Data processing agreement
Definitions and Interpretation
- For the purposes of this Data Processing Agreement the following terms have the following meanings:
Agreement means the Squiz Plus Agreement to which this Data Processing Agreement is an annexure;
Competent Regulator shall mean the competent data protection regulator, which, by way of example, is the ICO in the United Kingdom;
Data Processing Agreement means this data processing agreement;
Data Protection Legislation means all applicable data protection, privacy and electronic marketing legislation (including any national data protection legislation enacted under Directive 95/46/EC, Directive 2002/58/EC and GDPR or otherwise), any replacement or repealing legislation, and any codes of practice issued by a Competent Regulator relating to the same, each as amended from time to time;
Designated Data Officer shall mean an authorised representative of Squiz with sufficient awareness of Squiz's processing of Personal Data;
EEA means the European Economic Area;
GDPR means Regulation (EU) 2016/679;
ICO means the Information Commissioner's Office;
Member State means EU member states from time to time and Member State Law means laws implemented by such EU member states from time to time;
Personal Data means any personal data processed by Squiz on behalf of Customer pursuant to the Agreement;
Sub-processor means any processor appointed by Squiz to assist with Squiz's processing of Personal Data;
Union means the European Union; and
You means Customer (also referred to as the “Customer”).
- For the purposes of this Data Processing Agreement the terms controller, data subject, personal data, process, processing, processor and pseudonymisation shall have the meanings attributed to them in Article 4 of Regulation (EU) 2016/679.
- Where Customer and Squiz have more than one agreement, references to the Agreement shall be to all agreements in place between the parties under which Squiz processes personal data on behalf of Customer.
- Use of the terms include or including shall be construed without limiting the generality of the words preceding those terms.
- References to Clauses are to clauses of this Data Processing Agreement.
Acknowledgement of Roles and responsibilities
- The parties hereby acknowledge that Customer is the controller and Squiz is the processor in respect of Personal Data.
- The parties acknowledge that Squiz processes personal data as part of the provision of services under the Agreement, and confirm that the process and personal data are as set out in the annexure to this Data Processing Agreement.
Squiz's Data Processing Obligations
- Except as set out in Clause 3.3, Squiz shall, and shall ensure that any natural person acting under its authority shall:
- only process Personal Data as is necessary to fulfil its obligations under the Agreement or in accordance with Customer's express written instructions from time to time, and shall not process Personal Data for any other purposes except where required to do so by law;
- not appoint a Sub-processor without Customer's consent and in the event that Customer does provide such consent Squiz shall (i) ensure that each Sub-processor is bound by the terms of this Data Processing Agreement as it applies to Squiz hereunder, (ii) inform Customer of any change in the function of such Sub-processor, and (iii) remain liable for the actions of such Sub-processors in respect of its compliance with this Data Processing Agreement;
- not transfer Personal Data outside the EEA without specific prior written consent of Customer;
- provide all reasonable assistance to Customer to enable Customer to comply with its obligations under Data Protection Legislation in respect of Personal Data, including assisting Customer in complying with its processes in order to give effect to a data subject's rights under the Data Protection Legislation, including the right to access and portability;
- at the end of the duration of the Agreement, promptly delete or return to Customer (at Customer's discretion) all Personal Data and if requested provide written notice to Customer to confirm that such deletion or return has been completed;
- promptly comply with any request from Customer requiring Squiz to amend, transfer or delete Personal Data (such data if transferred to be provided in a commonly used electronic form);
- in the event that Squiz receives any complaint, notice or communication (from either a Competent Regulator or a data subject) which relates directly or indirectly to the processing of Personal Data or to either party's compliance with Data Protection Legislation, Squiz shall notify Customer without undue delay (and in any event in not less than 48 hours) and it shall provide Customer and any Competent Regulator (if applicable) with full co-operation and assistance in relation to any such complaint, notice or communication;
- not disclose Personal Data to any data subject or to a third party other than at the request of, or with the written consent of, Customer;
- notify Customer without undue delay (and in any event in not less than 48 hours) upon becoming aware of any accidental, unauthorised or unlawful processing, disclosure, loss of, access to, damage to or destruction of any Personal Data;
- maintain all appropriate records of processing carried out in respect of Personal Data as required by Data Protection Legislation;
- upon request by Customer, provide written evidence demonstrating its and its Sub-processors' (if applicable) compliance with this Clause 3; and
- take reasonable technical and organisational measures against the unauthorised or unlawful processing of Personal Data, and against the accidental loss or destruction of, or damage to, Personal Data; such measures may include (where appropriate):
(a) the pseudonymisation and encryption of Personal Data;
(b) steps taken to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) ensuring that all individuals, parties, employees or other persons / entities with access to Personal Data are bound by industry standard confidentiality obligations which include keeping such Personal Data confidential;
(d) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(e) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
(f) except where disclosure is permitted under this Data Processing Agreement, keeping, and procuring that its representatives and Sub-processors keep, such Personal Data confidential.
