U.S. Data Processing Agreement
This U.S. Data Processing Agreement is between: The IDHL company stated in the Proposal (the “Supplier”). The company purchasing services from the Supplier as stated in the Proposal (the “Customer”).
Background
This Data Processing Agreement forms part of our agreement with you (together with the IDHL Terms and Conditions, the “Agreement”). Any terms not defined below shall have the meaning given to them in the IDHL Terms and Conditions.
1. Definitions
1.1. “Applicable Law”, as defined in clause 3.1.1;
1.2. “Affiliate” in respect of either party, means a company which is a subsidiary or holding company of that party, or a subsidiary of such holding company, in each case for the time being;
1.3. “Consumer” has the meaning defined in Data Protection Legislation.
1.4. “Data Controller” means “businesses” as defined by CCPA, and “processors” as defined by other applicable Data Protection Legislation;
1.5. “Data Processor” means “contractors” and “service providers,” as defined by CCPA, and “processors,” as defined by other applicable Data Protection Legislation;
1.6. “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Texas Data Privacy and Security Act, and any implementing regulations thereunder, in each case applicable to this Data Processing Agreement as and when legally effective, or any successor legislation, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data;
1.7. “Digital Marketing Services” refers to services that help to improve the online performance of the Customer website including but not limited to SEO, PPC, CRO, Paid Social, Outreach and Media Advertising;
1.8. “DP Records” has the meaning defined in clause 5.1.1;
1.9. “DSAR” means a request or notice from a Consumer to exercise any of their rights under the Data Protection Legislation;
1.10. “Hosting Services” refers to the provision of services to assist with hosting the Customer website;
1.11. “Personal Data” shall mean “personal information” as defined by the CCPA, and “personal data” or “personally identifiable information” as defined or by other applicable Data Protection Legislation;
1.12. “Process/Processing/Processed” has the meaning defined in the Data Protection Legislation;
1.13. “Proposal” has the meaning as defined in the IDHL Terms and Conditions;
1.14. “Purpose” means the particular purpose in respect of which the Data Processor may Process the relevant Data Controller Personal Data, the details of which are set out in the relevant Appendix. “Purpose” shall include the enumerated business purposes set forth in the CCPA that are applicable to the Services as set forth in the Agreement, including but not limited to: performing the Services on behalf of Customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of Customer;
1.15. “Security Breach” means a security incident affecting a party’s Personal Data that requires notification to Consumers and/or government authorities under Data Protection Legislation and includes a “personal data breach,” as defined in Data Protection Legislation;
1.16. “Sell” has the meaning defined in the Data Protection Legislation;
1.17. “Sensitive Personal Data” means “sensitive personal information” and “sensitive personal data,” as defined by applicable Data Protection Legislation;
1.18. “Services” means Digital Marketing Services, Hosting Services, Website Development Services and any other services to be provided by Supplier under the Agreement;
1.19. “Share” has the meaning defined in the Data Protection Legislation;
1.20. “Staff” means any employees, officers and individuals contracted to the Data Processor or its Affiliates that are involved in the provision of the Services;
1.21. “Website Development Services” refers to the services provided to develop or re-develop the Customer website including but not limited to design, front end development, back end development, user research, testing and support services.
2. Data Protection Provisions
2.1. Each party shall (and the Data Processor shall procure that any sub-contractors shall) in the course of performing its obligations under the Agreement, comply with the provisions of the Data Protection Legislation which apply to that party for the purpose of the Agreement. With respect to the Personal Data that Data Processor collected pursuant to the Agreement, Data Processor shall provide the same level of privacy protection as required of Data Controllers by applicable Data Protection Legislation.
2.2. The parties agree to their defined roles under the Data Protection Legislation as defined in the relevant Appendix to this Data Processing Agreement.
2.3. The Data Controller warrants that it has and will continue to have a lawful basis and/or all necessary and appropriate consents and notices in place to:
2.3.1. Process the Personal Data;
2.3.2. enable the Data Controller to lawfully transfer the Personal Data to the Data Processor and its sub-contractors; and
2.3.3. permit the Data Processor to lawfully Process the Personal Data for the duration of the Agreement.
2.4. The Data Processor shall only retain, use, disclose or otherwise Process the Personal Data for the Purposes or any other purpose which is expressly requested by the Data Controller in writing to the Data Processor.
2.5. A general description of the scope, nature and purpose of the Processing being undertaken by the relevant party and the types of Personal Data are set out in Appendix 1 to this Data Processing Agreement.
2.6. Data Controller shall have the right to: (a) take reasonable and appropriate steps to ensure that Data Processor uses the Personal Data that it collected pursuant to the Agreement in a manner consistent with Data Controller’s obligations under applicable Data Protection Legislation; and (b) upon notice, take reasonable and appropriate steps to stop and remediate Data Processor’s unauthorized use of Personal Data.
3. Processing
3.1. The Data Processor shall:
3.1.1. only retain, use, disclose or otherwise Process the Personal Data for the Purposes and not for any other purpose unless acting in accordance with the Data Controller’s express written instructions which shall be documented in the Proposal or any subsequent specification documentation or unless required to do so by law applicable to the Data Controller (“Applicable Law”).
