The parties have entered into an agreement for the Croudie to provide certain services (the “Services”) to the Company (the “Main Agreement”).
This data processing addendum (the “DPA”) sets forth the terms on which the parties will collect and process personal data in connection with the Services and is hereby incorporated into the Main Agreement by reference.
This DPA describes the commitments of Company and Croudie concerning the processing of personal data in connection with the provision of the Services contemplated by the Main Agreement. Defined terms within this DPA shall have the meaning given to them in the Main Agreement, unless indicated herein otherwise.
This DPA will apply to the processing of personal data under the Main Agreement, to the extent that such processing is subject to Data Protection Legislation, and takes effect from the date of the Main Agreement.
The parties acknowledge and agree that Company is either a controller, or a processor (on behalf of its Clients as controllers) with regard to the processing of personal data, and Croudie is respectively a processor or a sub-processor of Company.
Subject-matter
Processing of personal data related to the Services as described in the Main Agreement.
Nature and purpose
Processing of personal data to provide the Services as described in the Main Agreement.
Duration and Frequency
Term of the Main Agreement or for as long as Croudie is permitted or required to retain the personal data.
Types of personal data
Categories of Data Subject
“Clients” means any client or customer of the Company.
“Controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing,” “service provider” and “appropriate technical and organisational measures” are as defined in the Data Protection Legislation.
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time including (i) the General Data Protection Regulation ((EU) 2016/679) (“EU GDPR”); (ii) the General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) (“UK GDPR”); (iii) the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
“EU C-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
“EU P-to-P Transfer Clauses” means the EU SCCs sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
“Restricted Transfer” means a transfer of personal data under this DPA from the European Economic Area, Switzerland, or United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of applicable laws of the foregoing territories, to the extent such transfers are subject to such applicable laws.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en (“EU SCCs”) and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation.
2.1 To the extent that Company is controller of Company personal data Company will ensure that it has all necessary and appropriate consents and notices in place to enable lawful disclosure of such personal data to Croudie and/or lawful collection or processing of personal data to Croudie on behalf of Company for the purposes of this DPA.
3.1 Croudie shall comply with the requirements below, in relation to any Company personal data or Client personal data processed by Croudie as a processor on behalf of Company:
3.1.1 Instructions: Croudie shall: (i) process Company personal data and Client personal data only on the documented written instructions of Company, which include this DPA and the Main Agreement, unless Croudie is required by applicable laws to otherwise process Company personal data or Client personal data; (ii) where Croudie is relying on applicable laws as the basis for processing Company personal data or Client personal data, Croudie shall promptly notify Company of this in advance, unless those applicable laws prohibit Croudie from doing so; and (iii) inform the Company promptly if, in Croudie’s opinion, an instruction from the Company infringes (or, if acted upon, might cause an infringement of) Data Protection Legislation;
3.1.2 Security: Croudie shall ensure that it has in place appropriate technical and organizational measures (the “Security Measures”), to protect against unauthorized or unlawful processing of Company personal data or Client personal data and against accidental loss or destruction of, or damage to, Company personal data or Client personal data, appropriate to: the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage of the data; and the nature of the data to be protected, in all cases having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate:
(a) pseudonymising and encrypting Company personal data and Client personal data;
(b) ensuring confidentiality, integrity, availability and resilience of its systems and services;
(c) ensuring that availability of and access to Company personal data and Client personal data can be restored in a timely manner after an incident;
(d) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
(e) installation of: an anti-malware solution, a secure firewall solution, updates of key operating system patches/features and firmware updates on the Croudie’s personal computing devices, applied within a reasonable timeframe of being made available by the relevant vendor/manufacturer);
3.1.3 Confidentiality of processing: Croudie shall ensure that Company personal data or Client personal data are kept confidential at all times and that all Croudie Personnel that have access to such personal data are subject to a strict duty of confidentiality;
3.1.4 Cooperation and data subject rights: Croudie shall assist Company in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to personal data breach notifications, impact assessments and consultations with supervisory authorities or regulators;
3.1.5 Personal data breaches: Croudie shall notify the Company without undue delay on becoming aware of a personal data breach of Company personal data or Client personal data;
3.1.6 Deletion or return of data: Croudie shall, at the written direction of the Company, delete or return Company personal data or Client personal data to the Company, on termination of the DPA unless required by applicable laws to store Company personal data or Client personal data;
3.1.7 Accountability: Croudie shall maintain complete and accurate records and information to demonstrate its compliance with Data Protection Legislation and provide the Company with appropriate evidence at its reasonable request; and
3.1.8 Audits: Croudie shall maintain complete and accurate records and information to demonstrate compliance with this DPA and allow for audits by the Company.
