Data

Processing Agreement

This Data Processing Agreement is between:

The IDHL Group company stated in the Proposal (the Supplier).
The company purchasing services from the Supplier as stated in the Proposal (the Customer).

Background

This Data Processing Agreement forms part of our Agreement with you. Any terms not defined below shall have the meaning given to them in the IDHL Group Terms and Conditions.

Definitions

Applicable Law as defined in clause 2.1.1;

Associate in respect of either party, a company which is a subsidiary or holding company of that party, or a subsidiary of such holding company, in each case for the time being (and subsidiary and holding company shall be defined in section 1159 Companies Act 2006);

Data Controller as defined by the Data Protection Legislation;

Data Processor as defined by the Data Protection Legislation;

Data Protection Legislation all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR), the Data Protection Act 2018 (and regulations made thereunder) or any successor legislation, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data;

Data Subject as defined in the Data Protection Legislation;

Digital Marketing Services refers to services that help to improve the online performance of the Customer website including but not limited to SEO, PPC, CRO, Paid Social, Outreach and Media Advertising;

DSAR a request or notice from a Data Subject to exercise any of their rights under the Data Protection Legislation;

Hosting Services refers to the provision of services to assist with hosting the Customer website;

Personal Data as defined in the Data Protection Legislation;

Processor/Processing/Processed as defined in the Data Protection Legislation;

Processing Period the period of time that the Data Processor is permitted to Process the Data Controller’s Personal Data in line with the latest Proposal;

Proposal as defined in the IDHL Group Terms and Conditions;

Purpose the particular purpose in respect of which the Data Processor may Process the relevant Data Controller Personal Data, the details of which are set out in the relevant Appendix;

Security Breach a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Data Controller Personal Data whilst the Data Controller’s Personal Data is Processed by the Data Processor;

Sensitive Personal Data means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR;

Staff any employees, officers and individuals contracted to the Data Processor or its Associates that are involved in the provision of the Services;

Website Development Services refers to the Services provided to develop or re-develop the Customer website including but not limited to design, front end development, back end development, user research, testing and support services.

1. Data Protection Provisions

1.1. Each party shall (and the Data Processor shall procure that any sub-contractors shall) in the course of performing its obligations under the Agreement, comply with the provisions of the Data Protection Legislation which apply to that party for the purpose of the Agreement.

1.2. The parties agree to their defined roles under the Data Protection Legislation as defined in the relevant Appendix to this Data Processing Agreement.

1.3. The Data Controller warrants that it has and will continue to have a lawful basis and/or all necessary and appropriate consents and notices in place to:

1.3.1. process the Personal Data;

1.3.2. enable the Data Controller to lawfully transfer the Personal Data to the Data Processor and its sub-contractors; and

1.3.3. permit the Data Processor to lawfully Process the Personal Data for the duration of the Agreement.

1.4. The Data Processor shall only Process the Personal Data for the Purpose or any other purpose which is expressly requested by the Data Controller in writing to the Data Processor.

1.5. A general description of the scope, nature and purpose of the Processing being undertaken by the relevant party and the types of Personal Data are set out in the relevant Appendix to this Data Processing Agreement.

2. Processing

2.1. The Data Processor shall:

2.1.1. only Process the Personal Data for the Purpose and not for any other purpose unless acting in accordance with the Data Controller’s express written instructions which shall be documented in the Proposal or any subsequent specification documentation or unless required to do so by law (Applicable Law). Where the Data Processor is relying on Applicable Law as the basis for Processing Personal Data, the Data Processor shall promptly notify the Data Controller before performing the Processing required, unless prohibited by such Applicable Law;

2.1.2. ensure it has in place appropriate technical and organisational security measures to protect against any Security Breach taking into account the state of technological development and the cost of implementing any measures;

2.1.3. promptly forward any DSAR received directly by the Data Processor to the Data Controller and, at the Data Controller’s cost, provide such other further reasonable assistance to the Data Controller in responding to the DSAR;

2.1.4. co-operate with and provide reasonable assistance to the Data Controller in order for the Data Controller to respond to and comply with any DSAR, including providing any Personal Data that is not accessible by the Data Controller, within the timescales prescribed by the relevant Data Protection Legislation;

2.1.5. observe the provisions of and comply with any reasonable request made or direction given by the Data Controller in connection with the requirements of any Data Protection Legislation, in so far as they relate to the Processing of the Personal Data (including with regard to security, breach notification, impact assessments and consultations with supervising authorities or the ICO), provided always that where the Data Processor’s compliance with such requests or directions require a change to the Data Processor’s, its Associates and/or its sub-contractors (as applicable) existing practices, such compliance and change shall be at the Data Controllers cost and it shall not be unreasonable for the Data Processor to refuse a request or direction in relation to a shared service where the consent of the Data Processor’s other customers may be required in order to make such a change.

