DATA PROCESSING AGREEMENT

Last modified: 24/05/18

The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Customer for Journey. The terms of this Agreement are to apply to all processing of Personal Data carried out for Journey by the Customer and to all Personal Data held by the Customer in relation to all such processing.

DEFINITIONS

IT IS AGREED as follows:

Definitions and Interpretation
In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Data Controller”, “Customer”, “processing”, and “data subject” shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR;
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
“Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Customer on behalf of Journey, as described in Schedule 1;
“Services” means those services and facilities which are provided by Journey to the Customer and which Journey uses for the purposes of discharging the Service Agreement;
“Sub-Processor” means a sub-processor appointed by Journey to process the Personal Data; and
“Sub-Processing Agreement” means an agreement between Journey and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 8.

  1. Scope and Application of this Agreement
    1. The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 1, carried out for the Customer by Journey, and to all Personal Data held by Journey in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
    2. This Agreement shall continue in full force and effect for so long as Journey is processing Personal Data on behalf of the Customer, and thereafter as provided in Clause 8.

  2. Provision of the Services and Processing Personal Data
    1. Journey is only to carry out the Services, and only to process the Personal Data received from the Customer:
      1. for the purposes of those Services and not for any other purpose;
      2. to the extent and in such a manner as is necessary for those purposes; and
      3. strictly in accordance with the express written authorisation and instructions of the Customer (which may be specific instructions or instructions of a general nature or as otherwise notified to Journey by the Customer).

  3. Data Protection Compliance
    1. Journey shall promptly comply with any request from the Customer requiring Journey to amend, transfer, delete, or otherwise dispose of the Personal Data.
    2. Journey shall transfer all Personal Data to the Customer on their request in the formats, at the times, and in compliance with the Customer’s written instructions.
    3. Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
    4. The Customer hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
    5. Each Party agrees to comply with any reasonable measures required by the other Party to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
    6. Each Party shall provide all reasonable assistance to the other Party in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
    7. When processing the Personal Data on behalf of the Customer, Journey shall:
      1. not process the Personal Data outside the European Economic Area without the prior written consent of the Customer and, where the Customer consents to such a transfer to a country outside the EEA, comply with the obligations of Journey under the provisions applicable to transfers of Personal Data to third countries by providing an adequate level of protection to any Personal Data that is transferred;
      2. not transfer any of the Personal Data to any third party without the written consent of the Customer;
      3. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law;
      4. implement appropriate technical and organisational measures, as described in Schedule 2, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure;
      5. if so requested by the Customer supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
      6. make available to the Customer any and all such information as is reasonably required and necessary to demonstrate Journey’s compliance with the GDPR;
      7. on reasonable prior notice, submit to audits and inspections and provide the Customer with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR; and
      8. inform the Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.

  4. Data Subject Access, Complaints, and Breaches
    1. Journey shall assist the Customer in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
    2. Each Party shall notify the other Party without undue delay if they receive:
      1. a subject access request from a data subject; or
      2. any other complaint or request relating to the processing of the Personal Data.
    3. Each Party shall cooperate fully with the other Party and assist as required in relation to any subject access request, complaint, or other request, including by providing the requesting Party:
      1. with full details of the complaint or request;
      2. the necessary information and assistance in order to comply with a subject access request;
      3. with any Personal Data they hold in relation to a data subject; and
      4. any other information requested.
    4. Journey shall notify the Customer immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
    5. For further details on Subject Access Requests please refer to Journey’s Subject Access Request Procedure.

