DATAPRO DATA PROCESSING AGREEMENT (DPA)
Last updated: August 23, 2024
Background
Customer and DataPro have entered into, and may enter into, Agreements for the supply of Services. Any capitalised terms not otherwise defined in this DPA shall have the meaning ascribed to that term in the DataPro Terms and Conditions for the Provision of Services (Terms).
DataPro will be required to process Customer Personal Data on behalf of Customer and/or its Affiliates in connection with Agreements.
This DPA sets out the additional terms on which DataPro will process Customer Personal Data when providing Services under or in connection with an Agreement.
The terms set out in this DPA will apply to the extent Data Protection Legislation requires Customer to include equivalent terms in agreements with its processors.
1. Interpretation. The definitions and rules of interpretation in this clause apply in this DPA. Any capitalised terms not otherwise defined herein shall have the meaning ascribed to that term in the Terms.
Adequate Transfer Mechanism: the transfer of Customer Personal Data to a recipient that (a) is located in a country in relation to which an Adequacy Decision has been adopted by the European Commission or by HM Government in the UK (as appropriate); (b) is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities as providing an adequate level of protection for Customer Personal Data; (c) has obtained processor binding corporate rules authorisation in accordance with Data Protection Legislation; (d) has executed the Standard Contractual Clauses (as appropriate); or (e) is located in the United States and participates in the EU-US Data Privacy Framework, in relation to which the European Commission adopted its adequacy decision on 10 July 2023.
"Controller", "Processor", "Data Subject", "Personal Data", "personal data breach", "processing" and "supervisory authority" shall have the meanings attributed to them in the Data Protection Legislation.
Data Protection Legislation: all data protection and privacy legislation in force from time to time, applicable to a party, governing the processing of Personal Data in the country or state in which that Personal Data is processed, including GDPR, UK GDPR, the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426), each as amended.
EU Standard Contractual Clauses or SCCs: Module Two (controller to processor) of the standard contractual clauses adopted by the European Commission for the transfer of Personal Data to third countries pursuant to GDPR, in the form annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, or the replacement clauses annexed to any subsequent European Commission decision, for use in relation to transfers from a processor located in the EU/EEA (or otherwise subject to the EU GDPR) to processors established outside the EU/EEA (and not subject to the EU GDPR).
Customer Personal Data: Personal Data that DataPro processes on behalf of Customer or its Affiliates, including Personal Data processed in, and in relation to, Profiles and Guidance.
Standard Contractual Clauses: as appropriate, (a) the EU Standard Contractual Clauses; or (b) the EU Standard Contractual Clauses as modified by the UK Addendum.
UK Addendum: the international data transfer addendum issued by the UK Information Commissioner under s.119A of the Data Protection Act 2018, as in force from time to time, which is intended to be used in conjunction with the EU Standard Contractual Clauses for the transfer of Personal Data to third countries in compliance with the Data Protection Legislation applicable in the UK.
UK GDPR: the retained version of the EU General Data Protection Regulation ((EU) 2016/679) in the UK, as defined in s.3(10) of the Data Protection Act 2018 and as supplemented by s.205(4). All references in this DPA to "GDPR" are to UK GDPR unless otherwise stated.
1.1. Words and expressions defined in the Terms shall have the same meaning in this DPA.
1.2. Clause, schedule and paragraph headings shall not affect the interpretation of this DPA.
1.3. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).
1.4. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.
1.6. A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this DPA and shall include all subordinate legislation made as at the date of this DPA under that statute or statutory provision.
2. Basis of Processing
2.1. If DataPro processes Customer Personal Data under an Agreement, for the purposes of the relevant Data Protection Legislation, Customer is the Controller of Customer Personal Data and DataPro is the Processor of Customer Personal Data.
2.2. Customer alone will exercise all rights under this DPA on its own behalf and on behalf of Customer Affiliates.
2.3. The subject matter, duration, nature and purpose of processing, the types of Customer Personal Data and the categories of Data Subjects processed under this DPA are set out in Schedule 1 to this DPA.
