
Data Protection Agreement

© Provident CRM LTD
Unit 1, The CHQ Building,
Custom House Quay,
North Dock,
Dublin 1
Eircode: D01 Y6H7 Dublin – Ireland
+353 (0)1 693 0000
+44 203 411 6799

Provident CRM Ltd rights reserved. No part of this publication may be reprinted, reproduced, stored in a retrieval system or transmitted, in any form or by any means, without prior permission in writing from Provident CRM Ltd, other than for the internal business use of Company Policy. Please note that this complete response and attachments should be deemed commercially sensitive and should not be disclosed under an FOI request.

BETWEEN:

(1) The Client named in the SOW/SLA and/or Quote as the case may be (the “Company”);

(2) Provident CRM LTD, Unit 1, The CHQ Building, Custom House Quay, North Dock, Dublin 1, Eircode: D01 Y6H7 Dublin – Ireland (the “Contractor”)

(each a ‘party’ and together the ‘Parties’).

WHEREAS THE PARTIES AGREE THAT:

In the course of providing the Services to the Company pursuant to this Agreement, the Contractor may Process Personal Data on behalf of the Company. The Contractor agrees to comply with the following provisions with respect to any Personal Data submitted by or for the Company or collected and Processed by or for the Company.

If there is any inconsistency between the Services Agreement (or, where appropriate, the SOW / Contractor’s Terms and Conditions) and this Agreement relating to the Processing of Personal Data, this Agreement shall take priority.

 

       1. Definitions and Interpretation

In this Schedule, save where the context requires otherwise, the following words and expressions have the following meaning. In the event of a conflict or inconsistency between such definitions, Data Protection Laws and Regulations shall take precedence.

“Company Personal Data” means Personal Data relating to employees, directors or customers of the Company or its Associated Company and any other Personal Data for which the Company is a Data Controller and which is actually Processed by the Contractor in providing the Services to the Company in accordance with the Services Agreement or on the instructions of the Company;

“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data;

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller;

“Data Protection Laws and Regulations” means all national and local laws, regulations and rules by any government, agency or authority applicable to the Processing of Personal Data under the Agreement, including EU Directive 95/46/EC and any successor laws or regulations, including, from 25 May 2018, the EU General Data Protection Regulation (2016/679). In the event of any inconsistency between the Data Protection Laws and Regulations, the strictest provision shall prevail;

“Data Subject” means an identified or identifiable natural person;

“Good Industry Practice” means the exercise of the degree of skill, diligence, prudence and foresight that one would reasonably and ordinarily expect from a person skilled and experienced in the practice or activity in question;

“Personal Data” means any information, including Company Personal Data, which alone or in combination with other information can be used to identify a living individual where protected under Data Protection Laws and Regulations, where such data is Processed by the Contractor;

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organisation, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure or destruction;

“Security Breach” means actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed by the Contractor or its Sub-processors;

“Services” means the services to be provided by the Contractor to the Company pursuant to the Services Agreement;

“Services Agreement” means the Agreement entered into between the Company and the Contractor in relation to the provision of the Services or if none, Provident’s standard terms and conditions.

“Standard Contractual Clauses” means such contractual terms as are currently approved by the European Commission for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection;

“Sub-processor” means any Data Processor engaged by the Contractor;

“Supervisory Authority” has the meaning prescribed in EU General Data Protection Regulation (2016/679).

 

       2. Processing of Personal Data

2.1 The parties acknowledge and agree that with regard to the Processing of Personal Data, the Company is the Data Controller and the Contractor is a Data Processor.

2.2 The parties agree that the Contractor shall Process Personal Data (including Company Personal Data) for the purposes and for the provision of the Services and as further set out in Schedule 3.

2.3 The Company warrants that it is in compliance with Data Protection Laws and Regulations in relation to the Company Personal Data and that it has taken all necessary actions to ensure that the Contractor may process the Personal Data in accordance with this Agreement.

2.4 The Contractor shall:
2.4.1 Process Personal Data only as necessary to perform the Services and otherwise in accordance with prior written instructions of the Company unless the Contractor is required to do so by EU or Member State law to which the Contractor is subject; in such a case, the Contractor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;

2.4.2 only Process Personal Data in accordance with this Agreement and all applicable Data Protection Laws and Regulations; and

2.4.3 agree that the Company is the sole owner and Data Controller of the Company Personal Data and has the sole right to determine the purposes for which the Contractor may Process the Company Personal Data.

