Data Processing Addendum Controller (Client) / Processor (RFA)

Whereas

Data Processing Agreement

The purpose of this Data Processing Addendum (“DPA”) is for the sharing and processing of personal data, the terms and conditions of such as set out below.

This DPA is supplemental to any other separate agreement entered into between the parties and introduces further contractual provisions to ensure the protection and security of data passed from the Data Controller to the Data Processor for data processing.

This DPA is effective upon its incorporation into the Agreement, which may be specified in the Agreement, the Order Form or an executed amendment to the Agreement.


GENERAL DEFINITIONS

“Client Data” means any data provided by the Client to RFA;

“Contact Information” means contact information provided by customers, Clients, or partners;

“Data Controller” means the Client as defined in the Agreement and in accordance with the definition in the applicable Data Protection Law.

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us in connection with the provision of our Products and Services. A Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“Data Processor” means RFA as defined in the DPA and in accordance with the definition in the applicable Data Protection Law.

“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the retained EU law version of the General Data Protection Regulation (“UK GDPR”); the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018”); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and the guidance and codes of practice issued by the Commissioner and which are applicable to a party;

“Data Subject” means an individual who is the subject of Personal Data;

“Personal Data” means any information relating to an identified or identifiable individual where (i) such information is contained within Client Data; and (ii) is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

“Processing” shall mean any operation or set of operations which is/are performed upon personal data (whether or not by automatic means), including collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. Such processing may be wholly or partly by automatic means, or processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system. A filing system shall mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographic basis;

“Force Majeure Event” means any circumstance not within a party's reasonable control including, without limitation: (a) acts of God, flood, drought, earthquake or other natural disaster; (b) epidemic or pandemic; (c) terrorist attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations; (d) nuclear, chemical or biological contamination or sonic boom; (e) any law or any action taken by a government or public authority, including without limitation imposing an export or import restriction, quota or prohibition, or failing to grant a necessary licence or consent; (f) collapse of buildings, fire, explosion or accident; (g) any labour or trade dispute, strikes, industrial action or lockouts (other than in each case by the party seeking to rely on this clause, or companies in the same group as that party); (h) non-performance by suppliers or subcontractors (other than by companies in the same group as the party seeking to rely on this clause); and (i) interruption or failure of utility service;

“Shared Personal Data” means the personal data to be shared between the parties, to be set out in writing between the parties;

“Standard Contractual Clauses” (“SCC”) means the Standard Contractual Clauses for the transfer of Personal Data from the UK to controllers and processors established in third countries and countries that are not subject to an approved adequacy regulation by the Secretary of State or the Commissioner, being such SCCs as approved by the Information Commissioner's Office (“ICO”) (international data transfers), as set out on the ICO website at ico.org.uk;


Transfers from a Data Controller to a Data Processor, for the Processing of Personal Data as shall be set out below:

1. DATA PROTECTION

Controller Instructions.

The parties agree that the Agreement (including this DPA), together with the Client’s use of RFA’s Products and Services as outlined in the Order Form and in accordance with the Agreement, constitute the Client’s complete instructions to RFA in relation to the Processing of Personal Data, provided that the Client may give additional instructions during the Agreement term that are consistent with the Agreement and with the nature and lawful use of the RFA Products and Services provided thereunder. The Parties agree the following terms:

1.1 The Parties will comply with UK Data Protection Legislation in their performance, receipt and use (as appropriate) of the Services and Products provided to them under agreement with RFA.

1.2 The Data Controller is, in the capacity of the data controller, responsible for the Personal Data processed within the scope of the Agreement.

1.3 The parties acknowledge that for the purposes of the UK Data Protection Legislation, the Client is the Data Controller and RFA, as the service provider, is the Data Processor (where “Data Controller” and “Data Processor” have the meanings defined in the UK Data Protection Legislation). The Schedule below sets out the scope, nature and purpose of processing by RFA, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.4 Without prejudice to the generality of clause 1.1, the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to RFA for the duration and purposes of this Agreement.

1.4.1 Prior to using Contact Information provided as part of the services or product provided by RFA for direct marketing or any other Permitted Purposes, the Client should check all UK Data Protection Legislation and shall be responsible for compliance with such UK Data Protection Legislation in connection with the Client’s use of the Contact Information.

1.4.2 Contact Information may only be used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession as part of any permitted use of RFA’s services or product provided to the Client.

1.4.3 If the Client uses Contact Information in a manner that violates the foregoing requirements, RFA shall not be liable for any damages, losses, costs, claims or expenses arising therefrom.

