DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) sets out the terms and conditions on which SourceBreaker will process personal data when providing services to the Customer (“Services”), including under the services agreement entered into between the parties and any renewals, extensions, variations thereof and/or any other written agreements for services entered into between the Parties from time to time (the “Agreement”).  By entering into the Agreement the parties agree to be bound by this DPA which shall form part of the Agreement and shall reflect the parties’ agreement with respect to the processing of Customer Personal Data.

The Customer enters into this DPA on behalf of itself and its Affiliates, unless otherwise specified in the Agreement.  For the purpose of this DPA, and except where indicated otherwise, the term “Customer” shall include Customer and its Affiliates. 

Definitions

The rules of interpretation and definitions set out in this clause 1 shall apply to this DPA.

In this DPA, the following capitalised terms shall have the meanings given to them in this clause 1.  Any other capitalised terms used in this DPA but not defined shall have the meaning given to them in the Agreement. 

 

In this DPA the terms “process”, “processing”, “personal data”, “data subject”, “controller” and “processor” shall have the meanings given to them in the UK GDPR.

The Data Processing Schedule (and any changed, new or supplementary Data Processing Schedule) forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Data Processing Schedule (and any changed, new or supplementary Data Processing Schedule).

Roles of the Parties

The parties acknowledge and agree that in relation to Customer Personal Data for the purposes of Data Protection Legislation:

the Customer is a controller;

SourceBreaker is:

a controller of any personal data it uses for the purpose of: (i) managing the parties’ commercial relationship; or (ii) monitoring, reviewing, improving and developing its performance, products and Services under the Agreement; and

a processor with respect to any other processing under the Agreement;

to the extent SourceBreaker processes any Customer Personal Data as a controller, it shall process the personal data solely for the purposes set out in clause 2.1.2(a) above, in accordance with its privacy policy (available on the SourceBreaker website and on request), strictly in accordance with Data Protection Legislation and clauses 1 and 11 to 14 of this DPA shall apply.

to the extent SourceBreaker processes any Customer Personal Data as a processor, the Data Processing Schedule sets out the subject matter, duration, nature and purpose of processing of Customer Personal Data and the categories of personal data and type of data subjects in respect of which SourceBreaker may process personal data as a processor in connection with SourceBreaker’s provision of the Services and the entirety of this DPA shall apply; and

If the determination set out in or any details referred to in clause 2.1 change, the parties shall work together in good faith to agree any changes which are necessary to this DPA or any related Data Processing Schedule (which may include preparing a new or supplementary Data Processing Schedule which will be binding on the Parties when agreed in writing by both parties).

Processing Customer Personal Data

SourceBreaker shall process Customer Personal Data only on and in accordance with the documented instructions of the Customer from time to time (which shall include, without limitation, processing the Customer Personal Data for the purposes set out in the Agreement and the Data Processing Schedule), save where SourceBreaker is required by Data Protection Legislation to otherwise process that Customer Personal Data.  SourceBreaker shall inform the Customer if, in the opinion of SourceBreaker, the instructions of the Customer infringe Data Protection Legislation.

Customer shall retain control of the Customer Personal Data and remain responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to:

ensuring that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer Personal Data to SourceBreaker;

the lawfulness of the processing instructions it gives to SourceBreaker;

having sole responsibility for the accuracy and quality of Customer Personal Data; and

hereby warranting that:

SourceBreaker’s expected use of the Customer Personal Data in connection with the Services and as specifically instructed by the Customer will comply with the Data Protection Legislation; and

it is and will at all relevant times remain duly authorised on behalf of each relevant Customer Affiliate to give instructions to SourceBreaker in relation to the Customer Personal Data.

SourceBreaker Security and Personnel

SourceBreaker shall maintain appropriate technical and organisational measures designed to protect against unauthorised or unlawful processing of the Customer Personal Data and against accidental loss or destruction of, or damage to, any Customer Personal Data.  Such measures shall be appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

SourceBreaker shall:

regularly monitor compliance with the measures referred to in clause 4.1;

ensure that its personnel engaged in the processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are obliged to keep the Customer Personal Data confidential; and

ensure that access to Customer Personal Data is limited to those personnel performing Services.

