breach in respect of any Personal Data.
12.2 The Supplier shall promptly (and in any event within 24 hours) provide all information as the Customer requires to report the circumstances referred to in paragraph 12.1 (above) to a Data Protection Supervisory Authority and to notify affected Data Subjects under Data Protection Laws.
13 Deletion/return
13.1 The Supplier shall (and shall ensure that each of the Sub-Processors and Supplier Personnel shall), without delay (and in any event within 7 days) at the Customer's written request, either securely delete or securely return all the Personal Data to the Customer in such form as the Customer reasonably requests after the earlier of:
13.1.1 the end of the provision of the relevant Services related to processing of such Personal Data; or
13.1.2 the date on which processing by the Supplier of any Personal Data is no longer required for the purpose of the Supplier's performance of its relevant obligations under this Agreement.
13.2 Following deletion or return under clause 13.1, the Supplier shall securely delete all existing copies of the Personal Data (except to the extent that storage of any such data is required by applicable law and, if so, the Supplier shall inform the Customer of any such requirement).
14 Conflict
This Agreement is without prejudice to the rights and obligations of the parties under the Service Agreements, which shall continue to have full force and effect. In the event of any conflict between the terms of this Agreement and the terms of the Service Agreements, the terms of this Agreement shall prevail so far as the subject matter concerns the processing of Personal Data.
Data processing and security details – Part B
Section 1—Data processing details
Processing of the Personal Data by the Supplier under this Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Section 1.
Subject-matter of processing:
The Customer may upload content to the Supplier's platform which may include personal data and special categories of data, the extent of which is determined and controlled by the Customer in its sole discretion.
Duration of the processing:
The duration of the processing will be until the earliest of:
(i) expiry/termination of the Service Agreements, or
(ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Service Agreements (to the extent applicable).
Type of Personal Data:
All personal data including, but not limited to, special categories of data such as information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and data concerning an individual's health, sex life or sexual orientation.
Categories of Data Subjects:
i. Prospective customers, customers, resellers, referrers, business partners, and vendors of the Customer (who are natural persons);
ii. Employees or contact persons of the Customer’s prospective customers, customers, resellers, referrers, sub-processors, business partners, and vendors (who are natural persons);
iii. Employees, agents, advisors, and freelancers of the Customer (who are natural persons); and/or
iv. Natural persons authorised by the Customer to use the Service.
Section 2—Minimum technical and organisational security measures
1. Without prejudice to its other obligations, the Supplier shall implement and maintain at least the following technical and organisational security measures to protect the Personal Data:
1.1 In accordance with the Data Protection Laws, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Personal Data to be carried out under or in connection with this Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks presented by the processing (especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed), the Supplier shall implement technical and organisational security measures appropriate to the risk, including as appropriate those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the UK GDPR.