Data Processing Agreement (as the processor)
THIS AGREEMENT is BETWEEN the company set out in the Pricing Agreement and Terms & Conditions (hereinafter referred to as the “Company”);
AND Speakserve Limited trading as babl, a company incorporated in England with registered number 07640707, whose registered office is at 85 Fleet Street, London, EC4Y 1AE (hereinafter referred to as “babl”),
the Company and babl jointly referred to as the “Parties”.
- Company and babl entered into a Pricing Agreement and Terms & Conditions on the date set out in the Pricing Agreement (hereinafter referred to as the “Principal Agreement”). This Data Processor Agreement (hereinafter referred to as the “DPA”) forms an integral, inherent and substantial part of the Principal Agreement;
- Company is acting in its capacity as a Data Controller pursuant to Data Protection Laws (capitalised terms defined below);
- In performing services under the Principal Agreement, babl processes Personal Data on behalf of Company;
- Company has verified that babl holds the prerequisite experience, capability and reliability to adopt reasonable and appropriate technical and organisational security measures for processing Personal Data in compliance with Data Protection Laws; and
- Company intends to appoint babl as a Data Processor according to Data Protection Laws, and babl intends to accept such appointment.
Now, therefore, the Parties agree as follows:
1.1. In this DPA, the following terms shall have the meanings set out below:
- “Relevant Personal Data” means any Personal Data (including Special Categories of data) processed by babl on behalf of Company pursuant to or in connection with the Principal Agreement;
- “Data Protection Laws” means the Data Protection Act 2018, the General Data Protection Regulations (EU) 2016/679 (“GDPR”), and all applicable laws and regulations relating to the processing of Personal Data and data privacy;
- “EEA” means the European Economic Area;
- “Persons in charge of Data Processing” means the employees, people in charge or any other natural person authorised by Company to process Personal Data;
- “Sub-processor” means any entity appointed by babl to Process Personal Data on behalf of Company in connection with the Principal Agreement; and
1.2 The terms, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Supervisory Authority” and “processing” shall have the same meanings as in Data Protection Laws, and “process” shall be construed in accordance with the definition of processing.
2. Subject Matter
2.1. babl agrees to be appointed as a Data Processor, according to Section 28 of the GDPR and agrees to act on behalf of Company in the Processing of the Relevant Personal Data.
2.2. The following Relevant Personal Data may be processed under this DPA:
- The following categories of Personal Data: first name, last name, title, job title, telephone numbers, images, email addresses
- Personal Data relating to the following categories of Data Subjects: Company employees, Company suppliers, customers of the Company, employees of the customer’s Company, suppliers of the customer’s Company
2.3. babl shall:
- Process the Relevant Personal Data for the sole purpose of performing the Principal Agreement, in accordance with the terms and conditions therein; and
- Not process Relevant Personal Data other than on Company’s documented instructions, unless the processing is required by applicable laws, in which case babl shall, to the extent permitted by applicable laws, inform Company of that legal requirement before carrying out the relevant processing.
2.4. Company shall provide instructions in accordance with all applicable laws, duly informing babl about any relevant information or issue concerning the processing by babl under this DPA (e.g. data retention periods).
3. Security Measures
3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, babl shall, in relation to its obligation to process the Relevant Personal Data under the Principal Agreement, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Section 32(1) of the GDPR. The above obligations are without prejudice to Company’s overarching data security obligations pursuant to the GDPR.
4.1. Company authorises babl to appoint (and permit each Sub-processor to appoint) Sub-processors in accordance with this Clause 4 and without prejudice to any restrictions in the Principal Agreement.
4.2. babl may continue to use those Sub-processors already engaged by babl as at the date of this DPA, provided that in each case babl, as soon as practicable, meets the obligations set out in Clause 4.3.
4.3 With respect to each Sub-processor, babl shall:
- Before appointing a Sub-processor, carry out adequate due diligence to ensure that such Sub-processor is capable of providing the same level of protection for the Relevant Personal Data required by this DPA;
- Ensure that the arrangement between babl and the Sub-processor (i) is governed by a written contract including terms which offer at least the same level of protection for the Relevant Personal Data as set out in this DPA, as well as (ii) meets the requirements of Section 28(3) of the GDPR.