1.5 Without prejudice to the generality of clause 1.1, RFA, in relation to any Personal Data processed in connection with the performance by RFA of its obligations under this Agreement, shall warrant that it shall:

(a) process that Personal Data only on the written instructions of the Client unless RFA is required to do so by applicable Data Protection Legislation. Where RFA is relying on the Data Protection Legislation as the lawful basis for processing Personal Data, RFA shall promptly notify the Client of this before performing the processing required by the Data Protection Legislation, unless that Data Protection Legislation prohibits RFA from so notifying the Client;

(b) ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

(c) ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

(d) only transfer Personal Data outside the UK if one of the following conditions applies:

(i) the Secretary of State has issued an adequacy regulation confirming that the country to which we transfer the Personal Data ensures an adequate level of protection for the Data Subjects' rights and freedoms; or

(ii) appropriate safeguards are in place such as standard contractual clauses approved by the Secretary of State, an approved code of conduct or a certification mechanism;

(iii) the Data Subject has provided explicit consent to the proposed transfer after being informed of any potential risks in limited circumstances and as a one off transfer; or

(iv) the transfer is necessary for one of the other reasons set out in the UK GDPR or DPA 2018 as an exemption, including the performance of a contract, reasons of public interest, to establish, exercise or defend legal claims or to protect the vital interests of the Data Subject where the Data Subject is physically or legally incapable of giving consent and, in some limited cases, for legitimate interest;

(e) assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with the UK's ICO:

(i) Where permitted by law, RFA will notify Client promptly if RFA receives any enquiry or complaint from a supervisory authority or Data Subject about the processing of Client Personal Data. RFA will co-operate with the Client to permit it to respond to such enquiry or complaint.

(f) at the written direction of the Client, securely use commercially reasonable endeavours to delete or return Personal Data and copies thereof to the Client on termination of the Agreement unless required by Data Protection Legislation to store the Personal Data; and

(g) maintain complete and accurate records and information to demonstrate its compliance with this clause and allow for audits by the Client’s designated auditor;

(h) comply with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data in accordance with Data Protection Legislation;

(k) notify the Client without undue delay on becoming aware of a Data Breach. If RFA becomes aware of a Data Breach involving Client Data (“the Incident”), RFA will:

(i) promptly notify the Client of the details of the Incident to the email address registered by Client;

(ii) promptly initiate an investigation into the circumstances surrounding the Incident and make a report of the investigation available to the Client; and

(iii) co-operate with any investigation by the Client and provide such reasonable assistance requested by the Client in order for Client to comply with its obligations under Data Protection Legislation including any notifications that Client is required to make as a result of an Incident and any cost of such cooperation and assistance shall be borne by RFA; and

(iv) not make a notification to a supervisory authority unless requested to do so in writing by the Client or otherwise required by Data Protection Legislation.

1.6 In its role as Data Processor of Client Data, RFA (i) will only act on documented instructions contained within the Agreement regarding the processing of Client Data, (ii) will not process Client Data for any purposes other than for the purpose(s) specified in the Agreement, and (iii) will not disclose Client Data to any third party unless permitted to do so under the Agreement, or requested to do so by the Client in writing, or required to do so by Data Protection Legislation or any other applicable law.

1.7 Where disclosure of Client Data is required by applicable law, RFA will (to the extent permitted by such applicable law) inform the Client in advance of making the disclosure and will co-operate with the Client to limit the scope of the disclosure to what is strictly required by such applicable law.

1.8 The Client does not consent to RFA appointing any third-party processor of Client Data under this Agreement unless and until the Client has provided specific written permission for a particular third-party processor to be appointed. Should such permission be given, RFA shall enter into a written agreement with the third-party processor incorporating terms which are to be the same or substantially similar to those in this Agreement. As between the Client and RFA, RFA shall remain fully liable for all acts or omissions of it and of any third-party processor appointed by it at all times and for all purposes.

1.9 The parties may at any time, by mutual written agreement, agree to revise relevant clauses in this Agreement.

2. INDEMNITY

2.1 RFA shall indemnify the Client against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the Client arising out of or in connection with the breach of the Data Protection Legislation by RFA, its employees or agents including any appointed sub-processors, provided that the Client gives to the Provider prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and authority to manage, defend and/or settle it.

2.2 The Client, subject to clause 9.6 of the Agreement, shall indemnify, defend and hold RFA harmless, at the Client’s expense, for any direct losses incurred by RFA resulting from any third-party claim, suit, action, or proceeding (each, an “Action”) brought against RFA (and its officers, directors, employees and agents) by a third party not affiliated with RFA, but under the Control of the Client, to the extent that such Action is based upon or arises out of the Client or its Affiliates' noncompliance with or breach of this Agreement.

