Data Processing Agreement
Agreement Dated: XXXX
(1)CLOUD2020 LIMITED of Nexus House, 32 Bath Road, Stonehouse, Gloucestershire, GL10 2JA (Cloud2020); (the Processor) and
(2)XXXX, having its registered office at XXXX (the "Controller”)
(A)This Agreement is to ensure there is in place proper arrangements relating to personal data passed from (the Controller) to the Cloud2020.
(B)This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.
(C)The parties wish to record their commitments under this Agreement.
It is Agreed as Follows:
1.Definitions and Interpretation
In this Agreement:
"Data Protection Laws" means the Data Protection Act 1998, together with successor legislation incorporating GDPR;
"Data" means personal data passed under this Agreement, being potential customer and customer contact details;
“GDPR” means the General Data Protection Regulation;
"Services" means Marketing Services.
XXXX is the data controller for the Data and Cloud2020 is the data processor for the Data. Cloud2020 agrees to process the Data only in accordance with Data Protection Laws and on the following conditions:
the Cloud2020 shall only process the Data (i) on the written instructions from XXXX and (ii) only process the Data for completing the Services;
Cloud2020 shall ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
XXXX and Cloud2020 have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under Part A of the Annex to this Agreement (Article 28, para 3(c) GDPR);
Cloud2020 may involve third parties in the processing of the Data as part of this agreement. Those third parties are also governed by the agreement and will comply with all relevant Articles and requirements of Data Protection Laws.
Cloud2020 shall, taking into account the nature of the processing, assist XXXX by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of XXXX’s obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc (Article 28, para 3(e) GDPR), this may be subject to additional charges which will be communicated to XXXX by way of quotation;
The Data Controller (XXXX) is responsible for ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the ICO etc, taking into account the nature of processing and the information available to the Cloud2020 (Article 28, para 3(f) GDPR);
Cloud2020 shall, safely delete or return the Data at any time. [It has been agreed that the Cloud2020 will in any event securely delete the Data at the end of the Services]. Where Cloud2020 is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement to retain the Data. Where there is a legal requirement Cloud2020 will prior to entering into this Agreement confirm such an obligation in writing to XXXX on request.
Cloud2020 shall make available to XXXX all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for, and contribute to, any audits, inspections or other verification exercises required by XXXX from time to time, with prior notification and agreement (Article 28, para 3(h) GDPR);
arrangements relating to the secure transfer of the Data from Cloud2020 to the Controller and the safe keeping of the Data by the Processor are detailed under our Data Privacy and Protection Policy.
Cloud2020 shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and
Cloud2020 shall immediately contact XXXX if there is any personal data breach or incident where the Data may have been compromised.
Cloud2020 may immediately terminate this Agreement on written notice to XXXX.
This Agreement may only be varied with the written consent of both parties.
For the purposes of this Agreement the representatives of each party are detailed below.
This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws.
This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.
Signed by the parties’ or their authorised representatives as follows:
On behalf of Cloud2020 Limited by
Name: Ian Bourne
On behalf of XXXX by