OVERVIEW
This Data Processing Agreement (this “DPA”) is an agreement between WHEN THEN LIMITED or any company under its control (collectively herein as “WHEN THEN LTD”) as a data processor and the client who agrees to this DPA (“Client”). Wherein, WHEN THEN LTD has agreed to process certain Client’s customer data on Client’s behalf in relation to WHEN THEN LTD’s services (“Services”) as defined on its website (“Website”). WHEN THEN LTD and Client are also jointly referred to as “parties” and individually as a “party” under this DPA.
This DPA forms a supplementary agreement to WHEN THEN LTD’s general Terms and Conditions Agreement (“Terms and Conditions”) and privacy policy (“Privacy Policy”) found on the Website. In relation to WHEN THEN LTD’s role as a data processor for any EEA, EU, UK or Switzerland’s personal data (as defined under the GDPR) in Client’s role as a data controller, this DPA shall apply. If any portion of this DPA conflicts with any provision under our Terms and Conditions, this DPA shall prevail. If any terms and conditions under this DPA conflict with the EU’s Standard Contract Clauses (“SCC”), the SCC shall prevail.
By clicking the “I accept” button, Client accepts to be bound by the terms and conditions of this DPA.
DEFINITION OF TERMS
“processing”, “personal data”, “Data Subject”, “Controller” and “Processor” have their meanings in the GDPR.
“Sub-processor” refers to any other processor WHEN THEN LTD engages to perform part of the Services on WHEN THEN LTD’s behalf.
“GDPR” refers to the EU’s General Data Protection Regulation 2016/679 that came into effect in May 2018.
“SCC” refers to the Standard Contract Clauses (for processors) located at the Annex section of the European Commission Decision 2010/87/EU.
“Client’s Customer data” refers to any personal data WHEN THEN LTD processes about Client’s Customers (end-users).
“Client Data” refers to any data that relates to Client’s relationship with WHEN THEN LTD, including data about co-workers, customers and company.
“EEA” refers to any country in the European Economic Area and any other countries under the GDPR, including the UK and Switzerland.
“Applicable Laws” refer to any privacy law that applies to this DPA.
PROCESSING PERSONAL DATA
- Data Controller and Processor: Parties under this DPA hereby acknowledge and agree that in relation to the processing of personal data, Client may either be the Controller or the Processor. Wherever Client is the Controller, WHEN THEN LTD shall be the Processor or Sub-processor. Where Client is the Processor, WHEN THEN LTD will be the Sub-processor. WHEN THEN LTD may further hire the services of Sub-processors in its role as a Processor.
- Processing of personal data by Client: When Client uses the Services, Client agrees to process personal data in accordance with the requirements set by Applicable Laws. Also, the instructions given by the Client to process personal data on Client’s behalf must comply with Applicable Laws. Client is responsible for the legality, accuracy and quality of personal data acquired from Client’s Customer and the means by which such data is obtained.
- Processing of personal data by WHEN THEN LTD: Where WHEN THEN LTD processes personal data as a Processor, WHEN THEN LTD shall: (i) process such personal data in accordance with the instructions given by the Client and in accordance with this DPA, (ii) make sure all employees or persons who WHEN THEN LTD authorises to process personal data observes their duty of confidentiality and process the data in accordance with this DPA, (iii) provide support or assistance to the Client in order for the Client to comply with Applicable Laws in Client’s duty as a Controller, (iv) provide the Client with reasonable audit and inspection report requested by Client, provided that Client signs a Non-Disclosure Agreement (“NDA”) with WHEN THEN LTD and the audit or inspection request is limited to once per year, and (v) provide Client with reasonable support, upon Client’s request and at Client’s expense, to enable Client comply with Client’s data protection impact assessment obligations and consulting with supervisory authority, as required under Applicable Laws.
- The details of the processing: The subject matter of processing personal data is in relation to the Services contemplated under our Terms and Conditions. The duration of data processing, the nature and purpose of the data processing and the types of data processed under this DPA are described in Schedule A of this DPA (attached below).
DATA SUBJECT RIGHTS
Upon a request from any Data Subject to exercise their right of access, deletion or restriction (“Data Subject Request”), WHEN THEN LTD shall, to the extent permitted by Applicable Laws, notify Client of such Data Subject Requests. WHEN THEN LTD shall not respond to any Data Subject Request without prior written consent from Client. However, WHEN THEN LTD shall offer reasonable assistance, upon Client’s request, in granting Data Subject Request if Client is unable to grant such a Data Subject Request, to the extent WHEN THEN LTD is lawfully permitted and provided that such a Data Subject Request is in accordance with Applicable Laws. Client agrees that Client will, to the extent lawfully permitted, be responsible for the cost of such support.
