Bridgit

Data Processing Agreement

Last updated: 6th July 2025

This Data Processing Agreement (DPA) is intended to be issued by the Data Controller (the charity) to the Data Processor (Bridgit).

Bridgit provides this DPA as a standard, default agreement for use by charities. However, if the charity and Bridgit have agreed to use an alternative DPA – such as the charity's own version – that agreement supersedes and renders this document redundant.

1. DEFINITIONS AND INTERPRETATION

The following definitions and rules of interpretation apply in this Data Processing Agreement.

Definitions:

1.1. DPA means this Data Processing Agreement - including additional schedules and annexes.
1.2. Cessation Date means the date on which the provision of the services under the Service Contract ends.
1.3. Services means the Data Management and Analytics services the Processor provides.
1.4. Service Contract means the Terms & Conditions.
1.5. Agreement means the framework agreement between the Controller and the Processor for the provision of the Services.
1.6. Data Protection Legislation means:
1.6.1. the applicable data protection law, which may include the EU General Data Protection Regulation (EU GDPR) in the European Union and the UK GDPR in the United Kingdom;
1.6.2. the Data Protection Act 2018 in both the UK and Ireland; and
1.6.3. to the extent that the EU GDPR applies, the law of the European Union or of any member state of the European Union to which the Data Controller or the Data Processor is subject, which relates to the protection of Personal Data.
1.7. Data subject means the identified or identifiable living individual to whom the Personal Data relates.
1.8. Personal data means any information relating to an identified or identifiable living individual that is processed by the Data Processor on behalf of the Data Controller as a result of, or in connection with, the provision of the services under this DPA and/or any other agreement in place between the parties; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
1.9. Data Subject Rights Request means the exercise by a Data Subject of one or more of their rights afforded under Data Protection Legislation in relation to their Personal Data.
1.10. Designated Officer has the meaning given in section 8.
1.11. EEA means the European Economic Area.
1.12. EU GDPR means the General Data Protection regulation ((EU) 2016/679).
1.13. UK GDPR has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
1.14. Parties means the Data Processor and the Data Controller, and Party means either one of them.
1.15. Personal Data Breach means a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
1.16. Processing, processes, processed or process means any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
1.17. Required Purposes means the services to be provided by the Data Processor to the Data Controller as more particularly identified in Appendix 1.
1.18. The terms "data controller", "data processor", "data subject", "personal data", "transfer" (in the context of transfers of personal data) and "technical and organisational measures" have the meanings given to them in the Data Protection Legislation.
1.19. Information Commissioner's Office (ICO) means the UK data protection regulatory body. The Data Protection Commission (DPC) means the regulatory body of the Republic of Ireland.
1.20. International Data Transfer Agreements (IDTAs) means the set of clauses approved by the ICO to facilitate adequate safeguards for international transfers of personal data.
1.21. Security Issue means any circumstance, threat, vulnerability, or action that jeopardises the security of client information, potentially leading to a security incident or personal data breach.
1.22. Standard Contractual Clauses (EU SCCs) means the set of clauses approved by the EU commission to facilitate adequate safeguards for international transfers of Personal Data.
1.23. Subprocessor means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller in connection with the Agreement.
1.24. Transfer Risk Assessments (TRAs) means the methodology developed by the ICO for assessing the risks when transferring Personal Data internationally.

2. SUMMARY

2.1 This Data Processing Agreement (DPA) sets out the obligations of the parties:
2.1.1 to share or disclose information about the data subjects as listed in Appendix 1;
2.1.2 to process information securely at all times and to maintain confidentiality in relation to the arrangements for this DPA; and
2.1.3 to agree and acknowledge that, for the purpose of the Data Protection Legislation, the Data Controller retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to providing any required notices, obtaining any required consents, and the written processing instructions it gives to the Data Processor.

2.2 Appendix 1 lists the involved parties and describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Data Processor may process the Personal Data to fulfil the Required Purposes.

2.3 In the case of conflict or ambiguity between:
2.3.1 any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail; and
2.3.2 any of the provisions of this DPA and the provisions of any other agreement in force between the parties, the provisions of this DPA will prevail.

