Data Processing Agreement

Background

(A) Compleat has granted the Customer a licence to use certain software and has also agreed as an adjunct to that licence to provide Data Processing Services (which includes processing Personal Data on behalf of the Customer).

(B) Under paragraph 3 of Article 28 to the General Data Protection Regulation (EU Regulation 2016/679, GDPR) the Customer is required to put a written agreement in place with any organisation which processes Personal Data on its behalf governing the processing of that data. Compleat is such an organisation and this Data Processing Agreement constitutes such written agreement for the purposes of that Article.

(C) The terms of this Data Processing Agreement apply to all processing of Personal Data carried out for the Customer by Compleat and to all Personal Data held by Compleat in relation to all such processing.

OPERATIVE PROVISIONS

1 Definitions and Interpretation

1.1 In this Data Processing Agreement, unless the context otherwise requires, the following expressions have the following meanings:

Data Processing Agreement means the agreement between Compleat and the Customer recorded in this document (including the Background section and its Schedule) as amended or supplemented from time to time;

Data Processing Services refers to the data processing services agreed to be provided to the Customer by Compleat;

data subject has the meaning given to the term “data subject” in Article 4 of the GDPR;

ICO means the UK’s supervisory authority, the Information Commissioner’s Office;

Personal Data means all personal data (as defined in Article 4 of the GDPR) as is, or is to be, processed by Compleat on behalf of the Customer, as described in the Schedule;

processing has the meaning given to the term “processing” in Article 4 of the GDPR; and

Sub-Processor means another processor appointed by Compleat for carrying out specific processing activities on behalf of the Customer.

1.2 Unless the context otherwise requires, each reference in this Data Processing Agreement to:

1.2.1 “writing” includes electronic communication (but not facsimile transmission), and the expression “written” shall be construed accordingly (provided that the burden of proof of delivery of an electronic communication shall fall on the party seeking to rely on it);

1.2.2 a statute or a provision of a statute includes all subordinate legislation made under that statute or provision of a statute, as well as that statute, statutory provision or subordinate legislation as the same may be amended, re-enacted or replaced from time to time;

1.2.3 a “Clause” is to a clause of the corresponding number in this document;

1.2.4 any party includes that party’s successors and permitted assigns;

1.2.5 a person includes a natural person or a corporate or unincorporated body (whether or not having separate legal personality); and

1.2.6 a company includes any company, corporation or other body corporate, whether or not having separate legal personality.

1.3 The headings used in this Data Processing Agreement are for convenience only and shall have no effect upon the interpretation of this Data Processing Agreement.

1.4 Words denoting the singular number shall include the plural and vice versa; and references to any gender include a reference to other genders.

1.5 Any words in this Data Processing Agreement following the expressions “include”, “including”, “in particular” or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those expressions.

2 Scope and Application of this Data Processing Agreement

2.1 The provisions of this Data Processing Agreement apply to the processing of the Personal Data described in the Schedule, carried out for the Customer by Compleat (and to all Personal Data held by Compleat in relation to all such processing) whether such Personal Data is held at the date of this Data Processing Agreement or received afterwards.

2.2 The provisions of this Data Processing Agreement supersede any other arrangement, understanding, or agreement including, but not limited to, any licence of software made between the Customer and Compleat at any time relating to the Personal Data.

2.3 This Data Processing Agreement shall continue in full force and effect for so long as Compleat is processing Personal Data on behalf of the Customer.

2.4 Nothing in this Data Processing Agreement operates to impose any obligation or liability on (or limit any action of) Compleat beyond such obligation, liability or limitation that Compleat has, or is required to accept, by operation of applicable law or regulation.

2.5 Nothing in this Data Processing Agreement operates to prevent Compleat from extracting, using and retaining anonymised (and, where appropriate, aggregated) data to the extent that such extraction and use is lawful.

3 Provision of Data Processing Services and Processing Personal Data

3.1 Compleat agrees that save as required by law or competent authority it shall only process Personal Data received from the Customer for the purposes of providing Data Processing Services or as otherwise instructed (whether specifically or generically) by the Customer.

3.2 Customer agrees not to instruct Compleat to do anything which is or may be in breach of any requirement of the GDPR (or other applicable law). Compleat shall be required to act only on instructions given by the Customer in writing.

3.3 Subject always to taking such steps as Compleat reasonably considers appropriate to ensure that it is able to comply with laws and applicable regulations, Compleat shall to the extent that it is reasonably able promptly comply with any express written request from the Customer requiring Compleat to amend or delete Personal Data.

