Book a call

1. Definitions and Interpretation

1. For the purposes of this Data Processing Agreement the following terms have the following meanings:

Agreement means the agreement between Squiz and the Customer for Squiz to provide and the Customer to receive the products and services as set out in any order or statement of work signed and submitted to Squiz on behalf of the Customer and to which this Data Processing Agreement is an annexure;
Competent Regulator shall mean the competent data protection regulator, which, by way of example, is the Information Commissioner’s Office (ICO) in the United Kingdom;
Data Processing Agreement means this data processing agreement;
Data Protection Legislation means all applicable data protection, privacy and electronic marketing legislation, including any national data protection legislation enacted under Directive 95/46/EC, Directive 2002/58/EC and GDPR or otherwise), any replacement or repealing legislation, and any codes of practice issued by a Competent Regulator relating to the same, each as amended from time to time;
Designated Data Officer shall mean an authorised representative of Squiz with sufficient awareness of Squiz's processing of Personal Data;
EEA means the European Economic Area;
GDPR means Regulation (EU) 2016/679;
ICO means the Information Commissioner's Office;
Member State means EU member states from time to time and Member State Law means laws implemented by such EU member states from time to time;
Personal Data means any personal data processed by Squiz on behalf of Customer pursuant to the Agreement;
Sub-processor means any processor appointed by Squiz to assist with Squiz's processing of Personal Data;
Union means the European Union; and
You means Customer (also referred to as the “Customer”) named in any order or statement of work submitted to Squiz.

2. For the purposes of this Data Processing Agreement the terms controller, data subject, personal data, process, processing, processor and pseudonymisation shall have the meanings attributed to them in Article 4 of Regulation (EU) 2016/679.

3. Where Customer and Squiz have more than one agreement, references to the Agreement shall be to all agreements in place between the parties under which Squiz processes personal data on behalf of Customer.

4. Use of the terms include or including shall be construed without limiting the generality of the words preceding those terms.

5. References to Clauses are to clauses of this Data Processing Agreement.

2. Acknowledgement of Roles and responsibilities

1. The parties hereby acknowledge that Customer is the controller and Squiz is the processor in respect of Personal Data.

2. The parties acknowledge that Squiz processes personal data as part of the provision of services under the Agreement, and confirm that the process and personal data are as set out in the annexure to this Data Processing Agreement.

3. Squiz's Data Processing Obligations

1. Except as set out in Clause 3.3 Squiz shall, and shall ensure that any natural person acting under its authority shall:

  1. only process Personal Data as is necessary to fulfil its obligations under the Agreement or in accordance with Customer's express written instructions from time to time, and shall not process Personal Data for any other purposes except where required to do so by law;
  2. not appoint a Sub-processor without Customer's consent and in the event that Customer does provide such consent Squiz shall (i) ensure that each Sub-processor is bound by the terms of this Data Processing  Agreement as it applies to Squiz hereunder, (ii) inform the Customer of any change in the function of such Sub-processor, and (iii) remain liable for the actions of such Sub-processors in respect of its compliance with this Data Processing  Agreement;
  3. not transfer Personal Data outside the EEA without specific prior written consent of Customer;
  4. provide all reasonable assistance to the Customer to enable the Customer to comply with its obligations under Data Protection Legislation in respect of Personal Data, including assisting Customer in complying with its processes in order to give effect to a data subject's rights under the Data Protection Legislation, including the right to access and portability;
  5. at the end of the duration of the Agreement, promptly delete or return to the Customer (at the Customer's discretion) all Personal Data and if requested provide written notice to the Customer to confirm that such deletion or return has been completed;
  6. promptly comply with any request from the Customer requiring Squiz to amend, transfer or delete Personal Data (such data if transferred to be provided in a commonly used electronic form);
  7. in the event that Squiz receives any complaint, notice or communication (from either a Competent Regulator or a data subject) which relates directly or indirectly to the processing of Personal Data or to either party's compliance with Data Protection Legislation, Squiz shall notify the Customer without undue delay (and in any event in not less than 48 hours) and it shall provide the Customer and any Competent Regulator (if applicable) with full co-operation and assistance in relation to any such complaint, notice or communication;
  8. not disclose Personal Data to any data subject or to a third party other than at the request of, or with the written consent of, the Customer;
  9. notify the Customer without undue delay (and in any event in not less than 48 hours) upon becoming aware of any accidental unauthorised or unlawful processing, disclosure, loss of, access to damage to or destruction of any Personal Data;
  10. maintain all appropriate records of processing carried out in respect of Personal Data as required by Data Protection Legislation;
  11. upon request by the Customer, provide written evidence demonstrating its and its sub-processors (if applicable) compliance with this Clause 3; and
  12. take reasonable technical and organisational measures against the unauthorised or unlawful processing of Personal Data, and against the accidental loss or destruction of, or damage to Personal Data, such measures may include (where appropriate):
    (a) the pseudonymisation and encryption of Personal Data;
    (b) steps taken to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    (c) ensuring that all individuals, parties, employees or other persons / entities with access to Personal Data are bound by industry standard confidentiality obligations which include keeping such Personal Data confidential;
    (d) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    (e) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and
    (f) except where disclosure is permitted under this Data Processing Agreement, keep, and procure that its representatives and Sub-processors keep, such personal data confidential.

