Data Processing Addendum
The following terms apply to our customers wishing to retain the services of ParaCode Ltd as a Data Processor, in accordance and compliance with the relevant Data Protection Legislation, unless and until:
- i) an overriding customer-specific agreement replaces these terms, or
- ii) the GDPR is no longer directly applicable in the UK.
This Data Processing Agreement forms a new appendix to any existing contracts or agreements between ParaCode and its customers.
- Our obligations as a Processor – general principles
- The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer (or “you”) is the data controller and ParaCode (or “we”) is the data processor (where “Data Controller” and “Data Processor” have the meanings as defined in the Data Protection Legislation).
- The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to ParaCode for the duration and purposes of this Agreement.
- We shall, in relation to any Personal Data processed in connection with the performance of the Services, process such Personal Data exclusively on documented lawful instructions from you and in accordance with the relevant ‘Software Development Agreement’, ‘Support and Maintenance Agreement’ and/or ‘Web Hosting Agreement’ and as modified from time to time by the written agreement of the parties, unless we are required by the laws of any member of the European Union or by the laws of the European Union applicable to ParaCode to process Personal Data (“Applicable Laws”).
- Where ParaCode is relying on the laws of a member of the European Union or European Union law as the basis for processing Personal Data, we shall promptly notify you of this before performing the processing required by the Applicable Laws, unless those Applicable Laws prohibit us from so notifying you.
- Unless otherwise defined in this Schedule, any capitalised term shall have the meaning ascribed to it in the terms & conditions to the relevant ‘Software Development Agreement’, ‘Support and Maintenance Agreement’ and/or ‘Web Hosting Agreement’.
- Processing your data – technical and organisational measures
- We will process and safeguard Personal Data with appropriate technical and organisational measures (with regard to storage, computing, network access, transfer, input, order and availability control) to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. These measures will be appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and to the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. They may include, where appropriate, pseudonymising and encrypting Personal Data; ensuring the confidentiality, integrity, availability and resilience of our systems and services; ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and regularly assessing and evaluating the effectiveness of the technical and organisational measures we have adopted. Our protective measures at present include file encryption software, firewalls, secure FTP for file transfer, and ISO 27001 approved digital storage servers. We build these into our working practices via a range of internal policies and procedures, including our Data Handling Policy, Data Security Policy and Passwords Policy. These policies are available for inspection on request. Our protective measures also apply when Personal Data is processed in the home offices of any of our staff.
- We will always use anonymisation when processing Personal Data, to the greatest extent possible whilst retaining a practical methodology. The specific measures used to achieve this will be explained and discussed with you in advance of any data transfer, and your agreement obtained as to their suitability and the level of risk identified. We will also take into account the findings of any relevant privacy/data protection impact assessment carried out by you.
- We will not transfer or authorise the transfer of your Personal Data to countries outside the EU and/or the European Economic Area (EEA) unless the Customer has given prior consent and the following conditions are fulfilled: (i) the Customer or ParaCode has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) ParaCode complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and (iv) ParaCode complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.
- We shall only allocate to the processing of Personal Data those of our employees who are informed about, and trained in, the Data Protection Legislation and related guidance, and we shall ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
- Monitoring and control of processing
- At your request, we shall give you sufficient information to allow you to monitor and document our implementation of the necessary technical and organisational security measures. We will maintain a record of all categories of processing carried out under this Agreement. Such records shall include the name and contact information of our responsible employee and of the Data Protection Manager (if applicable), and the nature/subject matter, purpose, duration and categories of processing carried out by us or by any sub-processors.
- We will, on reasonable notice and at a mutually agreed time, give you access to our offices/physical facilities to inspect and view how processing is undertaken. This access will also be granted to representatives of the ICO, if requested.
- Information security and/or data breach
- We shall notify you without undue delay on becoming aware of a Personal Data breach. We shall notify you of the background to the Personal Data breach and its extent and potential consequences, any circumstantial facts and measures taken that may limit the extent of the breach, and information about the initiatives taken to safeguard against future security breaches. These measures are documented in our Security Incident and Data Breach Policy, available on request.
- Your obligations as a Controller
- ParaCode will assist the Customer, at the Customer’s cost, in responding to any request from a Data Subject (as defined in the Data Protection Legislation) and in ensuring compliance with the Customer’s obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
- Use of other data Processors/sub-Processors
- The Customer will not unreasonably withhold, delay or condition any consent to ParaCode appointing a third-party processor of Personal Data under this Agreement, provided that ParaCode confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this Schedule.
- We will inform you of our intention to appoint any further third-party processors or sub-processors, beyond those mentioned at clause 6.1, with full details of the work they will undertake together with all contact details.
- As between the Customer and ParaCode, we will remain fully liable to you for the performance of any sub-processor’s obligations and for all acts or omissions of any third-party processor appointed by us pursuant to this clause 6.
- Return and Deletion of Personal Data
- Upon written instruction from you, and pursuant to the relevant provisions of statutory law and the principles of the GDPR (including data minimisation, accuracy and storage limitation), we shall facilitate the correction, deletion and transfer of Personal Data processed on your behalf, unless we are required by Applicable Law to store the Personal Data.
- Upon termination of the Agreement, should no such instruction be received, we shall retain all Personal Data files (including data/deliverables held on cloud-based servers, all intermediate files created during the data processing and any manual files) securely for a maximum period of 90 days.
- You accept that the return/deletion of all created and working files and Personal Data will mean that we no longer hold copies of any source data or of any deliverables, reports and populated databases. The cost of recreating any of these items will therefore need to be negotiated under a separate, additional contract for services.