Data Processing Addendum
This Data Processing Addendum (DPA) sets out the additional terms, requirements and conditions on which Datamaran will process Personal Data when providing services under the terms of its Enterprise Agreement and Terms of Use (Agreement).
1. Definitions and Interpretation
The following definitions and rules of interpretation apply in this Agreement.
1.1 Definitions:
1 Business Purposes: the services to be provided by Datamaran to the Customer as described in the Agreement.
2 Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
3 Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
4 Data Protection Legislation:
4a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of Personal Data.
4b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of Personal Data.]
5 EU GDPR: the General Data Protection Regulation ((EU) 2016/679). EEA: the European Economic Area.
6 UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This DPA is subject to the terms of the Agreement and is incorporated into the Agreement. Interpretations and defined terms set forth in the Agreement apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.4 A reference to writing or written includes email.
1.5 In the case of conflict or ambiguity between:
a) any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail;
b) the terms of any other documents annexed to this DPA and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
c) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.
2. Personal data types and processing purposes
2.1 The Customer and Datamaran agree and acknowledge that for the purpose of the Data Protection Legislation:
a) the Customer is the Controller and Datamaran is the Processor of Personal Data in the Submitted Content.
b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Datamaran.
c) ANNEX A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which Datamaran may process the Personal Data to fulfil the Business Purposes.
3. Datamaran obligations
3.1 Datamaran will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. Datamaran will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. Datamaran must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.
3.2 Datamaran must comply promptly with any Customer written instructions requiring Datamaran to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
3.3 Datamaran will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires Datamaran to process or disclose the Personal Data to a third-party, Datamaran must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
3.4 Datamaran will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of Datamaran's processing and the information available to Datamaran, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
3.5. Datamaran must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting Datamaran's performance of the Agreement or this DPA.
4. Datamaran employees
4.1 Datamaran will ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware both of Datamaran's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
5. Security
5.1 Datamaran must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in ANNEX B.
5.2 Datamaran must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
6. Personal data breach
6.1 Datamaran will without undue delay and where feasible within 72 hours notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Where Datamaran becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, Datamaran will reasonably co-operate with the Customer in the Customer's handling of the matter.
6.4 Datamaran will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.
6.5 Datamaran agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
6.6 Datamaran will cover all reasonable expenses associated with the performance of the obligations under 6.1 to 6.3 to the extent it is responsible for the Personal Data Breach. If the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
7. Cross-border transfers of personal data
7.1 Datamaran (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or the EEA without obtaining the Customer's prior written consent.
8. Subcontractors
8.1 Other than those subcontractors as set out in ANNEX A, Datamaran may not authorise any other third-party or subcontractor to process the Personal Data.
8.2 Where the subcontractor fails to fulfil its obligations under the written agreement with Datamaran which contains terms substantially the same as those set out in this Agreement, Datamaran remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
9. Complaints, data subject requests and third-party rights
9.1 Datamaran must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
9.2 Datamaran must notify the Customer promptly in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
9.3 Datamaran must notify the Customer within 7 working days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 Datamaran will give the Customer reasonable co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 Datamaran must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic or EU law.
10. Data return and destruction
10.1 At the Customer's request, Datamaran will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
10.2 On termination of the Agreement for any reason or expiry of its term, Datamaran will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this DPA in its possession or control, except for one copy that it may retain and use in accordance with its backup and retention policies.
10.3 If any law, regulation, or government or regulatory body requires Datamaran to retain any documents, materials or Personal Data that Datamaran would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
11. Audit
11.1 Datamaran shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, conducted by the Customer or another authorised auditor mandated by the Customer with a seven working days notice. Such audits shall not take place more than once in any 12-month period and will not interfere with the regular use of the platform.
Annex A: Personal Data processing purposes and details
Subject matter and nature of processing: the performance of the Services.
Duration of Processing: the Subscription Period
Personal Data Categories: name, last name and email address
Data Subject Types: Authorised Users of the Service appointed by the Customer
Approved Subcontractors:
Amazon Web Services or equivalent cloud hosting suppliers. The Customer consents to Datamaran appointing Amazon Web Services or equivalent cloud hosting suppliers as third-party processors of Personal Data under this agreement.