Data Processing Agreement

This Data Processing Agreement is an Addendum to the Agreement between:

  • Webevents Limited T/A WMG/ID incorporated and registered in England and Wales with company number 03984604 whose registered office is at Central House, Otley Road, Harrogate, North Yorkshire, England, HG3 1UF and

NetConstruct Limited incorporated and registered in England and Wales with company number 03421794 whose registered office is at Central House, Otley Road, Harrogate, North Yorkshire, England, HG3 1UF (“The Suppliers”).

 

  • The company details set out in full on the Order Form or Quote (as applicable) (“The Customer”).

Background

The Supplier is providing a combination or selection of Digital Marketing Services, Website Development Services and Hosting Services to the Customer and in accordance with the General Data Protection Regulation (2016) (GDPR) coming into force on the 25th May 2018, the Supplier has data processing terms which shall apply to the commercial terms agreed between the parties.

Consequently, this Data Processing Agreement is deemed to be accepted on acceptance of the Order Form and/or Quote (as applicable).

Definitions

Agreement As defined in the main Terms and Conditions between the parties;

 

Appropriate Safeguards Refers to the measures taken to ensure the transfer of Personal Data between parties is safely and securely done and includes but may not be limited to taking steps such as having binding corporate rules, standard data protection clauses in the form of template transfer clauses adopted by the Commission; standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission; compliance with an approved code of conduct approved by a supervisory authority; certification under an approved certification mechanism as provided for in the GDPR; contractual clauses agreed authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority.
Applicable Law As defined in Clause 6.1;

 

Associate In respect of either party, a company which is a subsidiary or holding company of that party, or a subsidiary of such holding company, in each case for the time being (and subsidiary and holding company shall be defined in section 1159 Companies Act 2006);

 

Data Controller As defined by the Data Protection Legislation;

 

Data Controller Personal Data The Personal Data provided by the Data Controller to the Data Processor to Process. This may include but not be limited to the Data Controller’s employee or website end user data;

 

Data Processor As defined by the Data Protection Legislation

 

Data Protection Legislation Refers to applicable data protection regulation including but not limited to the Data Protection Act 1998 prior to 25 May 2018 and post 25 May 2018 the General Data Protection Regulation (GDPR) 2016/679;

 

Data Subject As defined in the Data Protection Legislation

 

Digital Marketing Services Refers to services that help to improve the online performance of the Customer website including but not limited to SEO, PPC, CRO, Paid Social, Outreach and Programmatic.

 

DP Records As defined in clause 8.1;

 

DP Regulator The Information Commissioner’s Office, or any successor or replacement body from time to time;
 

DSR Meaning the rights of Data Subjects under the Data Protection Legislation;

 

DSAR A request or notice from a Data Subject to exercise any DSR.

 

Hosting Services Refers to the provision of services to assist with hosting the Customer website.

 

Personal Data As defined in the Data Protection Legislation;

 

Processor/Processing/Processed As defined in the Data Protection Legislation;

 

Processing Period The period of time that the Data Processor is permitted to Process the Data Controller’s Personal Data in line with the latest Proposal;

 

Proposal Refers to the relevant Order Form or Quote and any relevant Specification agreed between the parties that detail the terms of the Agreement;

 

Purpose The particular purpose in respect of which the Data Processor may Process the relevant Data Controller Personal Data, the details of which are set out in the relevant Appendix;

 

Security Breach A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Data Controller Personal Data whilst the Data Controller’s Personal Data is Processed by the Data Processor;

 

Sensitive Personal Data Means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR;

 

Staff Any employees, officers and individuals contracted to the Data Processor or its Associates that are involved in the provision of the Services.

 

Sub-Contractor A third party that provides outsourced services to or on behalf of the Data Processor in connection with the provision of the Services and/or performance of the Data Processor’s other duties under the Agreement, including its Associates.

 

Website Development Services Refers to the Services provided to develop or re-develop the Customer website including but not limited to design, front end development, back end development, user research, testing and support services.