2.4 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to the other party's Designated Officer.

3. OBLIGATIONS AND RIGHTS OF THE DATA CONTROLLER

3.1 The Data Controller is obliged to implement and maintain appropriate and effective technical and organisational measures and be able to demonstrate the compliance of processing activities with Data Protection Legislation, including the effectiveness of the measures. Those measures should consider the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of Data Subjects.

3.2 Where proportionate in relation to processing activities (which shall be determined by the Data Controller in its absolute discretion), the measures referred to in clause 3.1 shall include the implementation of appropriate data protection policies by the Data Controller.

3.3 Adherence to approved codes of conduct as referred to in Article 40 of the UK GDPR and/or EU GDPR (as applicable) or approved certification mechanisms as referred to in Article 42 of the UK GDPR and/or EU GDPR (as applicable) may be used in part, to demonstrate compliance with the obligations of the Data Controller.

3.4 The responsibility and liability of the Data Controller for any processing of the Personal Data carried out by the Data Controller or on the Data Controller's behalf is established in this DPA. The Data Controller determines the purposes and means of the processing and the lawful bases upon which the processing is lawfully achieved.

3.5 The Data Controller should carry out a Data Protection Impact Assessment (DPIA) should there be the possibility of a high risk to the rights and freedoms of Data Subjects. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

4. OBLIGATIONS AND RIGHTS OF THE DATA PROCESSOR

4.1 The Data Processor will only process the Personal Data to the extent, and in such a manner, as is necessary for the Required Purposes in accordance with the Data Controller's written instructions as detailed in the Service Contract. The Data Processor will not process the Personal Data for any other purpose or in a way that does not comply with this DPA, the Service Contract or the Data Protection Legislation. The Data Processor must promptly notify the Data Controller if, in its opinion, the Data Controller's instructions do not comply with the Data Protection Legislation.

4.2 The Data Processor must comply promptly with any Data Controller written instructions requiring the Data Processor to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

4.3 The Data Processor will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Data Controller or this DPA specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the ICO). If a domestic or EU law, court or regulator (including the ICO) requires the Data Processor to process or disclose the Personal Data to a third party, the Data Processor must first inform the Data Controller of such legal or regulatory requirement and give the Data Controller an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.

4.4 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with the ICO or other competent data privacy authorities, which the Controller reasonably considers to be required by article 35 or 36 of the UK GDPR, EU GDPR, or equivalent provisions of any other Data Protection Law, in each case solely in relation to the Processing of the Controller's Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processor.

5. SCOPE OF THE DATA PROCESSOR AGREEMENT

5.1 This DPA has been developed to establish comprehensive and consistent standards of information processing within and between the parties, with respect to the appropriate treatment of Personal Data and other confidential information which the Data Processor will adopt.

5.2 The parties must ensure that rights of all parties are upheld in a fair and proportionate way by clear and consistent practice in accordance with:

  • The duties and powers (expressed or implied) arising from relevant legislation incumbent on statutory bodies or their sub-contractors
  • The Human Rights Act 1998
  • The Data Protection Act 2018 (for both the UK and Ireland)
  • The Freedom of Information Act 2000
  • UK GDPR and/or the EU GDPR (as applicable)

5.3 The Data Processor shall process the Personal Data only on documented instructions from the Data Controller which are included in Appendix 1.

6. LAWFULNESS OF THE PROCESSING

6.1 Personal Data will only be transferred or otherwise processed between the Parties where the Data Controller has identified the processing as lawful, necessary, justified, proportionate and based on a lawful basis in compliance with Data Protection Legislation.

7. INDEMNITY

7.1 The Data Processor agrees to indemnify, and keep indemnified and defend at its own expense the Data Controller against all costs, claims, damages or expenses incurred by the Data Controller or for which the Data Controller may become liable due to any failure by the Data Processor or its employees, subcontractors or agents to comply with any of its obligations under this DPA and/or the Data Protection Legislation.

7.2 Any limitation of liability set forth in any other agreement in place between the parties will not apply to this DPA's indemnity or reimbursement obligations.

7.3 By signing this DPA, both parties agree to accept and implement it and to adopt the statements and procedures contained within it.