- In the event that Customer determines that any processing activity related to Squiz's processing of Personal Data is likely to result in high risk to the rights and freedoms of a data subject, Squiz shall reasonably co-operate with Customer (if requested by Customer) in conducting a data protection impact assessment in respect of such processing activity, as set out in GDPR.
- Squiz is permitted to process the Personal Data other than as set out in Clause 3.1 only to the extent required by Union or Member State Law to which Squiz is subject, and will inform Customer if such processing is required, including any details of the legal requirement, where possible before processing, unless prohibited from doing so by aforementioned applicable law.
- Squiz shall keep at its normal place of business detailed, accurate and up-to-date records (whether in electronic form or hard copy) relating to the processing of Personal Data by Squiz and to the measures taken by Squiz under Clause 3.1.11 (Records).
- Squiz shall permit Customer and its third-party representatives, on reasonable notice during normal business hours, to:
- gain access to, and take copies of, the Records and any other information held at Squiz's premises or on Squiz's computer systems; and
- inspect all Records, documents and electronic data and Squiz's computer systems, facilities and equipment (so far as they relate to the Customer and the Personal Data),
for the purpose of auditing Squiz's compliance with its obligations under this Data Processing Agreement. Such audit rights may be exercised only once in any calendar year during the Term.
- Squiz shall give all necessary assistance to the conduct of any such audits and the Designated Data Officer shall be present throughout any audit.
- Audit access by any third-party representative of Customer shall be subject to such representative agreeing confidentiality obligations in respect of the information obtained, provided that all information obtained may be disclosed to Customer.
- During the term of the Agreement, Squiz shall appoint a Designated Data Officer who shall act as a readily available point of contact for Customer and who shall have as part of his/her responsibilities the obligation to respond to Customer queries in respect of Squiz's processing of Personal Data. Squiz shall notify Customer of the contact details of the Designated Data Officer as soon as practicable. If at any time Squiz is required under GDPR or otherwise to appoint a Data Protection Officer (DPO) (as defined in the Data Protection Legislation), then references in this Agreement to a Designated Data Officer shall be considered to be references to such DPO.
Clauses 3.1.1, 3.1.4, 3.1.5, 3.1.9, 3.1.12, 3.1.13, 4.1, 5, 6.2, 8 and 9 shall survive the termination or expiry of this Data Processing Agreement.
Notification to be provided to Customer under this Data Processing Agreement, including (without limitation) pursuant to Clause 3.1.9, shall be provided by email to [insert] and [insert any other contact details].
- It is not envisaged that Squiz will be supplying any personal data to Customer under the Agreement. However, in the event that such personal data is provided, Customer confirms that it will comply with its obligations as a processor under the GDPR as if they were set out in full in this agreement and will enter into a long form agreement incorporating such provisions if required by Squiz.
- In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement, this Data Processing Agreement shall take precedence.
- A person who is not a party to this Data Processing Agreement may not enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999.
- This Data Processing Agreement is governed by and will be construed in accordance with the laws of England and Wales, and the parties will be subject to the exclusive jurisdiction of the English courts.
- This Data Processing Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.