Customer Data Incident Management And Notification

SourceBreaker shall notify Customer without undue delay (and in any event in accordance with such timelines as required by applicable Data Protection Legislation) if it becomes aware of any accidental or unlawful destruction, damage, loss, corruption of, and/or any accidental, unauthorised or unlawful disclosure of, or access to, any Customer Personal Data that is processed by SourceBreaker or its subcontractors (a “Customer Data Incident”).

Where SourceBreaker becomes aware of any Customer Data Incident, it shall:

without undue delay, provide the Customer with a reasonable description of the nature of the Customer Data Incident including where relevant any measures taken or proposed to be taken to address the Customer Data Incident;

make reasonable efforts to identify the cause of such Customer Data Incident; and

to the extent that remediation of the Customer Data Incident is within SourceBreaker’s reasonable control, take such commercially reasonable steps as SourceBreaker deems necessary in order to remedy the cause of such a Customer Data Incident.  The parties acknowledge and agree that SourceBreaker shall not be liable for costs arising from a Customer Data Incident to the extent such costs are not directly caused by a breach of SourceBreaker’s obligations under this DPA.

The parties agree that in the event of a Customer Data Incident occurring, the Customer has the sole right and responsibility to determine whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Customer Data Incident to any data subjects, the Information Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation.

Data Subject Requests And Complaints

SourceBreaker shall notify Customer without undue delay if SourceBreaker receives:

a request from a data subject to exercise the data subject’s rights under Data Protection Legislation in relation to any Customer Personal Data (“Data Subject Request”); or

any complaint, notice or communication that relates to the processing of the Customer Personal Data or to either party’s compliance with the Data Protection Legislation.

SourceBreaker shall insofar as reasonably practicable (taking into account the nature of the processing and the information available to SourceBreaker) and at the Customer’s cost and written request:

assist the Customer in responding to any Data Subject Request; and

assist the Customer in ensuring the Customer’s compliance with its obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

Return And Deletion Of Customer Data

SourceBreaker shall, at any time on the request of Customer (including where such request is made on termination of any Services Agreement), delete or return all Customer Personal Data to Customer, save to the extent SourceBreaker is required to retain or otherwise process such Customer Personal Data for compliance with applicable laws or regulatory requirements.

Records And Audit

SourceBreaker shall maintain records that are sufficient to demonstrate its compliance with its obligations under this DPA and shall provide copies of such records (after redacting any confidential and commercially sensitive information) to the Customer within a reasonable period following any written request from the Customer.

To the extent that:

the measures set out in clause 8.1 are not sufficient to demonstrate SourceBreaker’s compliance with its obligations under this DPA; and

the Customer is not provided with information and audit rights that satisfy the relevant requirements of Data Protection Legislation in the Agreement,

SourceBreaker shall also provide reasonable cooperation and assistance to the Customer in relation to any request by the Customer for an independent audit to be conducted of SourceBreaker’s compliance with its obligations under this DPA. Any such independent audit shall be carried out in accordance with clause 8.3.

In the event the Customer wishes for an independent audit to be conducted (as contemplated by clause 8.2) the parties shall mutually agree on the infrastructure and systems used by SourceBreaker to process the Customer Personal Data that shall form part of the audit and only to the extent reasonably required to assess SourceBreaker’s compliance with its obligations under this DPA, and subject to the following conditions:

SourceBreaker must be provided with at least 4 weeks’ prior written notice and, subject to receiving such notice, such audit must be within SourceBreaker’s normal working hours.  In this regard, the parties agree:

SourceBreaker shall be entitled to redact commercially confidential or sensitive information contained in records requested to be inspected; and

subject to the prior consent of SourceBreaker, the Customer shall be permitted access to SourceBreaker’s necessary premises or systems that are used for storing or processing Customer Personal Data, provided that the Customer agrees to minimise any disruption caused to SourceBreaker’s business activities as a result of such audit and enter into appropriate confidentiality agreements in advance in a form acceptable to SourceBreaker;

all costs of any audit, including the appointment of any independent auditor, will be borne by Customer;

an audit shall take place no more than once in any calendar year unless and to the extent that Customer (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by SourceBreaker, in which case Customer and SourceBreaker will agree an appropriate alternative timescale; and

all information obtained pursuant to any audit contained in any audit report shall be maintained in confidence by the Customer and may not be disclosed to any third party (except if and to the extent required by Data Protection Legislation).