7.4 Any breaches of, or other complaints about, this DPA will be dealt with in accordance with the processes described in the DPA.

8. DESIGNATED OFFICER

8.1 Each party must appoint a designated officer (see Declaration of Acceptance below). The Designated Officer may be the party's Caldicott Guardian, Data Protection Officer or other relevant manager.

8.2 The Designated Officer is responsible for ensuring that their organisation complies with legal and other appropriate requirements, obligations, and guidance in relation to information processing and sharing, including those outlined in this DPA.

8.3 The Designated Officer will also be responsible for:

8.3.1 internal information governance and/or operational procedures and processes

8.3.2 dissemination, implementation, and monitoring of this DPA

8.3.3 receiving requests for changes to any aspect of this DPA, circulating them for a response, obtaining agreements for the changes and reissuing amended documents where necessary

9. INFORMATION GOVERNANCE

9.1 Each party will have in place appropriate information governance and/or operational policies and procedures to facilitate effective and secure processing of Personal Data that is compliant with the Data Protection Legislation.

10. TYPES OF INFORMATION TO BE PROCESSED

10.1 The data the Data Processor will process is detailed in Appendix 1 and the scope for processing may not be changed without express written instruction by the Data Controller.

11. Data Subjects Privacy and Confidentiality

11.1 The Human Rights Act 1998, the Data Protection Legislation and common law duty of confidence impose obligations on users of personal information. The parties will ensure that the security and confidentiality of these data are safeguarded and there is no unlawful disclosure.

11.2 All Data subjects have the right to expect that information disclosed by them, or by other parties about them, will be treated with confidentiality according to the common law duty of confidence.

11.3 Information given or received in confidence for one purpose may not be used for a different purpose, or passed on to anyone else, without the direction of the Data Controller.

11.4 All Confidential Information disclosed by the disclosing party shall be treated by the receiving party as secret and confidential and the receiving party shall not disclose any of the Confidential Information to any person other than its directors or employees who strictly need to know the same for the purpose of complying with this DPA.

11.5 The receiving party shall:

11.5.1 only use the Confidential Information for the purpose of complying with this Agreement and not for any other purpose;

11.5.2 take at least the same care in protecting the Confidential Information as it takes in protecting its own confidential information and in any event not less than that which would reasonably be expected to be taken by a skilled and experienced operator engaged in the same type of undertaking in protecting its own confidential information;

11.5.3 only make such copies of the Confidential Information as are reasonably required for the purpose of complying with this Agreement and shall keep the Confidential Information and such copies secure and in such a way so as to prevent unauthorised access by any third party;

11.5.4 inform the disclosing party immediately if it becomes aware, or reasonably suspects, that Confidential Information has been disclosed to any unauthorised third party; and

11.5.5 impose upon its directors and employees to whom Confidential Information is to be made available obligations of confidentiality substantially equivalent to those contained in this Agreement.

11.6 Any party may disclose information which would otherwise be confidential if and to the extent:

11.6.1 it is required to do so by law or any regulatory or governmental body to which it is subject wherever situated;

11.6.2 the information has come into the public domain through no fault of that party; or

11.6.3 each party to whom it relates has given its consent in writing.

12. Data Subjects' Awareness

12.1 The Data Controller informs the data subjects about the processing carried out by the Data Processor on behalf of the Data Controller.

12.2 The Data Processor must ensure Data Subjects are aware of their rights with respect to the Data Protection Legislation. The Privacy Notice should explain how Data Subjects can make a Data Subject Rights Request.

13. Audit

13.1 The Processor shall comply with all requests from the Controller (and its auditors, and its and their internal or external representatives) to access and inspect the Processor's (and its Sub-Processors') premises, records and personnel relevant to any processing of the Controller Personal Data, in each case to enable the Controller to audit and verify that the Processor (and its Sub-Processors) is complying fully with its obligations under this Agreement and under the Data Protection Laws in relation to the Controller Personal Data.

13.2 The Processor shall provide such information, co-operation and assistance in relation to any request made by the Controller (or its auditors, or its or their representatives) under clause 13.1 as the Controller may reasonably require.