3.4 Compleat shall transfer all Personal Data to the Customer on the Customer’s request in such format as the Customer may reasonably request in writing. Compleat reserves the right to levy a reasonable charge for the provision of such data taking into account the format required by the Customer.

3.5 Compleat and the Customer shall each implement policies designed to ensure compliance with the GDPR and other applicable laws and shall take reasonable precautions to protect themselves in such way as to cause neither of them to breach any of their respective obligations under the GDPR.

3.6 The Customer agrees to ensure that the Personal Data (and its collection, holding and processing of Personal Data) shall comply with the requirements of the GDPR.

3.7 Compleat agrees to comply with any reasonable measures requested in writing by the Customer to ensure that Compleat’s obligations under this Data Processing Agreement are satisfactorily performed to the extent required to ensure compliance with applicable legislation from time to time in force (including, but not limited to, the GDPR) and any best practice guidance issued by the ICO (provided that Customer shall reimburse to Compleat all third-party costs that Compleat incurs in doing so).

3.8 Compleat shall so far as it is able provide all reasonable assistance (at the Customer’s cost) to the Customer in complying with the Customer’s obligations under the GDPR with respect to the security of processing, the notification of Personal Data breaches, the conduct of data protection impact assessments, and in dealings with the ICO.

3.9 When processing the Personal Data on behalf of the Customer, Compleat shall:

3.9.1 process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Customer or as may be required by law (in which case, Compleat shall inform the Customer of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);

3.9.2 implement appropriate technical and organisational measures, and take all steps as are reasonably necessary to protect the Personal Data against foreseeable unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure in accordance with generally accepted industry standards. Compleat shall inform the Customer in advance of any material changes to such measures that it implements;

3.9.3 if so requested by the Customer supply reasonable details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;

3.9.4 keep detailed records of all processing activities carried out on the Personal Data in accordance with the requirements of Article 30(2) of the GDPR;

3.9.5 make available to the Customer any and all such information as is reasonably required and necessary to demonstrate Compleat’s compliance with the GDPR;

3.9.6 on reasonable prior notice, submit to audits and inspections and provide the Customer with any information reasonably required in order to assess and verify compliance with the provisions of this Data Processing Agreement and the Customer’s and Compleat’s compliance with the requirements of the GDPR. The requirement to give notice will not apply if the Customer believes that Compleat is in breach of any of its obligations under this Data Processing Agreement or under the law; and

3.9.7 inform the Customer immediately if it is asked to do anything that infringes the GDPR or any other applicable data protection legislation.

4 Data subject access, complaints, and breaches

4.1 Compleat shall, at the Customer’s cost, assist the Customer in complying with its obligations under the GDPR. In particular, the following shall apply to data subject access requests, complaints, and data breaches.

4.2 Compleat shall notify the Customer without undue delay if it receives:

4.2.1 a subject access request from a data subject related to the services provided under this Data Processing Agreement; or

4.2.2 any other complaint or request relating to the processing of the Personal Data pursuant to this Data Processing Agreement.

4.3 Compleat shall, at the Customer’s cost, cooperate fully with the Customer and assist as reasonably requested in relation to any subject access request, complaint, or other request, including by:

4.3.1 providing the Customer with full details of the complaint or request;

4.3.2 providing the necessary information and assistance in order to comply with a subject access request;

4.3.3 providing the Customer with any Personal Data it holds in relation to a data subject (within the timescales required by the Customer); and

4.3.4 providing the Customer with any other information requested by the Customer.

4.4 Compleat shall notify the Customer immediately if it becomes aware of any form of Personal Data breach as a result of its dealing with Personal Data, including any unauthorised or unlawful processing, loss of, damage to, or destruction of any of the Personal Data.

5 Liability and Indemnity

5.1 The Customer shall be liable for, and shall indemnify (and keep indemnified) Compleat in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, Compleat and any Sub-Processor arising directly or in connection with:

5.1.1 any non-compliance by the Customer with the GDPR or other applicable legislation;

5.1.2 any Personal Data processing carried out by Compleat or Sub-Processor in accordance with instructions given by the Customer that infringe the GDPR or other applicable legislation; or

5.1.3 any breach by the Customer of its obligations under this Data Processing Agreement.

