DATA PROCESSING AGREEMENT
- Definitions and Interpretation.
1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:
|“Customer”||Means the Customer as identified in the Order in the Master Agreement|
|“Customer”, “GivePanel”, “processing”, and “data subject”||shall have the meanings given to the terms “controller”, “processor”, “processing”, and “data subject” respectively in Article 4 of the GDPR;|
|“GDPR”||Means both the UK-GDPR which took effect on January 31, 2020, as well as the EU-GDPR|
|“GivePanel”||Means Nick Burne Consulting Limited|
|“ICO”||means the UK’s supervisory authority, the Information Commissioner’s Office;|
|“Master Agreement”||means the Software as a Service agreement entered into between the Customer and GivePanel;|
|“Order”||means the order for the Services as defined in the Master Agreement;|
|“Personal Data”||means all such “personal data”, as defined in Article 4 of the GDPR, as is, or is to be, processed by GivePanel on behalf of the Customer, as described in Schedule 1;|
|“Services”||means those services described in the Master Agreement which are provided by GivePanel to the Customer and which the Customer uses for the purpose of managing its Facebook fundraising efforts;|
|“Sub-Processor”||means a sub-processor appointed by GivePanel to process the Personal Data; and|
|“Sub-Processing Agreement”||means an agreement between GivePanel and a Sub-Processor governing the Personal Data processing carried out by the Sub-Processor, as described in Clause 7.|
1.2 Unless the context otherwise requires, each reference in this Agreement to:
1.2.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
1.2.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
1.2.3 “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
1.2.4 a Schedule is a schedule to this Agreement; and
1.2.5 a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
1.2.6 a “Party” or the “Parties” refer to the parties to this Agreement.
1.3 The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
1.4 Words imparting the singular number shall include the plural and vice versa.
1.5 References to any gender shall include all other genders.
1.6 References to persons shall include corporations.
2. Scope and Application of this Agreement
2.1 The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 1, carried out for the Customer by GivePanel, and to all Personal Data held by GivePanel in relation to all such processing whether such Personal Data is held at the date of this Agreement or received afterwards.
2.2 In the event of any conflict between the provisions of this Agreement and the Master Agreement, the provisions of this supersede the terms of the Master Agreement.
2.3 This Agreement shall continue in full force and effect for so long as GivePanel is processing Personal Data on behalf of the Customer.
3. Provision of the Services and Processing Personal Data
GivePanel is only to process the Personal Data received from the Customer:
3.1 for the purposes of those Services and not for any other purpose;
3.2 to the extent and in such a manner as is necessary for those purposes; and
3.3 strictly in accordance with the express written authorisation and instructions of the Customer (which may be specific instructions or instructions of a general nature or as otherwise notified by the Customer to GivePanel).
4. Data Protection Compliance
4.1 All instructions given by the Customer to GivePanel shall be made in writing and shall at all times be in compliance with the GDPR and other applicable laws. GivePanel shall act only on such written instructions from the Customer unless GivePanel is required by law to do otherwise (as per Article 29 of the GDPR).
4.2 GivePanel shall promptly comply with any request from the Customer requiring GivePanel to amend, transfer, delete, or otherwise dispose of the Personal Data.
4.3 GivePanel shall transfer all Personal Data to the Customer on the Customer’s request in the formats, at the times, and in compliance with the Customer’s written instructions.
4.4 Both Parties shall comply at all times with the GDPR and other applicable laws and shall not perform their obligations under this Agreement or any other agreement or arrangement between themselves in such way as to cause either Party to breach any of its applicable obligations under the GDPR.
4.5 The Customer hereby warrants, represents, and undertakes that the Personal Data shall comply with the GDPR in all respects including, but not limited to, its collection, holding, and processing.
4.6 GivePanel agrees to comply with any reasonable measures required by the Customer to ensure that its obligations under this Agreement are satisfactorily performed in accordance with any and all applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO.
4.7 GivePanel shall provide all reasonable assistance (at the Customer’s cost) to the Customer in complying with its obligations under the GDPR with respect to the security of processing, the notification of personal data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.
4.8 When processing the Personal Data on behalf of the Customer, GivePanel shall:
4.8.1 not process the Personal Data outside the European Economic Area (all EU member states, plus Iceland, Liechtenstein, and Norway) (“EEA”) without the prior written consent of the Customer (such consent not to be unreasonably withheld or delayed) and, where the Customer consents to such a transfer to a country that is outside of the EEA, to comply with the obligations of GivePanel under the provisions applicable to transfers of Personal Data to third countries set out in Chapter 5 of the GDPR by providing an adequate level of protection to any Personal Data that is transferred. Where such a Sub-Processor has been appointed by GivePanel prior to the entering into of the Master Agreement, the entering into of the Master Agreement shall be deemed written notice as required under this clause;
4.8.2 not transfer any of the Personal Data to any third party without the written consent of the Customer and, in the event of such consent, the Personal Data shall be transferred strictly subject to the terms of a suitable agreement, as set out in Clause 7;
4.8.3 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law (in which case, GivePanel shall inform the Customer of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
4.8.4 implement appropriate technical and organisational measures, as described in Schedule 2, and take all steps necessary to protect the Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. GivePanel shall inform the Customer in advance of any changes to such measures;
4.8.5 if so requested by the Customer (and within the timescales required by the Customer) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
4.8.6 make available to the Customer any and all such information as is reasonably required and necessary to demonstrate GivePanel’s compliance with the GDPR;
4.8.7 on reasonable prior notice, submit to audits and inspections and provide the Customer with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Customer believes that GivePanel is in breach of any of its obligations under this Agreement or under the law; and
4.8.8 inform the Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.