2.5 The Contractor shall notify the Company of any changes to the Services which will prevent the Contractor from complying with its obligations under this Agreement or significant changes to the functionality of the contracted Services which may impact the Processing of Personal Data.

 

       3. Transfer of Personal Data

3.1 Subject to clause 3.2, the Contractor shall not Process, publish, disclose, divulge or otherwise permit access to Personal Data by recipients (including Sub-processors) in jurisdictions outside of the European Economic Area unless the Company provides its prior written consent.

3.2 The Company acknowledges and agrees that the Contractor may engage the non-EEA based sub-processors listed in Schedule 1 to this Agreement in carrying out the Services.

 

       4. Rights of Data Subjects

4.1 The Contractor warrants that, where the Company Personal Data is processed on the systems of the Contractor, the Services include appropriate technical and organisational measures to assist the Company to fulfil its obligation to respond to requests by Data Subjects in relation to their rights under the Data Protection Laws and Regulations including such functionality which enables the Company to access and export (including data portability), correct, amend, block or delete any individual element of Personal Data, and to restrict the Processing, without adversely impacting other Personal Data. Where such functionality is not provided, the Contractor shall assist the Company to fulfil its obligation to respond to these Data Subject requests and shall access and export, correct, amend, block or delete, and restrict the Processing of, such Personal Data (and only such Personal Data) as instructed by the Company. The Contractor shall carry out such actions within five (5) Business Days following receipt of the Company’s subject to the right of the Contractor to charge the Company for such assistance on its then current rates.

4.2 The Contractor shall, to the extent legally permitted, promptly notify the Company if it receives a request from a Data Subject for access to, export (including data portability), correction, amendment or deletion, or restriction of the Processing, of that person’s Personal Data. The Contractor shall not respond to any such Data Subject request without the Company’s prior written consent except to confirm that the request relates to the Company.

4.3 The Contractor shall provide assistance to the Company in relation to any mandatory obligations applicable to the Company in relation to the performance of data protection impact assessments or the carrying out of consultations with a Supervisory Authority under Data Protection Laws and Regulations in respect of the Company Personal Data subject to the right of the Contractor to charge the Company for such assistance on its then current rates.

       5. Contractor Staff

5.1 The Contractor shall:
5.1.1 ensure that Contractor Staff engaged in the Processing of Personal Data are informed of the confidential nature of the Company Personal Data, have received appropriate training on their responsibilities, and have agreed in writing to maintain the confidentiality of the Company Personal Data; and

5.1.2 take commercially reasonable steps to ensure the reliability of any Contractor Staff engaged in the Processing of Company Personal Data.

       6. Sub-processors

6.1 The Contractor may not engage Sub-processors other than pursuant to the requirements set forth in this paragraph 6.3.

6.2 The Company acknowledges and agrees that the Contractor’s Affiliates may be retained as Sub-processors.

6.3 The Contractor may engage the sub-processors listed in Schedule 2 to this Agreement in carrying out the Services.

 

       7. Data Security Requirements

7.1 The Contractor shall implement appropriate technical and organisational measures in accordance with Good Industry Practice and the Data Protection Laws and Regulations to:
7.1.1 protect Personal Data against accidental loss or damage and unauthorised access, use, disclosure, alteration or destruction;

7.1.2 ensure the confidentiality, security, integrity, and availability of Personal Data; and

7.1.3 securely dispose of Personal Data and tangible property containing Personal Data (as and when required), taking into account available technology so that such information cannot be practicably read or reconstructed.

7.2 The Contractor shall document, in a written policy, and provide access to the Company on prior written request:
7.2.1 Personal Data handling procedures designed to implement technical and organisational measures to protect Personal Data; and

7.2.2 Personal Data recovery procedures covering an unplanned event resulting in an interruption of or inaccessibility to Personal Data and the Services as required by the applicable Data Protection Laws and Regulations and this Schedule.

 

       8. Security and Breach Notification

8.1 The Contractor shall maintain appropriate security incident management policies and procedures.

8.2 The Contractor shall:
8.2.1 immediately notify the Company (and in all cases no later than 24 hours after becoming aware) of any Security Breach relating to the Company Personal Data of which it becomes aware;

8.2.2 provide reasonable cooperation with the Company’s investigation into the Security Breach; and

8.2.3 unless legally required by Data Protection Laws and Regulations or compelled under a subpoena, court order or similar legal document issued by a court or Supervisory Authority, not disclose the Security Breach relating to the Company Personal Data to any third party without first obtaining the Company’s prior written consent.

