Data Processing Agreement

Contents
  1. Definitions
  2. Processor and Controller
  3. Instructions and details of processing
  4. Technical and organisational measures
  5. Using staff and other processors
  6. Assistance with compliance and Data Subject rights
  7. International data transfers
  8. Information and audit
  9. Breach notification
  10. Deletion of Personal Data and copies
  11. Compensation and claims
  12. Survival
  13. General

We, the supplier, are referred to as We/Our/Us and you, the customer, are referred to as You/Your, together the Parties and each a Party.


1 Definitions

1.1 Defined terms in this Data Processing Agreement shall have the meaning given in the Terms and Conditions and the same rules of interpretation apply. In addition, in this Data Processing Agreement the following definitions have the meanings given below:

Appropriate Safeguards

means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Controller

has the meaning given in Data Protection Laws;

Data Protection Laws

means all laws relating to the processing, privacy and/or use of Personal Data, as applicable to either Party or the Services, including the following laws to the extent applicable in the circumstances:

(a) the UK GDPR;

(b) the Data Protection Act 2018; and

(c) any laws which implement any such laws;

Data Protection Losses

means all liabilities, including all:

(a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and

(b) to the extent permitted by Data Protection Laws:

(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;

(ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and

(iii) the reasonable costs of compliance with investigations by a Supervisory Authority;

Data Subject

has the meaning given in Data Protection Laws;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

Personal Data

means personal data (within the meaning given in Data Protection Laws) included in Your Data;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data;

Processing

has the meanings given in Data Protection Laws (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given in paragraph 3.1.1;

Processor

has the meaning given in Data Protection Laws;

Sub-Processor

means another Processor engaged by Us for carrying out processing activities in respect of the Personal Data on behalf of You;

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;

Terms of Service

means the latest version of the terms of Service available via the platform; and

Transfer

bears the same meaning as the word ‘transfer’ in Article 44 of the UK GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly.

2 Processor and Controller

2.1 The Parties agree that, for the Personal Data, You are the Controller and We are the Processor. Nothing in this Agreement relieves You of any responsibilities or liabilities under any Data Protection Laws.

2.2 We shall process Personal Data in compliance with Data Protection Laws and the terms of our Agreement.

2.3 You warrant, represent and undertake, that at all times:

2.3.1 You shall comply with Data Protection Laws including in terms of collection, storage and processing of the Personal Data;

2.3.2 fair processing and other information notices have been provided to the Data Subjects of the Personal Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Personal Data which may be undertaken by Us in accordance with our Agreement; and

2.3.3 all instructions given by You to Us in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

3 Instructions and details of processing

3.1 Insofar as We process Personal Data on behalf of You, We:

3.1.1 shall (and shall take steps to ensure each person acting under Our authority shall) process the Personal Data only on and in accordance with Your instructions (Processing Instructions);

3.1.2 if any Data Protection Laws require Us to process Personal Data other than in accordance with the Processing Instructions, We shall notify You of any such requirement before processing the Personal Data (unless such Data Protection Laws prohibit such information on important grounds of public interest); and

3.1.3 shall immediately inform You if We become aware of a Processing Instruction that, in Our opinion, infringes Data Protection Laws, and to the maximum extent permitted by law, We shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with Your Processing Instructions.

3.2 You acknowledge and agree that the execution of any computer command to process (including deletion of) any Personal Data made in the use of any of the Services by an Authorised User will be a Processing Instruction. You shall ensure that Authorised Users do not execute any such command unless authorised by You (and by all other relevant Controller(s)) and acknowledge that if any Personal Data is deleted pursuant to any such command We are under no obligation to seek to restore it.

3.3 The processing of the Personal Data by Us under our Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Annex 1.

4 Technical and organisational measures

4.1 Taking into account the nature of the processing, We shall implement and maintain appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected, having regard to the state of technological development.

5 Using staff and other processors

5.1 You hereby give Us a general authorisation to appoint the Sub-Processors listed on the webpage at https://enhancedsupport.esendex.co.uk/sub-processors/. We can update the Website from time to time and will inform You by email of any update, provided that You register an email address on the Website. You shall have the opportunity to object to any addition or replacement by notification in writing to Us, within 20 days of a change being made. In the event of an objection, We are entitled to terminate this Agreement if the Services become impossible without the addition or replacement of the relevant sub-processor.

5.2 We shall:

5.2.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Personal Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under paragraphs 2 to 12 (inclusive) that is enforceable by Us (including those relating to sufficient guarantees to implement appropriate technical and organisational measures);

5.2.2 ensure each such Sub-Processor complies with all such obligations; and

5.2.3 remain fully liable for all the acts and omissions of each Sub-Processor as if they were Our own.

5.3 We shall ensure that all persons authorised by Us (or by any Sub-Processor) to process Personal Data are subject to a binding written contractual obligation to keep the Personal Data confidential (except where disclosure is required in accordance with Data Protection Laws, in which case We shall, where practicable and not prohibited by Data Protection Laws, notify You of any such requirement before such disclosure).

6 Assistance with compliance and Data Subject rights

6.1 We shall refer all Data Subject Requests We receive to You without undue delay. 

6.2 We shall provide such reasonable assistance as You reasonably require (taking into account the nature of processing and the information available to Us) to You in ensuring compliance with Your obligations under Data Protection Laws with respect to:

6.2.1 security of processing;

6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);

6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and

6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by You in response to any Personal Data Breach.

