This Data Processing Agreement forms part of the Agreement. Any terms not defined below shall have the meaning given to them in the applicable Terms and Conditions.
Definitions
Business Purposes
the services described in the Agreement and any other purpose specifically identified in the Annex to this Data Processing Agreement;
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Process(ing)
have the meanings given in the Data Protection Legislation; and
IDHL
the entity within the IDHL group providing the Services under the Agreement.
1. Controller and Processor.
The parties agree and acknowledge that for the purpose of the Data Protection Legislation the Client is the Controller and IDHL is the Processor. The Client retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to IDHL.
2. Processing Purposes.
The Annex to this Data Processing Agreement describes the subject matter, duration, nature and purpose of the Processing and the Personal Data categories and Data Subject types in respect of which IDHL may Process the Personal Data to fulfil the Business Purposes.
3. Processor Obligations.
3.1 IDHL shall:
3.1.1 only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client's written instructions. IDHL will not Process the Personal Data for any other purpose or in a way that does not comply with this Data Processing Agreement or the Data Protection Legislation, unless required to do so by any applicable law (in which case it shall notify the Client of this to the extent legally permitted). IDHL must promptly notify the Client if, in its opinion, the Client's instructions do not comply with the Data Protection Legislation; and
3.1.2 reasonably assist the Client, at the Client’s expense, with meeting its compliance obligations under the Data Protection Legislation, taking into account the nature of IDHL’s Processing and the information available to it.
4. Security.
IDHL has appropriate technical and organisational measures in place against accidental, unauthorised or unlawful Processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
5. Records.
IDHL will maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement and shall make such records available to the Client on reasonable written request.
6. Audits.
IDHL will provide such reasonable assistance and information as required by the Client for any audits or inspections to be undertaken by or on behalf of the Client pursuant to the Data Protection Legislation. Any audits that are not related to a specific Personal Data Breach shall be limited to no more than once per twelve month period and the Client will provide IDHL with no less than 30 days written notice in advance of any audit and the parties shall agree in advance on any reasonable costs that will be incurred by IDHL as a result of facilitating such audit.
7. Personal Data Breaches.
In the event of a Personal Data Breach, IDHL shall notify the Client without undue delay after becoming aware of such breach and reasonably cooperate with the Client in the Client’s handling of the matter. The parties will co-ordinate with each other to investigate the matter.
8. Data Subject Rights.
IDHL shall notify the Client without undue delay if it receives a request from a Data Subject to exercise any of their rights under the Data Protection Legislation in relation to the Personal Data Processed by IDHL under the Agreement.
9. Subcontracting.
9.1. The Client provides general authorisation for IDHL to engage third parties (subcontractors) to Process the Personal Data. IDHL will maintain a list of such third parties, made available to the Client on written request. Where IDHL engages a third party Processor it shall ensure that the data protection obligations imposed on such Processor are set out in a written contract and shall be no less onerous than those set out in this Data Protection Agreement. IDHL shall remain fully liable to the Client for performance of the other Processor’s obligations.
9.2. IDHL shall inform the Client if it wishes to change its list of third party Processors through the addition or replacement of Processors at least 14 days in advance, thereby giving the Client the opportunity to object to the proposed change (such objection only to be made where the Client holds a genuine belief that the proposed Processor will be unable to comply with its obligations in the Data Protection Legislation and/or the provisions of the contract with IDHL as set out in clause 9.1).
10. Data Return and Destruction.
Unless required to retain Personal Data by any applicable law (in which case IDHL will notify the Client of the retention obligation to the extent legally permitted), on termination of the Agreement for any reason or expiry of its term, the Provider will securely delete or destroy (in accordance with its internal data retention policy) or, if directed in writing by the Client, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.
11. Transfers of Personal Data.
IDHL shall not transfer any Personal Data outside of the UK unless, in accordance with the Data Protection Legislation, it ensures that (i) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or (ii) there are appropriate safeguards in place for the transfer of Personal Data; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations applies to the transfer.
12. Notices.
Where notification is required of IDHL for any reason, the Client must email: DPO@idhl.co.uk.
Appendix
Personal Data Processing Purposes and Details
Subject Matter and Duration of Processing
Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Statement of Work.
Nature and Purpose of Processing
Digital growth services, which shall include data access, sharing and storage.
Personal Data Categories
Name
Age
Date of birth
Gender
Ethnicity
Opinions and Behaviours
Email Address
IP Address / Geolocation
Address
Job title
Cookie consents
Location data
Telephone number(s)
Voice/video recordings
Payment details and methods
Purchase history
Social media handles
Data Subjects
Client employees, website users, prospects and customers.