WHEN THEN LTD’S PERSONNEL
WHEN THEN LTD shall ensure that WHEN THEN LTD’s employees and workers who are involved in the processing of personal data are (i) duly informed and made to be aware of the confidential nature of the personal data, (ii) appropriately trained on their responsibilities, and (iii) given a copy of NDA, which addresses their obligations to confidentiality, data protection and security, and have it signed. For this purpose, WHEN THEN LTD has appointed a Data Protection Officer (DPO) who handles all issues regarding personal data and requests. For any questions or issues, message Eamon Doyle at legal@whenthen.com.
SUB-PROCESSORS
- Client hereby agrees that any WHEN THEN LTD affiliates may be engaged as Sub-processors, and Client and also grants WHEN THEN LTD and any affiliates the authority to engage the services of third parties as Sub-processors to aid the provision of the Services. Where WHEN THEN LTD engages the services of Sub-processors, it will impose the same obligations regarding data protection and security as described under this DPA. WHEN THEN LTD shall be responsible for any failure of the Sub-processor to comply with the obligations set forth herein, unless the agreement between WHEN THEN LTD and the Sub-processor say otherwise.
- List of Sub-processors: WHEN THEN LTD shall provide Client with the current list of Sub-processors. The current Sub-processors WHEN THEN LTD use can be obtained by mailing legal@whenthen.com or here. WHEN THEN LTD will update this list anytime it makes an addition or replaces any of these Sub-processors.
- Client’s right to object to use new Sub-processors: Client may reasonably object to WHEN THEN LTD’s use of new Sub-processors. Client must notify WHEN THEN LTD of this objection within 10 days it updates its Sub-processor list. If Client fails to exercise its right of objection within 10 days, WHEN THEN LTD will deem the updated Sub-processor list accepted. If Client objects to WHEN THEN LTD’s use of a new Sub-processor, Client agrees that it may prevent WHEN THEN LTD from performing the Services. WHEN THEN LTD shall notify Client if a new Sub-processor is added or a previous Sub-processor is replaced.
SECURITY OF PERSONAL DATA
- Controls for the protection of personal data: Parties shall each implement and maintain appropriate technical and organisational measures to protect and secure personal data, as well as to maintain data confidentiality and integrity at all times, including where relevant (i) to anonymise, encrypt or pseudonymise personal data, (ii) to ensure parties’ obligations to keep personal data protected, secured and confidential at all times, (iii) to be able to restore personal data’s availability in a reasonable time under any physical or technical incidence, and (iv) to regularly test, access and evaluate how effective the measures put in place to ensure the safety of personal data is.
- Managing personal data incidents and notifications: WHEN THEN LTD shall employ a data incident management program, which will comply with Applicable Laws. WHEN THEN LTD shall notify Client within 72 hours or any time required under Applicable Law, in the event of a theft, loss, misuse, alteration, unauthorised access, acquisition, disclosure or destruction that may affect the personal data WHEN THEN LTD processes about Client’s Customer.
DELETION OF CLIENT’S CUSTOMER DATA
Unless required under any Applicable Law, upon the completion of the Services, or at the request of Client, WHEN THEN LTD shall delete Client Data (including copies backed up in our database) and any personal data WHEN THEN LTD processes on Client’s behalf.
INTERNATIONAL TRANSFER OF PERSONAL DATA
Parties agree that WHEN THEN LTD may transfer personal data to Sub-processors outside of the EEA in relation to the Services. However, if WHEN THEN LTD transfers personal data to Sub-processors outside of the EEA to any country which the European Commission has not deemed to have adequate privacy protection, such transfers must be done using the approved data transfer mechanism as required under Applicable Laws, including using SCC, which is referenced under the section 2 (Definition of Terms) of this DPA.
LIABILITY LIMITATION
Each party’s liability (including the party’s affiliates), taken together in the aggregate, arising out of this DPA, whether in contract, tort or under any other legal theory, is subject to the liability limitations described in the Terms and Conditions. For the avoidance of doubt, WHEN THEN LTD’s total liability for all claims made by Client arising out of this DPA or Terms and Conditions means the aggregate liability of WHEN THEN LTD (or its affiliates) under the Terms and Conditions and this DPA.
SCHEDULE A: Details of the Processing
- Nature and purpose of data processing: WHEN THEN LTD shall process personal data based on Client’s instructions to perform the Services described on the Website and the Terms and Conditions. Furthermore, WHEN THEN LTD shall process parts of the data to (i) gather analytics about how the Website is used, and (ii) improve the Services by developing new products and features.
- Duration of data processing: Unless otherwise agreed to in writing, WHEN THEN LTD shall process personal data for as long as the Terms and Conditions apply to Client.
- Data subjects: Refers to Client’s Customer and any individual whose personal data is provided to WHEN THEN LTD by Client.
- Types of data processed: WHEN THEN LTD will process the customer’s name, email address, location and other personal data about Client’s Customer, which is required to perform the Services.