Subcontractors

The Customer (on behalf of itself and each Customer Affiliate) hereby provides its prior, general authorisation for SourceBreaker to appoint (and permit each subcontractor appointed in accordance with this clause 9 to appoint) subcontractors to process the Customer Personal Data, provided that SourceBreaker shall:

ensure that the terms on which it appoints such subcontractors comply with Data Protection Legislation and are substantially similar to the obligations imposed on SourceBreaker in this DPA;

remain responsible for the acts and omissions of any such subcontractors as if they were the acts and omissions of SourceBreaker; and

use its reasonable endeavours to inform the Customer in advance of any addition or replacement of the subcontractors (which may be done by a notice on SourceBreaker’s website and/or platform), including details of the processing to be undertaken by the Subcontractor. If, within 10 (ten) business days of receipt of that notice, Customer notifies SourceBreaker in writing of any objections to the proposed appointment (on reasonable grounds, such as due to an actual or likely breach of Data Protection Legislation), SourceBreaker shall not appoint (or disclose any Customer Personal Data to) that proposed subcontractor until reasonable steps have been taken to address the objections raised by the Customer and Customer has been provided with a reasonable written explanation of the steps taken.

The Customer acknowledges and agrees that, as of the date of this DPA, SourceBreaker engages certain approved subcontractors in connection with its provision of the Services, and the Customer agrees to the use of such subcontractors, a list of which can be provided on request.

Cross-border Transfers

The Customer hereby provides its prior, general authorisation for SourceBreaker to transfer Customer Personal Data outside of the United Kingdom as required for the purposes of processing the Customer Personal Data, provided that the following conditions are satisfied:

SourceBreaker shall ensure that appropriate safeguards are provided in relation to the transfer (and, in this regard, the Customer shall promptly comply with any reasonable request of SourceBreaker, including any request to enter into standard data protection clauses adopted by the Information Commissioner from time to time (where the UK GDPR applies to the transfer) or adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer));

the data subject has enforceable rights and effective legal remedies; and

the data importer complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred.

The parties acknowledge that they shall agree in good faith to revise this clause 10 by replacing it with any applicable standard clauses or similar terms adopted by the Information Commissioner to govern the transfer of Customer Personal Data outside the United Kingdom as required.

Limitation Of Liability

Nothing in this DPA shall limit or exclude the liability of either party:

for death or personal injury caused by its negligence, or the negligence of its personnel, agents or sub-contractors;

for fraud or fraudulent misrepresentation; or

for any other liability which cannot be limited or excluded by applicable law.

Subject to clause 11.1, the total aggregate liability of each party (including its Affiliates) to the other party (including its Affiliates) in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this DPA and/or compliance with Data Protection Legislation shall be limited to £10,000 unless liability is covered in the Agreement in which case the amount set out in the “Limitation of Liability” clause of the Agreement shall apply.  Any reference in the “Limitation of Liability” clause of the Agreement to the liability of a party shall mean the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA together.

Notices

Except as stated in clause 9.1.3 and 12.2, any notice given under this DPA shall be provided in accordance with the “Notices” section of the Agreement. 

Clause 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Status

This DPA is subject to the terms of, and is incorporated into, the Agreement (including any extensions, renewals, modifications, variations or other dealings of the Agreement).  In the event that the Agreement has terminated or expired but the Customer has requested and/or instructed SourceBreaker to continue to process personal data on the Customer’s behalf, any such processing shall be carried out in accordance with the terms and conditions of this DPA (and any reference herein to any provision of the Principal Agreement or other Services Agreement shall be deemed to be a reference to the applicable provision as if the Principal Agreement or other Services Agreement had not terminated or expired).

This DPA and any relevant provisions of the Agreement contain the entire agreement and understanding between the parties in relation to the processing of Customer Personal Data and supersedes any prior arrangements, agreements, understandings or representations whether oral or written between the parties relating to the subject matter of this DPA. 

In the case of conflict or ambiguity between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail.

Governing Law And Jurisdiction

This DPA and any non-contractual obligations arising out of it shall be governed by and construed in accordance with the laws of England and Wales and each party agrees to submit to the exclusive jurisdiction of the English courts to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation.

Data Processing Schedule

This Data Processing Schedule sets out certain particulars regarding the processing of Customer Personal Data and forms part of, and is incorporated into, the DPA between the Parties.