3. Data Processing Staff

The Data Processor shall ensure that all Staff Processing Personal Data do so in accordance with applicable company policies and procedures and are bound by appropriate confidentiality obligations.

4. Records and Audit

4.1. The Data Processor agrees to:

4.1.1. maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement (DP Records);

4.1.2. subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, make available to the Data Controller the DP Records, promptly on written request;

4.1.3. immediately notify the Data Controller if, in its opinion, a request made pursuant to clause 4.1.2 infringes the Data Protection Legislation;

4.1.4. subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, procure and ensure that such of the Staff are available to provide reasonable assistance and information as required by the Data Controller for any audits or inspections to be undertaken by or on behalf of the Data Controller pursuant to the Data Protection Legislation. Any such audits that are not related to any specific Security Breach or DSAR shall be limited to no more than once per twelve month period and the Data Controller will provide the Data Processor with no less than fourteen days written notice in advance of any audit and agree on any reasonable costs that will be incurred as a result of facilitating such audit.

5. Security and Breaches

5.1. In the event of any Security Breach, the Data Processor shall:

5.1.1. notify the Data Controller of the Security Breach without undue delay after becoming aware of the Security Breach; and

5.1.2. give all assistance reasonably required by the Data Controller to enable the Data Controller to enforce against any person that is, or may be, engaging in any unauthorised action, or acting in violation of any rights that the Data Controller has to.

6. Sub-Contracting

6.1. The Data Controller consents to the Data Processor’s use of sub-contractors where necessary to provide the Services under the Agreement and in line with the Purpose or any additional written instructions.

6.2. The Data Processor confirms that it has entered or (if applicable) will enter into a written agreement with any sub-contractor on written terms that reflect the sub-contractors obligations under the Data Protection Legislation.

6.3. Subject to clause 6.1, the Data Processor agrees that it shall not provide any sub-contractor with access to Personal Data, or allow any sub-contractor to Process Personal Data, unless it has received prior written consent from the Data Controller (such consent may not be unreasonably withheld or delayed) or such access is specifically allowed under the Agreement.

6.4. The Data Processor shall remain responsible for any acts or omissions of any sub-contractor appointed by the Data Processor.

7. Return and Deletion of Information

7.1. The Data Controller agrees that it is responsible for deleting and erasing Personal Data and rectifying inaccurate Personal Data and warrants that it shall do so in accordance with the Data Protection Legislation.

7.2. Subject to clause 7.3 the Data Processor shall not be obliged to delete, erase or rectify any of the Customer Personal Data where it conflicts with any other legal obligations that the Data Processor is subject to.

7.3. Except to the extent that Applicable Law requires storage of the Personal Data, the Data Processor shall, if required by the Data Controller:

7.3.1. return the Personal Data to the Data Controller in accordance with the terms of the Agreement; and/or

7.3.2. securely delete the Personal Data as directed by the Data Controller.

8. Cross-border transfers of Personal Data

8.1. The Data Processor shall not transfer any Personal Data outside of the UK unless, in accordance with the Data Protection Legislation, it ensures that (i) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or (ii) there are appropriate safeguards in place for the transfer of Personal Data; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations applies to the transfer.

9. Standard Contractual Clauses

9.1. If any Personal Data transfer between the Data Controller and the Data Processor requires execution of the European Commission’s Standard Contractual Clauses for the transfer of Personal Data (Controller to Processor) (Model Clauses) in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the Model Clauses and take other actions required to legitimise the transfer. Where there is any conflict between this Data Protection Agreement and the Model Clauses the Model Clauses shall take precedence.

9.2. The Data Processor may, at any time on not less than 30 days’ notice, request that the parties revise this Data Processing Agreement by replacing it with any standard contractual documentation provided by the ICO from time to time.

10. Notices

Where notification is required of the Supplier for any reason the Customer must email: DPO@idhl.co.uk.

Appendix 1

Details of Processing undertaken by the Supplier for Digital Marketing Services

Data Controller: The Customer

Data Processor: The Supplier

Subject matter and duration of processing: The provision of Digital Marketing Services, which may include:

Search Engine Optimisation
Pay Per Click
Conversion Rate Optimisation
Public Relations
Media Advertising
Paid Social
Account Management Services

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal.

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

Nature and purpose of Processing: To provide Digital Marketing Services that aim to facilitate the online performance of a company’s website through various methods.

Type of Customer Personal Data: Please note that the list provided for each service below includes data that the Supplier may be able to Process but may not actively report on. This list may also develop over time as online platforms evolve.

