Data Processing Agreement

This Data Processing Agreement is between:

- The IDHL Company stated in the Proposal (the Supplier).
- The company purchasing services from the Supplier as stated in the Proposal (the Customer).

Background

This Data Processing Agreement forms part of our Agreement with you. Any terms not defined below shall have the meaning given to them in the IDHL Terms and Conditions.

Definitions

Applicable Law as defined in clause 2.1.1;

Associate in respect of either party, a company which is a subsidiary or holding company of that party, or a subsidiary of such holding company, in each case for the time being (and subsidiary and holding company shall be defined in section 1159 Companies Act 2006);

Data Controller as defined by the Data Protection Legislation;

Data Processor as defined by the Data Protection Legislation;

Data Protection Legislation all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR), the Data Protection Act 2018 (and regulations made thereunder) or any successor legislation, and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data;

Data Subject as defined in the Data Protection Legislation;

Digital Marketing Services refers to services that help to improve the online performance of the Customer website including but not limited to SEO, PPC, CRO, Paid Social, Outreach and Media Advertising;

DSAR a request or notice from a Data Subject to exercise any of their rights under the Data Protection Legislation;

Hosting Services refers to the provision of services to assist with hosting the Customer website;

Personal Data as defined in the Data Protection Legislation;

Processor/Processing/Processed as defined in the Data Protection Legislation;

Processing Period the period of time that the Data Processor is permitted to Process the Data Controller’s Personal Data in line with the latest Proposal;

Proposal as defined in the IDHL Terms and Conditions;

Purpose the particular purpose in respect of which the Data Processor may Process the relevant Data Controller Personal Data, the details of which are set out in the relevant Appendix;

Security Breach a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Data Controller Personal Data whilst the Data Controller’s Personal Data is Processed by the Data Processor;

Sensitive Personal Data means Personal Data that reveals such categories of data as are listed in Article 9(1) of the GDPR;

Staff any employees, officers and individuals contracted to the Data Processor or its Associates that are involved in the provision of the Services;

Website Development Services refers to the Services provided to develop or re-develop the Customer website including but not limited to design, front end development, back end development, user research, testing and support services.

1. Data Protection Provisions

1.1. Each party shall (and the Data Processor shall procure that any sub-contractors shall) in the course of performing its obligations under the Agreement, comply with the provisions of the Data Protection Legislation which apply to that party for the purpose of the Agreement.

1.2. The parties agree to their defined roles under the Data Protection Legislation as defined in the relevant Appendix to this Data Processing Agreement.

1.3. The Data Controller warrants that it has and will continue to have a lawful basis and/or all necessary and appropriate consents and notices in place to:

1.3.1. process the Personal Data;

1.3.2. enable the Data Controller to lawfully transfer the Personal Data to the Data Processor and its sub-contractors; and

1.3.3. permit the Data Processor to lawfully Process the Personal Data for the duration of the Agreement.

1.4. The Data Processor shall only Process the Personal Data for the Purpose or any other purpose which is expressly requested by the Data Controller in writing to the Data Processor.

1.5. A general description of the scope, nature and purpose of the Processing being undertaken by the relevant party and the types of Personal Data are set out in the relevant Appendix to this Data Processing Agreement.

2. Processing

2.1. The Data Processor shall:

2.1.1. only Process the Personal Data for the Purpose and not for any other purpose unless acting in accordance with the Data Controller’s express written instructions which shall be documented in the Proposal or any subsequent specification documentation or unless required to do so by law (Applicable Law). Where the Data Processor is relying on Applicable Law as the basis for Processing Personal Data, the Data Processor shall promptly notify the Data Controller before performing the Processing required, unless prohibited by such Applicable Law;

2.1.2. ensure it has in place appropriate technical and organisational security measures to protect against any Security Breach taking into account the state of technological development and the cost of implementing any measures;

2.1.3. promptly forward any DSAR received directly by the Data Processor to the Data Controller and, at the Data Controller’s cost, provide such other further reasonable assistance to the Data Controller in responding to the DSAR;

2.1.4. co-operate with and provide reasonable assistance to the Data Controller in order for the Data Controller to respond to and comply with any DSAR, including providing any Personal Data that is not accessible by the Data Controller, within the timescales prescribed by the relevant Data Protection Legislation;

