Data Processing Agreement

DEFINITIONS

1.1.1 “Applicable Data Protection Law” shall mean:

(a) the Data Protection Act 2018;

(b) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and

(c) all United Kingdom laws with direct effect relating to Processing of Personal Data including any laws that amend or any re-enactment to replace the foregoing;

1.1.2 “You” or “Your” means the Licensee under this agreement as stated on the License Certificate

1.1.3 “Controller”“Processor”“Data Subject”“Personal Data”“Processing” (and “Process”) and “Special Categories of Personal Data” shall have the meanings given in Applicable Data Protection Law;

1.1.4 “the Company” means AFD Software Limited;

1.1.5 “Your Data” means any information relating to the You and/or any member of Your Customers’ received or generated by either Party (or member of its group), or to which either Party or member of its group may have access, pursuant to this Agreement, including, without limitation, any Personal Data.

 

 

Relationship of the parties

2.1 Both parties acknowledge that the Controller is determined by law, and the parties understanding is that, in respect of the Personal Data to be Processed pursuant to this agreement the parties acknowledge that the terms in relation to any compliance with Applicable Data Protection Law is as between You and the Company.

2.2 To the extent the law determines otherwise than as set out in clause 2.1 above You (as primary Processor) appoints the Company as a sub-Processor to process the Personal Data that is the subject of this agreement.

2.3 Neither party shall breach any provision or principle of Applicable Data Protection Law and shall not as a result of its act or omission cause the other party or any of its employees or agents to commit any such breach.

 

Purpose limitation

3.1 In no event shall the Company process Your Data for its own purposes or those of any third party. Prior to carrying out an instruction of the Controller, the Processor shall inform the Controller if in its opinion such instruction infringes Applicable Data Protection Law.

 

International transfers

4.1 The Company shall not transfer the Personal Data (nor permit the Personal Data to be transferred) outside of the British Isles.

 

Confidentiality of Processing

5.1 The Company shall ensure that any person that it authorises to process the Data (including the Processor’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process Your Data who is not under such a duty of confidentiality. The Processor shall ensure that all Authorised Persons process Your Data only as necessary for the Permitted Purpose.

 

Security

6.1 The Company shall implement appropriate technical and organisational measures to protect the Personal Data:

6.1.1 from accidental or unlawful loss or destruction, and

6.1.2 unauthorised alteration, disclosure of, or access to the Personal Data (each a “Security Incident”).

6.2 The Company shall provide such assistance as You or the Controller (as the case may be) may reasonably require for the purpose of Your or the Controller’s (as the case may be) compliance with its obligations under Applicable Data Protection Law to protect Your Data against a Security Incident.

6.3 Upon becoming aware of a confirmed Security Incident, the Company shall inform You without undue delay and shall provide all such timely information and cooperation as You may require in order for You and the Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.

6.4 The Company shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and shall keep You updated on all material developments in connection with the Security Incident.

 

Sub-processing

7.1 The Company shall not subcontract any Processing of the Personal Data to a third-party subcontractor (“Sub-processor”) without Your prior written consent.

7.2 Subject to Clause 7.1, You may object to the Processor’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection.

 

Cooperation and Data Subjects’ rights

8.1 The Company shall provide reasonable and timely assistance (including by appropriate technical and organisational measures) to You to enable You to respond to:

8.2 any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and

8.3 any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Company, the Company shall promptly inform You providing full details of the same.

 

Data Protection Impact Assessment

9.1 If the Company believes or becomes aware that its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform You and provide You with all such reasonable and timely assistance as You may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.

 

Deletion or return of Personal Data

10.1 Upon termination or expiry of this Agreement, the Processor shall (at the Controller’s election) destroy or return to the Controller all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for Processing).

10.2 Neither party shall be required under this Paragraph 10 to recall or delete backup copies of electronic information which has been automatically stored pursuant to the party’s automatic archiving and back-up procedures, where to do so would not be technically reasonable having regard to all the circumstances.

mailLink mailLink

We are here to help

We serve thousands of organisations and a network of hundreds of partners across multiple industry sectors, enabling them to have full confidence in their contact data.