4.4 The Company acknowledges and agrees that the Sub-processor shall be directly responsible towards the Company for its breach of this DPA or of the Data Protection Laws.
4.5 In case a Sub-processor is established in a country outside EEA which has not received an adequacy decision in terms of data protection safeguards by the European Commission, Company expressly authorises babl, who accepts, to conclude a data transfer agreement with such Sub-processors containing Binding Corporate Rules or the Standard Contractual Clauses (as may be amended) adopted by the European Commission.
5. Data Subject Rights
5.1. Taking into account the nature of the processing, babl shall assist Company by implementing appropriate technical and organisational measures for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6. Personal Data Breach
6.1 babl shall notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Relevant Personal Data, in accordance with Section 33 of the GDPR.
6.2 babl shall cooperate with Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of any such Personal Data Breach. Such activities shall be carried out at Company’s cost, unless the Personal Data Breach is due to babl’s breach of this DPA.
7. Data Protection Impact Assessment and Prior Consultation
7.1 babl shall provide reasonable assistance to Company with the performance of data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, that are necessary for Company to comply with Section 35 or 36 of the GDPR, in each case solely in relation to the processing of Relevant Personal Data by babl, and taking into account the nature of the Processing and information available to babl.
8. Duration and Deletion or Return of Relevant Personal Data
8.1 This DPA shall become effective upon execution of the Principal Agreement and shall apply as long as babl processes Relevant Personal Data on behalf of Company and the Principal Agreement has neither been terminated nor expired.
8.2 Except in case of different written instructions from Company, upon termination or expiration of the Principal Agreement (and consequently this DPA) babl shall stop processing Relevant Personal Data and shall destroy or return to Company, according to its instruction, the Relevant Personal Data. This provision shall not affect babl’s statutory duties to preserve records as may be required by applicable law or relevant authorities.
9. Audit Rights
9.1 babl shall make available to Company all information reasonably requested by Company which is necessary to demonstrate compliance with this DPA. babl shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company (provided that such auditor does not provide services in direct competition with babl and/or a Sub-processor) in relation to the Processing of the Relevant Personal Data by babl, provided that (i) babl is given reasonable notice of any audit or inspection to be conducted under this Clause 9.1, identifying in writing its concerns, relevant requirements and legal basis; and (ii) Company shall (and shall ensure that each of its mandated auditors shall) avoid causing (or, if it cannot avoid, minimise) any damage, injury or disruption to babl’s activities, premises, equipment, personnel and business. babl need not give access to its premises for the purposes of such an audit or inspection:
- To any individual who does not produce reasonable evidence of identity and authority;
- Outside normal business hours, unless the audit or inspection needs to be conducted on an emergency basis and Company has given a fully documented notice to babl that this is the case before attendance outside those hours begins; or
- For the purposes of more than one audit or inspection, in any calendar year, except for any additional audits or inspections which Company is required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws.
10. Company’s Responsibilities
10.1 Company represents, undertakes and warrants that the Relevant Personal Data:
- Is anonymised, pseudonymised and otherwise minimised so far as reasonably possible;
- Is transmitted to babl in accordance with the purpose for which it was collected, in compliance with Data Protection Laws, and on the understanding that Company is responsible for defining the legal basis of the data processing; and
- Shall not cause babl or any permitted Sub-Processor to breach any of its obligations under Data Protection Laws.
10.2 Company remains responsible for the data processing method implemented by means of applicative procedures developed according to its specifications and/or through its electronic instruments or telecommunications.
11. General Terms
11.1 The Parties hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
11.2 In case of conflict between this DPA and the Principal Agreement, the former should prevail with regard to any issue relating to Personal Data Processing.
11.3 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
11.4 Unless otherwise established in the Principal Agreement, the transmission of any communication between Company should be performed by certified E-mail using the following addresses:
Company (Data Controller): As set out in the Principal Agreement
babl (Data Processor):
To the attention of Jonathan Grant, CEO and Data Protection Officer
Certified E-mail: firstname.lastname@example.org