 

Data Protection Provisions

  1. Each party shall (and the Data Processor shall procure that any Sub-Contractors shall) in the course of performing its obligations under the Agreement, comply with the provisions of the Data Protection Legislation which apply to that party for the purpose of the Agreement.
  2. The parties agree to their defined roles under the Data Protection Legislation as defined in the relevant Appendix to these Data Processing Terms.
  3. The Data Controller warrants that it has and will continue to have a lawful basis and/or all necessary and appropriate consents and notices in place to:
    • Process the Data Controller’s Personal Data
    • Enable the Data Controller to lawfully transfer the Data Controller Personal Data to the Data Processor and its Sub-Contractors; and
    • Permit the Data Processor to lawfully Process the Data Controller Personal Data in accordance with and for the purpose of the Agreement

for the duration of the Agreement.

  1. The Data Processor shall only Process the Data Controller’s Personal Data for the Purpose or any other purpose which is expressly requested by the Data Controller in writing to the Data Processor.
  2. A general description of the scope, nature and purpose of the Processing being undertaken by the relevant party and the types of Personal Data is set out in the relevant Appendix.

Processing

  1. In relation to the Data Controller Personal Data in connection with the performance by the Data Processor of its obligations under the Agreement, the Data Processor shall:
    • Only Process the Data Controller Personal Data for the Purpose and not for any other purpose unless acting in accordance with the Data Controller’s express written instructions which shall be documented in the client Proposal or any subsequent Specification documentation or unless required to do so by the law of any member of the European Union (Applicable Law). Where the Data Processor is relying on Applicable Law as the basis for Processing Data Controller Personal Data, the Data Processor shall promptly notify the Data Controller before performing the Processing required, unless prohibited by such Applicable Law;
    • Ensure it has in place appropriate technical and organisational security measures to protect against any Security Breach taking into account the state of technological development and the cost of implementing any measures. The Data Controller may request additional technical and organisational measures over and above the existing practices of the Data Processor, its Associates and/or its Sub-Contractors but this shall be subject to the Data Controller paying the Data Processor’s reasonable costs and expenses incurred for making these adjustments;
    • Immediately forward any DSAR received directly by the Data Processor to the Data Controller and, at the Data Controller’s cost, provide such other further reasonable assistance to the Data Controller in responding to the DSAR;
    • Co-operate with and provide reasonable assistance to the Data Controller in order for the Data Controller to respond to and comply with any DSAR, including providing any Data Controller Personal Data that is not accessible by the Data Controller, within the timescales prescribed by the relevant Data Protection Legislation;
    • Observe the provisions of and comply with any reasonable request made or direction given by the Data Controller in connection with the requirements of any Data Protection Legislation, in so far as they relate to the Processing of the Data Controller Personal Data (including with regard to security, breach notification, impact assessments and consultations with supervising authorities or the DP Regulator), provided always that where the Data Processor’s compliance with such requests or directions requires a change to the Data Processor’s, its Associates’ and/or its Sub-Contractors’ (as applicable) existing practices, such compliance and change shall be at the Data Controller’s cost and it shall not be unreasonable for the Data Processor to refuse a request or direction in relation to a shared service where the consent of the Data Processor’s other customers may be required in order to make such a change.

Data Processing Staff

  1. The Data Processor shall ensure that all Staff:
    • Process Data Controller Personal Data in accordance with applicable company policies and procedures;
    • Are bound by appropriate confidentiality obligations; and
    • Undergo regular training on data protection principles.

Records and Audit

  1. The Data Processor agrees to:
    • Maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement (DP Records);
    • Subject to the Data Controller paying the Data Processor reasonable costs and expenses in connection with the same, make available to the Data Controller the DP Records, promptly on request;
    • Immediately notify the Data Controller if, in its opinion, a request made pursuant to clause 8.2 infringes the Data Protection Legislation;
    • Subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, procure and ensure that such of the Staff are available to provide reasonable assistance and information as required by the Data Controller for any audits or inspections to be undertaken by or on behalf of the Data Controller pursuant to the Data Protection Legislation. Any such audits that are not related to any specific Security Breach or DSAR shall be limited to no more than one per twelve month period and the Data Controller will provide the Data Processor with no less than fourteen days written notice in advance of any audit and agree on any reasonable costs that will be incurred as a result of facilitating such audit.

