We take your clients’ privacy seriously and you can find out more here about how we gather, use and share your clients’ personal information.
This Data Processing Agreement (‘DPA’) explains how we use your clients’ personal information and describes the categories of personal information we process and the purposes for which we process it. We are committed to collecting and using such information fairly and in accordance with the requirements of the General Data Protection Regulation (‘GDPR’).
How we use your clients’ personal information
You are responsible for the personal information you hold for your clients (‘Client Information’) as Data Controller and warrant that when acting in this capacity, you hold a formal contract or agreement to share Client Information with us.
Where you share Client Information with us for the purposes of us providing our services to you (‘Services’) pursuant to the terms of the service/fee agreement (‘Contract’), we will hold and use that information as Data Processor.
Both you (the ‘Controller’) and we (the ‘Processor’) will act in accordance with the requirements of the Data Protection Act 2018 and the EU General Data Protection Regulation, together referred to as the ‘Regulations’.
We will not share Client Information with any other party except as indicated in this DPA or where required to do so by any statutory, governmental or regulatory body for legitimate purposes.
The Processor has agreed to provide Services to the Controller. In so doing the Processor shall process Client Information on behalf of the Controller.
In providing Services to the Controller, the Processor shall process Client Information only to the extent necessary to provide Services in accordance with both the Contract and the Controller’s instructions.
The Processor confirms that it shall process Client Information on behalf of the Controller and shall take steps to ensure that any natural person acting under the authority of the Processor who has access to Client Information does not process the Client Information except on instructions from the Controller.
The Processor shall promptly inform the Controller if, in the Processor’s opinion, any of the instructions regarding the processing of Client Information provided by the Controller breach any applicable data protection laws.
The Processor shall ensure that all employees, agents, officers and contractors involved in the handling of Client Information:
- are aware of the confidential nature of the Client Information and are contractually bound to keep the Client Information confidential;
- have received appropriate training on their responsibilities as a data processor; and
- are bound by the terms of this DPA.
The Processor shall implement appropriate technical and organisational procedures and measures to protect Client Information, with due consideration to the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Processor shall implement such procedures and measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
- the pseudonymisation and encryption of Client Information;
- the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Client Information in a timely manner, in so far as is possible, in the event of a physical or technical incident or for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Information transmitted, stored or otherwise processed.
The Controller represents and warrants that it shall comply with the terms of the Contract, this DPA and all applicable data protection and GDPR laws.
The Controller has its own obligation to implement appropriate technical and organisational procedures and measures to protect Client Information and is responsible for compliance with all applicable data protection legislation, including requirements with regard to the transfer of Client Information under this DPA and the Contract.
The Controller represents and warrants that it has obtained all permissions and authorisations necessary to permit the Processor to exercise its rights or undertake the Services under this DPA.
All subsidiaries or Appointed Representatives of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA.
The Controller may request the correction, deletion, blocking and/or making available of the Client Information during or after termination of the Contract. The Processor will process the request to the extent it is lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. The Processor may be required by regulations, or for legal or insurance purposes, to retain Client Information contrary to the Controller’s request for deletion.
The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data from the Processor, may result in additional fees. In such case, the Processor will notify the Controller of such fees in advance unless otherwise agreed.
The Controller acknowledges and agrees that subsidiaries and agents of the Processor may be used as Sub-Processors for the provision of Services. All Sub-Processors who process Client Information in the provision of the Services shall comply with the obligations of the Processor as set out in this DPA.
Client Information will not be processed outside the EEA without the explicit consent and agreement of the Controller prior to data being processed outside the EEA.
The Processor’s Sub-Processors are:
- ATEB IT Solutions Ltd (our business partner for the provision of auditing software);
- Microsoft Corporation (for the provision of offsite data storage);
- Dropbox Inc (for the provision of offsite data storage).
The Processor shall not engage another Sub-Processor without the prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Controller the opportunity to object to such changes. The Controller has 5 business days to object in writing to the Sub-Processor being used, outlining any reasonable concerns. The Processor will work with the Controller to help remediate any reasonable concerns. If the Processor is not able to remediate the reasonable concerns, then the Controller shall be able to terminate the Contract without penalty.
The Processor will implement appropriate safeguards in any contract/agreement with a Sub-Processor but will remain fully liable to the Controller for any Sub-Processor’s performance of its obligations.
The limitations on liability set out in the Contract apply to all claims made pursuant to any breach of the terms of this DPA.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with its processing obligations under this DPA.
Notification of Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of (and in any event within 24 hours of discovering) any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Client Information (‘Data Breach’).
The Processor will take all commercially reasonable measures to secure the Client Information, to limit the effects of any Data Breach and to assist the Controller in meeting the Controller’s obligations under applicable law.
The Processor will cover all reasonable expenses, subject to the provision of proof of actual financial loss, when responding to a Data Breach caused by the Processor, unless the matter arose from the Controller’s specific instructions, negligence, wilful default or breach of this DPA, in which case the Controller will cover all reasonable expenses.
The Processor’s notification of, or response to, a Data Breach will not be construed as an acknowledgement by the Processor of any fault or liability with respect to the Data Breach.
The Controller is solely responsible for complying with data breach notification laws applicable to the Controller and fulfilling any third-party notification obligations related to any Data Breach(es).
Compliance, Cooperation and Response
In the event that the Processor receives a request from a client of the Controller in relation to Client Information, the Processor will refer the client to the Controller unless otherwise prohibited by law.
The Controller shall reimburse the Processor for all costs incurred resulting from providing reasonable assistance in dealing with the request or assisting the Controller in complying with its duties.
Where the Processor is legally required or bound for legitimate purposes by any statutory, governmental or regulatory body to respond to the request, the Controller will fully cooperate with the Processor as applicable.
The Processor will notify the Controller promptly of any request or complaint regarding the processing of Client Information which adversely impacts the Controller, unless such notification is not permitted under applicable law or by any statutory, governmental or regulatory body.
The Processor may make copies of and/or retain Client Information in order to comply with its legal or insurance purposes.
The Processor will keep detailed, accurate and up-to-date written records regarding any processing of the personal information, including but not limited to, the access, control and security of the personal information, approved subcontractors (if any), the processing purposes, categories of processing, any transfers of personal information to a third country and related safeguards, and a general description of the technical and organisational security measures.
The Processor will ensure that the records are sufficient to enable the Controller to verify the Processor’s compliance with its obligations under this DPA, and the Processor will provide the Controller with copies of the records upon request.
The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with a supervisory data protection authority in the performance of their respective obligations under this DPA.
The Controller agrees that the Processor will be entitled to charge the Controller additional fees to reimburse the Processor for its staff time, costs and expenses in assisting the Controller when the Controller requests the Processor to provide assistance pursuant to this DPA. In such cases, the Processor will notify the Controller of its fees for providing assistance in advance.
Term and Termination
This DPA and any addenda to the Contract will continue in force until termination of the Contract.
This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
Should a provision of this DPA be invalid or become invalid, then the legal effect of the other provisions shall be unaffected. A valid provision which comes closest to what the parties intended commercially is deemed to have been agreed and shall replace the invalid provision. The same shall apply to any omissions.
This DPA shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.