Data Processing Agreement
Effective From 8th November 2022
This Data Processing Agreement (the “DPA”) forms part of the Eficode Terms of Service or, as applicable, the Master Services Agreement as executed between the Parties, collectively (the “Agreement”). This DPA reflects the Parties’ agreement with regard to the processing of personal data in accordance with Applicable Data Protection Law.
All capitalised terms not defined herein shall have the meaning set forth in the Agreement.
To the extent that the terms of this DPA and the Agreement conflict, the terms of this DPA prevail.
This DPA will automatically expire on the termination date (however so triggered) or expiration date of the Agreement, whichever is earlier.
WHEREAS, in rendering the Services We may be provided with, or have access to, Your information that may qualify as Personal Data within the meaning of the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”) and other applicable data protection laws and provisions.
WHEREAS, the Parties agree that they would like to use this DPA as the required contractual processing agreement.
NOW, THEREFORE, in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals in relation to the Personal Data specified in Annex 1, the Parties have entered into this DPA as follows:
1. Definitions
In this Agreement, the following words and expressions will have the following meanings:
“Applicable Law/s” means all applicable laws (including decisions) and guidance by relevant supervisory authorities relating to data protection, the Processing of Personal Data and privacy, including the UK GDPR and the DPA 2018;
and references to “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processed”, “Processing”, “Data Protection Officer”, “Data Processor” and “Personal Data Breach” have the meanings set out in, and will be interpreted in accordance with, such Applicable Law/s.
2. Background
2.1 We provide Services to You which may involve the Processing of Personal Data by Us on Your behalf. This may include Your Personal Data, or that of Your personnel and, where applicable, Your clients or other individuals with whom You deal in the course of Your business as relevant to the Services (“Relevant Data Subjects”). Further information on the subject matter, nature, purpose and duration of Processing in relation to the provision of Services can be found in the applicable Statement of Work.
3. Description of processing
3.1 The Processing to be carried out by Us is as follows:
a. the subject matter of the Processing is as described in clause 2.1;
b. the duration of the Processing will be throughout the period within which We perform the Services;
c. the nature of the Processing is described in clause 2.1;
d. the purpose of the Processing is to enable Us to perform the Services to You;
e. the Personal Data Processed will be any Personal Data of the Relevant Data Subjects provided in order to enable or facilitate the provision of the Services by Us as described in clause 2.1, and the categories of data subjects are the Relevant Data Subjects; and
f. the obligations and rights of the Data Controller are set out below.
4. Compliance with Data Protection Legislation
4.1 Both Parties represent and warrant that they will comply with and ensure that their employees and/or subcontractors comply with the Data Protection Legislation in Processing Personal Data in connection with the Services.
5. Relationship of the Parties
5.1 In relation to the Processing of Personal Data in connection with the Services, the Parties acknowledge and agree that:
a. You are the Data Controller; and
b. We are the Data Processor.
5.2 You instruct Us to Process Personal Data where this is necessary to deliver the Services.
5.3 We agree that We will Process the Personal Data in accordance with this DPA.
6. Processing of Personal Data
6.1 In relation to the Processing of Personal Data in connection with the Services We shall:
a. Process the Personal Data (including when making an international transfer of the Personal Data) only for the purpose of and to the extent necessary for provision of the Services and then only in accordance with:
i. this DPA; and
ii. Your written instructions from time to time, unless otherwise required by law. Where We are required by law to Process the Personal Data otherwise than as provided by this DPA, We will notify You before carrying out the Processing concerned (unless the law also prevents Us from doing so for reasons of important public interest);
b. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the Processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed under this DPA, as set forth in Annex 1;
c. take all reasonable steps to ensure that only authorised personnel have access to the Personal Data and that any persons whom it authorises to have access to the Personal Data will respect and maintain all due confidentiality in relation to the Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
d. not engage any sub-processors in the performance of the Services without Your prior written consent and otherwise in accordance with clause 7 at all times;
e. not do, or omit to do, anything, which would cause You to be in breach of Your obligations under the Applicable Laws;
f. immediately notify You if, in Our opinion, any instruction given to Us infringes the Applicable Laws;
g. where applicable in respect of any Personal Data Processed in relation to the Services, co-operate with and assist You in ensuring compliance with:
i. Your obligations to respond to requests from data subject(s) seeking to exercise their rights under the Applicable Laws, including by notifying You of any written subject access requests We receive relating to Your obligations under the Applicable Laws; and
ii. Your obligations under the Applicable Laws to:
- ensure the security of the Processing;
- notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to Personal Data;
- carry out any data protection impact assessments (each a “DPIA”) of the impact of the Processing on the protection of Personal Data; and
- consult the relevant supervisory authority prior to any Processing where a DPIA indicates that the Processing would result in a high risk in the absence of measures taken to mitigate the risk.
h. provide assistance where reasonably required by You in relation to the fulfilment of Your obligations to co-operate with the relevant supervisory authority under the Applicable Laws.
