Data Processing Agreement
amazingprofit is committed to the correct processing of data and has created the following Data Processing Agreement in accordance with the applicable Data Protection Laws. Please be aware that the following agreement will hereafter be known as Schedule 1.
Has the meaning given to ‘Data Controller’, or ‘Controller’ as appropriate, in the Data Protection Laws;
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
Has the meaning given to ‘Data Processor’, or ‘Processor’ as appropriate, in the Data Protection Laws;
“Data Protection Laws”
Means any and all laws, statutes, enactments, orders or regulations or other similar instruments of general application and any other rules, instruments or provisions in force from time to time relating to the processing of personal data and privacy applicable to the performance of this Agreement, including where applicable the Data Protection Act 1998, the Data Protection Bill, the Regulation of Investigatory Powers Act 2000, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and the GDPR (Regulation (EU) 2016/679), as amended or superseded;
Means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC as updated, superseded or repealed from time to time;
Has the meaning given in the Data Protection Laws.
(2) DATA PROCESSING
2.1 Each Party shall comply with its obligations as a Data Controller or Processor under the applicable Data Protection Laws.
2.2 If it is found that the Publisher, pursuant to this Agreement, processes Personal Data on behalf of amazingprofit, the Publisher acknowledges that amazingprofit is the Data Processor, and that the Publisher is the Data Controller.
2.3 In the event that clause 2.2 applies, the Data Processor shall comply with its obligations under applicable Data Protection Laws and as set out in this Schedule I.
(3) COMPLIANCE WITH DATA PROTECTION LAWS
3.1 The Data Processor warrants that it has complied, and shall continue to comply, with the requirements of the applicable Data Protection Laws and all other data protection legislation in any jurisdiction relevant to the exercise of its rights or the performance of its obligations under this Agreement.
(4) DATA CONTROLLER OBLIGATIONS
4.1 In respect of any Personal Data to be processed by the Data Controller pursuant to this Agreement, the Data Controller shall:
4.1.1 have in place and at all times maintain appropriate technical and organizational measures in such a manner as is designed to ensure the protection of the rights of the data subject and to ensure a level of security appropriate to the risk and shall implement any reasonable security measures as requested by amazingprofit from time to time;
4.1.2 not engage any sub-controllers without the prior specific or general written authorization of amazingprofit (and in the case of general written authorization, the Data Controller shall inform amazingprofit of any intended changes concerning the addition or replacement of other controllers and amazingprofit shall have the right to object to such changes);
4.1.3 ensure that each of the Data Controller’s employees, agents, consultants, subcontractors and sub-controllers are made aware of the Data Processor’s obligations under this Schedule I and enter into binding obligations with the Data Processor to maintain the levels of security and protection required under this Schedule I. The Data Controller shall ensure that the terms of this Schedule I are incorporated into each agreement with any sub-controller, subcontractor, agent or consultant to the effect that the sub-controller, subcontractor, agent or consultant shall be obligated to act at all times in accordance with duties and obligations of the Data Controller under this Schedule I. The Data Controller shall at all times be and remain liable to amazingprofit for any failure of any employee, agent, consultant, subcontractor or sub-controller to act in accordance with the duties and obligations of the Data Processor under this Schedule I;
4.1.4 process that Personal Data only on behalf of amazingprofit in accordance with amazingprofit’s instructions and to perform its obligations under this Agreement or other documented instructions from amazingprofit and for no other purpose save to the limited extent required by law;
4.1.5 ensure that all persons authorised to access the Personal Data are subject to obligations of confidentiality and receive training to ensure compliance with this Agreement and the Data Protection Laws;
