Personal Data Processing Agreement
NXT Generation Consultancy Limited, a private company limited by shares, registered in England with Company Number 11297875 and registered office address at 1 Lysias Road, London, United Kingdom, SW12 8BW (“the Company”).
A. Having noted changes to data protection law being introduced by, among others, the GDPR,
B. Being mindful of their own direct responsibilities and liabilities under data protection law, and
C. Considering Article 28 of the GDPR,
The parties have agreed to enter into this PDPA to govern their rights and obligations under Data Protection Law in relation to the processing of personal data, in so far as this is required by the GDPR.
1.1. “Affiliate” means an entity that directly or indirectly controls or owns, or is owned or controlled, or is under common control or ownership with another entity. Any references to the Company or the Customer shall be construed to mean reference to their respective Affiliates;
1.2. “Data Protection Law” means The Data Protection Act 2018; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the GDPR); and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any superseding and repealing legislation;
1.3. “Data Controller” has the same meaning as the one provided for in Article 4.7 GDPR. For the purposes of this PDPA and the Terms, the Data Controller is the Customer;
1.4. “Data Processor” has the same meaning as the one provided for in Article 4.8 GDPR. For the purposes of this PDPA and Terms, the Data Processor is the Company;
1.5. “The Terms” means either the Company’s [standard T&Cs] for Customers (as the same may be modified from time to time) or any other separately negotiated agreement between the Company and the Customer concerning the Customer’s use of the Company’s marketing services or the Customer Order Form;
1.6. All definitions in Article 4 GDPR shall apply to this PDPA;
1.7. All capitalised terms shall have the meaning given in the Terms.
2. GENERAL PROVISIONS
2.1. This PDPA is hereby incorporated into and forms part of the Terms. In the event and to the extent of a conflict with any provision of the Terms relating to Data Protection Law, this PDPA shall prevail. Save as specifically amended herein, all of the provisions of the Terms, save to the extent modified by this PDPA, are unaffected and shall continue to apply.
2.2. The parties acknowledge that the rights and obligations of this PDPA are supported by the consideration provided under the Terms.
2.3. This PDPA together with the Terms represent the Customer’s complete and final documented instructions to the Company, which may change from time to time, for the processing of personal data on the Customer’s behalf, including for the avoidance of doubt with regard to transfers of personal data as described in Clause 8 below.
2.4. This PDPA applies where and only to the extent that the Company processes personal data that originates from the European Economic Area and/or is otherwise subject to Data Protection Law.
2.5. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this PDPA or the SCCs, whether in contract, tort or under any other theory of liability, is subject to any limitation of liability provisions set out in the Terms, and any reference herein to the liability of any party means the aggregate liability of that party and all of its Affiliates under the Terms.
2.6. Upon the parties’ written agreement and subject to 30 days written notice being served by either party to the other, this PDPA may be replaced by standard contractual clauses adopted pursuant to Article 28(7) or Article 28(8) GDPR.
2.7. Following service of written notice pursuant to Clause 2.6, the Company may also modify this PDPA if required to do so by law or if it decides to implement approved codes of conduct or certifications pursuant to Article 28(5) GDPR or Binding Corporate Rules pursuant to Article 47 GDPR.
3. PERSONAL DATA PROCESSING
3.1. The Company may process, on behalf of the Customer, personal data:
3.1.1. relating to persons identified in the process of generating marketing leads for the Customer in accordance with the Terms and for the length of time permitted under the Terms;
3.1.2. by automated means for the purpose of fulfilling its obligations under the Terms or as otherwise required by law;
3.1.3. such as individual names, physical addresses, email addresses, IP addresses, internet browser types, phone numbers, and any other information that persons submit on the Company’s landing pages.