8.3 Each party shall reasonably cooperate with the other party to ensure compliance with Data Protection Laws and Regulations in respect of any Security Breach relating to the Company Personal Data, including but not limited to notification of affected Data Subjects and Supervisory Authorities.

 

       9. Notices

9.1 The Contractor shall immediately notify the Company (unless legally prohibited) of any request for disclosure of Company Personal Data by any law enforcement or other government authority or Supervisory Authority. The Contractor shall cooperate fully with the Company in relation to requests for the disclosure of Company Personal Data and where legally permitted shall delay the disclosure of Company Personal Data pursuant to such requests to enable the Company to investigate and respond to the request for Company Personal Data.

9.2 The Contractor shall promptly notify the Company if, at any time, it is unable to comply with the terms of this Schedule or Data Protection Laws and Regulations.

 

       10. Breach

10.1 Any failure by the Contractor or its Sub-processor to comply with the terms of this Agreement and/or Data Protection Laws and Regulations shall be considered a material breach of the Services Agreement and, if the breach is capable of rectification and is not rectified within 28 days of becoming aware of the breach, the Company may terminate this Agreement and the Services Agreement.

 

       11. Limitation on liability

The limitations on liability set out in the Services Agreement/Terms shall apply to this Agreement.

 

       12. Audits and Certifications

12.1 The parties agree that the Company has the right to audit the Contractor’s compliance with the terms of this Agreement and Data Protection Laws and Regulations in accordance with the following procedure:
12.1.1 Subject to the Contractor’s confidentiality obligations to its other clients, upon the Company’s prior written request, the Contractor shall make available to the Company (or the Company’s independent, third-party auditor which auditor shall be subject to the reasonable agreement of the Contractor) information, documentation, and access to its data processing facilities, sufficient to establish and demonstrate the Contractor’s compliance with the obligations set forth in this Agreement and the Data Protection Laws and Regulations (the Compliance Obligations). In the event that the audit shows breaches of this Agreement by the Contractor and/or Data Protection Laws and Legislation, then the Company shall be entitled to seek reimbursement of the costs of the audit from the Contractor. The Contractor shall immediately inform the Company if, in its opinion, an instruction infringes the Data Protection Laws and Regulations or other EU or Member State data protection provisions.

 

       13. General

13.1 This Agreement may be executed in two or more counterparts, each of which shall be deemed to be an original, but all of which together shall constitute one and the same instrument.

13.2 Provisions which by their terms or intent are to survive termination of this Agreement will do so.

13.3 The Parties are independent businesses and not partners, principal and agent, or employer and employee, or in any other relationship of trust to each other.

13.4 No amendment or variation of this Agreement will be valid unless agreed in writing by an authorised signatory of each Party.

13.5 This Agreement will bind and benefit each Party’s successors and personal representatives.

13.6 If any clause in this Agreement (or part thereof) is or becomes illegal, invalid or unenforceable under applicable law, but would be legal, valid and enforceable if the clause or some part of it was deleted or modified (or the duration of the relevant clause reduced), the relevant clause (or part thereof) will apply with such deletion or modification as may be required to make it legal, valid and enforceable, and the Parties will promptly and in good faith seek to negotiate a replacement provision consistent with the original intent of this Agreement as soon as possible.

13.7 Unless otherwise expressly agreed, no delay, act or omission by either Party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

13.8 The Parties will do all further acts and execute all further documents necessary to give effect to this Agreement.

13.9 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter is governed by and shall be construed in accordance with the laws of Ireland. The Parties irrevocably submit to the exclusive jurisdiction of the courts of Ireland to settle any disputes and claims which may arise out of, or in connection with, this Agreement.

 

Schedule 1 – Non EEA based Sub-processors

Atlassian

HubSpot

monday

Sugar

Salesforce

DocuSign

 

 

Schedule 2 – Sub Processors

Atlassian

HubSpot

monday

Sugar

DocuSign

Salesforce

 

 

Schedule 3 

Details of the types of Personal Data which may be processed by the Data Processor and how the information will be used by the Data Processor under this Agreement

 

| Description | Details |
| --- | --- |
| Duration of the Processing | For the duration of the provision of the Services |
| Purpose of the Processing | For the delivery of the Service to the Company |
| Example Types of Personal Data | Name, email, phone number, IP address, dates of birth, gender, job title, PPS number, financial information, nationality, postal address, geographic coordinates, health data, meta-data, identification numbers, online identifiers |
| Categories of Data Subject | Employees, system users, clients/customers, suppliers |