Data Processing Agreement
This agreement re processing of personal data (the ”Agreement”) regulates Pet Software Ltd’s (the ”Data Processor”) processing of personal data on behalf of the Client (the ”Data Controller”) and is attached as an addendum to the Terms & Conditions in which the parties have agreed the terms for the Data Processor’s delivery of Services to the Data Controller.
(1) The Data Controller from time to time engages the Data Processor to provide to the Data Controller the Services described in Schedule 1.
(2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.
(3) Under EU Regulation 2016/679 General Data Protection Regulation (“the GDPR”) (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that data.
(4) The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.
(5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.
IT IS AGREED as follows:
1. Definitions and Interpretation
1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
“Data Controller”, “Data Processor”, “processing”, and “data subject” shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR;
“ICO” means the UK’s supervisory authority, the Information Commissioner’s Office;
“Personal Data” means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by the Data Processor on behalf of the Data Controller, as described in Schedule 2;
“Services” means those services described in Schedule 1 which are provided by the Data Processor to the Data Controller and which the Data Controller uses for the purposes described in Schedule 1;
“Sub-Processor” means a sub-processor appointed by the Data Processor to process the Personal Data; and
“Sub-Processing Agreement” means an agreement between the Data Processor and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 10.
1.2 Unless the context otherwise requires, each reference in this Agreement to:
1.2.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
1.2.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
1.2.3 “this Agreement” is a reference to this Agreement as an addendum to the Terms & Conditions and each of the Schedules as amended or supplemented at the relevant time;
1.2.4 a Schedule is a schedule to this Agreement; and
1.2.5 a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
1.2.6 a "Party" or the "Parties" refer to the parties to this Agreement.
1.3 The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
1.4 Words imparting the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2.0 Scope and Application of this Agreement
2.1 This Agreement applies where and only to the extent that Data Processor processes Personal Data that originates from the EEA and / or that is otherwise subject to EU Data Protection Law on behalf of Data Controller as Data Processor in the course of providing Services pursuant to this Agreement.
2.2 The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Data Controller by the Data Processor, and to all Personal Data held by the Data Processor in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
2.3 The provisions of this Agreement supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Personal Data.
2.4 This Agreement shall continue in full force and effect for so long as the Data Processor is processing Personal Data on behalf of the Data Controller, and thereafter as provided in Clause 9.
3.0 Provision of the Services and Processing Personal Data
3.1 Data Processor will process Personal Data in accordance with the Data Controller’s instructions. The parties agree that this Agreement is Data Controller’s complete and final instructions to Data Processor in relation to the processing of Personal Data. Processing outside the scope of this Agreement (if any) will require prior written agreement between Data Processor and Data Controller on additional instructions for processing, including agreement on any additional fees Data Controller will pay to Data Processor for carrying out such instructions. Data Controller may terminate this Agreement if Data Processor declines to follow instructions requested by Data Controller that are outside the scope of this Agreement.
3.2 The Data Processor is only to carry out the Services, and only to process the Personal Data received from the Data Controller:
3.2.1 for the purposes of those Services and not for any other purpose;
3.2.1 to the extent and in such a manner as is necessary for those purposes.
4.0 Data Protection Compliance
4.1 The Data Processor shall comply in a reasonable timeframe with any request from the Data Controller requiring the Data Processor to dispose of the Personal Data.
4.2 The Data Processor shall transfer all Personal Data to the Data Controller on the Data Controller’s written request in .CSV format.
4.3 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
4.4 The Data Processor agrees to comply with any reasonable measures required by the Data Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
4.5 The Data Processor shall provide all reasonable assistance (at the Data Controller’s cost) to the Data Controller in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
4.6 When processing the Personal Data on behalf of the Data Controller, the Data Processor shall:
4.6.1 not process the Personal Data outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Data Controller and, where the Data Controller consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of Data Processors under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred;
4.6.2 not transfer any of the Personal Data to any third party without the written consent of the Data Controller and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 10;
4.6.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Data Controller or as may be required by law;
4.6.4 on at least 30 days' prior written notice, submit to audits and inspections and provide the Data Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR and
4.6.5 inform the Data Controller immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5.1 Data Processor shall implement and maintain appropriate technical and organisational security measures to protect Personal Data from security incidents and to preserve the security and confidentiality of the Personal Data, in accordance with the Technical and Organisational Data Protection Measures set out in Schedule 3.
5.2 Data Controller is responsible for reviewing the information made available by Data Processor relating to data security and making an independent determination as to whether the services meet the Data Controllers requirements and legal obligations under the Data Protection Laws. Customer acknowledges that the security measures are subject to technical progress and development and that the Data Processor may update or modify Schedule 3 of this Agreement from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Data Controller.
5.3 Notwithstanding the above, Data Controller agrees that except as provided by this Agreement, Data Controller is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services and taking any appropriate steps to secure, encrypt or backup any Personal Data uploaded to the services.
6.0 Data Subject Access, Complaints, and Breaches
6.1 The Data Processor shall, at the Data Controller’s cost, assist the Data Controller in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
6.2 The Data Processor shall notify the Data Controller within 14 days if it receives:
6.2.1 a subject access request from a data subject; or
6.2.2 any other complaint or request relating to the processing of the Personal Data.