4. UNDERTAKINGS OF THE COMPANY
4.1. The Company undertakes to implement appropriate technical and organisational measures sufficient to ensure that any processing of personal data it undertakes on behalf of the Customer will meet the requirements of the GDPR and will ensure the protection of the rights of the data subject to whom the personal data relates. With regard to the above, the Company hereby undertakes to:
4.1.1. only act on the documented instructions of the Customer, as amended from time to time, unless otherwise required by law;
4.1.2. ensure that persons authorised to process the personal data, if any, are subject to a duty of confidence;
4.1.3. ensure a level of security of personal data processing appropriate to the risk involved in such processing;
4.1.4. only engage third parties in the sub-processing of personal data on behalf of the Customer on terms substantially similar to the terms of this PDPA;
4.1.5. assist the Customer, insofar as this is possible taking into account the nature of the relevant processing, in fulfilling the Customer’s obligations with respect to the exercise of data subjects’ rights laid down in Data Protection Law (it being understood that the Company will be entitled to make reasonable charges to the Customer reflecting the level of assistance required);
4.1.6. reasonably assist the Customer, while taking into account the nature of the processing and the information available to the Company, in meeting its obligations under Data Protection Law in relation to the security of processing, the notification of personal data breaches and data protection impact assessments (it being understood that the Company will be entitled to make reasonable charges to the Customer reflecting the level of assistance required);
4.1.7. delete and/or return to the Customer all personal data obtained from the Customer within a reasonable time following the Customer’s request following expiry of the Terms, save for any personal data the Company is obliged to retain under law;
4.1.8. allow for and contribute to audits conducted by or on behalf of the Customer and make available to the Customer information necessary to verify that the Customer and the Company are both meeting their obligations under this PDPA (it being understood that the Company will be entitled to make reasonable charges to the Customer reflecting the level of assistance required);
4.1.9. attend to queries related to Data Protection Law that the Customer may have in relation to this PDPA or the Terms, which are to be directed to firstname.lastname@example.org.
5. UNDERTAKINGS OF THE CUSTOMER
5.1. The Customer hereby:
5.1.1. acknowledges, with respect to personal data acquired by the Customer, it is solely responsible for the accuracy, quality, and legality of personal data and the means by which it was acquired;
5.1.2. grants permission to the Company to use third party sub-processors on its behalf for the purposes of fulfilling the Company’s obligations under this PDPA (and the Company shall, upon request, make a list of such sub-processors available to the Customer within a reasonable time);
5.1.3. instructs the Company to process personal data on its behalf for the purposes of fulfilling its obligations under this PDPA;
5.1.4. acknowledges that, as a Data Controller, it is ultimately responsible for ensuring that personal data is processed in accordance with Data Protection Law;
5.1.5. waives its right to make any claims against the Company for any share of liability under Article 82(5) GDPR.
6. THIRD PARTIES
6.1. The Company has engaged Microsoft Online Services to facilitate the provision of its own marketing services to the Customer, on terms substantially similar to those of this PDPA. The Company will procure that any agreements it enters into with any other third parties will be on such terms as well. In the event the Company engages additional or alternative third parties as sub-processors it will notify the Customer in writing.
7. SECURITY MEASURES
7.1. The Company maintains a robust set of security measures for ensuring the ongoing confidentiality, integrity and availability of personal data, and the resilience of the hardware and software systems in use. Such security measures are subject to continuing technical progress and development.
7.2. Further information on the security measures the Company has in place is available on request made via email to email@example.com.
8. PERSONAL DATA TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA
8.1. The Customer acknowledges and agrees that the Company or its sub-processors may transfer personal data outside the EEA to the extent necessary to provide the services specified in the Terms.
8.2. Any international transfers pursuant to clause 8.1, to the extent that these include the processing of personal data covered by Data Protection Law, shall be made solely pursuant to an appropriate safeguard or otherwise permitted by law.
8.3. International transfers of personal data by the Company’s primary sub-processor, namely Microsoft Online Services, are undertaken on the basis of EU Standard Contractual Clauses.
8.4. In the event that the Company adopts Binding Corporate Rules pursuant to Article 47 GDPR and/or Clause 2(7) of this PDPA, international personal data transfers carried out by the Company shall be governed by such Binding Corporate Rules and not by the SCCs.
9. FINAL PROVISIONS
9.1 If any provision of this PDPA is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision shall be deemed deleted. Any modification to or deletion of a provision under this Clause shall not affect the validity and enforceability of the rest of this PDPA.
9.2 Each party warrants to the other that (i) it has full capacity and authority and all necessary licences, permits and consents to enter into and to perform its obligations under this PDPA and (ii) this PDPA is executed by its duly authorised representative.
9.4 This PDPA, and any dispute or claim arising out of or in connection with it (including any dispute or claim relating to non-contractual obligations), will be governed by, and construed in accordance with, English law.
9.5 The courts of England and Wales will have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this PDPA (including any non-contractual disputes or claims).