14. Co-operation and Assistance

14.1 The Processor shall promptly co-operate with the Controller, and promptly provide such information and assistance as the Controller may reasonably require, to enable the Controller to:

14.1.1 comply with the Controller's obligations under the Data Protection Laws (including Articles 32-36 of UK GDPR and/or EU GDPR, as applicable) in respect of the Controller Personal Data; and

14.1.2 deal with and respond to all investigations and requests for information relating to the Controller Personal Data from any DP Regulator.

14.2 If the Processor receives any complaint, notice or communication from a DP Regulator or other third party (excluding a Data Subject Request) which relates directly or indirectly to the Controller Personal Data or to either party's compliance with the Data Protection Laws, it shall notify the Controller as soon as reasonably practicable.

14.3 Where any provision of this Agreement places an obligation on the Processor, that obligation shall be construed as an obligation on the Processor to procure that all its Sub-Processors, and its own and its Sub-Processors' personnel, comply with such obligation.

15. Compliance with the Data Protection Legislation

15.1 Each party will process the Personal Data in accordance with the principles of data protection legislation. The Data Processor will ensure that its policies, procedures and ways of working robustly uphold the Data Protection Legislation.

15.2 Following termination or contract end the Data Processor will forward or redirect any requests in relation to user data rights to the Data Controller for a period of up to 6 months.

16. Processing and Information Security

16.1 The Data Processor must at all times ensure that appropriate technical and organisational measures are in place as referred to in Article 32(1) of the UK GDPR and/or EU GDPR (as applicable), to protect against unauthorised or unlawful processing of Personal Data, and against accidental loss, disclosure, or destruction of or damage to Personal Data.

16.2 The Data Processor must have in place the appropriate level of security commensurate with the sensitivity and classification of the information to be processed, including:

16.2.1 the pseudonymisation and encryption of Personal Data;

16.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

16.2.3 the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

16.2.4 a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

16.3 The Data Processor must ensure that system-specific policies and mechanisms are in place to address access levels, physical security of information, security awareness and training, security management, systems development and data transfer and transport.

16.4 Where a Security Issue arises, the Processor shall:

16.4.1 as soon as reasonably practicable, provide the Controller with full details of the Security Issue, the actual or expected consequences of it, and the measures taken or proposed to be taken to address or mitigate it;

16.4.2 co-operate with the Controller, and provide the Controller with all reasonable assistance in relation to the Security Issue; and

16.4.3 unless required by applicable law, not make any notifications to a DP Regulator or any data subjects about the Security Issue without the Controller's prior written consent (not to be unreasonably withheld or delayed).

17. Data Retention and Destruction

17.1 On expiry or termination of this DPA (the "Cessation Date"), the Data Processor will promptly, and in any event within 7 calendar months of the Cessation Date, ensure that all relevant data is transferred to the Data Controller and removed from any independent MIS systems or paper filing systems managed by the Data Processor.

17.2 Any further data which the Data Controller does not request to be returned shall be deleted at the end of the processing arrangement unless the law requires it to be retained, in accordance with Article 28(3)(g) of the UK GDPR and/or EU GDPR. The Data Processor shall notify the Data Controller of the completion of the destruction of the data.

17.3 The Data Processor will provide assurance that systems and processes are in place to securely and robustly destroy personal identifiable information to ensure that it is not recoverable by any means.

18. Business Processes and Procedures

18.1 Use of data subject personal information for marketing purposes:

18.1.1 The Data Processor may not use data subject personal information obtained as a result of this DPA, for any purposes outside of the contract, unless such use has been directed by the Data Controller.

18.2 Recording of disclosure decisions:

18.2.1 The Data Processor will promptly (and in any event within 24 hours) notify the Data Controller of requests for disclosure. The Data Controller will decide whether information will be disclosed by the Data Processor. In the event that the Data Processor is permitted by the Data Controller to disclose information, every request for disclosure, whether fulfilled or not, must be fully recorded and clearly referenced to the evidence and information on which the decision to share or not share was based, and to the lawful basis on which the disclosure relied.

18.3 Access to Management Information System (MIS):

18.3.1 The Data Processor will ensure that those members of its workforce who require access to the Data Controller's MIS systems as part of this DPA complete appropriate training.