Search Engine Optimisation:

Age of website end user
Location data
Amount spent on products
Onsite behaviour
Attributions
Operating systems
Browsers used
Originating campaign
Delivery paid
Quantity purchase
Devices
Search query
Email addresses
Site search query
Employment
Social Network
Gender
Tax paid per purchase
Industries
phase
Interests/non-interests
Transaction ID
Internet providers
User ID
IP addresses
Website hits
Language
Online purchases from the Customer’s website
Time taken to purchase/consideration

Pay Per Click:

Age
Tax paid per purchase
Amount spent on product
Transaction ID
Attributions
User ID
Browsers used
Website hits
Delivery paid
Language
Devices
Location data
Employment
On site behaviour
Gender
Operating systems
Industries
Originating campaign
Interests/non-interests
Quantity purchase
Internet providers
Search query
Online purchases from the Customer’s website
Time taken to purchase/consideration phase

Conversion Rate Optimisation:

Access to any salesforce information provided by the Customer
Any Personal Data rovided by being given access to Customer software systems such as Basecamp and Trello
Onsite behaviour
Addresses
Opinions, reviews and/or preferences
Average order value
Order values
Browser type used
Prospect information
Buying behaviour
Purchase information
Demographic profiling
Return users
Device – type owned
Screen size owned
Email addresses
Session recording
Gender
Session recording language
New vs returning end user activity on heatmapping
Session recording time
Time of day access
Time of day using website
Session recording user ID
User age
Social demographics
Website user ID
Supply names
Geo location obtained via heatmapping, from the Customer of past website end-users or a session recording

Public Relations:

Address
Freelancer phone number
Age
Freelancer photos
Blogger email
Freelancer social media handles
Blogger name
Freelancer work history
Blogger payment information
Gender
Blogger phone numbers
Identification name (e.g. account name or unique customer number)
Blogger photos
Journalist emails
Blogger portfolio
Journalist name
Blogger social media handles
Journalist phone number
Blogger work history
Journalist photos
Client email
Journalists area of experience/expertise
Client name
Location data
Client phone number
Names
Content / social media data
Occupation
Email address
Opinions, reviews, interests and/or preferences
Employers / employment status
Payment details
Freelancer address
Personalised sales information
Freelancer body of work / portfolio
Photographs
Freelancer email
Social media handles
Freelancer name
Survey information (opinions)
Freelancer payment information
Videos

Media Advertising:

Browser Information
Gender
Content / websites visited / IAB category
Income band
User age
Date visited website
Interests
Device Information
Location data
Education level
Shopping habits / interests
Ethnicity
Time visited website

Paid Social:

Address
Job titles
Demographic
Location data
Email addresses
Name
Friends/contact details
Payment details
Income range
Personal opinions
Interests/non-interests
Photographs
Telephone numbers

Account Management Services:

Browser type of website visitors
Client customer car registration plate
Client address
Client customer email addresses
Client email address
Client customer location
Client name
Client customer mobile number
Client opinions
Client customer phone number
Client personal phone number
Client customer purchase history
Client phone number
Demographic data of website visitors
Client photos
Device used of website visitors
Client targets
Email campaigns / CRM campaigns
Client work history
Geographic data of website visitors
Client customer address
Mobile used of website visitors
Client customer car owned
Operating system of website visitors
Time of day the website is used
Other client contacts
Video calls
Voice recordings

Categories of Personal Data: Data Controller Personal Data collected may include individual employee data and website end user data.

Appendix 2

Details of Processing undertaken by the Supplier for Website Development Services.

Data Controller: The Customer

Data Processor: The Supplier

Subject matter and duration of processing: The provision of Website Development Services, which may include:

Website Design and Development
User Research
Hosting Services
Account Management Service

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal and any subsequent specification documentation between the parties.

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

Nature and purpose of Processing: To provide Website Development and Hosting Services that aim to improve the online appearance of the Customer website(s).

Type of Customer Personal Data: Please note that the list provided for each service below includes data that the Supplier may be able to Process but may not actively report on or utilise beyond it being visible to it. This list may also develop over time.

Website Development and Integrations:

Avatar
Gender
Browser details
IP address
Cookie contents
Job title
Custom data
Location data
Debugging logs
Organization
Delivery status information
Website activity data
Passwords (hashed/encrypted)
Access/API tokens (encrypted)
DOB
Payment methods
Domain
Purchased item data
Email
Social Media handles
Email content
Time zone
Full name, nickname, username or Initials
Unsubscribe details
User agent

User Research:

Demographic data
NRS Social grade
User opinions and behaviours

Hosting Services:

Avatar
Full name, nickname, username or Initials
Browser details
Gender
Cookie contents
IP address
Custom data
Job Title
Debugging logs
Location data
Delivery status information
Organization
DOB
Unsubscribe details
Passwords (hashed/encrypted)
Domain
Payment methods
Email
Purchased item data
User agent
Social Media handles
Website activity data
Time zone