3.1.2. ensure it has in place appropriate technical and organizational security measures to protect against any Security Breach taking into account the state of technological development and the cost of implementing any measures;
3.1.3. promptly forward any DSAR received directly by the Data Processor to the Data Controller and, provide such other further reasonable assistance to the Data Controller in responding to the DSAR;
3.1.4. co-operate with and provide reasonable assistance to the Data Controller in order for the Data Controller to respond to and comply with any DSAR, including providing any Personal Data that is not accessible by the Data Controller, within the timescales prescribed by the relevant Data Protection Legislation;
3.1.5. provide the Data Controller information to reasonably enable it to conduct and document data protection assessments and prior consultations to the applicable supervisory authority;
3.1.6. notify the Data Controller after it determines that it can no longer meet its obligations under Data Protection Legislation; and
3.1.7. observe the provisions of and comply with any reasonable request made or direction given by the Data Controller in connection with the requirements of any Data Protection Legislation, in so far as they relate to the Processing of the Personal Data (including with regard to security, breach notification, impact assessments and consultations with supervising authorities), provided always that where the Data Processor’s compliance with such requests or directions require a change to the Data Processor’s, its Affiliates and/or its sub-contractors (as applicable) existing practices, such compliance and change shall be at the Data Controllers cost and it shall not be unreasonable for the Data Processor to refuse a request or direction in relation to a shared service where the consent of the Data Processor’s other customers may be required in order to make such a change.
3.2. Data Processor shall not:
3.2.1. Sell or Share Data Controller’s Personal Data;
3.2.2. retain, use, or disclose Data Controller’s Personal Data for any commercial purpose other than to perform the Services and to carry out the Purposes under the Agreement;
3.2.3. retain, use, disclose, or Process Data Controller Personal Data outside of the direct business relationship between Data Controller and Data Processor; and
3.2.4. combine Personal Data received from or on behalf of Data Controller with Personal Data it receives from, or on behalf of, another person(s), or collects from its own interaction with a Consumer, except where expressly required to perform the Services.
4. Data Processing Staff
The Data Processor shall ensure that all Staff Process Personal Data in accordance with applicable company policies and procedures and are bound by appropriate confidentiality obligations.
5. Records and Audit
5.1. The Data Processor agrees to:
5.1.1. maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement (“DP Records”);
5.1.2. make available to the Data Controller the DP Records, promptly on written request;
5.1.3. subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, procure and ensure that such of the Staff are available to provide reasonable assistance and information as required by the Data Controller for any audits or inspections to be undertaken by or on behalf of the Data Controller pursuant to the Data Protection Legislation. Any such audits that are not related to any specific Security Breach or DSAR shall be limited to no more than once per twelve month period and the Data Controller will provide the Data Processor with no less than fourteen days written notice in advance of any audit and agree on any reasonable costs that will be incurred as a result of facilitating such audit.
6. Security and Breaches
6.1. In the event of any Security Breach, the Data Processor shall:
6.1.1. notify the Data Controller of the Security Breach without undue delay after becoming aware of the Security Breach;
6.1.2. give all assistance reasonably required by the Data Controller or to enable the Data Controller to enforce against any person that is, or may be, engaging in any unauthorized action, or acting in violation of any rights that the Data Controller has to; and
6.1.3. provide reasonable assistance and information regarding such Security Breach as may be required for the purposes of reporting to the authorities and, where necessary, to the affected Consumers
7. Sub-Contracting
7.1. The Data Controller consents to the Data Processor’s use of sub-contractors where necessary to provide the Services under the Agreement and in line with the Purpose or any additional written instructions.
7.2. The Data Processor confirms that it has entered or (if applicable) will enter into a written agreement with any sub-contractor on written terms that reflect the sub-contractors’ obligations under the Data Protection Legislation.
7.3. Subject to clause 7.1, the Data Processor agrees that it shall not provide any sub-contractor with access to Personal Data, or allow any sub-contractor to Process Personal Data, unless it has received prior written consent from the Data Controller (such consent may not be unreasonably withheld or delayed) or such access is specifically allowed under the Agreement.
7.4. The Data Processor shall remain responsible for any acts or omissions of any sub-contractor appointed by the Data Processor.
8. Return and Deletion of Information
8.1. The Data Controller agrees that it is responsible for deleting and erasing Personal Data and correcting inaccurate Personal Data and warrants that it shall do so in accordance with the Data Protection Legislation.
8.2. Subject to clause 8.3, the Data Processor shall not be obliged to delete, erase or correct any of Customer’s Personal Data where it conflicts with any other legal obligations that the Data Processor is subject to.
8.3. Except to the extent that Applicable Law requires storage of the Personal Data, the Data Processor shall, if required by the Data Controller:
8.3.1. return the Personal Data to the Data Controller in accordance with the terms of the Agreement; and
8.3.2. securely delete the Personal Data as directed by the Data Controller.
9. Notices
Where notification is required of the Supplier for any reason the Customer must email: DPO@idhl.co.uk.
Appendix 1
Details of Processing undertaken by the Supplier for Digital Marketing Services
Data Controller: the Customer
Data Processor: the Supplier
Subject matter and duration of Processing: The provision of Digital Marketing Services, which may include:
Search Engine Optimisation
Pay Per Click
Conversion Rate Optimisation
Public Relations
Media Advertising
Paid Social
Account Management Services
Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal.
Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.
Nature and purpose of Processing: To provide Digital Marketing Services that aim to facilitate the online performance of a company’s website through various methods.
Type of Customer Personal Data: Please note that the list provided for each service below includes data that the Supplier may be able to Process but may not actively report on. This list may also develop over time as online platforms evolve.
Appendix 2
Details of Processing undertaken by the Supplier for Website Development Services.
Data Controller: the Customer
Data Processor: the Supplier
Subject matter and duration of Processing: The provision of Website Development Services, which may include:
Website Design and Development
User Research
Hosting Services
Account Management Service
Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal and any subsequent specification documentation between the parties.
Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.
Nature and purpose of Processing: To provide Website Development and Hosting Services that aim to improve the online appearance of the Customer website(s).