19. Sharing of Information with Third Parties

19.1 The Data Controller retains ownership of the information. The Data Processor must not disclose it to any third party without the express agreement of the Data Controller.

19.2 The Data Processor shall process the Personal Data only on documented instructions from the Data Controller, unless required to do so by Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

20. Subcontracting Data Processing

20.1 The Data Processor shall not engage a sub-processor without notifying the Data Controller. The Data Processor shall inform the Data Controller of any changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes.

20.2 Where the Data Processor is authorised by the Data Controller to engage a sub-processor to carry out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this contract or other legal act between the Data Controller and the Data Processor shall be imposed on the sub-processor by way of a contract or other legal act under Law between the Data Processor and that sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of data protection regulations.

20.3 Where the sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of the sub-processor's obligations.

20.4 The Controller authorises the Processor to use Sub-processors as outlined in Appendix 1.

20.5 The authorisation from 20.1 only applies where:

20.5.1 The Processor can demonstrate they have conducted due diligence on the Sub-processor in the last 12 months.

20.5.2 There is a legally binding and enforceable agreement in place between the Processor and Sub-processor that reflects the terms of this Agreement.

20.5.3 The Sub-processor is Processing Controller's Personal Data only for the purposes of the Service Contract.

21. Cross-Border Transfers

21.1 The Processor shall not process the Controller Personal Data, or otherwise transfer or access the Controller Personal Data, outside of the permitted region without the express prior written consent of the Controller.

21.2 The Controller's consent under clause 21.1 shall be conditional upon the Processor ensuring there is adequate protection and appropriate safeguards for such Controller Personal Data in accordance with applicable Data Protection Laws when it is transferred or accessed outside of the permitted region. Such adequate protection and appropriate safeguards may include the completion of a transfer risk assessment and the application of further safeguards such as the UK addendum, IDTAs, EU SCCs or the UK International Data Transfer Agreement.

21.3 If the Controller authorises the Processor to transfer the Controller Personal Data outside the permitted region pursuant to clause 21.2 and either (a) the means by which adequate protection for the transfer is achieved ceases to be valid, or (b) any DP Regulator (or other supervisory or regulatory authority) requires transfers of Personal Data pursuant to such UK addendum, EU SCCs or IDTA to be suspended, then the Controller may (at its discretion) require the Processor immediately to cease transfers of Personal Data and delete or return all Personal Data previously transferred.

22. Data Quality Assurance

22.1 The Data Controller is responsible for the quality of Personal Data it obtains, records, holds, uses and shares. The Data Processor will have appropriate procedures in place for monitoring and ensuring adequate standards in processing Personal Data in accordance with the terms of this DPA.

22.2 Where information is shared between the Data Controller and Data Processor, both parties receiving the shared information are responsible for applying relevant data quality checks before using the information.

22.3 If information is found to be inaccurate, the party discovering the inaccuracy must notify the Designated Officer of the party sharing the information. The Designated Officer will ensure that the source data is corrected and will notify all recipients, who will be responsible for updating the information.

22.4 The Data Processor must make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and/or EU GDPR (as applicable) and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The Data Processor must promptly remedy any deficiencies identified by such audit.

23. Workforce Requirements

23.1 The conditions, obligations and requirements set out in this DPA will apply to all appropriate staff, agency workers, consultants, volunteers and contractors working within or on behalf of the Data Processor.

23.2 The Data Processor must ensure that confidentiality is underpinned by appropriate policies, protocols and guidance which highlight the implications and possible consequences of unauthorised or inappropriate disclosure of personal information.

23.3 The Data Processor must ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

23.4 The Data Processor must ensure that all relevant staff receive training, advice and ongoing support in order to understand the implications of and implement this DPA and where appropriate or necessary, the underpinning legislation for information sharing, common law duties, appropriate codes of practices and other organisational information governance guidance.

24. Concerns or Complaints

24.1 Any concerns or complaints received from Data Subjects relating to the processing of their personal information and any concerns or complaints from practitioners relating to the implementation of this DPA, must be dealt with promptly in accordance with the internal complaints procedure of the Data Controller.

