Data Processing Agreement
This Data Processing Agreement (the Agreement) supplements the contract between Detected and Customer (Main Agreement). Terms defined in this Agreement shall have the meaning given to them in the Main Agreement unless otherwise defined in this Agreement.
In this Agreement:
Applicable Law: means the following to the extent forming part of the law of the United Kingdom (or a part of the United Kingdom) as applicable and binding on either party or the Services:
- any law, statute, regulation, byelaw or subordinate legislation in force from time to time;
- the common law and laws of equity as applicable to the parties from time to time;
- any binding court order, judgment or decree; or
- any applicable direction, policy, rule or order made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
Controller: has the meaning given to that term in Data Protection Laws;
Data Protection Laws: means as applicable and binding on either party or the Services:
- the GDPR;
- the Data Protection Act 2018;
- any laws which implement or supplement any such laws; and
- any laws that replace, extend, re-enact, consolidate or amend any of the foregoing;
Data Protection Losses: means all liabilities, including all:
- costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and
- to the extent permitted by Applicable Law:
- administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Data Protection Supervisory Authority;
- compensation which is ordered by a court or Data Protection Supervisory Authority to be paid to a Data Subject; and
- the costs of compliance with investigations by a Data Protection Supervisory Authority;
Data Protection Supervisory Authority: means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
Data Subject: has the meaning given to that term in Data Protection Laws;
Data Subject Request: means a request made by a Data Subject to exercise any rights of Data Subjects under Chapter III of the GDPR;
GDPR: means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
International Recipient: means the organisations, bodies, persons and other recipients to which Transfers of Protected Data are prohibited under clause 6.1 without the Customer’s prior written authorisation;
Lawful Safeguards: means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Onward Transfer: means a Transfer from one International Recipient to another International Recipient;
Personal Data: has the meaning given to that term in Data Protection Laws;
Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
processing: has the meaning given to that term in Data Protection Laws (and related terms such as process, processes and processed have corresponding meanings);
Processing End Date: means the earlier of:
- the end of the provision of the relevant Services related to processing of the Protected Data; or
- once processing by Detected of any Protected Data is no longer required for the purpose of Detected’s performance of its relevant obligations under this Agreement or the Main Agreement;
Processing Instructions: has the meaning given to that term in clause 2.1.1;
Processor: has the meaning given to that term in Data Protection Laws;
Protected Data: means Personal Data received from or on behalf of the Customer in connection with the performance of Detected’s obligations under this Agreement;
Sub-Processor: means a Processor engaged by Detected or by any other Sub-Processor for carrying out processing activities in respect of the Protected Data on behalf of the Customer; and
Transfer: bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Related expressions such as Transfers and Transferring shall be construed accordingly;
Data processing provisions
- PROCESSING OBLIGATIONS
- Where Customer acts as a Controller and Detected acts as a Processor, this Agreement shall apply. Nothing in this Agreement relieves the Customer of any responsibilities or liabilities under any Data Protection Laws.
- Detected shall process Protected Data in compliance with:
- the obligations of Processors under Data Protection Laws in respect of the performance of its obligations under this Agreement; and
- the terms of this Agreement.
- The Customer shall comply with:
- all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its respective rights and obligations under this Agreement, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and
- the terms of this Agreement.
- The Customer warrants, represents and undertakes, that:
- the processing of all Protected Data (if processed in accordance with this Agreement) shall comply in all respects with Data Protection Laws, including in terms of its collection, use and storage;
- fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Laws in connection with all processing activities in respect of the Protected Data which may be undertaken by Detected and its Sub-Processors in accordance with this Agreement;
- the Protected Data is accurate and up to date;
- except to the extent resulting from Transfers to International Recipients made by Detected or any Sub-Processor, the Protected Data is not subject to the laws of any jurisdiction outside of the United Kingdom;
- it shall establish and maintain adequate security measures to safeguard the Protected Data in its possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure);
- it shall maintain complete and accurate backups of all Protected Data provided to Detected (or anyone acting on its behalf) so as to be able to immediately recover and reconstitute such Protected Data in the event of loss, damage or corruption of such Protected Data by Detected or any other person;
- all instructions given by it to Detected in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
- it is satisfied that:
- Detected’s processing operations are suitable for the purposes for which the Customer proposes to use the Services and engage Detected to process the Protected Data;
- the technical and organisational measures shall ensure a level of security appropriate to the risk in regard to the Protected Data as required by Data Protection Laws; and
- Detected has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.
