Please contact us on email@example.com if you would like a PDF version of this agreement.
DATA PROCESSING AGREEMENT
(version 1.1, May 2018)
Saracen Datastore Ltd
(together with the Client, the "Parties")
1. Scope of the DPA
1.1 This DPA forms part of the Agreement in place between the Client and Saracen Datastore Ltd and reflects the Parties' agreement with regard to the processing of personal data.
1.2 Saracen Datastore Ltd acts as a data processor for the Client, as Saracen processes personal data for the Client as set out in Annex 1.
1.3 The personal data to be processed by Saracen concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.
1.4 "Personal data" means any information relating to an identified or identifiable natural person, as defined by article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation "GDPR").
2 Processing of Personal Data
2.1 Saracen Datastore Ltd is instructed to process the personal data only for the purposes of providing the Services as set out in Annex 1. Saracen Datastore Ltd may not process or use the Client's personal data for any purpose other than that provided in the Client's instructions, including the transfer of personal data to any third country or international organisations, unless Saracen Datastore Ltd is required to do so according to applicable UK law, in which case Saracen Datastore Ltd shall inform the Client in writing of that legal requirement before processing, unless that law prohibits the provision of such information on the grounds of public interest.
2.2 If the Client, in the instructions in Annex 1 or otherwise, has consented to a transfer of personal data to a third country or to international organisations, Saracen Datastore Ltd shall ensure that there is a legal basis for the transfer, e.g. the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries.
2.3 If Saracen Datastore Ltd is of the opinion that an instruction from the Client is in violation of the GDPR, or other applicable data protection provisions, Saracen Datastore Ltd shall immediately inform the Client in writing.
3 Saracen Datastore Ltd.’s general obligations
3.1 Saracen Datastore Ltd shall ensure that persons authorised to process the personal data are subject to appropriate obligations of confidentiality.
3.2 Saracen Datastore Ltd shall implement appropriate technical and organisational measures to prevent the personal data processed from being
(i) accidentally or unlawfully destroyed, lost or altered,
(ii) disclosed or made available without authorisation, or
(iii) otherwise processed in violation of applicable laws relevant for the Services, including the GDPR.
3.3 Saracen Datastore Ltd shall comply with any other data security requirements applicable to Saracen Datastore Ltd, including the data security requirements in the country of establishment of Saracen Datastore Ltd, or in the country where the data processing will be performed.
3.4 Appropriate technical and organisational security measures shall be determined with due regard for
(i) the current state of the art,
(ii) the cost of their implementation, and
(iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.5 Saracen Datastore Ltd shall, upon request, provide the Client with such reasonable information as it may require to satisfy itself that Saracen Datastore Ltd complies with its obligations under this DPA, including ensuring that the appropriate technical and organisational security measures have been implemented.
3.7 Saracen Datastore Ltd shall provide information related to the provision of the Services to authorities or the Client's external advisors, including auditors, in so far as this is necessary for the performance of their duties in accordance with applicable UK law.
3.8 The Client understands that Saracen Datastore Ltd must give authorities who by virtue of UK law have a right to enter the Client's or the Client's supplier's facilities, or representatives of the authorities, access to Saracen Datastore Ltd.’s physical facilities, subject to presentation of a proper proof of identity.
3.9 Saracen Datastore Ltd must, without undue delay after becoming aware of the facts, in writing notify the Client about:
(i) any request for disclosure of personal data processed under the DPA by authorities, unless expressly prohibited from doing so under applicable UK law,
(ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Saracen Datastore Ltd in connection with the Services, or (b) other failure to comply with Saracen Datastore Ltd.'s obligations under clauses 3.2 and 3.3, or
(iii) any request for access to the personal data received directly from the data subjects or from third parties relating to the processing of personal data on behalf of the Client.
3.10 Saracen Datastore Ltd shall provide reasonable assistance to the Client with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, blocking or deletion, which relates to the processing of personal data in connection with the Services.
3.11 Saracen Datastore Ltd shall provide reasonable assistance to the Client with meeting other obligations that may be incumbent on the Client according to applicable UK law related to data processing, where the assistance of Saracen Datastore Ltd is necessary for the Client to comply with its obligations. This includes, but is not limited to, a request to provide the Client with all necessary information about an incident under Clause 3.9 (ii), and all necessary information for an impact assessment in accordance with articles 35 and 36 of the GDPR.
3.12 Annex 1 details the servers, premises and offices etc. used to provide the Services. The Client may at any time make reasonable request for information about the servers, premises and offices used by Saracen Datastore Ltd in connection with the Services and Saracen Datastore Ltd shall respond within 30 days with such information.
3.13 Saracen Datastore Ltd does not accept liability for any breach of the GDPR which cannot be proven beyond reasonable doubt to be the fault of an action by Saracen Datastore Ltd.
4.1 Prior to the engagement of any subprocessor, Saracen Datastore Ltd shall enter into a written agreement with the subprocessor, in which data protection obligations no less than those as set out in the DPA shall be imposed on the subprocessor, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.
4.2 The Client has the right to receive a copy of Saracen Datastore Ltd.'s agreement with any applicable subprocessor as regards the provisions related to data protection obligations. Saracen Datastore Ltd shall remain fully liable to the Client for the performance of the subprocessor obligations. The fact that the Client has given consent to Saracen Datastore Ltd.'s use of a subprocessor is without prejudice to Saracen Datastore Ltd.'s duty to comply with the DPA.
5.1 The Parties may at any time agree to amend this DPA. Amendments must be in writing. The latest version of this document can always be found online at http://www.saracendatastore.co.uk/gdpr/data-processing-agreement
6 Term and consequences of the termination of the DPA
6.1 The DPA comes into force on 25 May 2018.
6.2 The term of this DPA shall correspond to the term of the Agreement.
6.3 On the Client's request Saracen Datastore Ltd shall transfer or delete personal data, which Saracen Datastore Ltd is processing for the Client, unless applicable UK law prevents such action.
7.1 If any of the provisions of the DPA conflict with the provisions of the Agreement, then the provisions of the DPA shall prevail. However, the requirements in clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Saracen Datastore Ltd. Furthermore, the DPA shall not apply if and to the extent the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for Saracen Datastore Ltd and/or for subprocessors.
7.2 This DPA does not determine the Client's remuneration of Saracen Datastore Ltd for Services according to the Agreement.
This Annex constitutes the Client's instruction to Saracen Datastore Ltd in connection with Saracen Datastore Ltd.'s data processing for the Client, and is an integrated part of the Agreement.
The processing of personal data
a) Purpose and nature of the processing operations
Providing the Client with Records Management Service for documents or media.
b) Categories of data subjects
- The Client's customers, employees, agents and other 3rd parties as requested by the Client as the Data Controller
c) Categories of personal data may include
- Email address
- Reference number, such as an order ID or similar.
d) Special categories of data may include
- Date of significant events (birth/death/marriage/divorce etc.)
- Maiden name
e) Location(s), including name of country/countries processing
- United Kingdom