RFA will:

Notify the Client in writing within thirty (30) days of becoming aware of any such claim; give the Client sole control of the defence or settlement of such a claim; and provide the Client (at their expense) with any and all information and assistance reasonably requested by the Client to handle the defence or settlement of the claim. The Client will not accept any settlement that (i) imposes an obligation on RFA; (ii) requires RFA to make an admission; or (iii) imposes liability not covered by these indemnifications or places restrictions on RFA, without RFA's prior written consent.

3. Law and Jurisdiction

3.1 This Agreement and any dispute relating to it shall be governed exclusively by the laws of England and Wales, whose courts shall have exclusive jurisdiction.

3.2 No part of this Agreement shall create any rights pursuant to the Contracts (Rights of Third Parties) Act 1999.

3.3 Neither party may assign, novate or otherwise transfer any right or obligation under this Agreement without first obtaining the written consent of the other party.

3.4 In the event of any conflict between the terms and conditions in this DPA and the Agreement and the terms and conditions in any prior or existing agreement between the parties, the terms and conditions in the Agreement shall take precedence.

3.5 Should any part of this DPA be found to be unlawful or unenforceable, the offending part is to be deemed omitted without affecting the legality or enforceability of any other parts of the agreement.

4. Confidentiality

4.1 RFA acknowledges that the persons authorised to Process the Client Data are committed to confidentiality, including all information related to the Agreement and the parties’ business.

4.2 The provisions of confidentiality shall continue to apply after termination of this DPA.

5. Term and Termination

5.1 This DPA will remain in full force and effect so long as:

(i) the Agreement remains in effect; or

(ii) the Data Processor or Data Controller retains any Personal Data related to this Agreement in its possession or control (“Term”).

5.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination in order to protect Client Data will remain in full force and effect.

5.3 The Data Processor’s or Data Controller's failure to comply with the terms of this DPA shall be deemed a material breach of the Agreement.

5.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations, the parties will suspend the processing of Personal Data in accordance with this DPA until such Processing complies with the new requirements. If the parties are unable to bring the Processing into compliance with Data Protection Legislation within 30 days of the date of the change then such failure will constitute a material breach and the other party may terminate the Agreement immediately.

5.5 In the event that any one or more of the provisions of this DPA shall for any reason be held to be invalid, illegal or unenforceable, the remaining provisions of this DPA shall continue in full force and effect and the parties will negotiate in good faith to substitute a provision of like effect and intent to that deemed to be unenforceable.

5.6 Termination of this DPA, for any reason, shall not affect the accrued rights, remedies, obligations or liabilities of the parties existing at termination.


Schedule of Data Processing

  1. Purpose of Processing. RFA shall process Client Data provided by the Client strictly only in accordance with the DPA and/or to the extent that such processing enables it to properly fulfil its obligations under the Agreement and any renewal or extension thereof.
  2. Duration of Processing. RFA's entitlement to process Client Data shall continue strictly only for the duration of the Agreement and any renewal or extension thereof.
  3. Categories of Data Subject. The categories of Data Subject shall be determined exclusively by the nature and purpose of the Agreement and any renewal or extension thereof and comprise (i) clients, prospective clients and former clients of the Client, (ii) permanent, temporary, prospective and former employees, agents, contractors and other personnel of the Customer, (iii) individuals with a direct interest in general business aspects of the Customer's operations, (iv) individuals with a direct interest in client, prospective client and former client matters transacted by the Client and (v) visitors to the Customer's website. Certain Data Subjects will belong to more than one category.
  4. Particulars of Processing

4.1 Subject matter and purpose of processing

RFA will process the Personal Data for the purpose of the supply of Services to the Client.

4.2 Nature of Processing

RFA will carry out the following processing of Personal Data:

  • Contacting and liaising with employees to carry out the Services.
  • Access, collection, organisation, storage, hosting and use of the Personal Data.
  • Protecting Personal Data, including restricting, encrypting, and security testing.
  • Returning or erasing Personal Data, including destruction and deletion.


4.3 Duration of the Processing

For the duration of the service provision to the Client by RFA.

4.4 Types of Personal Data

Any types of Personal Data which RFA processes as a result of this Agreement and/or the provision of the Services which could include:

  • Job role details, including job title, work address, work email address, email content and work telephone number.
  • User / device data including login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access our Services.
  • Browsing data including the full Uniform Resource Locators (URL) clickstream to, through and from our Services (including date and time), page response times and download errors.

4.5 Categories of Data Subject

Any categories of Data Subject about which RFA processes Personal Data in accordance with this Agreement and/or the provision of the Services which could include:

  • Data in relation to employees, agents, temporary and casual workers of the Client
  • Data in relation to customers (including their staff) of the Client

5. Location of Data Processing

Data Processing takes place only in the UK.


This document was last updated October 2024.