3. Instructions
3.1. DataPro will process Customer Personal Data for the purpose of and for the duration as is necessary to perform its obligations under an Agreement, or otherwise in accordance with Customer’s written instructions. Such instructions will be reasonable, given in good faith and consistent with DataPro’s obligations under an Agreement.
3.2. DataPro may also process Customer Personal Data if required to do so by applicable law. DataPro will inform Customer of any such legal requirement before processing unless the law prohibits it from doing so.
4. Compliance with Data Protection Legislation
4.1. Each party will comply with the Data Protection Legislation applicable to it.
4.2. DataPro will notify Customer prior to carrying out any instruction from Customer that DataPro is aware would result in a breach of Data Protection Legislation.
4.3. The additional safeguards in Schedule 2 will apply.
5. Technical Requirements
5.1. Taking into account the state of technical development and the nature of processing, DataPro shall implement and maintain appropriate technical and organisational measures designed to meet the requirements of Data Protection Legislation.
5.2. Customer will determine whether the technical and organisational measures provided by the Services enable Customer to meet Customer’s obligations under the Data Protection Legislation.
5.3. Customer is solely responsible for ensuring the secure use of the Services by its Users.
6. Sub-processing
6.1. DataPro will provide Customer with a list of its then current sub-processors on request. Sub-processors may be outside the UK or EEA.
6.2. DataPro has Customer’s general authorisation under this DPA to appoint sub-processors and authorise them to process Customer Personal Data to the extent necessary for DataPro to provide Services. DataPro shall only allow processing of Customer Personal Data using a sub-processor if:
6.2.1. DataPro has appointed that sub-processor under a written agreement containing, in substance, the same data protection obligations as this DPA;
6.2.2. DataPro is responsible for each sub-processor’s compliance with DataPro obligations under this DPA;
6.2.3. the conditions of paragraph 8 (International transfers) below have been met whenever Customer Personal Data is transferred from the EEA or the UK to any country outside the EEA or the UK.
6.3. DataPro will notify Customer of any proposed changes to its sub-processors. Acting reasonably and in good faith, Customer may object to such changes on data protection grounds within 10 days of DataPro’s notification to Customer. If no objection is received within such 10 day period, Customer will be deemed to have no objections. If Customer does notify DataPro of such reasonable objections, the parties will discuss Customer’s concerns in good faith with a view to achieving a commercially reasonable resolution within a reasonable period of time, but in any event within 30 days of Customer being informed of the proposed new sub-processor. DataPro may suspend the provision of the Services pending such resolution and may appoint such new sub-processor. If DataPro is unable to resolve the objection to Customer’s reasonable satisfaction within this timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement or, at its option, the affected Services, immediately on notice given within such 30 day period.
7. DataPro Personnel
7.1. DataPro shall ensure that those of its personnel who are engaged or involved in the processing of Customer Personal Data to provide the Services:
7.1.1. are informed of the confidential nature of Customer Personal Data and are subject to a binding written contractual obligation to keep Customer Personal Data confidential;
7.1.2. are aware of, and have adequate training and instruction to allow them to comply with, DataPro's duties and their personal duties and obligations under the Data Protection Legislation and this DPA; and
7.1.3. only have access to such part or parts of Customer Personal Data as is strictly necessary for the performance of that person's duties.
8. International transfers
8.1. DataPro shall not transfer any Customer Personal Data to a country outside the EEA or UK (as applicable) unless an Adequate Transfer Mechanism is in place and DataPro has taken all other actions required by the Data Protection Legislation to legitimise the transfer.
9. Personal Data Breach
9.1. DataPro shall, without undue delay, inform Customer if DataPro becomes aware that any Customer Personal Data has been subject to a personal data breach.
9.2. DataPro shall make reasonable efforts to identify the cause of any personal data breach and take those steps as DataPro deems necessary and reasonable in order to remediate the cause of any personal data breach to the extent remediation is within DataPro’s reasonable control. DataPro will keep Customer informed of such cause and the steps it is taking.