- The Customer shall not unreasonably withhold, delay or condition its agreement to any change requested by Detected in order to ensure the Services and Detected (and each Sub-Processor) can comply with Data Protection Laws.
- Instructions and details of processing
- Insofar as Detected processes Protected Data on behalf of the Customer, Detected:
- unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Customer’s documented instructions as set out in this Agreement (including with regard to a Transfer of Protected Data to any International Recipient), as updated from time to time in accordance with the Change Control Procedure (Processing Instructions);
- if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
- shall promptly inform the Customer if Detected becomes aware of a Processing Instruction that, in Detected’s opinion, infringes Data Protection Laws, provided that:
- this shall be without prejudice to clauses 1.3 and 1.4; and
- to the maximum extent permitted by Applicable Law, Detected shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Processing Instructions following the Customer’s receipt of that information.
- The Customer agrees that:
- Detected (and each Sub-Processor) is not obliged to undertake any processing of Protected Data that it believes infringes any Data Protection Laws and shall not be liable (or subject to any reduction or set-off of any Subscription Fees or Additional Fees otherwise payable to Detected) to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under this Agreement as a result of not undertaking any processing in such circumstances; and
- without prejudice to any other right or remedy of Detected, in the event the Customer has not resolved any Processing Instruction notified to it under clause 2.1.3 such that it is lawful in Detected’s reasonable opinion within 14 days of such notification then Detected may terminate this Agreement in accordance with clause 13.2.1 of Detected’s Main Agreement with Customer.
- The processing of Protected Data to be carried out by Detected under this Agreement shall comprise the processing set out in Schedule 1 as may be updated from time to time in accordance with the Change Control Procedure.
- Technical and organisational measures
- Detected shall implement and maintain, at its cost and expense, technical and organisational measures, taking into account the nature of the processing, and to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Protected Data.
- Any additional technical and organisational measures shall be at the Customer’s cost and expense.
- Using staff and other Processors
- Detected shall not engage (nor permit any other Sub-Processor to engage) any Sub-Processor for carrying out any processing activities in respect of the Protected Data without the Customer’s prior written authorisation. Customer hereby grants to Detected its general authority to engage Sub-Processors as appropriate to perform the Services under its Main Agreement.
- Detected shall:
- prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, ensure each Sub-Processor is appointed under a written contract containing materially the same obligations as under clauses 1 to 11 (inclusive) (including those obligations relating to sufficient guarantees to implement appropriate technical and organisational measures) that is enforceable by Detected;
- ensure each such Sub-Processor complies with all such obligations; and
- remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
- Detected shall ensure that all Sub-Processors authorised to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Detected shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such requirement before such disclosure).
- Customer acknowledges and agrees that third parties such as credit reference agencies may be used in connection with providing the Services contemplated under the Main Agreement. Detected shall at all times ensure any data sharing takes place in accordance with the Data Protection Laws.
- Assistance with the Customer’s compliance and Data Subject rights
- Detected shall refer all Data Subject Requests it receives to the Customer within three (3) Business Days of receipt of the request.
- Detected shall provide such assistance as the Customer reasonably requires (taking into account the nature of processing and the information available to Detected) to the Customer in ensuring compliance with the Customer’s obligations under Data Protection Laws with respect to:
- security of processing;
- data protection impact assessments (as such term is defined in Data Protection Laws);
- prior consultation with a Data Protection Supervisory Authority regarding high risk processing; and
- notifications to the Data Protection Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach,
provided the Customer shall pay Detected for all work, time, costs and expenses incurred by Detected or any Sub-Processor(s) in connection with providing the assistance in this clause 5.2, such Charges to be calculated on a time and materials basis at Detected’s then current rates.
- International Transfers
- Subject to clause 6.2, Detected shall not Transfer (nor permit any Onward Transfer of) any Protected Data:
- to any country or territory outside the United Kingdom; and/or
- to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,
without the Customer’s prior written authorisation except where required by Applicable Law (in which case the provisions of clause 2.1 shall apply).
- The Customer hereby authorises Detected (or any Sub-Processor) to Transfer Protected Data where required, provided all Transfers of Protected Data by Detected to an International Recipient (including any Onward Transfer) shall:
- be effected by way of the Lawful Safeguards referred to in clause 6.3 and in accordance with this Agreement; and
- be made pursuant to a written contract, including equivalent obligations on each Sub-Processor in respect of Transfers to International Recipients as apply to Detected under any of this clause 6.