2.1.5. observe the provisions of and comply with any reasonable request made or direction given by the Data Controller in connection with the requirements of any Data Protection Legislation, in so far as they relate to the Processing of the Personal Data (including with regard to security, breach notification, impact assessments and consultations with supervising authorities or the ICO), provided always that where the Data Processor’s compliance with such requests or directions requires a change to the existing practices of the Data Processor, its Associates and/or its sub-contractors (as applicable), such compliance and change shall be at the Data Controller’s cost and it shall not be unreasonable for the Data Processor to refuse a request or direction in relation to a shared service where the consent of the Data Processor’s other customers may be required in order to make such a change.

3. Data Processing Staff

The Data Processor shall ensure that all Staff Processing Personal Data do so in accordance with applicable company policies and procedures and are bound by appropriate confidentiality obligations.

4. Records and Audit

4.1. The Data Processor agrees to:

4.1.1. maintain reasonable written records and information to demonstrate its compliance with its obligations under the Data Protection Legislation insofar as they relate to the Processing undertaken pursuant to the Agreement (DP Records);

4.1.2. subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, make available to the Data Controller the DP Records, promptly on written request;

4.1.3. immediately notify the Data Controller if, in its opinion, a request made pursuant to clause 4.1.2 infringes the Data Protection Legislation;

4.1.4. subject to the Data Controller paying the Data Processor’s reasonable costs and expenses in connection with the same, procure and ensure that such of the Staff are available to provide reasonable assistance and information as required by the Data Controller for any audits or inspections to be undertaken by or on behalf of the Data Controller pursuant to the Data Protection Legislation. Any such audits that are not related to any specific Security Breach or DSAR shall be limited to no more than once per twelve month period and the Data Controller will provide the Data Processor with no less than fourteen days written notice in advance of any audit and agree on any reasonable costs that will be incurred as a result of facilitating such audit.

5. Security and Breaches

5.1. In the event of any Security Breach, the Data Processor shall:

5.1.1. notify the Data Controller of the Security Breach without undue delay after becoming aware of the Security Breach; and

5.1.2. give all assistance reasonably required by the Data Controller to enable the Data Controller to enforce against any person that is, or may be, engaging in any unauthorised action, or acting in violation of any rights that the Data Controller has.

6. Sub-Contracting

6.1. The Data Controller consents to the Data Processor’s use of sub-contractors where necessary to provide the Services under the Agreement and in line with the Purpose or any additional written instructions.

6.2. The Data Processor confirms that it has entered or (if applicable) will enter into a written agreement with any sub-contractor on written terms that reflect the sub-contractor’s obligations under the Data Protection Legislation.

6.3. Subject to clause 6.1, the Data Processor agrees that it shall not provide any sub-contractor with access to Personal Data, or allow any sub-contractor to Process Personal Data, unless it has received prior written consent from the Data Controller (such consent may not be unreasonably withheld or delayed) or such access is specifically allowed under the Agreement.

6.4. The Data Processor shall remain responsible for any acts or omissions of any sub-contractor appointed by the Data Processor.

7. Return and Deletion of Information

7.1. The Data Controller agrees that it is responsible for deleting and erasing Personal Data and rectifying inaccurate Personal Data and warrants that it shall do so in accordance with the Data Protection Legislation.

7.2. Subject to clause 7.3 the Data Processor shall not be obliged to delete, erase or rectify any of the Customer Personal Data where it conflicts with any other legal obligations that the Data Processor is subject to.

7.3. Except to the extent that Applicable Law requires storage of the Personal Data, the Data Processor shall, if required by the Data Controller:

7.3.1. return the Personal Data to the Data Controller in accordance with the terms of the Agreement; and/or

7.3.2. securely delete the Personal Data as directed by the Data Controller.

8. Cross-border transfers of Personal Data

8.1. The Data Processor shall not transfer any Personal Data outside of the UK unless, in accordance with the Data Protection Legislation, it ensures that (i) the transfer is to a country approved as providing an adequate level of protection for Personal Data; or (ii) there are appropriate safeguards in place for the transfer of Personal Data; or (iii) binding corporate rules are in place; or (iv) one of the derogations for specific situations applies to the transfer.