Security and Breaches

  1. In the event of any Security Breach, the Data Processor shall:
    • Notify the Data Controller of the Security Breach immediately (and in any event within 24 hours) of becoming aware of the Security Breach;
    • Give all assistance reasonably required by the Data Controller to enable the Data Controller to enforce against any person that is, or may be, engaging in any unauthorised action, or acting in violation of any rights that the Data Controller has to.

Sub-Contracting

  1. The Data Controller consents to the Data Processor’s use of Sub-Contractors where necessary to provide the Services under the Agreement and in line with the Purpose or any additional written instructions.
  2. The Data Processor confirms that it has entered or (if applicable) will enter into a written agreement with any Sub-Contractor on written terms that reflect the Sub-Contractor’s obligations under the Data Protection Legislation.
  3. Subject to clause 10, the Data Processor agrees that it shall not provide any Sub-Contractor with access to Data Controller Personal Data, or allow any Sub-Contractor to Process Data Controller Personal Data, unless it has received prior written consent from the Data Controller (such consent may not be unreasonably withheld or delayed) or such access is specifically allowed under the Agreement.
  4. The Data Processor shall remain responsible for any acts or omissions of any Sub-Contractor appointed by the Data Processor.

 

Return and Deletion of Information

  1. The Data Controller agrees that it is responsible for deleting and erasing Data Controller Personal Data and rectifying inaccurate Personal Data and warrants that it shall do so in accordance with the Data Protection Legislation.
  2. Subject to clause 16 the Data Processor shall not be obliged to delete, erase or rectify any of the Customer Personal Data where it conflicts with any other legal obligations that the Data Processor is subject to.
  3. Except to the extent that Applicable Law requires storage of the Data Controller Personal Data, the Data Processor shall, following expiry or termination of the Agreement or if required by the Data Controller:
    • Return the Data Controller Personal Data to the Data Controller in accordance with the terms of the Agreement; and/or
    • Securely delete the Data Controller Personal Data

as directed by the Data Controller.

Cross-border transfers of Personal Data

  1. The Data Processor shall:
    • Not transfer any Data Controller Personal Data outside of the EEA or to a country not approved by the ICO unless the following conditions are fulfilled:
      • the transfer to that third country outside of the EEA is on the basis that they are deemed to have adequate protections in their local laws by the European Commission or the Data Processor has provided Appropriate Safeguards in relation to the transfer; or
      • the Data Processor complies with its obligations under the Data Protection Legislation by providing an adequate level of protection for any Data Controller Personal Data that is transferred; and
      • the Data Processor complies with reasonable instructions notified to it in advance by the Data Controller with respect to the Processing of the Data Controller Personal Data.

Standard Contractual Clauses

  1. If any Personal Data transfer between the Data Controller and the Data Processor requires execution of the European Commission’s Standard Contractual Clauses for the transfer of Personal Data (Controller to Processor) (Model Clauses) in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the Model Clauses and take other actions required to legitimise the transfer. Where there is any conflict between this Data Protection Agreement and the Model Clauses the Model Clauses shall take precedence.
  2. The Data Processor may, at any time on not less than 30 days’ notice, request that the parties revise this Addendum by replacing it with any standard contractual documentation provided by the ICO from time to time.

Notices

  1. Where notification is required of the Supplier for any reason the Customer must email: DPO@idhl.co.uk.

 

 

 

Appendix 1

Details of Processing undertaken by the Supplier for Digital Marketing Services

Data Controller The Customer
Data Processor The Supplier
Subject matter and duration of processing The provision of Digital Marketing Services, which may include:

i)             Search Engine Optimisation

ii)            Pay Per Click

iii)           Conversion Rate Optimisation

iv)           Public Relations

v)            Programmatic Advertising

vi)           Paid Social

vii)          Account Management Services.

 

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant Services set out in a Proposal between the parties.

 

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

Nature and purpose of Processing Processing of Data Controller Personal Data is to provide Digital Marketing Services that aim to facilitate the online performance of a company’s website through various methods.

 

Type of Customer Personal Data Please note that the list provided for each service below includes data that we may be able to Process but may not actively report on. This list may also develop over time as online platforms evolve.

