Data Processing Agreement

v1.0

Agreement

1.Definitions

1.1We, us or processor (in addition to 1.7, below) means Gareth Evans trading as socomp.co.uk. Our(s) shall be construed accordingly;
1.2You or controller (in addition to 1.5, below) means a client of Southampton Computer Services, for whom or for which we act as a processor. Your(s) shall be construed accordingly;
1.3Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.4Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.5Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
1.6Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;
1.7Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
1.8Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with domestic law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
1.9Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
1.10Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
1.11Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
1.12Your controlled data means any personal data for which you are a controller and for which you engage us as a processor;
 
2.Scope

2.1These terms apply in relation to our processing in accordance with your instructions of data or information for which you are a data controller, in accordance with UK GDPR and the Data Protection Act (2018).
 
3.Your Instructions

3.1You warrant and represent that you are duly authorised or otherwise entitled to give instructions described in section 3.2 and shall remain so authorised or entitled for the duration of the engagement. Where a material change to such authorisation or entitlement occurs during any engagement you shall inform us immediately;
3.2You instruct us to provide, or at our discretion to arrange for sub-processor(s) possibly including their sub-processor(s) to provide, such service(s) or aspect(s) thereof as described or agreed in communication(s) to or from us concerning the engagement or as specified in any description of work to be undertaken, including any operation(s) which, in our opinion or in the opinion of any sub-processor(s) concerned, are reasonable, targeted and proportionate in relation to the execution of that instruction or those instructions.
 
4.The Processing

4.1The nature, purpose and subject matter of the processing shall be as described in section 3.2;
4.2The duration of the processing shall be the length of the contract or engagement, plus upto three months during which data may be held in our backup systems;
4.3The personal data shall be your controlled data, and the data subjects involved in the processing shall be as found in your controlled data, such as staff, clients, customers, or as described or agreed in communication(s) to or from us or as otherwise documented.
 
5.Processor's Rights and Obligations

We shall:

5.1Process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by domestic law; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
5.2Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.3Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR;
5.4Appoint such other processor(s) ('sub-processor(s)') as we consider reasonably necessary or appropriate to provide or facilitate service(s) or aspect(s) thereof, in accordance with Article 28(4) UK GDPR;
5.5Where we engage another processor for carrying out specific processing activities on behalf of the controller, impose the same data protection obligations as set out in Article 28(3) UK GDPR by way of a contract or other legal act under domestic law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of UK GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations;
5.6Inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes;
5.7Taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III UK GDPR (transparency and modalities, information and access to personal data, information to be provided where personal data have not been obtained from the data subject, right of access by the data subject, right to rectification and erasure, right to restriction of processing, notification obligation regarding rectification or erasure of personal data or restriction of processing, right to data portability, right to object, automated individual decision-making including profiling);
5.8Assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 UK GDPR (security of personal data, notification of personal data breach to the commissioner, communication of personal data breach to the data subject, data protection impact assessment and prior consultation) taking into account the nature of processing and the information available to the processor;
5.9At the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing copies unless domestic law requires storage of the personal data;
5.10Make available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 UK GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller;
5.11Immediately inform the controller if, in our opinion, an instruction infringes UK GDPR or other domestic law relating to data protection.