1. The parties
This DPA is entered into between ATEB IT Solutions Ltd, of Evolve Business Centre, Houghton le Spring, Durham, DH4 5QY (referred to as “ATEB”), and the Customer (referred to as the “Customer”) and is incorporated into and governed by the terms of the Agreement.
Where this DPA forms part of a 14 Day Free Trial Licence Agreement the term Customer shall also mean Company.
2. Definitions and interpretation
In this Data Processing Agreement (“DPA”), unless the context otherwise requires, the following terms shall have the meanings set out below:
- Agreement means the legal relationship existing between ATEB and the Customer;
- Customer Personal Data means the Personal Data that the Customer provides to ATEB for Processing via the Services under or in connection with the Agreement;
- Data Protection Laws means all applicable data protection and privacy legislation, regulations and binding codes of practice issued by any DP Regulator, including the Data Protection Act 2018 and from 25th May 2018 Regulation (EU) 2016/679 (the "GDPR"); the Privacy and Electronic Communications (EC Directive) Regulations 2003; and all legislation enacted in the UK in respect of the protection of Personal Data; in each case, to the extent in force, and as such are updated, amended, re-enacted or replaced from time to time;
- DP Regulator means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws;
- Services means the services provided by ATEB under the Agreement;
- Standard Contractual Clauses shall mean the Standard Contractual Clauses annexed to the European Commission Decision (2010/87/EU).
The terms Data Subject, Personal Data, Personal Data Breach and Processing shall have the meanings set out in the GDPR.
3. Data protection obligations
The parties shall comply with the provisions and obligations imposed on them by the Data Protection Laws at all times when processing the Customer Personal Data in connection with the Agreement.
The details of the processing of the Customer Personal Data carried out by ATEB on behalf of the Customer are set out in the Appendix to this DPA and form part of this DPA (the "Processing Instructions").
Each party shall maintain accurate, complete and up-to-date written records of all processing operations under its responsibility that contain at least the minimum information required by the Data Protection Laws, and shall make such information available to any DP Regulator on request.
- process the Customer Personal Data only for the performance of the Services in accordance with the Agreement and/or the Customer’s other written instructions from time to time;
- ensure that the employees, agents and sub-contractors who have access to the Customer Personal Data are informed of the confidential nature of the Customer Personal data and are subject to appropriate contractual obligations of confidentiality when processing such Customer Personal Data;
- implement and maintain technical and organisational measures and procedures to preserve the confidentiality and integrity of the Customer Personal Data and ensure an appropriate level of security for the Customer Personal Data, including protecting the Customer Personal Data against the risks of accidental, unlawful or unauthorised processing, destruction, loss, alteration, disclosure, dissemination or access;
- inform the Customer without undue delay if the Customer Personal Data is (while within ATEB’s or ATEB’s subcontractors', or affiliates' possession or control) subject to a Personal Data Breach or is otherwise lost or destroyed or becomes damaged, corrupted or unusable;
- upon termination or expiry of the Agreement, on the Customer’s explicit request, return or delete all the Customer Personal Data in ATEB’s possession or control (in a manner and form decided by ATEB, acting reasonably). This requirement shall not apply to the extent that ATEB is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on backup systems, which Customer Personal Data ATEB shall isolate and protect from any further processing;
- provide or make available to the Customer and any DP Regulator such information and assistance as is reasonably required to verify, demonstrate or ensure compliance with ATEB’s obligations (and each subcontractor's obligations, if applicable) in this DPA and/or the Data Protection Laws;
- assist the Customer to take such steps as are reasonably required to assist in ensuring compliance with any obligations under Articles 30 to 36 (inclusive) of the GDPR;
- notify the Customer within two (2) Business Days if ATEB receive a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that Data Subject's Personal Data;
- provide the Customer with such co-operation and assistance as may reasonably be required in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that Data Subject's Personal Data.
The Customer represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit ATEB to execute their rights or undertake the Services under this DPA as well as explicit consent from a Data Subject to process their Special Category Data.
Subject to paragraph 5, at the Customer’s request and provided that you shall enter into appropriate confidentiality agreements (as reasonably required by ATEB), ATEB shall permit the Customer or the Customer’s representatives to access any relevant premises, personnel or records of ATEB’s on reasonable notice to audit and otherwise verify ATEB’s compliance with the obligations under this DPA and the Data Protection Laws.
5. Notices and complaints
If either party receives any complaint, notice or communication which relates directly or indirectly to the processing of the Customer Personal Data by the other party or to either party's compliance with the Data Protection Laws, it shall as soon as reasonably practicable notify the other party and it shall provide the other party with reasonable co-operation and assistance in relation to any such complaint, notice or communication.
The Customer consents to ATEB engaging third party sub-processors (including any subcontractors and affiliates) to process the Customer Personal Data for the purpose of providing the Services, provided that:
- ATEB maintains an up-to-date list of its sub-processors via the ATEB suitability website (/sub-processors); and
- ATEB provides prior notification, via email, of any changes to the list of sub-processors who may process Customer Personal Data before authorising any new or replacement sub-processors; and
- ATEB imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Personal Data to the standard required by Data Protection Laws; and
- where a sub-processor is located outside the European Economic Area ATEB ensures they are located in a country that the European Commission has decided provides adequate protection for Personal Data, or have entered into Standard Contractual Clauses with ATEB, or has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules; and
- ATEB remains liable for any breach of this DPA that is caused by an act, error or omission of its sub-processor.
The Customer may object to ATEB's appointment or replacement of a sub-processor prior to its appointment or replacement by notifying ATEB promptly in writing within ten (10) Business Days after receipt of ATEB’s notice. Provided such objection is based on reasonable grounds relating to data protection ATEB will either not appoint or replace the sub-processor or, if this is not reasonably possible, at ATEB's sole discretion, the Customer may suspend or terminate their Agreement without penalty (without prejudice to any fees incurred by Customer up to and including the date of suspension or termination).
7. Indemnity and liability
Each party shall indemnify and keep indemnified at its own expense the other party against all claims, liabilities, damages, costs or expenses incurred by the other party or for which the other party may become liable due to any failure by a party or its, subcontractors, agents or personnel to comply with any of its obligations under this DPA or under the Data Protection Laws.
The liability of each party under this DPA shall be subject to the specific exclusions and limitations of liability set out in the Agreement.
8. Term and termination
The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.
ATEB’s right to charge the Customer for the reasonable costs which ATEB incurs in complying with its obligations to provide access and cooperation under this DPA are expressly reserved. In any such case, ATEB shall notify the Customer of the fees incurred in advance, unless otherwise agreed.
This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.
This DPA shall be governed by the laws of England and Wales. The courts of England shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA.
Appendix - Processing Instructions
The Customer Personal Data processing activities carried out by ATEB under the Agreement are as follows:
1. Subject matter and duration of processing
The subject matter and duration of the processing are set out in the Agreement and in this DPA.
2. Nature and purpose of processing
Broadly, ATEB process the Customer Personal Data to provide the Services to the Customer and to comply with the obligations under the Agreement whilst they remain in force.
3. Categories of Customer Personal Data
- Contact details
- Next of kin / emergency contact details
- Birth date / age
- Family details
- Financial information (including bank details)
- Compensation information (including salary, bonus and pension contributions)
- Employment information
4. Categories of Special Category Data
- Medical and / or health information
5. Categories of Data Subjects
- The Customer's prospect clients
- The Customer's clients
- The Customer's employees
This Data Processing Agreement was last updated on 24 May 2018 and is effective from 25 May 2018.