 

i)             Search Engine Optimisation:

·         Age of website end user

·         Amount spent on products

·         Attributions

·         Browsers used

·         Delivery paid

·         Devices

·         Email addresses

·         Employment

·         Gender

·         Industries

·         Interests/non-interests

·         Internet providers

·         IP addresses

·         Language

·         Location data

·         On site behaviour

·         Online purchases from the client website

·         Operating systems

·         Originating campaign

·         Quantity purchase

·         Search query

·         Site search query

·         Social Network

·         Tax paid per purchase

·         Time taken to purchase/consideration phase

·         Transaction ID

·         User ID

·         Website hits

ii)            Pay Per Click:

·         Age

·         Amount spent on product

·         Attributions

·         Browsers used

·         Delivery paid

·         Devices

·         Employment

·         Gender

·         Industries

·         Interests/non-interests

·         Internet providers

·         Language

·         Location data

·         On site behaviour

·         Online purchases from the client website

·         Operating systems

·         Originating campaign

·         Quantity purchase

·         Search query

·         Tax paid per purchase

·         Time taken to purchase/consideration phase

·         Transaction ID

·         User ID

·         Website hits

iii)           Conversion Rate Optimisation:

·         Access to any salesforce information provided by the Customer

·         Addresses

·         Any Personal Data provided by being given access to Customer software systems such as Basecamp and Trello.

·         Average order value

·         Browser type used

·         Buying behaviour

·         Demographic profiling

·         Device – type owned

·         Email addresses

·         Gender

·         Geo location obtained via heatmapping, from the Customer of past website end-users or a session recording

·         Home owners

·         Languages spoken

·         New vs returning end user activity on heatmapping

·         On site behaviour

·         Opinions, reviews and/or preferences

·         Order values

·         Prospect information

·         Purchase information

·         Return users

·         Screen size owned

·         Session recording

·         Session recording language

·         Session recording time

·         Session recording user ID

·         Social demographics

·         Supply names

·         Time of day of access

·         Time of day using website

·         User age

·         Website user ID

iv)           Public Relations:

·         Address

·         Age

·         Blogger email

·         Blogger name

·         Blogger payment information

·         Blogger phone numbers

·         Blogger photos

·         Blogger portfolio

·         Blogger social media handles

·         Blogger work history

·         Client email

·         Client name

·         Client phone number

·         Content / social media data

·         Email address

·         Employers / employment status

·         Freelancer address

·         Freelancer body of work / portfolio

·         Freelancer email

·         Freelancer name

·         Freelancer payment information

·         Freelancer phone number

·         Freelancer photos

·         Freelancer social media handles

·         Freelancer work history

·         Gender

·         Identification name (e.g. account name or unique customer number)

·         Journalist emails

·         Journalist name

·         Journalist phone number

·         Journalist photos

·         Journalist’s area of experience/expertise

·         Location data

·         Names

·         Occupation

·         Opinions, reviews, interests and/or preferences

·         Payment details

·         Personalised sales information

·         Photographs

·         Social media handles

·         Survey information (opinions)

·         Videos

v)            Programmatic Advertising:

·         Browser Information

·         Content / websites visited / IAB category

·         Date visited website

·         Device Information

·         Education level

·         Ethnicity

·         Gender

·         Income band

·         Interests

·         Location data

·         Shopping habits / interests

·         Time visited website

·         User Age

vi)           Paid Social:

·         Address

·         Demographic

·         Email addresses

·         Friends/contact details

·         Income range

·         Interests/non-interests

·         Job titles

·         Location data

·         Name

·         Payment details

·         Personal opinions

·         Photographs

·         Telephone numbers

vii)          Account Management Services:

·         Browser type of website visitors

·         Client address

·         Client email address

·         Client name

·         Client opinions

·         Client personal phone number

·         Client phone number

·         Client photos

·         Client targets

·         Client work history

·         Client customer address

·         Client customer car owned

·         Client customer car registration plate

·         Client customer email addresses

·         Client customer location

·         Client customer mobile number

·         Client customer phone number

·         Client customer purchase history

·         Demographic data of website visitors

·         Device used of website visitors

·         Email campaigns / CRM campaigns

·         Geographic data of website visitors

·         Mobile used of website visitors

·         Operating system of website visitors

·         Other client contacts

·         Time of day the website is used

·         Video calls

·         Voice recordings

 

Categories of Personal Data Data Controller Personal Data collected may include individual employee data and website end user data.