The provisions of this Agreement shall constitute the Customer’s instructions with respect to Transfers of Protected Data to International Recipients for the purposes of this Agreement.
- The Lawful Safeguards employed by Detected in connection with this Agreement shall be:
- The Standard Contractual Clauses, the Addendum to the Standard Contractual Clauses, or the International Data Transfer Agreement, as defined in Data Protection Laws, authorised by the UK Government and as may be updated or replaced from time to time.
- Records, information and audit
- Detected shall maintain, in accordance with Data Protection Laws binding on Detected, written records of all categories of processing activities carried out on behalf of the Customer.
- Detected shall, in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Detected’s compliance with its obligations under Article 28 of the GDPR, and allow for and contribute to audits, including inspections by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer:
- giving Detected reasonable prior notice of such information request, audit and/or inspection being required by the Customer;
- ensuring that all information obtained or generated by the Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to a Data Protection Supervisory Authority or as otherwise required by Applicable Law);
- hereby agreeing that Detected shall be entitled to withhold information where it is commercially sensitive or confidential to it or its other customers;
- ensuring that such audit or inspection is undertaken during normal Business Hours, with minimal disruption to Detected’s business, the Sub-Processors’ businesses and the business of any customers of Detected or of any of the Sub-Processors; and
- paying Detected for all work, time, costs and expenses incurred by Detected or any Sub-Processor(s) in connection with the provision of information and allowing for and contributing to inspections and audits, such Charges to be calculated on a time and materials basis at Detected’s then current rates.
- Breach notification
- In respect of any Personal Data Breach, Detected shall, without undue delay:
- notify the Customer of the Personal Data Breach; and
- provide the Customer with details of the Personal Data Breach.
- Deletion or return of Protected Data and copies
- Detected shall (and shall ensure that each of the Sub-Processors shall) delete the Protected Data (and all copies) within a reasonable time after the Processing End Date except to the extent that storage of any such data is required by Applicable Law (and, if so, Detected shall inform the Customer of any such requirement and shall (and shall ensure any relevant Sub-Processor shall) securely delete such data promptly once it is permitted to do so under Applicable Law).
- Detected shall promptly comply with any reasonable requests from time to time from the Customer for the secure return or transfer of Protected Data to the Customer within a reasonable time.
- Liability, indemnities and compensation claims
- The Customer shall indemnify and keep indemnified Detected in respect of all Data Protection Losses suffered or incurred by, awarded against or agreed to be paid by, Detected and any Sub-Processor arising from or in connection with any:
- non-compliance by the Customer with the Data Protection Laws;
- processing carried out by Detected or any Sub-Processor pursuant to any Processing Instruction that infringes any Data Protection Law; or
- breach by the Customer of any of its obligations under clauses 1 to 11 (inclusive).
- Detected’s financial liability in respect of any breach of this DPA or Data Protection Laws shall be as set out in the Main Agreement between Detected and Customer to which this Agreement relates.
- If a party receives a compensation claim from a person relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim.
- The parties agree that the Customer shall not be entitled to claim back from Detected any part of any compensation paid by the Customer in respect of such damage to the extent that the Customer is liable to indemnify or otherwise compensate Detected in accordance with clause 10.1.
- Survival of data protection provisions
- Clauses 1 to 8 (inclusive) shall survive expiry or termination (for any reason) of this Agreement and continue until no Protected Data remains in the possession or control of Detected or any Sub-Processor. The termination or expiry of such clauses shall be without prejudice to any accrued rights or remedies of either party under any such clauses at the time of such termination or expiry.
- Clauses 9 to 11 (inclusive) shall survive expiry or termination (for any reason) of this Agreement and continue indefinitely.
Schedule 1: Data processing details
- Subject-matter of processing:
Customer’s business clients and their relevant personnel including directors and shareholders.
- Duration of the processing:
The Subscription Term of the Main Agreement.
- Nature and purpose of the processing:
To provide the Detected Service (as described in the Main Agreement) – namely to provide a KYB / onboarding service to the Customer, and processing of relevant data to be at the direction of the Customer and, at times, the end user, where it chooses which document(s) to upload.
- Type of Personal Data:
Name and contact details, identification documents (such as passports and driving licences), proof of address documents or other documents requested by the Customer as a data controller.
- Categories of Data Subjects:
Customer’s end clients.
- Special categories of Personal Data:
Identification documents may include details of racial or ethnic origin data and other special category data depending on the documents requested by the Customer.
- Further Processing Instructions