7 International data transfers

7.1 We shall not Transfer any Personal Data to any country or international organisation outside of the UK or EEA unless:

7.1.1 such Transfer is solely for the purpose set out in Annex 1;

7.1.2 the Secretary of State or EU Commission has confirmed that country or international organisation can provide an adequate level of protection (an adequacy regulation or decision). This includes the use of approved frameworks for the sharing of personal data, such as the UK Extension to the EU-US Data Privacy Framework or the transfer has been made subject to Appropriate Safeguards being entered into;

7.1.3 the Data Subject has enforceable rights and effective legal remedies; and

7.1.4 such Transfer is in accordance with Data Protection Laws and our Agreement.

8 Information and audit

8.1 We shall maintain, in accordance with Data Protection Laws applicable to Us, written records of all categories of processing activities carried out on behalf of You.

8.2 We shall, on request by You, in accordance with Data Protection Laws, make available to You such information as is reasonably necessary to demonstrate Our compliance with Our obligations under this Data Processing Agreement and Article 28 of the UK GDPR, and allow for audits, including inspections, by You (or another auditor mandated by You) for this purpose provided:

8.2.1 such audit, inspection or information request is reasonable, limited to information in Our possession or control and is subject to You giving Us reasonable prior notice of such audit, inspection or information request;

8.2.2 You pay Us reasonable costs in allowing any audit or inspection (unless such audit or inspection is required by a Supervisory Authority or due to a breach by Us of this Data Processing Agreement); 

8.2.3 the Parties (each acting reasonably and consent not to be unreasonably withheld or delayed) shall agree the timing, scope and duration of the audit, inspection or information release together with any specific policies or other steps with which You or any third party auditor shall comply (including to protect the security and confidentiality of other customers, to ensure We are not placed in breach of any other arrangement with any other customer and so as to comply with the remainder of this paragraph 8.2);

8.2.4 Your rights under this paragraph 8.2 may only be exercised once in any consecutive 12 month period, unless otherwise required by a Supervisory Authority or if You (acting reasonably) believe We are in breach of this Data Processing Agreement;

8.2.5 You shall promptly report any non-compliance identified by the audit, inspection or release of information to Us;

8.2.6 You shall ensure that all information obtained or generated by You or Your auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure required by Data Protection Laws);

8.2.7 You shall ensure that any such audit or inspection is undertaken during normal business hours, with minimal disruption to Our business; and

8.2.8 You shall ensure that each person acting on Your behalf in connection with such audit or inspection (including the personnel of any third party auditor) shall not by any act or omission cause or contribute to any damage, destruction, loss or corruption of or to any of Our systems, equipment or data.

9 Breach notification

9.1 In respect of any Personal Data Breach involving Personal Data, We shall, without undue delay:

9.1.1 notify You of the Personal Data Breach; and

9.1.2 provide You with details of the Personal Data Breach.

10 Deletion of Personal Data and copies

10.1 Following the end of the provision of the Services (or part) relating to the processing of Personal Data We shall dispose of Personal Data in accordance with Our obligations under this Agreement. We shall have no liability (howsoever arising, including in negligence) for any deletion or destruction of any such Personal Data undertaken in accordance with our Agreement.

11 Compensation and claims

11.1 Subject to the limitation of liability set out in the Terms and Conditions, We shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Agreement:

11.1.1 only to the extent caused by the processing of Personal Data under our Agreement and directly resulting from Our breach of our Agreement; and

11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Agreement or Data Protection Laws by You.

11.2 If a Party receives a compensation claim from a person relating to processing of Personal Data in connection with our Agreement or the Services, it shall promptly provide the other Party with notice and full details of such claim. The Party with conduct of the action shall:

11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other Party (which shall not be unreasonably withheld or delayed); and

11.2.2 consult fully with the other Party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the Party that is responsible under our Agreement for paying the compensation.

11.3 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the Parties except:

11.3.1 to the extent not permitted by Data Protection Laws; and

11.3.2 it does not affect the liability of either Party to any Data Subject.

12 Survival

This Data Processing Agreement shall survive termination (for any reason) or expiry of our Agreement and continue until no Personal Data remains in the possession or control of Us or any Sub-Processor, except that paragraphs 10 to 13 (inclusive) shall continue indefinitely.

13 General

13.1 This Data Processing Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

13.2 No failure or delay by a party to exercise any right or remedy provided under this Data Processing Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

13.3 If any provision or part-provision of this Data Processing Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Data Processing Agreement.

13.4 Any notice or other communication given to a party under or in connection with this Data Processing Agreement shall be in writing, addressed to that party at its registered office and shall be delivered personally, or sent by pre-paid first-class post or other next working day delivery service, commercial courier or e-mail.

13.5 A notice or other communication shall be deemed to have been received: (i) if delivered personally, when left at the address referred to in clause 13.4; (ii) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; (iii) if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or (iv) if sent by e-mail, one Business Day after transmission.

13.6 No one other than a party to this Data Processing Agreement shall have any right to enforce any of its terms.

13.7 This Data Processing Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.

13.8 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Data Processing Agreement or its subject matter or formation.

Annex 1

Data processing details

Subject-matter of processing:

Sending business communications

Duration of the processing:

Until the earlier of final termination or final expiry of our Agreement, except as otherwise expressly stated in our Agreement

Nature and purpose of the processing:

Processing in accordance with the rights and obligations of the Parties under our Agreement;

Processing as reasonably required to provide the Services;

Processing as initiated, requested or instructed by Authorised Users in connection with their use of the Services, or by You, in each case in a manner consistent with our Agreement.

Processing to detect and prevent fraudulent activity.

Type of Personal Data:

Name;

Address;

Mobile Number;

And as further inputted by You in Our platform.

Categories of Data Subjects:

Your customers, prospects and/or employees.