9. Standard Contractual Clauses

9.1. If any Personal Data transfer between the Data Controller and the Data Processor requires execution of the European Commission’s Standard Contractual Clauses for the transfer of Personal Data (Controller to Processor) (Model Clauses) in order to comply with the Data Protection Legislation, the parties will complete all relevant details in, and execute, the Model Clauses and take other actions required to legitimise the transfer. Where there is any conflict between this Data Processing Agreement and the Model Clauses the Model Clauses shall take precedence.

9.2. The Data Processor may, at any time on not less than 30 days’ notice, request that the parties revise this Data Processing Agreement by replacing it with any standard contractual documentation provided by the ICO from time to time.

10. Notices

Where notification is required of the Supplier for any reason the Customer must email: DPO@idhl.co.uk.

Appendix 1

Details of Processing undertaken by the Supplier for Digital Marketing Services

Data Controller: The Customer

Data Processor: The Supplier

Subject matter and duration of processing: The provision of Digital Marketing Services, which may include:

- Search Engine Optimisation
- Pay Per Click
- Conversion Rate Optimisation
- Public Relations
- Media Advertising
- Paid Social
- Account Management Services

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal.

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

Nature and purpose of Processing: To provide Digital Marketing Services that aim to facilitate the online performance of a company’s website through various methods.

Type of Customer Personal Data: Please note that the list provided for each service below includes data that the Supplier may be able to Process but may not actively report on. This list may also develop over time as online platforms evolve.

Search Engine Optimisation:

- Age of website end user
- Location data
- Amount spent on products
- Onsite behaviour
- Attributions
- Operating systems
- Browsers used
- Originating campaign
- Delivery paid
- Quantity purchase
- Devices
- Search query
- Email addresses
- Site search query
- Employment
- Social Network
- Gender
- Tax paid per purchase
- Industries
- Interests/non-interests
- Transaction ID
- Internet providers
- User ID
- IP addresses
- Website hits
- Language
- Online purchases from the Customer’s website
- Time taken to purchase/consideration phase

Pay Per Click:

- Age
- Tax paid per purchase
- Amount spent on product
- Transaction ID
- Attributions
- User ID
- Browsers used
- Website hits
- Delivery paid
- Language
- Devices
- Location data
- Employment
- On site behaviour
- Gender
- Operating systems
- Industries
- Originating campaign
- Interests/non-interests
- Quantity purchase
- Internet providers
- Search query
- Online purchases from the Customer’s website
- Time taken to purchase/consideration phase

Conversion Rate Optimisation:

- Access to any Salesforce information provided by the Customer
- Any Personal Data provided by being given access to Customer software systems such as Basecamp and Trello
- Onsite behaviour
- Addresses
- Opinions, reviews and/or preferences
- Average order value
- Order values
- Browser type used
- Prospect information
- Buying behaviour
- Purchase information
- Demographic profiling
- Return users
- Device – type owned
- Screen size owned
- Email addresses
- Session recording
- Gender
- Session recording language
- New vs returning end user activity on heatmapping
- Session recording time
- Time of day access
- Time of day using website
- Session recording user ID
- User age
- Social demographics
- Website user ID
- Supply names
- Geo location obtained via heatmapping, from the Customer of past website end-users or a session recording

Public Relations:

- Address
- Age
- Blogger email
- Blogger name
- Blogger payment information
- Blogger phone numbers
- Blogger photos
- Blogger portfolio
- Blogger social media handles
- Blogger work history
- Client email
- Client name
- Client phone number
- Content / social media data
- Email address
- Employers / employment status
- Freelancer address
- Freelancer body of work / portfolio
- Freelancer email
- Freelancer name
- Freelancer payment information
- Freelancer phone number
- Freelancer photos
- Freelancer social media handles
- Freelancer work history
- Gender
- Identification name (e.g. account name or unique customer number)
- Journalist emails
- Journalist name
- Journalist phone number
- Journalist photos
- Journalists’ area of experience/expertise
- Location data
- Names
- Occupation
- Opinions, reviews, interests and/or preferences
- Payment details
- Personalised sales information
- Photographs
- Social media handles
- Survey information (opinions)
- Videos