5.2 Subject always to Clauses 3.6 and the following provisions of this Clause 5, Compleat shall be liable to the Customer in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or reasonably agreed to be paid by, the Customer arising directly as a result of Compleat’s Personal Data processing activities the subject of this Data Processing Agreement being in material breach of this Data Processing Agreement provided however that it shall:

5.2.1 be liable only to the extent that the liability results from Compleat’s or a Sub-Processor’s breach of this Data Processing Agreement; and

5.2.2 not be liable to the extent that the liability is or is contributed to by any breach of this Data Processing Agreement or any rule of law by the Customer or any of its agents.

5.3 The Customer shall not be entitled to claim back from Compleat or any Sub-Processor any sums paid in compensation by the Customer in respect of any damage to the extent that the Customer is liable to indemnify Compleat or Sub-Processor under this Data Processing Agreement.

5.4 Nothing in this Data Processing Agreement shall relieve Customer or Compleat of, or otherwise affect, the liability of either of them to any data subject, or for any other breach of its own direct obligations under the GDPR. Compleat acknowledges that if it were to fail to comply with its obligations as a data processor under the GDPR it may be rendered subject to the fines, penalties, and compensation requirements set out in the GDPR.

6 Intellectual Property Rights

All copyright, database rights, and other intellectual property rights subsisting in the Personal Data made available to Compleat for the purposes of providing Data Processing Services (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Customer or Compleat) shall belong to the Customer or to any other applicable third-party from whom the Customer has obtained the Personal Data under licence (including, but not limited to, data subjects, where applicable). Compleat is licensed to use such Personal Data under such rights as are provided in any other agreement between the Customer and Compleat and for the purposes of providing the Data Processing Services in accordance with this Data Processing Agreement.

7 Confidentiality

7.1 Compleat shall to the extent required by law maintain the Personal Data in confidence, and in particular, unless the Customer has given written consent for Compleat to do so, Compleat shall not disclose any Personal Data supplied to Compleat by, for, or on behalf of, the Customer to any third-party. Compleat shall not process or make any use of any Personal Data supplied to it by the Customer otherwise than as permitted by any other agreement between the Customer and Compleat or as required in connection with the provision of Data Processing Services to the Customer.

7.2 Compleat shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.

7.3 Nothing in this Data Processing Agreement shall prevent either the Customer or Compleat from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the relevant party required to disclose shall notify the other of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

8 Use of Sub-Processors

8.1 The Customer agrees that Compleat may appoint Sub-Processors to assist it in providing Data Processing Services and processing Personal Data provided that such Sub-Processors:

8.1.1 agree to act only on Compleat’s instructions when processing the Personal Data (which instructions shall be consistent with the Customer’s processing instructions to Compleat); and

8.1.2 agree to protect the Personal Data to a standard consistent with the requirements of this Data Processing Agreement, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they process.

8.2 Compleat agrees that it shall remain liable to the Customer for the processing services subcontracted by it to any Sub-Processors. Compleat shall maintain an up-to-date list of the names and location of all Sub-Processors used for the processing of Personal Data under this Data Processing Agreement which is available to the Customer upon request to “privacy@Compleatsoftware.com”. Wherever practicable Compleat shall inform the Customer about any new Sub-Processor to be appointed at least 30 days prior to the date on which the Sub-Processor shall commence processing Personal Data.

8.3 If the Customer objects to the processing of Personal Data as part of the Data Processing Services by any newly appointed Sub-Processor as described in Clause 8.2, it shall inform Compleat immediately and Compleat will then either (a) instruct the Sub-Processor to cease any further processing of Customer’s Personal Data (and this Data Processing Agreement shall continue unaffected), or (b) may itself terminate the Data Processing Agreement (or allow the Customer to terminate this Data Processing Agreement (and any related services agreement with Compleat) immediately). If this Data Processing Agreement is terminated, Compleat shall have no further obligation to provide any of the Data Processing Services.

8.4 In addition, in providing Data Processing Services Compleat may provide links to, or integrations with, third-party data processing services, including, without limitation, certain third-party data processing services which may be integrated directly into Customer’s use of Data Processing Services. If the Customer elects to enable, access or use such third-party data processing services, its access and use of such third-party data processing services is governed solely by the terms and conditions and privacy policies of such third-party data processing services, and Compleat does not endorse, is not responsible or liable for, and makes no representations as to any aspect of such third-party data processing services, including, without limitation, their content or the manner in which they handle Personal Data or any interaction between the Customer and the provider of such third-party data processing services. Customer accepts that Compleat is not liable for any damage or loss caused (or alleged to be caused) by or in connection with the Customer’s enablement, access or use of any such third-party data processing services, or the Customer’s reliance on the privacy practices, data security processes or other policies of such third-party data processing services. The providers of third-party data processing services shall be deemed not to be “Sub-Processors” for any purpose under this Data Processing Agreement.