10. Audits
10.1. DataPro shall on request, in accordance with the Data Protection Legislation, make available to Customer such information as it has and allow and contribute to audits in each case as is necessary to demonstrate DataPro’s compliance with the provisions of this DPA and with the applicable Data Protection Legislation.
10.2. Any audit shall be performed (i) following a personal data breach or a request from a supervisory authority; or (ii) otherwise no more than once per calendar year and with at least 60 days' prior written notice; and in either case at Customer's own cost and expense. Audits will be carried out on a remote or desktop basis unless it is not possible to do so. Customer will not unreasonably interfere with DataPro's day-to-day business activities and shall comply with DataPro's reasonable security requirements. Customer will conduct audits as efficiently as possible. DataPro will respond to audit enquiries as efficiently as possible and will not be required to spend more than one (1) business day doing so.
10.3. Save as may be required by Data Protection Legislation, DataPro shall not be under an obligation to provide audit access to commercially sensitive information.
10.4. Audit results may not be disclosed by Customer other than to its Permitted Recipients to the extent required by the Data Protection Legislation.
11. Assistance
11.1. DataPro shall:
11.1.1. without undue delay, provide such reasonable information and assistance as Customer may require in relation to the fulfilment of Customer's obligations to respond to requests for exercising Data Subjects' rights under the Data Protection Legislation; and
11.1.2. provide such information, co-operation and other assistance to Customer as Customer reasonably requires (taking into account the nature of processing and the information available to DataPro) to ensure compliance with Customer's obligations as Controller under Data Protection Legislation, including with respect to: (a) security of processing; (b) data protection impact assessments; (c) prior consultation with a supervisory authority regarding high-risk processing; and (d) any remedial action and/or notifications to be taken in response to any personal data breach and/or any complaint or request relating to either party's obligations under Data Protection Legislation relevant to this DPA, including (subject in each case to Customer's prior written authorisation) any notification of the personal data breach to supervisory authorities and/or communication to any affected Data Subjects.
11.2. DataPro may (acting reasonably) charge Customer at its standard professional services rates for any support, co-operation or assistance it provides under this DPA that cannot be provided within the scope of the Services. This paragraph shall not apply in relation to any support, co-operation or assistance (a) that is a direct legal obligation of DataPro under the Data Protection Legislation; or (b) that is required due to a breach of DataPro's obligations under this DPA or the Standard Contractual Clauses.
12. Deletion/return
12.1. Following termination of an Agreement, DataPro may securely dispose of Customer Personal Data unless, within 30 days of termination, Customer requests that DataPro return Customer Personal Data at Customer's cost. DataPro shall use reasonable commercial efforts to deliver to Customer a copy of the then most recent back-up of Customer Personal Data within 30 days of receipt of such request. DataPro has the right to retain Customer Personal Data (a) when required by law; or (b) when securely isolated and protected on back-up systems and deleted in accordance with DataPro's standard deletion practices. DataPro may also keep one copy of Guidance for its internal risk management purposes for 6 years following the date of the Guidance. Retained Customer Confidential Information shall remain subject to clause 7 of the Terms and to this DPA.
13. DataPro as Controller
13.1. DataPro may process Personal Data of Service users as a Controller, including for the purposes of: (a) administering the Customer's account; (b) complying with law or regulation; (c) providing Authorised Users with information and support in connection with DataPro services; and (d) ensuring the security of the Services. Where DataPro acts as Controller, it shall do so in accordance with the Data Protection Legislation.
14. Customer obligations
14.1. Customer must obtain all consents or other legal justifications necessary for DataPro to process Customer Personal Data and to deliver the Services in accordance with an Agreement.
14.2. The Customer will ensure the Customer Personal Data:
14.2.1. contains the minimum information required for DataPro to provide the Services;
14.2.2. does not contain any special category or sensitive Personal Data (within the meaning of the Data Protection Legislation) other than as contained in Profiles.
