This Data Processing Agreement ("DPA") is incorporated into, and is subject to the terms and conditions of, the Agreement between Meet Alfred and the customer entity that is a party to the Agreement ("Customer" or "you").
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“Agreement” means this data processing agreement, together with its schedules.
“Controller” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.
“Data Protection Authority” means an independent public authority that is legally tasked with overseeing compliance with applicable data protection laws: (a) if the GDPR is applicable, a “Supervisory Authority”, as that term is defined in the GDPR; or (b) if the UK DPA is applicable, the Information Commissioner.
“Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR.
“Data Protection Laws” means: (a) the UK DPA; (b) the GDPR, Directive 95/46/EC, Directive 2002/58/EC and Directive 2009/136/EC, together with any national implementing laws in any Member State of the European Union; and (c) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world, in each case as amended, consolidated or replaced from time to time.
“Data Subject” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.
“GDPR” means Regulation (EU) 2016/679, as amended, consolidated or replaced from time to time.
“Personal Data” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.
“Personal Data Breach” has the meaning given to it in: (a) the GDPR, if the GDPR is applicable; or (b) the UK DPA, if the UK DPA is applicable.
“Personnel” means any current, former or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
“Process”, “Processing” or “Processed” each have the meanings given to them in the GDPR.
“Processor” has the meaning given to it in the GDPR.
“Relevant Personal Data” means Personal Data provided or made available to the Servicer for the purpose of providing the Services, performing its obligations or exercising its rights arising under or in connection with this Agreement.
“Services” means the Meet Alfred web services provided under the Terms of Service.
“Terms of Service” means the Terms of Service governing use of services provided by Meet Alfred, available here: https://meetalfred.com/terms and as updated by Meet Alfred from time to time.
“Subprocessor” means any party (including but not limited to affiliates and sub-contractors) engaged by Service Provider to Process Relevant Personal Data.
“UK DPA” means the Data Protection Act 2018, as amended, consolidated or replaced from time to time.
Roles and Responsibilities
1.1 With respect to the Processing of Relevant Personal Data, Service Provider shall, and shall procure that each of its Personnel, agents and Subprocessors shall comply with all Data Protection Laws, to the extent applicable.
1.2 Service Provider represents and warrants to Customer that it shall implement appropriate technical and organisational measures to protect Relevant Personal Data, in accordance with applicable Data Protection Laws and, during the GDPR Period, in accordance with Articles 32-34 of the GDPR in particular. Service Provider shall ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities, in particular to protect Relevant Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Prior to the Processing of any Relevant Personal Data, and then regularly thereafter, Service Provider shall document its relevant technical and organisational security measures. Service Provider shall perform internal inspections on a regular basis, to confirm that it is complying with its obligations under this Agreement and, where appropriate, Service Provider shall amend its Processing activities to satisfy its obligations under this Agreement.
1.3 The Parties hereby acknowledge and agree that Customer is a Controller and Service Provider is a Processor with respect to the Processing of Relevant Personal Data. In addition to, and notwithstanding, any other right or obligation arising under this Agreement or the Terms of Service, the Service Provider shall, in relation to such Processing:
(a) comply with the express instructions or directions of Customer given from time to time in connection with the Processing of Relevant Personal Data, and the requirements of any applicable Data Protection Laws; and
(b) only Process Relevant Personal Data strictly and solely: (i) to the extent necessary in connection with this Agreement, in particular as described in Schedule 1 below; and (ii) in accordance with the documented instructions received from Customer from time to time. If at any point, Service Provider becomes legally unable to comply with Customer's instructions regarding the Processing of Relevant Personal Data (whether as a result of a change in applicable law, or a change in Customer's instructions), Service Provider shall promptly:
(i) notify Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and
(ii) cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as Customer issues new instructions with which Service Provider is able to comply;
(c) (i) create; (ii) keep up-to-date for the duration of the Processing; and (iii) maintain for four (4) years thereafter; complete and accurate records in writing (including in electronic form) of its Processing activities, including all categories of its Processing activities, in relation to Relevant Personal Data, and disclose such records to Customer, or any Data Protection Authority, promptly upon demand;
(d) (i) ensure Relevant Personal Data are kept confidential; (ii) take all reasonable steps to ensure the reliability and trustworthiness of Service Provider’s Personnel and any Subprocessors; and (iii) ensure that all relevant Service Provider Personnel, and any relevant Subprocessors, have committed themselves to ensuring the confidentiality of all Relevant Personal Data that they Process;
(e) ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) only appoint such Subprocessor in accordance with the prior written authorisation of Customer (such authorisation not to be unreasonably withheld, conditioned or delayed); (ii) keep Customer informed if there is any change to the role or status of the Subprocessor; and (iii) enter into a binding written agreement with the Subprocessor that imposes on the Subprocessor the same obligations that apply to Service Provider under this Agreement with respect to the Processing of Relevant Personal Data and, if applicable, any restricted transfers of Relevant Personal Data;
(f) at Customer’s request and expense, promptly provide Customer with all reasonable technical and organisational assistance necessary to respond appropriately to requests from Data Subjects to exercise their rights;
(g) at Customer’s request and expense, promptly provide Customer with all reasonable assistance necessary to enable Customer to: (i) notify relevant breaches of the GDPR to the relevant Data Protection Authorities and/or affected Data Subjects; (ii) conduct Data Protection Impact Assessments; and (iii) obtain any necessary authorisations from Data Protection Authorities;
(h) permanently and securely delete (or, at the election of Customer, return) all Relevant Personal Data in the possession or control of Service Provider or any of its Subprocessors, thirty (30) days after this Agreement has automatically terminated, with automatic termination occurring on the date of termination or expiration of the Terms of Service;
(i) at Customer’s request and expense: (i) promptly provide Customer with all information necessary to enable Customer to demonstrate compliance with its obligations under the GDPR, to the extent that Service Provider is able to provide such information; and (ii) allow for and contribute to audits, including inspections, conducted by Customer or an auditor appointed by Customer; and
(j) notify Customer promptly, and in any event within twenty-four (24) hours, of: (i) becoming aware of any Personal Data Breach affecting Relevant Personal Data; (ii) becoming aware of any material breach of this Clause 1; or (iii) receipt of any correspondence or communication from any Data Subject, Data Protection Authority or third party regarding the Processing of Relevant Personal Data.
1.4 Service Provider shall not, whether through action or omission, place Customer in breach of any applicable Data Protection Laws.
1.5 Service Provider shall remain primarily liable and responsible for the acts and omissions of its Subprocessors.