7. Sub-processors
7.1 We will ensure that any sub-processor We engage to provide any services on Our behalf does so only on the basis of a written contract which imposes on such sub-processor terms equivalent to those imposed on Us under this DPA or such other alternative terms as may be agreed with You (the “Relevant Terms”). We shall procure the performance by the sub-processor of the Relevant Terms and shall be directly liable to You for:
a. any breach by the sub-processor of any of the Relevant Terms;
b. any act or omission of the sub-processor which causes:
i. Us to be in breach of this DPA; or
ii. either Party to be in breach of the Applicable Laws.
7.2 Where You have given a general authorisation to Us to engage sub-processors, then prior to engaging a new sub-processor under the general authorisation We will notify You of any changes that are made that would affect that general authorisation and give You an opportunity to object to them.
7.3 Notwithstanding clauses 7.1 and 7.2, You agree We shall be permitted to transfer Personal Data to such sub-processors as are set forth in the Privacy Policy as may be amended from time to time.
8. Monitoring and audit
8.1 You are entitled to monitor and audit Our compliance with the Applicable Laws and Our obligations in relation to data Processing in connection with the Services at any time during normal business hours. We agree to provide You promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If You believe that an on-site audit is necessary, We agree to give You reasonable access to Our premises (subject to any reasonable confidentiality and security measures), and to any stored Personal Data and data Processing programs We have on-site. You are entitled to have the audit carried out by a third party.
9. International transfers
9.1 We may transfer Personal Data internationally, including outside the EEA, and to any third party located internationally (including to all affiliates in the Eficode group of companies) where We are permitted to do so for that transfer under the Applicable Laws.
9.2 For the purposes hereof, it is agreed that We shall be permitted to transfer Personal Data internationally, including outside the EEA, and to such third parties located outside the EEA as set forth in the Privacy Policy provided the appropriate safeguard mechanisms remain in place.
10. Completion of services
10.1 Upon completion of the Services, We will at Your discretion, on receipt of Your written instruction, delete or return to You all Personal Data (including copies) Processed in connection with the Services, except to the extent that We are required by law to retain any copies of the Personal Data and save to the extent that We receive instructions to the contrary from any Relevant Data Subjects.
Annex 1 – Technical and Organisational Measures, Key Controls
1 Certifications
1.1 We have achieved and maintain the following certifications:
a. ISO 27001 Information Security Standard; and
b. Cyber Essentials
2 Information Security Management System
2.1 Information Security Management System details:
a. Policy;
b. Governance;
c. Process and procedure;
d. Roles and responsibilities;
e. Assurance and audit process;
f. Risk assessment and management; and
g. Improvement plans.
3 Physical security
3.1 Key measures to prevent physical unauthorised access to Our premises and with regard to the data centres utilised by Us include:
a. ISO 27001 certified data centres;
b. the fitting of appropriate locks and other physical entry controls on doors and windows;
c. surveillance facilities;
d. CCTV;
e. physically securing devices containing Personal Data, e.g. in a locked cupboard or drawer;
f. ensuring control of removable media;
g. secure disposal of physical assets; and
h. access control system including logging of visitors.
4 System access security
4.1 Key measures to prevent unauthorised access to Our IT systems include:
a. password procedures;
b. central management of access;
c. auditing of user access;
d. monitoring of suspicious activity; and
e. joiner/leaver processes managed by IT admins and HR.
5 Data access security
5.1 Key measures to prevent unauthorised data access include:
a. principle of least privilege applied;
b. role based access; and
c. management of logged access requests.
6 Vulnerability management
6.1 Key measures to prevent exploitation of technological vulnerabilities include:
a. software installation restricted to approved software only;
b. application of patching policy;
c. email threat management;
d. internet browser threat management;
e. awareness training;
f. virus scanning; and
g. utilisation of Amazon GuardDuty on the AWS estate.
7 Awareness, training, and personnel
7.1 Key measures to prevent personnel vulnerabilities include:
a. performing reference checks on all new personnel;
b. induction training to include information security/data protection;
c. signed acceptance of compliance to information security policies;
d. refresher training conducted at least annually; and
e. clear job description including information security responsibilities.
8 Incident management and business continuity
8.1 Key measures to prevent and manage incidents and business continuity events include:
a. incident management policies and procedures;
b. incident management training;
c. incident management key personnel;
d. business continuity plan including key personnel, external contacts and contingency plans;
e. incident and business continuity testing; and
f. continued improvement.
9 Audit
9.1 We apply a programme of regular external and internal audits to monitor and enforce compliance with Our security and data protection policies and procedures.