14.3. If Customer receives any complaint, notice or communication which relates directly or indirectly to the Service, DataPro Data or to DataPro’s compliance with the Data Protection Legislation or other applicable laws, it shall without undue delay notify DataPro and provide reasonable cooperation and assistance in relation to any such complaint, notice or communication.
14.4. Customer will provide DataPro with reasonable co-operation and assistance in relation to any request made by any Data Subject identified in the Customer Data in relation to the DataPro Data.
15. Application of the Terms
15.1. The following provisions of the Terms shall apply equally to this DPA as if references in the Terms to "the agreement" or "this agreement" were references to this DPA: 1 (Definitions); 9 (Limitation of Liability), as between DataPro and Customer but not as between DataPro and Data Subjects; 11 (Force Majeure); 13 (General); and 14 (Notices).
Schedule 1 - Description of Transfer
To the extent necessary to provide Services, DataPro may have access to Customer Personal Data, which is processed by Customer as Controller and by DataPro as Processor on behalf of Customer.
Controller | Customer as identified in the Agreement |
Processor | The DataPro legal entity identified in the applicable Order |
Subject matter of processing (Customer Users) | The provision of the Services |
Subject matter of processing (Other parties) | The provision of the Services |
Duration of Processing | The term of the applicable Agreement |
Nature of Processing | The processing of Customer Personal Data in accordance with an Agreement, including collecting, recording, organising, structuring, copying, storing, adapting, retrieving, using, investigating, disclosing by transmitting, making available, combining and erasing, purely for the purpose of providing the Services |
Personal Data Categories (Customer Users) | Names, email addresses, IP addresses and phone numbers, and/or any other data made available to DataPro in connection with the provision of the Services |
Personal Data Categories (Other parties) | Identification details, contact details, location details, family details, lifestyle and social circumstances, financial details, media and other publicly sourced information, appearance on governmental and professional sanctions and watch lists, actual and alleged criminal offence information, political opinion (Politically Exposed Persons), and/or any other data made available to DataPro in connection with the provision of the Services or contained in Profiles |
Sensitive Personal Data (if revealed by public domain research sources) | Criminal offence information; political opinion (Politically Exposed Persons) |
Data Subject Types | Customer Users; actual or potential Profile Subjects, their associates and family members; other persons identified in Profiles |
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) | Continuous |
For transfers to (sub-)processors, the subject matter, nature and duration of the processing | Sub-processors may have access to Customer Personal Data to support the provision of Services for the duration of the Agreement |
Schedule 2 – Additional Safeguards
1. DataPro will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to Customer Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act ("FISA").
2. If DataPro becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Customer Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited from doing so or under a mandatory legal compulsion that requires otherwise:
(a) DataPro will notify Customer promptly after first becoming aware of such demand for access to Customer Personal Data and provide Customer with all relevant details of the same, unless and to the extent legally prohibited from doing so;
(b) DataPro shall inform the relevant government authority that DataPro is a processor of the Customer Personal Data and that Customer has not authorised DataPro to disclose the Customer Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Customer Personal Data should therefore be notified to or served upon Customer in writing; and
(c) DataPro will use commercially reasonable legal mechanisms to challenge any such demand for access to Customer Personal Data which is under DataPro's control. Notwithstanding the above, (i) Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access; and (ii) if, taking into account the nature, scope, context and purposes of the intended government authority access to Customer Personal Data, DataPro has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this paragraph (c) shall not apply. In such event, DataPro shall notify Customer as soon as possible following the access by the government authority and provide Customer with relevant details of the same, unless and to the extent legally prohibited from doing so.
3. Once in every 12-month period, DataPro will, at Customer's written request and to the extent permitted by applicable law, inform Customer of the types of binding legal demands for Personal Data it has received (solely to the extent such demands have been received), including national security orders and directives, which shall encompass any process issued under section 702 of FISA.