5. Data Subject Access, Complaints, and Breaches
5.1 GivePanel shall, at the Customer’s cost, assist the Customer in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.
5.2 GivePanel shall notify the Customer without undue delay if it receives:
5.2.1 a subject access request from a data subject; or
5.2.2 any other complaint or request relating to the processing of the Personal Data.
5.3 GivePanel shall , at the Customer’s cost, cooperate fully with the Customer and assist as required in relation to any subject access request, complaint, or other request, including by:
5.3.1 providing the Customer with full details of the complaint or request;
5.3.2 providing the necessary information and assistance in order to comply with a subject access request;
5.3.3 providing the Customer with any Personal Data it holds in relation to a data subject (within the timescales required by the Customer); and
5.3.4 providing the Customer with any other information requested by the Customer.
5.4 GivePanel shall notify the Customer immediately if it becomes aware of any form of Personal Data breach, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.
6. Liability and Indemnity
6.1 The Customer shall be liable for, and shall indemnify (and keep indemnified) GivePanel in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, GivePanel arising directly or in connection with:
6.1.1 any non-compliance by the Customer with the GDPR or other applicable legislation;
6.1.2 any Personal Data processing carried out by GivePanel or any Sub-Processor in accordance with instructions given by the Customer that infringe the GDPR or other applicable legislation; or
6.1.3 any breach by the Customer of its obligations under this Agreement,
except to the extent that GivePanel or any Sub-Processor is liable under sub-Clause 6.2.
6.2 GivePanel shall be liable for, and shall indemnify (and keep indemnified) the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Customer arising directly or in connection with GivePanel’s Personal Data processing activities that are subject to this Agreement:
6.2.1 only to the extent that the same results from GivePanel’s breach of this Agreement; and
6.2.2 not to the extent that the same is or are contributed to by any breach of this Agreement by the Customer.
6.3 The Customer shall not be entitled to claim back from GivePanel any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify GivePanel under sub-Clause 6.1.
6.4 Both party’s total liability under the indemnities in this clause 6 shall be capped at the sum of £1 million per claim.
7. Appointment of Sub-Processors
7.1 GivePanel shall not sub-contract any of its obligations or rights under this Agreement without the prior written consent of the Customer (such consent not to be unreasonably withheld).
7.2 An up-to-date list of GivePanel’s Sub-Processors, and the date on which they were appointed by GivePanel, can be found on GivePanel’s website (https://givepanel.com/sub-processors/). Where a Sub-Processor has been appointed by GivePanel prior to the entering into of the Master Agreement, the entering into of the Master Agreement shall be deemed written notice as required under clause 7.1.
7.3 In the event that GivePanel appoints a Sub-Processor (with the written consent of the Customer, not to be unreasonably withheld or delayed), GivePanel shall:
7.3.1 enter into a Sub-Processing Agreement with the Sub-Processor which shall impose upon the Sub-Processor the same obligations as are imposed upon GivePanel by this Agreement and which shall permit both GivePanel and the Customer to enforce those obligations; and
7.3.2 ensure that the Sub-Processor complies fully with its obligations under the Sub-Processing Agreement and the GDPR.
7.4 In the event that a Sub-Processor fails to meet its obligations under any Sub-Processing Agreement, GivePanel shall remain fully liable to the Customer for failing to meet its obligations under this Agreement.
8. Deletion and/or Disposal of Personal Data
8.1 GivePanel shall:
a) at the written request of the Customer; or
b) within 60 days of the end of the provision of the Services under the Master Agreement
delete (or otherwise dispose of) the Personal Data or return it to the Customer in the format(s) reasonably requested by the Customer:
9. Law and Jurisdiction
9.1 This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
9.2 Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.
|Type of Personal Data||Category of Data Subject||Nature of Processing Carried Out||Purpose(s) of Processing||Duration of Processing|
|Names, dates of birth, email addresses, telephone numbers, Facebook post information.||Natural persons over 18 years of age.||Storage and transfer of personal data across and on computer infrastructure.||To enable GivePanel to provide the Services outlined in the Master Agreement.||Term of the Master Agreement|
Technical and Organisational Data Protection Measures
The following are the technical and organisational data protection measures referred to in Clause 4:
- GivePanel shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Customer, it maintains security measures to a standard appropriate to:
- the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
- the nature of the Personal Data.
- In particular, GivePanel shall:
- have in place, and comply with, a security policy which:
- defines security needs based on a risk assessment;
- allocates responsibility for implementing the policy to a specific individual or personnel;
- is provided to the Customer on or before the commencement of this Agreement;
- is disseminated to all relevant staff; and
- provides a mechanism for feedback and review.
- ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
- prevent unauthorised access to the Personal Data;
- protect the Personal Data using pseudonymisation, where it is practical to do so;
- ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
- have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
- password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure, and that passwords are not shared under any circumstances;
- take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
- have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
- the ability to identify which individuals have worked with specific Personal Data;
- having a proper procedure in place for investigating and remedying breaches of the GDPR; and
- notifying the Customer as soon as any such security breach occurs.
- have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
- have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment; and
- adopt such organisational, operational, and technological processes and procedures as are required to comply with the requirements of ISO/IEC 27001:2013, as appropriate to the Services provided to the Customer.
- have in place, and comply with, a security policy which: