Data Processing Agreement
1. BACKGROUND
This DPA shall apply with respect to the Processing of Personal Data carried out by us on your behalf, whenever we provide you with the Services.
2. INTERPRETATION
2.1 In this data processing agreement, defined terms from the Order Form and Terms of Business shall have the same meaning, save for where specified to the contrary. The following additional capitalised terms shall have the meanings set out below:
| Client | means, for the purposes of this DPA, you; |
| Client Personal Data | means any Personal Data Processed in connection with the provision of the Services under the Agreement; |
| Data Protection Laws | means any applicable data protection, privacy or similar laws that apply to data Processed in connection with the Agreement, including the GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Directive 2002/58 and any amendments to these laws or replacements of these laws, including, without limitation, any variations amendments or re-enactments; |
| DPA | means this data processing agreement; |
| GDPR | means the UK GDPR; |
| Sub-processor | means any entity or person (excluding an employee of us) appointed by or on behalf of us to Process Client Personal Data on behalf of you in connection with the provision of the Services. |
2.2 The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them in applicable Data Protection Laws.
3. GENERAL
3.1 The terms of the Agreement shall remain in full force and effect unless specified otherwise.
3.2 In the event of inconsistencies between the provisions of this DPA and the Agreement, this DPA shall take precedence, unless explicitly agreed otherwise in writing.
4. CONTROLLER AND PROCESSOR OBLIGATIONS
4.1 The parties acknowledge that, for the purposes of Data Protection Laws, you are the Controller and we are the Processor of Client Personal Data. Schedule 1 sets out a description of the Processing of Client Personal Data by us. You may by notice to us make such changes to Schedule 1 as you deem are reasonably necessary to meet the requirements of Data Protection Laws.
4.2 We will comply with all requirements of Data Protection Laws when Processing Client Personal Data, and will not do, nor omit to do, anything that would cause you to breach your obligations under Data Protection Laws.
4.3 When Processing Client Personal Data, we, acting as Processor, shall:
4.3.1 only Process Client Personal Data on your documented instructions, unless further Processing is required by applicable laws, in which case we shall promptly notify you of the requirement before undertaking the Processing;
4.3.2 (subject to clauses 4.4 – 4.6) only permit access to the Client Personal Data to employees and Sub-processors who:
(a) require access to the Client Personal Data to enable us to provide the Services to you; and
(b)are subject to appropriate confidentiality undertakings or professional or statutory obligations of confidentiality;
4.3.3 taking into account the nature of the Processing, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and to protect the Client Personal Data from accidental or unlawful destruction, loss or alteration, or unauthorised disclosure or access;
4.3.4 taking into account the nature of the Processing, we shall provide reasonable cooperation and assistance to you, including by implementing appropriate technical and organisational measures, to assist you with responding to requests to exercise Data Subject rights, and in ensuring your obligations under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with Supervisory Authorities;
4.3.5 at your written direction:
(a) securely delete or return the Client Personal Data, and
(b) procure the deletion or return of the Client Personal Data from Sub-processors or others authorised by us in accordance with this DPA,
to you at any time during the Agreement or on termination of the Agreement unless we are required by law to retain it, and provide you with certification of such deletion where relevant and requested;
4.3.6 notify you with full details as soon as practicable, and in any event without undue delay from the point of becoming aware of, a Personal Data Breach relating to Client Personal Data;
4.3.7 immediately take steps to mitigate the effects of a Personal Data Breach relating to Client Personal Data and fully co-operate with you to address the Personal Data Breach and any required notifications relating to the Personal Data Breach;
4.3.8 maintain and make available to you, all information necessary to demonstrate our compliance with the obligations laid down in this DPA;
4.3.9 not transfer the Client Personal Data to, or Process the Client Personal Data in, any jurisdiction outside of the UK where there is no official finding by the UK Supervisory Authority or UK Government that the recipient country ensures an adequate level of protection of the rights and freedoms of Data Subjects without:
(a) your prior approval; and
(b) complying with Data Protection Laws.
4.4 You hereby grant to us a general authorisation to engage the Sub-processors engaged at the time of entering this DPA for the purposes of providing the Services. We shall inform you of any intended changes concerning the change, addition or replacement of Sub-processors and give you reasonable opportunity to object to such change, addition or replacement.
4.5 With respect to each Sub-processor, we shall ensure that the arrangement between us and the Sub-processor is governed by a contract including:
4.5.1 terms which offer at least the same level of protection for Client Personal Data as those set out in this DPA; and
4.5.2 terms which meet the requirements of Article 28(3) of the GDPR.
5. LIABILITY
Each party’s liability under this DPA shall be limited in a manner consistent with any limitations of liability set out in the Agreement.
6. TERMINATION
This DPA shall automatically terminate on termination of the Agreement.
7. SEVERANCE
7.1 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall:
7.1.1 be amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible;
7.1.2 be construed in a manner as if the invalid or unenforceable part had never been contained in the DPA.
8. RIGHTS OF THIRD PARTIES
Third-parties shall not be entitled to enforce any of the terms of this DPA.
9. GOVERNING LAW AND JURISDICTION
This DPA will be governed in accordance with the law of England and Wales. The courts of England and Wales will have exclusive jurisdiction to settle any disputes relating to this DPA.
SCHEDULE 1: DESCRIPTION OF PROCESSING ACTIVITIES
This Schedule 1 includes certain details of the Processing of Client Personal Data by us:
| Categories of Personal Data to be Processed | Name, job details, residential address, contact details, payroll information, employee bank account details, employee HR records, and any other Personal Data required to allow us to provide the Services. |
| Categories of Data Subjects | Client’s employees, workers, and contractors (as applicable) |
| Description of the nature and method of Processing | Transfer of employee Personal Data from you to us to allow us to perform the Services in accordance with the Agreement which may include: contacting Data Subjects to perform day-to-day HR functions; processing payroll; carrying out grievance investigations, disciplinary actions, and other HR-related activities; andfor the purpose of providing HR consultancy services to you. |
| Location of Processing | All paper files shall be kept on our premises. All electronic files shall be held on our hosted infrastructure, within the UK/EEA. |
| Purpose of Processing | To allow us to provide the Services to you in accordance with the Agreement. |
| Duration of Processing | The duration of the Agreement and any transition period post-expiry or termination, as agreed between the parties. |
HR support services specialising in employment law for businesses and their people