Cloud2020 Data Processing Agreement
BETWEEN:
(1) CLOUD2020 LIMITED of Nexus House, 32 Bath Road, Stonehouse, Gloucestershire, GL10 2JA (Cloud2020); (the Processor) and
(2) The Controller
Background
(A) This Agreement is to ensure there is in place proper arrangements relating to personal data passed from the Controller to the Processor.
(B) This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.
(C) The parties wish to record their commitments under this Agreement.
It is Agreed as Follows:
- Definitions and Interpretation
In this Agreement:
“Data Protection Laws” means the Data Protection Act 1998, together with successor legislation incorporating GDPR;
“Data” means personal data passed under this Agreement, being potential customer and customer contact details;
“GDPR” means the General Data Protection Regulation;
“Services” means Marketing Services.
- 2. Data Processing
XXXX is the data controller for the Data and Cloud2020 is the data processor for the Data. Cloud2020 agrees to process the Data only in accordance with Data Protection Laws and on the following conditions:
- The Processor shall only process the Data (i) on the written instructions from the Controller and (ii) only process the Data for completing the Services;
- The Processor shall ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
- The Controller and the Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR, details of those measures are set out under Part A of the Annex to this Agreement (Article 28, para 3(c) GDPR);
- The Processor may involve third parties in the processing of the Data as part of this agreement. Those third parties are also governed by the agreement and will comply with all relevant Articles and requirements of Data Protection Laws.
- The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of the Controller’s obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc (Article 28, para 3(e) GDPR), this may be subject to additional charges which will be communicated to the Controller by way of quotation;
- The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the ICO etc, taking into account the nature of processing and the information available to the Processor (Article 28, para 3(f) GDPR);
- The Processor shall, safely delete or return the Data at any time. [It has been agreed that the Processor will in any event securely delete the Data at the end of the Services]. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless otherwise a legal requirement exists to retain the Data. Where there is a legal requirement the Controller will prior to entering into this Agreement confirm such an obligation in writing to the Processor on request.
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for, and contribute to, any audits, inspections or other verification exercises required by the Controller from time to time, with prior notification and agreement (Article 28, para 3(h) GDPR);
- arrangements relating to the secure transfer of the Data from the Processor to the Controller and the safe keeping of the Data by the Processor are detailed under our Data Privacy and Protection Policy.
- The Processor shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and
- The Processor shall immediately contact the Controller if there is any personal data breach or incident where the Data may have been compromised.
- Termination
The Processor may immediately terminate this Agreement on written notice to the Controller.
- General
- This Agreement may only be varied with the written consent of both parties.
- For the purposes of this Agreement the representatives of each party are detailed below.
- This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws.
- This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.