6.3 The Data Processor shall, at the Data Controller’s cost, cooperate fully with the Data Controller and assist as required in relation to any subject access request, complaint, or other request, including by:
6.3.1 providing the Data Controller with full details of the complaint or request;
6.3.2 provide the necessary information and assistance in order to comply with a subject access request;
6.3.3 providing the Data Controller with any Personal Data it holds in relation to a data subject;
6.4 The Data Processor shall notify the Data Controller if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
7.0 Appointment of a Data Protection Officer
7.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations. The Data Protection Office can be contacted at firstname.lastname@example.org.
8.0 Limitation and Liability
8.1 The total aggregate liability to the Data Controller, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the Terms and Conditions to which this Agreement is an addendum.
8.2 Nothing in this Agreement will relieve the Data Processor of its own responsibilities and liabilities under the GDPR.
9.1 The Data Processor shall maintain the Personal Data in confidence, and in particular, unless the Data Controller has given written consent for the Data Processor to do so, the Data Processor shall not disclose any Personal Data supplied to the Data Processor by, for, or on behalf of, the Data Controller to any third party. The Data Processor shall not process or make any use of any Personal Data supplied to it by the Data Controller otherwise than in connection with the provision of the Services to the Data Controller.
9.2 The Data Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
9.3 The obligations set out in in this Clause 9 shall continue for a period of 1 year after the cessation of the provision of Services by the Data Processor to the Data Controller.
9.4 Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.
10.0 Appointment of Sub-Processors
10.1 Data Controller agrees that the Data Processor may engage Sub-Processors to process the Personal Data on its behalf. The Sub-Processors currently engaged by the Data Processor and authorized by Data Processor are listed in Schedule 4.
10.2 Data Processor shall (i) enter into a written agreement with the Sub-Processor imposing data protection terms that require the Sub-Processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Sub-Processor that cause Data Processor to breach any of its obligations under this Agreement.
11.0 Changes to Sub-Processors
11.1 Data Processor shall (a) provide and up to date list of the Sub-Processors it has appointed upon written request from the Data Controller; and (b) notify Data Controller by email if it adds or removes a Sub Processor at east 10 days before any such changes.
11.2 Data Controller may object in writing to Data Processors appointment of a new Sub-Processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Data Controller may suspend or terminate this Agreement.
12.0 Deletion and/or Disposal of Personal Data
12.1 The Data Processor shall, at the written request of the Data Controller, delete (or otherwise dispose of) the Personal Data or return it to the Data Controller in .csv format within a reasonable time after the earlier of the following:
12.2.1 The end of the provision of the Services; or
12.2.2 the processing of that Personal Data by the Data Processor is no longer required for the performance of the Data Processor’s obligations under this Agreement.
12.2 Following the deletion, disposal, or return of the Personal Data under sub-Clause 12.1, the Data Processor shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Data Processor shall inform the Data Controller of such requirement(s) in writing.
13.0 Law and Jurisdiction
13.1 This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
13.2 Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
The use of the Services (known as Pet Sitter Plus) as described here
The data processor processes the following types of data in connection with its delivery of the Services.
1.0 Information relating to data subjects for the processing of pet sitting schedules and subsequent financial transactions including but not limited to;
OTHER PERSONAL DATA
2.0 A Client may wish to create and store additional categories of Personal Data to those listed above, such as a gender, age, occupation, social interests, home security details etc.
2.1 The Services provide the Client with the ability to create and store an unlimited number of types of Personal Data (the “Custom Fields”).
2.2 For the purposes of this Agreement, any additional Personal Data that is created and stored by the client using Custom Fields shall form part of this Schedule 2.
CATEGORIES OF DATA SUBJECTS
3.0 The Data Processor processes Personal Data about the following categories of data subjects on behalf of the Client.
Clients of the Data Controller
Employees and or contractors of the Data Controller
Veterinarians related to data subjects
Any other categories that the Client requires, which are subsequently defined using Custom Fields.
TECHNICAL AND ORGANISATIONAL DATA PROTECTION MEASURES
The following are the technical and organisational data protection measures referred to in Clause 4:
1.0 The Data Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Data Controller, it maintains security measures to a standard appropriate to:
1.1 the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
1.2 the nature of the Personal Data.
2.0 In particular, the Data Processor shall:
2.1 have in place, and comply with, a security policy which:
2.1.1 defines security needs based on a risk assessment;
2.1.2 allocates responsibility for implementing the policy to a specific individual or personnel;
2.1.3 is disseminated to all relevant staff; and
2.1.4 provides a mechanism for feedback and review.
2.2 ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
2.3 prevent unauthorised access to the Personal Data;
2.4 ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
2.5 have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
2.6 password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure and that passwords are not shared under any circumstances;
2.7 take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
2.8 have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
2.8.1 the ability to identify which individuals have worked with specific Personal Data;
2.8.2 having a proper procedure in place for investigating and remedying breaches of the GDPR; and
2.8.3 notifying the Data Controller as soon as any such security breach occurs.
2.9 have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
2.10 have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment.
LIST OF SUB-PROCESSORS
Data Processor uses a range of third party Sub-Processors to assist it in providing the Services. These Sub-Processors are listed below:
Amazon Web Services (AWS) https://aws.amazon.com/