24.2 Should the Data Processor receive a complaint, this must be notified to the Data Controller via the Designated Officer within 24 hours.

25. Non-Compliance and Breaches of Security

25.1 Instances of internal non-compliance, security breaches (either potential or confirmed) and Personal Data Breaches (either potential or confirmed) relating to information within scope of this DPA must be logged and reported to the Data Controller's relevant Designated Officer within 24 hours. They should be dealt with promptly in accordance with the Data Controller's information governance or operational policies and procedures. The Data Processor will not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Data Controller's written consent, except when required to do so by domestic or EU law.

25.2 Where the Data Processor becomes aware of an instance set out in clause 25.1 above, it will, without undue delay, also provide to the Data Controller the following written information:

25.2.1 description of the nature of the instance, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

25.2.2 the likely consequences; and

25.2.3 a description of the measures taken or proposed to be taken to address the instances, including measures to mitigate its possible adverse effects.

25.3 In the case of a Personal Data Breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after the Data Processor having become aware of it, notify the Personal Data Breach to the supervisory authority (ICO or equivalent e.g. the DPC in Ireland), unless the Personal Data Breach is unlikely to result in a risk to the rights and freedoms of natural persons.

25.4 The Data Processor must comply with any investigation instigated by the Data Controller in relation to the potential or confirmed non-compliance or breach, at no additional cost to the Data Controller, including but not limited to:

25.4.1 assisting with any investigation;

25.4.2 providing the Data Controller with physical access to any facilities and operations affected;

25.4.3 facilitating interviews with the Data Processor's employees, former employees and others involved in the matter including, but not limited to, its officers and directors;

25.4.4 making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Data Controller; and

25.4.5 taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

25.5 Incidents relating to information shared as a result of this DPA that should be logged and reported include, but are not restricted to:

25.5.1 inappropriate, unauthorised or unlawful disclosure

25.5.2 inappropriate or unauthorised access

25.5.3 theft, loss or damage to information or other breaches of security

25.5.4 loss of access to Personal Data (for example, failure of a data management system)

25.6 Without prejudice to Articles 82, 83 and 84 of the UK GDPR and/or EU GDPR (as applicable), if the Data Processor infringes the UK GDPR and/or EU GDPR (as applicable) by determining the purposes and means of processing, the Data Processor shall be considered to be a controller in respect of that processing (see Article 28(10)).

25.7 The Data Processor shall be liable for the damage caused by processing only where it has not complied with the obligations of the UK GDPR and/or EU GDPR (as applicable) specifically directed to processors, or where it has acted outside or contrary to the lawful instructions of the Data Controller.

25.8 The Data Processor will reimburse the Data Controller for the actual reasonable expenses that the Data Controller incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach, to the extent that the Data Processor caused that incident, including all costs of notice and any remedy provided to a Data Subject.

26. The Rights of the Data Subject

26.1 The Data Processor shall assist and fully co-operate with the Data Controller to enable the Data Controller to comply with its obligations including in relation to the security of processing, Data Subject Rights Requests, reporting Personal Data Breaches to the supervisory authority (ICO or equivalent e.g. the DPC in Ireland) and conducting data privacy impact assessments (DPIAs).

26.2 The Data Processor shall notify the Data Controller within 24 hours if it receives a request from a Data Subject to exercise its rights under Data Protection Legislation or any communication from a Data Subject, the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this DPA.

26.3 The Data Processor shall ensure that it does not respond to Data Subject requests except when authorised by the Data Controller.

27. Effective Dates and Termination of the Agreement

27.1 This DPA comes into force and is effective from the date specified in Appendix 1.

27.2 The term of this DPA is specified in Appendix 1. At the end of the term the DPA shall terminate unless the parties agree in writing that it is extended or renewed (and the period of such extension or renewal).

27.3 Any provision of this DPA that expressly or by implication should continue in force after termination of the DPA in order to protect the Personal Data will remain in full force and effect.

27.4 The Data Processor's failure to comply with the terms of this DPA is a material breach of this agreement. In such an event, the Data Controller may terminate this DPA effective immediately on written notice to the Data Processor without further liability or obligation of the Data Controller.