3.1.9 Cross-border transfers: except to the extent that the provisions of clause 5 apply, Croudie shall not process or transfer any Company personal data or Client personal data outside the UK or the EEA without the prior written consent of Company.
4.1 The Croudie agrees that any Substitute appointed under clause 4 of the Main Agreement is a sub-processor of Company personal data or Client personal data.
4.2 Croudie confirms that: (a) it shall impose on all sub-processors substantially the same data protection obligations as set out in this DPA; and (b) Croudie shall remain fully liable for the actions of its sub-processors at all times.
5.1 Insofar as the provision of the Services leads to a Restricted Transfer of Company personal data, Croudie and Company hereby enter into the EU C-to-P Transfer Clauses and the UK Addendum (where applicable) on the basis that the exporter is Company and the importer is Croudie, and on the basis that:
(a) The EU C-to-P Transfer Clauses will be completed as follows:
(i) in clause 7, the optional docking clause will apply;
(ii) in clause 9, Option 1 will apply, and the timeframe in which consent must be requested by Croudie is 30 days;
(iii) in Clause 11, the additional redress mechanism will not apply;
(iv) Clauses 17 and 18 shall be governed by the jurisdiction of Ireland and disputes shall be resolved before the courts of the jurisdiction of Ireland;
(v) for the purposes of Annex I to the EU C-to-P Transfer Clauses: (a) the categories of data transferred are Company Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are set out above under “Description of Data Processing”. It is not anticipated that sensitive data will be transferred;
(vi) For the purpose of Annex II the security measures are specified on the Company website which are hereby incorporated by reference.
(b) The UK Addendum will apply as follows:
(i) The EU C-to-P Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 5.1(a); and
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 5.1(a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting “data exporter”.
5.2 Insofar as the provision of the Services leads to a Restricted Transfer of Client personal data, Croudie and Company hereby enter into the EU P-to-P Transfer Clauses and the UK Addendum on the basis that the exporter is Company and the importer is Croudie, and on the basis that:
(a) The EU P-to-P Transfer Clauses will be completed as follows:
(i) in clause 7, the optional docking clause will apply;
(ii) in clause 9, Option 1 will apply, and the timeframe in which consent must be requested by Croudie is 30 days;
(iii) in Clause 11, the additional redress mechanism will not apply;
(iv) Clauses 17 and 18 shall be governed by the jurisdiction of Ireland and disputes shall be resolved before the courts of the jurisdiction of Ireland;
(v) for the purposes of Annex I to the EU P-to-P Transfer Clauses: (a) the categories of data transferred are Company Data (as defined above); and (b) the categories of data subject, subject matter, nature and purpose and duration and frequency of the transfer and retention are set out above under “Description of Data Processing”. It is not anticipated that sensitive data will be transferred; and
(vi) For the purpose of Annex II the security measures are specified on the Company website which are hereby incorporated by reference.
(b) The UK Addendum will apply as follows:
(i) The EU P-to-P Transfer Clauses (as amended as specified by Part 2 of the UK Addendum) are completed as set out above in Section 5.1(b); and
(ii) Tables 1 to 3 of the UK Addendum shall be deemed completed with the information set out above in Section 5.1(a) (as applicable) and table 4 in Part 1 shall be deemed completed by selecting “data exporter”.
5.3 To the extent there is any conflict between this DPA and/or the Main Agreement with any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6.1 This DPA is subject to the terms of the Main Agreement and is incorporated into the Main Agreement. In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Main Agreement, the provisions of this DPA will prevail to the extent of such conflict or ambiguity. This DPA will remain in full force and effect so long as the Main Agreement remains in effect.
6.2 The Croudie has personal liability for and shall indemnify the Company for any loss, liability, costs (including legal costs), damages, or expenses resulting from any breach by the Croudie or a Substitute of the Data Protection Legislation.
6.3 Croudie agrees that Company may require Croudie, and Croudie Personnel, to enter into further Data Protection Agreements for specific Company client projects that require processing of Company personal data or Client personal data. Croudie agrees that in such case Croudie, and Croudie Personnel, will comply with all Company technical and security processes as directed by the Company and under this DPA.
6.4 If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
6.5 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
6.6 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims), arising out of or in connection with this DPA or its subject matter or formation.