Data Processing Agreement
Engagement Technology Ltd. Data Processing Agreement
By accessing the Services, the Client hereby agrees to this Data Processing Agreement unless the Client has a superseded written agreement with Engagement Technology Ltd. This Agreement is incorporated into and made part of Engagement Technology Ltd.’s Terms of Service. In the event of any conflict or inconsistency between this Agreement and the Terms of Service, this Data Processing Agreement shall prevail. All capitalised terms not defined herein have the same meaning as defined in the Terms of Service.
- THE PARTIES
The “Data Controller” being the Client of Engagement Technology Ltd as defined in the Terms of Service,
Engagement Technology Ltd. (also referred to as “ETL” or “Engagement Multiplier”), having its registered office at The Old Vicarage, Church Lane, Meriden, CV7 7HX, United Kingdom, (the “Data Processor”),
agree as follows:
- This Agreement is to ensure there is in place proper arrangements relating to personal data passed from the Data Controller to the Data Processor.
- This Agreement is compliant with the requirements of Article 28 of the General Data Protection Regulation.
- The parties wish to record their commitments under this Agreement.
- This is a free-standing Agreement that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
- DEFINITIONS AND INTERPRETATION IN THIS AGREEMENT
- “Data Protection Laws” means the General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018, together with successor legislation incorporating GDPR;
- “Data” means personal data passed under this Agreement, being, in particular, the data detailed in Annex (Part B).
- “GDPR” means the General Data Protection Regulation;
- “Services” means the processing to be performed upon the Data by the Data Processor, being, in particular, the Services detailed in Annex (Part C).
- DATA PROCESSING
- The Client is the Data Controller for the Data and Engagement Technology Limited is the Data Processor for the Data.
- The Data Processor agrees to process the Data only in accordance with applicable data protection laws and in particular on the following conditions:
- The Processor shall only process the Data on written instructions from the Data Controller; and
- only process the Data for completing the Services; and
- only process the Data in the UK with no transfer of the Data outside of the UK (Article 28, para 3(a) GDPR) except where:
- pursuant to Art. 49 GDPR, the Processor uses such sub-processors and the personal data is protected through pseudonymisation such that the sub-processor cannot match the data to specific individuals; and
- in accordance with Art. 49 GDPR that such specific data processing by a sub-processor in a Third Country, together with the transfer of the data subjects’ consent, is conducted by necessity for the fulfilment of a contract concluded in the interest of the data subject.
- ensure that all employees and other representatives accessing the Data are aware of the terms of this Agreement and have received comprehensive training on Data Protection Laws and related good practice; and
- is bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);
- The Data Controller and the Data Processor have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, complying with Article 32 of GDPR; details of those measures are set out under Part A of the Annex to this Agreement (Article 28, para 3(c) GDPR);
- Except for the sub processors stipulated and authorised in Annex D, the Data Processor shall not involve any third party in the processing of the Data without the written consent of the Data Controller. Such consent may be withheld without reason. If consent is given a further processing agreement will be required (Article 28, para 3(d) GDPR);
- Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests from individuals exercising their rights laid down in Chapter III of GDPR – rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making etc. (Article 28, para 3(e) GDPR);
- The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR – security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the UK Information Commissioner’s Office (ICO) or other Supervisory Authority as may be applicable, taking into account the nature of processing and the information available to the Processor (Article 28, para 3(f) GDPR);
- At the Data Controller’s choice safely delete or return the Data at any time, and, in any event, securely delete the Data at the end of the Services. Where the Data Processor is to delete the Data, deletion shall include destruction of all existing copies unless there is a legal requirement to retain the Data. Where there is a legal requirement the Data Processor will prior to entering into this Agreement confirm such an obligation in writing to the Data Controller. Upon request by the Data Controller, the Data Processor shall provide certification of destruction of all Data (Article 28, para 3(g) GDPR);
- The Data Processor shall make immediately available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required by the Data Controller from time to time (Article 28, para 3(h) GDPR);
- Arrangements relating to the secure transfer of the Data between the Data Controller and the Data Processor, and the safe keeping of the Data by the Data Processor, are detailed under Part A of the Annex.
- The Data Processor shall maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created; and immediately contact the Data Controller if there is any personal data breach or incident where the Data may have been compromised.
- The Data Controller may immediately terminate this Agreement on written notice to the Data Processor. The Data Processor may not terminate this Agreement without the written consent of the Data Controller.
- This Agreement may only be varied with the written consent of both parties.
- This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws.
- For Data Controllers in the United Kingdom, this Agreement is subject to English law and the exclusive jurisdiction of the English Courts.
- For Data Controllers not located in the United Kingdom, this Agreement is subject to the laws and exclusive jurisdiction according to the location of the Data Controller’s specific Supervisory Authority.
1. Annex (Part A) Security
Appropriate technical and security measures shall ensure the secure transfer of data between the Data Controller and the Data Processor. Specifically, these shall include:
- Via email, where the personal data is within an encrypted file or the email itself is encrypted.
- Via courier or equivalent tracked security service.
- Via file transfer utilising VPN (Virtual Private Network).
- Via transfer of physical documents in person.
Appropriate technical and security measures shall ensure the security of the data while being processed by the Data Processor. Specifically, these are:
The Processor shall ensure that, at all times, it shall use an IT system which:
- is correctly configured with an operating system fully supported and maintained by the manufacturer.
- is configured with an anti-virus and malware application, and that an update subscription is always maintained.
- is configured to require a password with a minimum complexity of ten alpha-numeric characters.
- utilises only such software which is supported by the manufacturer for software patches and maintenance updates.
- where Cloud servers are utilised, that all data shall be retained on servers located in the United Kingdom.
The Processor shall at all times protect the personal data, whether in digital or paper form, through the following:
- Ensure there is always adequate security to prevent physical loss or accidental disclosure.
- Physical files removed from the registered office shall be kept hidden from view.
- Notebooks, worksheets and other memoranda prepared or completed by the Processor which concern a data subject shall be accorded the same security as is demanded upon data provided by the Data Controller.
2. Annex (Part B) Data
The Personal Data to be passed from The Client to Engagement Technology Ltd. shall be comprised of only the following categories:
- Personal Information
- Biographic Data
- Employment Data
3. Annex (Part C) Services
The Data Processor shall conduct computational analytics upon pseudonymised personal data for the sole purpose of conducting employee surveys for improved employee satisfaction and engagement.
4. Annex (Part D) Sub Processor(s)
In accordance with clauses 126.96.36.199 and 188.8.131.52 the parties agree that the Processor is authorised to transfer the personal data provided by The Client to the specific sub-processors detailed below:
- Engagement Multiplier LLC, being a Limited Liability Corporation, the registered office of which is 130 E. Randolph Street, Suite 1600, Chicago IL 60601, United States of America, Telephone +1 (312) 236 2000, Contact Danica Wasser.
- Envisionit Chicago LLC, being a Limited Liability Corporation, the registered office of which is 130 E. Randolph St. Suite 1600 Chicago, IL 60601, United States of America, Telephone +1 312 236 2000, Contact Amy Russell.
- Rackspace Ltd, the registered office of which is Unit 8, Millington Road, Hayes, Middlesex, England UB3 4AZ, Telephone +44 208 734 8107