Data processing agreement (GDPR) 2018
For this agreement to be binding, this document both parties must sign.
Infoodle Ltd, a company incorporated under New Zealand law, with registered offices at 44 Moffatt Road,Bethlehem Tauranga, 3110, New Zealand, company number 1772795
Represented by Richard Smith, Director
Hereafter “Data Processor”;
[Name + legal form], a company incorporated under United Kingdom law, with registered offices at [xxx], company number [xxx]
Represented by [Representative], [title]
Hereafter “Data Controller”;
The Data Controller and the Data Processor may be referred to individually as a “Party” and collectively as the “Parties”.
(A) The Data Controller wishes to subcontract certain Services (as defined below), which imply the processing of personal data, to the Data Processor.
(B) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
IT IS AGREED AS FOLLOWS:
1 Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement (including the recitals hereto) shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules, if any.
1.1.2 “Confidential Information” means all information disclosed by a Party to the other Party pursuant to this Agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information.
1.1.3 “Service” means providing access to the infoodle software.
1.2 The clause headings in this Agreement are for reference purposes only and shall not be used in the interpretation thereof.
2 Object of this Agreement
2.1 The Data Processor shall perform the Services in accordance with the provisions of the Agreement.
3 Data Protection
3.1 As the performance of the Agreement and the delivery of the Services implies the processing of personal data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations.
3.2 The Data Processor shall ensure that in relation to personal data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such personal data and shall therefore:
3.2.1 from 25th May 2018, create and maintain a record of its processing activities in relation to this Agreement; the Data Processor shall make the record available to the Data Controller, any auditor appointed by it and/or the supervisory authority on first request;
3.2.3 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes applicable data protection legislation and regulations;
3.2.4 not disclose the personal data to any person other than to its personnel as necessary to perform its obligations under the Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations;
3.2.5 take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary;
3.2.6 ensure that access, inspection, processing and provision of the personal data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the personal data for their work in relation to the performance of the Services;
3.2.7 promptly notify the Data Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Data Controller therewith (ii) any accidental or unauthorized access, and more in general, any unlawful processing and to assist the Data Controller therewith;
3.2.8 deal promptly and properly with all reasonable inquiries from the Data Controller relating to its processing of the personal data or in connection with the Agreement;
3.2.9 make available to the Data Controller all information necessary to demonstrate compliance with the applicable data protection legislation and regulations;
3.2.10 at the request and costs of the Data Controller, submit its data processing facilities for audit or control of the processing activities;
3.2.11 assist the Data Controller, subject to reasonable additional compensation, with the Data Controller’s obligation under applicable data protection laws and regulations.;
3.3 Personal data processed in the context of this Agreement may not be transferred to a country outside the European Economic Area without the prior written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
List of Schedules:
Schedule 1: Terms and Conditions
The Data Processors terms and conditions can be found here