  5. Liability and Indemnity
    1. The Customer shall be liable for, and shall indemnify (and keep indemnified) Journey in respect of any and all action, proceeding, liability, cost, claim, loss, expense, reasonable legal fees, or demand suffered or incurred by, awarded against, or agreed to be paid by, Journey and any Sub-Processor arising directly or in connection with:
      1. any non-compliance by the Customer with the GDPR or other applicable legislation;
      2. any Personal Data processing carried out by Journey or Sub-Processor in accordance with instructions given by the Customer that infringe the GDPR or other applicable legislation; or
      3. any breach by the Customer of its obligations under this Agreement, except to the extent that Journey or any Sub-Processor is liable under sub-Clause 6.2.
    2. Journey shall be liable for, and shall indemnify the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense, reasonable legal fees or demand suffered or incurred by, awarded against, or agreed to be paid by Journey arising directly or in connection with Journey’s Personal Data processing activities that are subject to this Agreement:
      1. only to the extent that the same results from Journey’s or a Sub-Processor’s breach of this Agreement; and
      2. not to the extent that the same is or are contributed to by any breach of this Agreement by the Customer.
    3. Nothing in this Agreement (and in particular, this Clause 6) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR.

  6. Confidentiality
    1. Journey shall maintain the Personal Data in confidence, and in particular, unless the Customer has given written consent for Journey to do so, Journey shall not disclose any Personal Data supplied to them by, for, or on behalf of the Customer to any third party. Journey shall not process or make any use of any Personal Data supplied to it by the Customer otherwise than in connection with the provision of the Services to the Customer.
    2. Journey shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.

  7. Appointment of Sub-Processor
    1. Journey shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Customer (such consent not to be unreasonably withheld).
    2. In the event that Journey appoints a Sub-Processor, Journey shall:
      1. enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon Journey by this Agreement and which shall permit both Journey and the Customer to enforce those obligations; and
      2. ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
    3. In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, the Customer shall remain fully liable to the Customer for failing to meet its obligations under this Agreement.
    4. Sub-Processors at this current time include:
      1. PAYROLL AND FINANCE
      2. IT PROVIDER
      3. DATA & HOSTING CENTRES
      4. MARKETING PLATFORM PROVIDERS
      5. POSTAL FULFILMENT PROVIDERS
      6. ONLINE MANAGEMENT PLATFORM PROVIDERS

  8. Deletion and/or Disposal of Personal Data
    1. Journey shall, at the written request of the Customer, delete (or otherwise dispose of) the Personal Data or return it to the Customer within a reasonable time after the earlier of the following:
      1. the end of the provision of the Services under the Service Agreement; or
      2. the processing of that Personal Data by Journey is no longer required for the performance of Journey’s obligations under this Agreement and/or the Service Agreement.
    2. Following the deletion, disposal, or return of the Personal Data, Journey shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case Journey shall inform the Customer of such requirements in writing.
    3. All Personal Data to be deleted or disposed of under this Agreement shall be deleted or disposed of using certified confidential waste providers if held in hard copy format or upon advice from specialist IT Providers for all electronic data held.

  9. Law and Jurisdiction
    1. This Agreement shall be governed by, and construed in accordance with, the laws of England and Wales.

SCHEDULE 1

Personal Data

| Type of Personal Data | Nature of Processing Carried Out | Purpose(s) of Processing | Duration of Processing |
|---|---|---|---|
| Name, Email Address, Other relevant preference options | Storage, uploading and segmentation of data | Email Marketing | Duration of service contract |
| Name, Email Address, other custom form fields | Data Storage | Website form entries for email marketing and/or provision of information | Duration of service contract |
| Phone numbers | Data Storage and tracking | Analytical statistics | Duration of service contract |

SCHEDULE 2

Technical and Organisational Data Protection Measures

  1. Journey shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Customer, it maintains security measures to a standard appropriate to:
    1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
    2. the nature of the Personal Data.
  2. In particular, Journey shall have in place, and comply with, a security policy which:
    1. defines security needs based on a risk assessment, is provided to the Customer on written request, and is disseminated to all relevant staff;
    2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
    3. prevent unauthorised access to the Personal Data;
    4. protect the Personal Data using pseudonymisation, where it is practical to do so;
    5. ensure that its storage of Personal Data conforms with best industry practice and access by personnel to Personal Data is strictly monitored and controlled;
    6. have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
    7. password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure and that passwords are not shared under any circumstances;
    8. take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
    9. have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
      1. having a proper procedure in place for investigating and remedying breaches of the GDPR; and
      2. notifying the Customer as soon as any such security breach occurs.
    10. have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
    11. have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment;