Data Processing Agreement

This Data Processing Agreement forms part of the Agreement. Any terms not defined below shall have the meaning given to them in the IDHL Terms and Conditions.

Definitions

Business Purposes

the services to be provided by IDHL to the Client as described in the Agreement and any other purpose specifically identified in the Annex to this Data Processing Agreement;

Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing

have the meanings given in the Data Protection Legislation; and

Data Protection, Legislation

all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1. Controller and Processor.

The parties agree and acknowledge that for the purpose of the Data Protection Legislation the Client is the Controller and IDHL is the Processor. The Client retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to IDHL.

2. Processing Purposes.

The Annex to this Data Processing Agreement describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which IDHL may process the Personal Data to fulfil the Business Purposes.

3. Processor Obligations.

3.1 IDHL shall:

3.1.1 only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client's written instructions. IDHL will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. IDHL must promptly notify the Client if, in its opinion, the Client's instructions do not comply with the Data Protection Legislation.

3.1.2 reasonably assist the Client, with meeting its compliance obligations under the Data Protection Legislation, taking into account the nature of IDHL’s processing and the information available to it.

4. Security.

IDHL has appropriate technical and organisational measures in place against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

5. Records.

IDHL will maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement and shall make such records available to the Client on reasonable written request.

6. Audits.

IDHL will provide such reasonable assistance and information as required by the Client for any audits or inspections to be undertaken by or on behalf of the Client pursuant to the Data Protection Legislation. Any audits that are not related to a specific Data Breach shall be limited to no more than once per twelve month period and the Client will provide IDHL with no less than 30 days written notice in advance of any audit and the parties shall agree in advance on any reasonable costs that will be incurred by IDHL as a result of facilitating such audit.

7. Personal Data Breaches.

In the event of a Data Breach, IDHL shall notify the Client without undue delay after becoming aware of such breach and reasonably cooperate with the Client in the Client’s handling of the matter. The parties will coordinate with each other to investigate the matter.

8. Subcontracting.

The Provider may only authorise a third-party (subcontractor) to process the Personal Data where the Client’s prior written consent have been obtained. IDHL shall be responsible for any acts or omissions of its subcontractors. IDHL confirms that it has entered or (if applicable) will enter into a written agreement with any sub-contractor on written terms that reflect the sub-contractors obligations under the Data Protection Legislation.

9. Data Return and Destruction.

On termination of the Agreement for any reason or expiry of its term, the Provider will securely delete or destroy (in accordance with its internal data retention policy) or, if directed in writing by the Client, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

10. Transfers of Personal Data.

IDHL shall not transfer any Personal Data outside of the UK unless, in accordance with the Data Protection Legislation, it ensures that (i) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or (ii) there are appropriate safeguards in place for the transfer of Personal Data; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations applies to the transfer.

11. Notices.

Where notification is required of IDHL for any reason the Client must email: DPO@idhl.co.uk.

Appendix

Personal Data Processing Purposes and Details

Subject Matter and Duration of Processing

Personal Data will be processed for as long as required by the Agreement and for the provision of relevant services set out in a Statement of Work.

Nature and Purpose of Processing

Digital growth services which shall include data access, sharing and storage.

Data Subjects

Client employees, website users, prospects and customers.