 

 

Appendix 2

Details of Processing undertaken by the Supplier for Website Development Services

Data Controller The Customer
Data Processor The Supplier
Subject matter and duration of processing The provision of Website Development Services, which may include:

i)             Website Design and Development

ii)            User Research

iii)           Hosting Services

iv)           Account Management Services

 

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant Services set out in a Proposal and any subsequent Specification documentation between the parties.

 

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

 

Nature and purpose of Processing Processing of Data Controller Personal Data is to provide Website Development and Hosting Services that aim to improve the online appearance of Customer Websites.

 

Type of Customer Personal Data Please note that the list provided for each service below includes data that we may be able to Process but may not actively report on or utilise beyond it being visible to us. This list may also develop over time as online platforms evolve.

 

i)             Website development:

·         Avatar

·         Browser details

·         Cookie contents

·         Custom data

·         Debugging logs

·         Delivery status information

·         DOB

·         Domain

·         Email

·         Email content

·         Full name, nickname, username or Initials

·         Gender

·         IP address

·         Job title

·         Location data

·         Organization

·         Passwords (hashed/encrypted)

·         Payment methods

·         Purchased item data

·         Social Media handles

·         Time zone

·         Unsubscribe details

·         User agent

·         Website activity data

 

ii)            User Research:

·         Demographic data

·         NRS Social grade

·         User opinions and behaviours

 

iii)           Hosting services:

·         Avatar

·         Browser details

·         Cookie contents

·         Custom data

·         Debugging logs

·         Delivery status information

·         DOB

·         Domain

·         Email

·         Email content

·         Full name, nickname, username or Initials

·         Gender

·         IP address

·         Job Title

·         Location data

·         Organization

·         Passwords (hashed/encrypted)

·         Payment methods

·         Purchased item data

·         Social Media handles

·         Time zone

·         Unsubscribe details

·         User agent

·         Website activity data

 

iv)           Account Management Services:

·      Browser type of website visitors

·      Client address

·      Client avatar

·      Client customer address

·      Client customer car owned

·      Client customer car registration plate

·      Client customer email addresses

·      Client customer location

·      Client customer mobile number

·      Client customer phone number

·      Client customer purchase history

·      Client devices

·      Client email address

·      Client fax number

·      Client job title

·      Client name

·      Client notes of tenure

·      Client opinions

·      Client phone number

·      Client photos

·      Client targets

·      Client work history

·      Demographic data of website visitors

·      Device used of website visitors

·      Email campaigns / CRM campaigns

·      Geographic data of website visitors

·      Google Account details

·      Mobile used of website visitors

·      Operating system of website visitors

·      Opinions/preferences

·      Organisation

·      Organisation department

·      Other client contacts

·      Social Media handles

·      Telephone number

·      Time of day the website is used

·      Video calls

·      Voice calls and recordings

·      Website domain

 

Categories of Personal Data Data Controller Personal Data collected may include individual employee data and website end user data.

 

 

 

Appendix 3

Details of Processing undertaken by the Customer

Data Controller The Supplier
Data Processor The Customer
Subject matter and duration of processing The provision of Outreach services which relates to Digital Marketing Services and any personal data Processed by the Customer relating to the Supplier’s employees or any third parties that the Supplier may look to engage to provide the Services.

 

This Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant Services set out in a Proposal between the parties.

 

Personal Data relating to the Supplier’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

 

Nature and purpose of Processing Processing of this Personal Data is to provide Outreach services which form part of the Digital Marketing Services and the Processing of Supplier employee details is required for the provision of all services that aim to facilitate the online performance of a company’s website through various methods.

 

Type of Customer Personal Data Personal Data provided to the Data Processor as part of the Outreach Services.

 

Data processed regarding Supplier employees may include:

–          Names

–          Telephone numbers

–          Email addresses

–          Job titles

–          Avatars

–          Opinions/Preferences

–          Video/Voice recordings

–          Biography