Data Processing Agreement
The terms set out in this Data Processing Agreement apply in addition to the Main Agreement.
1.1 The following definitions apply in addition to the terms of the Main Agreement:
Data Protection Legislation: means (i) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) unless and until the GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary laws as amended or updated from time to time in the UK including the Data Protection Act 2018 (the “DPA”); (ii) the UK GDPR; (iii) any successor legislation to GDPR, the DPA and the UK GDPR; and (iv) any other directly applicable regulation relating to data protection and privacy;
Licensee: the client whose details are set out in the Main Agreement;
Main Agreement: the agreement entered into between Software2 and the Licensee for the provision of services by Software2 to the Licensee;
Purpose: the provision of services by Software2 pursuant to the Main Agreement;
SCCs means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller to processors transfers), as updated from time to time;
Software2: Software2 Limited (company number: 07018761) whose registered office is at The Foresters Arms, 35 Kirkgate Sherburn in Elmet, Leeds, LS25 6BH; and
UK GDPR: after 31 December 2020, the retained EU law version of GDPR as it forms part of the law of England and Wales, by virtue of the European (Withdrawal) Act 2018, as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended from time to time.
2. Data Protection
2.1 This Data Processing Agreement sets out the additional terms, requirements and conditions on which Software2 will process Personal Data on behalf of the Licensee when providing services under the Main Agreement.
2.2 Each party shall comply with the applicable requirements of the Data Protection Legislation. This paragraph 2 is in addition to and does not replace a party’s obligations under the Data Protection Legislation. The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing” have the meanings prescribed in the Data Protection Legislation.
2.3 For the purposes of the Data Protection Legislation, the Licensee is the Controller and Software2 is the Processor. The Commercial Terms of the Main Agreement set out the subject matter, nature and purpose of Processing by Software2, the types of Personal Data, categories of Data Subject and the obligations and rights of the Licensee as Controller.
2.4 Software2 shall:
- 2.4.1 Process Personal Data only on written instructions of the Licensee and only to the extent required to fulfil the Purpose. If Software2 is required by any applicable laws to process Personal Data it shall, to the extent legally permitted, notify the Licensee before doing so;
- 2.4.2 have in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of, accidental loss or destruction of or damage to Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected. Software2 shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of security measures;
- 2.4.3 not engage another processor without prior general written authorisation from the Licensee and without ensuring that the same data protection obligations as set out in this Data Processing Agreement are imposed in a written contract on that other processor and Software2 shall remain fully liable to the Licensee for performance of the other processor’s obligations to the extent the other processor fails to fulfil their data protection obligations. For the purposes of this clause 2.4.3, clause 2.5 constitutes prior general written authorisation from the Licensee;
- 2.4.4 ensure that persons who have access to or process Personal Data keep the Personal Data confidential (either under contractual or statutory obligations);
- 2.4.5 ensure that any transfer of Personal Data outside of the European Economic Area takes place only on documented instructions of the Licensee and that the organisations to which Personal Data is transferred ensure an adequate level of protection. For the purposes of this clause 2.4.5, clause 2.6 constitutes documented instructions of the Licensee;
- 2.4.6 assist the Licensee to respond to any request from a Data Subject;
- 2.4.7 notify the Licensee without undue delay if it receives a request from a Data Subject to exercise any of their rights under the Data Protection Legislation;
- 2.4.8 notify the Licensee without undue delay if it becomes aware of any accidental, unauthorised or unlawful processing of the Personal Data or a Personal Data Breach including the following information: (i) description of the nature of the accidental, unauthorised or unlawful processing and/or Personal Data Breach; (ii) the likely consequences; and (iii) a description of the measures taken or proposed to be taken to address the accidental, unauthorised or unlawful processing and/or Personal Data Breach together with measures to mitigate possible adverse effects;
- 2.4.9 following the occurrence of an event described in clause 2.4.8 above, cooperate with the Licensee;
- 2.4.10 not inform any third party of any Personal Data Breach without first obtaining the Licensee’s prior written consent, except when required to do so by law;
- 2.4.11 taking into account the nature of Software2’s processing and the information available to Software2, provide reasonable assistance to the Licensee in complying with its obligations pursuant to Articles 32 to 36 of GDPR including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation;
- 2.4.12 at the written direction of the Licensee, delete or return Personal Data to the Licensee on termination of the Main Agreement unless Software2 is required by law to store the Personal Data;
- 2.4.13 maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for one audit per year by the Licensee or the Licensee’s designated auditor (at the Licensee’s cost), provided that the Licensee shall provide reasonable notice of any audit it wishes to carry out; and
- 2.4.14 immediately inform the Licensee if, in its opinion, an instruction from the Licensee infringes the Data Protection Legislation and shall promptly notify the Licensee of any changes to Data Protection Legislation that may adversely affect Software2’s performance of the Main Agreement.
2.5 For the purposes of clause 2.4.3, the Licensee consents to Software2 appointing the sub-processors set out at www.software2.com/data-security-and-eu-data-protection/sub-processors. This clause 2.5 constitutes general written authorisation from the Licensee for the purposes of clause 2.4.3.
2.6 Notwithstanding clause 2.4.5, Software2 may need to transfer Personal Data outside of the European Economic Area to Software2 Americas, Inc. This clause 2.6 constitutes documented instructions from the Licensee for the purposes of clause 2.4.5.
2.7 Software2 agrees that the Licensee has the sole right to determine:
- 2.7.1 whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Licensee’s discretion, including the contents and delivery method of the notice; and
- 2.7.2 whether to offer any type of remedy to affected Data Subjects including the nature and extent of such remedy.
2.8 If any Personal Data transfer between Software2 and the Licensee requires execution of SCCs in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the SCCs and take all other actions required to legitimise the transfer.