4.1.6 make available to amazingprofit all information necessary to demonstrate compliance with the obligations laid out in Article 28 of GDPR and this Schedule I and allow for and contribute to audits, including inspections, conducted by amazingprofit or another auditor mandated by amazingprofit, of the Data Controller’s data processing facilities, procedures and documentation (and the facilities, procedures and documentation of any sub-Controller) in order to ascertain compliance with Article 28 GDPR and this Schedule I, within 5 working days of request by amazingprofit, and, following any such audit, without prejudice to any other rights of amazingprofit, the Data Controller shall implement such measures which amazingprofit considers reasonably necessary to achieve compliance with the Data Controller’s obligations under this Schedule I; provided that, in respect of this provision the Data Controller shall immediately inform amazingprofit if, in its opinion, an instruction infringes Data Protection Laws;
4.1.7 taking into account the nature of the processing, provide assistance to amazingprofit, within such timescales as amazingprofit may require from time to time, at no charge to amazingprofit, in connection with the fulfilment of amazingprofit’s obligation as Data Processor to respond to requests for the exercise of data subjects’ rights pursuant to Chapter III of the GDPR to the extent applicable;
4.1.8 provide amazingprofit with assistance in ensuring compliance with articles 32 to 36 (inclusive) of the GDPR (concerning security of processing, data breach notification, communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation with supervisory authorities) to the extent applicable to amazingprofit, taking into account the nature of the processing and the information available to the Data Controller;
4.1.9 (at no additional cost to amazingprofit) deal promptly and properly with all enquiries or requests from amazingprofit relating to the Personal Data and the data processing activities, promptly provide to amazingprofit in such form as amazingprofit may request, a copy of any Personal Data requested by amazingprofit;
4.1.10 (at no additional cost to amazingprofit) assist amazingprofit (where requested by amazingprofit) in connection with any regulatory or law enforcement authority audit, investigation or enforcement action in respect of the Personal Data;
4.1.11 immediately notify amazingprofit in writing about:
(a) any Data Breach or any accidental loss, disclosure or unauthorised access of which the Data Controller becomes aware in respect of Personal Data that it Controlled on behalf of amazingprofit;
(b) any request for disclosure of the Personal Data by a law enforcement authority (unless otherwise prohibited);
(c) any access request or complaint received directly from a data subject.
It being accepted by the Data Processor that:
(d) the Data Controller remains responsible for any complaints or claims made by Data Subjects, third parties or any regulatory or law enforcement authority to the extent such complaints or claims are the result of an infringement of Data Protection Laws by the Data Controller.
4.1.12 maintain a record of its processing activities in accordance with Article 30 of the GDPR.
4.1.13 indemnify amazingprofit against all liabilities, claims, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal and other professional costs and expenses) suffered or incurred by amazingprofit or for which it may become liable as a result of or in connection with any failure of the Data Controller, its employees, agents, consultants, subcontractors or sub-controllers to comply with this Schedule I.
4.2 amazingprofit reserves the right to take legal action for any damages (financial or reputational) and the Data Controller shall indemnify amazingprofit and its clients in respect of any fines, damages or complaints made to us as a result of the Data Controller’s use of personal data.
4.3 Notwithstanding anything to the contrary set out in this Agreement, to the extent that there is any duplication or conflict between definitions or clauses used in the Agreement and this Schedule I, the definitions and clauses set out in this Schedule I will apply and take precedence. In all other respects the Agreement shall continue to be in effect.
(5) INTERNATIONAL DATA TRANSFERS
5.1 In respect of any Personal Data to be processed by a party acting as Data Controller pursuant to this Agreement for which the other party is Data Processor, the Data Controller shall not transfer the Personal Data outside the EEA or to an international organisation without:
5.1.1 obtaining the written permission of the Data Processor;
5.1.2 ensuring appropriate levels of protection, including any appropriate safeguards if required, are in place for the Personal Data in accordance with the Data Protection Laws;
5.1.3 notifying the Data Processor of the protections and appropriate safeguards in paragraph 5.1.2 above;
5.1.4 documenting and evidencing the protections and appropriate safeguards in paragraph 5.1.2 above and allowing the Data Processor access to any relevant documents and evidence.
(6) DETAILS OF PROCESSING ACTIVITIES
6.1. As required by Article 28 of the GDPR, if at any point you will be processing data on behalf of the Data Processor, please specify this to the Data Processor and they will pass you the relevant pre due diligence questions before moving forward with this activity.
May 2018