27.5 Each party may terminate this Agreement at any time with immediate effect upon written notice to the other if:

27.5.1 the other commits a material or persistent breach of this Agreement which, if capable of remedy, has not been remedied within seven (7) days of written notice to do so; or

27.5.2 the other enters into voluntary or involuntary liquidation (excluding any re-organisation or amalgamation), or enters into, or resolves to enter into, an arrangement, composition or compromise with, or assignment for, the benefit of its creditors generally, or any class of creditors or proceedings are commenced to sanction such an arrangement, composition or compromise; an order is made or a resolution is passed for the winding up or dissolution of the other party; or a provisional liquidator or similar officer is appointed in respect of the whole or any part of the assets or undertaking of the other party; or

27.5.3 the other ceases or threatens to cease to carry on business.

27.6 Upon any termination or expiration of the Agreement:

27.6.1 the provisions of clause 17 shall apply;

27.6.2 the parties' respective obligations under the Agreement shall cease immediately; however,

27.6.3 the termination of this Agreement for whatever cause shall not prejudice or affect the rights of either party in respect of any breach of this Agreement or any provision herein which is expressly or by implication to survive such termination.

28. General Terms

28.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain.

28.2 All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email.

29. Governing Law and Jurisdiction

29.1 This DPA and any dispute or claim (whether contractual or non-contractual) arising out of or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales if the Data Controller is based in the United Kingdom or in accordance with the law of Ireland if the Data Controller is based in Ireland.

29.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (whether contractual or non-contractual) arising out of or in connection with this DPA, its subject matter or formation if the Data Controller is based in the United Kingdom, or the courts of Ireland if the Data Controller is based in Ireland.

30. Variation

30.1 No purported variation of this DPA shall be valid unless it is in writing and signed by or on behalf of each party.

Appendix 1 – List of Parties, Description of Processing and Transfer of Personal Data

A) List of Parties

The Controller: the Client
Address: As set out for the Client in the Agreement.
Contact person's name, position and contact details: As provided by the Client in its account and used for notification and invoicing purposes.
Signature and date: By entering into the Agreement, the Controller is deemed to have agreed to this Data Processing Agreement.
Role: Data Exporter
Name of Representative (if applicable):

The Processor: Bridgit Technologies Ltd
ICO Registration Number: ZA768618
Address: 97 Charlotte Street, London, W1T 4QA, United Kingdom
Contact person's name, position and contact details: Sean Donnelly, Bridgit CEO; hibridgit.com
Signature and date: By entering into the Agreement, the Processor is deemed to have agreed to this Data Processing Agreement.
Role: Data Importer

B) Description of Processing and Transfers

Subject-matter, nature and necessity of the processing: Bridgit is an integration hub purpose-built for charities. It automatically ingests data from the platforms that the Client uses regularly; in many cases this means once per day. The data is consolidated inside Bridgit so that the Client can configure Bridgit to automatically upload such data to other platforms such as their CRM.
Categories of Data Subject: The Controller's donors and supporters
Categories of Personal Data: The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller. The Personal Data includes but is not limited to:
  • Name
  • Email
  • Address
  • Payment history
  • General contacts
  • Web email communication data
  • Social interactions
Special category data: N/A
Frequency of the processing and transfer: Continuous basis for the duration of the Agreement.
Purpose(s) of the data transfer and further processing: Personal Data is transferred to sub-processors who need to process some of the Personal Data in order to provide their services to the Processor as part of the Services provided by the Processor to the Controller. The Sub-processor list in Appendix 2 sets out the Personal Data processed by each Sub-processor and the services provided by each Sub-processor.
Duration of the processing: Established by the Agreement
Period for which the Personal Data will be retained: Unless agreed otherwise in writing, for the duration of the Agreement

Appendix 2 – Subprocessor List

Company / Name: Okta, Inc., trading as Auth0
Contact of data protection officer: (see address below)
Address: ATTN: Okta Data Protection Officer (Okta Privacy Team)
20 Farringdon Road
EC1M 3HE
United Kingdom
Description of the service: Authentication service for users (charity staff accounts)
Transferred data: Charity employee email address
Purpose of the transfer: To deliver the Bridgit service
Company / Name: Sleekplan
Contact of data protection officer: privacy@sleekplan.com
Address: Georgenstrasse 66
80799 Munich (München)
Germany
Description of the service: Sleekplan is a software feedback tool which allows users to suggest and upvote features, take screenshots and upload feedback, and generally annotate the product. In the case of Bridgit, users (e.g. a Fundraising Manager) can interact with Sleekplan to provide feedback on the platform.
Transferred data: (Optional) A user (charity staff) can submit their name and email address when providing feedback, or they can send it anonymously.