2. In the event that the Customer determines that any processing activity related to Squiz's processing of Personal Data is likely to result in high risk to the rights and freedoms of a data subject, Squiz shall reasonably co-operate with the Customer (if requested by the Customer) in conducting a data protection impact assessment in respect of such processing activity, as set out in GDPR.

3. Squiz is permitted to process the Personal Data other than as set out in Clause 3.1 only to the extent required by Union or Member State Law to which Squiz is subject, and will inform Customer if such processing is required, including any details of the legal requirement, where possible before processing, unless prohibited from doing so by aforementioned applicable law.

4. Processing Review

1. Squiz shall keep at its normal place of business detailed, accurate and up-to-date records (whether in electronic form or hard copy) relating to the processing of Personal Data by Squiz and to the measures taken by Squiz under Clause 3.1.11 (Records).

2. Squiz shall permit the Customer and its third-party representatives, on reasonable notice during normal business hours to:

  1. gain access to, and take copies of, the Records and any other information held at Squiz's premises or on Squiz's computer systems; and
  2. inspect all Records, documents and electronic data and Squiz's computer systems, facilities and equipment (so far as they relate to the Customer and the Personal Data),

for the purpose of auditing Squiz's compliance with its obligations under this Data Processing Agreement. Such audit rights may be exercised only once in any calendar year during the Term.

3. Squiz shall give all necessary assistance to the conduct of any such audits and the Designated Data Officer shall be present throughout any audit.

4. Audit access by any third party representative of the Customer shall be subject to such representative agreeing to confidentiality obligations in respect of the information obtained, provided that all information obtained may be disclosed to the Customer.

5. During the term of the Agreement, Squiz shall appoint a Designated Data Officer who shall act as a readily available point of contact for Customer and who shall have as part of his/her responsibilities the obligation to respond to Customer queries in respect of Squiz's processing of Personal Data.  Squiz shall notify Customer of the contact details of the Designated Data Officer as soon as practicable. If at any time Squiz is required under GDPR or otherwise to appoint a Data Protection Officer (DPO) (as defined in the Data Protection Legislation), then references in this Agreement to a Designated Data Officer shall be considered to be references to such DPO.

5. Survival

Clauses 3.1.1, 3.1.4, 3.1.5, 3.1.9, 3.1.12, 3.1.13, 4.1, 5, 6.2, 8 and 9 shall survive the termination or expiry of this Data Processing Agreement.

6. Notification

Notification to be provided to Customer under this Data Processing Agreement, including (without limitation) pursuant to Clause 3.1.9, shall be provided by email to [insert] and [insert any other contact details].

7. General

  1. It is not envisaged that Squiz will be supplying any personal data to the Customer under the Agreement. However, in the event that such personal data is provided, Customer confirms that it will comply with its obligations as a processor under the GDPR as if they were set out in full in this agreement and will enter into a long form agreement incorporating such provisions if required by Squiz.
  2. In the event of any conflict between the terms of this Data Processing Agreement and any provision of the Agreement, this Data Processing Agreement shall take precedence.
  3. A person who is not a party to this Data Processing Agreement may not enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999.
  4. This Data Processing Agreement is governed by and will be construed in accordance with laws of England and Wales and the parties will be subject to the exclusive jurisdiction of the English courts.
  5. This Data Processing Agreement may be executed in one or more counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.

Annexure to Data Processing Agreement

Processing activities undertaken by Squiz under the Agreement

[Insert activities for example Online customer-facing, Internal software support – SaaS for employee use, Physical internal- hardware, server storage, etc.]

Personal Data held or access by Squiz under the Agreement

[Insert Personal Data held or accessed for example Contact details, Personal history (CV, education, previous jobs), and any Special category data (e.g. health, race or ethnic origin, political opinions, sexual orientation etc., criminal records)]

Data subjects covered by the Agreement

[insert individuals information held or accessed for example Online customers, Employees, Mailing list subscribers, or Prospective customers, etc.]