Media Advertising:

- Browser Information
- Gender
- Content / websites visited / IAB category
- Income band
- User age
- Date visited website
- Interests
- Device Information
- Location data
- Education level
- Shopping habits / interests
- Ethnicity
- Time visited website

Paid Social:

- Address
- Job titles
- Demographic
- Location data
- Email addresses
- Name
- Friends/contact details
- Payment details
- Income range
- Personal opinions
- Interests/non-interests
- Photographs
- Telephone numbers

Account Management Services:

- Browser type of website visitors
- Client customer car registration plate
- Client address
- Client customer email addresses
- Client email address
- Client customer location
- Client name
- Client customer mobile number
- Client opinions
- Client customer phone number
- Client personal phone number
- Client customer purchase history
- Client phone number
- Demographic data of website visitors
- Client photos
- Device used of website visitors
- Client targets
- Email campaigns / CRM campaigns
- Client work history
- Geographic data of website visitors
- Client customer address
- Mobile used of website visitors
- Client customer car owned
- Operating system of website visitors
- Time of day the website is used
- Other client contacts
- Video calls
- Voice recordings

Categories of Personal Data: Data Controller Personal Data collected may include individual employee data and website end user data.

Appendix 2

Details of Processing undertaken by the Supplier for Website Development Services.

Data Controller: The Customer

Data Processor: The Supplier

Subject matter and duration of processing: The provision of Website Development Services, which may include:

- Website Design and Development
- User Research
- Hosting Services
- Account Management Service

Data Controller Personal Data will be Processed for as long as required by the Agreement and for the provision of relevant services set out in a Proposal and any subsequent specification documentation between the parties.

Personal Data relating to the Data Controller’s employees will be retained for as long as deemed necessary or required to be compliant with any Applicable Law.

Nature and purpose of Processing: To provide Website Development and Hosting Services that aim to improve the online appearance of the Customer website(s).

Type of Customer Personal Data: Please note that the list provided for each service below includes data that the Supplier may be able to Process but may not actively report on or utilise beyond it being visible to it. This list may also develop over time.

Website Development and Integrations:

- Avatar
- Gender
- Browser details
- IP address
- Cookie contents
- Job title
- Custom data
- Location data
- Debugging logs
- Organization
- Delivery status information
- Website activity data
- Passwords (hashed/encrypted)
- Access/API tokens (encrypted)
- DOB
- Payment methods
- Domain
- Purchased item data
- Email
- Social Media handles
- Email content
- Time zone
- Full name, nickname, username or Initials
- Unsubscribe details
- User agent

User Research:

- Demographic data
- NRS Social grade
- User opinions and behaviours

Hosting Services:

- Avatar
- Full name, nickname, username or Initials
- Browser details
- Gender
- Cookie contents
- IP address
- Custom data
- Job Title
- Debugging logs
- Location data
- Delivery status information
- Organization
- DOB
- Unsubscribe details
- Passwords (hashed/encrypted)
- Domain
- Payment methods
- Email
- Purchased item data
- User agent
- Social Media handles
- Website activity data
- Time zone

Account Management Services:

- Browser type of website visitors
- Client opinions
- Client address
- Client phone number
- Client avatar
- Client photos
- Client customer address
- Client targets
- Client customer car owned
- Client work history
- Client customer car registration plate
- Website domain
- Demographic data of website visitors
- Client customer email addresses
- Device used of website visitors
- Client customer location
- Video calls
- Email campaigns / CRM campaigns
- Client customer mobile number
- Client name
- Geographic data of website visitors
- Client customer phone number
- Google Account details
- Client customer purchase history
- Mobile used of website visitors
- Client devices
- Client notes of tenure
- Operating system of website visitors
- Client email address
- Opinions/preferences
- Client fax number
- Organisation
- Client job title
- Organisation department
- Voice calls and recordings
- Other client contacts
- Telephone number
- Social Media handles
- Time of day the website is used

Categories of Personal Data: Data Controller Personal Data collected may include individual employee data and website end user data.