Supporter data is not deliberately transferred through Sleekplan, but it is possible, for example if a user screenshots an area of the platform in which a supporter's personal data is visible, such as a supporter's profile page.
Purpose of the transfer:
1. To provide customer support;
2. To gather analysis or valuable information so that we can improve our Service;
3. To detect, prevent and address technical issues
Company / Name: Stripe
Contact of data protection officer: dpo@stripe.com
Address: Stripe Payments UK, Ltd.
7th Floor, The Bower Warehouse
211 Old Street
London EC1V 9NR
Description of the service: Payment processing for charities to pay for their Bridgit subscription
Transferred data: Charity employee email address and name
Purpose of the transfer: To fulfil the service
Company / Name: Google Cloud Platform
Contact of data protection officer: Kristie Chon Flynn (via contact form)
Address: Google LLC
Attn: Data Protection
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States of America
Main phone: +1 650 253 0000
Fax: +1 650 618 1806
Email: data-access-requests@google.com
Description of the service: Cloud hosting of the Bridgit platform, and monitoring for logging and error tracking.
Transferred data: All platform data is hosted on Google Cloud Platform (GCP) servers
Purpose of the transfer: To fulfil the service

Appendix 3 – Technical and Organisational Security Measures

Below is a description of the technical and organisational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Solution Architecture: Bridgit is built using Microsoft Azure cloud technologies, which encompass data fetching, data manipulation, security, governance, performance, monitoring, hosting, storage and business intelligence. Services used include but are not limited to Azure Databricks, Azure Data Factory, Delta Lake, Azure Purview, Azure DevOps, Azure Key Vault, Azure Active Directory, Azure Monitor and Azure Cost Management.

Data from third-party platforms is securely accessed via OAuth2, Basic Auth and Robotic Process Automation techniques. It is brought into the VPC (Virtual Private Cloud) where all further operations are securely operated and monitored via strict networking protocols within Azure.

Charity clients log in via a client portal built with NextJS and Auth0 for client authentication. The web app securely links to the data storage with a REST API.

The application is hosted within a VNET network configuration, preventing access from outside the Azure environment except through explicitly enabled routes, which are documented and reviewed regularly. This is best practice as recommended by Microsoft.
Organisation and Personnel: Access to the administration layer of the Bridgit platform is restricted to named employees, accessing the technology using Multi-Factor Authentication. This access is restricted to only the internal, technical resources responsible for the development and maintenance of the solution.
Encryption: Azure Storage Accounts and Azure SQL utilise encryption at rest using AES-256.

Any usernames and passwords for third-party integrations are stored in an encrypted form too. This means that no Bridgit staff can see or access platform credentials.

All data in transit is encrypted to a minimum of AES-256. Where data is transmitted over the internet, the connection must be secured by HTTPS with a suitable certificate.
Software and Development: 'Privacy by Design' is built into the Bridgit infrastructure so that only data that is absolutely necessary is processed and retained.

Production-like controls are applied across all non-Production environments. Development is conducted on test datasets and test logins wherever possible.
Antivirus and Malware: All Bridgit employee devices are required to have up-to-date antivirus and malware detection software installed.
Backup: Azure backups are stored in an encrypted state and retained for 72 hours.
Compliance Standards and Certifications: Bridgit is registered with the UK Information Commissioner's Office (registration number ZA768618) and follows compliance standards written in accordance with ICO guidelines on data protection and privacy, data breaches and information security.

Bridgit is working towards Cyber Essentials certification, to meet standards set by the UK National Cyber Security Centre.
Penetration Testing: Bridgit is in consultation with third-party providers for Penetration Testing services.