8.5 The Customer acknowledges that Compleat and its Sub-Processors may maintain data processing operations in countries that are within the EEA but outside of the United Kingdom. As such, both Compleat and its Sub-Processors may process Personal Data in these territories, if such processing is necessary to provide support-related or other services requested by the Customer.

8.6 If Compleat permits any Sub-Processor to process Personal Data outside the EEA (or does so itself), Compleat and its Sub-Processor shall comply with the requirements of the EU Commission’s Controller-to-Processor Model Clauses (annexed to EU Commission Decision 2010/87/EU). The Customer and Compleat have agreed to practical interpretations of certain provisions contained within the Controller-to-Processor Model Clauses, as permitted by the Article 29 Working Party and the amendments expected from the Article 29 Working Party in connection with the requirements of the GDPR.

9 Deletion and/or Disposal of Personal Data

9.1 Compleat shall, at the written request of the Customer, delete (or otherwise dispose of) the Personal Data or return it to the Customer in the format(s) reasonably requested by the Customer (where Compleat reserves the right to levy a reasonable charge for the provision of such data taking into account the format required by the Customer) within a reasonable time after the earlier of the following:

9.1.1 the end of the provision of Data Processing Services under the Compleat Licence and Data Processing Agreement; or

9.1.2 the processing of that Personal Data by Compleat is no longer required for the performance of Compleat’s obligations under this Data Processing Agreement or any other agreement between the Customer and Compleat.

9.2 Following the deletion, disposal, or return of the Personal Data under Clause 9.1, Compleat shall delete (or otherwise dispose of) all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case Compleat shall inform the Customer of such requirement(s) in writing. Compleat shall have no further liability or obligation in respect of Personal Data which has been so deleted.

10 Law and Jurisdiction

10.1 This Data Processing Agreement (including any non-contractual matters and obligations arising in relation to it) shall be governed by, and construed in accordance with, the laws of England and Wales.

10.2 Any dispute, controversy, proceedings or claim between the Customer and Compleat relating to this Data Processing Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

11 Purpose of agreement

11.1 Nothing in this Data Processing Agreement will be construed as placing an obligation on Compleat that it is not by law obliged to accept (and any such provision shall not be construed as creating a binding obligation on Compleat). If and to the extent that any provision of this Data Processing Agreement contradicts applicable law, the applicable law shall apply.

12 Data Protection Officer

12.1 Compleat shall appoint a data protection officer where such appointment is required by applicable laws and regulations. The appointed person(s) may be reached at privacy@compleatsoftware.com.

13 Duration

13.1 This Data Processing Agreement will remain in force as long as Compleat processes Personal Data on behalf of the Customer under this Processing Agreement.

Schedule

Personal Data processing purposes and details

Subject matter: The subject matter of the data processing under this Data Processing Agreement is the processing of Personal Data for the purpose of or in connection with the provision of Data Processing Services to the Customer.

Duration: As between Compleat and the Customer, the duration of the processing of Personal Data under this Data Processing Agreement shall be until the sooner of the expiration or termination of (i) all other agreements between the Customer and Compleat pursuant to which the Data Processing Services are provided and (ii) this Data Processing Agreement.

Purpose: The purpose of the processing of Personal Data under this Data Processing Agreement is the provision of services by Compleat to the Customer for the Customer to better enjoy the benefits of software licensed to Customer by Compleat.

Categories of Data Subject:
- The Customer’s users of the Data Processing Services (“Users”);
- Any individual suppliers or supplier contacts of the Customer (“Suppliers”).

Nature of the processing: Processing of Personal Data relating to Users and Suppliers.

Types of Personal Data processed: Users’ names and emails (and other contact information) and Suppliers’ names, emails, phone numbers, home addresses, VAT statuses, order items and other financial information.

Contact details of our Data Privacy Officer:

Contact Name:  Mark Blakemore
Address line 1:  1 Watervole Way
Address line 2:  Doncaster
Address line 3:  South Yorkshire
Address line 4:  DN4 5JP
Email:  mark.blakemore@compleatsoftware.com