This document sets out the Data Processing Agreement (DPA) between us and the customer. It is incorporated into our Terms and Conditions.
0. Document History
| Version | Comment | Date |
| --- | --- | --- |
| Version 1 | Initial version | 16th August 2019 |
1. Definitions
- Data Controller (you, the Controller) – the entity deciding to collect personal data, typically as the result of a contract with the data subject
- Data Processor (we/us, the Processor) – the entity which processes personal data on behalf of the controller
- Personal Data – information that relates to an identifiable person
- Customer Data – Personal Data that the Data Controller is responsible for
- Processing – any operation performed on personal data. This includes the storage, modification and retrieval of the data
- Data Processing Agreement (DPA) – this document
- General Data Protection Regulation (GDPR) – the legal regulation under which this document exists
2. Data Processing
We process Customer Data on your behalf in performing the services that we provide to you. This classifies us as a “Data Processor” under the General Data Protection Regulation (GDPR).
2.1 Scope
This DPA applies when we process personal data for which you are responsible as the Controller.
We will only process Customer Data to the extent needed to perform the services we provide. We do so in line with this DPA, our Terms and Conditions, any additional agreements, and your instructions.
2.2 Permission to Process
We agree to only process Customer Data under your documented instructions, unless otherwise required by law.
You give permission for us to process Customer Data on your behalf, as required for us to deliver the requested services.
This includes the “Named Services” below in addition to any other requested services.
2.2.1 Named Services
| Service | Data Processed | Types of Processing |
| --- | --- | --- |
| Website (Hosted) | IP address; pages requested; browser metadata | Collection, Storage, Retrieval |
| Membership Websites (Hosted) | User login (e.g. email, username and hashed password); membership information; personalisation information | Collection, Storage, Retrieval |
| eCommerce Websites (Hosted) | Shipping information; billing information; payment metadata | Collection, Storage, Retrieval |
| Data Backups (Hosted) | All Data | Retrieval, Storage |
2.3 Duration of the Processing
We will only process Customer Data on your behalf for the duration of the services we provide, until those services are ended.
2.3.1 Termination of Services
When you inform us that you want to end your services with us, you have the option to request the return of the Customer Data. You must state this when you send your request to end services.
If we terminate your services, as per our Terms and Conditions, then you will need to respond promptly with such a request for data.
We will charge a fee to cover the cost of providing you with the Customer Data.
Where you can retrieve the Customer Data yourself using the tools provided as part of the service, you must do so before terminating our services.
If no request for data is received, we will permanently delete all Customer Data after the end of services.
3. Data Confidentiality
We will ensure that the processing of Customer Data is carried out under a duty of confidence.
We will not disclose Customer Data to any other third party, except as legally required or as needed under your instruction.
Where possible, we will redirect such requests to you; in doing so we may pass your basic contact information to the requesting party.
4. Security of Processing
We take appropriate measures to ensure that the Customer Data we process is handled securely.
4.1 Authorisation and Encryption of Data
Where we store data on remote servers, we do so using an appropriate level of industry-standard mechanisms to restrict access. This helps ensure that only authorised users can gain access to the data.
Once access is granted, the transmission of data is completed over encrypted channels.
5. Data Subject Rights
We will take appropriate measures to help you in complying with data subject rights.
We may do this by providing you with the administrative tools required for you to fulfil such obligations. You may need to pay for such tools to be provided.
If no such tools can be provided then we may assist by performing tasks on your behalf. We will charge additional fees in order to cover the cost of doing so.
Any requests received directly from a Data Subject will be forwarded to you, for you to comply with the request.
6. Sub-Processing
We will only engage with sub-processors that you have provided written authorisation for.
You agree that we may use sub-processors to fulfil our contractual obligations under our Terms and Conditions and this document, and to provide certain services on your behalf, such as support services.
6.1 Named Sub-Processors
| Sub-processor | Purpose | Type of Processing |
| --- | --- | --- |
| 1&1 IONOS Ltd (Agreement) | Provision of servers | Storage |
7. Notification of Data Breach
If we become aware of a security incident, we will without undue delay:
- Notify you of the security incident
- Take steps to mitigate the effects and minimise damage
8. Data Controller Rights
8.1 Independent Determination
You are responsible for reviewing the information made available by us relating to data security. You must independently determine whether this meets your legal obligations.
8.2 Auditing
We will make available all requested information necessary for you to demonstrate compliance with the GDPR. We will allow for and contribute to audits (including inspections) conducted by you or on your behalf.
We will notify you if we believe the request infringes the GDPR.
We may not be able to provide specific information relating to our security implementation, as this could undermine the security of that implementation.
8.3 Charges
We are entitled to charge extra fees to cover the costs and expenses involved in completing any requests you make to us relating to this DPA and the GDPR.
In such cases an estimate will be provided in advance.
8.4 Changes
You are responsible for notifying us, with reasonable notice, of any changes to applicable data protection laws, codes or regulations which may affect our contractual duties as the Processor.